[Bug 1979639] Re: openssl 3.0.3-7 needs port from sid to jammy
Launchpad Bug Tracker
1979639 at bugs.launchpad.net
Fri Jul 1 17:29:53 UTC 2022
This bug was fixed in the package openssl - 3.0.4-1ubuntu1
---------------
openssl (3.0.4-1ubuntu1) kinetic; urgency=medium
* Merge from Debian unstable (LP: #1979639). Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- d/libssl3.postinst: Revert Debian deletion
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Import libraries/restart-without-asking template as used by above.
- Add support for building with noudeb build profile.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Use perl:native in the autopkgtest for installability on i386.
- d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the
testsuite
- d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it
on Ubuntu to make it easier for user to change security level
* Dropped changes, merged upstream:
- Add some more string comparison fixes
- d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to
trigger the underlying bug
- d/p/lp1978093/*: renew some expiring test certificates
* d/p/fix-avx512-overflow.patch: Cherry-picked from upstream to fix a 3.0.4
regression on AVX-512 capable CPUs.
openssl (3.0.4-1) unstable; urgency=medium
* Import 3.0.3
- CVE-2022-2068 (The c_rehash script allows command injection)
openssl (3.0.3-8) unstable; urgency=medium
* Update to openssl-3.0 head.
* Avoid reusing the init_lock for a different purpose (Closes: #1011339).
openssl (3.0.3-7) unstable; urgency=medium
* Remove the provider section from the provided openssl.cnf
(Closes: #1011051).
openssl (3.0.3-6) unstable; urgency=medium
* Update to openssl-3.0 head which fixes the expired certs in the
testsuite.
-- Simon Chopin <schopin at ubuntu.com> Thu, 23 Jun 2022 12:43:23 +0200
** Changed in: openssl (Ubuntu Kinetic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2068
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1979639
Title:
openssl 3.0.3-7 needs port from sid to jammy
Status in nodejs package in Ubuntu:
Confirmed
Status in openssl package in Ubuntu:
Fix Released
Status in nodejs source package in Jammy:
Confirmed
Status in openssl source package in Jammy:
Confirmed
Status in nodejs source package in Kinetic:
Confirmed
Status in openssl source package in Kinetic:
Fix Released
Bug description:
~ $ lsb-release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
https://launchpad.net/debian/+source/openssl/3.0.3-7 includes a single change, https://sources.debian.org/src/openssl/3.0.3-8/debian/patches/Remove-the-provider-section.patch/
That patch solves a problem with programs that use OpenSSL v1
(statically or dynamically linked); these still read
/etc/ssl/openssl.cnf, but the v3-specific sections in the sid/jammy
default config may cause a failure.
One example: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011051
Another example: a (non-Ubuntu) Node.js v16 (OpenSSL compiled statically) hits an error in its crypto lib:
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
Uncaught:
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
at Sign.sign (node:internal/crypto/sig:131:29) {
opensslErrorStack: [
'error:0E076071:configuration file routines:module_run:unknown module name',
'error:0E07506E:configuration file routines:module_load_dso:error loading dso',
'error:25070067:DSO support routines:DSO_load:could not load the shared library'
],
library: 'DSO support routines',
function: 'dlfcn_load',
reason: 'could not load the shared library',
code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
Removing the relevant provider section lines (the Debian patch doesn't apply cleanly, hence the use of sed) fixes it:
~ $ sed -i '/_sect\b/s/^/# /' /etc/ssl/openssl.cnf
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
<Buffer c5 e7 ba 01 5a 33 3f 26 43 bb 4e 47 99 49 e4 c7 60 41 be c6 91 63 c6 5d 0a af 78 5c 15 4a 9f 1a e7 24 99 ce 6a f0 05 b5 48 96 4e 59 b8 d5 69 df 3c bc ... 206 more bytes>
I realize there is no libssl1.1 on jammy, but a statically linked OpenSSL is not uncommon (Node.js being a very prominent example).
Would it be possible to get this Debian sid change ported to jammy?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1979639/+subscriptions
More information about the foundations-bugs
mailing list