[Pkg-openssl-devel] Bug#1036957: unblock: openssl/3.0.8-1

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Tue May 30 21:16:53 BST 2023


Package: release.debian.org
Control: affects -1 + src:openssl
User: release.debian.org at packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package openssl.

The 3.0.9 release contains security and non-security related fixes for
the package. There are five new CVEs in total that have been addressed.
One with "moderate" severity. From the package's changelog:

    - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
      Constraints) (Closes: #1034720).
    - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
      silently ignored).
    - CVE-2023-0466 (Certificate policy check not enabled).
    - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
    - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
    - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).

The package built on all release architectures (it is still building on
mipsel at the time of writing but I expect it to pass).
The openssl testsuite ran on all architectures during the build process.
Please find attached the debdiff vs the version in testing.

unblock openssl/3.0.9-1

Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl_3_0_9.diff
Type: text/x-diff
Size: 646835 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-openssl-devel/attachments/20230530/54a14a04/attachment-0001.diff>

