[ubuntu/kinetic-proposed] openssl 3.0.2-0ubuntu2 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Tue May 3 20:42:17 UTC 2022
openssl (3.0.2-0ubuntu2) kinetic; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke
      openssl in tools/c_rehash.in.
    - CVE-2022-1292
  * SECURITY UPDATE: OCSP_basic_verify may incorrectly verify the response
    signing certificate
    - debian/patches/CVE-2022-1343-1.patch: fix OCSP_basic_verify signer
      certificate validation in crypto/ocsp/ocsp_vfy.c.
    - debian/patches/CVE-2022-1343-2.patch: test ocsp with invalid
      responses in test/recipes/80-test_ocsp.t.
    - CVE-2022-1343
  * SECURITY UPDATE: incorrect MAC key used in the RC4-MD5 ciphersuite
    - debian/patches/CVE-2022-1434.patch: fix the RC4-MD5 cipher in
      providers/implementations/ciphers/cipher_rc4_hmac_md5.c,
      test/recipes/30-test_evp_data/evpciph_aes_stitched.txt,
      test/recipes/30-test_evp_data/evpciph_rc4_stitched.txt.
    - CVE-2022-1434
  * SECURITY UPDATE: resource leakage when decoding certificates and keys
    - debian/patches/CVE-2022-1473.patch: fix bug in OPENSSL_LH_flush in
      crypto/lhash/lhash.c.
    - CVE-2022-1473
Date: Tue, 03 May 2022 12:01:34 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu2
Format: 1.8
Date: Tue, 03 May 2022 12:01:34 -0400
Source: openssl
Built-For-Profiles: noudeb
Architecture: source
Version: 3.0.2-0ubuntu2
Distribution: kinetic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Checksums-Sha1:
Checksums-Sha256:
Files:
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel at alioth-lists.debian.net>