openssl: merge 3.0.7-1 from Debian unstable

Bug #1998942 reported by Adrien Nader
Affects: openssl (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Adrien Nader

Bug Description

Debian has moved to 3.0.7 in unstable. Now is a good time to merge it.

Tags: patch
Adrien Nader (adrien)
Changed in openssl (Ubuntu):
assignee: nobody → Adrien Nader (adrien-n)
status: New → In Progress
Revision history for this message
Adrien Nader (adrien) wrote :

Patch available. I've reduced the diff to Debian to pretty much two lines and the postinst script. This was made possible by the use of SECLEVEL=2 by Debian and by upstream fixing the test suite for that (mostly by forcing some tests to use SECLEVEL=1).

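The comment above turns on what security level 2 actually rejects, which is why Debian and upstream had to pin some tests to SECLEVEL=1. The script below is an added example, not part of the bug report or of the openssl package; it assumes a 3.x `openssl` command-line tool is installed and uses a constructed, throw-away self-signed certificate with a 1024-bit RSA key, which clears the 1024-bit floor of level 1 but not the 2048-bit floor of level 2.

```shell
#!/bin/sh
# Added example (not from the bug report): compare certificate verification
# at OpenSSL security level 1 and level 2 using a deliberately weak test cert.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# make_weak_cert: create a constructed self-signed certificate whose RSA key
# is 1024 bits. Level 1 requires >= 1024-bit RSA, level 2 requires >= 2048-bit.
# The signature uses SHA-256 so only the key size differs between the levels.
make_weak_cert() {
    openssl req -x509 -newkey rsa:1024 -nodes -days 1 \
        -subj /CN=seclevel-demo \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# verify_at_level LEVEL: return 0 if the constructed cert verifies as its own
# trust anchor when the verification security level is LEVEL, 1 otherwise.
# -auth_level is the verify-side knob for the same policy that the compiled-in
# -DOPENSSL_TLS_SECURITY_LEVEL=2 applies to libssl users by default.
verify_at_level() {
    openssl verify -auth_level "$1" \
        -CAfile "$WORKDIR/cert.pem" "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# verify_error_at_level LEVEL: print the verifier's reason on failure (empty on success)
verify_error_at_level() {
    openssl verify -auth_level "$1" \
        -CAfile "$WORKDIR/cert.pem" "$WORKDIR/cert.pem" 2>&1 >/dev/null \
        | grep -o 'key too weak' || true
}

if [ "${1:-}" = "demo" ]; then
    make_weak_cert
    for lvl in 1 2; do
        if verify_at_level "$lvl"; then
            echo "auth_level $lvl: 1024-bit RSA chain accepted"
        else
            echo "auth_level $lvl: rejected ($(verify_error_at_level "$lvl"))"
        fi
    done
fi
```

Run it as `sh seclevel-demo.sh demo`. The same 1024-bit chain is accepted at level 1 and refused at level 2 with "CA certificate key too weak", which is exactly the class of test fixture upstream had to exempt with `@SECLEVEL=1` once level 2 became the build default.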
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "openssl_3.0.7-1ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Adrien Nader (adrien) wrote :

Attached is a debdiff against Ubuntu's 3.0.5-2ubuntu2.

Revision history for this message
Adrien Nader (adrien) wrote :

Attached is a debdiff against Debian's 3.0.7-1.

Revision history for this message
Adrien Nader (adrien) wrote :
Revision history for this message
Adrien Nader (adrien) wrote :

Updated because Debian now has 3.0.7-2 which includes a patch for a low severity security issue (CVE-2022-3996).

PPA is still at https://launchpad.net/~adrien-n/+archive/ubuntu/merge-openssl-3.0.7.

Attached is the debdiff from 3.0.5-2ubuntu2 to 3.0.7-2ubuntu1.

Revision history for this message
Adrien Nader (adrien) wrote :

Attached is the debdiff from 3.0.7-2 to 3.0.7-2ubuntu1.

Revision history for this message
Adrien Nader (adrien) wrote :

Updated patch following Simon's feedback: there was a pretty bad mistake in the debian changelog where I included UNRELEASED changes from Debian as a dedicated changelog entry.

I had to create a new PPA because, as part of the changelog fix, I changed the version back to 3.0.7-1ubuntu1 rather than 3.0.7-2ubuntu1. It is at https://launchpad.net/~adrien-n/+archive/ubuntu/merge-openssl-3.0.7-take-two.

I'm attaching the debdiffs from debian and from ubuntu.

Revision history for this message
Adrien Nader (adrien) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 3.0.7-1ubuntu1

---------------
openssl (3.0.7-1ubuntu1) lunar; urgency=medium

  * Merge 3.0.7 from Debian unstable (LP: #1998942)
    - Drop patches merged upstream:
      + CVE-2022-3358.patch
      + CVE-2022-3602-1.patch
      + CVE-2022-3602-2.patch
    - Shrink patch since upstream fixed some tests in the patch above:
      + tests-use-seclevel-1.patch
    - Drop patch since -DOPENSSL_TLS_SECURITY_LEVEL=2 is now hard-coded:
      + Set-systemwide-default-settings-for-libssl-users.patch
    - Drop Debian patch not needed anymore:
      + TEST-Provide-a-default-openssl.cnf-for-tests.patch
    - Mention Debian as defaulting to SECLEVEL=2 in addition to Ubuntu:
      + tls1.2-min-seclevel2.patch
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile.
      + Use perl:native in the autopkgtest for installability on i386.
  * Correct comment as to which TLS version is disabled with our seclevel:
    - skip_tls1.1_seclevel3_tests.patch

  [Sebastian Andrzej Siewior]
  * CVE-2022-3996 (X.509 Policy Constraints Double Locking).

openssl (3.0.7-1) unstable; urgency=medium

  * Import 3.0.7
    - Using a Custom Cipher with NID_undef may lead to NULL encryption
      (CVE-2022-3358) (Closes: #1021620).
    - X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
    - X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
  * Disable rdrand engine (the opcode on x86).
  * Remove config bits for MIPS R6, the generic MIPS config can be used.

openssl (3.0.5-4) unstable; urgency=medium

  * Add ssl_conf() serialisation (Closes: #1020308).

openssl (3.0.5-3) unstable; urgency=medium

  * Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
    (Closes: #805646).
  * Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).

 -- Adrien Nader <email address hidden> Tue, 06 Dec 2022 15:11:40 +0100

Changed in openssl (Ubuntu):
status: In Progress → Fix Released