Bug 24433 - openssl versions in Mageia 7 are EOL
Summary: openssl versions in Mageia 7 are EOL
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: Mageia 8
Assignee: Nicolas Lécureuil
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-27 03:58 CET by David Walser
Modified: 2020-11-12 21:38 CET
CC List: 2 users

See Also:
Source RPM: openssl-1.1.0j-1.mga7.src.rpm, compat-openssl10-1.0.2r-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-02-27 03:58:56 CET
Upstream has issued an advisory today (February 26):
https://www.openssl.org/news/secadv/20190226.txt

It contains this note:
OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

Both OpenSSL versions in Cauldron will be EOL this year.  We should drop the compat-openssl10 package and migrate the openssl package to 1.1.1.
David Walser 2019-02-27 03:59:06 CET

Target Milestone: --- => Mageia 7
Priority: Normal => release_blocker

Comment 1 Marja Van Waes 2019-02-28 19:04:40 CET
Assigning to neoclust, because he is the registered maintainer of compat-openssl10 and there's no registered maintainer of openssl

CC: (none) => marja11
Assignee: bugsquad => mageia

Comment 2 Jani Välimaa 2019-03-03 14:23:11 CET
Source rpm list for packages still using oldest 1.0.x:
afbackup
botan
c-client
freepops
freeswitch
ghpsdr3-alex
harbour
ice
ipsec-tools
ircd-hybrid
jboss-web-native
libmsn
libofetion
libqxt
mongo-tools
netty-tcnative
pam_ssh
ptlib
sslscan
sslsniff
ucommon
ufdbguard
vdr-plugin-sc
w3c-libwww
wvstreams

There might be more pkgs BR'ing openssl 1.0.x, but the pkgs mentioned above use the libs from it.
Comment 4 David Walser 2019-05-13 04:13:54 CEST
Just a reminder that nothing has been done with this yet.
Comment 5 David Walser 2019-09-11 02:15:53 CEST
OpenSSL 1.1.0 will be EOL in a few hours, and 1.0.2 will be in a few months...

Whiteboard: (none) => MGA7TOO

Comment 6 Bjarne Thomsen 2019-10-31 22:35:07 CET
Is it possible to have OpenSSL 1.1.1 just for apache, along with 1.1.0 and 1.0.2?
Support is important, considering (31 October 2019):
Elliptic curve implementations vulnerable to Minerva timing attack

CC: (none) => bjarne.thomsen

Comment 8 David Walser 2019-10-31 23:59:04 CET
That would be highly undesirable.  It's bad enough we already have to support two versions.  We need to get rid of at least one of the current ones.
Comment 9 Bjarne Thomsen 2019-11-01 10:59:57 CET
I agree. A Cloudflare Blog explains why TLS 1.3 has been a long time on the way because the implementation in OpenSSL 1.1.1 had to be compatible with OpenSSL 1.1.0:
https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/
OpenSSL: All users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible.
The transition 1.1.0 -> 1.1.1 should accordingly be easy, unless there are some hidden problems with e.g. the gcc compiler. OpenSSL 1.0.x is another matter, as the long list above shows.
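The package list in comment 2 and the soname point in comment 9 (1.1.0 and 1.1.1 are ABI compatible, so both ship libssl.so.1.1 and libcrypto.so.1.1) suggest a small inventory check a packager or sysadmin could run. The following is an added example, not code from the bug report or from Mageia; it assumes the dependency lines come from something like `rpm -qa --queryformat '[%{NAME}\t%{REQUIRENAME}\n]'` and that the installed openssl/compat-openssl10 versions are known. The sample lines and the package names apache-mod_ssl, curl and bash in them are constructed for the example; the EOL dates are the ones quoted from the upstream advisory in the report.

```python
"""Find RPM packages whose OpenSSL dependency resolves to an EOL branch.

Added example (not part of the Mageia bug report). Input format assumed:
one "<package>\t<REQUIRENAME>" line per dependency, as produced by
    rpm -qa --queryformat '[%{NAME}\t%{REQUIRENAME}\n]'
"""
from datetime import date

# Branch end-of-life dates quoted from the upstream advisory in the report.
EOL = {
    "1.0.2": date(2019, 12, 31),
    "1.1.0": date(2019, 9, 11),
}

# OpenSSL 1.0.x ships libssl.so.1.0.0 / libcrypto.so.1.0.0.
# OpenSSL 1.1.0 and 1.1.1 share libssl.so.1.1 / libcrypto.so.1.1 (1.1.1 kept
# the 1.1.0 ABI), so a soname alone cannot tell 1.1.0 from 1.1.1: the branch
# has to come from the version of the openssl package actually installed.
SONAME_TO_FAMILY = {
    "libssl.so.1.0.0": "1.0.x",
    "libcrypto.so.1.0.0": "1.0.x",
    "libssl.so.1.1": "1.1.x",
    "libcrypto.so.1.1": "1.1.x",
}

# Constructed sample input (package names other than sslscan are invented).
SAMPLE_REQUIRES = """\
sslscan\tlibssl.so.1.0.0()(64bit)
sslscan\tlibcrypto.so.1.0.0()(64bit)
sslscan\tlibc.so.6()(64bit)
apache-mod_ssl\tlibssl.so.1.1()(64bit)
apache-mod_ssl\tlibcrypto.so.1.1()(64bit)
curl\tlibcrypto.so.1.1()(64bit)
bash\tlibc.so.6()(64bit)
"""

# Installed OpenSSL versions per family. Mageia 7 values are the SRPM versions
# named in the report; the post-migration value "1.1.1" is a placeholder.
MAGEIA7 = {"1.0.x": "1.0.2r", "1.1.x": "1.1.0j"}
AFTER_MIGRATION = {"1.1.x": "1.1.1"}


def soname_of(require):
    """'libssl.so.1.1()(64bit)' -> 'libssl.so.1.1'."""
    return require.split("(")[0]


def branch_of_version(version):
    """'1.1.0j' -> '1.1.0', '1.0.2r' -> '1.0.2', '1.1.1' -> '1.1.1'."""
    return version[:5]


def classify(requires_text, installed):
    """Return sorted (package, soname, branch, eol_date) tuples for every
    OpenSSL library dependency. branch is 'unprovided' (eol None) when no
    installed openssl package provides that soname family."""
    rows = set()
    for line in requires_text.splitlines():
        if "\t" not in line:
            continue
        pkg, req = line.split("\t", 1)
        soname = soname_of(req)
        family = SONAME_TO_FAMILY.get(soname)
        if family is None:
            continue  # not an OpenSSL library
        if family in installed:
            branch = branch_of_version(installed[family])
        else:
            branch = "unprovided"
        rows.add((pkg, soname, branch, EOL.get(branch)))
    return sorted(rows)


def eol_consumers(requires_text, installed, today):
    """Packages linked against an OpenSSL branch that is past EOL on `today`."""
    return sorted({pkg for pkg, _, _, eol in classify(requires_text, installed)
                   if eol is not None and eol <= today})


if __name__ == "__main__":
    for pkg, soname, branch, eol in classify(SAMPLE_REQUIRES, MAGEIA7):
        state = "EOL %s" % eol if eol else "supported/unknown"
        print("%-15s %-20s %-6s %s" % (pkg, soname, branch, state))
    print("past EOL on 2019-10-31:",
          eol_consumers(SAMPLE_REQUIRES, MAGEIA7, date(2019, 10, 31)))
```

Run against the constructed sample with the Mageia 7 versions, the 1.1.x consumers show up as EOL from 11 September 2019 while sslscan (linked to 1.0.2) only becomes EOL after 31 December 2019; with compat-openssl10 removed and openssl at 1.1.1, the 1.1.x consumers drop off the list and sslscan is flagged as depending on a library nothing provides, which is the rebuild list the bug is asking for.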
Comment 10 Aurelien Oudelet 2020-09-19 18:03:33 CEST
Hi,

This is release_blocker for a reason.
Making Mageia even better than ever is the best direction.
In order to do the right thing, this bug should be examined and fixed as soon as possible.

Packagers, please change the status to "Assigned" when you are working on this.


We will make a decision on the relevance of the release_blocker tag on 1st October 2020 QA meeting.
David Walser 2020-09-19 18:58:23 CEST

Target Milestone: Mageia 7 => Mageia 8

Comment 11 David Walser 2020-09-22 18:52:26 CEST
We will remain vulnerable to CVE-2020-1968 as long as we don't fix this:
https://www.openssl.org/news/secadv/20200909.txt

In Cauldron / Mageia 8 only compat-openssl10 is vulnerable.  It needs to go.

Summary: openssl versions in Mageia 7 will be EOL in less than a year => openssl versions in Mageia 7 are EOL

Comment 12 David Walser 2020-11-12 21:38:04 CET
compat-openssl10 dropped in Cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Priority: release_blocker => Normal

