On Thu, Apr 29, 2021 at 8:13 PM Matthew Ruffell <[email protected]> wrote:
>
> Hi Security Team,
>
> VISA opened a case, SF308725 - "openssl unable to process the certificate on
> Ubuntu 20.0" [1], about a minor regression in openssl 1.1.1f that affects
> both Focal and Groovy.
>
> [1] https://canonical.lightning.force.com/lightning/r/Case/5004K000005pGePQAU/view
>
> A commit was merged in 1.1.1f which disallows certificates which set
> "basicConstraints=CA:FALSE,pathlen:0" as it violates the RFC for ssl certs,
> but this is a common configuration in certificates in the wild, particularly
> self signed certificates.
>
> This was reported upstream and fixed in 1.1.1g, to relax this particular
> scenario only, to allow it to be accepted as a valid certificate.
>
> More information and a full reproducer is available on the Launchpad bug,
> LP #1926254 - "x509 Certificate verification fails when
> basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs" [2].
>
> [2] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254
>
> Due to the nature of the package, can you please review the launchpad bug and
> debdiffs I have attached to the launchpad bug, and if everything is okay, can
> you write an acknowledgement and approval to a comment on the launchpad bug.
>
> After that I will seek sponsorship to get this submitted for SRU.
>
> I am thinking -updates is okay, no need for -security.

I added ubuntu-security to the bug also, and I'm happy to upload if there are no objections from security team.

>
> Thanks,
> Matthew
>
> --
> Mailing list: https://launchpad.net/~sts-sponsors
> Post to : [email protected]
> Unsubscribe : https://launchpad.net/~sts-sponsors
> More help : https://help.launchpad.net/ListHelp
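
The certificate shape discussed in the quoted message can be found in an inventory before or after the SRU lands. The following is an added example, not code from OpenSSL, the Launchpad bug, or either author: it decodes a DER-encoded basicConstraints extension and flags CA:FALSE combined with a pathlen. The function names and the hex sample extensions are constructed for the illustration.

```python
# Added example: audit helper, not OpenSSL code. Names are hypothetical.
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_basic_constraints(ext_der):
    """Parse one DER Extension; return (ca, pathlen), or None for other OIDs."""
    tag, body, _ = read_tlv(ext_der, 0)
    fields = children(body) if tag == 0x30 else []
    if not fields or fields[0] != (0x06, BASIC_CONSTRAINTS_OID):
        return None
    # Last field is extnValue (OCTET STRING) wrapping the BasicConstraints SEQUENCE.
    _, bc_body, _ = read_tlv(fields[-1][1], 0)
    ca, pathlen = False, None  # cA is DEFAULT FALSE, so DER omits it when false
    for t, v in children(bc_body):
        if t == 0x01:    # BOOLEAN cA
            ca = v != b"\x00"
        elif t == 0x02:  # INTEGER pathLenConstraint
            pathlen = int.from_bytes(v, "big", signed=True)
    return ca, pathlen

def is_ca_false_with_pathlen(ext_der):
    """True for the CA:FALSE plus pathlen shape discussed in the message."""
    parsed = parse_basic_constraints(ext_der)
    return parsed is not None and not parsed[0] and parsed[1] is not None

# Constructed sample extensions (hex DER), not taken from real certificates.
LEAF_WITH_PATHLEN = bytes.fromhex("300c0603551d1304053003020100")  # CA:FALSE,pathlen:0
PLAIN_LEAF = bytes.fromhex("30090603551d1304023000")               # CA:FALSE
CA_WITH_PATHLEN = bytes.fromhex("30120603551d130101ff040830060101ff020100")  # CA:TRUE,pathlen:0
```

Each function takes the bytes of a single Extension element, so a caller would first extract the extensions from the certificate with its usual X.509 tooling.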

