Hello Dimitri, or anyone else affected, Accepted openssl into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.9 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-focal. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: openssl (Ubuntu Focal) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1940656 Title: Potential use after free bugs in 1.1.1 Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: Fix Committed Bug description: [Impact] * There have been multiple use-after-free bugs fixed in OpenSSL 1.1.1 stable branches which have not yet been applied in Focal. They are difficult to reproduce, often require an engine to be used, and somehow fail, as these use-after-free bugs are all in error conditions and error paths. Usually fixing local configuration, and making engine available is the right solution. It is however better to return errors than crash. These patches are in 1.1.1h+ and openssl-3. [Test Plan] * The fixes were applied upstream without clear reproducers, or unit tests * Check that all autopkgtests pass and there no regressions * Configure and use openssl with any engine and ensure that it continues to work [Where problems could occur] * There will be behaviour change, such that multithreaded applications may now notice Null pointers from the openssl engine apis, when previously they saw valid pointers which were freed already. Meaning that on connection failures, daemon or application shutdowns, different messages might be generated i.e. invalid engine context, unallocated methods, instead of crashing with double free. [Other Info] * Multiple customers are using openssl 1.1.1 with engines these days, reporting various issues, it is better to have more resilient openssl w.r.t. engine use in case of engine missuse. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
