php8.0: Fail to build against OpenSSL 3.0

Bug #1946005 reported by Simon Chopin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| php8.0 (Ubuntu) | Fix Released | High | Bryce Harrington | |
| php8.1 (Ubuntu) | Fix Released | High | Bryce Harrington | |

Bug Description

Hello,

As part of a rebuild against OpenSSL3, this package failed to build on one or
several architectures. You can find the details of the rebuild at

https://people.canonical.com/~schopin/rebuilds/openssl-3.0.0-impish.html

or for the amd64 failed build, directly at

https://launchpad.net/~schopin/+archive/ubuntu/openssl-3.0.0/+build/22099257/+files/buildlog_ubuntu-impish-amd64.php8.0_8.0.8-1.0~ssl3ppa1.1_BUILDING.txt.gz

We're planning to transition to OpenSSL 3.0 for the 22.04 release, and consider
this issue as blocking for this transition.

You can find general migration information at
https://www.openssl.org/docs/manmaster/man7/migration_guide.html
For your tests, you can build against libssl-dev as found in the PPA
schopin/openssl-3.0.0

There are some patches upstream, but they might be incomplete? Notably, the author of the first
PR speaks of failing tests.
https://github.com/php/php-src/pull/7002
https://github.com/php/php-src/pull/7337

Bryce Harrington (bryce) wrote :

The patch for PR 7002 looks like it ought to be sufficient to resolve the build issue with RSA_SSLV23_PADDING macro. It doesn't actually *provide* openssl-3.0 support in php8.0 but at least would be sufficient for your transition.

I am planning to transition to php 8.1 early in 22.04 development[1], and according to these PRs it sounds like these changes already may be included. So, depending on when you plan to do the openssl 3.0 transition, the fixes may already be in place by the time you get to it. (Would be helpful to see the openssl 3.0 transition on the schedule[1]).

[1]: https://discourse.ubuntu.com/t/jj-release-schedule/23906

Changed in php8.0 (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Bryce Harrington (bryce)
Simon Chopin (schopin) wrote : Re: [Bug 1946005] Re: php8.0: Fail to build against OpenSSL 3.0

Hi Bryce,

Thanks for the prompt response!

I didn't have sufficient permissions to edit the release schedule post
(some trust level issue?), waiting for another member of the team to
proxy it for me :).

We're aiming also early in 22.04, and I was actually considering the
second week, which coincides with your schedule for 8.1.

Simon Chopin (schopin) wrote :

Thinking a bit more on it, would it make sense to upload OpenSSL 3.0
*after* the initial upload of php 8.1, so that it builds against 1.1.1
and can have a chance to migrate independently of OpenSSL?

Bryce Harrington (bryce) wrote :

Yeah, if you could wait until Nov 4th (or 11th) before uploading openssl3, that'd give me a better shot at getting php transitioned.

FWIW, the issue isn't building php 8.1 itself; generally this will come into universe automatically via sync from Debian when the archive first opens. The real issue is that to get it moved into main as the default php version (and deprecate php 8.0) requires rebuilding the entire PHP ecosystem successfully on 8.1. The 8.0->8.1 transition is more modest than 7.4->8.0 was, but even so it might be optimistic that this will be finished in a week.

Simon Chopin (schopin) wrote :

I'll (ask someone to) move it to the Nov 4th week, as I find it easier to kick it down the line if needed for the PHP transition, and I'd like this transition to start as early as possible.

Bryce Harrington (bryce) wrote :

Sounds great Simon, I'll try to get going asap on php8.1 once JJ opens.

Bryce Harrington (bryce) wrote :

php8.1 has been uploaded to the archive and is now in -proposed for universe.

Changed in php8.1 (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in php8.0 (Ubuntu):
importance: High → Low
assignee: Bryce Harrington (bryce) → nobody
Changed in php8.1 (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
milestone: none → ubuntu-21.11
Bryce Harrington (bryce)
Changed in php8.1 (Ubuntu):
status: Triaged → Fix Committed
Bryce Harrington (bryce) wrote :

Hi Simon,

The autopkgtest workers seem to be super bogged down with jobs, and unfortunately as a result autopkgtest still hasn't finished processing php8.1, and I'm guessing may be another week or more before it will.

Meanwhile, I've gotten the bulk of the php ecosystem rebuilds uploaded. There are some scattered build failures needing investigated but those look reasonably straightforward. The autopkgtest failures have typically been the more "interesting" problems but test results still await.

Given this, I've gone ahead and uploaded the openssl 3.0 patch you identified for php8.0. It probably won't matter, but can't hurt. I think, though, that just having php8.1 in -proposed is going to be enough to avoid blockage during your transition.

Bryce Harrington (bryce)
Changed in php8.0 (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
importance: Low → High
status: Triaged → Fix Committed
Simon Chopin (schopin) wrote :

Hi Bryce,

Thanks for all the work! I don't think the OpenSSL upload will happen
before next Friday though, as I'm off Monday and Tuesday. That should
give the autopkgtests runners some time to process the current backlog
;-)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php8.0 - 8.0.8-1ubuntu2

---------------
php8.0 (8.0.8-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: Out of bounds read/write
    - debian/patches/CVE-2021-21703.patch: The main change is to
      store scoreboard procs directly to the variable sized
      array rather than indirectly through the pointer in
      sapi/fpm/fpm/fpm_children.c, sapi/fpm/fpm/fpm_request.c,
      sapi/fpm/fpm/fpm_scoreboard.c, sapi/fpm/fpm/fpm_scoreboard.h,
      sapi/fpm/fpm/fpm_status.c, sapi/fpm/fpm/fpm_worker_pool.c.
    - CVE-2021-21703

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 02 Dec 2021 13:34:27 -0300

Changed in php8.0 (Ubuntu):
status: Fix Committed → Fix Released
Bryce Harrington (bryce)
Changed in php8.1 (Ubuntu):
status: Fix Committed → Fix Released