Change logs for openssl source package in Groovy

  • openssl (1.1.1f-1ubuntu4.4) groovy; urgency=medium
    
      * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0
        to validate, as it is common on self-signed leaf certificates.
        (LP: #1926254)
        - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch
        - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch
        - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch
      * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
        error when attempting to build a source package, due to pr12272.patch
        patching files multiple times within the same patch. (LP: #1927161)
        - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
        - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
        - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
        - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
        - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch
    
     -- Matthew Ruffell <email address hidden>  Wed, 05 May 2021 12:13:30 +1200
  • openssl (1.1.1f-1ubuntu4.3) groovy-security; urgency=medium
    
      * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
        - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
          ssl/statem/extensions.c.
        - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
          <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
        - debian/patches/CVE-2021-3449-3.patch: add a test to
          test/recipes/70-test_renegotiation.t.
        - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
          always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
          ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
          ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
        - CVE-2021-3449
    
     -- Marc Deslauriers <email address hidden>  Mon, 22 Mar 2021 07:33:17 -0400
  • openssl (1.1.1f-1ubuntu4.2) groovy-security; urgency=medium
    
      * SECURITY UPDATE: Integer overflow in CipherUpdate
        - debian/patches/CVE-2021-23840.patch: don't overflow the output length
          in EVP_CipherUpdate calls in crypto/err/openssl.txt,
          crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
        - CVE-2021-23840
      * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
        - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
          crypto/x509/x509_cmp.c.
        - CVE-2021-23841
    
     -- Marc Deslauriers <email address hidden>  Wed, 17 Feb 2021 07:32:55 -0500
  • openssl (1.1.1f-1ubuntu4.1) groovy-security; urgency=medium
    
      * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
        - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
          DirectoryString in crypto/x509v3/v3_genn.c.
        - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
          in crypto/x509v3/v3_genn.c.
        - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
          types don't use implicit tagging in crypto/asn1/asn1_err.c,
          crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
          include/openssl/asn1err.h.
        - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
          to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
          crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
          include/openssl/asn1err.h.
        - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
          in test/v3nametest.c.
        - debian/patches/CVE-2020-1971-6.patch: add a test for
          encoding/decoding using an invalid ASN.1 Template in
          test/asn1_decode_test.c, test/asn1_encode_test.c.
        - CVE-2020-1971
    
     -- Marc Deslauriers <email address hidden>  Wed, 02 Dec 2020 09:43:55 -0500
  • openssl (1.1.1f-1ubuntu4) groovy; urgency=medium
    
      * Cherrypick upstream fix for non-interactive detection on Linux. LP:
        #1879826
      * Cherrypick AES CTR-DRBG: performance improvement LP: #1799928
      * Skip services restart & reboot notification if needrestart is in-use
        LP: #1895708
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 15 Sep 2020 18:04:36 +0100
  • openssl (1.1.1f-1ubuntu3) groovy; urgency=medium
    
      * Import https://github.com/openssl/openssl/pull/12272.patch to enable
        CET.
    
     -- Dimitri John Ledkov <email address hidden>  Thu, 25 Jun 2020 14:18:43 +0100
  • openssl (1.1.1f-1ubuntu2) focal; urgency=medium
    
      * SECURITY UPDATE: Segmentation fault in SSL_check_chain
        - debian/patches/CVE-2020-1967-1.patch: add test for CVE-2020-1967 in
          test/recipes/70-test_sslsigalgs.t.
        - debian/patches/CVE-2020-1967-2.patch: fix NULL dereference in
          SSL_check_chain() for TLS 1.3 in ssl/t1_lib.c.
        - debian/patches/CVE-2020-1967-3.patch: fix test in
          test/recipes/70-test_sslsigalgs.t.
        - debian/patches/CVE-2020-1967-4.patch: fix test in
          test/recipes/70-test_sslsigalgs.t.
        - CVE-2020-1967
    
     -- Marc Deslauriers <email address hidden>  Mon, 20 Apr 2020 07:53:50 -0400