[Bug 2141941] Re: Please add Jitter userspace entropy to the fips provider
Launchpad Bug Tracker
2141941 at bugs.launchpad.net
Sun Mar 8 04:57:17 UTC 2026
This bug was fixed in the package openssl - 3.5.5-1ubuntu1
---------------
openssl (3.5.5-1ubuntu1) resolute; urgency=medium
[ Eric Berry ]
* Enable CPU jitter fluctuations
* Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS
provider (LP: #2141941)
[ Ravi Kant Sharma ]
* Merge with Debian unstable (LP: #2141708). Remaining changes:
- d/p/regex_match_ecp_nistp521-ppc64.patch
- Use perl:native in the autopkgtest for installability on i386.
- Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
- Disable LTO with which the codebase is generally incompatible
(LP #2058017)
- Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
- Don't enable or package anything FIPS (LP #2087955)
- Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)
- Enable CPU jitter fluctuations
- fips patches (debian/patches/fips):
- crypto: Add kernel FIPS mode detection
- crypto: Automatically use the FIPS provider...
- apps/speed: Omit unavailable algorithms in FIPS mode
- apps: pass -propquery arg to the libctx DRBG fetches
- test: Ensure encoding runs with the correct context...
- Add Ubuntu-specific defines to help FIPS certification (LP #2073991)
+ UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
+ UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE
- Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS
provider
* Refreshed patches
- fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch
- fips/two-defines-for-fips-in-libssl-dev-headers.patch
- fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch
openssl (3.5.5-1) unstable; urgency=medium
* Import 3.5.5
- CVE-2025-11187 (Improper validation of PBMAC1 parameters in PKCS#12 MAC
verification)
- CVE-2025-15467 (Stack buffer overflow in CMS AuthEnvelopedData parsing)
- CVE-2025-15468 (NULL dereference in SSL_CIPHER_find() function on unknown
cipher ID)
- CVE-2025-15469 ("openssl dgst" one-shot codepath silently truncates inputs
>16MB)
- CVE-2025-66199 (TLS 1.3 CompressedCertificate excessive memory allocation)
- CVE-2025-68160 (Heap out-of-bounds write in BIO_f_linebuffer on short
writes)
- CVE-2025-69418 (Unauthenticated/unencrypted trailing bytes with low-level
OCB function calls)
- CVE-2025-69419 (Out of bounds write in PKCS12_get_friendlyname() UTF-8
conversion)
- CVE-2025-69420 (Missing ASN1_TYPE validation in TS_RESP_verify_response()
function)
- CVE-2025-69421 (NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex
function)
- CVE-2026-22795 (Missing ASN1_TYPE validation in PKCS#12 parsing)
- CVE-2026-22796 (ASN1_TYPE Type Confusion in the
PKCS7_digest_from_attributes() function)
openssl (3.5.4-1ubuntu1) resolute; urgency=medium
* Match last filename for output in ecp_nistp521-ppc64.pl (LP: #2137464)
- d/p/regex_match_ecp_nistp521-ppc64.patch
* Drop patches, merged upstream
- d/p/CVE-2025-9230.patch
- d/p/CVE-2025-9231-1.patch
- d/p/CVE-2025-9231-2.patch
- d/p/CVE-2025-9232.patch
* Merge with Debian unstable (LP: #2133492). Remaining changes:
- Use perl:native in the autopkgtest for installability on i386.
- Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
- Disable LTO with which the codebase is generally incompatible (LP #2058017)
- Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
- Don't enable or package anything FIPS (LP #2087955)
- Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)
- fips patches (debian/patches/fips):
- crypto: Add kernel FIPS mode detection
- crypto: Automatically use the FIPS provider...
- apps/speed: Omit unavailable algorithms in FIPS mode
- apps: pass -propquery arg to the libctx DRBG fetches
- test: Ensure encoding runs with the correct context...
- Add Ubuntu-specific defines to help FIPS certification (LP #2073991)
+ UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
+ UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE
openssl (3.5.4-1) unstable; urgency=medium
* Import 3.5.4
- CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap)
- CVE-2025-9231 (Timing side-channel in SM2 algorithm on 64 bit ARM)
- CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling)
-- Ravi Kant Sharma <ravi.kant.sharma at canonical.com> Sun, 15 Feb 2026
14:56:21 +0100
** Changed in: openssl (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2025-11187
** CVE added: https://cve.org/CVERecord?id=CVE-2025-15467
** CVE added: https://cve.org/CVERecord?id=CVE-2025-15468
** CVE added: https://cve.org/CVERecord?id=CVE-2025-15469
** CVE added: https://cve.org/CVERecord?id=CVE-2025-66199
** CVE added: https://cve.org/CVERecord?id=CVE-2025-68160
** CVE added: https://cve.org/CVERecord?id=CVE-2025-69418
** CVE added: https://cve.org/CVERecord?id=CVE-2025-69419
** CVE added: https://cve.org/CVERecord?id=CVE-2025-69420
** CVE added: https://cve.org/CVERecord?id=CVE-2025-69421
** CVE added: https://cve.org/CVERecord?id=CVE-2025-9230
** CVE added: https://cve.org/CVERecord?id=CVE-2025-9231
** CVE added: https://cve.org/CVERecord?id=CVE-2025-9232
** CVE added: https://cve.org/CVERecord?id=CVE-2026-22795
** CVE added: https://cve.org/CVERecord?id=CVE-2026-22796
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2141941
Title:
Please add Jitter userspace entropy to the fips provider
Status in openssl package in Ubuntu:
Fix Released
Bug description:
If a kernel is present that is Ubuntu distributed and FIPS enabled,
OpenSSL should be configured to run using entropy provided by the
kernel. If there is no kernel present that is FIPS enabled (e.g. in a
container), OpenSSL should use entropy provided by the jitter entropy
library.