Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id
<9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1075828,
regarding bookworm-pu: package openssl/3.0.13-1~deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1075828: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075828
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:openssl
X-Debbugs-Cc: open...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
Well. There was a bug against openssl in unstable (and according to the
bug report I filed it against 3.0.12 [0]) that broke the SoftHSM
testsuite via libp11. This went nowhere; however, I got a patch against
the openssl binary which worked around the issue (the testsuite used the
openssl binary and libp11 with a module from SoftHSM).
Due to mysterious circumstances I forgot about that patch while preparing
the update 3.0.13-1~deb12u1. On the bright side, #1074764 [1] was
reported against src:openssl affecting osslsigncode, and the patch I
forgot about would not have helped. ¯\_(ツ)_/¯
In the meantime the patch that broke it was reverted, and this change
is part of 3.0.14. I didn't propose 3.0.14 for Bookworm because it was
close to the point release. (This change is also part of the 3.2.2 release
in unstable.) As a side note: the reporter of #1074764 confirmed that
this change fixes the osslsigncode issue for him.
Now that osslsigncode is broken in Bookworm I propose to apply that one
patch (from upstream) to revert the code that broke osslsigncode as well
as libp11+SoftHSM.
There are still a few CVEs open against the Bookworm version, but they
are all minor/low severity. I would be more comfortable just fixing the
one issue at hand, which would also make the review easier. Also, maybe
route this via bookworm/updates.
I will start looking into a 3.0.14 pu in August at the earliest.
Please find attached the proposed debdiff.
[0] https://github.com/openssl/openssl/issues/22508
[1] https://bugs.debian.org/1074764
Sebastian
diff -Nru openssl-3.0.13/debian/changelog openssl-3.0.13/debian/changelog
--- openssl-3.0.13/debian/changelog 2024-03-03 10:47:43.000000000 +0100
+++ openssl-3.0.13/debian/changelog 2024-07-05 23:04:47.000000000 +0200
@@ -1,3 +1,10 @@
+openssl (3.0.13-1~deb12u2) bookworm; urgency=medium
+
+ * Revert "Improved detection of engine-provided private "classic"
+ keys" (Closes: #1074764).
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Fri, 05 Jul 2024 23:04:47 +0200
+
openssl (3.0.13-1~deb12u1) bookworm; urgency=medium
* Import 3.0.13
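Review bot: the new changelog entry `* Revert "Improved detection of engine-provided private "classic" keys" (Closes: #1074764).` records only the Debian bug and nothing about where the change comes from; since it is a cherry-pick of upstream commit 39ea78379826 (openssl/openssl PR #23063, upstream issue #22945) that already ships in 3.0.14, and it also resolves the libp11+SoftHSM breakage from the cover letter (upstream issue #22508), say so in the entry, e.g. `* Revert "Improved detection of engine-provided private "classic" keys", backported from upstream 3.0.14; fixes osslsigncode and libp11/SoftHSM key loading (Closes: #1074764).`, so a reader of the 3.0.13-1~deb12u2 changelog can tell this is an upstream fix rather than a Debian-local revert.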
diff -Nru openssl-3.0.13/debian/patches/Revert-Improved-detection-of-engine-provided-private-clas.patch openssl-3.0.13/debian/patches/Revert-Improved-detection-of-engine-provided-private-clas.patch
--- openssl-3.0.13/debian/patches/Revert-Improved-detection-of-engine-provided-private-clas.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.13/debian/patches/Revert-Improved-detection-of-engine-provided-private-clas.patch 2024-07-05 23:04:41.000000000 +0200
@@ -0,0 +1,78 @@
+From: Tomas Mraz <to...@openssl.org>
+Date: Fri, 15 Dec 2023 13:45:50 +0100
+Subject: Revert "Improved detection of engine-provided private "classic"
+ keys"
+
+This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
+
+The commit was wrong. With 3.x versions the engines must be themselves
+responsible for creating their EVP_PKEYs in a way that they are treated
+as legacy - either by using the respective set1 calls or by setting
+non-default EVP_PKEY_METHOD.
+
+The workaround has caused more problems than it solved.
+
+Fixes #22945
+
+Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com>
+Reviewed-by: Neil Horman <nhor...@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23063)
+
+(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
+---
+ crypto/engine/eng_pkey.c | 42 ------------------------------------------
+ 1 file changed, 42 deletions(-)
+
+diff --git a/crypto/engine/eng_pkey.c b/crypto/engine/eng_pkey.c
+index f84fcde46016..075a61b5bfbf 100644
+--- a/crypto/engine/eng_pkey.c
++++ b/crypto/engine/eng_pkey.c
+@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+ ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+ return NULL;
+ }
+- /* We enforce check for legacy key */
+- switch (EVP_PKEY_get_id(pkey)) {
+- case EVP_PKEY_RSA:
+- {
+- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+- EVP_PKEY_set1_RSA(pkey, rsa);
+- RSA_free(rsa);
+- }
+- break;
+-# ifndef OPENSSL_NO_EC
+- case EVP_PKEY_SM2:
+- case EVP_PKEY_EC:
+- {
+- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+- EVP_PKEY_set1_EC_KEY(pkey, ec);
+- EC_KEY_free(ec);
+- }
+- break;
+-# endif
+-# ifndef OPENSSL_NO_DSA
+- case EVP_PKEY_DSA:
+- {
+- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
+- EVP_PKEY_set1_DSA(pkey, dsa);
+- DSA_free(dsa);
+- }
+- break;
+-#endif
+-# ifndef OPENSSL_NO_DH
+- case EVP_PKEY_DH:
+- {
+- DH *dh = EVP_PKEY_get1_DH(pkey);
+- EVP_PKEY_set1_DH(pkey, dh);
+- DH_free(dh);
+- }
+- break;
+-#endif
+- default:
+- /*Do nothing */
+- break;
+- }
+-
+ return pkey;
+ }
+
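Review bot: the patch file carries only the upstream git header (From/Date/Subject, Reviewed-by, the "Merged from" and "cherry picked from" lines) and no DEP-3 fields; add `Origin: upstream, https://github.com/openssl/openssl/commit/39ea78379826fa98e8dc8c0d2b07e2c17cd68380` and `Bug-Debian: https://bugs.debian.org/1074764` above the `---` separator so the provenance survives a quilt refresh. On the code: deleting the entire `switch (EVP_PKEY_get_id(pkey))` block means `ENGINE_load_private_key` now hands back the engine's EVP_PKEY untouched for RSA, EC/SM2, DSA and DH, which is what the commit message intends (the engine itself is to produce a legacy key via the `EVP_PKEY_set1_*` calls or a non-default EVP_PKEY_METHOD); the dropped block also never checked the `EVP_PKEY_get1_*` results for NULL before passing them to `EVP_PKEY_set1_*`, so nothing worth keeping is lost. Because the behaviour change lands in the engine-facing path and not in the library's own tests, the bookworm builds of libp11 (with SoftHSM) and osslsigncode that motivated this update should be exercised against the patched libcrypto before upload, not only the openssl testsuite.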
diff -Nru openssl-3.0.13/debian/patches/series openssl-3.0.13/debian/patches/series
--- openssl-3.0.13/debian/patches/series 2024-03-03 10:47:43.000000000 +0100
+++ openssl-3.0.13/debian/patches/series 2024-07-05 23:04:41.000000000 +0200
@@ -7,3 +7,4 @@
Remove-the-provider-section.patch
conf-Serialize-allocation-free-of-ssl_names.patch
Fix-tests-for-new-default-security-level.patch
+Revert-Improved-detection-of-engine-provided-private-clas.patch
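Review bot: the file name added to series, `Revert-Improved-detection-of-engine-provided-private-clas.patch`, is cut off mid-word ("clas"); rename it, together with the file under debian/patches, to something that ends on a whole word such as `Revert-Improved-detection-of-engine-provided-private-classic-keys.patch`, so the name matches the upstream subject and is found by a grep for it. Appending it last in series is fine for a change confined to crypto/engine/eng_pkey.c, provided none of the earlier patches in the series touch that file.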
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.7
Hi,
Each of these bugs relates to an update included in today's bookworm
12.7 point release.
Regards,
Adam
--- End Message ---