[ubuntu/resolute-proposed] openssl 3.5.4-1ubuntu1 (Accepted)

Ravi Kant Sharma ravi.kant.sharma at canonical.com
Fri Jan 23 17:56:17 UTC 2026


openssl (3.5.4-1ubuntu1) resolute; urgency=medium

  * Match last filename for output in ecp_nistp521-ppc64.pl (LP: #2137464)
    - d/p/regex_match_ecp_nistp521-ppc64.patch
  * Drop patches, merged upstream
    - d/p/CVE-2025-9230.patch
    - d/p/CVE-2025-9231-1.patch
    - d/p/CVE-2025-9231-2.patch
    - d/p/CVE-2025-9232.patch
  * Merge with Debian unstable (LP: #2133492). Remaining changes:
    - Use perl:native in the autopkgtest for installability on i386.
    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
    - Disable LTO with which the codebase is generally incompatible (LP #2058017)
    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
    - Don't enable or package anything FIPS (LP #2087955)
    - Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)
    - fips patches (debian/patches/fips):
      - crypto: Add kernel FIPS mode detection
      - crypto: Automatically use the FIPS provider...
      - apps/speed: Omit unavailable algorithms in FIPS mode
      - apps: pass -propquery arg to the libctx DRBG fetches
      - test: Ensure encoding runs with the correct context...
      - Add Ubuntu-specific defines to help FIPS certification (LP #2073991)
        + UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
        + UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE

openssl (3.5.4-1) unstable; urgency=medium

  * Import 3.5.4
   - CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap)
   - CVE-2025-9231 (Timing side-channel in SM2 algorithm on 64 bit ARM)
   - CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling)

Date: Thu, 08 Jan 2026 15:53:39 +0100
Changed-By: Ravi Kant Sharma <ravi.kant.sharma at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Julian Andres Klode <julian.klode at canonical.com>
https://launchpad.net/ubuntu/+source/openssl/3.5.4-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 08 Jan 2026 15:53:39 +0100
Source: openssl
Built-For-Profiles: noudeb
Architecture: source
Version: 3.5.4-1ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Ravi Kant Sharma <ravi.kant.sharma at canonical.com>
Launchpad-Bugs-Fixed: 2133492 2137464
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel at alioth-lists.debian.net>
Vcs-Git: https://git.launchpad.net/~juliank/ubuntu/+source/openssl
Vcs-Git-Commit: a8a8f565e249312ec72336760779b0445ee8a65b
Vcs-Git-Ref: refs/heads/debian/sid

