Monday 12 March 2018

Re: [17.10] libssl-dev 1.0.2g is 1.0.0

Hello,

On 11 March 2018 at 09:05, Frank Rehberger <frehberg@gmail.com> wrote:
> Hi
>
> distribution : artful (ubuntu 17.10)
> package libssl-dev [1.0.2g]
>
> the package libssl-dev claims to be 1.0.2g, but it seems to be older
> header-version 1.0.0, as it lacks the constant
>
> ./crypto/x509/x509_vfy.h:# define X509_V_ERR_INVALID_CALL 65
>
> It seems libssl binary package is also 1.0.0
>

Ubuntu has patched openssl1.0 to retain ABI compatibility with 1.0.0
by introducing stub functions, so software that was compiled against
1.0.0 does not need to be recompiled and remains usable with newer
Ubuntu releases that ship the 1.0.2 series of OpenSSL. Thus the
version numbers you see are correct: 1.0.2g release with 1.0.0 ABI.

About the following defines:
X509_V_ERR_INVALID_CALL 65
X509_V_ERR_STORE_LOOKUP 66

They appear to have been introduced in
5553a12735e11bc9aa28727afe721e7236788aab upstream on
OpenSSL_1_0_2-stable branch.
Which is shipped in:

$ git tag --contains 5553a12735e11bc9aa28727afe721e7236788aab
OpenSSL_1_0_2i
OpenSSL_1_0_2j
OpenSSL_1_0_2k
OpenSSL_1_0_2l
OpenSSL_1_0_2m
OpenSSL_1_0_2n

1.0.2g pre-dates the above, and thus these defines are not available.
Bionic, to become 18.04 LTS, ships openssl1.0 1.0.2n and has the
above-mentioned defines.

W.r.t. security updates: Ubuntu does not use upstream version numbers
to rectify security issues; instead all security vulnerabilities
are patched as distro patches and a USN (Ubuntu Security Notice) is
issued referencing full package upload numbers and the matching CVEs
these fix. Please see https://usn.ubuntu.com/ for more details.

>
> ii libssl-dev:amd64 1.0.2g-1ubuntu13.3 amd64 Secure Sockets Layer toolkit - development files
> ii libssl-doc 1.0.2g-1ubuntu13.3 all Secure Sockets Layer toolkit - development documentation
> ii libssl1.0.0:amd64 1.0.2g-1ubuntu13.3 amd64 Secure Sockets Layer toolkit - shared libraries
>
>
> This could be a security issue, shipping a library 1.0.0 claiming to be
> 1.0.2g
>
>
> --
> ubuntu-devel mailing list
> ubuntu-devel@lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

--
Regards,

Dimitri.

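As an added example (not code from the thread or from Ubuntu), a POSIX shell script that applies the checks Dimitri describes: split the dpkg version into its upstream release and distro revision, look in a header for a macro such as X509_V_ERR_INVALID_CALL, and look in the package changelog (where a distro-patched fix is recorded, since the upstream version string never changes) for a CVE id. The header and changelog it creates are constructed stand-ins for the usual locations (assumed to be /usr/include/openssl/x509_vfy.h and /usr/share/doc/libssl1.0.0/changelog.Debian.gz), and the CVE id is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: separate what a Debian version string
# claims from what the installed headers and changelog actually contain.
# The files created by make_sample_dir are constructed stand-ins.
set -u

# "1.0.2g-1ubuntu13.3" -> upstream "1.0.2g", distro revision "1ubuntu13.3".
upstream_version() { printf '%s\n' "${1%%-*}"; }
distro_revision()  { printf '%s\n' "${1#*-}"; }

# Print the value of "# define NAME value" from a header, or nothing when the
# header lacks the macro (as 1.0.2g's x509_vfy.h lacks X509_V_ERR_INVALID_CALL).
header_define_value() {  # $1 = header file, $2 = macro name
  sed -n "s/^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Succeed when the package changelog (plain or gzipped) mentions the CVE id:
# this is where a backported security fix shows up, not in the version number.
changelog_fixes_cve() {  # $1 = changelog file, $2 = CVE id
  case $1 in *.gz) zcat "$1" ;; *) cat "$1" ;; esac | grep -q -- "$2"
}

# Constructed sample inputs; the CVE id is a placeholder, not a real advisory.
make_sample_dir() {
  d=$(mktemp -d)
  cat > "$d/x509_vfy.h" <<'EOF'
/* constructed excerpt of a 1.0.2i-or-later header */
# define X509_V_ERR_INVALID_CALL                        65
# define X509_V_ERR_STORE_LOOKUP                        66
EOF
  cat > "$d/changelog.Debian" <<'EOF'
openssl (1.0.2g-1ubuntu13.3) artful-security; urgency=medium

  * SECURITY UPDATE: constructed entry referencing CVE-XXXX-YYYY
EOF
  printf '%s\n' "$d"
}

report() {  # $1 = dpkg version, $2 = header, $3 = changelog, $4 = macro, $5 = CVE id
  printf 'upstream %s, distro revision %s\n' "$(upstream_version "$1")" "$(distro_revision "$1")"
  v=$(header_define_value "$2" "$4")
  [ -n "$v" ] && printf '%s = %s\n' "$4" "$v" || printf '%s: not in header\n' "$4"
  changelog_fixes_cve "$3" "$5" && printf '%s: fixed per changelog\n' "$5" || printf '%s: not mentioned\n' "$5"
}

d=$(make_sample_dir)
report 1.0.2g-1ubuntu13.3 "$d/x509_vfy.h" "$d/changelog.Debian" X509_V_ERR_INVALID_CALL CVE-XXXX-YYYY
rm -rf "$d"
```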