openssl: merge 3.2.1-3 from unstable
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openssl (Ubuntu) |
Fix Released
|
High
|
Adrien Nader | ||
Bug Description
Unstable has openssl 3.2.1 which is need to fix some tests for nodejs and some features for cryptsetup and is a good step to 3.3 for 24.10.
Merge request: https:/
Copied over from the MP for anyone looking for the detailed rationales behind the dropped delta:
Merge unstable's openssl 3.2.1-1
Remove most of the delta we have compared to Debian.
Openssl 3.2 now forbids TLS < 1.2 when at SECLEVEL=2 which we were
already doing through a patch. This lets us drop patches that implement
this and those that adapt tests.
In addition, debian had integrated the support for the noudeb profile
but we still had some bits related to our diff which we can actually
drop.
Debian had reverted a change in the default configuration file that
broke applications which were using openssl < 3. We had not propagated
that due to various reasons which don't apply for a new development
cycle. I will see if the patch can be dropped Debian-side as it mostly
made sense when openssl versions were likely to be installed alongside
(i.e. during the transition).
The AVX-512 patches have been integrated upstream and can be dropped.
The FIPS patches only make sense during Ubuntu LTS cycles. There is
value in them but the next LTS cycle is in 18 months and the preferred
approach is rather to have them merged upstream by then.
In a private conversation with Tobias (from whom I integrated the FIPS patches for Noble), we agreed that we could drop the FIPS patches after Noble since they would be useless until 26.04, at which point they should have been upstreamed already. Overall it's not very useful to keep them around as patches during the releases they're certainly not going to be used (it's fine to have them through, say, upstream 3.4 or 3.5 however).
All security patches have been integrated.
The code for reboot notification has been removed too as it was buggy
and was actually only working on desktops while the original intent was
to have that code run on servers. Considering there has been no
specification of what was wanted and how it evolved over the years, it's
impossible to "fix" so let's just remove it. The right place to
implement such things is not in postinst scripts.
There are a few things kept: a symlink for changelog/copyright files,
using perl:native in autopkgtests depends, and disabling LTO. The
symlink topic will be looked at later on as there are issues there (the
targets don't exist!), and I will also attempt to drop using
perl:native. I will be doing that slightly later on as there are already
many changes and 3.2 is needed to fix some other tests.
Related branches
- Simon Chopin (community): Approve
- git-ubuntu import: Pending requested
-
Diff: 2043 lines (+1839/-3) (has conflicts)10 files modifieddebian/changelog (+940/-0)
debian/control (+2/-1)
debian/patches/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch (+38/-0)
debian/patches/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch (+130/-0)
debian/patches/fips/crypto-Add-kernel-FIPS-mode-detection.patch (+155/-0)
debian/patches/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch (+495/-0)
debian/patches/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch (+57/-0)
debian/patches/series (+11/-0)
debian/rules (+10/-1)
debian/tests/control (+1/-1)
| description: | updated |
| description: | updated |
| Changed in openssl (Ubuntu): | |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in openssl (Ubuntu): | |
| status: | Fix Committed → Fix Released |
This bug was fixed in the package openssl - 3.2.1-3ubuntu1
---------------
openssl (3.2.1-3ubuntu1) oracular; urgency=medium
* Merge 3.2.1-3 from Debian unstable (LP: #2067384)
- Remaining changes:
+ Symlink changelog{
openssl
+ Use perl:native in the autopkgtest for installability on i386.
+ Disable LTO with which the codebase is generally incompatible
(LP: #2058017)
+ Add fips-mode detection and adjust defaults when running in fips mode
- Dropped changes:
+ d/libssl3.postinst: Revert Debian deletion
- Skip services restart & reboot notification if needrestart is in-use.
- Bump version check to 1.1.1 (bug opened as LP: #1999139)
- Use a different priority for libssl1.
on whether a desktop, or server dist-upgrade is being performed.
- Import libraries/
+ Add support for building with noudeb build profile which has been
integrated
+ Patches that forbade TLS < 1.2 @SECLEVEL=2 which is now upstream
behaviour:
- skip_tls1.
- tests-use-
- tls1.2-
+ Revert the provider removal from the default configuration as there's
no point in carrying the delta (will see if Debian drops the patch)
+ d/p/intel/*: was a backport from upstream changes
+ d/p/CVE-*: was a backport from upstream changes
openssl (3.2.1-3) unstable; urgency=medium
* Upload to unstable.
* Correct prvious security level in NEWS file (Closes: #1066116).
openssl (3.2.1-2) experimental; urgency=medium
* Disable brotli and enable zlib for certificate compression.
* Update to latest openssl-3.2 branch.
openssl (3.2.1-1.1~exp1) experimental; urgency=medium
* Non-maintainer upload.
* Rename libraries for 64-bit time_t transition.
openssl (3.2.1-1) experimental; urgency=medium
* Import 3.2.1
- CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
- CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
(Closes: #1060858).
- CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
PowerPC) (Closes: #1060347).
openssl (3.2.0-2) experimental; urgency=medium
* Use generic target for riscv64.
* Update to latest openssl-3.2 branch.
openssl (3.2.0-1) experimental; urgency=medium
* Import 3.2.0
* Enable zstd, brotli and for certificate compression.
openssl (3.1.4-2) unstable; urgency=medium
* Invoke clean up from the openssl binary as a temporary workaround to avoid
a crash in libp11/SoftHSM engine (Closes: #1054546).
* CVE-2023-5678 (Excessive time spent in DH check / generation with large Q
parameter value) (Closes: #1055473).
* Upload to unstable.
openssl (3.1.4-1) experimental; urgency=medium
* Import 3.1.4
- CVE-2023-5363 (Incorrect cipher key and IV length processing).
openssl (3.1.3-1) experimental; urgency=medium
* Import 3.1.3
openssl (3.1.2-1) experimental; urgency=medium
* Import 3.1.2
- CVE-2023-2975 (AES-SIV implem...