Bug#1036957: unblock: openssl/3.0.8-1
control: retitle -1 unblock: openssl/3.0.9-1
On 2023-05-30 22:16:53 [+0200], To submit@bugs.debian.org wrote:
>
> Please unblock package openssl.
>
> The 3.0.9 release contains security and non-security related fixes for
> the package. There are five new CVEs in total that has been addressed.
> One with "moderate" severity. From the package's changelog:
>
> - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
> Constraints) (Closes: #1034720).
> - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
> silently ignored).
> - CVE-2023-0466 (Certificate policy check not enabled).
> - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
> - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
> - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).
>
> The package built on all release architectures (it is still building on
> mipsel at the of writing but I expect it to pass).
> The openssl testsuite run on all architectures during the build process.
> Please find attached the debdiff vs the version in testing.
>
> unblock openssl/3.0.9-1
Sebastian
Reply to: