openssl 1.1.1-1ubuntu2.1~18.04.1 contains upstream bug 7350

Bug #1832659 reported by Steve Wills
This bug affects 1 person
Affects           Status        Importance  Assigned to  Milestone
OpenSSL           Fix Released  Unknown
openssl (Ubuntu)  Fix Released  Undecided   Unassigned
  Bionic          Fix Released  Undecided   Unassigned
  Cosmic          Won't Fix     Undecided   Unassigned
  Disco           Fix Released  Undecided   Unassigned
  Eoan            Fix Released  Undecided   Unassigned

Bug Description

[Impact]

 * A regression that prevents initialising libcrypto/libssl multiple times, and/or with different options, was introduced in OpenSSL 1.1.1 and fixed in 1.1.1b.
 * This breaks existing applications that correctly use the init API, i.e. initialise libcrypto before/separately from libssl and/or with different options.

[Test Case]

 * wget https://bugs.launchpad.net/ubuntu/cosmic/+source/openssl/+bug/1832659/+attachment/5270802/+files/test_multiple_libssl_libcrypto_init.py

 * python3 ./test_multiple_libssl_libcrypto_init.py

test_multiple_init (__main__.TestMultipleInit) ... ok

----------------------------------------------------------------------
Ran 1 test in 0.014s

OK

[Regression Potential]

 * This is a cherrypick from upstream, and is backwards compatible with existing code. Init simply succeeds under more conditions now than it did previously in 1.1.1. Also, with this fix, OpenSSL is back to how things used to work with 1.1.0 and prior releases.

[Original Bug report]

After the update of openssl in bionic, I started having an issue and after troubleshooting found this issue:

https://github.com/openssl/openssl/issues/7350

Applying the patch linked in that issue and rebuilding the openssl package avoided the issue.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: openssl 1.1.1-1ubuntu2.1~18.04.1
ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
Uname: Linux 4.15.0-51-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Thu Jun 13 00:21:16 2019
InstallationDate: Installed on 2019-06-12 (0 days ago)
InstallationMedia: Ubuntu-Server 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)

Steve Wills (swills6) wrote :
Dimitri John Ledkov (xnox) wrote :

Can you please provide sources of your app / example of behaviour that needs fixing?

For us to prepare an SRU, we'd need to provide the following details:

https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

Would you be able to provide the details requested there? As in, fill out the below template's Impact, Test Case, Regression Potential sections.

I've tried to understand the upstream issue linked, but I'm not affected so I am struggling a bit.

Something minimal is ideal, like a tiny main(){}; C function that like calls double init, and works with openssl 1.1.0 from bionic-release, but fails with openssl 1.1.1 from bionic-updates.

[Impact]

 * An explanation of the effects of the bug on users and

 * justification for backporting the fix to the stable release.

 * In addition, it is helpful, but not required, to include an
   explanation of how the upload fixes this bug.

[Test Case]

 * detailed instructions how to reproduce the bug

 * these should allow someone who is not familiar with the affected
   package to reproduce the bug and verify that the updated package fixes
   the problem.

[Regression Potential]

 * discussion of how regressions are most likely to manifest as a result of this change.

 * It is assumed that any SRU candidate patch is well-tested before
   upload and has a low overall risk of regression, but it's important
   to make the effort to think about what ''could'' happen in the
   event of a regression.

 * This both shows the SRU team that the risks have been considered,
   and provides guidance to testers in regression-testing the SRU.

[Other Info]

 * Anything else you think is useful to include
 * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
 * and address these questions in advance

Changed in openssl (Ubuntu Disco):
status: New → Fix Released
Changed in openssl (Ubuntu Eoan):
status: New → Fix Released
Dimitri John Ledkov (xnox) wrote :

The issue mentioned should be included in openssl 1.1.1b and hence fix released in disco and eoan.

Steve Wills (swills6) wrote :

FWIW, here's the code that's being used and the output before the patch is built and put in place:

https://github.com/saltstack/salt/blob/v2016.11.1/salt/utils/rsax931.py#L36

Traceback (most recent call last):
  File "/usr/bin/salt-call", line 11, in <module>
    salt_call()
  File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 374, in salt_call
    import salt.cli.call
  File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 9, in <module>
    import salt.cli.caller
  File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 18, in <module>
    import salt.loader
  File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 29, in <module>
    import salt.utils.event
  File "/usr/lib/python2.7/dist-packages/salt/utils/event.py", line 72, in <module>
    import salt.payload
  File "/usr/lib/python2.7/dist-packages/salt/payload.py", line 17, in <module>
    import salt.crypt
  File "/usr/lib/python2.7/dist-packages/salt/crypt.py", line 43, in <module>
    import salt.utils.rsax931
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 84, in <module>
    libcrypto = _init_libcrypto()
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 74, in _init_libcrypto
    raise OSError("Failed to initialize OpenSSL library (OPENSSL_init_crypto failed)")
OSError: Failed to initialize OpenSSL library (OPENSSL_init_crypto failed)

Changed in openssl:
status: Unknown → Fix Released
Dimitri John Ledkov (xnox) wrote :

@Steve

Ubuntu 18.04 ships salt 2017.7.4 which has been patched for openssl 1.1.1 compatibility.

Please see:

https://launchpad.net/ubuntu/+source/salt/2017.7.4+dfsg1-1ubuntu18.04.1

salt (2017.7.4+dfsg1-1ubuntu18.04.1) bionic; urgency=medium

  * Cherrypick two upstream patches to fix compat with OpenSSL 1.1.1,
    without these salt fails to start when OpenSSL is upgraded from 1.1.0
    to 1.1.1. LP: #1823332
  * Fix up install call in debian/rules to resolve FTBFS.

Are there reasons why you use v2016 salt? Why not use v2017 salt from ubuntu? Do you need to request upstream backport of https://github.com/saltstack/salt/pull/51655/files for v2016? Does patch from https://github.com/saltstack/salt/pull/51655/files work on v2016?

Steve Wills (swills6) wrote :

Yes, we have to use 2016 salt due to in-house modules that need to be updated. If salt 2016 was updated, we would still have quite a bit of work to do. The fix in upstream works, in fact just removing OPENSSL_INIT_NO_LOAD_CONFIG works. But, it also worked before the openssl update. And I think that is really only a workaround. I suspect others will hit similar issues separate from Salt, like mentioned in the upstream bug. I'm wondering, why did you use 1.1.1 instead of 1.1.1c?

Steve Wills (swills6) wrote :

Here's a reduced reproducer that is python but isn't salt. All it does is verify the bug in OpenSSL, should return 1 for both calls. I can post a version in C if that would be helpful. It fails with the current version in Bionic and succeeds with the bug fixed version.

tags: added: regression-update
tags: added: regression-release
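
A reproducer in the spirit of the one described in the comment above, as an added example; it is not the attachment from this bug report and not Salt's code. The call sequence and the helper names (load_libcrypto, version_in_affected_range, check_multiple_init) are assumptions; only the OPENSSL_init_crypto and OpenSSL_version_num calls and the option bits come from OpenSSL's public API.

```python
import ctypes.util  # also binds the top-level ctypes package

# Option bits from <openssl/crypto.h> (OpenSSL 1.1.0 and later).
OPENSSL_INIT_ADD_ALL_CIPHERS = 0x00000004
OPENSSL_INIT_ADD_ALL_DIGESTS = 0x00000008
OPENSSL_INIT_LOAD_CONFIG = 0x00000040
OPENSSL_INIT_NO_LOAD_CONFIG = 0x00000080

# Assumed sequence: one init, then a second caller wanting different options.
INIT_SEQUENCE = [
    ("load config", OPENSSL_INIT_LOAD_CONFIG),
    ("no config + algorithms", OPENSSL_INIT_NO_LOAD_CONFIG
     | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS),
]


def load_libcrypto():
    """Return a ctypes handle to libcrypto >= 1.1.0, or None if unavailable."""
    names = [ctypes.util.find_library("crypto"), "libcrypto.so.3", "libcrypto.so.1.1"]
    for name in filter(None, names):
        try:
            lib = ctypes.CDLL(name)
        except OSError:
            continue
        if hasattr(lib, "OPENSSL_init_crypto") and hasattr(lib, "OpenSSL_version_num"):
            lib.OPENSSL_init_crypto.argtypes = [ctypes.c_uint64, ctypes.c_void_p]
            lib.OPENSSL_init_crypto.restype = ctypes.c_int
            lib.OpenSSL_version_num.restype = ctypes.c_ulong
            return lib
    return None


def version_in_affected_range(lib):
    """True for upstream 1.1.1 and 1.1.1a (0x1010100f, 0x1010101f)."""
    return 0x10101000 <= lib.OpenSSL_version_num() < 0x1010102F


def check_multiple_init(lib):
    """Run the sequence; return [(label, return_code)], 1 meaning success."""
    return [(label, lib.OPENSSL_init_crypto(opts, None)) for label, opts in INIT_SEQUENCE]


if __name__ == "__main__":
    lib = load_libcrypto()
    if lib is None:
        raise SystemExit("libcrypto >= 1.1.0 not found")
    results = check_multiple_init(lib)
    print(results, "version hint affected:", version_in_affected_range(lib))
    raise SystemExit(0 if all(rc == 1 for _, rc in results) else 1)
```

The return codes are the authoritative signal; the version number is only a hint, because a distribution package can carry the cherry-picked fix while still being versioned 1.1.1, as the fixed bionic package in this bug is.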
Dimitri John Ledkov (xnox) wrote :

So bionic-release, disco, eoan are all good.

Regressions are in bionic-updates|-proposed and cosmic.

I.e. regression introduced in 1.1.1, present in 1.1.1a, fixed in 1.1.1b and later.

description: updated
Dimitri John Ledkov (xnox) wrote :
description: updated
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted openssl into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssl (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted openssl into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssl (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Steve Wills (swills6) wrote :

Hi,

The package version 1.1.1-1ubuntu2.1~18.04.3 does fix it for me, thanks!

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Brian Murray (brian-murray) wrote : Reminder of SRU verification policy change

Thank you for taking the time to verify this stable release fix. We have noticed that you have used the verification-done tag for marking the bug as verified and would like to point out that due to a recent change in SRU bug verification policy fixes now have to be marked with per-release tags (i.e. verification-done-$RELEASE). Please remove the verification-done tag and add one for the release you have tested the package in. Thank you!

https://wiki.ubuntu.com/StableReleaseUpdates#Verification

Steve Wills (swills6) wrote :

It looks like the verification-done-bionic tag was added, so I don't understand this comment.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.1.1-1ubuntu2.1~18.04.3

---------------
openssl (1.1.1-1ubuntu2.1~18.04.3) bionic; urgency=medium

  * Fix path to Xorg for reboot notifications on desktop. LP: #1832421
  * Cherrypick upstream fix to allow successful init of libssl and
    libcrypto using separate calls with different options. LP: #1832659

 -- Dimitri John Ledkov <email address hidden> Fri, 14 Jun 2019 13:50:28 +0100

Changed in openssl (Ubuntu Bionic):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for openssl has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Mathew Hodson (mhodson)
Changed in openssl (Ubuntu Cosmic):
status: Fix Committed → Won't Fix
tags: removed: verification-done verification-needed-cosmic