[Touch-packages] [Bug 2019970] [NEW] OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS

2023-05-17 Thread Michael Baentsch
Public bug reported:

Full bug report at https://github.com/openssl/openssl/issues/20981

No upstream impact: OpenSSL 3.0.9-dev does not contain the problem any
more.

** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2019970

Title:
  OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS

Status in openssl package in Ubuntu:
  New

Bug description:
  Full bug report at https://github.com/openssl/openssl/issues/20981

  No upstream impact: OpenSSL 3.0.9-dev does not contain the problem any
  more.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2019970/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2019970] Re: OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS

2023-05-21 Thread Michael Baentsch
Thanks for trying to reproduce this. A crash can only be triggered with
two providers active. Your command "OPENSSL_MODULES=_build/lib/
OPENSSL_CONF=scripts/o-ca.cnf ./.local/bin/openssl version" is not quite
conclusive: The config file "o-ca.cnf" doesn't look right. Please verify
that your setup confirms two instances of the provider being active. You
can do this with the option "list -providers": This is what must be
displayed (also in the test run) to trigger/showcase the problem:

OPENSSL_MODULES=_build/lib/ OPENSSL_CONF=scripts/openssl-ca.cnf LD_LIBRARY_PATH=.local/lib64 ./.local/bin/openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.0
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
  oqsprovider2
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active

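The precondition named in the message above (two instances of the OQS provider reported as active) can be checked in a script before a reproduction run. This is an added example, not part of the original thread; the function names are hypothetical and the sample listing is constructed from the output quoted in the message.

```shell
#!/bin/sh
# Count providers in `openssl list -providers` output (read from stdin)
# whose display name equals $1 and whose status is "active".
count_active_providers() {
    awk -v want="$1" '
        # Strip leading whitespace so indented and flattened output both parse.
        { sub(/^[ \t]+/, "") }
        /^name:/   { name = $0; sub(/^name:[ \t]*/, "", name); next }
        /^status:/ { st = $0; sub(/^status:[ \t]*/, "", st)
                     if (name == want && st == "active") n++
                     name = ""; next }
        END { print n + 0 }
    '
}

# Succeeds only if at least two OQS provider instances are active.
two_oqs_instances_active() {
    [ "$(count_active_providers 'OpenSSL OQS Provider')" -ge 2 ]
}

# Constructed sample: the listing quoted in the message above.
sample_listing() {
    cat <<'EOF'
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.0
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
  oqsprovider2
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
EOF
}

# Constructed negative case: the same listing with only one OQS instance.
single_instance_listing() { sample_listing | head -n 9; }

# Real use: openssl list -providers | two_oqs_instances_active
if sample_listing | two_oqs_instances_active; then
    echo "two OQS provider instances active"
fi
```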


[Touch-packages] [Bug 2019970] Re: OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS

2023-06-15 Thread Michael Baentsch
Fine for me -- I'm working around this (not using Ubuntu for CI any more
and/or using/building less buggy OpenSSL releases for CI).

> if it's time to re-visit that practice of not updating through minor
> openssl versions; it's risky to try.

What risks do you see? I find it much more risky _not_ to do it: You'll
retain buggy versions that are possibly also security risks: I'm
counting 24 CVEs that Ubuntu with this policy willingly does not fix --
as an Ubuntu user I wouldn't be happy (see
https://www.openssl.org/news/vulnerabilities-3.0.html)

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 2019970] Re: OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS

2023-06-16 Thread Michael Baentsch
Thanks for this explanation, Seth. Very good to know--from a security
perspective. A bit less satisfying from a functionality perspective,
particularly given the assurance by Matt from the OpenSSL team above.

I do understand though that you're aiming for "bug completeness" to
support those that rely on those bugs. The others then need to work
around them (using other distros or building packages from source).

Please feel free to close this report then.



[Touch-packages] [Bug 2019970] Re: OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS

2023-06-22 Thread Michael Baentsch
Thanks very much for this complete answer and apologies for using the
term "bug completeness": I meant "feature stability" (with bugs being on
the arguably negative side of that term -- and this discussion being one
regarding a bug).

Clearly there are more users (valuing stability) than developers (valuing
"progress" -- with known risks).

I personally think the OpenSSL team goes to great lengths to not break
things with new sub-sub-version releases but I can appreciate that not
all projects do the same and you don't want to annoy your users.

Indeed your distribution is one of the first to have integrated OpenSSL3
-- which gave me the ability to integrate quantum safe crypto and thus
make available that capability (in 3.0.2 only for KEMs, in future
releases also for signatures/certificates) to Ubuntu users: So, a big
Thanks to you for having taken that step -- with regard to quantum
security possibly still many, many years before it's a true necessity.
