openssl (3.5.4-1~deb13u1) trixie; urgency=medium
* Import 3.5.4
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 01 Nov 2025 12:22:59 +0100
openssl (3.5.1-1+deb13u1) trixie-security; urgency=medium
* CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap)
* CVE-2025-9231 (Timing side-channel in SM2 algorithm on 64 bit ARM)
* CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling)
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Fri, 26 Sep 2025 21:18:35 +0200
openssl (3.5.1-1) unstable; urgency=medium
* Import 3.5.1
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 12 Jul 2025 18:49:06 +0200
openssl (3.5.0-2) unstable; urgency=medium
* Fix P-384 curve on lower-than-P9 PPC64 targets (Closes: #1106516).
* CVE-2025-4575 ("The x509 application adds trusted use instead of
rejected use") (Closes: #1106322).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 28 May 2025 22:13:00 +0200
openssl (3.5.0-1) unstable; urgency=medium
* Import 3.5.0
* Upload to unstable.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 08 Apr 2025 21:15:30 +0200
openssl (3.5.0~~beta1-1) experimental; urgency=medium
* Import 3.5.0-beta1.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 26 Mar 2025 21:38:19 +0100
openssl (3.5.0~~alpha1-1) experimental; urgency=medium
* Import 3.5.0-alpha1.
* Remove usr/share/doc/libssl3 (Closes: #1098515).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 12 Mar 2025 22:08:55 +0100
openssl (3.4.1-1) unstable; urgency=medium
* Import 3.4.1
- CVE-2024-12797 (RFC7250 handshakes with unauthenticated servers don't
abort as expected) (Closes: #1095765).
- CVE-2024-13176 (Timing side-channel in ECDSA signature computation)
(Closes: #1094027).
- Compile on LoongArch again (Closes: #1092307).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 11 Feb 2025 21:30:30 +0100
openssl (3.4.0-2) unstable; urgency=medium
* Disable padlockeng on non-x86 architectures.
* Upload to unstable.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Mon, 06 Jan 2025 19:01:42 +0100
openssl (3.4.0-1) experimental; urgency=medium
* Import 3.4.0
- CVE-2024-9143 (Low-level invalid GF(2^m) parameters lead to OOB memory
access) (Closes: #1085378).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 23 Oct 2024 21:18:43 +0200
openssl (3.4.0~~beta1-2) experimental; urgency=medium
* Add a patch to avoid using other memory allocations if custom malloc is
provided.
* Add a patch to check length in the SPARC assembly implementation of
AES-CBC.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sun, 13 Oct 2024 22:07:10 +0200
openssl (3.4.0~~beta1-1) experimental; urgency=medium
* Import 3.4.0-beta1
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Mon, 07 Oct 2024 23:03:28 +0200
openssl (3.3.2-1) unstable; urgency=medium
* Import 3.3.2.
- CVE-2024-6119 (Possible denial of service in X.509 name checks).
- CVE-2024-5535 (SSL_select_next_proto buffer overread)
(Closes: #1074487).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 03 Sep 2024 21:43:24 +0200
openssl (3.3.1-7) unstable; urgency=medium
* Make libssl3t64 depend on openssl-provider-legacy (See further development
in #965041).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Mon, 19 Aug 2024 23:38:33 +0200
openssl (3.3.1-6) unstable; urgency=medium
[ Sebastian Andrzej Siewior ]
* Enable ec_nistp_64_gcc_128 on arm64, ppc64el, riscv64. Initially suggested
by Joel Stanley.
* Add a "prefix" for pkg-config and cmake exporter
(Closes: #1078509, #1078020).
* Add Breaks/ Replaces to the legacy provider also against libssl3
(Closes: #1078551).
* Upload to unstable.
[ Debian Janitor ]
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
* Fix day-of-week for changelog entries 0.9.8a-7, 0.9.8a-6, 0.9.8a-4.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 13 Aug 2024 21:39:36 +0200
openssl (3.3.1-5) experimental; urgency=medium
* Split the legacy provider into its own package (Closes: #965041).
* Add the FIPS provider (Closes: #1050210).
* Reintroduce the provider section back in the default openssl.cnf. This
was to keep compatibility with the openssl 1.1 series. Adding it makes it
easier to add/enable providers such as fips.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sun, 04 Aug 2024 23:22:06 +0200
openssl (3.3.1-2) unstable; urgency=medium
* Upload to unstable.
* Add support for hurd-amd64, patch by Samuel Thibault (Closes: #1076324).
* Use the static archive from the shared build.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 03 Aug 2024 16:17:50 +0200
openssl (3.3.1-1) experimental; urgency=medium
* Import 3.3.1.
- CVE-2024-4603 (Excessive time spent checking DSA keys and parameters)
(Closes: #1071972).
- CVE-2024-4741 (Use After Free with SSL_free_buffers)
(Closes: #1072113).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 04 Jun 2024 18:37:30 +0200
openssl (3.3.0-1) experimental; urgency=medium
* Import 3.3.0.
- CVE-2024-2511 (Unbounded memory growth with session handling in TLSv1.3)
(Closes: #1068658).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thu, 11 Apr 2024 21:49:45 +0200
openssl (3.3.0~beta1-1) experimental; urgency=medium
* Import 3.3.0-beta1.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Fri, 05 Apr 2024 23:09:03 +0200
openssl (3.2.1-3) unstable; urgency=medium
* Upload to unstable.
* Correct previous security level in NEWS file (Closes: #1066116).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thu, 04 Apr 2024 22:00:04 +0200
openssl (3.2.1-2) experimental; urgency=medium
* Disable brotli and enable zlib for certificate compression.
* Update to latest openssl-3.2 branch.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thu, 22 Feb 2024 21:41:18 +0100
openssl (3.2.1-1.1~exp1) experimental; urgency=medium
* Non-maintainer upload.
* Rename libraries for 64-bit time_t transition.
-- Steve Langasek <vorlon@debian.org> Mon, 19 Feb 2024 07:33:51 +0000
openssl (3.2.1-1) experimental; urgency=medium
* Import 3.2.1
- CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
- CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
(Closes: #1060858).
- CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
PowerPC) (Closes: #1060347).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 03 Feb 2024 17:23:00 +0100
openssl (3.2.0-2) experimental; urgency=medium
* Use generic target for riscv64.
* Update to latest openssl-3.2 branch.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thu, 14 Dec 2023 21:13:53 +0100
openssl (3.2.0-1) experimental; urgency=medium
* Import 3.2.0
* Enable zstd, brotli and for certificate compression.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sun, 26 Nov 2023 13:37:14 +0100
openssl (3.1.4-2) unstable; urgency=medium
* Invoke clean up from the openssl binary as a temporary workaround to avoid
a crash in libp11/SoftHSM engine (Closes: #1054546).
* CVE-2023-5678 (Excessive time spent in DH check / generation with large Q
parameter value) (Closes: #1055473).
* Upload to unstable.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 25 Nov 2023 21:35:59 +0100
openssl (3.1.4-1) experimental; urgency=medium
* Import 3.1.4
- CVE-2023-5363 (Incorrect cipher key and IV length processing).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 24 Oct 2023 21:58:49 +0200
openssl (3.1.3-1) experimental; urgency=medium
* Import 3.1.3
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 19 Sep 2023 18:57:49 +0200
openssl (3.1.2-1) experimental; urgency=medium
* Import 3.1.2
- CVE-2023-2975 (AES-SIV implementation ignores empty associated data
entries) (Closes: #1041818).
- CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
(Closes: #1041817).
- CVE-2023-3817 (Excessive time spent checking DH q parameter value).
- Drop bc and m4 from B-D.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 01 Aug 2023 22:51:25 +0200
openssl (3.1.1-1) experimental; urgency=medium
* Import 3.1.1
- CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
Constraints) (Closes: #1034720).
- CVE-2023-0465 (Invalid certificate policies in leaf certificates are
silently ignored).
- CVE-2023-0466 (Certificate policy check not enabled).
- Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
- CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
- CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).
- Add new symbol.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 30 May 2023 19:46:00 +0200
openssl (3.1.0-1) experimental; urgency=medium
* Import 3.1.0
* Add new symbols.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 06 May 2023 12:11:09 +0200
openssl (3.0.8-1) unstable; urgency=medium
* Import 3.0.8
- CVE-2023-0401 (NULL dereference during PKCS7 data verification).
- CVE-2023-0286 (X.400 address type confusion in X.509 GeneralName).
- CVE-2023-0217 (NULL dereference validating DSA public key).
- CVE-2023-0216 (Invalid pointer dereference in d2i_PKCS7 functions).
- CVE-2023-0215 (Use-after-free following BIO_new_NDEF).
- CVE-2022-4450 (Double free after calling PEM_read_bio_ex).
- CVE-2022-4304 (Timing Oracle in RSA Decryption).
- CVE-2022-4203 (X.509 Name Constraints Read Buffer Overflow).
- Padlock: fix byte swapping assembly for AES-192 and 256
(Closes: #1029259).
- Add new symbol.
* Make loongarch64 little endian (Closes: #1029281).
* Drop conflict against libssl1.0-dev.
* Update Standards-Version to 4.6.1. No changes required.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 07 Feb 2023 21:42:42 +0100
openssl (3.0.7-2) unstable; urgency=medium
[ Sebastian Andrzej Siewior ]
* CVE-2022-3996 (X.509 Policy Constraints Double Locking) (Closes: #1027102).
* Add loongarch64 target (Closes: #1024414).
* Avoid SIGSEGV with engines, reported by ValdikSS (Closes: #1028898).
* Set digestname from argv[0] if it is a builtin hash name
(Closes: #1025461).
[ Helmut Grohne ]
* Support the noudeb build profile (Closes: #1024929).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thu, 19 Jan 2023 21:31:42 +0100
openssl (3.0.7-1) unstable; urgency=medium
* Import 3.0.7
- Using a Custom Cipher with NID_undef may lead to NULL encryption
(CVE-2022-3358) (Closes: #1021620).
- X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
- X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
* Disable rdrand engine (the opcode on x86).
* Remove config bits for MIPS R6, the generic MIPS config can be used.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 01 Nov 2022 21:39:01 +0100
openssl (3.0.5-4) unstable; urgency=medium
* Add ssl_conf() serialisation (Closes: #1020308).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Mon, 19 Sep 2022 21:59:19 +0200
openssl (3.0.5-3) unstable; urgency=medium
* Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
(Closes: #805646).
* Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sun, 18 Sep 2022 21:48:05 +0200
openssl (3.0.5-2) unstable; urgency=medium
* Update to commit ce3951fc30c7b ("VC++ 2008 or earlier x86 compilers…")
(Closes: #1016290).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sun, 14 Aug 2022 21:57:05 +0200
openssl (3.0.5-1) unstable; urgency=medium
* Import 3.0.5
- Possible module_list_lock crash (Closes: #1013309).
- CVE-2022-2097 (AES OCB fails to encrypt some bytes).
* Update to 55461bf22a57a ("Don't try to make configuration leaner")
* Use -latomic on arc,nios2 and sparc (Closes: #1015792).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sun, 24 Jul 2022 16:30:30 +0200
openssl (3.0.4-2) unstable; urgency=medium
* Address an AVX2 related memory corruption (Closes: #1013441)
(CVE-2022-2274).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Fri, 24 Jun 2022 19:27:02 +0200
openssl (3.0.4-1) unstable; urgency=medium
* Import 3.0.4
- CVE-2022-2068 (The c_rehash script allows command injection)
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 22 Jun 2022 08:04:00 +0200
openssl (3.0.3-8) unstable; urgency=medium
* Update to openssl-3.0 head.
* Avoid reusing the init_lock for a different purpose (Closes: #1011339).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Mon, 13 Jun 2022 22:16:39 +0200
openssl (3.0.3-7) unstable; urgency=medium
* Remove the provider section from the provided openssl.cnf
(Closes: #1011051).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 08 Jun 2022 23:10:14 +0200
openssl (3.0.3-6) unstable; urgency=medium
* Update to openssl-3.0 head which fixes the expired certs in the testsuite.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 04 Jun 2022 15:25:53 +0200
openssl (3.0.3-5) unstable; urgency=medium
* Don't generate endbr32 opcodes on i386. Thanks to Wolfgang Walter
(Closes: #1011127).
* Backport more compare fixes from upstream.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Fri, 20 May 2022 22:01:29 +0200
openssl (3.0.3-4) unstable; urgency=medium
* Add an init to EVP_PKEY_Q_keygen(). GH#18247, reference 1010958.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Mon, 16 May 2022 23:20:27 +0200
openssl (3.0.3-3) unstable; urgency=medium
* Revert "Use .s extension for ia64 assembler" and don't zero used
registers. Thanks to John Paul Adrian Glaubitz for debugging
(Closes: #1010975).
* Don't build ev4/ev5 optimized libraries on alpha.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 14 May 2022 21:50:31 +0200
openssl (3.0.3-2) unstable; urgency=medium
* Update standards to 4.6.1. No changes were needed.
* Upload to unstable.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Fri, 13 May 2022 23:25:01 +0200
openssl (3.0.3-1) experimental; urgency=medium
* Import 3.0.3
- CVE-2022-1292 (The c_rehash script allows command injection).
- CVE-2022-1343 (OCSP_basic_verify may incorrectly verify the response
signing certificate).
- CVE-2022-1434 (Incorrect MAC key used in the RC4-MD5 ciphersuite).
- CVE-2022-1473 (Resource leakage when decoding certificates and keys).
- Add new symbols.
* Correct the openssl.cnf to provide proper default configuration. Thanks to
Matthias Blümel (Closes: #1010360).
* Use a separator in the CipherString in openssl.cnf (Closes: #948800).
* Remove the postinst script which was used to restart daemons after a
library upgrade. It is not updated and essentially dead code. Users are
advised to switch to checkrestart/ needrestart or a similar service.
Thanks to Helmut Grohne (Closes: #983722).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Fri, 06 May 2022 22:21:52 +0200
openssl (3.0.2-1) experimental; urgency=medium
* Import 3.0.2
- CVE-2022-0778 (Infinite loop in BN_mod_sqrt() reachable when parsing
certificates).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 15 Mar 2022 20:54:57 +0100
openssl (3.0.1-1) experimental; urgency=medium
* Import 3.0.1
- CVE-2021-4044 (Fixed invalid handling of X509_verify_cert() internal
errors in libssl).
- CVE-2021-4160 (Carry propagation bug in the MIPS32 and MIPS64 squaring
procedure.)
* Zero used registers at function exit.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Mon, 27 Dec 2021 11:44:50 +0100
openssl (3.0.0-1) experimental; urgency=medium
* Import 3.0.0.
* Add ARC, patch by Vineet Gupta (Closes: #989442).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 11 Sep 2021 10:41:54 +0200
openssl (3.0.0~~beta2-1) experimental; urgency=medium
* Import 3.0.0-beta2.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Fri, 30 Jul 2021 07:51:18 +0200
openssl (3.0.0~~beta1-1) experimental; urgency=medium
* Import 3.0.0-beta1.
* Use HARNESS_VERBOSE again (otherwise the test suite might be killed since no
progress is visible).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 23 Jun 2021 19:32:27 +0200
openssl (3.0.0~~alpha16-1) experimental; urgency=medium
* Import 3.0.0-alpha16.
* Use VERBOSE_FAILURE to log only failures in the build log.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thu, 06 May 2021 21:54:38 +0200
openssl (3.0.0~~alpha15-1) experimental; urgency=medium
* Import 3.0.0-alpha15.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 28 Apr 2021 23:26:47 +0200
openssl (3.0.0~~alpha13-2) experimental; urgency=medium
* Add a proposed patch from upstream to skip negative errno number in the
testsuite to pass the testsuite on hurd.
* Always link against libatomic.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 07 Apr 2021 21:36:02 +0200
openssl (3.0.0~~alpha13-1) experimental; urgency=medium
* Import 3.0.0-alpha13.
* Move configuration.h to architecture specific include folder. Patch from
Antonio Terceiro (Closes: #985555).
* Enable LFS. Thanks to Dan Nicholson for debugging (Closes: #923479).
* drop `lsof', the testsuite is not using it anymore.
* Enable ktls.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thu, 01 Apr 2021 23:07:05 +0200
openssl (3.0.0~~alpha4-1) experimental; urgency=medium
* Import 3.0.0-alpha4.
* Add `lsof' which is needed by the test suite.
* Add ossl-modules to libcrypto's udeb.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 07 Jul 2020 00:16:54 +0200
openssl (3.0.0~~alpha3-1) experimental; urgency=medium
* Import 3.0.0-alpha3
* Install the .so files only in the -dev package (Closes: #962548).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 17 Jun 2020 23:24:43 +0200
openssl (3.0.0~~alpha1-1) experimental; urgency=medium
* Import 3.0.0-alpha1 (Closes: #934836).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 25 Apr 2020 23:08:44 +0200
openssl (1.1.1g-1) unstable; urgency=medium
* New upstream version
- CVE-2020-1967 (Segmentation fault in SSL_check_chain).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 21 Apr 2020 21:45:21 +0200
openssl (1.1.1f-1) unstable; urgency=medium
* New upstream version
- Revert the change of EOF detection to avoid regressions in applications.
(Closes: #955442).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 31 Mar 2020 23:59:59 +0200
openssl (1.1.1e-1) unstable; urgency=medium
* Use dh-compat level 12.
* New upstream version
- CVE-2019-1551 (Overflow in the x86_64 Montgomery squaring procedure),
(Closes: #947949).
* Update symbol list.
* Update Standards-Version to 4.5.0. No changes required.
* Add musl configurations (Closes: #941765).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 18 Mar 2020 20:59:39 +0100
openssl (1.1.1d-2) unstable; urgency=medium
* Reenable AES-CBC-HMAC-SHA ciphers (Closes: #941987).
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 12 Oct 2019 21:37:55 +0200
openssl (1.1.1d-1) unstable; urgency=medium
* New upstream version
- CVE-2019-1549 (Fixed a fork protection issue).
- CVE-2019-1547 (Compute ECC cofactors if not provided during EC_GROUP
construction).
- CVE-2019-1563 (Fixed a padding oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey).
* Update symbol list
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 14 Sep 2019 00:38:12 +0200
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog openssl-provider-legacy`.
Generated by dwww version 1.16 on Tue Dec 16 07:14:56 CET 2025.