[ubuntu/resolute-proposed] openssl 3.5.5-1ubuntu1 (Accepted)
Ravi Kant Sharma
ravi.kant.sharma at canonical.com
Mon Feb 16 16:02:16 UTC 2026
openssl (3.5.5-1ubuntu1) resolute; urgency=medium
[ Eric Berry ]
* Enable CPU jitter fluctuations
* Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS
provider (LP: #2141941)
[ Ravi Kant Sharma ]
* Merge with Debian unstable (LP: #2141708). Remaining changes:
- d/p/regex_match_ecp_nistp521-ppc64.patch
- Use perl:native in the autopkgtest for installability on i386.
- Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
- Disable LTO with which the codebase is generally incompatible
(LP #2058017)
- Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
- Don't enable or package anything FIPS (LP #2087955)
- Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)
- Enable CPU jitter fluctuations
- fips patches (debian/patches/fips):
- crypto: Add kernel FIPS mode detection
- crypto: Automatically use the FIPS provider...
- apps/speed: Omit unavailable algorithms in FIPS mode
- apps: pass -propquery arg to the libctx DRBG fetches
- test: Ensure encoding runs with the correct context...
- Add Ubuntu-specific defines to help FIPS certification (LP #2073991)
+ UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
+ UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE
- Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS
provider
* Refreshed patches
- fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch
- fips/two-defines-for-fips-in-libssl-dev-headers.patch
- fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch
openssl (3.5.5-1) unstable; urgency=medium
* Import 3.5.5
- CVE-2025-11187 (Improper validation of PBMAC1 parameters in PKCS#12 MAC
verification)
- CVE-2025-15467 (Stack buffer overflow in CMS AuthEnvelopedData parsing)
- CVE-2025-15468 (NULL dereference in SSL_CIPHER_find() function on unknown
cipher ID)
- CVE-2025-15469 ("openssl dgst" one-shot codepath silently truncates inputs
>16MB)
- CVE-2025-66199 (TLS 1.3 CompressedCertificate excessive memory allocation)
- CVE-2025-68160 (Heap out-of-bounds write in BIO_f_linebuffer on short
writes)
- CVE-2025-69418 (Unauthenticated/unencrypted trailing bytes with low-level
OCB function calls)
- CVE-2025-69419 (Out of bounds write in PKCS12_get_friendlyname() UTF-8
conversion)
- CVE-2025-69420 (Missing ASN1_TYPE validation in TS_RESP_verify_response()
function)
- CVE-2025-69421 (NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex
function)
- CVE-2026-22795 (Missing ASN1_TYPE validation in PKCS#12 parsing)
- CVE-2026-22796 (ASN1_TYPE Type Confusion in the
PKCS7_digest_from_attributes() function)
openssl (3.5.4-1ubuntu1) resolute; urgency=medium
* Match last filename for output in ecp_nistp521-ppc64.pl (LP: #2137464)
- d/p/regex_match_ecp_nistp521-ppc64.patch
* Drop patches, merged upstream
- d/p/CVE-2025-9230.patch
- d/p/CVE-2025-9231-1.patch
- d/p/CVE-2025-9231-2.patch
- d/p/CVE-2025-9232.patch
* Merge with Debian unstable (LP: #2133492). Remaining changes:
- Use perl:native in the autopkgtest for installability on i386.
- Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
- Disable LTO with which the codebase is generally incompatible (LP #2058017)
- Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
- Don't enable or package anything FIPS (LP #2087955)
- Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)
- fips patches (debian/patches/fips):
- crypto: Add kernel FIPS mode detection
- crypto: Automatically use the FIPS provider...
- apps/speed: Omit unavailable algorithms in FIPS mode
- apps: pass -propquery arg to the libctx DRBG fetches
- test: Ensure encoding runs with the correct context...
- Add Ubuntu-specific defines to help FIPS certification (LP #2073991)
+ UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
+ UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE
openssl (3.5.4-1) unstable; urgency=medium
* Import 3.5.4
- CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap)
- CVE-2025-9231 (Timing side-channel in SM2 algorithm on 64 bit ARM)
- CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling)
Date: Sun, 15 Feb 2026 14:56:21 +0100
Changed-By: Ravi Kant Sharma <ravi.kant.sharma at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Dave Jones <dave.jones at canonical.com>
https://launchpad.net/ubuntu/+source/openssl/3.5.5-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Sun, 15 Feb 2026 14:56:21 +0100
Source: openssl
Built-For-Profiles: noudeb
Architecture: source
Version: 3.5.5-1ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Ravi Kant Sharma <ravi.kant.sharma at canonical.com>
Launchpad-Bugs-Fixed: 2133492 2137464 2141708 2141941
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel at alioth-lists.debian.net>
Vcs-Git: https://git.launchpad.net/~ravi-sharma/ubuntu/+source/openssl
Vcs-Git-Commit: e75edab466ece5daa1bc6c01be425a2105877a51
Vcs-Git-Ref: refs/heads/merge-lp2141708-resolute