[Bug 2067672] Re: [SRU] Openssl copyright/changelog.Debian.gz file points at non-existent location
Launchpad Bug Tracker
2067672 at bugs.launchpad.net
Fri Jul 12 09:07:12 UTC 2024
This bug was fixed in the package openssl - 3.2.2-1ubuntu1
---------------
openssl (3.2.2-1ubuntu1) oracular; urgency=medium

  * Merge 3.2.2-1 from Debian unstable
    - Remaining changes:
      + Symlink changelog.Debian.gz and copyright.gz from libssl-dev and
        openssl to the ones in libssl3t64
      + Use perl:native in the autopkgtest for installability on i386.
      + Disable LTO with which the codebase is generally incompatible
        (LP: #2058017)
      + Add fips-mode detection and adjust defaults when running in fips mode
  * The changelog.gz symlink was broken (LP: #1297025)
  * The copyright symlink was broken (LP: #2067672)
  * Default configuration includes two paths:
    - /var/lib/crypto-config/profiles/current/openssl.conf.d
    - /etc/ssl/openssl.conf.d
    First one is to read configuration through the crypto-config framework.
    Second one is for customization by sysadmin.

openssl (3.2.2-1) unstable; urgency=medium

  * Import 3.2.2
    - CVE-2024-2511 (Unbounded memory growth with session handling in
      TLSv1.3). (Closes: #1068658).
    - CVE-2024-4603 (Excessive time spent checking DSA keys and parameters)
      (Closes: #1071972).
    - CVE-2024-4741 (Use After Free with SSL_free_buffers)
      (Closes: #1072113).

 -- Adrien Nader <adrien.nader at canonical.com>  Mon, 01 Jul 2024 17:04:32 +0200
** Changed in: openssl (Ubuntu Oracular)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-2511
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4603
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4741
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2067672
Title:
[SRU] Openssl copyright/changelog.Debian.gz file points at non-existent location
Status in OEM Priority Project:
Triaged
Status in openssl package in Ubuntu:
Fix Released
Status in openssl source package in Noble:
In Progress
Status in openssl source package in Oracular:
Fix Released
Bug description:
[ Impact ]
Due to the t64 transition, the changelog.Debian.gz and copyright
symlinks in various binary packages built from openssl source are
dangling symlinks, because /usr/share/doc/libssl3 no longer exists.
This gives users an error when trying to look at these files, and is
an impediment to inspecting the copyright status of the packages in an
installed system.
[ Test Plan ]
* List the openssl or libssl-dev to check if the symbolic link is valid.
$ l -thal /usr/share/doc/libssl-dev/
$ l -thal /usr/share/doc/openssl/
$ file /usr/share/doc/libssl-dev/copyright
$ file /usr/share/doc/openssl/copyright
[ Where problems could occur ]
* It didn't affect any functions; just the symbolic links are missing.
[ Other Info ]
Currently it links to the old version libssl3; currently libssl3 is purely virtual.
$ l -thal /usr/share/doc/openssl-dev/
lrwxrwxrwx 1 root root 30 May 14 17:06 changelog.Debian.gz -> ../libssl3/changelog.Debian.gz
lrwxrwxrwx 1 root root 23 May 14 17:06 changelog.gz -> ../libssl3/changelog.gz
lrwxrwxrwx 1 root root 20 May 14 17:06 copyright -> ../libssl3/copyright
$ l -thal /usr/share/doc/libssl-dev/
total 84K
drwxr-xr-x 2 root root 4.0K May 23 16:08 ./
drwxr-xr-x 2180 root root 76K May 16 20:13 ../
lrwxrwxrwx 1 root root 30 May 14 17:06 changelog.Debian.gz -> ../libssl3/changelog.Debian.gz
lrwxrwxrwx 1 root root 23 May 14 17:06 changelog.gz -> ../libssl3/changelog.gz
lrwxrwxrwx 1 root root 20 May 14 17:06 copyright -> ../libssl3/copyright
To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/2067672/+subscriptions
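
The check from the test plan, generalized as an added example (not part of the bug report or of the openssl packaging): a POSIX shell function that reports every dangling symlink in the given package doc directories. The function names and the temporary fixture tree are constructed for illustration; on an installed system the root would be /usr/share/doc.

```shell
#!/bin/sh
# check_doc_links ROOT PKG...
# Prints one line per broken link; returns 0 if all links resolve, 1 otherwise.
check_doc_links() {
    root=$1; shift
    rc=0
    for pkg in "$@"; do
        dir="$root/$pkg"
        if [ ! -d "$dir" ]; then
            echo "MISSING-DIR $dir"
            rc=1
            continue
        fi
        for f in "$dir"/*; do
            # -L: entry is a symlink; ! -e: its target does not resolve
            if [ -L "$f" ] && [ ! -e "$f" ]; then
                echo "DANGLING $f -> $(readlink "$f")"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed fixture (not real package contents): libssl3t64 owns the real
# file, openssl still links to the vanished libssl3 directory (the bug),
# libssl-dev links to libssl3t64 (the fixed layout).
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/libssl3t64" "$t/openssl" "$t/libssl-dev"
    echo "constructed sample" > "$t/libssl3t64/copyright"
    ln -s ../libssl3/copyright "$t/openssl/copyright"
    ln -s ../libssl3t64/copyright "$t/libssl-dev/copyright"
    echo "$t"
}

# Demo run on the constructed tree.
demo_root=$(make_fixture)
check_doc_links "$demo_root" openssl libssl-dev || echo "broken links found"
rm -rf "$demo_root"
```

On a real system: check_doc_links /usr/share/doc openssl libssl-dev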