Public bug reported:
[Impact]
* There have been multiple use-after-free bugs fixed in OpenSSL 1.1.1
stable branches which have not yet been applied in Focal. They are
difficult to reproduce, often require an engine to be used, and somehow
fail, as these use-after-free bugs are all in error conditions and error
paths. Usually fixing local configuration, and making engine available
is the right solution. It is however better to return errors than crash.
These patches are in 1.1.1h+ and openssl-3.
[Test Plan]
* The fixes were applied upstream without clear reproducers, or unit
tests
* Check that all autopkgtests pass and there no regressions
* Configure and use openssl with any engine and ensure that it
continues to work
[Where problems could occur]
* There will be behaviour change, such that multithreaded applications
may now notice Null pointers from the openssl engine apis, when
previously they saw valid pointers which were freed already. Meaning
that on connection failures, daemon or application shutdowns, different
messages might be generated i.e. invalid engine context, unallocated
methods, instead of crashing with double free.
[Other Info]
* Multiple customers are using openssl 1.1.1 with engines these days,
reporting various issues, it is better to have more resilient openssl
w.r.t. engine use in case of engine missuse.
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: openssl (Ubuntu Focal)
Importance: Undecided
Status: New
** Description changed:
[Impact]
- * There have been multiple use-after-free bugs fixed in OpenSSL 1.1.1
+ * There have been multiple use-after-free bugs fixed in OpenSSL 1.1.1
stable branches which have not yet been applied in Focal. They are
difficult to reproduce, often require an engine to be used, and somehow
fail, as these use-after-free bugs are all in error conditions and error
paths. Usually fixing local configuration, and making engine available
is the right solution. It is however better to return errors than crash.
- These patches are in 1.1.1-stable and openssl-3.
+ These patches are in 1.1.1h+ and openssl-3.
[Test Plan]
- * The fixes were applied upstream without clear reproducers, or unit
+ * The fixes were applied upstream without clear reproducers, or unit
tests
- * Check that all autopkgtests pass and there no regressions
+ * Check that all autopkgtests pass and there no regressions
- * Configure and use openssl with any engine and ensure that it
+ * Configure and use openssl with any engine and ensure that it
continues to work
-
[Where problems could occur]
- * There will be behaviour change, such that multithreaded applications
+ * There will be behaviour change, such that multithreaded applications
may now notice Null pointers from the openssl engine apis, when
previously they saw valid pointers which were freed already. Meaning
that on connection failures, daemon or application shutdowns, different
messages might be generated i.e. invalid engine context, unallocated
methods, instead of crashing with double free.
[Other Info]
-
- * Multiple customers are using openssl 1.1.1 with engines these days,
reporting various issues, it is better to have more resilient openssl w.r.t.
engine use in case of engine missuse.
+
+ * Multiple customers are using openssl 1.1.1 with engines these days,
+ reporting various issues, it is better to have more resilient openssl
+ w.r.t. engine use in case of engine missuse.
** Also affects: openssl (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: openssl (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1940656
Title:
Potential use after free bugs in 1.1.1
Status in openssl package in Ubuntu:
Fix Released
Status in openssl source package in Focal:
New
Bug description:
[Impact]
* There have been multiple use-after-free bugs fixed in OpenSSL 1.1.1
stable branches which have not yet been applied in Focal. They are
difficult to reproduce, often require an engine to be used, and
somehow fail, as these use-after-free bugs are all in error conditions
and error paths. Usually fixing local configuration, and making engine
available is the right solution. It is however better to return errors
than crash. These patches are in 1.1.1h+ and openssl-3.
[Test Plan]
* The fixes were applied upstream without clear reproducers, or unit
tests
* Check that all autopkgtests pass and there no regressions
* Configure and use openssl with any engine and ensure that it
continues to work
[Where problems could occur]
* There will be behaviour change, such that multithreaded
applications may now notice Null pointers from the openssl engine
apis, when previously they saw valid pointers which were freed
already. Meaning that on connection failures, daemon or application
shutdowns, different messages might be generated i.e. invalid engine
context, unallocated methods, instead of crashing with double free.
[Other Info]
* Multiple customers are using openssl 1.1.1 with engines these days,
reporting various issues, it is better to have more resilient openssl
w.r.t. engine use in case of engine missuse.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
