UbuntuUpdates.org

Package "libssl-dev"

Name: libssl-dev

Description:

Secure Sockets Layer toolkit - development files

Latest version: 3.0.2-0ubuntu1.18
Release: jammy (22.04)
Level: security
Repository: main
Head package: openssl
Homepage: https://www.openssl.org/

Links


Download "libssl-dev"


Other versions of "libssl-dev" in Jammy

Repository Area Version
base main 3.0.2-0ubuntu1
updates main 3.0.2-0ubuntu1.18

Changelog

Version: 3.0.2-0ubuntu1.12 2023-10-24 16:06:54 UTC

  openssl (3.0.2-0ubuntu1.12) jammy-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: AES-SIV implementation ignores empty associated data
    entries
    - debian/patches/CVE-2023-2975.patch: do not ignore empty associated
      data with AES-SIV mode in
      providers/implementations/ciphers/cipher_aes_siv.c.
    - CVE-2023-2975
  * SECURITY UPDATE: Incorrect cipher key and IV length processing
    - debian/patches/CVE-2023-5363-1.patch: process key length and iv
      length early if present in crypto/evp/evp_enc.c.
    - debian/patches/CVE-2023-5363-2.patch: add unit test in
      test/evp_extra_test.c.
    - CVE-2023-5363

  [ Ian Constantin ]
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-3446.patch: adds check to prevent the testing of
      an excessively large modulus in DH_check().
    - CVE-2023-3446
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-3817.patch: adds check to prevent the testing of
      invalid q values in DH_check().
    - CVE-2023-3817

 -- Marc Deslauriers <email address hidden> Fri, 13 Oct 2023 08:02:49 -0400

Source diff to previous version
CVE-2023-5363 Incorrect cipher key & IV length processing

Version: 3.0.2-0ubuntu1.10 2023-05-30 16:07:36 UTC

  openssl (3.0.2-0ubuntu1.10) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS in AES-XTS cipher decryption
    - debian/patches/CVE-2023-1255.patch: avoid buffer overrread in
      crypto/aes/asm/aesv8-armx.pl.
    - CVE-2023-1255
  * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers
    - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT
      IDENTIFIERs that OBJ_obj2txt will translate in
      crypto/objects/obj_dat.c.
    - CVE-2023-2650
  * Replace CVE-2022-4304 fix with improved version
    - debian/patches/CVE-2022-4304.patch: use alternative fix in
      crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c,
      crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c.

 -- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:12:55 -0400

Source diff to previous version
CVE-2023-2650 openssl Possible DoS translating ASN.1 object identifiers
CVE-2022-4304 openssl: Timing Oracle in RSA Decryption

Version: 3.0.2-0ubuntu1.9 2023-04-25 14:07:16 UTC

  openssl (3.0.2-0ubuntu1.9) jammy-security; urgency=medium

  * SECURITY UPDATE: double locking when processing X.509 certificate policy
    constraints
    - debian/patches/CVE-2022-3996-1.patch: revert commit 9aa4be69 and remove
      redundant flag setting.
    - debian/patches/CVE-2022-3996-2.patch: add test case for reported
      deadlock.
    - CVE-2022-3996
  * SECURITY UPDATE: excessive resource use when verifying policy constraints
    - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
      in a policy tree (the default limit is set to 1000 nodes).
    - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
      resource overuse.
    - debian/patches/CVE-2023-0464-3.patch: disable the policy tree
      exponential growth test conditionally.
    - CVE-2023-0464
  * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
    - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
      is checked even in leaf certs.
    - debian/patches/CVE-2023-0465-2.patch: generate some certificates with
      the certificatePolicies extension.
    - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
    - CVE-2023-0466
  * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
    not enabled as documented
    - debian/patches/CVE-2023-0466.patch: fix documentation of
      X509_VERIFY_PARAM_add0_policy().
    - CVE-2023-0466

 -- Camila Camargo de Matos <email address hidden> Mon, 17 Apr 2023 15:12:58 -0300

Source diff to previous version
CVE-2022-3996 If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. O
CVE-2023-0464 A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that includ

Version: 3.0.2-0ubuntu1.8 2023-02-08 19:06:58 UTC

  openssl (3.0.2-0ubuntu1.8) jammy-security; urgency=medium

  * SECURITY UPDATE: X.509 Name Constraints Read Buffer Overflow
    - debian/patches/CVE-2022-4203-1.patch: fix type confusion in
      nc_match_single() in crypto/x509/v3_ncons.c.
    - debian/patches/CVE-2022-4203-2.patch: add testcase for
      nc_match_single type confusion in test/*.
    - CVE-2022-4203
  * SECURITY UPDATE: Timing Oracle in RSA Decryption
    - debian/patches/CVE-2022-4304.patch: fix timing oracle in
      crypto/bn/bn_blind.c, crypto/bn/bn_local.h, crypto/bn/build.info,
      crypto/bn/rsa_sup_mul.c, crypto/rsa/rsa_ossl.c, include/crypto/bn.h.
    - CVE-2022-4304
  * SECURITY UPDATE: Double free after calling PEM_read_bio_ex
    - debian/patches/CVE-2022-4450-1.patch: avoid dangling ptrs in header
      and data params for PEM_read_bio_ex in crypto/pem/pem_lib.c.
    - debian/patches/CVE-2022-4450-2.patch: add a test in test/pemtest.c.
    - CVE-2022-4450
  * SECURITY UPDATE: Use-after-free following BIO_new_NDEF
    - debian/patches/CVE-2023-0215-1.patch: fix a UAF resulting from a bug
      in BIO_new_NDEF in crypto/asn1/bio_ndef.c.
    - debian/patches/CVE-2023-0215-2.patch: check CMS failure during BIO
      setup with -stream is handled correctly in
      test/recipes/80-test_cms.t, test/smime-certs/badrsa.pem.
    - CVE-2023-0215
  * SECURITY UPDATE: Invalid pointer dereference in d2i_PKCS7 functions
    - debian/patches/CVE-2023-0216-1.patch: do not dereference PKCS7 object
      data if not set in crypto/pkcs7/pk7_lib.c.
    - debian/patches/CVE-2023-0216-2.patch: add test for d2i_PKCS7 NULL
      dereference in test/recipes/25-test_pkcs7.t,
      test/recipes/25-test_pkcs7_data/malformed.pkcs7.
    - CVE-2023-0216
  * SECURITY UPDATE: NULL dereference validating DSA public key
    - debian/patches/CVE-2023-0217-1.patch: fix NULL deference when
      validating FFC public key in crypto/ffc/ffc_key_validate.c,
      include/internal/ffc.h, test/ffc_internal_test.c.
    - debian/patches/CVE-2023-0217-2.patch: prevent creating DSA and DH
      keys without parameters through import in
      providers/implementations/keymgmt/dh_kmgmt.c,
      providers/implementations/keymgmt/dsa_kmgmt.c.
    - debian/patches/CVE-2023-0217-3.patch: do not create DSA keys without
      parameters by decoder in crypto/x509/x_pubkey.c,
      include/crypto/x509.h,
      providers/implementations/encode_decode/decode_der2key.c.
    - CVE-2023-0217
  * SECURITY UPDATE: X.400 address type confusion in X.509 GeneralName
    - debian/patches/CVE-2023-0286.patch: fix GENERAL_NAME_cmp for
      x400Address in crypto/x509/v3_genn.c, include/openssl/x509v3.h.in,
      test/v3nametest.c.
    - CVE-2023-0286
  * SECURITY UPDATE: NULL dereference during PKCS7 data verification
    - debian/patches/CVE-2023-0401-1.patch: check return of BIO_set_md()
      calls in crypto/pkcs7/pk7_doit.c.
    - debian/patches/CVE-2023-0401-2.patch: add testcase for missing return
      check of BIO_set_md() calls in test/recipes/80-test_cms.t,
      test/recipes/80-test_cms_data/pkcs7-md4.pem.
    - CVE-2023-0401

 -- Marc Deslauriers <email address hidden> Mon, 06 Feb 2023 12:57:17 -0500

Source diff to previous version
CVE-2022-4203 openssl: X.509 Name Constraints Read Buffer Overflow
CVE-2022-4304 openssl: Timing Oracle in RSA Decryption
CVE-2022-4450 openssl: Double free after calling PEM_read_bio_ex
CVE-2023-0215 openssl: Use-after-free following BIO_new_NDEF
CVE-2023-0216 openssl: Invalid pointer dereference in d2i_PKCS7 functions
CVE-2023-0217 openssl: NULL dereference validating DSA public key
CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName
CVE-2023-0401 openssl: NULL dereference during PKCS7 data verification

Version: 3.0.2-0ubuntu1.7 2022-11-01 17:07:22 UTC

  openssl (3.0.2-0ubuntu1.7) jammy-security; urgency=medium

  * SECURITY UPDATE: X.509 Email Address Buffer Overflow
    - debian/patches/CVE-2022-3602-1.patch: fix off by one in punycode
      decoder in crypto/punycode.c, test/build.info, test/punycode_test.c,
      test/recipes/04-test_punycode.t.
    - debian/patches/CVE-2022-3602-2.patch: ensure the result is zero
      terminated in crypto/punycode.c.
    - CVE-2022-3602
  * SECURITY UPDATE: legacy custom cipher issue
    - debian/patches/CVE-2022-3358.patch: fix usage of custom EVP_CIPHER
      objects in crypto/evp/digest.c, crypto/evp/evp_enc.c.
    - CVE-2022-3358

 -- Marc Deslauriers <email address hidden> Thu, 27 Oct 2022 13:06:56 -0400

CVE-2022-3358 OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated i



About   -   Send Feedback to @ubuntu_updates