sometimes changelog entries miss the author

Asked by Seth Arnold

Hello, Launchpad very helpfully shows changelogs for packages to save downloading and unpacking a package just to read the changelog. Sometimes it doesn't print who actually made the changelog entry.

A recent example is openssl version 3.0.9-1ubuntu1: the uploader isn't visible on the "all entries" page:

https://launchpad.net/ubuntu/+source/openssl/+changelog

And it isn't visible on the page for the specific version:

https://launchpad.net/ubuntu/+source/openssl/3.0.9-1ubuntu1

This last page instead shows information for multiple releases, in what feels like it might be a bug.

Thanks

openssl (3.0.9-1ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile.
      + Use perl:native in the autopkgtest for installability on i386.

openssl (3.0.9-1) unstable; urgency=medium

  * Import 3.0.7
   - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
     Constraints) (Closes: #1034720).
   - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
     silently ignored).
   - CVE-2023-0466 (Certificate policy check not enabled).
   - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
   - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
   - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).
   - Add new symbol.

openssl (3.0.8-1ubuntu3) mantic; urgency=medium

  * SECURITY UPDATE: DoS in AES-XTS cipher decryption
    - debian/patches/CVE-2023-1255.patch: avoid buffer overrread in
      crypto/aes/asm/aesv8-armx.pl.
    - CVE-2023-1255
  * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers
    - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT
      IDENTIFIERs that OBJ_obj2txt will translate in
      crypto/objects/obj_dat.c.
    - CVE-2023-2650
  * Replace CVE-2022-4304 fix with improved version
    - debian/patches/revert-CVE-2022-4304.patch: remove previous fix.
    - debian/patches/CVE-2022-4304.patch: use alternative fix in
      crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c,
      crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c.

openssl (3.0.8-1ubuntu2) mantic; urgency=medium

  * Manual reupload from lunar-security to mantic-proposed pocket, due to
    LP failing to copy it

openssl (3.0.8-1ubuntu1.1) lunar-security; urgency=medium

  * SECURITY UPDATE: excessive resource use when verifying policy constraints
    - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
      in a policy tree (the default limit is set to 1000 nodes).
    - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
      resource overuse.
    - debian/patches/CVE-2023-0464-3.patch: disable the policy tree
      exponential growth test conditionally.
    - CVE-2023-0464
  * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
    - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
      is checked even in leaf certs.
    - debian/patches/CVE-2023-0465-2.patch: generate some certificates with
      the certificatePolicies extension.
    - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
    - CVE-2023-0466
  * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
    not enabled as documented
    - debian/patches/CVE-2023-0466.patch: fix documentation of
      X509_VERIFY_PARAM_add0_policy().
    - CVE-2023-0466

 -- Gianfranco Costamagna <email address hidden> Mon, 12 Jun 2023 11:19:44 +0200

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: Seth Arnold
Jürgen Gmach (jugmac00) said :
#2

Hi Seth,

Could you please create two separate bug reports?

a) for the missing uploader info (we have a suspicion this is a result of packages synced from Debian vs packages directly uploaded from Launchpad)

b) for the excess info shown on the page for a single package version

Thank you!

Seth Arnold (seth-arnold) said :
#3