Thanks for the fix. I too can verify that our system doesn't segfault on Ubuntu 14.04 (trusty) using the latest libssl1.0.0 (=1.0.1f-1ubuntu2.21):

# dpkg -l |grep libssl1.0.0
ii  libssl1.0.0:amd64  1.0.1f-1ubuntu2.21  amd64  Secure Sockets Layer toolkit - shared libraries
# php -r "echo gettype(openssl_x509_parse(file_get_contents('/etc/ssl/certs/ca-certificates.crt')));"
array

We'll definitely be reconsidering which systems will be applying security upgrades unattended in the future.

This experience makes me wonder how patches for the -security suites (default for unattended-upgrades) are tested and QA'ed. Can anything be done to the Ubuntu process to prevent things like this happening again? I'm unfamiliar with how this is done currently, so excuse my ignorance. But I'm wondering why there seems to be no collaboration or correlation between Ubuntu and Debian security updates. Debian seems to have got this one right on the first shot (DSA is here: https://www.debian.org/security/2016/dsa-3673).

BTW: the links to upstream patches on the Ubuntu CVE page (http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2182.html) are invalid, caused by a version string being appended to the commit hash (looks like borked wiki syntax).

--
https://bugs.launchpad.net/bugs/1626883

Title: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault