UbuntuUpdates.org

Package "openssl"

Name: openssl

Description: Secure Sockets Layer toolkit - cryptographic utility

Latest version: 3.0.2-0ubuntu1.6
Release: jammy (22.04)
Level: security
Repository: main
Homepage: https://www.openssl.org/

Other versions of "openssl" in Jammy

Repository  Area  Version
base        main  3.0.2-0ubuntu1
updates     main  3.0.2-0ubuntu1.6


Changelog

Version: 3.0.2-0ubuntu1.6 2022-07-05 21:46:32 UTC

  openssl (3.0.2-0ubuntu1.6) jammy-security; urgency=medium

  * SECURITY UPDATE: AES OCB fails to encrypt some bytes
    - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for
      x86 AES-NI in crypto/aes/asm/aesni-x86.pl.
    - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in
      test/recipes/30-test_evp_data/evpciph_aes_ocb.txt.
    - CVE-2022-2097

 -- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 07:20:23 -0400

CVE-2022-2097 AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimi ...

Version: 3.0.2-0ubuntu1.5 2022-06-21 15:06:24 UTC

  openssl (3.0.2-0ubuntu1.5) jammy-security; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and
      apply it before c_rehash-compat.patch.
    - debian/patches/CVE-2022-2068-1.patch: fix file operations in
      tools/c_rehash.in.
    - debian/patches/CVE-2022-2068-2.patch: drop the issuer_name_hash=
      prefix from the CRL hash in tools/c_rehash.in.
    - debian/patches/c_rehash-compat.patch: updated patch to apply after
      the security updates.
    - CVE-2022-2068

 -- Marc Deslauriers <email address hidden> Wed, 15 Jun 2022 10:26:20 -0400

CVE-2022-1292 The c_rehash script does not properly sanitise shell metacharacters to ...
CVE-2022-2068 The c_rehash script allows command injection

Version: 3.0.2-0ubuntu1.1 2022-05-04 17:06:21 UTC

  openssl (3.0.2-0ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke
      openssl in tools/c_rehash.in.
    - CVE-2022-1292
  * SECURITY UPDATE: OCSP_basic_verify may incorrectly verify the response
    signing certificate
    - debian/patches/CVE-2022-1343-1.patch: fix OCSP_basic_verify signer
      certificate validation in crypto/ocsp/ocsp_vfy.c.
    - debian/patches/CVE-2022-1343-2.patch: test ocsp with invalid
      responses in test/recipes/80-test_ocsp.t.
    - CVE-2022-1343
  * SECURITY UPDATE: incorrect MAC key used in the RC4-MD5 ciphersuite
    - debian/patches/CVE-2022-1434.patch: fix the RC4-MD5 cipher in
      providers/implementations/ciphers/cipher_rc4_hmac_md5.c,
      test/recipes/30-test_evp_data/evpciph_aes_stitched.txt,
      test/recipes/30-test_evp_data/evpciph_rc4_stitched.txt.
    - CVE-2022-1434
  * SECURITY UPDATE: resource leakage when decoding certificates and keys
    - debian/patches/CVE-2022-1473.patch: fix bug in OPENSSL_LH_flush in
      crypto/lhash/lhash.c.
    - CVE-2022-1473

 -- Marc Deslauriers <email address hidden> Tue, 03 May 2022 12:01:34 -0400

CVE-2022-1292 The c_rehash script does not properly sanitise shell metacharacters to ...
CVE-2022-1343 The function `OCSP_basic_verify` verifies the signer certificate on an ...
CVE-2022-1434 The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly ...
CVE-2022-1473 The OPENSSL_LH_flush() function, which empties a hash table, contains ...


