Your message dated Mon, 17 Oct 2005 10:32:07 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#330867: fixed in openssl 0.9.8a-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Tue, 11 Oct 2005 10:42:17 -0300
From: Henrique de Moraes Holschuh <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: openssl: Must either version symbols or conflict with ALL libraries linked to previous version
X-Debbugs-Cc: debian-devel@lists.debian.org

Package: openssl
Version: 0.9.8-2
Severity: critical
Justification: breaks unrelated software

OpenSSL does not version symbols. This means all applications that
somehow end up linked to both openssl 0.9.7 and 0.9.8 segfault or behave
otherwise erratically (which would be a critical bug by itself, as openssl
is a data privacy/authentication framework with severe consequences for
overall system security).

Therefore, ANY new ABI-introducing version of openssl has to conflict with
ALL **libraries** (not applications) that are linked against other openssl
versions. Not doing so is just hiding the mess for the users to find out as
segfaults. Transitions like this should be enforced by package
dependencies, always.

The whole deal is made even worse because some of the libraries linking to
openssl are used by PAM modules and/or nsswitch modules, and thus
dlopen()ed by a lot/potentially all applications in the system.

The conflicts are quite messy, but unless either symbol versioning or
another technique that avoids the symbol mess while linked is employed (weak
symbols might do it, I think -- but symbol versioning is much easier to
predict and understand), it is what must be done.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13.4-debian1+libata+bluesmoke+imq+lm85
Locale: LANG=pt_BR.ISO-8859-1, LC_CTYPE=pt_BR.ISO-8859-1 (charmap=ISO-8859-1)

Versions of packages openssl depends on:
ii  libc6         2.3.5-6   GNU C Library: Shared libraries an
ii  libssl0.9.8   0.9.8-2   SSL shared libraries

openssl recommends no packages.

-- no debconf information

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

---------------------------------------
From: Christoph Martin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#330867: fixed in openssl 0.9.8a-1
Date: Mon, 17 Oct 2005 10:32:07 -0700

Source: openssl
Source-Version: 0.9.8a-1

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8a-1_i386.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-1_i386.udeb
libssl-dev_0.9.8a-1_i386.deb
  to pool/main/o/openssl/libssl-dev_0.9.8a-1_i386.deb
libssl0.9.8-dbg_0.9.8a-1_i386.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-1_i386.deb
libssl0.9.8_0.9.8a-1_i386.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8a-1_i386.deb
openssl_0.9.8a-1.diff.gz
  to pool/main/o/openssl/openssl_0.9.8a-1.diff.gz
openssl_0.9.8a-1.dsc
  to pool/main/o/openssl/openssl_0.9.8a-1.dsc
openssl_0.9.8a-1_i386.deb
  to pool/main/o/openssl/openssl_0.9.8a-1_i386.deb
openssl_0.9.8a.orig.tar.gz
  to pool/main/o/openssl/openssl_0.9.8a.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin <[EMAIL PROTECTED]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Mon, 17 Oct 2005 17:01:06 +0200
Source: openssl
Binary: libssl-dev openssl libssl0.9.8-dbg libcrypto0.9.8-udeb libssl0.9.8
Architecture: source i386
Version: 0.9.8a-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <[EMAIL PROTECTED]>
Changed-By: Christoph Martin <[EMAIL PROTECTED]>
Description:
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypt
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 330554 330867 332755 333579
Changes:
 openssl (0.9.8a-1) unstable; urgency=low
 .
   Christoph Martin:
   * fix asm entries for some architectures, fixing #332758 properly.
   * add noexecstack option to i386 subarch
   * include symbol versioning in Configure (closes: #330867)
   * include debian-armeb arch (closes: #333579)
   * include new upstream patches; includes some minor fixes
   * fix dh_shlibdeps line, removing the redundant dependency on
     libssl0.9.8 (closes: #332755)
   * add swedish debconf template (closes: #330554)
 .
   Kurt Roeckx:
   * Also add noexecstack option for amd64, since it now has an
     executable stack with the assembler fixes for amd64.
package-type: udeb