Package: openssl
Version: 1.1.1c-1
Severity: serious

(You seem to use the serious severity for such reports.)

Dear OpenSSL Maintainers,

Please see https://github.com/kronosnet/kronosnet/issues/226: the Kronosnet upstream CI started to fail in the Valgrind memory checks after the libssl upgrade from 1.1.1b-2 to 1.1.1c-1. This is reproducible with kronosnet_1.8-2 in testing and unstable by building it with valgrind installed: "make -C libknet/tests check-memcheck" gives a failure in api_knet_send_crypto_test:

==28725== Thread 8:
==28725== Conditional jump or move depends on uninitialised value(s)
==28725==    at 0xC4BED7B: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==28725==    by 0xC4BF422: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==28725==    by 0xC4C00B9: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==28725==    by 0xC4C0C02: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==28725==    by 0x48454B7: encrypt_openssl (crypto_openssl.c:184)
==28725==    by 0x4845C5D: opensslcrypto_encrypt_and_signv (crypto_openssl.c:326)
==28725==    by 0x4845D19: opensslcrypto_encrypt_and_sign (crypto_openssl.c:360)
==28725==    by 0x48595C1: _handle_check_each (threads_heartbeat.c:74)
==28725==    by 0x48595C1: _send_pings (threads_heartbeat.c:148)
==28725==    by 0x48598F4: _handle_heartbt_thread (threads_heartbeat.c:217)
==28725==    by 0x4877FA2: start_thread (pthread_create.c:486)
==28725==    by 0x498A4CE: clone (clone.S:95)
[...]

I don't know whether this is a genuine library bug, an application bug or a valgrind bug, but wanted to make sure you see this before the buster release. The Kronosnet DebCI tests don't run these tests automatically.

-- 
Regards,
Feri.