UbuntuUpdates.org

Package "openssl"

Name: openssl

Description:

Secure Sockets Layer toolkit - cryptographic utility
Latest version: 3.0.8-1ubuntu1.2
Release: lunar (23.04)
Level: updates
Repository: main
Homepage: https://www.openssl.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "openssl"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "openssl" in Lunar

Repository Area Version
base main 3.0.8-1ubuntu1
security main 3.0.8-1ubuntu1.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 3.0.8-1ubuntu1.2 2023-05-30 17:07:09 UTC

  openssl (3.0.8-1ubuntu1.2) lunar-security; urgency=medium

  * SECURITY UPDATE: DoS in AES-XTS cipher decryption
    - debian/patches/CVE-2023-1255.patch: avoid buffer overrread in
      crypto/aes/asm/aesv8-armx.pl.
    - CVE-2023-1255
  * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers
    - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT
      IDENTIFIERs that OBJ_obj2txt will translate in
      crypto/objects/obj_dat.c.
    - CVE-2023-2650
  * Replace CVE-2022-4304 fix with improved version
    - debian/patches/revert-CVE-2022-4304.patch: remove previous fix.
    - debian/patches/CVE-2022-4304.patch: use alternative fix in
      crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c,
      crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c.

 -- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:04:49 -0400
Source diff to previous version
CVE-2023-2650 openssl Possible DoS translating ASN.1 object identifiers
CVE-2022-4304 openssl: Timing Oracle in RSA Decryption

Version: 3.0.8-1ubuntu1.1 2023-04-25 19:07:45 UTC

  openssl (3.0.8-1ubuntu1.1) lunar-security; urgency=medium

  * SECURITY UPDATE: excessive resource use when verifying policy constraints
    - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
      in a policy tree (the default limit is set to 1000 nodes).
    - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
      resource overuse.
    - debian/patches/CVE-2023-0464-3.patch: disable the policy tree
      exponential growth test conditionally.
    - CVE-2023-0464
  * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
    - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
      is checked even in leaf certs.
    - debian/patches/CVE-2023-0465-2.patch: generate some certificates with
      the certificatePolicies extension.
    - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
    - CVE-2023-0466
  * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
    not enabled as documented
    - debian/patches/CVE-2023-0466.patch: fix documentation of
      X509_VERIFY_PARAM_add0_policy().
    - CVE-2023-0466

 -- Camila Camargo de Matos <email address hidden> Mon, 24 Apr 2023 07:52:33 -0300
CVE-2023-0464 A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that includ


About   -   Send Feedback to @ubuntu_updates