Bug#907906: stretch-pu: package openssl/1.1.0f-3+deb9u2

2018-09-07 Thread Kurt Roeckx
On Tue, Sep 04, 2018 at 04:41:32PM +0200, Moritz Mühlenhoff wrote:
> 
> (I've been deploying custom debs of the 1.0.2x and 1.1.0x openssl releases
> at work and I haven't run into any compatibility issues/API issues during
> that).

We should really upload all the latest point releases to all
supported branches.


Kurt



Bug#907906: stretch-pu: package openssl/1.1.0f-3+deb9u2

2018-09-04 Thread Moritz Mühlenhoff
On Tue, Sep 04, 2018 at 12:12:56AM +0200, Sebastian Andrzej Siewior wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: stretch
> Severity: normal

I can't speak for the SRMs, but personally I'm in favour of this. In
fact, I had been meaning to contact you and Kurt wrt switching to
releasing the openssl micro releases for buster-security onwards (but
I think it's ok to retroactively apply this for stretch as well).

We've had good results with shipping upstream micro releases in -security
for selected packages with sane/well-established release/QA processes,
and I think openssl is a sensible candidate.
Apart from the pure security fixes, there's a grey area of changes
which are important to also get to stable (and there have been cases
where a bugfix shipped in an openssl stable release turned out to be
security-relevant later on).

(I've been deploying custom debs of the 1.0.2x and 1.1.0x openssl releases
at work and I haven't run into any compatibility issues/API issues during
that).

> The BTS bugs #903566 and #907457 are two examples which were raised
> within Debian.

It also allows building some software in stretch which doesn't work
with 1.1.0f, e.g. nodejs 10 requires 1.1.0g as it depends on some API
functions only introduced there.

Cheers,
Moritz



Bug#907906: stretch-pu: package openssl/1.1.0f-3+deb9u2

2018-09-03 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

I prepared an update for OpenSSL to synchronize it with upstream's
latest stable release (i).  The i release is an OpenSSL stable release
within the 1.1.0 series with no additional features. It contains only
fixes which don't fix anything security related but still qualify as
something that should be fixed with a stable release.
The BTS bugs #903566 and #907457 are two examples which were raised
within Debian.

As part of my QA I rebuilt all of openssl's and libssl1.1's reverse
dependencies [0]. Some packages (like nova) failed to build against this
and the current (currently Stretch) openssl due to its testsuite, and it might
have something to do with my sbuild setup since it succeeded in the
"reproducible builds" build. However, openbsc also FTBFS in
"reproducible builds". Everything that FTBFS against i also FTBFS
against the current openssl in my setup except for one package.

The package python-cryptography fails to build due to an API change of
BIO_callback_ctrl() in OpenSSL. While this is a no-no in a stable release, it
has been explained [1] that the function / callback was always used with
a different prototype. I fixed this by removing the function / prototype
from the python wrapper while upstream removed almost all BIO-related
wrappers [2].
I would submit a pu bug for python-cryptography if there is nothing
wrong with this one.

I am attaching a diff of the debian/ folder of the update (the openssl
part is replaced with the new version). The whole diff is 24MiB in size
and can be fetched from [4] compressed.

If the release team would like some additional tests, please let me
know.

[0] https://breakpoint.cc/openssl-rebuild/2018-09-02-rebuild-stretch-1.1.0i/
[1] https://github.com/openssl/openssl/pull/4493#discussion_r143505277
[2] https://github.com/pyca/cryptography/pull/4220
[3] https://breakpoint.cc/openssl-rebuild/2018-09-02-rebuild-stretch-python-cryptography/
[4] https://breakpoint.cc/openssl-rebuild/2018-09-02-rebuild-stretch-1.1.0i/ossl_1.1.0f-3deb9u2_to_1.1.0i.patch.xz

Sebastian
diff --git a/debian/changelog b/debian/changelog
index 3c231b9b2cf9a..886d06e39674d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+openssl (1.1.0i-1~deb9u1) stretch; urgency=medium
+
+  * Import 1.1.0i
+- Fix segfault ERR_clear_error (Closes: #903566)
+- Fix commandline option for CAengine (Closes: #907457)
+  * Abort the build if symbols are discovered which are not part of the
+symbols file.
+
+ -- Sebastian Andrzej Siewior   Mon, 03 Sep 2018 23:59:02 +0200
+
 openssl (1.1.0f-3+deb9u2) stretch-security; urgency=high
 
   * CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64)
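Review bot: the entry "Abort the build if symbols are discovered which are not part of the symbols file" describes a build-time check, but no change to debian/rules (or wherever that check is wired in) appears in this excerpt; please include it or point to it, since the new `*@OPENSSL_1_1_0g/h/i` wildcard lines in libssl1.1.symbols are exactly what that check will be validated against. It would also help to record in the same entry that the Debian patches for CVE-2017-3735, CVE-2017-3736 and the rsaz-avx2 digit-correction fix (presumably the CVE-2017-3738 fix listed in the deb9u2 entry) are dropped because 1.1.0i carries them upstream, so the security history stays readable from the changelog alone. Minor: the sub-items `- Fix segfault ERR_clear_error` and `- Fix commandline option for CAengine` appear without the indentation dch expects under a `*` item, if that is not just an artefact of the mail.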
diff --git a/debian/libssl1.1.symbols b/debian/libssl1.1.symbols
index 9d70f3748ca03..84875cff36446 100644
--- a/debian/libssl1.1.symbols
+++ b/debian/libssl1.1.symbols
@@ -4,6 +4,9 @@ libcrypto.so.1.1 libssl1.1 #MINVER#
  *@OPENSSL_1_1_0c 1.1.0c
  *@OPENSSL_1_1_0d 1.1.0d
  *@OPENSSL_1_1_0f 1.1.0f
+ *@OPENSSL_1_1_0g 1.1.0g
+ *@OPENSSL_1_1_0h 1.1.0h
+ *@OPENSSL_1_1_0i 1.1.0i
 libssl.so.1.1 libssl1.1 #MINVER#
  *@OPENSSL_1_1_0 1.1.0
  *@OPENSSL_1_1_0d 1.1.0d
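Review bot: only the libcrypto.so.1.1 section gains the OPENSSL_1_1_0g, OPENSSL_1_1_0h and OPENSSL_1_1_0i version nodes; the libssl.so.1.1 section still ends at OPENSSL_1_1_0d in the visible context. If any of the 1.1.0g to 1.1.0i releases added libssl exports under a new node, the build-abort check announced in the changelog will trip on them, so please confirm (for instance with `dpkg-gensymbols -c2`, which fails on newly introduced symbols) that libssl needs no additional lines. The wildcard form is the right choice here: any reverse dependency using a symbol under `OPENSSL_1_1_0g` picks up a dependency on libssl1.1 (>= 1.1.0g), which is what the nodejs 10 observation earlier in the thread relies on.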
diff --git a/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch b/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch
deleted file mode 100644
index 835b95d00696e..0
diff --git a/debian/patches/CVE-2017-3735.patch b/debian/patches/CVE-2017-3735.patch
deleted file mode 100644
index d152ddd387949..0
diff --git a/debian/patches/CVE-2017-3736.patch b/debian/patches/CVE-2017-3736.patch
deleted file mode 100644
index e60063fb65544..0
diff --git a/debian/patches/Fix-a-Proxy-race-condition.patch b/debian/patches/Fix-a-Proxy-race-condition.patch
deleted file mode 100644
index a2b72b8b79f66..0
diff --git a/debian/patches/Fix-race-condition-in-TLSProxy.patch b/debian/patches/Fix-race-condition-in-TLSProxy.patch
deleted file mode 100644
index 24b05c7e14139..0
diff --git a/debian/patches/Limit-ASN.1-constructed-types-recursive-definition-d.patch b/debian/patches/Limit-ASN.1-constructed-types-recursive-definition-d.patch
deleted file mode 100644
index 45e0feb25dc07..0
diff --git a/debian/patches/bn-asm-rsaz-avx2.pl-fix-digit-correction-bug-in-rsaz.patch b/debian/patches/bn-asm-rsaz-avx2.pl-fix-digit-correction-bug-in-rsaz.patch
deleted file mode 100644
index dbd3573187081..0
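Review bot: seven files under debian/patches are deleted here but debian/patches/series is not part of this excerpt; the series update needs to be in the same change, otherwise the build fails when it tries to apply patches that no longer exist. Please also state, per dropped patch, which upstream commit or which of the 1.1.0g to 1.1.0i releases supersedes it: the CVE-2017-3735 and CVE-2017-3736 fixes, the rsaz-avx2 digit-correction fix, the ASN.1 recursion-depth limit and the thread-local key release fix are all security- or robustness-relevant, and a reviewer should be able to verify that none of them regressed in the import rather than infer it from the deletions.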
diff --git a/debian/patches/c_rehash-compat.patch b/debian/patches/c_rehash-compat.patch
index de24948e8dfac..199480af27e4d 100644
--- a/debian/patches/c_rehash-compat.patch
+++ b/debian/patches/c_rehash-compat.patch
@@ -1,15 +1,16 @@
-From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001
 From: Ludwig Nussel 
 Date: Wed, 21 Apr 2010 15:52:10 +0200
 Subject: [PATCH] also create old hash for compatibility
 
 ---
- tools/c_rehash.in |
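Review bot: the removed line `From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001` was the only reference to the commit this patch originated from; if a quilt refresh rewrote the header, consider keeping that id in a DEP-3 `Origin:` field so the patch's provenance stays traceable. The hunk is cut off in this mail after `- tools/c_rehash.in |`, so the rest of the refreshed patch could not be reviewed here.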
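The `*@OPENSSL_1_1_0g 1.1.0g` lines in the libssl1.1.symbols hunk, the changelog's "abort the build if symbols are discovered which are not part of the symbols file", and Moritz's remark that nodejs 10 needs 1.1.0g because of API functions introduced there all rest on the same mechanism: dpkg symbols files map each exported symbol (or, with a wildcard, every symbol under a version node) to the minimum package version that provides it. The script below is an added illustration of that check, not code from this bug or from the openssl package. It parses a constructed excerpt in the symbols-file format and compares it against a constructed list of `name@@NODE` exports in the shape `nm -D --defined-only` prints; every symbol name containing "hypothetical" is made up, and the two uncovered ones are planted so the check has something to report.

```python
"""Check a library's exported symbols against a dpkg symbols file.

Added example; not part of the openssl package or of this bug report.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed excerpt in the debian/*.symbols format: a header line per
# shared object, then one-space-indented symbol lines. "*@NODE minver" is
# the version-node wildcard form used by libssl1.1.symbols; the
# "(optional)" line is a made-up explicit entry to show tagged symbols.
SYMBOLS_FILE = """\
libcrypto.so.1.1 libssl1.1 #MINVER#
* Build-Depends-Package: libssl-dev
 *@OPENSSL_1_1_0 1.1.0
 *@OPENSSL_1_1_0c 1.1.0c
 *@OPENSSL_1_1_0d 1.1.0d
 *@OPENSSL_1_1_0f 1.1.0f
 *@OPENSSL_1_1_0g 1.1.0g
 *@OPENSSL_1_1_0h 1.1.0h
 *@OPENSSL_1_1_0i 1.1.0i
libssl.so.1.1 libssl1.1 #MINVER#
 *@OPENSSL_1_1_0 1.1.0
 *@OPENSSL_1_1_0d 1.1.0d
 (optional)hypothetical_debug_hook@Base 1.1.0
"""

# Constructed exports per shared object, as "name@@NODE" (default version)
# or a bare name for an unversioned symbol. Names with "hypothetical" in
# them do not exist in OpenSSL; the two under unknown nodes are planted.
EXPORTS = {
    "libcrypto.so.1.1": [
        "ERR_clear_error@@OPENSSL_1_1_0",
        "hypothetical_new_fn@@OPENSSL_1_1_0i",
        "hypothetical_leak@@OPENSSL_1_1_0j",   # node not in the file
    ],
    "libssl.so.1.1": [
        "SSL_new@@OPENSSL_1_1_0",
        "hypothetical_debug_hook",             # unversioned -> "@Base"
        "hypothetical_ssl_fn@@OPENSSL_1_1_0i", # libssl has no 1.1.0i node
    ],
}

# " [(tags)]name@node minver" - tags like (optional) precede the name.
SYMBOL_RE = re.compile(
    r"^\s(?:\((?P<tags>[^)]*)\))?(?P<name>\S+?)@(?P<node>\S+)\s+(?P<minver>\S+)")


@dataclass
class LibrarySymbols:
    package: str
    wildcards: dict = field(default_factory=dict)  # version node -> min version
    explicit: dict = field(default_factory=dict)   # "name@node" -> min version


def parse_symbols_file(text):
    """Return {soname: LibrarySymbols} for every library section in text."""
    libs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] not in " |*":
            # Header: "<soname> <package> <dependency template>"
            soname, package = line.split()[:2]
            current = libs[soname] = LibrarySymbols(package)
            continue
        if line.startswith(("|", "*")):
            # Alternative dependency lines and "* Key: value" metadata.
            continue
        m = SYMBOL_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsable symbols line: {line!r}")
        if m["name"] == "*":
            current.wildcards[m["node"]] = m["minver"]
        else:
            current.explicit[f"{m['name']}@{m['node']}"] = m["minver"]
    return libs


def uncovered_symbols(libs, exports):
    """Return {soname: [export, ...]} for exports the symbols file does not cover.

    A non-empty result is what the changelog's build abort would act on.
    """
    missing = {}
    for soname, names in exports.items():
        lib = libs.get(soname)
        if lib is None:
            missing[soname] = list(names)  # whole library unknown to the file
            continue
        for export in names:
            name, _, node = export.partition("@")
            node = node.lstrip("@") or "Base"  # "@@" = default version; none = Base
            if node in lib.wildcards or f"{name}@{node}" in lib.explicit:
                continue
            missing.setdefault(soname, []).append(export)
    return missing


if __name__ == "__main__":
    problems = uncovered_symbols(parse_symbols_file(SYMBOLS_FILE), EXPORTS)
    for soname, syms in problems.items():
        for sym in syms:
            print(f"{soname}: {sym} is not covered by the symbols file")
    sys.exit(1 if problems else 0)
```

Run stand-alone it reports the two planted symbols and exits non-zero, which is the behaviour the changelog entry describes. In a real package build dpkg-gensymbols performs this comparison itself; its `-c` check level controls whether differences are fatal (level 2 fails when new symbols appear), which is the knob to look at when auditing how the abort in the changelog was implemented.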