This bug was fixed in the package openssl - 3.5.5-1ubuntu1
---------------
openssl (3.5.5-1ubuntu1) resolute; urgency=medium
[ Eric Berry ]
* Enable CPU jitter fluctuations
* Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS
provider (LP: #2141941)
[ Ravi Kant Sharma ]
* Merge with Debian unstable (LP: #2141708). Remaining changes:
- d/p/regex_match_ecp_nistp521-ppc64.patch
- Use perl:native in the autopkgtest for installability on i386.
- Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
- Disable LTO with which the codebase is generally incompatible
(LP #2058017)
- Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
- Don't enable or package anything FIPS (LP #2087955)
- Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)
- Enable CPU jitter fluctuations
- fips patches (debian/patches/fips):
- crypto: Add kernel FIPS mode detection
- crypto: Automatically use the FIPS provider...
- apps/speed: Omit unavailable algorithms in FIPS mode
- apps: pass -propquery arg to the libctx DRBG fetches
- test: Ensure encoding runs with the correct context...
- Add Ubuntu-specific defines to help FIPS certification (LP #2073991)
+ UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
+ UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE
- Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS
provider
* Refreshed patches
- fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch
- fips/two-defines-for-fips-in-libssl-dev-headers.patch
- fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch
openssl (3.5.5-1) unstable; urgency=medium
* Import 3.5.5
- CVE-2025-11187 (Improper validation of PBMAC1 parameters in PKCS#12 MAC
verification)
- CVE-2025-15467 (Stack buffer overflow in CMS AuthEnvelopedData parsing)
- CVE-2025-15468 (NULL dereference in SSL_CIPHER_find() function on unknown
cipher ID)
- CVE-2025-15469 ("openssl dgst" one-shot codepath silently truncates inputs
>16MB)
- CVE-2025-66199 (TLS 1.3 CompressedCertificate excessive memory allocation)
- CVE-2025-68160 (Heap out-of-bounds write in BIO_f_linebuffer on short
writes)
- CVE-2025-69418 (Unauthenticated/unencrypted trailing bytes with low-level
OCB function calls)
- CVE-2025-69419 (Out of bounds write in PKCS12_get_friendlyname() UTF-8
conversion)
- CVE-2025-69420 (Missing ASN1_TYPE validation in TS_RESP_verify_response()
function)
- CVE-2025-69421 (NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex
function)
- CVE-2026-22795 (Missing ASN1_TYPE validation in PKCS#12 parsing)
- CVE-2026-22796 (ASN1_TYPE Type Confusion in the
- PKCS7_digest_from_attributes() function)
openssl (3.5.4-1ubuntu1) resolute; urgency=medium
* Match last filename for output in ecp_nistp521-ppc64.pl (LP: #2137464)
- d/p/regex_match_ecp_nistp521-ppc64.patch
* Drop patches, merged upstream
- d/p/CVE-2025-9230.patch
- d/p/CVE-2025-9231-1.patch
- d/p/CVE-2025-9231-2.patch
- d/p/CVE-2025-9232.patch
* Merge with Debian unstable (LP: #2133492). Remaining changes:
- Use perl:native in the autopkgtest for installability on i386.
- Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
- Disable LTO with which the codebase is generally incompatible (LP
#2058017)
- Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
- Don't enable or package anything FIPS (LP #2087955)
- Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)
- fips patches (debian/patches/fips):
- crypto: Add kernel FIPS mode detection
- crypto: Automatically use the FIPS provider...
- apps/speed: Omit unavailable algorithms in FIPS mode
- apps: pass -propquery arg to the libctx DRBG fetches
- test: Ensure encoding runs with the correct context...
- Add Ubuntu-specific defines to help FIPS certification (LP #2073991)
+ UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
+ UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE
openssl (3.5.4-1) unstable; urgency=medium
* Import 3.5.4
- CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap)
- CVE-2025-9231 (Timing side-channel in SM2 algorithm on 64 bit ARM)
- CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling)
-- Ravi Kant Sharma <[email protected]> Sun, 15 Feb 2026
14:56:21 +0100
** Changed in: openssl (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2025-11187
** CVE added: https://cve.org/CVERecord?id=CVE-2025-15467
** CVE added: https://cve.org/CVERecord?id=CVE-2025-15468
** CVE added: https://cve.org/CVERecord?id=CVE-2025-15469
** CVE added: https://cve.org/CVERecord?id=CVE-2025-66199
** CVE added: https://cve.org/CVERecord?id=CVE-2025-68160
** CVE added: https://cve.org/CVERecord?id=CVE-2025-69418
** CVE added: https://cve.org/CVERecord?id=CVE-2025-69419
** CVE added: https://cve.org/CVERecord?id=CVE-2025-69420
** CVE added: https://cve.org/CVERecord?id=CVE-2025-69421
** CVE added: https://cve.org/CVERecord?id=CVE-2025-9230
** CVE added: https://cve.org/CVERecord?id=CVE-2025-9231
** CVE added: https://cve.org/CVERecord?id=CVE-2025-9232
** CVE added: https://cve.org/CVERecord?id=CVE-2026-22795
** CVE added: https://cve.org/CVERecord?id=CVE-2026-22796
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141708
Title:
Please merge openssl 3.5.5-1 into resolute
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2141708/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
