Comment 20 for bug 1626883

Mikkel Kirkgaard Nielsen (mikini) wrote :

Thanks for the fix.

I too can verify that our system doesn't segfault on Ubuntu 14.04 (trusty) using the latest libssl1.0.0 (=1.0.1f-1ubuntu2.21):

# dpkg -l |grep libssl1.0.0
ii libssl1.0.0:amd64 1.0.1f-1ubuntu2.21 amd64 Secure Sockets Layer toolkit - shared libraries

# php -r "echo gettype(openssl_x509_parse(file_get_contents('/etc/ssl/certs/ca-certificates.crt')));"
array

We'll definitely be reconsidering which systems will be applying security upgrades unattended in the future.

This experience makes me wonder how patches for the -security suites (default for unattended-upgrades) are tested and QA'ed. Can anything be done to the Ubuntu process to prevent things like this happening again?

I'm unfamiliar with how this is done currently, so excuse my ignorance. But I'm wondering why there seems to be no collaboration or correlation between Ubuntu and Debian security updates. Debian seems to have got this one right in the first shot (DSA is here https://www.debian.org/security/2016/dsa-3673).

BTW: the links to upstream patches on the Ubuntu CVE page (http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2182.html) are invalid, caused by a version string being appended to the commit hash (looks like borked wiki syntax).
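An added example, not part of this bug comment or of any Ubuntu tooling: a small checker that reads `dpkg -l` output and reports whether the installed libssl1.0.0 is at or above the version the comment verifies as working (1.0.1f-1ubuntu2.21), reimplementing the ordering rules of `dpkg --compare-versions` so that tilde, epoch and Ubuntu revision suffixes are handled correctly. The sample dpkg line is constructed.

```python
# Added example (not from the bug report): check whether `dpkg -l` output shows
# libssl1.0.0 at or above the version this comment reports as fixed on trusty,
# using the same ordering rules as `dpkg --compare-versions`.
import re

FIXED_LIBSSL = "1.0.1f-1ubuntu2.21"  # version verified in the comment

# Constructed sample line in the format of `dpkg -l | grep libssl1.0.0`.
SAMPLE_DPKG = "ii  libssl1.0.0:amd64  1.0.1f-1ubuntu2.21  amd64  Secure Sockets Layer toolkit"


def _order(c):
    """dpkg character weight: '~' sorts before everything (even end of string),
    letters before other punctuation; 0 is reserved for end of string."""
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _component_key(s):
    """Sort key for an upstream or revision string, mirroring dpkg's verrevcmp():
    alternating non-digit runs (compared per character) and digit runs (numeric)."""
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", s)]


def version_key(v):
    """(epoch, upstream key, revision key) for a full Debian version string."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), _component_key(upstream), _component_key(rev)


def compare_versions(v1, v2):
    """<0, 0 or >0 like `dpkg --compare-versions v1 lt/eq/gt v2`."""
    k1, k2 = version_key(v1), version_key(v2)
    return (k1 > k2) - (k1 < k2)


def libssl_is_patched(dpkg_output, fixed=FIXED_LIBSSL):
    """True only if every installed ('ii') libssl1.0.0 line is at or above `fixed`.
    A version check says what is on disk; a running service still needs a restart
    (or the php probe from the comment) to confirm the fixed library is in use."""
    found = re.findall(r"^ii\s+libssl1\.0\.0(?::\S+)?\s+(\S+)", dpkg_output, re.M)
    return bool(found) and all(compare_versions(v, fixed) >= 0 for v in found)
```

Feed it real output with `libssl_is_patched(subprocess.check_output(["dpkg", "-l"], text=True))`; a False result on a host that unattended-upgrades was supposed to cover is exactly the kind of drift worth alerting on.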