[ubuntu/impish-proposed] openssl 1.1.1k-1ubuntu1 (Accepted)
Simon Chopin
simon.chopin at canonical.com
Fri Aug 13 17:33:13 UTC 2021
openssl (1.1.1k-1ubuntu1) impish; urgency=low
* Merge from Debian unstable (LP: #1939544). Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
- Add support for building with noudeb build profile.
* Dropped changes, superseded upstream:
- SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
-> CVE-2021-3449
- SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
-> CVE-2021-3450
openssl (1.1.1k-1) unstable; urgency=medium
* New upstream version.
- CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
- CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
Date: Wed, 11 Aug 2021 13:00:48 +0200
Changed-By: Simon Chopin <simon.chopin at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Julian Andres Klode <julian.klode at canonical.com>
https://launchpad.net/ubuntu/+source/openssl/1.1.1k-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Wed, 11 Aug 2021 13:00:48 +0200
Source: openssl
Built-For-Profiles: noudeb
Architecture: source
Version: 1.1.1k-1ubuntu1
Distribution: impish
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Simon Chopin <simon.chopin at canonical.com>
Launchpad-Bugs-Fixed: 1939544
Changes:
openssl (1.1.1k-1ubuntu1) impish; urgency=low
.
* Merge from Debian unstable (LP: #1939544). Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
- Add support for building with noudeb build profile.
* Dropped changes, superseded upstream:
- SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
-> CVE-2021-3449
- SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
-> CVE-2021-3450
.
openssl (1.1.1k-1) unstable; urgency=medium
.
* New upstream version.
- CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
- CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
Checksums-Sha1:
e89670d299d48cd565ec6a85ccb6259631727c9e 2758 openssl_1.1.1k-1ubuntu1.dsc
bad9dc4ae6dcc1855085463099b5dacb0ec6130b 9823400 openssl_1.1.1k.orig.tar.gz
60ec762123a6eeee4136942d50f67369de960a9d 488 openssl_1.1.1k.orig.tar.gz.asc
9ea36c739b64a8868461b59a14e9bf5324e08aaf 147076 openssl_1.1.1k-1ubuntu1.debian.tar.xz
19dab0519e33bbc6b3a420967b8aa9faabb9d786 7796 openssl_1.1.1k-1ubuntu1_source.buildinfo
Checksums-Sha256:
8b8ebce487b0ab6c9df73e3c80805eb03a008920e943861d9b83e18a25b57ff2 2758 openssl_1.1.1k-1ubuntu1.dsc
892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 9823400 openssl_1.1.1k.orig.tar.gz
addeaa197444a62c6063d7f819512c2c22b42141dec9d8ec3bff7e4518e1d1c9 488 openssl_1.1.1k.orig.tar.gz.asc
c63bc1377eceb3a69a9ca4d2e1b5532ff92e6daf73f582dd143479b4775a3068 147076 openssl_1.1.1k-1ubuntu1.debian.tar.xz
34b78eddea7ffad6f2433deff282051ab04eb14e9b652d8580638a2f82ca7a7b 7796 openssl_1.1.1k-1ubuntu1_source.buildinfo
Files:
3a4c77e1264dafcf749d3af1a3af81a2 2758 utils optional openssl_1.1.1k-1ubuntu1.dsc
c4e7d95f782b08116afa27b30393dd27 9823400 utils optional openssl_1.1.1k.orig.tar.gz
8119ccb30bf6a12176a320041d225406 488 utils optional openssl_1.1.1k.orig.tar.gz.asc
c3a81ff7ade2dd1fd17a0e8fe87b2e23 147076 utils optional openssl_1.1.1k-1ubuntu1.debian.tar.xz
684f72225b887e6eb0c70da385b8f0f1 7796 utils optional openssl_1.1.1k-1ubuntu1_source.buildinfo
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel at lists.alioth.debian.org>
More information about the impish-changes
mailing list