Hi Dan, I responded to Seth's question about the re-factor commit in openssl 3.0alpha, and it does not need to be backported.
I think we are good to go for sponsorship now, thanks! Matthew On Sat, May 1, 2021 at 7:52 AM Dan Streetman <[email protected]> wrote: > > On Thu, Apr 29, 2021 at 8:13 PM Matthew Ruffell > <[email protected]> wrote: > > > > Hi Security Team, > > > > VISA opened a case, SF308725 - "openssl unable to process the certificate on > > Ubuntu 20.0" [1], about a minor regression in openssl 1.1.1f that affects > > both Focal and Groovy. > > > > [1] > > https://canonical.lightning.force.com/lightning/r/Case/5004K000005pGePQAU/view > > > > A commit was merged in 1.1.1f which disallows certificates which set > > "basicConstraints=CA:FALSE,pathlen:0" as it violates the RFC for ssl certs, > > but > > this is a common configuration in certificates in the wild, particularly > > self > > signed certificates. > > > > This was reported upstream and fixed in 1.1.1g, to relax this particular > > scenario only, to allow it to be accepted as a valid certificate. > > > > More information and a full reproducer is available on the Launchpad bug, > > LP #1926254 - "x509 Certificate verification fails when > > basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs" [2]. > > > > [2] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254 > > > > Due to the nature of the package, can you please review the launchpad bug > > and > > debdiffs I have attached to the launchpad bug, and if everything is okay, > > can > > you write an acknowledgement and approval to a comment on the launchpad bug. > > > > After that I will seek sponsorship to get this submitted for SRU. > > > > I am thinking -updates is okay, no need for -security. > > I added ubuntu-security to the bug also, and I'm happy to upload if > there are no objections from security team > > > > > Thanks, > > Matthew > > > > -- > > Mailing list: https://launchpad.net/~sts-sponsors > > Post to : [email protected] > > Unsubscribe : https://launchpad.net/~sts-sponsors > > More help : https://help.launchpad.net/ListHelp -- Mailing list: https://launchpad.net/~sts-sponsors Post to : [email protected] Unsubscribe : https://launchpad.net/~sts-sponsors More help : https://help.launchpad.net/ListHelp
