This bug was fixed in the package openssl - 3.0.7-1ubuntu1

---------------
openssl (3.0.7-1ubuntu1) lunar; urgency=medium

  * Merge 3.0.7 from Debian unstable (LP: #1998942)
    - Drop patches merged upstream:
      + CVE-2022-3358.patch
      + CVE-2022-3602-1.patch
      + CVE-2022-3602-2.patch
    - Shrink patch since upstream fixed some tests in the patch above:
      + tests-use-seclevel-1.patch
    - Drop patch since -DOPENSSL_TLS_SECURITY_LEVEL=2 is now hard-coded:
      + Set-systemwide-default-settings-for-libssl-users.patch
    - Drop Debian patch not needed anymore:
      + TEST-Provide-a-default-openssl.cnf-for-tests.patch
    - Mention Debian as defaulting to SECLEVEL=2 in addition to Ubuntu:
      + tls1.2-min-seclevel2.patch
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to openssl
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile.
      + Use perl:native in the autopkgtest for installability on i386.
  * Correct comment as to which TLS version is disabled with our seclevel:
    - skip_tls1.1_seclevel3_tests.patch

  [Sebastian Andrzej Siewior]
  * CVE-2022-3996 (X.509 Policy Constraints Double Locking).

openssl (3.0.7-1) unstable; urgency=medium

  * Import 3.0.7
    - Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358) (Closes: #1021620).
    - X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
    - X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
  * Disable rdrand engine (the opcode on x86).
  * Remove config bits for MIPS R6, the generic MIPS config can be used.

openssl (3.0.5-4) unstable; urgency=medium

  * Add ssl_conf() serialisation (Closes: #1020308).

openssl (3.0.5-3) unstable; urgency=medium

  * Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt (Closes: #805646).
  * Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).

 -- Adrien Nader <adrien.na...@canonical.com>  Tue, 06 Dec 2022 15:11:40 +0100

** Changed in: openssl (Ubuntu)
       Status: New => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3358

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3602

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3786

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3996

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1999139

Title:
  Outdate version check for restart in libssl3.postinst

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  Our version of libssl3.postinst compares the installed version to "1.1.1-1ubuntu2.1~18.04.2" (moreover the test is done twice) which is unlikely to be what we want nowadays.

  The version needs to be updated and since we have been carrying this as a delta from Debian, it would be a good idea to ensure the behaviour still matches what we currently want.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1999139/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp