Re: Heads-up: OpenSSL update
On Fri, 2023-02-10 at 12:05 -0600, Michel Alexandre Salim wrote: > Dear Dmitry, > > On Fri, 2023-02-10 at 09:55 +0100, Dmitry Belyavskiy wrote: > > Dear Michel, > > > > In RHEL/CentOS we currently provide a double versioning for > > OPENSSL_strcasecmp and OPENSSL_strncasecmp functions. > > They were added in 3.0.1 downstream and 3.0.3 upstream. > > > > 0056-strcasecmp.patch in CentOS stream fixes the test in question. > > > Ah, interesting. I took a look at the history of that patch, and > narrowed down the issue: > > - with f2a49ef424f831aac988356fc8b2b910e443dc42 from Nov 25, > rebuilding > in EPEL 8 fails: > - > https://gitlab.com/redhat/centos-stream/rpms/openssl/-/commit/f2a49ef424f831aac988356fc8b2b910e443dc42 > https://koji.fedoraproject.org/koji/taskinfo?taskID=97348528 > > - with that patch backed out, building 3.0.7-2 succeeds: > https://koji.fedoraproject.org/koji/taskinfo?taskID=97348707 > > Note that these are the exact openssl package from c9s, just rebuilt > with the g++ dependency replaced by gcc-c++. > > I suppose the easiest resolution here is for me to build openssl3 > (for > EPEL 8) with that commit backed out, but I'm a bit puzzled as to why > this happens. Any idea there? > I initially thought it's the addition of the linker option --allow- multiple-definition shows up in Alma 8's `ld --help`, so ... it's not that. Stumped, -- Michel Alexandre Salim identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 signature.asc Description: This is a digitally signed message part ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Heads-up: OpenSSL update
Dear Michel, On Fri, Feb 10, 2023 at 7:06 PM Michel Alexandre Salim wrote: > > Dear Dmitry, > > On Fri, 2023-02-10 at 09:55 +0100, Dmitry Belyavskiy wrote: > > Dear Michel, > > > > In RHEL/CentOS we currently provide a double versioning for > > OPENSSL_strcasecmp and OPENSSL_strncasecmp functions. > > They were added in 3.0.1 downstream and 3.0.3 upstream. > > > > 0056-strcasecmp.patch in CentOS stream fixes the test in question. > > > Ah, interesting. I took a look at the history of that patch, and > narrowed down the issue: > > - with f2a49ef424f831aac988356fc8b2b910e443dc42 from Nov 25, rebuilding > in EPEL 8 fails: > - > https://gitlab.com/redhat/centos-stream/rpms/openssl/-/commit/f2a49ef424f831aac988356fc8b2b910e443dc42 > https://koji.fedoraproject.org/koji/taskinfo?taskID=97348528 > > - with that patch backed out, building 3.0.7-2 succeeds: > https://koji.fedoraproject.org/koji/taskinfo?taskID=97348707 > > Note that these are the exact openssl package from c9s, just rebuilt > with the g++ dependency replaced by gcc-c++. > > I suppose the easiest resolution here is for me to build openssl3 (for > EPEL 8) with that commit backed out, but I'm a bit puzzled as to why > this happens. Any idea there? No idea. It is probably worth adding some diagnostic output to the test in question. Maybe g++ uses a different naming schema in case of multiversioned functions. > Thanks, > > Michel > > > On Thu, Feb 9, 2023 at 9:47 PM Michel Alexandre Salim > > wrote: > > > > > > Hi Dmitry, > > > > > > On Thu, 2023-02-09 at 18:02 +0100, Dmitry Belyavskiy wrote: > > > > Dear colleagues, > > > > > > > > I've just pushed updates of OpenSSL to the 3.0.8 version to > > > > f36/37. > > > > I will also push to f38 and rawhide later today. > > > > > > > > This is a security release, it fixes 8 MODERATE CVEs > > > > (https://www.openssl.org/news/secadv/20230207.txt) > > > > > > > > I kindly ask you to test the version so it could be rolled up > > > > earlier. > > > > > > > Would you happen to have any insight into why some tests are > > > failing > > > when rebuilt on EPEL 8? > > > > > > This is with a scratch build of EPEL 8's openssl3 (which is just a > > > rebuild of openssl but renamed and with some subpackages removed) > > > https://koji.fedoraproject.org/koji/taskinfo?taskID=97314920 > > > > > > The errors are all identical, so to be doubly sure I rebuilt the > > > centos > > > 9 srpm (only on x86_64), just slightly modified to change the g++ > > > BR to > > > gcc-c++, and it failed identically > > > https://koji.fedoraproject.org/koji/taskinfo?taskID=97318473 > > > > > > # The following symbols are missing in libcrypto.so.3: > > > # OPENSSL_strcasecmp > > > # OPENSSL_strncasecmp > > > # The following symbols are extra in libcrypto.so.3: > > > # BIO_dgram_is_sctp > > > # BIO_dgram_sctp_msg_waiting > > > # BIO_dgram_sctp_notification_cb > > > # BIO_dgram_sctp_wait_for_dry > > > # BIO_new_dgram_sctp > > > # BIO_s_datagram_sctp > > > not ok 2 - check that there are no missing symbols in > > > libcrypto.so.3 > > > # - > > > > > > -03-test_internal_modes.t ... ok > > > 03-test_internal_namemap.t . ok > > > 03-test_internal_curve448.t ok > > > 03-test_internal_poly1305.t ok > > > # Looks like you failed 1 test of 4.01-test_symbol_presence.t > > > .. > > > Dubious, test returned 1 (wstat 256, 0x100) > > > Failed 1/4 subtests > > > 02-test_lhash.t ... > > > > > > Thanks, > > > > > > -- > > > Michel Alexandre Salim > > > identities: > > > https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 > > > ___ > > > devel mailing list -- devel@lists.fedoraproject.org > > > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > > > Fedora Code of Conduct: > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > List Guidelines: > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: > > > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > > > Do not reply to spam, report it: > > > https://pagure.io/fedora-infrastructure/new_issue > > > > > > > > -- > > Dmitry Belyavskiy > > ___ > > devel mailing list -- devel@lists.fedoraproject.org > > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > > Do not reply to spam, report it: > > https://pagure.io/fedora-infrastructure/new_issue > > -- > Michel Alexandre Salim > identities: > https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 > ___
Re: Heads-up: OpenSSL update
Dear Dmitry, On Fri, 2023-02-10 at 09:55 +0100, Dmitry Belyavskiy wrote: > Dear Michel, > > In RHEL/CentOS we currently provide a double versioning for > OPENSSL_strcasecmp and OPENSSL_strncasecmp functions. > They were added in 3.0.1 downstream and 3.0.3 upstream. > > 0056-strcasecmp.patch in CentOS stream fixes the test in question. > Ah, interesting. I took a look at the history of that patch, and narrowed down the issue: - with f2a49ef424f831aac988356fc8b2b910e443dc42 from Nov 25, rebuilding in EPEL 8 fails: - https://gitlab.com/redhat/centos-stream/rpms/openssl/-/commit/f2a49ef424f831aac988356fc8b2b910e443dc42 https://koji.fedoraproject.org/koji/taskinfo?taskID=97348528 - with that patch backed out, building 3.0.7-2 succeeds: https://koji.fedoraproject.org/koji/taskinfo?taskID=97348707 Note that these are the exact openssl package from c9s, just rebuilt with the g++ dependency replaced by gcc-c++. I suppose the easiest resolution here is for me to build openssl3 (for EPEL 8) with that commit backed out, but I'm a bit puzzled as to why this happens. Any idea there? Thanks, Michel > On Thu, Feb 9, 2023 at 9:47 PM Michel Alexandre Salim > wrote: > > > > Hi Dmitry, > > > > On Thu, 2023-02-09 at 18:02 +0100, Dmitry Belyavskiy wrote: > > > Dear colleagues, > > > > > > I've just pushed updates of OpenSSL to the 3.0.8 version to > > > f36/37. > > > I will also push to f38 and rawhide later today. > > > > > > This is a security release, it fixes 8 MODERATE CVEs > > > (https://www.openssl.org/news/secadv/20230207.txt) > > > > > > I kindly ask you to test the version so it could be rolled up > > > earlier. > > > > > Would you happen to have any insight into why some tests are > > failing > > when rebuilt on EPEL 8? > > > > This is with a scratch build of EPEL 8's openssl3 (which is just a > > rebuild of openssl but renamed and with some subpackages removed) > > https://koji.fedoraproject.org/koji/taskinfo?taskID=97314920 > > > > The errors are all identical, so to be doubly sure I rebuilt the > > centos > > 9 srpm (only on x86_64), just slightly modified to change the g++ > > BR to > > gcc-c++, and it failed identically > > https://koji.fedoraproject.org/koji/taskinfo?taskID=97318473 > > > > # The following symbols are missing in libcrypto.so.3: > > # OPENSSL_strcasecmp > > # OPENSSL_strncasecmp > > # The following symbols are extra in libcrypto.so.3: > > # BIO_dgram_is_sctp > > # BIO_dgram_sctp_msg_waiting > > # BIO_dgram_sctp_notification_cb > > # BIO_dgram_sctp_wait_for_dry > > # BIO_new_dgram_sctp > > # BIO_s_datagram_sctp > > not ok 2 - check that there are no missing symbols in > > libcrypto.so.3 > > # - > > > > -03-test_internal_modes.t ... ok > > 03-test_internal_namemap.t . ok > > 03-test_internal_curve448.t ok > > 03-test_internal_poly1305.t ok > > # Looks like you failed 1 test of 4.01-test_symbol_presence.t > > .. > > Dubious, test returned 1 (wstat 256, 0x100) > > Failed 1/4 subtests > > 02-test_lhash.t ... > > > > Thanks, > > > > -- > > Michel Alexandre Salim > > identities: > > https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 > > ___ > > devel mailing list -- devel@lists.fedoraproject.org > > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > > Do not reply to spam, report it: > > https://pagure.io/fedora-infrastructure/new_issue > > > > -- > Dmitry Belyavskiy > ___ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue -- Michel Alexandre Salim identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 signature.asc Description: This is a digitally signed message part ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it:
Re: Heads-up: OpenSSL update
Dear Michel, In RHEL/CentOS we currently provide a double versioning for OPENSSL_strcasecmp and OPENSSL_strncasecmp functions. They were added in 3.0.1 downstream and 3.0.3 upstream. 0056-strcasecmp.patch in CentOS stream fixes the test in question. On Thu, Feb 9, 2023 at 9:47 PM Michel Alexandre Salim wrote: > > Hi Dmitry, > > On Thu, 2023-02-09 at 18:02 +0100, Dmitry Belyavskiy wrote: > > Dear colleagues, > > > > I've just pushed updates of OpenSSL to the 3.0.8 version to f36/37. > > I will also push to f38 and rawhide later today. > > > > This is a security release, it fixes 8 MODERATE CVEs > > (https://www.openssl.org/news/secadv/20230207.txt) > > > > I kindly ask you to test the version so it could be rolled up > > earlier. > > > Would you happen to have any insight into why some tests are failing > when rebuilt on EPEL 8? > > This is with a scratch build of EPEL 8's openssl3 (which is just a > rebuild of openssl but renamed and with some subpackages removed) > https://koji.fedoraproject.org/koji/taskinfo?taskID=97314920 > > The errors are all identical, so to be doubly sure I rebuilt the centos > 9 srpm (only on x86_64), just slightly modified to change the g++ BR to > gcc-c++, and it failed identically > https://koji.fedoraproject.org/koji/taskinfo?taskID=97318473 > > # The following symbols are missing in libcrypto.so.3: > # OPENSSL_strcasecmp > # OPENSSL_strncasecmp > # The following symbols are extra in libcrypto.so.3: > # BIO_dgram_is_sctp > # BIO_dgram_sctp_msg_waiting > # BIO_dgram_sctp_notification_cb > # BIO_dgram_sctp_wait_for_dry > # BIO_new_dgram_sctp > # BIO_s_datagram_sctp > not ok 2 - check that there are no missing symbols in libcrypto.so.3 > # - > -03-test_internal_modes.t ... ok > 03-test_internal_namemap.t . ok > 03-test_internal_curve448.t ok > 03-test_internal_poly1305.t ok > # Looks like you failed 1 test of 4.01-test_symbol_presence.t > .. > Dubious, test returned 1 (wstat 256, 0x100) > Failed 1/4 subtests > 02-test_lhash.t ... > > Thanks, > > -- > Michel Alexandre Salim > identities: > https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 > ___ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue -- Dmitry Belyavskiy ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Heads-up: OpenSSL update
On Thu, 9 Feb 2023, Dmitry Belyavskiy wrote: I've just pushed updates of OpenSSL to the 3.0.8 version to f36/37. I will also push to f38 and rawhide later today. Why is f36/f37 the playground for f38/rawhide? Shouldn't this be done in the reverse order? In fact all the updates landed simultaneously. Ahh okay, no worries then :) Thanks for the updates! Paul ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Heads-up: OpenSSL update
Hi Dmitry, On Thu, 2023-02-09 at 18:02 +0100, Dmitry Belyavskiy wrote: > Dear colleagues, > > I've just pushed updates of OpenSSL to the 3.0.8 version to f36/37. > I will also push to f38 and rawhide later today. > > This is a security release, it fixes 8 MODERATE CVEs > (https://www.openssl.org/news/secadv/20230207.txt) > > I kindly ask you to test the version so it could be rolled up > earlier. > Would you happen to have any insight into why some tests are failing when rebuilt on EPEL 8? This is with a scratch build of EPEL 8's openssl3 (which is just a rebuild of openssl but renamed and with some subpackages removed) https://koji.fedoraproject.org/koji/taskinfo?taskID=97314920 The errors are all identical, so to be doubly sure I rebuilt the centos 9 srpm (only on x86_64), just slightly modified to change the g++ BR to gcc-c++, and it failed identically https://koji.fedoraproject.org/koji/taskinfo?taskID=97318473 # The following symbols are missing in libcrypto.so.3: # OPENSSL_strcasecmp # OPENSSL_strncasecmp # The following symbols are extra in libcrypto.so.3: # BIO_dgram_is_sctp # BIO_dgram_sctp_msg_waiting # BIO_dgram_sctp_notification_cb # BIO_dgram_sctp_wait_for_dry # BIO_new_dgram_sctp # BIO_s_datagram_sctp not ok 2 - check that there are no missing symbols in libcrypto.so.3 # - -03-test_internal_modes.t ... ok 03-test_internal_namemap.t . ok 03-test_internal_curve448.t ok 03-test_internal_poly1305.t ok # Looks like you failed 1 test of 4.01-test_symbol_presence.t .. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/4 subtests 02-test_lhash.t ... Thanks, -- Michel Alexandre Salim identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 signature.asc Description: This is a digitally signed message part ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Heads-up: OpenSSL update
Hi Dmitry, On Thu, 2023-02-09 at 18:02 +0100, Dmitry Belyavskiy wrote: > Dear colleagues, > > I've just pushed updates of OpenSSL to the 3.0.8 version to f36/37. > I will also push to f38 and rawhide later today. > > This is a security release, it fixes 8 MODERATE CVEs > (https://www.openssl.org/news/secadv/20230207.txt) > > I kindly ask you to test the version so it could be rolled up > earlier. > Thanks for the heads-up! Will test and rebase the openssl3 package in EPEL8 too. Best regards, -- Michel Alexandre Salim identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 signature.asc Description: This is a digitally signed message part ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Heads-up: OpenSSL update
Dear Paul On Thu, Feb 9, 2023 at 6:56 PM Paul Wouters wrote: > > On Thu, 9 Feb 2023, Dmitry Belyavskiy wrote: > > > I've just pushed updates of OpenSSL to the 3.0.8 version to f36/37. > > I will also push to f38 and rawhide later today. > > Why is f36/f37 the playground for f38/rawhide? Shouldn't this be done > in the reverse order? In fact all the updates landed simultaneously. > > This is a security release, it fixes 8 MODERATE CVEs > > (https://www.openssl.org/news/secadv/20230207.txt) > > > > I kindly ask you to test the version so it could be rolled up earlier. > > I really would hope that testing happens in rawhide before it is pushed > into f36/f37 :( As there are many vulnerabilities, I preferred to push the releases ASAP. Previously I was blamed for pushing only CVE fixes instead of updating. I don't expect any regressions, speaking frankly. -- Dmitry Belyavskiy ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Heads-up: OpenSSL update
On Thu, 9 Feb 2023, Dmitry Belyavskiy wrote: I've just pushed updates of OpenSSL to the 3.0.8 version to f36/37. I will also push to f38 and rawhide later today. Why is f36/f37 the playground for f38/rawhide? Shouldn't this be done in the reverse order? This is a security release, it fixes 8 MODERATE CVEs (https://www.openssl.org/news/secadv/20230207.txt) I kindly ask you to test the version so it could be rolled up earlier. I really would hope that testing happens in rawhide before it is pushed into f36/f37 :( Paul ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Heads-up: OpenSSL update
Dear colleagues, I've just pushed updates of OpenSSL to the 3.0.8 version to f36/37. I will also push to f38 and rawhide later today. This is a security release, it fixes 8 MODERATE CVEs (https://www.openssl.org/news/secadv/20230207.txt) I kindly ask you to test the version so it could be rolled up earlier. Many thanks in advance! -- Dmitry Belyavskiy ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
