[Bug 2067384] Re: openssl: merge 3.2.1-3 from unstable
Launchpad Bug Tracker
2067384 at bugs.launchpad.net
Wed Jul 3 10:20:16 UTC 2024
This bug was fixed in the package openssl - 3.2.1-3ubuntu1
---------------
openssl (3.2.1-3ubuntu1) oracular; urgency=medium

  * Merge 3.2.1-3 from Debian unstable (LP: #2067384)
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + Use perl:native in the autopkgtest for installability on i386.
      + Disable LTO with which the codebase is generally incompatible
        (LP: #2058017)
      + Add fips-mode detection and adjust defaults when running in fips mode
    - Dropped changes:
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile which has been
        integrated
      + Patches that forbade TLS < 1.2 @SECLEVEL=2 which is now upstream
        behaviour:
        - skip_tls1.1_seclevel3_tests.patch
        - tests-use-seclevel-1.patch
        - tls1.2-min-seclevel2.patch
      + Revert the provider removal from the default configuration as there's
        no point in carrying the delta (will see if Debian drops the patch)
      + d/p/intel/*: was a backport from upstream changes
      + d/p/CVE-*: was a backport from upstream changes

openssl (3.2.1-3) unstable; urgency=medium

  * Upload to unstable.
  * Correct previous security level in NEWS file (Closes: #1066116).

openssl (3.2.1-2) experimental; urgency=medium

  * Disable brotli and enable zlib for certificate compression.
  * Update to latest openssl-3.2 branch.

openssl (3.2.1-1.1~exp1) experimental; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition.

openssl (3.2.1-1) experimental; urgency=medium

  * Import 3.2.1
    - CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
    - CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
      (Closes: #1060858).
    - CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
      PowerPC) (Closes: #1060347).

openssl (3.2.0-2) experimental; urgency=medium

  * Use generic target for riscv64.
  * Update to latest openssl-3.2 branch.

openssl (3.2.0-1) experimental; urgency=medium

  * Import 3.2.0
  * Enable zstd, brotli and for certificate compression.

openssl (3.1.4-2) unstable; urgency=medium

  * Invoke clean up from the openssl binary as a temporary workaround to avoid
    a crash in libp11/SoftHSM engine (Closes: #1054546).
  * CVE-2023-5678 (Excessive time spent in DH check / generation with large Q
    parameter value) (Closes: #1055473).
  * Upload to unstable.

openssl (3.1.4-1) experimental; urgency=medium

  * Import 3.1.4
    - CVE-2023-5363 (Incorrect cipher key and IV length processing).

openssl (3.1.3-1) experimental; urgency=medium

  * Import 3.1.3

openssl (3.1.2-1) experimental; urgency=medium

  * Import 3.1.2
    - CVE-2023-2975 (AES-SIV implementation ignores empty associated data
      entries) (Closes: #1041818).
    - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
      (Closes: #1041817).
    - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
    - Drop bc and m4 from B-D.

openssl (3.1.1-1) experimental; urgency=medium

  * Import 3.1.1
    - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
      Constraints) (Closes: #1034720).
    - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
      silently ignored).
    - CVE-2023-0466 (Certificate policy check not enabled).
    - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
    - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
    - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).
    - Add new symbol.

openssl (3.1.0-1) experimental; urgency=medium

  * Import 3.1.0
  * Add new symbols.

 -- Adrien Nader <adrien.nader at canonical.com>  Tue, 28 May 2024 14:30:44 +0200

** Changed in: openssl (Ubuntu)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-4304
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-0464
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-0465
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-0466
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-1255
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2650
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2975
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3446
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3817
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5363
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5678
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-6129
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-6237
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-0727
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2067384
Title:
openssl: merge 3.2.1-3 from unstable
Status in openssl package in Ubuntu:
Fix Released
Bug description:

Unstable has openssl 3.2.1 which is needed to fix some tests for nodejs
and some features for cryptsetup and is a good step to 3.3 for 24.10.

Merge request:
https://code.launchpad.net/~adrien/ubuntu/+source/openssl/+git/openssl/+merge/466581

Copied over from the MP for anyone looking for the detailed rationales behind the dropped delta:

Merge unstable's openssl 3.2.1-1

Remove most of the delta we have compared to Debian.

OpenSSL 3.2 now forbids TLS < 1.2 when at SECLEVEL=2 which we were
already doing through a patch. This lets us drop patches that implement
this and those that adapt tests.

In addition, Debian had integrated the support for the noudeb profile
but we still had some bits related to our diff which we can actually
drop.

Debian had reverted a change in the default configuration file that
broke applications which were using openssl < 3. We had not propagated
that due to various reasons which don't apply for a new development
cycle. I will see if the patch can be dropped Debian-side as it mostly
made sense when openssl versions were likely to be installed alongside
(i.e. during the transition).

The AVX-512 patches have been integrated upstream and can be dropped.

The FIPS patches only make sense during Ubuntu LTS cycles. There is
value in them but the next LTS cycle is in 18 months and the preferred
approach is rather to have them merged upstream by then.

In a private conversation with Tobias (from whom I integrated the FIPS
patches for Noble), we agreed that we could drop the FIPS patches
after Noble since they would be useless until 26.04, at which point
they should have been upstreamed already. Overall it's not very useful
to keep them around as patches during the releases they're certainly
not going to be used (it's fine to have them through, say, upstream
3.4 or 3.5 however).

All security patches have been integrated.

The code for reboot notification has been removed too as it was buggy
and was actually only working on desktops while the original intent was
to have that code run on servers. Considering there has been no
specification of what was wanted and how it evolved over the years, it's
impossible to "fix" so let's just remove it. The right place to
implement such things is not in postinst scripts.

There are a few things kept: a symlink for changelog/copyright files,
using perl:native in autopkgtests depends, and disabling LTO. The
symlink topic will be looked at later on as there are issues there (the
targets don't exist!), and I will also attempt to drop using
perl:native. I will be doing that slightly later on as there are already
many changes and 3.2 is needed to fix some other tests.