Please merge openssl from debian unstable

Bug #2044795 reported by Ravi Kant Sharma
This bug affects 2 people
Affects: openssl (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

tracking bug

summary: - Please merge openssl 3.1.4-2 from debian unstable
+ Please merge openssl 3.1.4-2 into noble
Changed in openssl (Ubuntu):
assignee: nobody → Ravi Kant Sharma (ravi-sharma)
summary: - Please merge openssl 3.1.4-2 into noble
+ Please merge openssl 3.1.4-2 from debian unstable
Changed in openssl (Ubuntu):
importance: Undecided → Wishlist
Adrien Nader (adrien) wrote :

Openssl's support policy means we won't be using a non-LTS version in Ubuntu. There's a small window where we might use a non-LTS version provided we are sure we can upgrade to an LTS version of openssl in time for our own LTS but at the moment this situation has not happened yet.

Openssl 3.1 is not an LTS, nor is 3.2 (released a few days ago), and it is not known if 3.3 will be. By the way, 3.3 should be released in April, almost in time for our LTS, but again, we don't know if it will also be an LTS release.

As a consequence, we are unfortunately most likely going with 3.0 in 24.04, and every subsequent ubuntu release until we know we will have an LTS in time for our 26.04 (because we can't "downgrade" openssl version for our LTS releases).

In the future it is possible that we introduce "openssl-latest" or something like that in order to track most recent releases but without any support guarantee. This would be a completely separate package.

In any case, I hadn't noticed that 3.1.* had been uploaded to Debian unstable. I was assuming that the debian maintainers would stick to 3.0 for the same reasons as I outlined above. It's possible they're betting they will have an openssl LTS release in time for trixie's release since trixie might be out in 2025 and by that time openssl 3.0 will roughly reach EOL, and a new openssl LTS would be needed. I guess we'll have to discuss which openssl version to use post-24.04 but probably not before 24.04 is released.

I'm going to re-write this report as something post 24.04 since we can't do anything before 24.04 sadly.

Changed in openssl (Ubuntu):
milestone: none → later
summary: - Please merge openssl 3.1.4-2 from debian unstable
+ Please merge openssl from debian unstable
Changed in openssl (Ubuntu):
status: New → Confirmed
Ravi Kant Sharma (ravi-sharma) wrote :

Will resume once new openssl LTS is released.

Changed in openssl (Ubuntu):
assignee: Ravi Kant Sharma (ravi-sharma) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 3.3.1-2ubuntu1

---------------
openssl (3.3.1-2ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2044795). Remaining changes:
    - Use perl:native in the autopkgtest for installability on i386.
    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
    - Disable LTO with which the codebase is generally incompatible (LP #2058017)
    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
    - patch: crypto: Add kernel FIPS mode detection
    - patch: crypto: Automatically use the FIPS provider...
    - patch: apps/speed: Omit unavailable algorithms in FIPS mode
    - patch: apps: pass -propquery arg to the libctx DRBG fetches
    - patch: test: Ensure encoding runs with the correct context...
    - SECURITY UPDATE: crash or memory disclosure via SSL_select_next_proto
      - debian/patches/CVE-2024-5535*.patch: validate provided client list in
        ssl/ssl_lib.c.
      - CVE-2024-5535

openssl (3.3.1-2) unstable; urgency=medium

  * Upload to unstable.
  * Add support for hurd-amd64, patch by Samuel Thibault (Closes: #1076324).
  * Use the static archive from the shared build.

openssl (3.3.1-1) experimental; urgency=medium

  * Import 3.3.1.
    - CVE-2024-4603 (Excessive time spent checking DSA keys and parameters)
      (Closes: #1071972).
    - CVE-2024-4741 (Use After Free with SSL_free_buffers)
      (Closes: #1072113).

openssl (3.3.0-1) experimental; urgency=medium

  * Import 3.3.0.
    - CVE-2024-2511 (Unbounded memory growth with session handling in TLSv1.3)
      (Closes: #1068658).

openssl (3.3.0~beta1-1) experimental; urgency=medium

  * Import 3.3.0-beta1.

 -- Simon Chopin <email address hidden> Mon, 12 Aug 2024 13:49:56 +0200

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released