* Merge from Debian unstable (LP: #1939544). Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
- Add support for building with noudeb build profile.
* Dropped changes, superseded upstream:
- SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
-> CVE-2021-3449
- SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
-> CVE-2021-3450
openssl (1.1.1k-1) unstable; urgency=medium
* New upstream version.
- CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
- CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
-- Simon Chopin <email address hidden> Wed, 11 Aug 2021 13:00:48 +0200
This bug was fixed in the package openssl - 1.1.1k-1ubuntu1
---------------
openssl (1.1.1k-1ubuntu1) impish; urgency=low
* Merge from Debian unstable (LP: #1939544). Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
- Add support for building with noudeb build profile.
* Dropped changes, superseded upstream:
- SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
-> CVE-2021-3449
- SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
-> CVE-2021-3450
openssl (1.1.1k-1) unstable; urgency=medium
* New upstream version.
- CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
- CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
-- Simon Chopin <email address hidden> Wed, 11 Aug 2021 13:00:48 +0200