Request MX-23 openssl v 3.2.0  [Solved]

ghunter
Posts: 187
Joined: Mon May 29, 2023 12:40 am

Request MX-23 openssl v 3.2.0

#1 Post by ghunter »

Hi

currently we have openssl and libssl3 such that

Code:

apt info openssl
Package: openssl
Version: 3.0.11-1~deb12u2
Priority: optional
Section: utils
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>
Installed-Size: 2,346 kB
Depends: libc6 (>= 2.34), libssl3 (>= 3.0.9)
Suggests: ca-certificates
Homepage: https://www.openssl.org/

My web browser Firefox and others may not even use ca-certs and the like, but if I try to remove openssl... it will remove things like cups, ca-certificates, MX-repo-manager and the like.
Our version is the Debian version and is getting a little old, with some vulnerabilities reported
https://www.openssl.org/
v 3.2.0

Thanks for reading

Stevo
Developer
Posts: 14792
Joined: Fri Dec 15, 2006 7:07 pm

Re: Request MX-23 openssl v 3.2.0  [Solved]

#2 Post by Stevo »

Debian is really good about backporting any security fixes to existing stable releases. The deb12u2 at the end of the version means 3.0.11 has been updated twice already for Debian 12, besides the 3.0.10 to 3.0.11 update they did when 3.0.10 proved unpatchable.

So Debian watches openssl closely and fixes those issues:

Code:

openssl (3.0.11-1~deb12u2) bookworm-security; urgency=medium

  * CVE-2023-5363 (Incorrect cipher key and IV length processing).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 23 Oct 2023 19:52:22 +0200

openssl (3.0.11-1~deb12u1) bookworm; urgency=medium

  * Import 3.0.11

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 26 Sep 2023 21:08:42 +0200

openssl (3.0.10-1~deb12u1) bookworm; urgency=medium

  * Import 3.0.10
   - CVE-2023-2975 (AES-SIV implementation ignores empty associated data
     entries) (Closes: #1041818).
   - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
     (Closes: #1041817).
   - CVE-2023-3817 (Excessive time spent checking DH q parameter value).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 26 Aug 2023 11:29:40 +0200

A program compiled against the openssl runtime shared library can use the features in the library libssl3 without having to use or depend on the actual openssl user interface program. That's really common in the Debian ecosystem; in fact it's Debian policy.
MXPI = MX Package Installer
QSI = Quick System Info from menu
The MX Test repository is mostly backports; not the same as Debian testing
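
Added example, not part of the original posts: a small shell script that maps each stanza of a Debian changelog to the CVE ids it mentions, so you can check which package revision carries a backported fix instead of judging by the upstream version number. The function names are made up for this example, and the sample input is the changelog excerpt quoted in post #2 with blank lines removed; on a live system the input would come from `apt changelog openssl`.

```shell
# Sample input: the changelog excerpt quoted in post #2 (blank lines removed).
sample_changelog() {
cat <<'EOF'
openssl (3.0.11-1~deb12u2) bookworm-security; urgency=medium
  * CVE-2023-5363 (Incorrect cipher key and IV length processing).
 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 23 Oct 2023 19:52:22 +0200
openssl (3.0.11-1~deb12u1) bookworm; urgency=medium
  * Import 3.0.11
 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 26 Sep 2023 21:08:42 +0200
openssl (3.0.10-1~deb12u1) bookworm; urgency=medium
  * Import 3.0.10
   - CVE-2023-2975 (AES-SIV implementation ignores empty associated data
     entries) (Closes: #1041818).
   - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
     (Closes: #1041817).
   - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 26 Aug 2023 11:29:40 +0200
EOF
}

# Read a Debian changelog on stdin; print "<version> <suite> <CVE>" per CVE id.
cves_by_version() {
  awk '
    # Stanza header: "package (version) suite; urgency=..."
    /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
      ver = $2; gsub(/[()]/, "", ver)
      suite = $3; sub(/;$/, "", suite)
      next
    }
    ver != "" {
      line = $0
      # A single line may mention more than one CVE id.
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        print ver, suite, substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
      }
    }'
}

# Print the version(s) whose stanza mentions CVE $1; non-zero exit if none does.
fixed_in() {
  cves_by_version | awk -v cve="$1" '$3 == cve { print $1; found = 1 } END { exit !found }'
}

sample_changelog | cves_by_version
```

`apt changelog openssl | fixed_in CVE-2023-5363` gives the same answer for the installed system; compare the result with the `Version:` line from `apt info openssl`.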

ghunter
Posts: 187
Joined: Mon May 29, 2023 12:40 am

Re: Request MX-23 openssl v 3.2.0

#3 Post by ghunter »

Aah, thanks for the explanation.
