[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
This bug was fixed in the package openssl - 3.0.7-1ubuntu1
---
openssl (3.0.7-1ubuntu1) lunar; urgency=medium
* Merge 3.0.7 from Debian unstable (LP: #1998942)
- Drop patches merged upstream:
+ CVE-2022-3358.patch
+ CVE-2022-3602-1.patch
+ CVE-2022-3602-2.patch
- Shrink patch since upstream fixed some tests in the patch above:
+ tests-use-seclevel-1.patch
- Drop patch since -DOPENSSL_TLS_SECURITY_LEVEL=2 is now hard-coded:
+ Set-systemwide-default-settings-for-libssl-users.patch
- Drop Debian patch not needed anymore:
+ TEST-Provide-a-default-openssl.cnf-for-tests.patch
- Mention Debian as defaulting to SECLEVEL=2 in addition to Ubuntu:
+ tls1.2-min-seclevel2.patch
- Remaining changes:
+ Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
openssl
+ d/libssl3.postinst: Revert Debian deletion
- Skip services restart & reboot notification if needrestart is in-use.
- Bump version check to 1.1.1 (bug opened as LP: #1999139)
- Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Import libraries/restart-without-asking template as used by above.
+ Add support for building with noudeb build profile.
+ Use perl:native in the autopkgtest for installability on i386.
* Correct comment as to which TLS version is disabled with our seclevel:
- skip_tls1.1_seclevel3_tests.patch
[Sebastian Andrzej Siewior]
* CVE-2022-3996 (X.509 Policy Constraints Double Locking).
openssl (3.0.7-1) unstable; urgency=medium
* Import 3.0.7
- Using a Custom Cipher with NID_undef may lead to NULL encryption
(CVE-2022-3358) (Closes: #1021620).
- X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
- X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
* Disable rdrand engine (the opcode on x86).
* Remove config bits for MIPS R6, the generic MIPS config can be used.
openssl (3.0.5-4) unstable; urgency=medium
* Add ssl_conf() serialisation (Closes: #1020308).
openssl (3.0.5-3) unstable; urgency=medium
* Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
(Closes: #805646).
* Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).
-- Adrien Nader Tue, 06 Dec 2022 15:11:40
+0100
** Changed in: openssl (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3358
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3602
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3786
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1998942
Title:
openssl: merge 3.0.7-1 from Debian unstable
Status in openssl package in Ubuntu:
Fix Released
Bug description:
Debian has moved to 3.0.7 in unstable. Now is a good time to merge it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
** Patch added: "openssl_3.0.7-1-to-openssl_3.0.7-1ubuntu1~ppa2.debdiff" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5640640/+files/openssl_3.0.7-1-to-openssl_3.0.7-1ubuntu1~ppa2.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1998942 Title: openssl: merge 3.0.7-1 from Debian unstable Status in openssl package in Ubuntu: In Progress Bug description: Debian has moved to 3.0.7 in unstable. Now is a good time to merge it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Updated patch following Simon's feedback: there was a pretty bad mistake in the debian changelog where I included UNRELEASEd changes from Debian as a dedicated changelog entry. I had to create a new PPA because as part of the changelog fix, I changed the version back to 3.0.7-1ubuntu1 rather than 3.0.7-2ubuntu1. It is at https://launchpad.net/~adrien-n/+archive/ubuntu/merge- openssl-3.0.7-take-two I'm attaching the debdiffs from debian and from ubuntu. ** Patch added: "openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-1ubuntu1~ppa2.debdiff" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5640639/+files/openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-1ubuntu1~ppa2.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1998942 Title: openssl: merge 3.0.7-1 from Debian unstable Status in openssl package in Ubuntu: In Progress Bug description: Debian has moved to 3.0.7 in unstable. Now is a good time to merge it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Attached is the debdiff from 3.0.7-2 to 3.0.7-2ubuntu1. ** Patch added: "openssl_3.0.7-2-to-openssl_3.0.7-2ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5640127/+files/openssl_3.0.7-2-to-openssl_3.0.7-2ubuntu1.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1998942 Title: openssl: merge 3.0.7-1 from Debian unstable Status in openssl package in Ubuntu: In Progress Bug description: Debian has moved to 3.0.7 in unstable. Now is a good time to merge it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Updated because Debian now has 3.0.7-2 which includes a patch for a low severity security issue (CVE-2022-3996). PPA is still at https://launchpad.net/~adrien-n/+archive/ubuntu/merge- openssl-3.0.7 . Attached is the debdiff from 3.0.5-2ubuntu2 to 3.0.7-2ubuntu1 . ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3996 ** Patch added: "openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-2ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5640126/+files/openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-2ubuntu1.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1998942 Title: openssl: merge 3.0.7-1 from Debian unstable Status in openssl package in Ubuntu: In Progress Bug description: Debian has moved to 3.0.7 in unstable. Now is a good time to merge it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
And PPA for this merge is available at https://launchpad.net/~adrien-n/+archive/ubuntu/merge-openssl-3.0.7/ . -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1998942 Title: openssl: merge 3.0.7-1 from Debian unstable Status in openssl package in Ubuntu: In Progress Bug description: Debian has moved to 3.0.7 in unstable. Now is a good time to merge it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Attached is a debdiff against Debian's 3.0.7-1. ** Patch added: "openssl_3.0.7-1-to-openssl_3.0.7-1ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5638959/+files/openssl_3.0.7-1-to-openssl_3.0.7-1ubuntu1.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1998942 Title: openssl: merge 3.0.7-1 from Debian unstable Status in openssl package in Ubuntu: In Progress Bug description: Debian has moved to 3.0.7 in unstable. Now is a good time to merge it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Attached is a debdiff against Ubuntu's 3.0.5-2ubuntu2. ** Patch added: "openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-1ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5638958/+files/openssl_3.0.5-2ubuntu2-to-openssl_3.0.7-1ubuntu1.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1998942 Title: openssl: merge 3.0.7-1 from Debian unstable Status in openssl package in Ubuntu: In Progress Bug description: Debian has moved to 3.0.7 in unstable. Now is a good time to merge it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
The attachment "openssl_3.0.7-1ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1998942 Title: openssl: merge 3.0.7-1 from Debian unstable Status in openssl package in Ubuntu: In Progress Bug description: Debian has moved to 3.0.7 in unstable. Now is a good time to merge it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998942] Re: openssl: merge 3.0.7-1 from Debian unstable
Patch available. I've reduced the diff to debian to pretty much two lines and the postinst script. This was made possible by the use of SECLEVEL=2 by debian and by upstream fixing the testsuite for that (mostly by forcing some tests to use SECLEVEL=1). ** Patch added: "openssl_3.0.7-1ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+attachment/5635156/+files/openssl_3.0.7-1ubuntu1.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1998942 Title: openssl: merge 3.0.7-1 from Debian unstable Status in openssl package in Ubuntu: In Progress Bug description: Debian has moved to 3.0.7 in unstable. Now is a good time to merge it. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1998942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
