UbuntuUpdates.org

Package "openssl"

Name: openssl

Description:

Secure Sockets Layer toolkit - cryptographic utility

Latest version: 3.0.2-0ubuntu1.5
Release: jammy (22.04)
Level: updates
Repository: main
Homepage: https://www.openssl.org/

Other versions of "openssl" in Jammy

Repository  Area  Version
base        main  3.0.2-0ubuntu1
security    main  3.0.2-0ubuntu1.5

Changelog

Version: 3.0.2-0ubuntu1.5 2022-06-21 17:06:35 UTC

  openssl (3.0.2-0ubuntu1.5) jammy-security; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and
      apply it before c_rehash-compat.patch.
    - debian/patches/CVE-2022-2068-1.patch: fix file operations in
      tools/c_rehash.in.
    - debian/patches/CVE-2022-2068-2.patch: drop the issuer_name_hash=
      prefix from the CRL hash in tools/c_rehash.in.
    - debian/patches/c_rehash-compat.patch: updated patch to apply after
      the security updates.
    - CVE-2022-2068

 -- Marc Deslauriers <email address hidden> Wed, 15 Jun 2022 10:26:20 -0400

CVE-2022-1292 The c_rehash script does not properly sanitise shell metacharacters to ...
CVE-2022-2068 The c_rehash script allows command injection

Version: 3.0.2-0ubuntu1.4 2022-06-20 16:06:22 UTC

  openssl (3.0.2-0ubuntu1.4) jammy; urgency=medium

  * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093)

1978093 openssl: FTBFS due to expired certificates

Version: 3.0.2-0ubuntu1.2 2022-05-17 10:06:30 UTC

  openssl (3.0.2-0ubuntu1.2) jammy; urgency=medium

  * d/p/lp1968997/*: cherry-pick a patchset to fix issues with the Turkish
    locale (LP: #1968997)

 -- Simon Chopin <email address hidden> Thu, 05 May 2022 10:04:52 +0200

1968997 openssl has catastrophic issues when locale set to TR_UTF8

Version: 3.0.2-0ubuntu1.1 2022-05-04 19:06:28 UTC

  openssl (3.0.2-0ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke
      openssl in tools/c_rehash.in.
    - CVE-2022-1292
  * SECURITY UPDATE: OCSP_basic_verify may incorrectly verify the response
    signing certificate
    - debian/patches/CVE-2022-1343-1.patch: fix OCSP_basic_verify signer
      certificate validation in crypto/ocsp/ocsp_vfy.c.
    - debian/patches/CVE-2022-1343-2.patch: test ocsp with invalid
      responses in test/recipes/80-test_ocsp.t.
    - CVE-2022-1343
  * SECURITY UPDATE: incorrect MAC key used in the RC4-MD5 ciphersuite
    - debian/patches/CVE-2022-1434.patch: fix the RC4-MD5 cipher in
      providers/implementations/ciphers/cipher_rc4_hmac_md5.c,
      test/recipes/30-test_evp_data/evpciph_aes_stitched.txt,
      test/recipes/30-test_evp_data/evpciph_rc4_stitched.txt.
    - CVE-2022-1434
  * SECURITY UPDATE: resource leakage when decoding certificates and keys
    - debian/patches/CVE-2022-1473.patch: fix bug in OPENSSL_LH_flush in
      crypto/lhash/lhash.c.
    - CVE-2022-1473

 -- Marc Deslauriers <email address hidden> Tue, 03 May 2022 12:01:34 -0400

CVE-2022-1292 The c_rehash script does not properly sanitise shell metacharacters to ...
CVE-2022-1343 The function `OCSP_basic_verify` verifies the signer certificate on an ...
CVE-2022-1434 The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly ...
CVE-2022-1473 The OPENSSL_LH_flush() function, which empties a hash table, contains ...


