[ubuntu/jammy-security] openssl 3.0.2-0ubuntu1.1 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Wed May 4 16:33:30 UTC 2022
openssl (3.0.2-0ubuntu1.1) jammy-security; urgency=medium
* SECURITY UPDATE: c_rehash script allows command injection
- debian/patches/CVE-2022-1292.patch: do not use shell to invoke
openssl in tools/c_rehash.in.
- CVE-2022-1292
* SECURITY UPDATE: OCSP_basic_verify may incorrectly verify the response
signing certificate
- debian/patches/CVE-2022-1343-1.patch: fix OCSP_basic_verify signer
certificate validation in crypto/ocsp/ocsp_vfy.c.
- debian/patches/CVE-2022-1343-2.patch: test ocsp with invalid
responses in test/recipes/80-test_ocsp.t.
- CVE-2022-1343
* SECURITY UPDATE: incorrect MAC key used in the RC4-MD5 ciphersuite
- debian/patches/CVE-2022-1434.patch: fix the RC4-MD5 cipher in
providers/implementations/ciphers/cipher_rc4_hmac_md5.c,
test/recipes/30-test_evp_data/evpciph_aes_stitched.txt,
test/recipes/30-test_evp_data/evpciph_rc4_stitched.txt.
- CVE-2022-1434
* SECURITY UPDATE: resource leakage when decoding certificates and keys
- debian/patches/CVE-2022-1473.patch: fix bug in OPENSSL_LH_flush in
crypto/lhash/lhash.c.
- CVE-2022-1473
Date: 2022-05-03 20:41:39.532872+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the jammy-changes
mailing list