[regression] 1.14.0-0ubuntu1.4 security update enables TLS1.3 without a choice

Bug #1840404 reported by Bryan Quigley on 2019-08-16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nginx (Ubuntu)
Marc Deslauriers

Bug Description

Ubuntu 18.04
With ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
Tests done using testssl.sh

Expected: TLS1.3 should only be enabled if the config says it should.

1.14.0-0ubuntu1.3 reports
 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 offered
 TLS 1.1 offered
 TLS 1.2 offered (OK)
 TLS 1.3 not offered
 NPN/SPDY http/1.1 (advertised)
 ALPN/HTTP2 http/1.1 (offered)

1.14.0-0ubuntu1.4 reports
 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 offered
 TLS 1.1 offered
 TLS 1.2 offered (OK)
 TLS 1.3 offered (OK): final
 NPN/SPDY http/1.1 (advertised)
 ALPN/HTTP2 http/1.1 (offered)

How to revert, manually install:
wget http://us.archive.ubuntu.com/ubuntu/pool/main/n/nginx/libnginx-mod-http-geoip_1.14.0-0ubuntu1.3_amd64.deb http://us.archive.ubuntu.com/ubuntu/pool/main/n/nginx/libnginx-mod-http-image-filter_1.14.0-0ubuntu1.3_amd64.deb http://us.archive.ubuntu.com/ubuntu/pool/main/n/nginx/libnginx-mod-http-xslt-filter_1.14.0-0ubuntu1.3_amd64.deb http://us.archive.ubuntu.com/ubuntu/pool/main/n/nginx/libnginx-mod-mail_1.14.0-0ubuntu1.3_amd64.deb http://us.archive.ubuntu.com/ubuntu/pool/main/n/nginx/libnginx-mod-stream_1.14.0-0ubuntu1.3_amd64.deb http://us.archive.ubuntu.com/ubuntu/pool/main/n/nginx/nginx-common_1.14.0-0ubuntu1.3_all.deb http://us.archive.ubuntu.com/ubuntu/pool/main/n/nginx/nginx-core_1.14.0-0ubuntu1.3_amd64.deb http://us.archive.ubuntu.com/ubuntu/pool/main/n/nginx/nginx_1.14.0-0ubuntu1.3_all.deb

tags: added: regression-update
Marc Deslauriers (mdeslaur) wrote :

Whoops, this is fallout from openssl 1.1.1 in bionic not being in -security yet, resulting in this security update having been built with openssl 1.1 only.

The packages need to be rebuilt with openssl 1.1.1.

Changed in nginx (Ubuntu Bionic):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nginx (Ubuntu):
status: New → Invalid

Hello Bryan, or anyone else affected,

Accepted nginx into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nginx/1.14.0-0ubuntu1.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in nginx (Ubuntu Bionic):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-bionic
Marc Deslauriers (mdeslaur) wrote :

I have tested the packages currently in bionic-proposed. and they pass the security team test script, and also no longer offer TLSv1.3 when not requested. ACK on releasing.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.14.0-0ubuntu1.5

nginx (1.14.0-0ubuntu1.5) bionic; urgency=medium

  * No change rebuild for bionic outside of security pocket to pick up
    OpenSSL 1.1.1. (LP: #1840404)

 -- Marc Deslauriers <email address hidden> Fri, 16 Aug 2019 07:05:57 -0400

Changed in nginx (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for nginx has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers