Bug#863472: unblock: openssl/1.1.0f-1
Kurt Roeckx(2017-06-05): > On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote: > > Kurt Roeckx (2017-06-04): > > > So I've uploaded openssl 1.1.0f-2 > > > > Source debdiff lgtm from -1, and installation over https works fine, > > ACK. > > So I actually have a new version I want to upload: > Modified: openssl/branches/1.1.0/debian/changelog > === > --- openssl/branches/1.1.0/debian/changelog 2017-06-04 17:21:11 UTC (rev > 903) > +++ openssl/branches/1.1.0/debian/changelog 2017-06-05 09:42:35 UTC (rev > 904) > @@ -1,3 +1,9 @@ > +openssl (1.1.0f-3) unstable; urgency=medium > + > + * Don't cleanup a thread-local key we didn't create (Closes: #863707) > + > + -- Kurt Roeckx Mon, 05 Jun 2017 11:40:42 +0200 > + > openssl (1.1.0f-2) unstable; urgency=medium > >* Make the udeb use a versioned depends (Closes: #864080) 1.1.0f-3 (built locally from the source package fetched from incoming) tested successfully with an https-based playbook: ack. KiBi. signature.asc Description: Digital signature
Bug#863472: unblock: openssl/1.1.0f-1
Kurt Roeckx (2017-06-05):
> On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote:
> > Kurt Roeckx (2017-06-04):
> > > So I've uploaded openssl 1.1.0f-2
> >
> > Source debdiff lgtm from -1, and installation over https works fine,
> > ACK.
>
> So I actually have a new version I want to upload:

[…]

Please don't, let's process stuff that's already been tested and ACKed
before considering further changes…

KiBi.
Bug#863472: unblock: openssl/1.1.0f-1
On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote: > Kurt Roeckx(2017-06-04): > > So I've uploaded openssl 1.1.0f-2 > > Source debdiff lgtm from -1, and installation over https works fine, > ACK. So I actually have a new version I want to upload: Modified: openssl/branches/1.1.0/debian/changelog === --- openssl/branches/1.1.0/debian/changelog 2017-06-04 17:21:11 UTC (rev 903) +++ openssl/branches/1.1.0/debian/changelog 2017-06-05 09:42:35 UTC (rev 904) @@ -1,3 +1,9 @@ +openssl (1.1.0f-3) unstable; urgency=medium + + * Don't cleanup a thread-local key we didn't create (Closes: #863707) + + -- Kurt Roeckx Mon, 05 Jun 2017 11:40:42 +0200 + openssl (1.1.0f-2) unstable; urgency=medium * Make the udeb use a versioned depends (Closes: #864080) Added: openssl/branches/1.1.0/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch === --- openssl/branches/1.1.0/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch (rev 0) +++ openssl/branches/1.1.0/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch 2017-06-05 09:42:35 UTC (rev 904) 
@@ -0,0 +1,47 @@ +From 73bc53708c386c1ea85941d345721e23dc61c05c Mon Sep 17 00:00:00 2001 +From: Rich Salz +Date: Wed, 31 May 2017 12:14:55 -0400 +Subject: [PATCH] Only release thread-local key if we created it. + +Thanks to Jan Alexander Steffens for finding the bug and confirming the +fix. + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/3592) +--- + crypto/err/err.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/crypto/err/err.c b/crypto/err/err.c +index f866f2fdd0..c55f849590 100644 +--- a/crypto/err/err.c b/crypto/err/err.c +@@ -122,6 +122,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = { + #endif + + static CRYPTO_ONCE err_init = CRYPTO_ONCE_STATIC_INIT; ++static int set_err_thread_local; + static CRYPTO_THREAD_LOCAL err_thread_local; + + static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT; +@@ -260,7 +261,8 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init) + + void err_cleanup(void) + { +-CRYPTO_THREAD_cleanup_local(_thread_local); ++if (set_err_thread_local != 0) ++CRYPTO_THREAD_cleanup_local(_thread_local); + CRYPTO_THREAD_lock_free(err_string_lock); + err_string_lock = NULL; + } +@@ -639,6 +641,7 @@ void ERR_remove_state(unsigned long pid) + + DEFINE_RUN_ONCE_STATIC(err_do_init) + { ++set_err_thread_local = 1; + return CRYPTO_THREAD_init_local(_thread_local, NULL); + } + +-- +2.11.0 + Modified: openssl/branches/1.1.0/debian/patches/series === --- openssl/branches/1.1.0/debian/patches/series2017-06-04 17:21:11 UTC (rev 903) +++ openssl/branches/1.1.0/debian/patches/series2017-06-05 09:42:35 UTC (rev 904) @@ -4,3 +4,4 @@ pic.patch c_rehash-compat.patch #padlock_conf.patch +0001-Only-release-thread-local-key-if-we-created-it.patch
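Review bot: err_cleanup() never clears set_err_thread_local after releasing the key, so the new guard only covers the never-initialised case; a second err_cleanup() call (or one after a failed re-initialisation) still hands an already-released key to CRYPTO_THREAD_cleanup_local. Reset the flag inside the if block, next to the existing `err_string_lock = NULL;`, e.g. `set_err_thread_local = 0;`. Separately, both the removed and the added line read `CRYPTO_THREAD_cleanup_local(_thread_local)` while the declaration above names the variable `err_thread_local`; that looks like the `&err` prefix being lost in transit rather than part of the change, but check that the file as applied reads `&err_thread_local`.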
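Review bot: in err_do_init the flag is set to 1 before CRYPTO_THREAD_init_local() runs, so if key creation fails the flag still claims ownership of a key that was never created and err_cleanup() will release it, which is exactly the case this patch is meant to rule out. Record ownership only on success:
    if (!CRYPTO_THREAD_init_local(&err_thread_local, NULL)) return 0;
    set_err_thread_local = 1;
    return 1;
Returning 0 from the RUN_ONCE body also keeps the "init failed" result visible to callers, consistent with no key existing.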
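The bug the patch above fixes is a cleanup routine releasing a thread-local key it never created: the static key object is zero-initialised, and on the usual pthread implementations slot 0 belongs to whichever component in the process created its key first, so the "cleanup" deletes someone else's key. The following is an added example, not OpenSSL code: the same init-once / guarded-cleanup shape written against pthread keys directly instead of the CRYPTO_THREAD_* wrappers, with a second component standing in for the victim. It differs from the hunk in one respect, in that the ownership flag is set only after key creation succeeds, and it keeps the unguarded form alongside for contrast. Build with cc -pthread.

```c
/* Guarded release of a lazily created thread-local key (added example). */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* --- the "error library": zero-initialised static state, like the static
 *     CRYPTO_THREAD_LOCAL in crypto/err/err.c ---------------------------- */
static pthread_once_t err_once = PTHREAD_ONCE_INIT;
static pthread_key_t err_key;       /* 0 until created: NOT a key we own   */
static int err_key_created;         /* ownership flag, set on success only */
static int err_init_rc = -1;        /* result of the one-time initialiser  */

static void err_do_init(void)
{
    err_init_rc = pthread_key_create(&err_key, NULL);
    /* Set the flag after the call, not before: if creation fails, err_key
     * still holds garbage and cleanup must never pass it to key_delete. */
    if (err_init_rc == 0)
        err_key_created = 1;
}

/* 0 on success, the pthread_key_create() error otherwise. */
int err_init(void)
{
    pthread_once(&err_once, err_do_init);
    return err_init_rc;
}

/* Pre-patch shape: releases whatever err_key holds, even if init never ran.
 * Returns the pthread_key_delete() result. */
int err_cleanup_unguarded(void)
{
    return pthread_key_delete(err_key);
}

/* Fixed shape: 1 if a key we created was released, 0 if there was nothing
 * of ours to release (never initialised, or already cleaned up). */
int err_cleanup_guarded(void)
{
    if (!err_key_created)
        return 0;
    pthread_key_delete(err_key);
    err_key_created = 0;            /* a second cleanup is a no-op too */
    return 1;
}

/* --- an unrelated component in the same process that owns a key -------- */
static pthread_key_t victim_key;
static int victim_payload = 42;     /* constructed sample value */

/* 0 on success, -1 if the key could not be created. */
int victim_init(void)
{
    if (pthread_key_create(&victim_key, NULL) != 0)
        return -1;
    return pthread_setspecific(victim_key, &victim_payload);
}

/* 42 while the victim's key is intact, -1 once its slot has been deleted. */
int victim_value(void)
{
    int *p = pthread_getspecific(victim_key);
    return p != NULL ? *p : -1;
}

int main(void)
{
    victim_init();
    /* On glibc the victim's key is usually slot 0, the very value held by
     * the never-created err_key, so the unguarded cleanup deletes the
     * victim's key. (Reading a deleted key is undefined by POSIX; glibc
     * returns NULL, so this typically prints -1.) */
    err_cleanup_unguarded();
    printf("victim value after unguarded cleanup: %d\n", victim_value());
    return 0;
}
```

The guarded path is the one to copy: ownership is a separate flag, set only once the resource really exists and cleared when it is released, so cleanup is idempotent and cannot touch state belonging to another component.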
Bug#863472: unblock: openssl/1.1.0f-1
Kurt Roeckx (2017-06-04):
> So I've uploaded openssl 1.1.0f-2

Source debdiff lgtm from -1, and installation over https works fine,
ACK.

> and openssl1.0 1.0.2l-2

Bare metal check with WPA is next on my todo list.

KiBi.
Bug#863472: unblock: openssl/1.1.0f-1
On Sun, Jun 04, 2017 at 06:53:29PM +0200, Cyril Brulebois wrote:
> Kurt Roeckx (2017-06-04):
> > So I changed it to this instead:
> > dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines
> >
> > the shlibs file now looks like:
> > libcrypto 1.1 libssl1.1 (>= 1.1.0f)
> > libssl 1.1 libssl1.1 (>= 1.1.0f)
> > udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
> > udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)
> >
> > Since we have symbol files, this does not affect non-udeb
> > packages.
>
> As discussed on IRC (#debian-devel), the earlier syntax (-V with a
> version) was fine, and more accurate as it only needs to be bumped
> when symbols change. However, using -V without a specific version
> should get us updated dependencies every time; they might be stricter
> than needed, but that's better than forgetting about bumping the
> version IMHO, so fine with me.

So I've uploaded openssl 1.1.0f-2 and openssl1.0 1.0.2l-2

Kurt
Bug#863472: unblock: openssl/1.1.0f-1
Kurt Roeckx (2017-06-04):
> So I changed it to this instead:
> dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines
>
> the shlibs file now looks like:
> libcrypto 1.1 libssl1.1 (>= 1.1.0f)
> libssl 1.1 libssl1.1 (>= 1.1.0f)
> udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
> udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)
>
> Since we have symbol files, this does not affect non-udeb
> packages.

As discussed on IRC (#debian-devel), the earlier syntax (-V with a
version) was fine, and more accurate as it only needs to be bumped
when symbols change. However, using -V without a specific version
should get us updated dependencies every time; they might be stricter
than needed, but that's better than forgetting about bumping the
version IMHO, so fine with me.

Thanks.

KiBi.
Bug#863472: unblock: openssl/1.1.0f-1
On Sun, Jun 04, 2017 at 11:09:00AM +, Niels Thykier wrote:
> Kurt Roeckx:
> > [...]
> >>
> >> Maybe file this as an RC bug against openssl so that it isn't forgotten
> >> about, but ignore it for r0?
> >
> > So I have prepared an update. Should I upload it?
> >
> > [...]
> >
> >
> > Kurt
> >
>
> Ack from here, so if KiBi is ok with it, then please go ahead.

So I changed it to this instead:
dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines

the shlibs file now looks like:
libcrypto 1.1 libssl1.1 (>= 1.1.0f)
libssl 1.1 libssl1.1 (>= 1.1.0f)
udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)

Since we have symbol files, this does not affect non-udeb
packages.

Kurt
Bug#863472: unblock: openssl/1.1.0f-1
Kurt Roeckx:
> [...]
>>
>> Maybe file this as an RC bug against openssl so that it isn't forgotten
>> about, but ignore it for r0?
>
> So I have prepared an update. Should I upload it?
>
> [...]
>
>
> Kurt
>

Ack from here, so if KiBi is ok with it, then please go ahead.

Thanks,
~Niels
Bug#863472: unblock: openssl/1.1.0f-1
On Sun, Jun 04, 2017 at 05:29:21AM +0200, Cyril Brulebois wrote:
> Niels Thykier (2017-06-03):
> > Kurt Roeckx:
> > > Package: release.debian.org
> > > User: release.debian@packages.debian.org
> > > Usertags: unblock
> > > Severity: normal
> > >
> > > Hi,
> > >
> > > I've uploaded a new upstream version of openssl that contains bug
> > > fixes. The Debian changelog says:
> > >  * New upstream version
> > >    - Fix regression in req -x509 (Closes: #839575)
> > >    - Properly detect features on the AMD Ryzen processor
> > >      (Closes: #861145)
> > >    - Don't mention -tls1_3 in the manpage (Closes: #859191)
> > >  * Update libssl1.1.symbols for new symbols
> > >  * Update man-section.patch
> > >
> > >
> > > Kurt
> > >
> >
> > Hi,
> >
> > Fine by me. CC'ing KiBi for a d-i ack assuming he is ok with this
> > last minute change.
>
> Erm.
>
> The libssl1.1-udeb package is broken, as it fails to depend on an
> appropriate version of libcrypto1.1-udeb, which means I've just
> successfully built a debian-installer against testing with this
> addition: build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb
> and gotten a broken wget:
> | wget: /usr/lib/libcrypto.so.1.1: version `OPENSSL_1_1_0f' not found
> (required by /usr/lib/libssl.so.1.1)
>
> See the missing version here:
> | $ dpkg --info build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb|grep Depends:
> | Depends: libc6-udeb (>= 2.24), libcrypto1.1-udeb
>
> One could argue they're from the same source and that this isn't a
> practical problem since they're going to migrate at the same time and be
> used together in debian-installer, but further fun could come up when
> other packages start depending on particular symbols (hello wget), so I
> think it'd be nice to have this fixed.
>
> Maybe file this as an RC bug against openssl so that it isn't forgotten
> about, but ignore it for r0?

So I have prepared an update. Should I upload it?
The source changes are: --- openssl-1.1.0f/debian/changelog 2017-05-25 18:29:01.0 +0200 +++ openssl-1.1.0f/debian/changelog 2017-06-04 12:07:38.0 +0200 @@ -1,3 +1,10 @@ +openssl (1.1.0f-2) unstable; urgency=medium + + * Make the udeb use a versioned depends (Closes: #864080) + * Conflict with libssl1.0-dev (Closes: #863367) + + -- Kurt Roeckx Sun, 04 Jun 2017 12:07:38 +0200 + openssl (1.1.0f-1) unstable; urgency=medium * New upstream version diff -Nru openssl-1.1.0f/debian/control openssl-1.1.0f/debian/control --- openssl-1.1.0f/debian/control 2017-01-26 23:19:08.0 +0100 +++ openssl-1.1.0f/debian/control 2017-06-04 12:07:33.0 +0200 @@ -72,6 +72,7 @@ Multi-Arch: same Recommends: libssl-doc Depends: libssl1.1 (= ${binary:Version}), ${misc:Depends} +Conflicts: libssl1.0-dev Description: Secure Sockets Layer toolkit - development files This package is part of the OpenSSL project's implementation of the SSL and TLS cryptographic protocols for secure communication over the diff -Nru openssl-1.1.0f/debian/rules openssl-1.1.0f/debian/rules --- openssl-1.1.0f/debian/rules 2017-05-25 18:17:29.0 +0200 +++ openssl-1.1.0f/debian/rules 2017-06-04 11:48:25.0 +0200 
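Review bot: the new `Conflicts: libssl1.0-dev` in debian/control is unversioned and declared on one side only; that is enough for dpkg, which honours a Conflicts declared by either package, and Conflicts rather than Breaks is the right relation if the two -dev packages ship files at the same paths, since Breaks would only deconfigure the other package and dpkg would still hit the overlap at unpack time. The changelog line "Conflict with libssl1.0-dev (Closes: #863367)" gives no reason, though; state what overlaps (headers, unversioned .so symlinks, or whatever #863367 reports) so that nobody later relaxes it to Breaks or drops it when the bug number has been forgotten.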
@@ -138,7 +138,7 @@ override_dh_makeshlibs: #dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4 - dh_makeshlibs -a --add-udeb="libcrypto1.1-udeb" -Xengines + dh_makeshlibs -a --add-udeb="libcrypto1.1-udeb (>= 1.1.0f)" -Xengines # XXX: This needs gets set perl:any by dh_perl which is correct, but # that breaks debootstrap in jessie (the current stable). This hack # could be removed once stretch is stable and contains a fixed It changes the shlibs file from: libcrypto 1.1 libssl1.1 libssl 1.1 libssl1.1 udeb: libcrypto 1.1 libcrypto1.1-udeb udeb: libssl 1.1 libssl1.1-udeb to: libcrypto 1.1 libssl1.1 libssl 1.1 libssl1.1 udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f) udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f) It results in the following debdiff change on the binaries: File lists identical (after any substitutions) Control files of package libcrypto1.1-udeb: lines which differ (wdiff format) - Version: [-1.1.0f-1-] {+1.1.0f-2+} Control files of package libssl-dev: lines which differ (wdiff format) -- {+Conflicts: libssl1.0-dev+} Depends: libssl1.1 (= [-1.1.0f-1)-] {+1.1.0f-2)+} Version: [-1.1.0f-1-] {+1.1.0f-2+} Control files of package libssl-doc: lines which differ (wdiff format) -- Version: [-1.1.0f-1-] {+1.1.0f-2+} Control files of package libssl1.1: lines which differ (wdiff format) - Version: [-1.1.0f-1-] {+1.1.0f-2+} Control files of package libssl1.1-dbgsym: lines which differ (wdiff
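Review bot: the version in `--add-udeb="libcrypto1.1-udeb (>= 1.1.0f)"` is a hand-maintained copy of the upstream version string in debian/rules, so every future upstream release that adds symbols needs someone to remember to edit this line; forgetting is exactly how 1.1.0f-1 shipped the unversioned udeb dependency being fixed here. Let dh_makeshlibs derive it instead (`-V` with no argument, the form Kurt posts later in the thread), or at least put a comment above this line saying the version must be bumped whenever libssl1.1.symbols gains symbols. Note also that the generated shlibs output shows both udeb lines gaining (>= 1.1.0f) although only libcrypto1.1-udeb is named here, while the deb lines stay unversioned and rely on the symbols file; that is fine for debs, but it is why the udeb lines are the ones that need the explicit version.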
Bug#863472: unblock: openssl/1.1.0f-1
Niels Thykier (2017-06-03):
> Kurt Roeckx:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > Severity: normal
> >
> > Hi,
> >
> > I've uploaded a new upstream version of openssl that contains bug
> > fixes. The Debian changelog says:
> >  * New upstream version
> >    - Fix regression in req -x509 (Closes: #839575)
> >    - Properly detect features on the AMD Ryzen processor
> >      (Closes: #861145)
> >    - Don't mention -tls1_3 in the manpage (Closes: #859191)
> >  * Update libssl1.1.symbols for new symbols
> >  * Update man-section.patch
> >
> >
> > Kurt
> >
>
> Hi,
>
> Fine by me. CC'ing KiBi for a d-i ack assuming he is ok with this
> last minute change.

Erm.

The libssl1.1-udeb package is broken, as it fails to depend on an
appropriate version of libcrypto1.1-udeb, which means I've just
successfully built a debian-installer against testing with this
addition: build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb
and gotten a broken wget:
| wget: /usr/lib/libcrypto.so.1.1: version `OPENSSL_1_1_0f' not found
(required by /usr/lib/libssl.so.1.1)

See the missing version here:
| $ dpkg --info build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb|grep Depends:
| Depends: libc6-udeb (>= 2.24), libcrypto1.1-udeb

One could argue they're from the same source and that this isn't a
practical problem since they're going to migrate at the same time and be
used together in debian-installer, but further fun could come up when
other packages start depending on particular symbols (hello wget), so I
think it'd be nice to have this fixed.

Maybe file this as an RC bug against openssl so that it isn't forgotten
about, but ignore it for r0?

That being said, an installer built against both updated udebs seems to
work fine with regular http and https test cases, which is better news.

Awaiting RT comments before d-i ACK'ing this update.

KiBi.
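The gap KiBi reports above (libssl.so.1.1 needing the OPENSSL_1_1_0f version node while libssl1.1-udeb depends on an unversioned libcrypto1.1-udeb), and the shlibs change Kurt proposes in reply, can be checked before an installer is ever built by comparing what the shlibs file says against the udeb's actual Depends field. The following is an added example and not part of the openssl packaging or of debhelper/dpkg: a small Python lint that parses shlibs lines and Debian relation syntax, derives the relations dpkg-shlibdeps would emit for the sonames a library needs, and flags dependencies that are missing or weaker than the shlibs information. The two shlibs texts and the Depends line are copied from this thread; the DT_NEEDED list for libssl.so.1.1 is an assumption made for the example. It also lists udeb shlibs lines with no version at all, since (as Kurt notes) only the deb packages are protected by symbols files, so an unversioned udeb line lets any version of the dependency satisfy the link.

```python
"""Lint a udeb's Depends field against shlibs information (added example)."""
import re

# shlibs line: "[type:] libname soversion dependency-list"
SHLIBS_LINE = re.compile(
    r"^(?:(?P<type>[a-z]+):\s*)?(?P<lib>\S+)\s+(?P<sover>\S+)\s+(?P<deps>\S.*?)\s*$")
# one relation of a Depends-style field: "pkg[:arch] [(op version)]"
RELATION = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.\-]*)(?::[a-z0-9-]+)?"
    r"\s*(?:\((?P<op><<|<=|=|>=|>>)\s*(?P<ver>[^)\s]+)\s*\))?$")
SONAME = re.compile(r"^(?P<lib>.+?)\.so\.(?P<sover>[0-9][0-9.]*)$")


def parse_shlibs(text):
    """Map (type, libname, soversion) -> dependency string; untagged lines are 'deb'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SHLIBS_LINE.match(line)
        if m is None:
            raise ValueError("malformed shlibs line: %r" % line)
        entries[(m["type"] or "deb", m["lib"], m["sover"])] = m["deps"]
    return entries


def parse_relations(field):
    """'a (>= 1), b | c' -> [[('a', '>=', '1')], [('b', None, None), ('c', None, None)]]"""
    groups = []
    for group in field.split(","):
        if not group.strip():
            continue
        alternatives = []
        for alt in group.split("|"):
            m = RELATION.match(alt.strip())
            if m is None:
                raise ValueError("malformed relation: %r" % alt)
            alternatives.append((m["pkg"], m["op"], m["ver"]))
        groups.append(alternatives)
    return groups


def expected_relations(shlibs_text, needed_sonames, pkg_type="udeb"):
    """Relations dpkg-shlibdeps would emit for the DT_NEEDED sonames: lines
    tagged pkg_type win, untagged lines are the fallback."""
    entries = parse_shlibs(shlibs_text)
    expected = {}
    for soname in needed_sonames:
        m = SONAME.match(soname)
        if m is None:
            continue
        key = (m["lib"], m["sover"])
        deps = entries.get((pkg_type,) + key, entries.get(("deb",) + key))
        if deps is None:
            continue  # not described by this shlibs file (e.g. libc)
        for group in parse_relations(deps):
            for pkg, op, ver in group:
                expected[pkg] = (op, ver)
    return expected


def check_depends(expected, depends_field):
    """[(package, problem)] where the Depends field is weaker than the shlibs
    information; an empty list means they agree."""
    actual = {pkg: (op, ver)
              for group in parse_relations(depends_field) for pkg, op, ver in group}
    problems = []
    for pkg, (op, ver) in sorted(expected.items()):
        if pkg not in actual:
            problems.append((pkg, "missing"))
        elif op is not None and actual[pkg][0] is None:
            problems.append((pkg, "unversioned, shlibs wants (%s %s)" % (op, ver)))
        elif op is not None and actual[pkg] != (op, ver):
            problems.append((pkg, "has (%s %s), shlibs wants (%s %s)" % (actual[pkg] + (op, ver))))
    return problems


def unversioned_entries(shlibs_text, pkg_type="udeb"):
    """Lines of the given type whose dependency carries no version at all."""
    out = []
    for (typ, lib, sover), deps in parse_shlibs(shlibs_text).items():
        versioned = any(op for group in parse_relations(deps) for _, op, _ in group)
        if typ == pkg_type and not versioned:
            out.append("%s %s" % (lib, sover))
    return sorted(out)


# Constructed inputs, copied from the shlibs output and the dpkg --info line in this thread.
SHLIBS_BEFORE = """\
libcrypto 1.1 libssl1.1
libssl 1.1 libssl1.1
udeb: libcrypto 1.1 libcrypto1.1-udeb
udeb: libssl 1.1 libssl1.1-udeb
"""
SHLIBS_AFTER = """\
libcrypto 1.1 libssl1.1 (>= 1.1.0f)
libssl 1.1 libssl1.1 (>= 1.1.0f)
udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)
"""
LIBSSL_NEEDED = ["libcrypto.so.1.1", "libc.so.6"]  # assumed DT_NEEDED of libssl.so.1.1
UDEB_DEPENDS_1_1_0F_1 = "libc6-udeb (>= 2.24), libcrypto1.1-udeb"

if __name__ == "__main__":
    for label, shlibs in (("before", SHLIBS_BEFORE), ("after", SHLIBS_AFTER)):
        print(label, "unversioned udeb lines:", unversioned_entries(shlibs))
        expected = expected_relations(shlibs, LIBSSL_NEEDED)
        print(label, "problems:", check_depends(expected, UDEB_DEPENDS_1_1_0F_1))
```

With the 1.1.0f-1 shlibs the Depends line passes, because the shlibs entry itself is unversioned; that is the blind spot, and it is why `unversioned_entries` exists as a separate check. With the versioned shlibs the same Depends line is reported as unversioned, which is the finding that would have stopped the broken udeb before it reached a d-i build.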
Bug#863472: unblock: openssl/1.1.0f-1
Kurt Roeckx:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
>
> Hi,
>
> I've uploaded a new upstream version of openssl that contains bug
> fixes. The Debian changelog says:
>  * New upstream version
>    - Fix regression in req -x509 (Closes: #839575)
>    - Properly detect features on the AMD Ryzen processor
>      (Closes: #861145)
>    - Don't mention -tls1_3 in the manpage (Closes: #859191)
>  * Update libssl1.1.symbols for new symbols
>  * Update man-section.patch
>
>
> Kurt
>

Hi,

Fine by me. CC'ing KiBi for a d-i ack assuming he is ok with this
last minute change.

~Niels
Bug#863472: unblock: openssl/1.1.0f-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hi,

I've uploaded a new upstream version of openssl that contains bug
fixes. The Debian changelog says:
 * New upstream version
   - Fix regression in req -x509 (Closes: #839575)
   - Properly detect features on the AMD Ryzen processor
     (Closes: #861145)
   - Don't mention -tls1_3 in the manpage (Closes: #859191)
 * Update libssl1.1.symbols for new symbols
 * Update man-section.patch


Kurt