[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
This bug was fixed in the package openssl - 3.0.7-1ubuntu1

---
openssl (3.0.7-1ubuntu1) lunar; urgency=medium

  * Merge 3.0.7 from Debian unstable (LP: #1998942)
    - Drop patches merged upstream:
      + CVE-2022-3358.patch
      + CVE-2022-3602-1.patch
      + CVE-2022-3602-2.patch
    - Shrink patch since upstream fixed some tests in the patch above:
      + tests-use-seclevel-1.patch
    - Drop patch since -DOPENSSL_TLS_SECURITY_LEVEL=2 is now hard-coded:
      + Set-systemwide-default-settings-for-libssl-users.patch
    - Drop Debian patch not needed anymore:
      + TEST-Provide-a-default-openssl.cnf-for-tests.patch
    - Mention Debian as defaulting to SECLEVEL=2 in addition to Ubuntu:
      + tls1.2-min-seclevel2.patch
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is
          in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile.
      + Use perl:native in the autopkgtest for installability on i386.
  * Correct comment as to which TLS version is disabled with our seclevel:
    - skip_tls1.1_seclevel3_tests.patch

  [Sebastian Andrzej Siewior]
  * CVE-2022-3996 (X.509 Policy Constraints Double Locking).

openssl (3.0.7-1) unstable; urgency=medium

  * Import 3.0.7
    - Using a Custom Cipher with NID_undef may lead to NULL encryption
      (CVE-2022-3358) (Closes: #1021620).
    - X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
    - X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
  * Disable rdrand engine (the opcode on x86).
  * Remove config bits for MIPS R6, the generic MIPS config can be used.

openssl (3.0.5-4) unstable; urgency=medium

  * Add ssl_conf() serialisation (Closes: #1020308).

openssl (3.0.5-3) unstable; urgency=medium

  * Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
    (Closes: #805646).
  * Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).

 -- Adrien Nader Tue, 06 Dec 2022 15:11:40 +0100

** Changed in: openssl (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3358

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3602

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3786

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1998942

Title:
  openssl: merge 3.0.7-1 from Debian unstable

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  Debian has moved to 3.0.7 in unstable. Now is a good time to merge it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
** Patch added: "openssl_3.0.7-1-to-openssl_3.0.7-1ubuntu1~ppa2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5640640/+files/openssl_3.0.7-1-to-openssl_3.0.7-1ubuntu1~ppa2.debdiff

[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Updated patch following Simon's feedback: there was a pretty bad mistake in the Debian changelog where I included UNRELEASED changes from Debian as a dedicated changelog entry.

I had to create a new PPA because as part of the changelog fix, I changed the version back to 3.0.7-1ubuntu1 rather than 3.0.7-2ubuntu1. It is at https://launchpad.net/~adrien-n/+archive/ubuntu/merge-openssl-3.0.7-take-two

I'm attaching the debdiffs from Debian and from Ubuntu.

** Patch added: "openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-1ubuntu1~ppa2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5640639/+files/openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-1ubuntu1~ppa2.debdiff

[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Attached is the debdiff from 3.0.7-2 to 3.0.7-2ubuntu1.

** Patch added: "openssl_3.0.7-2-to-openssl_3.0.7-2ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5640127/+files/openssl_3.0.7-2-to-openssl_3.0.7-2ubuntu1.debdiff

[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Updated because Debian now has 3.0.7-2 which includes a patch for a low severity security issue (CVE-2022-3996).

PPA is still at https://launchpad.net/~adrien-n/+archive/ubuntu/merge-openssl-3.0.7 .

Attached is the debdiff from 3.0.5-2ubuntu2 to 3.0.7-2ubuntu1 .

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3996

** Patch added: "openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-2ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5640126/+files/openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-2ubuntu1.debdiff

[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
And PPA for this merge is available at https://launchpad.net/~adrien-n/+archive/ubuntu/merge-openssl-3.0.7/ .

[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Attached is a debdiff against Debian's 3.0.7-1.

** Patch added: "openssl_3.0.7-1-to-openssl_3.0.7-1ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5638959/+files/openssl_3.0.7-1-to-openssl_3.0.7-1ubuntu1.debdiff

[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Attached is a debdiff against Ubuntu's 3.0.5-2ubuntu2.

** Patch added: "openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-1ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5638958/+files/openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-1ubuntu1.debdiff

[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
The attachment "openssl_3.0.7-1ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

** Tags added: patch

[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Patch available.

I've reduced the diff to Debian to pretty much two lines and the postinst script. This was made possible by the use of SECLEVEL=2 by Debian and by upstream fixing the testsuite for that (mostly by forcing some tests to use SECLEVEL=1).

** Patch added: "openssl_3.0.7-1ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5635156/+files/openssl_3.0.7-1ubuntu1.debdiff