Change logs for openssl source package in Noble

  • openssl (3.0.13-0ubuntu3) noble; urgency=medium
    
      * No-change rebuild for CVE-2024-3094
    
     -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 06:42:03 +0000
  • openssl (3.0.13-0ubuntu2) noble; urgency=medium
    
      [ Tobias Heider ]
      * Add FIPS-mode detection and adjust defaults when running in FIPS mode
        (LP: #2056593):
        - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch:
          Detect if kernel FIPS mode is enabled
        - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch:
          Load FIPS provider if running in FIPS mode
        - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch:
          Limit openssl-speed to FIPS compliant algorithms when running in FIPS mode
        - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch:
          Make sure DRBG respects query properties
        - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch:
          Make sure encoding runs with correct library context and provider
    
      [ Adrien Nader ]
      * Re-enable intel/0002-AES-GCM-enabled-with-AVX512-vAES-and-vPCLMULQDQ.patch
        (LP: #2030784)
        Thanks Bun K Tan and Dan Zimmerman
      * Disable LTO with which the codebase is generally incompatible (LP: #2058017)
    
     -- Adrien Nader <email address hidden>  Fri, 15 Mar 2024 09:46:33 +0100
  • openssl (3.0.13-0ubuntu1) noble; urgency=medium
    
      * Import 3.0.13
        - Drop security patches:
          + CVE-2023-5363-1.patch
          + CVE-2023-5363-2.patch
          + CVE-2023-5678.patch
          + CVE-2023-6129.patch
          + CVE-2023-6237.patch
          + CVE-2024-0727.patch
        - Skip intel/0002-AES-GCM-enabled-with-AVX512-vAES-and-vPCLMULQDQ.patch
          as it causes testsuite failures.
    
     -- Adrien Nader <email address hidden>  Fri, 08 Mar 2024 10:47:35 +0100
  • openssl (3.0.10-1ubuntu5) noble; urgency=medium
    
      * Rename libraries for 64-bit time_t transition.  Closes: #1064264
    
     -- Steve Langasek <email address hidden>  Sun, 03 Mar 2024 20:47:45 -0800
  • openssl (3.0.10-1ubuntu4) noble; urgency=medium
    
      * SECURITY UPDATE: Excessive time spent in DH check / generation with
        large Q parameter value
        - debian/patches/CVE-2023-5678.patch: make DH_check_pub_key() and
          DH_generate_key() safer yet in crypto/dh/dh_check.c,
          crypto/dh/dh_err.c, crypto/dh/dh_key.c, crypto/err/openssl.txt,
          include/crypto/dherr.h, include/openssl/dh.h,
          include/openssl/dherr.h.
        - CVE-2023-5678
      * SECURITY UPDATE: POLY1305 MAC implementation corrupts vector registers
        on PowerPC
        - debian/patches/CVE-2023-6129.patch: fix vector register clobbering in
          crypto/poly1305/asm/poly1305-ppc.pl.
        - CVE-2023-6129
      * SECURITY UPDATE: Excessive time spent checking invalid RSA public keys
        - debian/patches/CVE-2023-6237.patch: limit the execution time of RSA
          public key check in crypto/rsa/rsa_sp800_56b_check.c,
          test/recipes/91-test_pkey_check.t,
          test/recipes/91-test_pkey_check_data/rsapub_17k.pem.
        - CVE-2023-6237
      * SECURITY UPDATE: PKCS12 Decoding crashes
        - debian/patches/CVE-2024-0727.patch: add NULL checks where ContentInfo
          data can be NULL in crypto/pkcs12/p12_add.c,
          crypto/pkcs12/p12_mutl.c, crypto/pkcs12/p12_npas.c,
          crypto/pkcs7/pk7_mime.c.
        - CVE-2024-0727
    
     -- Marc Deslauriers <email address hidden>  Wed, 31 Jan 2024 13:03:16 -0500
  • openssl (3.0.10-1ubuntu3) noble; urgency=medium
    
      * Drop most of d/libssl3.postinst, keeping only the reboot notification on
        servers. The dropped code was actually unreachable since around Ubuntu
        18.04, except for debconf which was loaded but not used.
      * Remove template for debconf
    
     -- Adrien Nader <email address hidden>  Mon, 18 Sep 2023 16:06:16 +0200
  • openssl (3.0.10-1ubuntu2.1) mantic-security; urgency=medium
    
      * SECURITY UPDATE: Incorrect cipher key and IV length processing
        - debian/patches/CVE-2023-5363-1.patch: process key length and iv
          length early if present in crypto/evp/evp_enc.c.
        - debian/patches/CVE-2023-5363-2.patch: add unit test in
          test/evp_extra_test.c.
        - CVE-2023-5363
    
     -- Marc Deslauriers <email address hidden>  Fri, 13 Oct 2023 07:51:05 -0400
  • openssl (3.0.10-1ubuntu2) mantic; urgency=medium
    
      * d/p/intel/*: cherry-pick AVX512 patches for recent Intel CPUs (LP: #2030784)
    
     -- Simon Chopin <email address hidden>  Tue, 08 Aug 2023 17:51:58 +0200
  • openssl (3.0.8-1ubuntu1.1) lunar-security; urgency=medium
    
      * SECURITY UPDATE: excessive resource use when verifying policy constraints
        - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
          in a policy tree (the default limit is set to 1000 nodes).
        - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
          resource overuse.
        - debian/patches/CVE-2023-0464-3.patch: disable the policy tree
          exponential growth test conditionally.
        - CVE-2023-0464
      * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
        - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
          is checked even in leaf certs.
        - debian/patches/CVE-2023-0465-2.patch: generate some certificates with
          the certificatePolicies extension.
        - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
        - CVE-2023-0466
      * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
        not enabled as documented
        - debian/patches/CVE-2023-0466.patch: fix documentation of
          X509_VERIFY_PARAM_add0_policy().
        - CVE-2023-0466
    
     -- Camila Camargo de Matos <email address hidden>  Mon, 24 Apr 2023 07:52:33 -0300