[Bug 1297025] Re: Either the changelog.gz is missing or there is an erroneous link in the libssl1.0.0 package

Launchpad Bug Tracker 1297025 at bugs.launchpad.net
Fri Jul 12 09:07:12 UTC 2024


This bug was fixed in the package openssl - 3.2.2-1ubuntu1

---------------
openssl (3.2.2-1ubuntu1) oracular; urgency=medium

  * Merge 3.2.2-1 from Debian unstable
    - Remaining changes:
      + Symlink changelog.Debian.gz and copyright.gz from libssl-dev and
        openssl to the ones in libssl3t64
      + Use perl:native in the autopkgtest for installability on i386.
      + Disable LTO with which the codebase is generally incompatible
        (LP: #2058017)
      + Add fips-mode detection and adjust defaults when running in fips mode
  * The changelog.gz symlink was broken (LP: #1297025)
  * The copyright symlink was broken (LP: #2067672)
  * Default configuration includes two paths:
    - /var/lib/crypto-config/profiles/current/openssl.conf.d
    - /etc/ssl/openssl.conf.d
    First one is to read configuration through the crypto-config framework.
    Second one is for customization by sysadmin.

openssl (3.2.2-1) unstable; urgency=medium

  * Import 3.2.2
    - CVE-2024-2511 (Unbounded memory growth with session handling in
      TLSv1.3). (Closes: #1068658).
    - CVE-2024-4603 (Excessive time spent checking DSA keys and parameters)
      (Closes: #1071972).
    - CVE-2024-4741 (Use After Free with SSL_free_buffers)
      (Closes: #1072113).

 -- Adrien Nader <adrien.nader at canonical.com>  Mon, 01 Jul 2024 17:04:32 +0200

** Changed in: openssl (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-2511

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4603

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4741

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1297025

Title:
  Either the changelog.gz is missing or there is an erroneous link in
  the libssl1.0.0 package

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  In libssl-dev for both Precise and Saucy packages for libssl-dev, there is a broken link:
  # ls -l /usr/share/doc/libssl-dev/changelog.gz 
  lrwxrwxrwx 1 root root 27 Jan  8 12:48 /usr/share/doc/libssl-dev/changelog.gz -> ../libssl1.0.0/changelog.gz
  # ls -l /usr/share/doc/libssl1.0.0/changelog.gz 
  ls: cannot access /usr/share/doc/libssl1.0.0/changelog.gz: No such file or directory

  I have verified this in both releases while trying to debug a failing
  build of a 3rd party library that links against these.  Build works in
  Precise, fails in Saucy.  Was looking to see what changed.
