Ubuntu
openssl package

openssl 3.0.5-2ubuntu2.1 source package in Ubuntu

Changelog

openssl (3.0.5-2ubuntu2.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: X.509 Name Constraints Read Buffer Overflow
    - debian/patches/CVE-2022-4203-1.patch: fix type confusion in
      nc_match_single() in crypto/x509/v3_ncons.c.
    - debian/patches/CVE-2022-4203-2.patch: add testcase for
      nc_match_single type confusion in test/*.
    - CVE-2022-4203
  * SECURITY UPDATE: Timing Oracle in RSA Decryption
    - debian/patches/CVE-2022-4304.patch: fix timing oracle in
      crypto/bn/bn_blind.c, crypto/bn/bn_local.h, crypto/bn/build.info,
      crypto/bn/rsa_sup_mul.c, crypto/rsa/rsa_ossl.c, include/crypto/bn.h.
    - CVE-2022-4304
  * SECURITY UPDATE: Double free after calling PEM_read_bio_ex
    - debian/patches/CVE-2022-4450-1.patch: avoid dangling ptrs in header
      and data params for PEM_read_bio_ex in crypto/pem/pem_lib.c.
    - debian/patches/CVE-2022-4450-2.patch: add a test in test/pemtest.c.
    - CVE-2022-4450
  * SECURITY UPDATE: Use-after-free following BIO_new_NDEF
    - debian/patches/CVE-2023-0215-1.patch: fix a UAF resulting from a bug
      in BIO_new_NDEF in crypto/asn1/bio_ndef.c.
    - debian/patches/CVE-2023-0215-2.patch: check CMS failure during BIO
      setup with -stream is handled correctly in
      test/recipes/80-test_cms.t, test/smime-certs/badrsa.pem.
    - CVE-2023-0215
  * SECURITY UPDATE: Invalid pointer dereference in d2i_PKCS7 functions
    - debian/patches/CVE-2023-0216-1.patch: do not dereference PKCS7 object
      data if not set in crypto/pkcs7/pk7_lib.c.
    - debian/patches/CVE-2023-0216-2.patch: add test for d2i_PKCS7 NULL
      dereference in test/recipes/25-test_pkcs7.t,
      test/recipes/25-test_pkcs7_data/malformed.pkcs7.
    - CVE-2023-0216
  * SECURITY UPDATE: NULL dereference validating DSA public key
    - debian/patches/CVE-2023-0217-1.patch: fix NULL deference when
      validating FFC public key in crypto/ffc/ffc_key_validate.c,
      include/internal/ffc.h, test/ffc_internal_test.c.
    - debian/patches/CVE-2023-0217-2.patch: prevent creating DSA and DH
      keys without parameters through import in
      providers/implementations/keymgmt/dh_kmgmt.c,
      providers/implementations/keymgmt/dsa_kmgmt.c.
    - debian/patches/CVE-2023-0217-3.patch: do not create DSA keys without
      parameters by decoder in crypto/x509/x_pubkey.c,
      include/crypto/x509.h,
      providers/implementations/encode_decode/decode_der2key.c.
    - CVE-2023-0217
  * SECURITY UPDATE: X.400 address type confusion in X.509 GeneralName
    - debian/patches/CVE-2023-0286.patch: fix GENERAL_NAME_cmp for
      x400Address in crypto/x509/v3_genn.c, include/openssl/x509v3.h.in,
      test/v3nametest.c.
    - CVE-2023-0286
  * SECURITY UPDATE: NULL dereference during PKCS7 data verification
    - debian/patches/CVE-2023-0401-1.patch: check return of BIO_set_md()
      calls in crypto/pkcs7/pk7_doit.c.
    - debian/patches/CVE-2023-0401-2.patch: add testcase for missing return
      check of BIO_set_md() calls in test/recipes/80-test_cms.t,
      test/recipes/80-test_cms_data/pkcs7-md4.pem.
    - CVE-2023-0401

 -- Marc Deslauriers <email address hidden>  Mon, 06 Feb 2023 12:57:17 -0500

Upload details

Uploaded by:
Marc Deslauriers
Uploaded to:
Kinetic
Original maintainer:
Ubuntu Developers
Architectures:
any all
Section:
utils
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Downloads

File Size SHA-256 Checksum
openssl_3.0.5.orig.tar.gz 14.4 MiB aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a
openssl_3.0.5.orig.tar.gz.asc 862 bytes 95f23bb4eb6faa8d0f1ca1b83cfb00a2bed4b53e124a4f13e1499abc0b426129
openssl_3.0.5-2ubuntu2.1.debian.tar.xz 173.7 KiB 7dc7e6fd16dfe6cca7fffb33f009bf76984bf1f42c60ca0cc94134f8f6d9432a
openssl_3.0.5-2ubuntu2.1.dsc 2.7 KiB c8438920be88645599af7528c90b13a01d014ee91ab3f1b1362b03eced735dd0

View changes file

Binary packages built by this source

libssl-dev: Secure Sockets Layer toolkit - development files

 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains development libraries, header files, and manpages for libssl
 and libcrypto.

libssl-doc: Secure Sockets Layer toolkit - development documentation

 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains manpages and demo files for libssl and libcrypto.

libssl3: Secure Sockets Layer toolkit - shared libraries

 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It provides the libssl and libcrypto shared libraries.

libssl3-dbgsym: debug symbols for libssl3
openssl: Secure Sockets Layer toolkit - cryptographic utility

 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.

openssl-dbgsym: debug symbols for openssl