Change log : Impish (21.10) : openssl package : Ubuntu

Change logs for openssl source package in Impish

  • openssl (1.1.1l-1ubuntu1.6) impish-security; urgency=medium
    
      * SECURITY UPDATE: AES OCB fails to encrypt some bytes
        - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for
          x86 AES-NI in crypto/aes/asm/aesni-x86.pl.
        - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in
          test/recipes/30-test_evp_data/evpciph.txt.
        - CVE-2022-2097
    
     -- Marc Deslauriers <email address hidden>  Mon, 04 Jul 2022 07:22:56 -0400
  • openssl (1.1.1l-1ubuntu1.5) impish-security; urgency=medium
    
      * SECURITY UPDATE: c_rehash script allows command injection
        - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and
          apply it before c_rehash-compat.patch.
        - debian/patches/CVE-2022-2068.patch: fix file operations in
          tools/c_rehash.in.
        - debian/patches/c_rehash-compat.patch: updated patch to apply after
          the security updates.
        - CVE-2022-2068
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Jun 2022 10:38:42 -0400
  • openssl (1.1.1l-1ubuntu1.4) impish; urgency=medium
    
      * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093)
      * d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to
        trigger the underlying bug (LP: #1947588)
    
     -- Simon Chopin <email address hidden>  Fri, 10 Jun 2022 10:11:25 +0200
  • openssl (1.1.1l-1ubuntu1.3) impish-security; urgency=medium
    
      * SECURITY UPDATE: c_rehash script allows command injection
        - debian/patches/CVE-2022-1292.patch: do not use shell to invoke
          openssl in tools/c_rehash.in.
        - CVE-2022-1292
    
     -- Marc Deslauriers <email address hidden>  Tue, 03 May 2022 13:48:03 -0400
  • openssl (1.1.1l-1ubuntu1.2) impish-security; urgency=medium
    
      * SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
        - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in
          crypto/bn/bn_sqrt.c.
        - debian/patches/CVE-2022-0778-2.patch: add documentation of
          BN_mod_sqrt() in doc/man3/BN_add.pod.
        - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for
          BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt.
        - CVE-2022-0778
    
     -- Marc Deslauriers <email address hidden>  Wed, 09 Mar 2022 07:06:18 -0500
  • openssl (1.1.1l-1ubuntu1.1) impish; urgency=medium
    
      * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)
    
     -- Julian Andres Klode <email address hidden>  Wed, 24 Nov 2021 10:53:29 +0100
  • openssl (1.1.1l-1ubuntu1) impish; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers, unless needrestart is available.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
          + Skip services restart & reboot notification if needrestart is in-use.
          + Bump version check to 1.1.1.
          + Import libraries/restart-without-asking template as used by above.
        - Revert "Enable system default config to enforce TLS1.2 as a
          minimum" & "Increase default security level from 1 to 2".
        - Reword the NEWS entry, as applicable on Ubuntu.
        - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
          and ECC from master.
        - Use perl:native in the autopkgtest for installability on i386.
        - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
          level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
          below 1.2 and update documentation. The previous default of 1 can be
          set by calling SSL_CTX_set_security_level(), SSL_set_security_level()
          or using the ':@SECLEVEL=1' CipherString value in openssl.cfg.
        - Import https://github.com/openssl/openssl/pull/12272.patch to enable
          CET.
        - Add support for building with noudeb build profile.
      * Dropped changes:
        - Cherry-pick an upstream patch to fix s390x AES code
    
    openssl (1.1.1l-1) unstable; urgency=medium
    
      * New upstream version.
        - CVE-2021-3711 (SM2 Decryption Buffer Overflow).
        - CVE-2021-3712 (Read buffer overruns processing ASN.1 strings).
    
     -- Simon Chopin <email address hidden>  Fri, 10 Sep 2021 09:59:56 +0200
  • openssl (1.1.1k-1ubuntu1) impish; urgency=low
    
      * Merge from Debian unstable (LP: #1939544). Remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers, unless needrestart is available.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
          + Skip services restart & reboot notification if needrestart is in-use.
          + Bump version check to 1.1.1.
          + Import libraries/restart-without-asking template as used by above.
        - Revert "Enable system default config to enforce TLS1.2 as a
          minimum" & "Increase default security level from 1 to 2".
        - Reword the NEWS entry, as applicable on Ubuntu.
        - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
          and ECC from master.
        - Use perl:native in the autopkgtest for installability on i386.
        - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
          level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
          below 1.2 and update documentation. The previous default of 1 can be
          set by calling SSL_CTX_set_security_level(), SSL_set_security_level()
          or using the ':@SECLEVEL=1' CipherString value in openssl.cfg.
        - Import https://github.com/openssl/openssl/pull/12272.patch to enable
          CET.
        - Add support for building with noudeb build profile.
      * Dropped changes, superseded upstream:
        - SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
          -> CVE-2021-3449
        - SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
          -> CVE-2021-3450
    
    openssl (1.1.1k-1) unstable; urgency=medium
    
      * New upstream version.
        - CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
        - CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
    
     -- Simon Chopin <email address hidden>  Wed, 11 Aug 2021 13:00:48 +0200
  • openssl (1.1.1j-1ubuntu5) impish; urgency=medium
    
      * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)
    
     -- Simon Chopin <email address hidden>  Fri, 23 Jul 2021 14:32:42 +0200
  • openssl (1.1.1j-1ubuntu4) impish; urgency=medium
    
      * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
        error when attempting to build a source package, due to pr12272.patch
        patching files multiple times within the same patch. (LP: #1927161)
        - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
        - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
        - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
        - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
        - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch
    
     -- Matthew Ruffell <email address hidden>  Wed, 05 May 2021 11:49:27 +1200
  • openssl (1.1.1j-1ubuntu3) hirsute; urgency=medium
    
      * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
        - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
          ssl/statem/extensions.c.
        - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
          <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
        - debian/patches/CVE-2021-3449-3.patch: add a test to
          test/recipes/70-test_renegotiation.t.
        - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
          always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
          ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
          ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
        - CVE-2021-3449
      * SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
        - debian/patches/CVE-2021-3450-1.patch: do not override error return
          value by check_curve in crypto/x509/x509_vfy.c,
          test/verify_extra_test.c.
        - debian/patches/CVE-2021-3450-2.patch: fix return code check in
          crypto/x509/x509_vfy.c.
        - CVE-2021-3450
    
     -- Marc Deslauriers <email address hidden>  Thu, 25 Mar 2021 11:44:30 -0400