error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php8.1 (Ubuntu) | Fix Released | Undecided | Athos Ribeiro |
Jammy | Fix Released | Undecided | Athos Ribeiro |
Kinetic | Fix Released | Undecided | Athos Ribeiro |
Bug Description
[Impact]
The unexpected EOF failure was introduced in OpenSSL 3 to prevent
truncation attacks.
Still, there are many non-compliant servers around. This has been causing breakage for users, including those not affected by possible truncation attacks.
This upload should fix this bug by applying the following upstream patch:
https:/
which keeps SSL connection behavior consistent across OpenSSL versions.
This is done by setting openssl's SSL_OP_
[Test Plan]
We can test a fix for this bug with the following php script:
# BEGIN #
<?php
$lines = file('https:/
var_dump($lines);
# END #
A successful run of this reproducer script should not produce output to STDERR. On the other hand, a failure (i.e., running the script with an affected version of php) should generate:
# php reproduce.php > /dev/null
PHP Warning: file(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000126:SSL routines:
PHP Warning: file(): SSL: Success in /reproduce.php on line 3
in STDOUT.
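As an added check that is not part of the bug report, the following PHP script wraps the reproducer above so it exits non-zero whenever OpenSSL's unexpected EOF error is raised, which makes the test plan usable in an automated SRU verification run. The URL is a placeholder (override it with the REPRO_URL environment variable), and OPENSSL_VERSION_TEXT is only printed to show which OpenSSL PHP was built against.

```php
<?php
// Added example, not from the bug report: a self-checking variant of the
// [Test Plan] reproducer. REPRO_URL must point at a server that closes the
// TLS connection without sending close_notify (placeholder default below).
$url = getenv('REPRO_URL') ?: 'https://non-compliant-server.example/';

$warnings = [];
// Capture PHP warnings instead of letting them reach the terminal, so the
// result can be inspected programmatically.
set_error_handler(function (int $errno, string $errstr) use (&$warnings): bool {
    $warnings[] = $errstr;
    return true; // handled: suppress PHP's default warning output
});
$lines = file($url);
restore_error_handler();

// Distinguish the OpenSSL 3 strict-EOF failure from any other TLS problem.
$eof = array_filter(
    $warnings,
    fn(string $w): bool => stripos($w, 'unexpected eof') !== false
);

printf("OpenSSL: %s\n", OPENSSL_VERSION_TEXT);
if ($eof) {
    fwrite(STDERR, "FAIL: unexpected EOF error still raised:\n  "
        . implode("\n  ", $eof) . "\n");
    exit(1);
}
if ($lines === false) {
    // Some other failure (DNS, certificate, timeout): not this bug.
    fwrite(STDERR, "FAIL: file() failed for an unrelated reason:\n  "
        . implode("\n  ", $warnings) . "\n");
    exit(2);
}
printf("OK: fetched %d lines without the unexpected EOF error\n", count($lines));
exit(0);
```

Exit status 1 means the affected behaviour is still present, 2 means the fetch failed for some other reason and the result is inconclusive.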
[Where problems could occur]
Apart from possible issues due to compatibility with any build dependencies that may have been SRU'd since php8.1 was last built, we could introduce regressions due to the truncation attacks the new OpenSSL 3 feature was trying to prevent. Still, we need to compromise between having the latest OpenSSL features and supporting applications which have not yet fully transitioned to OpenSSL 3.
If this indeed becomes a security issue in the future, we may circle back and drop this patch, requiring users to update their applications to newer versions which support the new OpenSSL 3 features. It is also worth mentioning that the patch being applied here was applied in PHP upstream and that the possibility of dropping it in the future should be discussed with the upstream project as well.
Finally, I did consult the security team on this and was told that it should be OK to SRU the patch.
[Other Info]
This fix was included in the last kinetic merge and therefore is already fixed in our development release.
[ Original bug report ]
As reported in [1] and [2],
OpenSSL 3 is more strict about unexpected EOF (not sending close notify). This may be an issue for servers with non-compliant implementations.
A fix for the issue is available at [3].
[1] https:/
[2] https:/
[3] https:/
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 113 lines (+88/-0), 3 files modified: debian/changelog (+11/-0), debian/patches/0046-Fix-ssl3-unexpected-eof.patch (+76/-0), debian/patches/series (+1/-0)
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
- Canonical Server: Pending requested
Diff: 369 lines (+238/-4), 7 files modified: debian/changelog (+60/-0), debian/control (+28/-1), debian/control.in (+28/-1), debian/patches/0046-Update-gcc-func-attr-macro.patch (+29/-0), debian/patches/0047-Fix-ssl3-unexpected-eof.patch (+76/-0), debian/patches/series (+2/-0), debian/rules (+15/-2)
tags: added: server-todo
Changed in php8.1 (Ubuntu Kinetic):
  assignee: nobody → Athos Ribeiro (athos-ribeiro)
Changed in php8.1 (Ubuntu Jammy):
  assignee: nobody → Athos Ribeiro (athos-ribeiro)
description: updated
Changed in php8.1 (Ubuntu Jammy):
  status: New → In Progress
This bug was fixed in the package php8.1 - 8.1.5-1ubuntu1
---------------
php8.1 (8.1.5-1ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1978364). Remaining changes:
    - Force upgrade from earlier mod-php's to version 8.1 (LP #1890263):
      + d/control: add transitional packages and Breaks/Replaces.
      + d/rules: exclude transitional packages in dh_install.
    - d/rules: Don't fill up build log with pedantic warnings.
    - d/p/0046-Update-gcc-func-attr-macro.patch: fix detection of unknown gcc
      function attributes. (LP #1882279)
    - d/rules: document garbage collection in ini files. (LP #1772915)
  * Dropped changes:
    - SECURITY UPDATE: use-after-free in php_filter_float()
      + debian/patches/CVE-2021-21708.patch: fix int handling in
        ext/filter/logical_filters.c, ext/filter/tests/bug81708.phpt.
      + CVE-2021-21708
      [ Fixed in 8.1.3-1 ]
  * New changes:
    - d/p/0047-Fix-ssl3-unexpected-eof.patch: fix OpenSSL3 related
      unexpected EOF failure. (LP: #1975626)

 -- Athos Ribeiro <email address hidden>  Sat, 11 Jun 2022 00:08:45 -0300