XPost: linux.debian.devel.release
Package: release.debian.org
Control: affects -1 + src:openssl
X-Debbugs-Cc: openssl@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sebastian@breakpoint.cc
Severity: normal

Please unblock package openssl

The -2 release fixes two bugs:

- CVE-2025-4575
  Minor (severity low) affecting only the "-addreject" option of the
  "openssl x509" command. Only the 3.5 version is affected by this.
  Since it is a CVE with an advisory I decided to include it.

- Illegal instruction on ppc64el
  Some of the optimized functionality on ppc64el unconditionally uses
  instructions which are only supported on POWER9+. Debian supports
  POWER8 as the minimum CPU base so this counts as a regression on a
  release architecture.
  It affects the P-384 EC algorithm which can affect for instance ssh or
  https connections if the curve is used.
  The algorithm is covered by the test suite but the buildds (and the
  porterbox) are POWER9 so it went undetected so far.

Both patches have been cherry-picked from the 3.5 branch.
The "openssl x509" changes look simple and they extend the current
test suite.
The ppc64el related changes were tested by the reporter.

unblock openssl/3.5.0-2

Sebastian

diff -Nru openssl-3.5.0/debian/changelog openssl-3.5.0/debian/changelog
--- openssl-3.5.0/debian/changelog 2025-04-08 21:15:30.000000000 +0200
+++ openssl-3.5.0/debian/changelog 2025-05-28 22:13:00.000000000 +0200
@@ -1,3 +1,11 @@
+openssl (3.5.0-2) unstable; urgency=medium
+
+ * Fix P-384 curve on lower-than-P9 PPC64 targets Closes: #1106516).
+ * CVE-2025-4575 ("The x509 application adds trusted use instead of
+ rejected use") (Closes: #1106322).
+
+ -- Sebastian Andrzej Siewior <
sebastian@breakpoint.cc> Wed, 28 May 2025 22:13:00 +0200
+
openssl (3.5.0-1) unstable; urgency=medium
* Import 3.5.0
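
Review bot: The first new changelog bullet has an unbalanced parenthesis: "Closes: #1106516)." is missing the opening "(" that the CVE-2025-4575 bullet uses in "(Closes: #1106322)". Suggest writing it as "(Closes: #1106516)." so both entries follow the same form.
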
diff -Nru openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch
--- openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch 2025-05-28 22:10:17.000000000 +0200
@@