• Bug#1106738: unblock: openssl/3.5.0-2

    From Sebastian Andrzej Siewior@21:1/5 to All on Wed May 28 23:40:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Control: affects -1 + src:openssl
    X-Debbugs-Cc: openssl@packages.debian.org
    User: release.debian.org@packages.debian.org
    Usertags: unblock
    X-Debbugs-Cc: sebastian@breakpoint.cc
    Severity: normal

    Please unblock package openssl

    The -2 release fixes two bugs:
    - CVE-2025-4575
    Minor (severity low) affecting only the "-addreject" option of the
    "openssl x509" command. Only the 3.5 version is affected by this.
    Since it is a CVE with an advisory I decided to include it.

    - Illegal instruction on ppc64el
    Some of the optimized functionality on ppc64el unconditionally uses
    instructions which are only supported on POWER9+. Debian supports
    POWER8 as the minimum CPU base so this counts as a regression on a
    release architecture.
    It affects the P-384 EC algorithm, which can affect, for instance, ssh or
    https connections if the curve is used.
    The algorithm is covered by the test suite but the buildds (and the
    porterbox) are POWER9 so it went undetected so far.

    Both patches have been cherry-picked from the 3.5 branch.

    The "openssl x509" changes look simple and they extend the current
    test suite.
    The ppc64el related changes were tested by the reporter.

    unblock openssl/3.5.0-2

    Sebastian

    diff -Nru openssl-3.5.0/debian/changelog openssl-3.5.0/debian/changelog
    --- openssl-3.5.0/debian/changelog 2025-04-08 21:15:30.000000000 +0200
    +++ openssl-3.5.0/debian/changelog 2025-05-28 22:13:00.000000000 +0200
    @@ -1,3 +1,11 @@
    +openssl (3.5.0-2) unstable; urgency=medium
    +
    + * Fix P-384 curve on lower-than-P9 PPC64 targets Closes: #1106516).
    + * CVE-2025-4575 ("The x509 application adds trusted use instead of
    + rejected use") (Closes: #1106322).
    +
    + -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Wed, 28 May 2025 22:13:00 +0200
    +
    openssl (3.5.0-1) unstable; urgency=medium

    * Import 3.5.0
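Review bot: the first new changelog entry, `* Fix P-384 curve on lower-than-P9 PPC64 targets Closes: #1106516).`, is missing the opening parenthesis before `Closes:`; write it as `(Closes: #1106516)` so it matches the form of the CVE entry below it and the usual Debian changelog style.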
    diff -Nru openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch
    --- openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch 1970-01-01 01:00:00.000000000 +0100
    +++ openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch 2025-05-28 22:10:17.000000000 +0200
    @@
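The CVE entry above describes a fix in the "openssl x509" application where "-addreject" recorded a trusted use instead of a rejected use. A practitioner who produced trust-anchor files with the affected build will want to verify what those files actually contain. The following Python is an added example, not code from this bug report, from Debian or from OpenSSL: it parses the X509_CERT_AUX structure that OpenSSL appends after the certificate in a "TRUSTED CERTIFICATE" PEM block (trust as a SEQUENCE OF OBJECT, reject as [0] IMPLICIT SEQUENCE OF OBJECT, alias as UTF8String) and reports any purpose that was meant to be rejected but ended up in the trust list. The sample blobs are constructed here with a dummy SEQUENCE standing in for a real Certificate; the "bad" sample models the behaviour the advisory describes and is not output captured from an affected build. Helper names (`parse_trusted_certificate`, `misplaced_rejects`, `build_sample`) are this example's own.

```python
import base64
import re

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, the "serverAuth" trust purpose


def _read_tlv(buf, pos):
    """Parse one DER TLV (single-byte tag) at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def _oid_list(seq_value):
    """Decode the contents of a SEQUENCE OF OBJECT IDENTIFIER."""
    oids, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER in trust/reject list")
        oids.append(_decode_oid(val))
    return oids


def parse_trusted_certificate(der):
    """Split a TRUSTED CERTIFICATE blob into Certificate + X509_CERT_AUX and decode the aux part."""
    tag, _cert, pos = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("blob does not start with a Certificate SEQUENCE")
    info = {"trusted": [], "rejected": [], "alias": None}
    if pos == len(der):                    # plain certificate, no aux trailer
        return info
    tag, aux, end = _read_tlv(der, pos)
    if tag != 0x30 or end != len(der):
        raise ValueError("malformed X509_CERT_AUX trailer")
    p = 0
    while p < len(aux):
        tag, val, p = _read_tlv(aux, p)
        if tag == 0x30:                    # trust: SEQUENCE OF OBJECT
            info["trusted"] = _oid_list(val)
        elif tag == 0xA0:                  # reject: [0] IMPLICIT SEQUENCE OF OBJECT
            info["rejected"] = _oid_list(val)
        elif tag == 0x0C:                  # alias: UTF8String
            info["alias"] = val.decode("utf-8")
        # keyid (OCTET STRING) and other ([1]) are not needed for this check
    return info


def misplaced_rejects(der, expected_rejects):
    """Return the purposes from expected_rejects that were recorded as *trusted* instead."""
    info = parse_trusted_certificate(der)
    return [oid for oid in expected_rejects if oid in info["trusted"]]


def pem_to_der(pem_text):
    """Extract and base64-decode a TRUSTED CERTIFICATE PEM block."""
    m = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)-----END TRUSTED CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no TRUSTED CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    """Wrap a blob as a TRUSTED CERTIFICATE PEM block (used for the round-trip sample)."""
    return ("-----BEGIN TRUSTED CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END TRUSTED CERTIFICATE-----\n")


# --- constructed sample data (minimal DER encoder, short-form lengths only) ---
def _tlv(tag, value):
    if len(value) >= 128:
        raise ValueError("sample encoder only handles short-form lengths")
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


def build_sample(trust, reject):
    """Constructed stand-in: dummy SEQUENCE in place of a Certificate, then X509_CERT_AUX."""
    fake_cert = _tlv(0x30, _tlv(0x02, b"\x01"))
    aux = b""
    if trust:
        aux += _tlv(0x30, b"".join(_encode_oid(o) for o in trust))
    if reject:
        aux += _tlv(0xA0, b"".join(_encode_oid(o) for o in reject))
    return fake_cert + _tlv(0x30, aux)


# What "-addreject serverAuth -trustout" should produce, and the swapped form the advisory describes.
GOOD = build_sample(trust=[], reject=[SERVER_AUTH])
BAD = build_sample(trust=[SERVER_AUTH], reject=[])

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, parse_trusted_certificate(blob),
              "misplaced:", misplaced_rejects(blob, [SERVER_AUTH]))
```

To audit real files, feed `pem_to_der(open(path).read())` into `misplaced_rejects` together with the purposes you passed to "-addreject"; any OID returned marks a trust-anchor file that grants the purpose it was supposed to deny and should be regenerated with the fixed build.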