openssl maintainer scripts do not trigger services restart

Bug #1832522 reported by Dimitri John Ledkov on 2019-06-12
This bug affects 3 people
Affects / Status / Importance / Assigned to / Milestone
openssl (Ubuntu): Undecided, Unassigned
Bionic: Undecided, Unassigned
Cosmic: Undecided, Unassigned
Disco: Undecided, Unassigned

Bug Description

[Impact]

 * Major libssl upgrades require services to be restarted, for them to continue to function correctly at runtime.
 * The maintainer scripts were not adjusted to trigger.

[Test Case]

 * Install bionic from the release pocket and install SSL-using daemons, e.g. openssh-server, libapache-mod-ssl
 * Upgrade libssl1.1
 * Ensure that services that use openssl are offered to be restarted.

[Regression Potential]

 * We are rebuilding libssl1.1 and changing maintainer scripts. Given that we missed the upgrade trigger, we will ask users to restart services again even if they may have restarted them already.

[Other Info]

 * Previous major libssl upgrade issue of similar nature was
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743889

Hello Dimitri, or anyone else affected,

Accepted openssl into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssl (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Dimitri John Ledkov (xnox) wrote :

Launched lxd container, with sshd & apache2 running and old ssl still installed

# dpkg-query -W libssl1.1
libssl1.1:amd64 1.1.0g-2ubuntu4.3

Started journal monitoring to notice services restarts:

# journalctl -f &

Enabled -proposed, and checked that new libssl1.1 from proposed is available

# apt list --upgradable 2>/dev/null | grep ssl
libssl1.1/bionic-proposed 1.1.1-1ubuntu2.1~18.04.2 amd64 [upgradable from: 1.1.0g-2ubuntu4.3]
openssl/bionic-proposed 1.1.1-1ubuntu2.1~18.04.2 amd64 [upgradable from: 1.1.0g-2ubuntu4.3]

And started the upgrade:

# apt full-upgrade

Eventually at libssl1.1 configure time, received debconf prompt about restarting services. Chose to restart them.

Checking the journal, I could see that apache2 and ssh got restarted, i.e.:

Jun 12 18:35:33 nearby-osprey systemd[1]: Started OpenBSD Secure Shell server.
Jun 12 18:35:34 nearby-osprey systemd[1]: Started The Apache HTTP Server.

Messages were seen and present in the logs.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
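As an added example (not code from the openssl package or from this bug report), the following Python reproduces the two checks this thread turns on: deciding whether an upgrade from the old to the new libssl1.1 version crosses the version threshold that the postinst uses to offer a service restart, and finding processes that still map a replaced libssl/libcrypto, which confirms a restart actually happened rather than relying on the journal alone. The threshold constant, the function names and the /proc/<pid>/maps sample are my assumptions and constructed data, not values taken from the package.

```python
"""Added example: libssl upgrade restart checks (not the openssl package's own postinst)."""
import re
from pathlib import Path

# Assumption: the postinst prompts when the previously configured version is below this
# upstream version; the bug says it was bumped so that 1.1.0 -> 1.1.1 upgrades trigger.
RESTART_THRESHOLD = (1, 1, 1)

def parse_upstream(version):
    """Leading x.y.z of a Debian version such as '1.1.0g-2ubuntu4.3'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.split("-")[0])
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    return tuple(int(x) for x in m.groups())

def restart_prompt_needed(old_version, new_version, threshold=RESTART_THRESHOLD):
    """True when the upgrade crosses the threshold (old < threshold <= new)."""
    return parse_upstream(old_version) < threshold <= parse_upstream(new_version)

# A shared object replaced on disk while still loaded shows as '(deleted)' in /proc/<pid>/maps.
STALE_LIB_RE = re.compile(r"/lib(ssl|crypto)\.so\.[\d.]+ \(deleted\)$")

def stale_pids(maps_by_pid):
    """maps_by_pid: {pid: contents of /proc/<pid>/maps}. Returns pids still using the old libssl."""
    return sorted(pid for pid, text in maps_by_pid.items()
                  if any(STALE_LIB_RE.search(line.rstrip()) for line in text.splitlines()))

def read_proc_maps():
    """Collect maps for all live processes (root is needed to read other users' processes)."""
    result = {}
    for p in Path("/proc").glob("[0-9]*"):
        try:
            result[int(p.name)] = (p / "maps").read_text()
        except OSError:
            continue  # process exited or access denied
    return result

# Constructed sample: pid 1234 (think sshd) still maps the deleted pre-upgrade libraries,
# pid 1235 was restarted and maps the new file, pid 1 does not use libssl at all.
SAMPLE_MAPS = {
    1234: "7f00-7f10 r-xp 00000000 fd:01 111 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)\n"
          "7f10-7f20 r-xp 00000000 fd:01 112 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)\n",
    1235: "7f00-7f10 r-xp 00000000 fd:01 222 /usr/lib/x86_64-linux-gnu/libssl.so.1.1\n",
    1: "7f00-7f10 r-xp 00000000 fd:01 333 /lib/systemd/systemd\n",
}

if __name__ == "__main__":
    print(restart_prompt_needed("1.1.0g-2ubuntu4.3", "1.1.1-1ubuntu2.1~18.04.2"))  # True
    print(stale_pids(SAMPLE_MAPS))  # [1234]
    print(stale_pids(read_proc_maps()))  # live check on the current host
```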
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

ACK from the security team on the low CVE being included in this SRU.

Changed in openssl (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.1.1-1ubuntu2.1~18.04.2

---------------
openssl (1.1.1-1ubuntu2.1~18.04.2) bionic; urgency=medium

  * Cherrypick upstream patch to fix ca -spkac output to be text again.
    LP: #1828215
  * Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305
    CVE-2019-1543
  * Bump major version of OpenSSL in postinst to trigger services restart
    upon upgrade. Many services listed there must be restarted when
    upgrading 1.1.0 to 1.1.1. LP: #1832522

 -- Dimitri John Ledkov <email address hidden> Wed, 12 Jun 2019 00:12:47 +0100

Changed in openssl (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for openssl has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Hello Dimitri, or anyone else affected,

Accepted openssl into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1b-1ubuntu2.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssl (Ubuntu Disco):
status: New → Fix Committed
tags: added: verification-needed verification-needed-disco
removed: verification-done
Changed in openssl (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed-cosmic
Steve Langasek (vorlon) wrote :

Hello Dimitri, or anyone else affected,

Accepted openssl into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.1.1c-1ubuntu2

---------------
openssl (1.1.1c-1ubuntu2) eoan; urgency=medium

  * Bump major version of OpenSSL in postinst to trigger services restart
    upon upgrade. Many services listed there must be restarted when
    upgrading 1.1.0 to 1.1.1. LP: #1832522
  * Fix path to Xorg for reboot notifications on desktop. LP: #1832421

 -- Dimitri John Ledkov <email address hidden> Thu, 13 Jun 2019 15:29:07 +0100

Changed in openssl (Ubuntu):
status: Fix Committed → Fix Released