Change log for openssl package in Ubuntu
openssl (1.1.1-1ubuntu2.1~18.04.17) bionic-security; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in.
    - CVE-2022-1292
  * NOTE: This package does _not_ contain the changes from 1.1.1-1ubuntu2.1~18.04.16 in bionic-proposed.

 -- Marc Deslauriers <email address hidden>  Tue, 03 May 2022 13:51:42 -0400

openssl (1.1.1l-1ubuntu1.3) impish-security; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in.
    - CVE-2022-1292

 -- Marc Deslauriers <email address hidden>  Tue, 03 May 2022 13:48:03 -0400

Superseded in bionic-proposed
openssl (1.1.1-1ubuntu2.1~18.04.16) bionic; urgency=medium

  * Backport pr9780:
    - d/p/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch
    - d/p/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch (LP: #1940141)

 -- Bruce Elrick <email address hidden>  Wed, 16 Mar 2022 17:05:32 +0000

Superseded in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
openssl (3.0.2-0ubuntu1) jammy; urgency=medium

  * New upstream bugfix release (LP: #1965141)
  * d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the testsuite

 -- Simon Chopin <email address hidden>  Wed, 16 Mar 2022 09:35:51 +0100

openssl (1.1.1l-1ubuntu1.2) impish-security; urgency=medium

  * SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
    - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c.
    - debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod.
    - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt.
    - CVE-2022-0778

 -- Marc Deslauriers <email address hidden>  Wed, 09 Mar 2022 07:06:18 -0500

openssl (1.1.1-1ubuntu2.1~18.04.15) bionic-security; urgency=medium

  * SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
    - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c.
    - debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod.
    - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt.
    - CVE-2022-0778

 -- Marc Deslauriers <email address hidden>  Wed, 09 Mar 2022 07:13:40 -0500

openssl (1.1.1f-1ubuntu2.12) focal-security; urgency=medium

  * SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
    - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c.
    - debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod.
    - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt.
    - CVE-2022-0778

 -- Marc Deslauriers <email address hidden>  Wed, 09 Mar 2022 07:12:45 -0500

openssl (1.1.1f-1ubuntu2.11) focal; urgency=medium

  * Fixup pointer authentication for armv8 systems that support it when using the poly1305 MAC, preventing segmentation faults. (LP: #1960863)
    - d/p/lp-1960863-crypto-poly1305-asm-fix-armv8-pointer-authenticat.patch

 -- Matthew Ruffell <email address hidden>  Tue, 15 Feb 2022 10:10:01 +1300

openssl (3.0.1-0ubuntu1) jammy; urgency=medium

  * New upstream release (LP: #1955026).
    + Dropped patches, merged upstream:
      - d/p/double-engine-load*
      - d/p/Add-null-digest-implementation-to-the-default-provid.patch
      - d/p/Don-t-create-an-ECX-key-with-short-keys.patch
    + Refreshed patches:
      - d/p/c_rehash-compat.patch

 -- Simon Chopin <email address hidden>  Thu, 16 Dec 2021 09:10:48 +0100

Superseded in jammy-proposed
openssl (3.0.0-1ubuntu2) jammy; urgency=medium

  * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)

 -- Julian Andres Klode <email address hidden>  Tue, 07 Dec 2021 17:15:51 +0100

openssl (1.1.1-1ubuntu2.1~18.04.14) bionic; urgency=medium

  * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)

 -- Julian Andres Klode <email address hidden>  Wed, 24 Nov 2021 14:50:16 +0100

openssl (1.1.1f-1ubuntu2.10) focal; urgency=medium

  * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)

 -- Julian Andres Klode <email address hidden>  Wed, 24 Nov 2021 14:20:48 +0100

openssl (1.1.1j-1ubuntu3.6) hirsute; urgency=medium

  * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)

 -- Julian Andres Klode <email address hidden>  Wed, 24 Nov 2021 11:32:57 +0100

openssl (1.1.1l-1ubuntu1.1) impish; urgency=medium

  * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)

 -- Julian Andres Klode <email address hidden>  Wed, 24 Nov 2021 10:53:29 +0100

openssl (3.0.0-1ubuntu1) jammy; urgency=medium

  * Manual merge of version 3.0.0-1 from Debian experimental, remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available.
      + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed.
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Add support for building with noudeb build profile.
  * d/p/Don-t-create-an-ECX-key-with-short-keys.patch: Backported from upstream to fix a regression with short keys (LP: #1946213)
  * d/p/Add-null-digest-implementation-to-the-default-provid.patch: Backported from upstream to fix a compatibility issue with 1.1.1l
  * Manually call dh_installdirs to fix build failure
  * Drop some Ubuntu patches merged upstream
    + The s390x series (00xx) has been applied upstream
    + The lp-1927161 Intel CET series has been applied upstream
    + CVE-2021-3449 has been fixed upstream
    + CVE-2021-3450 doesn't apply to 3.0 branch
  * Refresh and adapt the remaining patches

Superseded in jammy-release
Obsolete in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
openssl (1.1.1l-1ubuntu1) impish; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available.
      + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed.
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master.
    - Use perl:native in the autopkgtest for installability on i386.
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Import https://github.com/openssl/openssl/pull/12272.patch to enable CET.
    - Add support for building with noudeb build profile.
  * Dropped changes:
    - Cherry-pick an upstream patch to fix s390x AES code

openssl (1.1.1f-1ubuntu2.9) focal; urgency=medium

  * Cherry-pick stable patches to fix potential use-after-free. LP: #1940656

 -- Dimitri John Ledkov <email address hidden>  Wed, 25 Aug 2021 02:13:44 +0100

openssl (1.1.1j-1ubuntu3.5) hirsute-security; urgency=medium

  * SECURITY UPDATE: SM2 Decryption Buffer Overflow
    - debian/patches/CVE-2021-3711-1.patch: correctly calculate the length of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c, crypto/sm2/sm2_pmeth.c, include/crypto/sm2.h, test/sm2_internal_test.c.
    - debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption in test/recipes/30-test_evp_data/evppkey.txt.
    - debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c.
    - CVE-2021-3711
  * SECURITY UPDATE: Read buffer overrun in X509_aux_print()
    - debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in X509_aux_print() in crypto/x509/t_x509.c.
    - debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_alt.c, crypto/x509v3/v3_utl.c, include/crypto/x509.h.
    - debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not assume NUL terminated strings in crypto/x509v3/v3_cpols.c.
    - debian/patches/CVE-2021-3712-4.patch: fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in crypto/x509v3/v3_pci.c.
    - debian/patches/CVE-2021-3712-5.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
    - debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL terminated strings in test/x509_time_test.c.
    - debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not assume NUL terminated strings in crypto/x509v3/v3_utl.c.
    - debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print function to not assume NUL terminated strings in crypto/asn1/t_spki.c.
    - debian/patches/CVE-2021-3712-9.patch: fix EC_GROUP_new_from_ecparameters to check the base length in crypto/ec/ec_asn1.c.
    - debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c.
    - debian/patches/CVE-2021-3712-11.patch: fix the error handling in i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c.
    - debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c.
    - debian/patches/CVE-2021-3712-13.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
    - debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_utl.c.
    - CVE-2021-3712

 -- Marc Deslauriers <email address hidden>  Mon, 23 Aug 2021 13:02:39 -0400

openssl (1.1.1-1ubuntu2.1~18.04.13) bionic-security; urgency=medium

  * SECURITY UPDATE: SM2 Decryption Buffer Overflow
    - debian/patches/CVE-2021-3711-1.patch: correctly calculate the length of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c, crypto/sm2/sm2_pmeth.c, crypto/include/internal/sm2.h, test/sm2_internal_test.c.
    - debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption in test/recipes/30-test_evp_data/evppkey.txt.
    - debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c.
    - CVE-2021-3711
  * SECURITY UPDATE: Read buffer overrun in X509_aux_print()
    - debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in X509_aux_print() in crypto/x509/t_x509.c.
    - debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_alt.c, crypto/x509v3/v3_utl.c, crypto/include/internal/x509_int.h.
    - debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not assume NUL terminated strings in crypto/x509v3/v3_cpols.c.
    - debian/patches/CVE-2021-3712-4.patch: fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in crypto/x509v3/v3_pci.c.
    - debian/patches/CVE-2021-3712-5.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
    - debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL terminated strings in test/x509_time_test.c.
    - debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not assume NUL terminated strings in crypto/x509v3/v3_utl.c.
    - debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print function to not assume NUL terminated strings in crypto/asn1/t_spki.c.
    - debian/patches/CVE-2021-3712-9.patch: fix EC_GROUP_new_from_ecparameters to check the base length in crypto/ec/ec_asn1.c.
    - debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c.
    - debian/patches/CVE-2021-3712-11.patch: fix the error handling in i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c.
    - debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c.
    - debian/patches/CVE-2021-3712-13.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
    - debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_utl.c.
    - CVE-2021-3712

 -- Marc Deslauriers <email address hidden>  Mon, 23 Aug 2021 13:02:39 -0400

openssl (1.1.1f-1ubuntu2.8) focal-security; urgency=medium

  * SECURITY UPDATE: SM2 Decryption Buffer Overflow
    - debian/patches/CVE-2021-3711-1.patch: correctly calculate the length of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c, crypto/sm2/sm2_pmeth.c, include/crypto/sm2.h, test/sm2_internal_test.c.
    - debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption in test/recipes/30-test_evp_data/evppkey.txt.
    - debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c.
    - CVE-2021-3711
  * SECURITY UPDATE: Read buffer overrun in X509_aux_print()
    - debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in X509_aux_print() in crypto/x509/t_x509.c.
    - debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_alt.c, crypto/x509v3/v3_utl.c, include/crypto/x509.h.
    - debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not assume NUL terminated strings in crypto/x509v3/v3_cpols.c.
    - debian/patches/CVE-2021-3712-4.patch: fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in crypto/x509v3/v3_pci.c.
    - debian/patches/CVE-2021-3712-5.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
    - debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL terminated strings in test/x509_time_test.c.
    - debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not assume NUL terminated strings in crypto/x509v3/v3_utl.c.
    - debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print function to not assume NUL terminated strings in crypto/asn1/t_spki.c.
    - debian/patches/CVE-2021-3712-9.patch: fix EC_GROUP_new_from_ecparameters to check the base length in crypto/ec/ec_asn1.c.
    - debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c.
    - debian/patches/CVE-2021-3712-11.patch: fix the error handling in i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c.
    - debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c.
    - debian/patches/CVE-2021-3712-13.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
    - debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_utl.c.
    - CVE-2021-3712

 -- Marc Deslauriers <email address hidden>  Mon, 23 Aug 2021 13:02:39 -0400

openssl (1.1.1k-1ubuntu1) impish; urgency=low

  * Merge from Debian unstable (LP: #1939544). Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available.
      + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed.
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master.
    - Use perl:native in the autopkgtest for installability on i386.
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Import https://github.com/openssl/openssl/pull/12272.patch to enable CET.
    - Add support for building with noudeb build profile.
  * Dropped changes, superseded upstream:
    - SECURITY UPDATE: NULL pointer deref in signature_algorithms processing -> CVE-2021-3449
    - SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT -> CVE-2021-3450

openssl (1.1.1-1ubuntu2.1~18.04.10) bionic; urgency=medium

  * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)

 -- Simon Chopin <email address hidden>  Fri, 23 Jul 2021 14:32:42 +0200

openssl (1.1.1f-1ubuntu2.5) focal; urgency=medium

  * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)

 -- Simon Chopin <email address hidden>  Fri, 23 Jul 2021 14:32:42 +0200

openssl (1.1.1j-1ubuntu3.2) hirsute; urgency=medium

  * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)

openssl (1.1.1j-1ubuntu5) impish; urgency=medium

  * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)

 -- Simon Chopin <email address hidden>  Fri, 23 Jul 2021 14:32:42 +0200

Published in xenial-security
Published in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
openssl (1.0.2g-1ubuntu4.20) xenial-security; urgency=medium

  * Enable X509_V_FLAG_TRUSTED_FIRST by default, such that letsencrypt connection with the default chain remains trusted even after the expiry of the redundant CA certificate. LP: #1928989

 -- Dimitri John Ledkov <email address hidden>  Mon, 28 Jun 2021 14:05:36 +0100

openssl (1.1.1f-1ubuntu2.4) focal; urgency=medium

  * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0 to validate, as it is common on self-signed leaf certificates. (LP: #1926254)
    - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch
    - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch
    - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch

 -- Matthew Ruffell <email address hidden>  Wed, 28 Apr 2021 12:37:28 +1200

openssl (1.1.1f-1ubuntu4.4) groovy; urgency=medium

  * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0 to validate, as it is common on self-signed leaf certificates. (LP: #1926254)
    - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch
    - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch
    - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch
  * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source error when attempting to build a source package, due to pr12272.patch patching files multiple times within the same patch. (LP: #1927161)
    - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
    - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
    - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
    - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
    - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch

 -- Matthew Ruffell <email address hidden>  Wed, 05 May 2021 12:13:30 +1200

Superseded in hirsute-proposed
openssl (1.1.1j-1ubuntu3.1) hirsute; urgency=medium

  * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source error when attempting to build a source package, due to pr12272.patch patching files multiple times within the same patch. (LP: #1927161)
    - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
    - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
    - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
    - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
    - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch

 -- Matthew Ruffell <email address hidden>  Wed, 05 May 2021 12:00:54 +1200

openssl (1.1.1j-1ubuntu4) impish; urgency=medium

  * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source error when attempting to build a source package, due to pr12272.patch patching files multiple times within the same patch. (LP: #1927161)
    - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
    - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
    - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
    - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
    - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch

 -- Matthew Ruffell <email address hidden>  Wed, 05 May 2021 11:49:27 +1200

Superseded in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
openssl (1.1.1j-1ubuntu3) hirsute; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in ssl/statem/extensions.c.
    - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    - debian/patches/CVE-2021-3449-3.patch: add a test to test/recipes/70-test_renegotiation.t.
    - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are always in sync in ssl/s3_lib.c, ssl/ssl_lib.c, ssl/statem/extensions.c, ssl/statem/extensions_clnt.c, ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
    - CVE-2021-3449
  * SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
    - debian/patches/CVE-2021-3450-1.patch: do not override error return value by check_curve in crypto/x509/x509_vfy.c, test/verify_extra_test.c.
    - debian/patches/CVE-2021-3450-2.patch: fix return code check in crypto/x509/x509_vfy.c.
    - CVE-2021-3450

 -- Marc Deslauriers <email address hidden>  Thu, 25 Mar 2021 11:44:30 -0400

Superseded in hirsute-proposed
openssl (1.1.1j-1ubuntu2) hirsute; urgency=medium

  * No-change upload to pick up lto.

 -- Matthias Klose <email address hidden>  Tue, 23 Mar 2021 15:24:20 +0100

openssl (1.1.1-1ubuntu2.1~18.04.9) bionic-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in ssl/statem/extensions.c.
    - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    - debian/patches/CVE-2021-3449-3.patch: add a test to test/recipes/70-test_renegotiation.t.
    - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are always in sync in ssl/s3_lib.c, ssl/ssl_lib.c, ssl/statem/extensions.c, ssl/statem/extensions_clnt.c, ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
    - CVE-2021-3449

 -- Marc Deslauriers <email address hidden>  Mon, 22 Mar 2021 07:42:42 -0400

openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in ssl/statem/extensions.c.
    - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    - debian/patches/CVE-2021-3449-3.patch: add a test to test/recipes/70-test_renegotiation.t.
    - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are always in sync in ssl/s3_lib.c, ssl/ssl_lib.c, ssl/statem/extensions.c, ssl/statem/extensions_clnt.c, ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
    - CVE-2021-3449

 -- Marc Deslauriers <email address hidden>  Mon, 22 Mar 2021 07:37:17 -0400

openssl (1.1.1f-1ubuntu4.3) groovy-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in ssl/statem/extensions.c.
    - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    - debian/patches/CVE-2021-3449-3.patch: add a test to test/recipes/70-test_renegotiation.t.
    - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are always in sync in ssl/s3_lib.c, ssl/ssl_lib.c, ssl/statem/extensions.c, ssl/statem/extensions_clnt.c, ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
    - CVE-2021-3449

 -- Marc Deslauriers <email address hidden>  Mon, 22 Mar 2021 07:33:17 -0400

openssl (1.1.1j-1ubuntu1) hirsute; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available.
      + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed.
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master.
    - Use perl:native in the autopkgtest for installability on i386.
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Import https://github.com/openssl/openssl/pull/12272.patch to enable CET.
  * Add support for building with noudeb build profile.

openssl (1.0.1-4ubuntu5.45) precise-security; urgency=medium

  * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
    - debian/patches/DirectoryString-is-a-CHOICE-type-and-therefore-uses-expli.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c.
    - debian/patches/Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c.
    - debian/patches/Check-that-multi-strings-CHOICE-types-don-t-use-implicit-.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/asn1/asn1.h.
    - debian/patches/Complain-if-we-are-attempting-to-encode-with-an-invalid-A.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/asn1/asn1.h.
    - CVE-2020-1971
  * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
    - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c.
    - CVE-2021-23841

 -- Avital Ostromich <email address hidden>  Fri, 19 Feb 2021 17:38:20 -0500

Superseded in hirsute-proposed
openssl (1.1.1i-3ubuntu2) hirsute; urgency=medium

  * No-change rebuild to drop the udeb package.

 -- Matthias Klose <email address hidden>  Mon, 22 Feb 2021 10:35:47 +0100

openssl (1.0.2g-1ubuntu4.19) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in CipherUpdate
    - debian/patches/CVE-2021-23840-pre1.patch: add new EVP error codes in crypto/evp/evp_err.c, crypto/evp/evp.h.
    - debian/patches/CVE-2021-23840-pre2.patch: add a new EVP error code in crypto/evp/evp_err.c, crypto/evp/evp.h.
    - debian/patches/CVE-2021-23840.patch: don't overflow the output length in EVP_CipherUpdate calls in crypto/evp/evp_enc.c, crypto/evp/evp_err.c, crypto/evp/evp.h.
    - CVE-2021-23840
  * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
    - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c.
    - CVE-2021-23841

 -- Marc Deslauriers <email address hidden>  Wed, 17 Feb 2021 08:14:40 -0500

openssl (1.1.1-1ubuntu2.1~18.04.8) bionic-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in CipherUpdate
    - debian/patches/CVE-2021-23840-pre1.patch: add a new EVP error code in crypto/err/openssl.txt, crypto/evp/evp_err.c, include/openssl/evperr.h.
    - debian/patches/CVE-2021-23840.patch: don't overflow the output length in EVP_CipherUpdate calls in crypto/err/openssl.txt, crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
    - CVE-2021-23840
  * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
    - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c.
    - CVE-2021-23841

 -- Marc Deslauriers <email address hidden>  Wed, 17 Feb 2021 07:35:54 -0500

openssl (1.1.1f-1ubuntu4.2) groovy-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in CipherUpdate
    - debian/patches/CVE-2021-23840.patch: don't overflow the output length in EVP_CipherUpdate calls in crypto/err/openssl.txt, crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
    - CVE-2021-23840
  * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
    - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c.
    - CVE-2021-23841

 -- Marc Deslauriers <email address hidden>  Wed, 17 Feb 2021 07:32:55 -0500

openssl (1.1.1f-1ubuntu2.2) focal-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in CipherUpdate
    - debian/patches/CVE-2021-23840.patch: don't overflow the output length in EVP_CipherUpdate calls in crypto/err/openssl.txt, crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
    - CVE-2021-23840
  * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
    - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c.
    - CVE-2021-23841

 -- Marc Deslauriers <email address hidden>  Wed, 17 Feb 2021 07:35:54 -0500

Superseded in hirsute-proposed
openssl (1.1.1i-3ubuntu1) hirsute; urgency=medium
* Merge from Debian unstable. Remaining changes:
  - Replace duplicate files in the doc directory with symlinks.
  - debian/libssl1.1.postinst:
    + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available.
    + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed.
    + Skip services restart & reboot notification if needrestart is in-use.
    + Bump version check to 1.1.1.
    + Import libraries/restart-without-asking template as used by above.
  - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2".
  - Reword the NEWS entry, as applicable on Ubuntu.
  - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master.
  - Use perl:native in the autopkgtest for installability on i386.
  - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg.
  - Import https://github.com/openssl/openssl/pull/12272.patch to enable CET.
* Drop many patches included upstream.
Available diffs
- diff from 1.1.1f-1ubuntu5 to 1.1.1i-3ubuntu1 (171.0 KiB)
openssl (1.1.1f-1ubuntu5) hirsute; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
  - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/err/openssl.txt, include/openssl/asn1err.h.
  - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/err/openssl.txt, include/openssl/asn1err.h.
  - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in test/v3nametest.c.
  - debian/patches/CVE-2020-1971-6.patch: add a test for encoding/decoding using an invalid ASN.1 Template in test/asn1_decode_test.c, test/asn1_encode_test.c.
  - CVE-2020-1971
 -- Marc Deslauriers <email address hidden> Tue, 08 Dec 2020 12:33:52 -0500
openssl (1.1.1-1ubuntu2.1~18.04.7) bionic-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
  - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/err/openssl.txt, include/openssl/asn1err.h.
  - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/err/openssl.txt, include/openssl/asn1err.h.
  - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in test/v3nametest.c.
  - debian/patches/CVE-2020-1971-6.patch: add a test for encoding/decoding using an invalid ASN.1 Template in test/asn1_decode_test.c, test/asn1_encode_test.c.
  - CVE-2020-1971
 -- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:54:45 -0500
openssl (1.1.1f-1ubuntu2.1) focal-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
  - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/err/openssl.txt, include/openssl/asn1err.h.
  - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/err/openssl.txt, include/openssl/asn1err.h.
  - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in test/v3nametest.c.
  - debian/patches/CVE-2020-1971-6.patch: add a test for encoding/decoding using an invalid ASN.1 Template in test/asn1_decode_test.c, test/asn1_encode_test.c.
  - CVE-2020-1971
 -- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:52:44 -0500
openssl (1.1.1f-1ubuntu4.1) groovy-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
  - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/err/openssl.txt, include/openssl/asn1err.h.
  - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/err/openssl.txt, include/openssl/asn1err.h.
  - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in test/v3nametest.c.
  - debian/patches/CVE-2020-1971-6.patch: add a test for encoding/decoding using an invalid ASN.1 Template in test/asn1_decode_test.c, test/asn1_encode_test.c.
  - CVE-2020-1971
 -- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:43:55 -0500
openssl (1.0.2g-1ubuntu4.18) xenial-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
  - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c.
  - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/asn1/asn1.h.
  - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/asn1/asn1.h.
  - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in crypto/x509v3/v3nametest.c.
  - CVE-2020-1971
 -- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 10:43:58 -0500
Superseded in hirsute-release |
Obsolete in groovy-release |
Deleted in groovy-proposed (Reason: moved to Release) |
openssl (1.1.1f-1ubuntu4) groovy; urgency=medium
* Cherrypick upstream fix for non-interactive detection on Linux. LP: #1879826
* Cherrypick AES CTR-DRBG: performance improvement LP: #1799928
* Skip services restart & reboot notification if needrestart is in-use LP: #1895708
 -- Dimitri John Ledkov <email address hidden> Tue, 15 Sep 2020 18:04:36 +0100
openssl (1.0.2g-1ubuntu4.17) xenial-security; urgency=medium
* SECURITY UPDATE: Raccoon Attack
  - debian/patches/CVE-2020-1968.patch: disable ciphers that reuse the DH secret across multiple TLS connections in ssl/s3_lib.c.
  - CVE-2020-1968
 -- Marc Deslauriers <email address hidden> Tue, 15 Sep 2020 14:13:51 -0400