This bug was fixed in the package openssl - 1.1.1f-1ubuntu2.9
---
openssl (1.1.1f-1ubuntu2.9) focal; urgency=medium
* Cherry-pick stable patches to fix potential use-after-free. LP: #1940656
-- Dimitri John Ledkov Wed, 25 Aug 2021 02:13:44 +0100
** Changed in: openssl (Ubun
** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940656
Title:
Potential use aft
I currently do not have a more regular smartcard setup to test out a
hardware pk11 engine with openssl, which is typically the most common
one. But I can use software gost engine to test out that algos provided
by the engine operate correctly.
Installed openssl from proposed, and gost engine.
$ d
@xnox Could you finish the verification and tag the bug verification-done?
" * Configure and use openssl with any engine and ensure that it
continues to work"
--
There is now only a transient ADT regression in Regression in linux-hwe-5.13
(armhf), which is not a valid ADT because armhf ADT runs in lxd
containers and does not boot the requested kernel.
Please release this package.
--
** Changed in: openssl (Ubuntu)
Importance: Undecided => Medium
** Changed in: openssl (Ubuntu Focal)
Importance: Undecided => Medium
--
Hello Dimitri, or anyone else affected,
Accepted openssl into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.9 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https:
Thanks Marc and Dimitri! With Marc's confirmation this is unblocked from
the SRU queue then.
But please don't assign me. Any member of the SRU team can process this.
Assigning individual SRU team members not part of the SRU process,
implies an implied lock that isn't there, and would only delay th
I'd rather these go through the SRU process first, and they will get
picked up automatically next time we do an openssl security update.
--
** Changed in: openssl (Ubuntu Focal)
Status: Incomplete => In Progress
** Changed in: openssl (Ubuntu Focal)
Assignee: (unassigned) => Robie Basak (racb)
--
I would agree that any hypothetical use-after-free / double-free errors
are usually also security vulnerabilities. But these ones were
discovered with static analysis and/or affecting engine use, in error
conditions only. Thus connectivity must already be failing / denied,
before one can trip these
Shouldn't these go into the security pocket? At the least I'd like an
explicit nak from the security team please.
** Changed in: openssl (Ubuntu Focal)
Status: New => Incomplete
--
** Patch added: "lp-1940656-3-engine-fix-double-free-on-error-path.patch"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+attachment/5519403/+files/lp-1940656-3-engine-fix-double-free-on-error-path.patch
--
** Patch added: "lp-1940656-1-srp-fix-double-free.patch"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+attachment/5519401/+files/lp-1940656-1-srp-fix-double-free.patch
--
** Patch added:
"lp-1940656-4-Prevent-use-after-free-of-global_engine_lock.patch"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+attachment/5519404/+files/lp-1940656-4-Prevent-use-after-free-of-global_engine_lock.patch
--
** Patch added: "lp-1940656-2-ts-fix-double-free-on-error-path.patch"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+attachment/5519402/+files/lp-1940656-2-ts-fix-double-free-on-error-path.patch
--