sts-sponsors team mailing list archive
Message #02757
Re: Please Review LP#1926254 openssl x509 Certificate Validation SRU
On Thu, Apr 29, 2021 at 8:13 PM Matthew Ruffell
<matthew.ruffell@xxxxxxxxxxxxx> wrote:
>
> Hi Security Team,
>
> VISA opened a case, SF308725 - "openssl unable to process the certificate on
> Ubuntu 20.0" [1], about a minor regression in openssl 1.1.1f that affects
> both Focal and Groovy.
>
> [1] https://canonical.lightning.force.com/lightning/r/Case/5004K000005pGePQAU/view
>
> A commit was merged in 1.1.1f which disallows certificates which set
> "basicConstraints=CA:FALSE,pathlen:0" as it violates the RFC for ssl certs, but
> this is a common configuration in certificates in the wild, particularly self-
> signed certificates.
>
> This was reported upstream and fixed in 1.1.1g, to relax this particular
> scenario only, to allow it to be accepted as a valid certificate.
>
> More information and a full reproducer is available on the Launchpad bug,
> LP #1926254 - "x509 Certificate verification fails when
> basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs" [2].
>
> [2] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254
>
> Due to the nature of the package, can you please review the launchpad bug and
> debdiffs I have attached to the launchpad bug, and if everything is okay, can
> you write an acknowledgement and approval to a comment on the launchpad bug.
>
> After that I will seek sponsorship to get this submitted for SRU.
>
> I am thinking -updates is okay, no need for -security.
I added ubuntu-security to the bug also, and I'm happy to upload if
there are no objections from the security team.
>
> Thanks,
> Matthew
>
> --
> Mailing list: https://launchpad.net/~sts-sponsors
> Post to : sts-sponsors@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~sts-sponsors
> More help : https://help.launchpad.net/ListHelp
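The configuration under discussion, as an added example that is not code from this thread, from OpenSSL or from the Launchpad bug: a standard-library-only Python decoder and encoder for the X.509 BasicConstraints extension value (the bytes inside the extnValue OCTET STRING), plus a check that models the two behaviours the thread describes: 1.1.1f rejects any certificate carrying CA:FALSE together with a pathlen, 1.1.1g accepts that combination on a self-signed leaf. The `self_signed` flag is passed in rather than derived from the certificate (the real check compares issuer with subject and verifies the signature); how non-self-signed certificates with CA:FALSE,pathlen are treated after 1.1.1g is an assumption here, not something the thread states. The sample DER bytes are constructed for this example.

```python
"""Added example: decode/encode BasicConstraints and model the 1.1.1f/1.1.1g policy.

BasicConstraints ::= SEQUENCE {
    cA                 BOOLEAN DEFAULT FALSE,
    pathLenConstraint  INTEGER (0..MAX) OPTIONAL }

Under DER a DEFAULT value is omitted, so OpenSSL's "CA:FALSE,pathlen:0" is
encoded as 30 03 02 01 00 (no BOOLEAN at all), which is the shape in the bug.
"""


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_basic_constraints(der):
    """Decode a BasicConstraints value. Returns (ca: bool, pathlen: int | None)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    ca, pathlen, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:      # BOOLEAN (explicit FALSE is BER, tolerated)
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1 or val[0] not in (0x00, 0xFF):
            raise ValueError("malformed BOOLEAN")
        ca = val[0] == 0xFF
    if pos < len(body) and body[pos] == 0x02:      # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        pathlen = int.from_bytes(val, "big", signed=True)
        if pathlen < 0:
            raise ValueError("negative pathLenConstraint")
    if pos != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return ca, pathlen


def encode_basic_constraints(ca, pathlen=None):
    """Encode like OpenSSL's basicConstraints=CA:<bool>[,pathlen:N] (cA omitted when FALSE)."""
    body = b""
    if ca:
        body += b"\x01\x01\xff"
    if pathlen is not None:
        if pathlen < 0:
            raise ValueError("pathlen must be non-negative")
        # Positive INTEGER: add a leading zero byte when the top bit would be set.
        val = pathlen.to_bytes((pathlen.bit_length() + 8) // 8, "big")
        body += b"\x02" + bytes([len(val)]) + val
    return b"\x30" + bytes([len(body)]) + body


def classify(der, self_signed):
    """Model the verification outcome for the two OpenSSL releases named in the thread.

    Returns a dict with the decoded fields and one boolean per release.
    """
    ca, pathlen = decode_basic_constraints(der)
    # RFC 5280 4.2.1.9: pathLenConstraint is only meaningful when cA is TRUE.
    rfc_violation = (not ca) and pathlen is not None
    return {
        "ca": ca,
        "pathlen": pathlen,
        "rfc_violation": rfc_violation,
        "accepted_1_1_1f": not rfc_violation,                     # 1.1.1f: any violation rejected
        # 1.1.1g: self-signed leaf tolerated (per the thread); the non-self-signed
        # case is an ASSUMPTION of this example, not a statement from the thread.
        "accepted_1_1_1g": (not rfc_violation) or self_signed,
    }


# Constructed sample values (not taken from any real certificate):
LEAF_CA_FALSE_PATHLEN0 = bytes.fromhex("3003020100")        # CA:FALSE,pathlen:0
CA_TRUE_PATHLEN0 = bytes.fromhex("30060101ff020100")        # CA:TRUE,pathlen:0
PLAIN_LEAF = bytes.fromhex("3000")                          # CA:FALSE


if __name__ == "__main__":
    for name, der in [("self-signed leaf CA:FALSE,pathlen:0", LEAF_CA_FALSE_PATHLEN0),
                      ("CA:TRUE,pathlen:0", CA_TRUE_PATHLEN0),
                      ("CA:FALSE", PLAIN_LEAF)]:
        print(name, classify(der, self_signed=True))
```

A practitioner reproducing the bug would compare this against `openssl verify` on the affected and fixed package versions; the decoder here is only the extension-level view of the check, not a replacement for OpenSSL's chain validation.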