Thanks for the analysis and testing. I think we can mark this issue as
Won't Fix, especially after all this time.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1469834
I've tried to reproduce on Lunar and got a CSR. I'm going to mark this
as Fix Released.
** Changed in: openssl (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
I'm leaning towards marking this bug as Won't Fix. As stated above, this
is needed by a minority of users and the current configuration (which is
still the same regarding this) is therefore sound for the vast majority
of users. Moreover this would have consequences for this majority of
users as
And as far as I can tell, gnutls doesn't use MD4 anymore. Marking as Fix
released also for gnutls26.
** Changed in: gnutls26 (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to
** Changed in: openssl (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/654896
Title:
SCTP DTLS support
Status in
The file private_key.pem was not provided and this makes it impossible
to run the reproducer unfortunately.
** Changed in: openssl (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to
As far as I can understand from the mailing-list thread, the patch
unfortunately did not get merged. However, the versions against which
this issue has been reported are also very old at this point and I think
this means the issue will be WONTFIX.
--
You received this bug notification because
This ticket will be WONTFIX because SSL3 is not supported anymore (and
it's now known that supporting SSL2, SSL3 and TLS1.x at the same time
with the same code was a mistake, which makes issues like this one not
surprising).
--
You received this bug notification because you are a member of
There has been no activity on this bug for 7 years. Marc stated 1.0.2
connects successfully. Moreover, the last comments were about this
occuring with 1.0.1f on 14.04 (8 years old). Lastly, the corresponding
code seems to be gone. I'll mark this as Fix Released.
** Changed in: openssl (Ubuntu)
*** This bug is a duplicate of bug 1971650 ***
https://bugs.launchpad.net/bugs/1971650
This is not strictly a duplicate of
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1971650 since
this one is now about switching to needrestart, but I believe it
subsumes the current bug enough to
There is no mention of either CVE-2011-4019 or 4109 at the moment in
debian/changelog. As such there is nothing to do.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4019
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is
I've tried to reproduce the issue (thanks for the reproducer!) and
didn't manage to. I'm not sure the API is still there and in the same
form but also, pem.h is vastly different and much much simpler. I think
there's nothing to do and this bug should be WONTFIX.
--
You received this bug
I've tried to reproduce the issue but to no avail. Having the exact
steps coule be helpful.
** Changed in: openssl (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
Camellia is available IIRC although it is going away. IDEA already went
away in real-world scenarios (but it might be available anyway) and
MDC-2 is something I hadn't heard of before now.
I'm marking this as Invalid because there is no single Status meaningful
here since this mentions three
Actually that's fix released instead. Maybe the "invalid" status comes
from rt.openssl.org becoming unreachable.
** Bug watch added: github.com/openssl/openssl/issues #3980
https://github.com/openssl/openssl/issues/3980
--
You received this bug notification because you are a member of Ubuntu
Btw, discussion upstream at
https://github.com/openssl/openssl/issues/3980 (you can see everything
has been imported in 2017).
** Changed in: openssl (Ubuntu)
Status: Invalid => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages,
I'm going to replicate the status used by upstream (Invalid) even though
rt.openssl.org has unfortunately been decomissioned.
** Changed in: openssl (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which
It looks like php5 was changed to accomodate whatever openssl was doing.
It's difficult to tell whether something has been changed on the openssl
side in the meantime but considering how long it's been, I see no reason
to keep this bug open.
--
You received this bug notification because you are
I'm going to mark this bug as Incomplete. If it is encountered again,
please try to provide a reproducer: having to reproduce against a multi-
tenant postgresql is a lot of work (especially when you're not familiar
with pg).
** Changed in: openssl (Ubuntu)
Status: Confirmed => Incomplete
I'm going to mark this as Fix Released due to the message above even
though I wasn't able to try to reproduce today (due to so many things
having changed since 2012).
** Changed in: openssl (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a
** Changed in: seahorse
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/357998
Title:
openssh-client (amd64) can't login after upgrade to
AFAIU, MD4 is officially deprecated in openssl and it should also be
forbidden with openssl's seclevel.
Right now I actually have troubles finding definitive answers because of
how long this has probably been.
** Changed in: openssl (Ubuntu)
Status: Confirmed => Fix Released
--
You
** Changed in: openssl (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/795355
Title:
Intermittent SSL connection faults
I think this should be won't fix since there is now a FIPS version
available and it's 100% sure it must not be the default version (and
that it wouldn't make a lot of sense even for people who want FIPS
stuff).
--
You received this bug notification because you are a member of Ubuntu
Touch seeded
I'm not seeing that behaviour on a 23.04 system and I expect it to be
the same since 22.04 at least. As such I'm going to mark this as Fix
Released.
** Changed in: openssl (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
I tried this again (openssl3) and got the following:
40C75734AE7F:error:1465:UI routines:UI_set_result_ex:result too
small:../crypto/ui/ui_lib.c:884:You must type in 4 to 1024 characters
40C75734AE7F:error:146B:UI routines:UI_process:processing
Seth pointed out that there was actually a reproducer attached. I'm
sorry to have missed it, especially considering how complete it is.
Anyway, I tried it and it's successful at the moment so we'll close this
bug.
--
You received this bug notification because you are a member of Ubuntu
Touch
RC4-MD5 was already considered pretty bad when this bug was filled; now
they're clearly deprecated and Ubuntu's openssl is actively pushing for
higher security standards. As such I think this bug should be WONTFIX.
--
You received this bug notification because you are a member of Ubuntu
Touch
*** This bug is a duplicate of bug 1971650 ***
https://bugs.launchpad.net/bugs/1971650
I think this is pretty much a duplicate of 1971650 which is about
migrating to needrestart from the current postinst. Like with another
bug I recently marked as duplicate, I don't think it is exactly the
I wasn't able to reproduce the issue. I've tried the attached reproducer but:
- I don't have a file "TrustStore.pem",
- if I comment out the block of code that tries to load this file, I get
"Certificate verification error: 20",
- in both cases, valgrind reports no memory lost or still reachable.
*** This bug is a duplicate of bug 1971650 ***
https://bugs.launchpad.net/bugs/1971650
I'm going to mark this as duplicate of 1971650 which is about updating
the logic for libssl upgrades since it will cover this issue too (and
we'd like to address it in the not-so-distant future).
** This
I'm marking this bug as Fix Released for the openssl package too because
we've incorporated this already and I can't reproduce the issue (I used
conference.igniterealtime.org:5222 since the original testcase doesn't
resolve anymore).
** Changed in: openssl (Ubuntu)
Status: Confirmed => Fix
I was able to reproduce your results but there aren't that many patches
being applied at the moment and that makes the failure surprising. I
didn't spot anything obvious in the certificates either but overall I
think this bug needs a reproducer which covers the generation of the
certificates
Hi,
Thank you for taking the time to report this issue and providing a
reproducer. Unfortunately I have not succeeded in reproducing the issue.
In a fresh jammy container, using "OPENSSL_BRANCH=openssl-3.0.3
scripts/fullbuild.sh", I then ran "ln -s oqsprovider.so
_build/lib/oqsprovider2.so" which
Gil, can you do the verification? Thanks.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1994165
Title:
CMS_final: do not ignore CMS_dataFinal result
Status in openssl
As expected, it wasn't very easy to create a reproducer since the
openssl tool couldn't be used and it required introducing errors in
lower layers. Moreover the CMS_dataFinal symbol cannot be overriden in a
meaningful way, probably either due to LTO or symbol visibility.
Fortunately it was still
Frank and Grgo, thanks for the verification. That was very helpful.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2023545
Title:
[UBUNTU 22.04] openssl with ibmca engine
Thanks a lot for the verification Simon!
I looked at the test results and I believe failed tests are all fine:
- diffoscope: pyhon "ModuleNotFoundError: No module named 'tests.utils'"
- dotnet*: complains that this dotnet is not tested for 24.04 (yes, 24.04);
this system of keeping a matrix of
Thanks for re-trying and reporting!
For some (possible) context: there have been some infrastructure issues
his week, especially at the beginning of the week: broken services and
delays in the pipelines. I was expecting this to be the cause of the
issue.
--
You received this bug notification
I'm not seeing the issue on 3.2.1. I'm preparing 3.0.13 without the AES
patch and will probably deal with it after the feature freeze at the end
of the month.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
While preparing an update to 3.0.13 for Noble, I started encoutering
testsuite failures.
The cause is the AES patch combined with 3.0.13 (more specifically with the
dupctx patches. The problematic combination looks something like the following:
- AES-GCM-enabled-with-AVX512-vAES-and-vPCLMULQDQ
-
I tested this patch set on a Zen 4 machine too and saw roughly similar
speedups.
And before someone asks: no, I'm not testing that on Via CPUs!
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
I'm attaching an updated debdiff.
- remove left-over patches for a bug that we decided to not handle as part of
this SRU (patches were already unlisted from d/p/series)
- added Bug-Ubuntu entries to patches
PPA is the same. New build is at
https://launchpad.net/~adrien-n/+archive/ubuntu/jammy-
Here is an updated version.
I've dropped the extra patch for #1994165 and fixed the changelog where
I had swapped comments for two of the patches.
I've created a new PPA at
https://launchpad.net/~adrien-n/+archive/ubuntu/jammy-
openssl-2033422-sru because the version is unchanged (there has been
Thanks for the review and upload.
I have a similar take on the patches in this series and I believe it
would be very difficult and riskier to try to skip some of the patches
in this series which has seen real-world use as a whole, starting with
openssl >= 3.0.4 (which we started shipping in
Openssl's support policy means we won't be using a non-LTS version in
Ubuntu. There's a small window where we might use a non-LTS version
provided we are sure we can upgrade to an LTS version of openssl in time
for our own LTS but at the moment this situation has not happened yet.
Openssl 3.1 is
Thanks a lot for the tests, that's very appreciated.
I ran that on my laptop (11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz)
which quite surprisingly has all these CPU features. Mostly idle,
dynamic CPU governor but no thermal throttling at all (and if there
were, it would probably slow down the
As you mention, it's difficult to test with this reproducer specifically
since it's specialized hardware and I've largely had to rely on testing
from the proxied persons who also have interests and duties in this
working well. The issue also appears without the specific hardware when
using
Indeed, there is an "extra" change which I saw fit to include after
reviewing the change with care.
Replicating the issue directly involves using the openssl C APIs because
higher-level interfaces like the command-line ones prevent calling the
affected code in a way that will trigger the issue.
That looks a lot like the -fstack-clash-protection issue we've been
having recently for other packages on armhf.
dpkg 1.22.1ubuntu3 should fix this (
https://launchpad.net/ubuntu/+source/dpkg/1.22.1ubuntu3 )
The place where I've written the most details about this is
Thanks for looking more deeply than I did. I guess I'll upload both to
my PPA, using whichever version is in -proposed right now.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
I'm going to mark this as duplicate of another bug which I have an
overdue answer to provide.
But one important question: what is your actual usecase that is
negatively impacted?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed
Apologies for not answering earlier; I wasn't available when I first saw
your message.
FWIW, there's just been another report of the same issue with a
different scenario but that's half-way between the "streaming" case and
the "data at rest" one.
The reason this fix is difficult to integrate in
*** This bug is a duplicate of bug 1990216 ***
https://bugs.launchpad.net/bugs/1990216
** This bug has been marked a duplicate of bug 1990216
backport fix for "OpenSSL 3 cannot decrypt data encrypted with OpenSSL 1.1
with blowfish in OFB or CFB modes" to Jammy
--
You received this bug
Sometimes I don't understand what happens when I attempt to reply by
mail...
Anyway...
The affected code is in libcrypto which I think sees fewer important security
fixes. Therefore it's possible to build it and put it in your library search
path. This should fix the issue without being too
There aren't many ways to make localtime() fail and we still don't know
how this happened in this case. We expect this happens maybe on a 32-bit
machine. You can't have a really huge value in btmp anyway because
everything is stored on 32-bit signed integers but maybe seconds are
negative or
XZ developers have a couple questions regarding this after looking at the trace:
- is it reproducible? did it happen several times?
- does the machine use ECC memory?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xz-utils
** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy
** Tags removed: foundations-triage-discuss
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in
** Changed in: openssl (Ubuntu)
Status: Triaged => New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2062167
Title:
[FFe] openssl: post-3.0.13 changes from git
Note that there is a CVE fix in there too. It's low-severity because
it's only unbounded memory growth but it's quite easy to trigger and I
think that anyone who has a webserver with TLS 1.3 will want it patched.
Therefore there should be an upload of this at least.
--
You received this bug
Public bug reported:
I would like to have the most recent openssl version possible in Noble.
For that I am requesting to upload all the commits in the openssl-3.0
branch that follow 3.0.13 which is already in the archive.
I would like to include 3.0.14 afterwards if feasible. Having the most
** Changed in: openssl (Ubuntu)
Milestone: None => ubuntu-24.10
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1297025
Title:
Either the changelog.gz is missing or
AFAIU there is no issue in the package at the moment so I'll close the
report. Thanks for investigating and trying the package reinstallation.
(Also, Alex, impressive intuition!)
** Changed in: openssl (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are
*** This bug is a duplicate of bug 1297025 ***
https://bugs.launchpad.net/bugs/1297025
** This bug has been marked a duplicate of bug 1297025
Either the changelog.gz is missing or there is an erroneous link in the
libssl1.0.0 package
--
You received this bug notification because you are
I plan to work on this during the OO cycle. It's an issue inherited from
Debian AFAIU.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1297025
Title:
Either the
** Changed in: openssl (Ubuntu)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2058017
Title:
openssl is not LTO-safe
Status
** Changed in: openssl (Ubuntu)
Status: Triaged => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2056593
Title:
[FFE] FIPS compatibility patches
** Description changed:
tl;dr: since it's too much work to make openssl LTO-safe, upstream
doesn't see it as a goal and doesn't test it, and there are probably no
performance gains to LTO for this package.
Openssl is an old project and the codebase wasn't written with aliasing
rules
** Description changed:
tl;dr: since it's too much work to make openssl LTO-safe, upstream
doesn't see it as a goal and doesn't test it, and there are probably no
performance gains to LTO for this package.
Openssl is an old project and the codebase wasn't written with aliasing
rules
Thanks a lot for looking at this. The issue seems fixed on my machine.
There are currently several changes being prepared for openssl and I
think I'd rather batch them considering the state of the CI queue but
this will definitely go into Noble. Thanks again.
--
You received this bug
Public bug reported:
tl;dr: since it's too much work to make openssl LTO-safe, upstream
doesn't see it as a goal and doesn't test it, and there are probably no
performance gains to LTO for this package.
Openssl is an old project and the codebase wasn't written with aliasing
rules in mind. There
** Description changed:
tl;dr: since it's too much work to make openssl LTO-safe, upstream
doesn't see it as a goal and doesn't test it, and there are probably no
performance gains to LTO for this package.
Openssl is an old project and the codebase wasn't written with aliasing
rules
I did some additional tests too in a noble container.
With/without the env var to set the file location, including with the
file missing, with/without the env var to force FIPS mode, and using
values 0, 1, 42, -42, a.
By the way, note that access to these environment variables uses
** Summary changed:
- [FFe] openssl is not LTO-safe
+ openssl is not LTO-safe
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2058017
Title:
openssl is not LTO-safe
** Summary changed:
- openssl is not LTO-safe
+ [FFe] openssl is not LTO-safe
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2058017
Title:
[FFe] openssl is not LTO-safe
** Changed in: openssl (Ubuntu)
Milestone: None => ubuntu-24.04
** Changed in: openssl (Ubuntu)
Assignee: (unassigned) => Adrien Nader (adrien-n)
** Changed in: openssl (Ubuntu)
Status: New => In Progress
--
You received this bug notification because you are a member
** Description changed:
We have an open MR with a handful of FIPS compatibilty changes we wore hoping
to get into 24.04. The main purpose of the changes is to detect whether the
kernel is running in FIPS mode and adjust the behavior of the library
accordingly by loading the correct
Hey,
I think everything in the gnutls/ directory should be allowed: there can
be profiles with arbitrary names (or at least alnum I guess) which
define priority/configuration strings that can be used by gnutls
applications. I'm not aware of anything else that typically goes there
but I haven't
I had forgotten about this bug. Thanks for bringing this up and let me
close this.
** Changed in: xz-utils (Ubuntu)
Status: New => Invalid
** Description changed:
+ NOTE: THE VERSION MENTIONED HERE HAS BEEN BACKDOORED.
+ I am keeping the text below unchanged due to its possible
** Description changed:
+ NOTE: THIS IS AN ATTEMPT AT INCLUDING A BACKDOOR. THIS IS LEFT FOR
+ HISTORICAL PURPOSES ONLY AND MUST NOT BE DONE.
+
+
Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)
Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1
was
Due to openssl's release schedule, 24.04 Noble Numbat will still use
3.0. It will be 3.0.13 unless a 3.0.14 is released very soon.
After Noble Numbat is released, I will work on openssl 3.3 for the
subsequent Ubuntu release. It is not yet released but will be soon so I
might start with beta/RC.
I'll dive deeper into this. The timing collides with the t64 transition
so that makes me curious. Moreover, Debian reverted to 5.4.5 so the
situation where we're on 5.6.0 doesn't match Debian either.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages,
I'm going to target this to 24.10 as it's the first time it will be
possible to "solve" it. As far as I understand, there will probably be
performance loss with 3.3 compared to 1.1 but it's going to be a long
tail rather than a few big changes which have been included in 3.1, 3.2
and 3.3.
Btw,
** Also affects: openssl (Ubuntu Noble)
Importance: Undecided
Status: Confirmed
** Also affects: openssl (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: openssl (Ubuntu Mantic)
Importance: Undecided
Status: New
** Changed in: openssl (Ubuntu
Thanks for the report. I am reluctant to backport this as I'm not sure
it makes a lot of sense system-wide. Curl upstream didn't seem happy
with enabling this work-around even in 2021. It seems the reason to
integrate this would be to be able to ignore this despite curl not
ignoring it nor
There are several reasons a program can skip loading the openssl
configuration unfortunately: env vars pointing to another file, apparmor
preventing loading, library initilization skipping it, ...
Is the program that ignores the openssl configuration file in the Ubuntu
archive? Or public?
--
Graham pointed out that the upload was actually to unstable and
therefore autosync'ed already!
I'm going to keep the bug open until it migrates due to the possibility
of some testsuite failures.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages,
Public bug reported:
Xz-utils 5.6.0 was released last Friday. It features a much faster
decompression code on all platforms but on x86_64 in particular, it is
60% faster in my testing. It also aligns better current practices of
enabling multi-threading by default (always with a default memory
Thanks for continued investigation.
A reproducer would be valuable as it would allow me to verify
independently the patch is effective, within the limits of the
understanding of the situation of course and that can be especially
time-consuming when not having access to the remote server. :/
A
201 - 289 of 289 matches
Mail list logo