Change logs for openssl source package in Hirsute

  • openssl (1.1.1j-1ubuntu3.6) hirsute; urgency=medium
    
      * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)
    
     -- Julian Andres Klode <email address hidden>  Wed, 24 Nov 2021 11:32:57 +0100
  • openssl (1.1.1j-1ubuntu3.5) hirsute-security; urgency=medium
    
      * SECURITY UPDATE: SM2 Decryption Buffer Overflow
        - debian/patches/CVE-2021-3711-1.patch: correctly calculate the length
          of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c,
          crypto/sm2/sm2_pmeth.c, include/crypto/sm2.h,
          test/sm2_internal_test.c.
        - debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption
          in test/recipes/30-test_evp_data/evppkey.txt.
        - debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is
          large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c.
        - CVE-2021-3711
      * SECURITY UPDATE: Read buffer overrun in X509_aux_print()
        - debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in
          X509_aux_print() in crypto/x509/t_x509.c.
        - debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not
          assume NUL terminated strings in crypto/x509v3/v3_alt.c,
          crypto/x509v3/v3_utl.c, include/crypto/x509.h.
        - debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not
          assume NUL terminated strings in crypto/x509v3/v3_cpols.c.
        - debian/patches/CVE-2021-3712-4.patch: fix printing of
          PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in
          crypto/x509v3/v3_pci.c.
        - debian/patches/CVE-2021-3712-5.patch: fix the name constraints code
          to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
        - debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL
          terminated strings in test/x509_time_test.c.
        - debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not
          assume NUL terminated strings in crypto/x509v3/v3_utl.c.
        - debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print
          function to not assume NUL terminated strings in
          crypto/asn1/t_spki.c.
        - debian/patches/CVE-2021-3712-9.patch: fix
          EC_GROUP_new_from_ecparameters to check the base length in
          crypto/ec/ec_asn1.c.
        - debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect
          string overruns in crypto/asn1/asn1_lib.c.
        - debian/patches/CVE-2021-3712-11.patch: fix the error handling in
          i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c.
        - debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect
          string overruns in crypto/asn1/asn1_lib.c.
        - debian/patches/CVE-2021-3712-13.patch: fix the name constraints code
          to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
        - debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not
          assume NUL terminated strings in crypto/x509v3/v3_utl.c.
        - CVE-2021-3712
    
     -- Marc Deslauriers <email address hidden>  Mon, 23 Aug 2021 13:02:39 -0400
  • openssl (1.1.1j-1ubuntu3.2) hirsute; urgency=medium
    
      * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)
    
    openssl (1.1.1j-1ubuntu3.1) hirsute; urgency=medium
    
      * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
        error when attempting to build a source package, due to pr12272.patch
        patching files multiple times within the same patch. (LP: #1927161)
        - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
        - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
        - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
        - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
        - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch
    
     -- Simon Chopin <email address hidden>  Fri, 23 Jul 2021 14:32:42 +0200
  • openssl (1.1.1j-1ubuntu3.1) hirsute; urgency=medium
    
      * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
        error when attempting to build a source package, due to pr12272.patch
        patching files multiple times within the same patch. (LP: #1927161)
        - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
        - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
        - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
        - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
        - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch
    
     -- Matthew Ruffell <email address hidden>  Wed, 05 May 2021 12:00:54 +1200
  • openssl (1.1.1j-1ubuntu3) hirsute; urgency=medium
    
      * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
        - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
          ssl/statem/extensions.c.
        - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
          <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
        - debian/patches/CVE-2021-3449-3.patch: add a test to
          test/recipes/70-test_renegotiation.t.
        - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
          always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
          ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
          ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
        - CVE-2021-3449
      * SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
        - debian/patches/CVE-2021-3450-1.patch: do not override error return
          value by check_curve in crypto/x509/x509_vfy.c,
          test/verify_extra_test.c.
        - debian/patches/CVE-2021-3450-2.patch: fix return code check in
          crypto/x509/x509_vfy.c.
        - CVE-2021-3450
    
     -- Marc Deslauriers <email address hidden>  Thu, 25 Mar 2021 11:44:30 -0400
  • openssl (1.1.1j-1ubuntu2) hirsute; urgency=medium
    
      * No-change upload to pick up lto.
    
     -- Matthias Klose <email address hidden>  Tue, 23 Mar 2021 15:24:20 +0100
  • openssl (1.1.1j-1ubuntu1) hirsute; urgency=medium
    
      * Merge from Debian unstable.  Remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers, unless needrestart is available.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
          + Skip services restart & reboot notification if needrestart is in-use.
          + Bump version check to 1.1.1.
          + Import libraries/restart-without-asking template as used by above.
        - Revert "Enable system default config to enforce TLS1.2 as a
          minimum" & "Increase default security level from 1 to 2".
        - Reword the NEWS entry, as applicable on Ubuntu.
        - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
          and ECC from master.
        - Use perl:native in the autopkgtest for installability on i386.
        - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
          level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
          below 1.2 and update documentation. Previous default of 1 can be set
          by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
          using ':@SECLEVEL=1' CipherString value in openssl.cfg.
        - Import https://github.com/openssl/openssl/pull/12272.patch to enable
          CET.
      * Add support for building with noudeb build profile.
    
    openssl (1.1.1j-1) unstable; urgency=medium
    
      * New upstream version.
       - CVE-2021-23841 (NULL pointer deref in X509_issuer_and_serial_hash()).
       - CVE-2021-23840 (Possible overflow of the output length argument in
         EVP_CipherUpdate(), EVP_EncryptUpdate() and EVP_DecryptUpdate()).
    
    openssl (1.1.1i-3ubuntu2) hirsute; urgency=medium
    
      * No-change rebuild to drop the udeb package.
    
    openssl (1.1.1i-3ubuntu1) hirsute; urgency=medium
    
      * Merge from Debian unstable.  Remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers, unless needrestart is available.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
          + Skip services restart & reboot notification if needrestart is in-use.
          + Bump version check to 1.1.1.
          + Import libraries/restart-without-asking template as used by above.
        - Revert "Enable system default config to enforce TLS1.2 as a
          minimum" & "Increase default security level from 1 to 2".
        - Reword the NEWS entry, as applicable on Ubuntu.
        - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
          and ECC from master.
        - Use perl:native in the autopkgtest for installability on i386.
        - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
          level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
          below 1.2 and update documentation. Previous default of 1 can be set
          by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
          using ':@SECLEVEL=1' CipherString value in openssl.cfg.
        - Import https://github.com/openssl/openssl/pull/12272.patch to enable
          CET.
    
      * Drop many patches included upstream.
    
    openssl (1.1.1i-3) unstable; urgency=medium
    
      * Cherry-pick a patch from upstream to address #13931.
      * Enable LFS. Thanks to Dan Nicholson for debugging (Closes: #923479).
    
    openssl (1.1.1i-2) unstable; urgency=medium
    
      * Apply two patches from upstream to address x509 related regressions.
    
    openssl (1.1.1i-1) unstable; urgency=medium
    
      * New upstream version.
        - CVE-2020-1971 (EDIPARTYNAME NULL pointer de-reference).
        - Restore rejection of expired trusted (root) certificate
          (Closes: #976465).
    
    openssl (1.1.1h-1) unstable; urgency=medium
    
      * New upstream version
      * Disable CAPI engine, it is designed for Windows.
    
    openssl (1.1.1g-1) unstable; urgency=medium
    
      * New upstream version
        - CVE-2020-1967 (Segmentation fault in SSL_check_chain).
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 23 Feb 2021 22:01:12 +0000
  • openssl (1.1.1i-3ubuntu2) hirsute; urgency=medium
    
      * No-change rebuild to drop the udeb package.
    
     -- Matthias Klose <email address hidden>  Mon, 22 Feb 2021 10:35:47 +0100
  • openssl (1.1.1i-3ubuntu1) hirsute; urgency=medium
    
      * Merge from Debian unstable.  Remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers, unless needrestart is available.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
          + Skip services restart & reboot notification if needrestart is in-use.
          + Bump version check to 1.1.1.
          + Import libraries/restart-without-asking template as used by above.
        - Revert "Enable system default config to enforce TLS1.2 as a
          minimum" & "Increase default security level from 1 to 2".
        - Reword the NEWS entry, as applicable on Ubuntu.
        - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
          and ECC from master.
        - Use perl:native in the autopkgtest for installability on i386.
        - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
          level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
          below 1.2 and update documentation. Previous default of 1 can be set
          by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
          using ':@SECLEVEL=1' CipherString value in openssl.cfg.
        - Import https://github.com/openssl/openssl/pull/12272.patch to enable
          CET.
    
      * Drop many patches included upstream.
    
    openssl (1.1.1i-3) unstable; urgency=medium
    
      * Cherry-pick a patch from upstream to address #13931.
      * Enable LFS. Thanks to Dan Nicholson for debugging (Closes: #923479).
    
    openssl (1.1.1i-2) unstable; urgency=medium
    
      * Apply two patches from upstream to address x509 related regressions.
    
    openssl (1.1.1i-1) unstable; urgency=medium
    
      * New upstream version.
        - CVE-2020-1971 (EDIPARTYNAME NULL pointer de-reference).
        - Restore rejection of expired trusted (root) certificate
          (Closes: #976465).
    
    openssl (1.1.1h-1) unstable; urgency=medium
    
      * New upstream version
      * Disable CAPI engine, it is designed for Windows.
    
    openssl (1.1.1g-1) unstable; urgency=medium
    
      * New upstream version
        - CVE-2020-1967 (Segmentation fault in SSL_check_chain).
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 08 Feb 2021 11:08:21 +0000
  • openssl (1.1.1f-1ubuntu5) hirsute; urgency=medium
    
      * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
        - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
          DirectoryString in crypto/x509v3/v3_genn.c.
        - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
          in crypto/x509v3/v3_genn.c.
        - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
          types don't use implicit tagging in crypto/asn1/asn1_err.c,
          crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
          include/openssl/asn1err.h.
        - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
          to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
          crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
          include/openssl/asn1err.h.
        - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
          in test/v3nametest.c.
        - debian/patches/CVE-2020-1971-6.patch: add a test for
          encoding/decoding using an invalid ASN.1 Template in
          test/asn1_decode_test.c, test/asn1_encode_test.c.
        - CVE-2020-1971
    
     -- Marc Deslauriers <email address hidden>  Tue, 08 Dec 2020 12:33:52 -0500
  • openssl (1.1.1f-1ubuntu4) groovy; urgency=medium
    
      * Cherrypick upstream fix for non-interactive detection on Linux.
        LP: #1879826
      * Cherrypick AES CTR-DRBG performance improvement. LP: #1799928
      * Skip services restart & reboot notification if needrestart is in-use.
        LP: #1895708
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 15 Sep 2020 18:04:36 +0100