Processed: Re: Bug#1036957: unblock: openssl/3.0.8-1

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 d-i
Bug #1036957 [release.debian.org] unblock: openssl/3.0.9-1
Added tag(s) d-i.

-- 
1036957: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036957
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036957: unblock: openssl/3.0.8-1

2023-05-31 Thread Paul Gevers

Control: tags -1 d-i

Hi kibi,

Can you have a look at this unblock request? It's blocked on your
block-udeb.


Paul

On 30-05-2023 22:52, Sebastian Andrzej Siewior wrote:

control: retitle -1 unblock: openssl/3.0.9-1

On 2023-05-30 22:16:53 [+0200], To sub...@bugs.debian.org wrote:


Please unblock package openssl.

The 3.0.9 release contains security and non-security related fixes for
the package. There are five new CVEs in total that have been addressed.
One with "moderate" severity. From the package's changelog:

 - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
   Constraints) (Closes: #1034720).
 - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
   silently ignored).
 - CVE-2023-0466 (Certificate policy check not enabled).
 - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
 - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
 - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64
   bit ARM).

The package built on all release architectures (it is still building on
mipsel at the time of writing but I expect it to pass).
The openssl testsuite ran on all architectures during the build process.
Please find attached the debdiff vs the version in testing.

unblock openssl/3.0.9-1


Sebastian





Bug#1036957: unblock: openssl/3.0.8-1

2023-05-30 Thread Sebastian Andrzej Siewior
control: retitle -1 unblock: openssl/3.0.9-1

On 2023-05-30 22:16:53 [+0200], To sub...@bugs.debian.org wrote:
> 
> Please unblock package openssl.
> 
> The 3.0.9 release contains security and non-security related fixes for
> the package. There are five new CVEs in total that have been addressed.
> One with "moderate" severity. From the package's changelog:
> 
> - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
>   Constraints) (Closes: #1034720).
> - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
>   silently ignored).
> - CVE-2023-0466 (Certificate policy check not enabled).
> - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
> - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
> - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64
>   bit ARM).
> 
> The package built on all release architectures (it is still building on
> mipsel at the time of writing but I expect it to pass).
> The openssl testsuite ran on all architectures during the build process.
> Please find attached the debdiff vs the version in testing.
> 
> unblock openssl/3.0.9-1

Sebastian