-
openssl (3.0.10-1ubuntu2.3) mantic-security; urgency=medium
* SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090)
- debian/patches/openssl-pkcs1-implicit-rejection.patch:
Return deterministic random output instead of an error in case
there is a padding error in crypto/cms/cms_env.c,
crypto/evp/ctrl_params_translate.c, crypto/pkcs7/pk7_doit.c,
crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c,
crypto/rsa/rsa_pmeth.c, doc/man1/openssl-pkeyutl.pod.in,
doc/man1/openssl-rsautl.pod.in, doc/man3/EVP_PKEY_CTX_ctrl.pod,
doc/man3/EVP_PKEY_decrypt.pod,
doc/man3/RSA_padding_add_PKCS1_type_1.pod,
doc/man3/RSA_public_encrypt.pod, doc/man7/provider-asym_cipher.pod,
include/crypto/rsa.h, include/openssl/core_names.h,
include/openssl/rsa.h,
providers/implementations/asymciphers/rsa_enc.c and
test/recipes/30-test_evp_data/evppkey_rsa_common.txt.
-- David Fernandez Gonzalez <email address hidden> Wed, 21 Feb 2024 11:45:39 +0100
-
openssl (3.0.10-1ubuntu2.2) mantic-security; urgency=medium
* SECURITY UPDATE: Excessive time spent in DH check / generation with
large Q parameter value
- debian/patches/CVE-2023-5678.patch: make DH_check_pub_key() and
DH_generate_key() safer yet in crypto/dh/dh_check.c,
crypto/dh/dh_err.c, crypto/dh/dh_key.c, crypto/err/openssl.txt,
include/crypto/dherr.h, include/openssl/dh.h,
include/openssl/dherr.h.
- CVE-2023-5678
* SECURITY UPDATE: POLY1305 MAC implementation corrupts vector registers
on PowerPC
- debian/patches/CVE-2023-6129.patch: fix vector register clobbering in
crypto/poly1305/asm/poly1305-ppc.pl.
- CVE-2023-6129
* SECURITY UPDATE: Excessive time spent checking invalid RSA public keys
- debian/patches/CVE-2023-6237.patch: limit the execution time of RSA
public key check in crypto/rsa/rsa_sp800_56b_check.c,
test/recipes/91-test_pkey_check.t,
test/recipes/91-test_pkey_check_data/rsapub_17k.pem.
- CVE-2023-6237
* SECURITY UPDATE: PKCS12 Decoding crashes
- debian/patches/CVE-2024-0727.patch: add NULL checks where ContentInfo
data can be NULL in crypto/pkcs12/p12_add.c,
crypto/pkcs12/p12_mutl.c, crypto/pkcs12/p12_npas.c,
crypto/pkcs7/pk7_mime.c.
- CVE-2024-0727
-- Marc Deslauriers <email address hidden> Wed, 31 Jan 2024 13:03:16 -0500
-
openssl (3.0.10-1ubuntu2.1) mantic-security; urgency=medium
* SECURITY UPDATE: Incorrect cipher key and IV length processing
- debian/patches/CVE-2023-5363-1.patch: process key length and iv
length early if present in crypto/evp/evp_enc.c.
- debian/patches/CVE-2023-5363-2.patch: add unit test in
test/evp_extra_test.c.
- CVE-2023-5363
-- Marc Deslauriers <email address hidden> Fri, 13 Oct 2023 07:51:05 -0400
-
openssl (3.0.10-1ubuntu2) mantic; urgency=medium
* d/p/intel/*: cherry-pick AVX512 patches for recent Intel CPUs (LP: #2030784)
-- Simon Chopin <email address hidden> Tue, 08 Aug 2023 17:51:58 +0200
-
openssl (3.0.10-1ubuntu1) mantic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Remaining changes:
+ Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
openssl
+ d/libssl3.postinst: Revert Debian deletion
- Skip services restart & reboot notification if needrestart is in-use.
- Bump version check to 1.1.1 (bug opened as LP: #1999139)
- Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Import libraries/restart-without-asking template as used by above.
+ Add support for building with noudeb build profile.
+ Use perl:native in the autopkgtest for installability on i386.
openssl (3.0.10-1) unstable; urgency=medium
* Import 3.0.10
- CVE-2023-2975 (AES-SIV implementation ignores empty associated data
entries) (Closes: #1041818).
- CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
(Closes: #1041817).
- CVE-2023-3817 (Excessive time spent checking DH q parameter value).
- Drop bc and m4 from B-D.
-- Gianfranco Costamagna <email address hidden> Wed, 02 Aug 2023 08:59:28 +0200
-
openssl (3.0.9-1ubuntu1) mantic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Remaining changes:
+ Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
openssl
+ d/libssl3.postinst: Revert Debian deletion
- Skip services restart & reboot notification if needrestart is in-use.
- Bump version check to 1.1.1 (bug opened as LP: #1999139)
- Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Import libraries/restart-without-asking template as used by above.
+ Add support for building with noudeb build profile.
+ Use perl:native in the autopkgtest for installability on i386.
openssl (3.0.9-1) unstable; urgency=medium
* Import 3.0.7
- CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
Constraints) (Closes: #1034720).
- CVE-2023-0465 (Invalid certificate policies in leaf certificates are
silently ignored).
- CVE-2023-0466 (Certificate policy check not enabled).
- Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
- CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
- CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).
- Add new symbol.
openssl (3.0.8-1ubuntu3) mantic; urgency=medium
* SECURITY UPDATE: DoS in AES-XTS cipher decryption
- debian/patches/CVE-2023-1255.patch: avoid buffer overrread in
crypto/aes/asm/aesv8-armx.pl.
- CVE-2023-1255
* SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers
- debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT
IDENTIFIERs that OBJ_obj2txt will translate in
crypto/objects/obj_dat.c.
- CVE-2023-2650
* Replace CVE-2022-4304 fix with improved version
- debian/patches/revert-CVE-2022-4304.patch: remove previous fix.
- debian/patches/CVE-2022-4304.patch: use alternative fix in
crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c,
crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c.
openssl (3.0.8-1ubuntu2) mantic; urgency=medium
* Manual reupload from lunar-security to mantic-proposed pocket, due to
LP failing to copy it
openssl (3.0.8-1ubuntu1.1) lunar-security; urgency=medium
* SECURITY UPDATE: excessive resource use when verifying policy constraints
- debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
in a policy tree (the default limit is set to 1000 nodes).
- debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
resource overuse.
- debian/patches/CVE-2023-0464-3.patch: disable the policy tree
exponential growth test conditionally.
- CVE-2023-0464
* SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
- debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
is checked even in leaf certs.
- debian/patches/CVE-2023-0465-2.patch: generate some certificates with
the certificatePolicies extension.
- debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
- CVE-2023-0466
* SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
not enabled as documented
- debian/patches/CVE-2023-0466.patch: fix documentation of
X509_VERIFY_PARAM_add0_policy().
- CVE-2023-0466
-- Gianfranco Costamagna <email address hidden> Mon, 12 Jun 2023 11:19:44 +0200
-
openssl (3.0.8-1ubuntu3) mantic; urgency=medium
* SECURITY UPDATE: DoS in AES-XTS cipher decryption
- debian/patches/CVE-2023-1255.patch: avoid buffer overrread in
crypto/aes/asm/aesv8-armx.pl.
- CVE-2023-1255
* SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers
- debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT
IDENTIFIERs that OBJ_obj2txt will translate in
crypto/objects/obj_dat.c.
- CVE-2023-2650
* Replace CVE-2022-4304 fix with improved version
- debian/patches/revert-CVE-2022-4304.patch: remove previous fix.
- debian/patches/CVE-2022-4304.patch: use alternative fix in
crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c,
crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c.
-- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:04:49 -0400
-
openssl (3.0.8-1ubuntu2) mantic; urgency=medium
* Manual reupload from lunar-security to mantic-proposed pocket, due to
LP failing to copy it
-- Gianfranco Costamagna <email address hidden> Wed, 03 May 2023 10:49:04 +0200
-
openssl (3.0.8-1ubuntu1.1) lunar-security; urgency=medium
* SECURITY UPDATE: excessive resource use when verifying policy constraints
- debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
in a policy tree (the default limit is set to 1000 nodes).
- debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
resource overuse.
- debian/patches/CVE-2023-0464-3.patch: disable the policy tree
exponential growth test conditionally.
- CVE-2023-0464
* SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
- debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
is checked even in leaf certs.
- debian/patches/CVE-2023-0465-2.patch: generate some certificates with
the certificatePolicies extension.
- debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
- CVE-2023-0466
* SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
not enabled as documented
- debian/patches/CVE-2023-0466.patch: fix documentation of
X509_VERIFY_PARAM_add0_policy().
- CVE-2023-0466
-- Camila Camargo de Matos <email address hidden> Mon, 24 Apr 2023 07:52:33 -0300
-
openssl (3.0.8-1ubuntu1) lunar; urgency=medium
* Merge 3.0.8 from Debian testing (LP: #2006954)
- Remaining changes:
+ Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
openssl
+ d/libssl3.postinst: Revert Debian deletion
- Skip services restart & reboot notification if needrestart is in-use.
- Bump version check to 1.1.1 (bug opened as LP: #1999139)
- Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Import libraries/restart-without-asking template as used by above.
+ Add support for building with noudeb build profile.
+ Use perl:native in the autopkgtest for installability on i386.
-- Adrien Nader <email address hidden> Mon, 20 Feb 2023 16:10:19 +0100