Package "libssl3"

Name: libssl3


Secure Sockets Layer toolkit - shared libraries

Latest version: 3.0.8-1ubuntu1.4
Release: lunar (23.04)
Level: security
Repository: main
Head package: openssl
Homepage: https://www.openssl.org/


Download "libssl3"

Other versions of "libssl3" in Lunar

Repository Area Version
base main 3.0.8-1ubuntu1
updates main 3.0.8-1ubuntu1.4


Version: 3.0.8-1ubuntu1.4 2023-10-24 16:06:55 UTC

  openssl (3.0.8-1ubuntu1.4) lunar-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: AES-SIV implementation ignores empty associated data
    - debian/patches/CVE-2023-2975.patch: do not ignore empty associated
      data with AES-SIV mode in
    - CVE-2023-2975
  * SECURITY UPDATE: Incorrect cipher key and IV length processing
    - debian/patches/CVE-2023-5363-1.patch: process key length and iv
      length early if present in crypto/evp/evp_enc.c.
    - debian/patches/CVE-2023-5363-2.patch: add unit test in
    - CVE-2023-5363

  [ Ian Constantin ]
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-3446.patch: adds check to prevent the testing of
      an excessively large modulus in DH_check().
    - CVE-2023-3446
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-3817.patch: adds check to prevent the testing of
      invalid q values in DH_check().
    - CVE-2023-3817

 -- Marc Deslauriers <email address hidden> Fri, 13 Oct 2023 08:02:49 -0400

Source diff to previous version
CVE-2023-5363 Incorrect cipher key & IV length processing

Version: 3.0.8-1ubuntu1.2 2023-05-30 16:07:45 UTC

  openssl (3.0.8-1ubuntu1.2) lunar-security; urgency=medium

  * SECURITY UPDATE: DoS in AES-XTS cipher decryption
    - debian/patches/CVE-2023-1255.patch: avoid buffer overrread in
    - CVE-2023-1255
  * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers
    - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT
      IDENTIFIERs that OBJ_obj2txt will translate in
    - CVE-2023-2650
  * Replace CVE-2022-4304 fix with improved version
    - debian/patches/revert-CVE-2022-4304.patch: remove previous fix.
    - debian/patches/CVE-2022-4304.patch: use alternative fix in
      crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c,
      crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c.

 -- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:04:49 -0400

Source diff to previous version
CVE-2023-2650 openssl Possible DoS translating ASN.1 object identifiers
CVE-2022-4304 openssl: Timing Oracle in RSA Decryption

Version: 3.0.8-1ubuntu1.1 2023-04-25 14:07:22 UTC

  openssl (3.0.8-1ubuntu1.1) lunar-security; urgency=medium

  * SECURITY UPDATE: excessive resource use when verifying policy constraints
    - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
      in a policy tree (the default limit is set to 1000 nodes).
    - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
      resource overuse.
    - debian/patches/CVE-2023-0464-3.patch: disable the policy tree
      exponential growth test conditionally.
    - CVE-2023-0464
  * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
    - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
      is checked even in leaf certs.
    - debian/patches/CVE-2023-0465-2.patch: generate some certificates with
      the certificatePolicies extension.
    - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
    - CVE-2023-0466
  * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
    not enabled as documented
    - debian/patches/CVE-2023-0466.patch: fix documentation of
    - CVE-2023-0466

 -- Camila Camargo de Matos <email address hidden> Mon, 24 Apr 2023 07:52:33 -0300

CVE-2023-0464 A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that includ

About   -   Send Feedback to @ubuntu_updates