-
openssl (1.1.1l-1ubuntu1.6) impish-security; urgency=medium
* SECURITY UPDATE: AES OCB fails to encrypt some bytes
- debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for
x86 AES-NI in crypto/aes/asm/aesni-x86.pl.
- debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in
test/recipes/30-test_evp_data/evpciph.txt.
- CVE-2022-2097
-- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 07:22:56 -0400
-
openssl (1.1.1l-1ubuntu1.5) impish-security; urgency=medium
* SECURITY UPDATE: c_rehash script allows command injection
- debian/patches/CVE-2022-1292.patch: switch to upstream patch, and
apply it before c_rehash-compat.patch.
- debian/patches/CVE-2022-2068.patch: fix file operations in
tools/c_rehash.in.
- debian/patches/c_rehash-compat.patch: updated patch to apply after
the security updates.
- CVE-2022-2068
-- Marc Deslauriers <email address hidden> Wed, 15 Jun 2022 10:38:42 -0400
-
openssl (1.1.1l-1ubuntu1.4) impish; urgency=medium
* d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093)
* d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to
trigger the underlying bug (LP: #1947588)
-- Simon Chopin <email address hidden> Fri, 10 Jun 2022 10:11:25 +0200
-
openssl (1.1.1l-1ubuntu1.3) impish-security; urgency=medium
* SECURITY UPDATE: c_rehash script allows command injection
- debian/patches/CVE-2022-1292.patch: do not use shell to invoke
openssl in tools/c_rehash.in.
- CVE-2022-1292
-- Marc Deslauriers <email address hidden> Tue, 03 May 2022 13:48:03 -0400
-
openssl (1.1.1l-1ubuntu1.2) impish-security; urgency=medium
* SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
- debian/patches/CVE-2022-0778-1.patch: fix infinite loop in
crypto/bn/bn_sqrt.c.
- debian/patches/CVE-2022-0778-2.patch: add documentation of
BN_mod_sqrt() in doc/man3/BN_add.pod.
- debian/patches/CVE-2022-0778-3.patch: add a negative testcase for
BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt.
- CVE-2022-0778
-- Marc Deslauriers <email address hidden> Wed, 09 Mar 2022 07:06:18 -0500
-
openssl (1.1.1l-1ubuntu1.1) impish; urgency=medium
* Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)
-- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 10:53:29 +0100
-
openssl (1.1.1l-1ubuntu1) impish; urgency=low
* Merge from Debian unstable. Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
- Add support for building with noudeb build profile.
* Dropped changes:
- Cherry-pick an upstream patch to fix s390x AES code
openssl (1.1.1l-1) unstable; urgency=medium
* New upstream version.
- CVE-2021-3711 (SM2 Decryption Buffer Overflow).
- CVE-2021-3712 (Read buffer overruns processing ASN.1 strings).
-- Simon Chopin <email address hidden> Fri, 10 Sep 2021 09:59:56 +0200
-
openssl (1.1.1k-1ubuntu1) impish; urgency=low
* Merge from Debian unstable (LP: #1939544). Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
- Add support for building with noudeb build profile.
* Dropped changes, superseded upstream:
- SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
-> CVE-2021-3449
- SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
-> CVE-2021-3450
openssl (1.1.1k-1) unstable; urgency=medium
* New upstream version.
- CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
- CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
-- Simon Chopin <email address hidden> Wed, 11 Aug 2021 13:00:48 +0200
-
openssl (1.1.1j-1ubuntu5) impish; urgency=medium
* Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)
-- Simon Chopin <email address hidden> Fri, 23 Jul 2021 14:32:42 +0200
-
openssl (1.1.1j-1ubuntu4) impish; urgency=medium
* Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
error when attempting to build a source package, due to pr12272.patch
patching files multiple times within the same patch. (LP: #1927161)
- d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
- d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
- d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
- d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
- d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch
-- Matthew Ruffell <email address hidden> Wed, 05 May 2021 11:49:27 +1200
-
openssl (1.1.1j-1ubuntu3) hirsute; urgency=medium
* SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
- debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
ssl/statem/extensions.c.
- debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
<= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
- debian/patches/CVE-2021-3449-3.patch: add a test to
test/recipes/70-test_renegotiation.t.
- debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
- CVE-2021-3449
* SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
- debian/patches/CVE-2021-3450-1.patch: do not override error return
value by check_curve in crypto/x509/x509_vfy.c,
test/verify_extra_test.c.
- debian/patches/CVE-2021-3450-2.patch: fix return code check in
crypto/x509/x509_vfy.c.
- CVE-2021-3450
-- Marc Deslauriers <email address hidden> Thu, 25 Mar 2021 11:44:30 -0400