Debian Package Tracker

openssl

Secure Sockets Layer toolkit - cryptographic utility

general
  • source: openssl (main)
  • version: 3.0.8-1
  • maintainer: Debian OpenSSL Team (archive) (DMD)
  • uploaders: Kurt Roeckx [DMD] – Christoph Martin [DMD] – Sebastian Andrzej Siewior [DMD]
  • arch: all any
  • std-ver: 4.6.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • oldstable: 1.1.1n-0+deb10u3
  • old-sec: 1.1.1n-0+deb10u4
  • stable: 1.1.1n-0+deb11u3
  • stable-sec: 1.1.1n-0+deb11u4
  • testing: 3.0.8-1
  • unstable: 3.0.8-1
  • exp: 3.1.0-1
versioned links
  • 1.1.1n-0+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.1.1n-0+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.1.1n-0+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.1.1n-0+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.0.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.1.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libcrypto3-udeb
  • libssl-dev
  • libssl-doc (1 bugs: 0, 0, 1, 0)
  • libssl3 (1 bugs: 0, 1, 0, 0)
  • libssl3-udeb
  • openssl (50 bugs: 0, 28, 22, 0)
action needed
The VCS repository is not up to date, push the missing commits. high
vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS is out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (the remote HEAD branch, which is usually "master" but can be modified on salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively, the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate which branch is used for the Debian packaging.
Created: 2023-05-06 Last update: 2023-05-17 06:36
4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:
  • CVE-2023-0464: A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
  • CVE-2023-0465: Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
  • CVE-2023-0466: The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
  • CVE-2023-1255: Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption. The AES-XTS cipher decryption implementation for 64 bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service. If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is fairly unlikely making this issue a Low severity one.
Created: 2023-03-22 Last update: 2023-04-29 13:36
1 bug tagged patch in the BTS normal
The BTS contains patches fixing 1 bug, consider including or untagging them.
Created: 2022-07-27 Last update: 2023-05-17 09:03
lintian reports 14 warnings normal
Lintian reports 14 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2023-02-10 Last update: 2023-02-10 15:39
RFH: The maintainer is looking for help with this package. normal
The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is to offer to be a co-maintainer or to triage bugs in the BTS. Please see bug number #332498 for more information.
Created: 2017-12-02 Last update: 2017-12-02 00:26
3 low-priority security issues in bullseye low

There are 3 open security issues in bullseye.

3 issues left for the package maintainer to handle:
  • CVE-2023-0464: (needs triaging) A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
  • CVE-2023-0465: (needs triaging) Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
  • CVE-2023-0466: (needs triaging) The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-03-22 Last update: 2023-04-29 13:36
debian/patches: 9 patches to forward upstream low

Among the 9 debian patches available in version 3.0.8-1 of the package, we noticed the following issues:

  • 9 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2023-02-26 15:54
Build log checks report 2 warnings low
Build log checks report 2 warnings
Created: 2021-01-18 Last update: 2022-05-21 09:05
news
  • [2023-05-06] Accepted openssl 3.1.0-1 (source) into experimental (Sebastian Andrzej Siewior)
  • [2023-02-20] Accepted openssl 1.1.1n-0+deb10u4 (source) into oldstable (Emilio Pozuelo Monfort)
  • [2023-02-14] openssl 3.0.8-1 MIGRATED to testing (Debian testing watch)
  • [2023-02-12] Accepted openssl 1.1.1n-0+deb11u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Andrzej Siewior)
  • [2023-02-07] Accepted openssl 3.0.8-1 (source) into unstable (Sebastian Andrzej Siewior)
  • [2023-02-07] Accepted openssl 1.1.1n-0+deb11u4 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Andrzej Siewior)
  • [2023-01-23] openssl 3.0.7-2 MIGRATED to testing (Debian testing watch)
  • [2023-01-19] Accepted openssl 3.0.7-2 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-11-05] openssl 3.0.7-1 MIGRATED to testing (Debian testing watch)
  • [2022-11-01] Accepted openssl 3.0.7-1 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-10-16] openssl 3.0.5-4 MIGRATED to testing (Debian testing watch)
  • [2022-09-19] Accepted openssl 3.0.5-4 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-09-19] Accepted openssl 3.0.5-3 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-08-17] openssl 3.0.5-2 MIGRATED to testing (Debian testing watch)
  • [2022-08-14] Accepted openssl 3.0.5-2 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-07-24] Accepted openssl 3.0.5-1 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-07-07] openssl 3.0.4-2 MIGRATED to testing (Debian testing watch)
  • [2022-07-01] Accepted openssl 1.1.1n-0+deb10u3 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Andrzej Siewior)
  • [2022-07-01] Accepted openssl 1.1.1n-0+deb11u3 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Sebastian Andrzej Siewior)
  • [2022-06-26] Accepted openssl 1.1.1n-0+deb11u3 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Sebastian Andrzej Siewior)
  • [2022-06-26] Accepted openssl 1.1.1n-0+deb10u3 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Sebastian Andrzej Siewior)
  • [2022-06-24] Accepted openssl 3.0.4-2 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-06-22] Accepted openssl 3.0.4-1 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-06-20] openssl 3.0.3-8 MIGRATED to testing (Debian testing watch)
  • [2022-06-13] Accepted openssl 3.0.3-8 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-06-11] openssl 3.0.3-7 MIGRATED to testing (Debian testing watch)
  • [2022-06-08] Accepted openssl 3.0.3-7 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-06-04] Accepted openssl 3.0.3-6 (source) into unstable (Sebastian Andrzej Siewior)
  • [2022-05-26] Accepted openssl 1.1.1n-0+deb10u2 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Andrzej Siewior)
bugs [bug history graph]
  • all: 57
  • RC: 0
  • I&N: 34
  • M&W: 23
  • F&P: 0
  • patch: 1
links
  • homepage
  • lintian (0, 14)
  • buildd: logs, exp, checks, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 3.0.8-1ubuntu2
  • 62 bugs (1 patch)
  • patches for 3.0.8-1ubuntu2

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers