Mageia Bugzilla – Bug 11549
the openssl libs in mageia seem to have this bug
Last modified: 2014-01-05 21:12:32 CET
Description of problem:
Version-Release number of selected component (if applicable):
do some development against openssl.
Steps to Reproduce:
it seems that the openssl people have already fixed it:
Can you describe the problem better please? There really isn't enough information to describe the problem case enough. It might be very obvious to you what is at fault here if you've done development with openssl before, but please keep in mind that not everyone is in that fortunate position.
An example program that should work but fails or some exiting program that fails would be great, such that QA can both verify the problem and also verify any fix.
Given than upstream developpers acknowledged the issue, and already fixed it themselves, it seems overkill to ask our users to prove the issue. Especially given the difficulty to set up a test case here in this specific case. I'd eventually debate the opportunity to provide an update for mageia 3, given the very limited scope of the problem.
I fixed the issue in cauldron, and I submitted an openssl-1.0.1e-1.1.mga3 release in updates_testing.
If you're happy with that then cool. I don't know OpenSSL enough to know if this change has knock on effects etc. hence I couldn't offer any kind of guidance on regression testing etc.
As you seem to be able to provide that info, I'll leave it to you :)
I do have some "source" that did make clear to me that the issue exist, but it is in pascal; lazarus; fpc, and quite frankly not very tidy; just doing some prototyping for myself. So I was a bit reluctant to show this "mesh" to the rest of the world, and was kind of hoping that because OpenSSL did already fixed it themselves, those links would be good enough.
I am glad to here that Mageia will fix this. Thanks and appreciation for the people behind Mageia.
This week I will download and test openssl-1.0.1e-1.1.mga3 and will be happy to let you know the results (against by meshed-up program)
I am happy to report that the bug is fixed with the version of openssl in core/testing.
Thank you Mageia people.
We need to keep it open such that it goes through the proper QA and release cycle.
Guillaume can you write the advisory and test case for QA?
As already said, this seems to be a quite specific problem, and I'm not even sure than standard users could be potentially affected.
I'm unable to set up a test case, nor to provide a better advisory than: "a NULL pointer reference issue have been fixed in SSL_get_certificate". If that's not enough for standard QA procedure, I'm perfectly fine not providing any update until we have any better idea of problem impact.
Dear Mageia people,
Maybe the following does help: squid proxy suffers from the same problem. Google will return the squid patches when searching on squid and the bug in ssl_get_certificate. Maybe squid can be setup in a test case for testing this fix.
Kind regards, Gursimrah
If there is no publicly known poc, it's fine to assign it
to qa, and we'll just test the update to ensure it works in
openssl-1.0.1e-1.2.mga3 update validated in bug 12096, so closing this bug.