Bug 39500 - Update to OpenSSL 1.0.2d-1
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
UCS 4.1
Other Linux
: P5 normal
: UCS 4.1
Assigned To: Philipp Hahn
Janek Walkenhorst
http://upstream.rosalinux.ru/versions...
: interim-2
Depends on:
Blocks: 39479
Reported: 2015-10-08 14:13 CEST by Stefan Gohmann
Modified: 2015-11-17 12:12 CET (History)

Description Stefan Gohmann univentionstaff 2015-10-08 14:13:08 CEST
See Bug #39479, we should upgrade to the latest OpenSSL from Debian stretch.

+++ This bug was initially created as a clone of Bug #39479 +++

We need to exclude non-trusted hosts from making an SSL connection to the memcached daemon.
stunnel provides the option "checkHost" for this, but this is only available in stunnel 5.18 in combination with OpenSSL 1.0.2 (both available in stretch).

+++ This bug was initially created as a clone of Bug #39399 +++
Comment 1 Philipp Hahn univentionstaff 2015-10-14 18:05:58 CEST
$ repo_admin.py -U -d stretch -p openssl -r 4.1-0-0
$ b41 openssl

Package: openssl
Version: 1.0.2d-1.104.201510141521
Branch: ucs_4.1-0

# X () { objdump -T /usr/lib/*-linux-gnu/$1.so.1.0.0|awk '$2=="g"{print $6,$7;}';}
# dpkg-query -W openssl libssl1.0.0
libssl1.0.0:amd64       1.0.1e-2.103.201508290009
openssl 1.0.1e-2.103.201508290009
# mkdir 1.0.1e-2.103.201508290009
# for f in libcrypto libssl; do X "$f" >"1.0.1e-2.103.201508290009/$f"; done

# univention-install openssl libssl1.0.0
# dpkg-query -W openssl libssl1.0.0
libssl1.0.0:amd64       1.0.2d-1.104.201510141521
openssl 1.0.2d-1.104.201510141521
# mkdir 1.0.2d-1.104.201510141521
# for f in libcrypto libssl; do X "$f" >"1.0.2d-1.104.201510141521/$f"; done

# diff -r 1.0.1e-2.103.201508290009 1.0.2d-1.104.201510141521 | grep ^\> | grep -v OPENSSL_1.0.2
no new symbols outside 1.0.2 - good
# diff -r 1.0.1e-2.103.201508290009 1.0.2d-1.104.201510141521 | grep ^\<
< OPENSSL_1.0.1 ENGINE_load_rsax
< OPENSSL_1.0.0 BIO_f_zlib
bad...

(In reply to Arvid Requate from Bug #39479 comment 1):
> Quoting https://www.openssl.org/policies/releasestrat.html:
OpenSSL-1.0.1 and 1.0.2 are *incompatible*, as those two symbols were removed. A program compiled against 1.0.1 might use those functions and will fail to be executed with 1.0.2, because the dynamic linker will no longer be able to resolve those two symbols.

I checked »ucs_4.[01]-0 ucs_4.0-0-*4.0-[0-3]« for any package using those symbols - none were found except those expected:
- ucs_4.0-0/amd64/openssl_1.0.1e-2.81.201411010645_amd64.deb
- ucs_4.0-0/amd64/libssl-dev_1.0.1e-2.81.201411010645_amd64.deb
- ucs_4.0-0/amd64/libssl1.0.0_1.0.1e-2.81.201411010645_amd64.deb
- ucs_4.0-0/i386/libssl-dev_1.0.1e-2.81.201411010645_i386.deb
- ucs_4.0-0/i386/libssl1.0.0_1.0.1e-2.81.201411010645_i386.deb
- ucs_4.0-0/i386/openssl_1.0.1e-2.81.201411010645_i386.deb
- ucs_4.1-0/amd64/libssl-dev_1.0.2d-1.104.201510141521_amd64.deb
- ucs_4.1-0/i386/libssl-dev_1.0.2d-1.104.201510141521_i386.deb
- ucs_4.0-0-errata4.0-0/amd64/openssl_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-errata4.0-0/amd64/libssl1.0.0_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-errata4.0-0/amd64/libssl-dev_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-errata4.0-0/i386/openssl_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-errata4.0-0/i386/libssl-dev_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-errata4.0-0/i386/libssl1.0.0_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-errata4.0-1/amd64/libssl-dev_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-errata4.0-1/amd64/openssl_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-errata4.0-1/amd64/libssl1.0.0_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-errata4.0-1/i386/openssl_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-errata4.0-1/i386/libssl-dev_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-errata4.0-1/i386/libssl1.0.0_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-errata4.0-3/amd64/libssl1.0.0_1.0.1e-2.103.201508290009_amd64.deb
- ucs_4.0-0-errata4.0-3/amd64/openssl_1.0.1e-2.103.201508290009_amd64.deb
- ucs_4.0-0-errata4.0-3/amd64/libssl-dev_1.0.1e-2.103.201508290009_amd64.deb
- ucs_4.0-0-errata4.0-3/i386/openssl_1.0.1e-2.103.201508290009_i386.deb
- ucs_4.0-0-errata4.0-3/i386/libssl-dev_1.0.1e-2.103.201508290009_i386.deb
- ucs_4.0-0-errata4.0-3/i386/libssl1.0.0_1.0.1e-2.103.201508290009_i386.deb
- ucs_4.0-0-ucs4.0-1/amd64/openssl_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-ucs4.0-1/amd64/libssl1.0.0_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-ucs4.0-1/amd64/libssl-dev_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-ucs4.0-1/i386/openssl_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-ucs4.0-1/i386/libssl-dev_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-ucs4.0-1/i386/libssl1.0.0_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-ucs4.0-2/amd64/libssl-dev_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-ucs4.0-2/amd64/openssl_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-ucs4.0-2/amd64/libssl1.0.0_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-ucs4.0-2/i386/openssl_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-ucs4.0-2/i386/libssl-dev_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-ucs4.0-2/i386/libssl1.0.0_1.0.1e-2.99.201503250939_i386.deb

Let's hope that none of those Apps has a binary using those symbols ...

r64492 | Bug #39500 CL 4.1-0: OpenSSL 1.0.2d
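The symbol comparison in the comment above (objdump -T, awk on the "g" flag, diff of the two listings) is the check that found BIO_f_zlib and ENGINE_load_rsax. Below is an added example, not code from this bug report or from Univention, that generalises it: it parses the text that `objdump -T` prints for an old and a new library, reports removed exports and new exports outside the expected version node, and then scans consumer binaries for imports of the removed symbols (the step the comment could only do by hand across the repositories). The `objdump -T` excerpts, the consumer name "app-daemon" and all addresses and sizes are constructed for the example; only the symbol names and version tags follow the comment.

```python
"""Detect removed exports between two shared-library builds and find the
binaries that still import them. Added example, not part of Bug #39500.

It parses the text of `objdump -T` (the dynamic symbol table) instead of
running objdump, so it works offline on the constructed samples below. On a
real system feed it the output of
    objdump -T /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
for the old and the new package, and `objdump -T <binary>` for every ELF
file that links against the library.
"""
import re

# Constructed `objdump -T` excerpts. Columns: address, flags, section, size,
# version tag, name. Flag "g" marks a global definition; section "*UND*"
# marks a symbol the file imports rather than defines. Addresses and sizes
# are made up; the symbol names and version tags follow comment 1.
OLD_LIBCRYPTO = """\
DYNAMIC SYMBOL TABLE:
00000000000a1230 g    DF .text  000000000000002b  OPENSSL_1.0.0 BIO_f_zlib
00000000000b4560 g    DF .text  0000000000000120  OPENSSL_1.0.1 ENGINE_load_rsax
00000000000c7890 g    DF .text  0000000000000340  OPENSSL_1.0.0 EVP_EncryptInit_ex
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memcpy
"""

NEW_LIBCRYPTO = """\
DYNAMIC SYMBOL TABLE:
00000000000c7890 g    DF .text  0000000000000340  OPENSSL_1.0.0 EVP_EncryptInit_ex
00000000000d0000 g    DF .text  0000000000000080  OPENSSL_1.0.2 X509_check_host
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memcpy
"""

# Hypothetical consumer (an App's daemon) that still imports the removed BIO.
APP_DAEMON = """\
DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.0 BIO_f_zlib
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.0 EVP_EncryptInit_ex
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 printf
"""

_HEX = re.compile(r"[0-9a-fA-F]+")


def parse_dynsym(text):
    """Yield (name, version, defined, is_global) for each symbol line of `objdump -T`."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not _HEX.fullmatch(parts[0]):
            continue  # header, blank line, or not a symbol entry
        # The section column is the first field that looks like ".text" or "*UND*";
        # the fixed-width flags field ("g    DF" / "     DF") splits into 1-2 tokens.
        sec_idx = next((i for i, p in enumerate(parts) if p[0] in ".*"), None)
        if sec_idx is None:
            continue
        flags = parts[1:sec_idx]            # e.g. ["g", "DF"] or ["DF"]
        rest = parts[sec_idx + 1:]          # size, optional version tag, name
        if len(rest) < 2:
            continue
        version = rest[1] if len(rest) >= 3 else None
        is_global = bool(flags) and flags[0].startswith("g")
        yield rest[-1], version, parts[sec_idx] != "*UND*", is_global


def exported(text):
    """Global defined symbols -> version tag (what the awk filter in comment 1 prints)."""
    return {n: v for n, v, defined, glob in parse_dynsym(text) if defined and glob}


def imported(text):
    """Symbols a binary needs from its shared libraries."""
    return {n for n, _v, defined, _g in parse_dynsym(text) if not defined}


def removed_exports(old_text, new_text):
    """Exports present in the old build but gone from the new one: the ABI break."""
    old, new = exported(old_text), exported(new_text)
    return {n: v for n, v in old.items() if n not in new}


def added_exports_outside(old_text, new_text, allowed_version):
    """New exports that do not carry the expected version tag; should be empty."""
    old, new = exported(old_text), exported(new_text)
    return {n: v for n, v in new.items() if n not in old and v != allowed_version}


def broken_consumers(consumers, removed):
    """Map consumer name -> sorted removed symbols it still imports."""
    hits = {}
    for name, text in consumers.items():
        used = sorted(imported(text) & set(removed))
        if used:
            hits[name] = used
    return hits


if __name__ == "__main__":
    removed = removed_exports(OLD_LIBCRYPTO, NEW_LIBCRYPTO)
    for sym, ver in sorted(removed.items()):
        print("removed:", ver, sym)
    outside = added_exports_outside(OLD_LIBCRYPTO, NEW_LIBCRYPTO, "OPENSSL_1.0.2")
    print("new symbols outside OPENSSL_1.0.2:", outside or "none")
    for binary, syms in broken_consumers({"app-daemon": APP_DAEMON}, removed).items():
        print("%s still imports: %s" % (binary, ", ".join(syms)))
```

A static scan like this is the reliable check: with default lazy binding a missing function symbol is only resolved on first call, so an affected binary can start fine and die later with "symbol lookup error: undefined symbol: BIO_f_zlib"; only with BIND_NOW (`-z now`) does the failure surface at load time. Run it over every ELF file extracted from the App packages, not only the packages in the UCS repositories.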
Comment 2 Stefan Gohmann univentionstaff 2015-10-20 17:06:11 CEST
The test case /usr/share/ucs-test/23_apache/20_ssl-protocols fails with the new SSL package. After downgrading openssl and libssl1.0.0 to 1.0.1e-2.99.201503250939, the test case succeeds.
Comment 3 Philipp Hahn univentionstaff 2015-10-20 17:29:15 CEST
(In reply to Stefan Gohmann from comment #2)
> The test case /usr/share/ucs-test/23_apache/20_ssl-protocols fails with the
> new SSL package. After downgrading openssl and libssl1.0.0 to
> 1.0.1e-2.99.201503250939, the test case succeeds.

openssl (1.0.1j-1): Disables SSLv3 because of CVE-2014-3566
Comment 4 Philipp Hahn univentionstaff 2015-10-20 17:50:47 CEST
r64637 | Bug #39500 apache: Disable SSLv3

Package: ucs-test
Version: 6.0.10-3.1272.201510201749
Branch: ucs_4.1-0
Comment 5 Janek Walkenhorst univentionstaff 2015-11-04 18:17:22 CET
Tests: OK
Changelog: OK (Typo fixed)
Comment 6 Stefan Gohmann univentionstaff 2015-11-17 12:12:44 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".