Univention Bugzilla – Bug 40688
UCS 3.3 OpenSSL update
Last modified: 2016-06-07 21:35:50 CEST
OpenSSL should be updated to 1.0.1e (Debian Wheezy) in UCS 3.3.

Of the packages found with

    grep-dctrl -n -e -F Build-Depends -s Package "(openssl|libssl)" \
      mirror/ftp/3.2/unmaintained/3.2-*/source/Sources | sort | uniq

these are maintained in UCS 3.2-x:
* apache2
* bind9
* clamav
* curl
* cyrus-imapd-2.2
* cyrus-imapd-2.4
* cyrus-sasl2
* fetchmail
* freeradius
* krb5
* ntp
* openldap
* openssh
* openvpn
* php5
* postgresql-8.4
* proftpd-dfsg
* pyopenssl
* python2.6
* ruby1.8
* shim
* spamassassin
* squid3
* univention-directory-listener
* univention-directory-notifier
* wget
* xen-4.1

And these are unmaintained in UCS 3.2-x:
* asterisk
* ejabberd
* iscsitarget
* lighttpd
* links2
* net-snmp
* puppet
* ruby1.9.1
* strongswan
* stunnel4
* tinc
* virtualbox
* xml-security-c

Most dependent packages have been rebuilt; three of the unmaintained ones are still refusing to be built currently. With regard to Bug #40946 I'm going to update cyrus-imapd-2.4 to the wheezy-version too.

Created attachment 7569: ucs3.3-rebuilt-for-openssl.txt

All dependent packages have been rebuilt, see attached list.
* The packages that required backporting from UCS 4.0-x have been built with the ~ucs3.3 suffix.
* The ones cherry picked from 3.x-y have been built without that suffix.
* In cases where the base package version was the same in UCS 3.2-x and UCS 4.0-x the automatic repo-ng version increment has been temporarily reset for the build.

On my UCS 3.3 I still have packages depending on libssl0.9.8:

    -> grep-aptavail "libssl0" -F "Depends" -s Source -n | sort -u
    bacula
    bind9
    citadel
    hplip
    iputils
    kdenetwork
    libmsn
    libssh
    m2crypto
    nagios-nrpe
    nagios-plugins
    openhpi
    openoffice.org
    openssh
    pkcs11-helper
    python2.6
    serf
    spamassassin
    univention-licence
    uw-imap

I got

    26.04.16 13:10:21.374  MAIN        ( ERROR   ) : Traceback (most recent call last):
      File "/usr/sbin/univention-management-console-server", line 210, in <module>
        umc_daemon.do_action()
      File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 186, in do_action
        func(self)
      File "/usr/sbin/univention-management-console-server", line 142, in _restart
        self._start()
      File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 131, in _start
        self.app.run()
      File "/usr/sbin/univention-management-console-server", line 185, in run
        from univention.management.console.protocol.server import Server
      File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/__init__.py", line 187, in <module>
        from session import *
      File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/session.py", line 56, in <module>
        from .client import Client, NoSocketError
      File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/client.py", line 42, in <module>
        from OpenSSL import *
      File "/usr/lib/pymodules/python2.6/OpenSSL/__init__.py", line 11, in <module>
        import rand, crypto, SSL, tsafe
    ImportError: /usr/lib/pymodules/python2.6/OpenSSL/SSL.so: undefined symbol: SSLv2_method

after the update to 3.3.

python-openssl 0.10-1 uses sslv2, which our new openssl no longer supports. Cherry picked openssl from 4.0-0 to 3.3, added patch to provide python-pyopenssl in python-openssl (UCS 3.3 python-univention-management-console depends on python-pyopenssl).

After that I got

    26.04.16 13:54:42.774  MAIN        ( ERROR   ) : Traceback (most recent call last):
      File "/usr/sbin/univention-management-console-server", line 210, in <module>
        umc_daemon.do_action()
      File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 186, in do_action
        func(self)
      File "/usr/sbin/univention-management-console-server", line 142, in _restart
        self._start()
      File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 131, in _start
        self.app.run()
      File "/usr/sbin/univention-management-console-server", line 189, in run
        self.server = Server( port = self.options.port )
      File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 455, in __init__
        notifier.socket_add( self.connection, self._connection )
      File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 93, in socket_add
        raise AttributeError( 'could not get file description: %s' % id )
    AttributeError: could not get file description: <OpenSSL.SSL.Connection object at 0xb6fa1f8c>

For UCS 4.0-0 we had to change python-notifier, so I cherry picked python-notifier from 4.0-0 (with all the patches) and rebuilt it in ucs3.3-0 with

    -> build-package-ng -b '.22~ucs3.3' -P ucs -r 3.3-0-0 --no-pbuilder-update -p python-notifier

version should be fine (smaller than 4.0-0 but higher than in 3.2X)

         0.9.5-1.22.201411061120 0
            500 http://updates.software-univention.de/4.0/maintained/ 4.0-0/all/...
     *** 0.9.5-1.22~ucs3.3.31.201604261545 0
            500 http://192.168.0.10/build2/ ucs_3.3-0/all/ Packages
            100 /var/lib/dpkg/status
         0.9.5-1.21.201411061106 0
            500 http://updates.software-univention.de/3.2/maintained/ 3.2-4/all/...

The following packages still fail to build:

Package: libcrypt-openssl-bignum-perl
Package: libcrypt-openssl-random-perl
Package: libcrypt-openssl-rsa-perl
Package: libnet-ssleay-perl
I've split this off as Bug 41199.

Source: libssh
Source: libmsn
I've split this off as Bug 41200.

Source: kdenetwork
Source: nagios-nrpe
I'm still checking what's going on with those two.

Finally the package "serf" is newer in a customer scope, the TAM needs to decide how/if we ship an additional update for that version.

Created attachment 7667: ucs3.3-rebuilt-for-openssl.txt

DONE:
Source: bacula
Source: bind9
Source: citadel
Package: cluster-glue
Package: heirloom-mailx
Source: hplip
Source: iputils
Source: kdenetwork
Source: m2crypto
Source: nagios-nrpe
Source: nagios-plugins
Package: nmap
Source: openhpi
Source: openssh
Package: openvpn
Source: pkcs11-helper
Package: postfix
Package: python2.5
Package: rdesktop
Source: serf
Source: spamassassin
Package: tcpdump
Source: univention-licence
Source: uw-imap
Package: w3m

OK - 3.3 rebuilt for ssl

    -> apt-get remove libssl0.9.8
    ...
    Die folgenden Pakete werden ENTFERNT:
      libcrypt-openssl-random-perl libssl0.9.8 makepasswd
      python-univention-directory-manager python-univention-directory-reports
      python-univention-management-console univention-bind
      univention-directory-manager-tools univention-directory-reports
      univention-heimdal-kdc univention-join univention-ldap-server
      univention-management-console
      univention-management-console-module-appcenter
      univention-management-console-module-apps
      univention-management-console-module-join
      univention-management-console-module-lib
      univention-management-console-module-mrtg
      univention-management-console-module-quota
      univention-management-console-module-reboot
      univention-management-console-module-services
      univention-management-console-module-setup
      univention-management-console-module-sysinfo
      univention-management-console-module-top
      univention-management-console-module-ucr
      univention-management-console-module-udm
      univention-management-console-module-updater
      univention-management-console-server
      univention-management-console-web-server univention-nagios-client
      univention-nagios-common univention-nfs-server univention-quota
      univention-role-common univention-role-server-common
      univention-server-master univention-virtual-machine-manager-schema

I think this is Bug 41199 (libcrypt-openssl-random-perl).

OK - kde Desktop
OK - Changelog

UCS 3.3 has been released:
https://docs.software-univention.de/release-notes-3.3-0-en.html
https://docs.software-univention.de/release-notes-3.3-0-de.html

If this error occurs again, please use "Clone This Bug".