[Bug 2066990] Re: openssl fails with out of memory messages while trying to load the FIPS provider in a non-FIPS container on a FIPS host

Adrien Nader 2066990 at bugs.launchpad.net
Wed Mar 19 13:54:09 UTC 2025 

There isn't a plan completely laid out for backporting this. It can be
done but as you can see here, it's a very minimal change and it barely
passes the criteria for backporting. This means it absolutely must be
staged so that it's picked up by a subsequent security update rather
than being a standalone update (openssl is installed everywhere so
changing the package affects everybody, it's high-impact).

With that said, it's also a change that sits in a weird spot: once
you've understood the issue, then you probably don't need the warning
anymore and search engines should help find it now. Can you explain your
need a bit so I can better gauge the need? Did you encounter the issue
or are you rather trying to make sure you don't?

BTW, with plucky being released soon, you'll start seeing the effect of
the change if the container you run is on plucky.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2066990

Title:
  openssl fails with out of memory messages while trying to load the
  FIPS provider in a non-FIPS container on a FIPS host

Status in ca-certificates package in Ubuntu:
  Invalid
Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  I wanted to try the new Ubuntu 24.04 Noble Numbat based .NET docker
  image and updated the base docker image in our CI pipeline to
  mcr.microsoft.com/dotnet/sdk:8.0-noble. However, it results in an out-
  of-memory exception. Based on my investigation, the exception occurs
  specifically when the update-ca-certificates command is executed. I
  can also repro the issue with ubuntu:noble image which means it's not
  specific to .NET docker images. It works fine with Jammy, by the way.
  The problem likely lies with the Noble base image rather than the .NET
  image. I'm not sure what changes were made between Jammy and Noble,
  but it appears that updating certificates consumes a lot of memory in
  Noble. I adjusted some memory settings in our GitLab runner, but it
  didn't resolve the issue. I attached all Gitlab Runner shell logs for
  .NET 8 Jammy, .NET 8 Noble and Ubuntu Noble images.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/2066990/+subscriptions

More information about the foundations-bugs mailing list