Univention Bugzilla – Bug 39500
Update to OpenSSL 1.0.2d-1
Last modified: 2015-11-17 12:12:44 CET
See Bug #39479, we should upgrade to the latest OpenSSL from Debian stretch.

+++ This bug was initially created as a clone of Bug #39479 +++

We need to exclude non-trusted hosts from making an SSL connection to the memcached daemon. stunnel provides the option "checkHost" for this, but this is only available in stunnel 5.18 in combination with OpenSSL 1.0.2 (both available in stretch).

+++ This bug was initially created as a clone of Bug #39399 +++

$ repo_admin.py -U -d stretch -p openssl -r 4.1-0-0
$ b41 openssl

Package: openssl
Version: 1.0.2d-1.104.201510141521
Branch: ucs_4.1-0

# X () { objdump -T /usr/lib/*-linux-gnu/$1.so.1.0.0|awk '$2=="g"{print $6,$7;}';}
# dpkg-query -W openssl libssl1.0.0
libssl1.0.0:amd64 1.0.1e-2.103.201508290009
openssl 1.0.1e-2.103.201508290009
# mkdir 1.0.1e-2.103.201508290009
# for f in libcrypto libssl; do X "$f" >"1.0.1e-2.103.201508290009/$f"; done
# univention-install openssl libssl1.0.0
# dpkg-query -W openssl libssl1.0.0
libssl1.0.0:amd64 1.0.2d-1.104.201510141521
openssl 1.0.2d-1.104.201510141521
# mkdir 1.0.2d-1.104.201510141521
# for f in libcrypto libssl; do X "$f" >"1.0.2d-1.104.201510141521/$f"; done
# diff -r 1.0.1e-2.103.201508290009 1.0.2d-1.104.201510141521 | grep ^\> | grep -v OPENSSL_1.0.2
no new symbols outside 1.0.2 - good
# diff -r 1.0.1e-2.103.201508290009 1.0.2d-1.104.201510141521 | grep ^\<
< OPENSSL_1.0.1 ENGINE_load_rsax
< OPENSSL_1.0.0 BIO_f_zlib
bad...

(In reply to Arvid Requate from Bug #39479 comment 1):
> Quoting https://www.openssl.org/policies/releasestrat.html:

OpenSSL-1.0.1 and 1.0.2 are *incompatible*, as those two symbols were removed. A program compiled against 1.0.1 might use those functions and will fail to be executed with 1.0.2, because the dynamic linker will no longer be able to resolve those two symbols.

I checked »ucs_4.[01]-0 ucs_4.0-0-*4.0-[0-3]« for any package using those symbols - none were found except those expected:
- ucs_4.0-0/amd64/openssl_1.0.1e-2.81.201411010645_amd64.deb
- ucs_4.0-0/amd64/libssl-dev_1.0.1e-2.81.201411010645_amd64.deb
- ucs_4.0-0/amd64/libssl1.0.0_1.0.1e-2.81.201411010645_amd64.deb
- ucs_4.0-0/i386/libssl-dev_1.0.1e-2.81.201411010645_i386.deb
- ucs_4.0-0/i386/libssl1.0.0_1.0.1e-2.81.201411010645_i386.deb
- ucs_4.0-0/i386/openssl_1.0.1e-2.81.201411010645_i386.deb
- ucs_4.1-0/amd64/libssl-dev_1.0.2d-1.104.201510141521_amd64.deb
- ucs_4.1-0/i386/libssl-dev_1.0.2d-1.104.201510141521_i386.deb
- ucs_4.0-0-errata4.0-0/amd64/openssl_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-errata4.0-0/amd64/libssl1.0.0_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-errata4.0-0/amd64/libssl-dev_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-errata4.0-0/i386/openssl_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-errata4.0-0/i386/libssl-dev_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-errata4.0-0/i386/libssl1.0.0_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-errata4.0-1/amd64/libssl-dev_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-errata4.0-1/amd64/openssl_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-errata4.0-1/amd64/libssl1.0.0_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-errata4.0-1/i386/openssl_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-errata4.0-1/i386/libssl-dev_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-errata4.0-1/i386/libssl1.0.0_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-errata4.0-3/amd64/libssl1.0.0_1.0.1e-2.103.201508290009_amd64.deb
- ucs_4.0-0-errata4.0-3/amd64/openssl_1.0.1e-2.103.201508290009_amd64.deb
- ucs_4.0-0-errata4.0-3/amd64/libssl-dev_1.0.1e-2.103.201508290009_amd64.deb
- ucs_4.0-0-errata4.0-3/i386/openssl_1.0.1e-2.103.201508290009_i386.deb
- ucs_4.0-0-errata4.0-3/i386/libssl-dev_1.0.1e-2.103.201508290009_i386.deb
- ucs_4.0-0-errata4.0-3/i386/libssl1.0.0_1.0.1e-2.103.201508290009_i386.deb
- ucs_4.0-0-ucs4.0-1/amd64/openssl_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-ucs4.0-1/amd64/libssl1.0.0_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-ucs4.0-1/amd64/libssl-dev_1.0.1e-2.85.201501120731_amd64.deb
- ucs_4.0-0-ucs4.0-1/i386/openssl_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-ucs4.0-1/i386/libssl-dev_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-ucs4.0-1/i386/libssl1.0.0_1.0.1e-2.85.201501120731_i386.deb
- ucs_4.0-0-ucs4.0-2/amd64/libssl-dev_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-ucs4.0-2/amd64/openssl_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-ucs4.0-2/amd64/libssl1.0.0_1.0.1e-2.99.201503250939_amd64.deb
- ucs_4.0-0-ucs4.0-2/i386/openssl_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-ucs4.0-2/i386/libssl-dev_1.0.1e-2.99.201503250939_i386.deb
- ucs_4.0-0-ucs4.0-2/i386/libssl1.0.0_1.0.1e-2.99.201503250939_i386.deb

Let's hope that none of those Apps has a binary using those symbols ...

r64492 | Bug #39500 CL 4.1-0: OpenSSL 1.0.2d

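
The comment above reports the result of the package check but not the commands used. One way to run such a check, as an added example that is not part of the original thread: flag only binaries that import a removed symbol (section `*UND*` in `objdump -T`), so that libraries which merely export it are not counted. The helper names `imports_removed`, `scan_deb` and `sample_dynsyms` are hypothetical, and the sample `objdump -T` lines are constructed.

```shell
#!/bin/sh
# Symbols the page reports as removed between 1.0.1e and 1.0.2d.
REMOVED_SYMBOLS="ENGINE_load_rsax BIO_f_zlib"

# imports_removed (hypothetical helper): read `objdump -T` output on stdin and
# print each removed symbol the binary imports. "*UND*" marks a symbol that
# the dynamic linker must resolve from another library at load time.
imports_removed() {
    awk -v removed="$REMOVED_SYMBOLS" '
        BEGIN { n = split(removed, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        {
            und = 0
            for (i = 1; i < NF; i++) if ($i == "*UND*") und = 1
            if (und && ($NF in want)) print $NF
        }' | sort -u
}

# scan_deb (hypothetical helper): unpack one .deb and list every file in it
# that imports a removed symbol. Needs dpkg-deb and objdump on the host.
scan_deb() {
    deb=$1
    tmp=$(mktemp -d) || return 2
    dpkg-deb -x "$deb" "$tmp" || { rm -rf "$tmp"; return 2; }
    find "$tmp" -type f | while IFS= read -r f; do
        hits=$(objdump -T "$f" 2>/dev/null | imports_removed | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s: %s: %s\n' "$deb" "${f#"$tmp"/}" "$hits"
        fi
    done
    rm -rf "$tmp"
}

# Constructed `objdump -T` excerpt for a hypothetical binary built against 1.0.1e.
sample_dynsyms() {
    cat <<'EOF'
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.0 SSL_new
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.1 ENGINE_load_rsax
0000000000000000  w   D  *UND*  0000000000000000              __gmon_start__
0000000000001139 g    DF .text  000000000000002a  Base        zlib_bio_wrapper
EOF
}

# No arguments: run on the constructed sample. Otherwise scan the given .deb files.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do scan_deb "$d"; done
else
    sample_dynsyms | imports_removed
fi
```

Static archives (`.a` files in libssl-dev) have no dynamic symbol table, so `objdump -T` reports nothing for them and they need a separate `nm`-based check.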
The test case /usr/share/ucs-test/23_apache/20_ssl-protocols fails with the new SSL package. After downgrading openssl and libssl1.0.0 to 1.0.1e-2.99.201503250939, the test case succeeds.

(In reply to Stefan Gohmann from comment #2)
> The test case /usr/share/ucs-test/23_apache/20_ssl-protocols fails with the
> new SSL package. After downgrading openssl and libssl1.0.0 to
> 1.0.1e-2.99.201503250939, the test case succeeds.

openssl (1.0.1j-1): Disables SSLv3 because of CVE-2014-3566

r64637 | Bug #39500 apache: Disable SSLv3

Package: ucs-test
Version: 6.0.10-3.1272.201510201749
Branch: ucs_4.1-0

Tests: OK
Changelog: OK (Typo fixed)

UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".