2022-05-24 18:18:58 |
Athos Ribeiro |
bug |
|
|
added bug |
2022-05-24 18:19:08 |
Athos Ribeiro |
nominated for series |
|
Ubuntu Kinetic |
|
2022-05-24 18:19:08 |
Athos Ribeiro |
bug task added |
|
php8.1 (Ubuntu Kinetic) |
|
2022-05-24 18:19:08 |
Athos Ribeiro |
nominated for series |
|
Ubuntu Jammy |
|
2022-05-24 18:19:08 |
Athos Ribeiro |
bug task added |
|
php8.1 (Ubuntu Jammy) |
|
2022-05-24 18:20:01 |
Athos Ribeiro |
bug |
|
|
added subscriber Ubuntu Server |
2022-05-24 18:20:15 |
Athos Ribeiro |
tags |
|
server-todo |
|
2022-05-24 18:20:21 |
Athos Ribeiro |
php8.1 (Ubuntu Kinetic): assignee |
|
Athos Ribeiro (athos-ribeiro) |
|
2022-05-24 18:20:23 |
Athos Ribeiro |
php8.1 (Ubuntu Jammy): assignee |
|
Athos Ribeiro (athos-ribeiro) |
|
2022-06-11 03:25:52 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/php8.1/+git/php8.1/+merge/424446 |
|
2022-06-16 05:11:58 |
Launchpad Janitor |
php8.1 (Ubuntu Kinetic): status |
New |
Fix Released |
|
2022-06-16 05:11:58 |
Launchpad Janitor |
cve linked |
|
2021-21708 |
|
2022-07-13 17:20:23 |
Athos Ribeiro |
description |
As reported in [1] and [2], OpenSSL 3 is stricter about unexpected EOF (not sending close_notify). This may be an issue for servers with non-compliant implementations.
A fix for the issue is available at [3].
[1] https://bugs.php.net/bug.php?id=79589
[2] https://github.com/php/php-src/issues/8369
[3] https://github.com/php/php-src/pull/8558 |
[Impact]
The unexpected EOF failure was introduced in OpenSSL 3 to prevent truncation attacks.
Still, there are many non-compliant servers around. This has been causing breakage for users, including those not affected by possible truncation attacks.
This upload should fix this bug by applying the following upstream patch:
https://github.com/php/php-src/commit/74f75db0c3665677ec006cd379fd561feacffdc6
which keeps SSL connection behavior consistent between different OpenSSL versions.
This is done by setting OpenSSL's SSL_OP_IGNORE_UNEXPECTED_EOF option. See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html#SSL_OP_IGNORE_UNEXPECTED_EOF for further reference.
[Test Plan]
We can test a fix for this bug with the following PHP script:
# BEGIN #
<?php
$lines = file('https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=11.05.2020', FILE_IGNORE_NEW_LINES);
var_dump($lines);
# END #
A successful run of this reproducer script should not produce output to STDERR. On the other hand, a failure (i.e., running the script with an affected version of PHP) should generate:
# php reproduce.php > /dev/null
PHP Warning: file(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000126:SSL routines::unexpected eof while reading in /reproduce.php on line 3
PHP Warning: file(): SSL: Success in /reproduce.php on line 3
in STDOUT.
[Where problems could occur]
Apart from possible compatibility issues with any build dependencies that may have been SRU'd since php8.1 was last built, we could introduce regressions due to the truncation attacks the new OpenSSL 3 feature was trying to prevent. Still, we need to compromise between having the latest features of OpenSSL and supporting applications which have not yet made a full transition to OpenSSL 3.
If this indeed becomes a security issue in the future, we may circle back and drop this patch, requiring users to update their applications to newer versions which support the new OpenSSL 3 features. It is also worth mentioning that the patch being applied here was applied in PHP upstream and that the possibility of dropping it in the future should be discussed with the upstream project as well.
[Other Info]
This fix was included in the last kinetic merge and therefore is already fixed in our development release.
[ Original bug report ]
As reported in [1] and [2], OpenSSL 3 is stricter about unexpected EOF (not sending close_notify). This may be an issue for servers with non-compliant implementations.
A fix for the issue is available at [3].
[1] https://bugs.php.net/bug.php?id=79589
[2] https://github.com/php/php-src/issues/8369
[3] https://github.com/php/php-src/pull/8558 |
|
2022-07-13 17:37:30 |
Athos Ribeiro |
description |
[Impact]
The unexpected EOF failure was introduced in OpenSSL 3 to prevent truncation attacks.
Still, there are many non-compliant servers around. This has been causing breakage for users, including those not affected by possible truncation attacks.
This upload should fix this bug by applying the following upstream patch:
https://github.com/php/php-src/commit/74f75db0c3665677ec006cd379fd561feacffdc6
which keeps SSL connection behavior consistent between different OpenSSL versions.
This is done by setting OpenSSL's SSL_OP_IGNORE_UNEXPECTED_EOF option. See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html#SSL_OP_IGNORE_UNEXPECTED_EOF for further reference.
[Test Plan]
We can test a fix for this bug with the following PHP script:
# BEGIN #
<?php
$lines = file('https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=11.05.2020', FILE_IGNORE_NEW_LINES);
var_dump($lines);
# END #
A successful run of this reproducer script should not produce output to STDERR. On the other hand, a failure (i.e., running the script with an affected version of PHP) should generate:
# php reproduce.php > /dev/null
PHP Warning: file(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000126:SSL routines::unexpected eof while reading in /reproduce.php on line 3
PHP Warning: file(): SSL: Success in /reproduce.php on line 3
in STDOUT.
[Where problems could occur]
Apart from possible compatibility issues with any build dependencies that may have been SRU'd since php8.1 was last built, we could introduce regressions due to the truncation attacks the new OpenSSL 3 feature was trying to prevent. Still, we need to compromise between having the latest features of OpenSSL and supporting applications which have not yet made a full transition to OpenSSL 3.
If this indeed becomes a security issue in the future, we may circle back and drop this patch, requiring users to update their applications to newer versions which support the new OpenSSL 3 features. It is also worth mentioning that the patch being applied here was applied in PHP upstream and that the possibility of dropping it in the future should be discussed with the upstream project as well.
[Other Info]
This fix was included in the last kinetic merge and therefore is already fixed in our development release.
[ Original bug report ]
As reported in [1] and [2], OpenSSL 3 is stricter about unexpected EOF (not sending close_notify). This may be an issue for servers with non-compliant implementations.
A fix for the issue is available at [3].
[1] https://bugs.php.net/bug.php?id=79589
[2] https://github.com/php/php-src/issues/8369
[3] https://github.com/php/php-src/pull/8558 |
[Impact]
The unexpected EOF failure was introduced in OpenSSL 3 to prevent truncation attacks.
Still, there are many non-compliant servers around. This has been causing breakage for users, including those not affected by possible truncation attacks.
This upload should fix this bug by applying the following upstream patch:
https://github.com/php/php-src/commit/74f75db0c3665677ec006cd379fd561feacffdc6
which keeps SSL connection behavior consistent between different OpenSSL versions.
This is done by setting OpenSSL's SSL_OP_IGNORE_UNEXPECTED_EOF option. See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html#SSL_OP_IGNORE_UNEXPECTED_EOF for further reference.
[Test Plan]
We can test a fix for this bug with the following PHP script:
# BEGIN #
<?php
$lines = file('https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=11.05.2020', FILE_IGNORE_NEW_LINES);
var_dump($lines);
# END #
A successful run of this reproducer script should not produce output to STDERR. On the other hand, a failure (i.e., running the script with an affected version of PHP) should generate:
# php reproduce.php > /dev/null
PHP Warning: file(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000126:SSL routines::unexpected eof while reading in /reproduce.php on line 3
PHP Warning: file(): SSL: Success in /reproduce.php on line 3
in STDOUT.
[Where problems could occur]
Apart from possible compatibility issues with any build dependencies that may have been SRU'd since php8.1 was last built, we could introduce regressions due to the truncation attacks the new OpenSSL 3 feature was trying to prevent. Still, we need to compromise between having the latest features of OpenSSL and supporting applications which have not yet made a full transition to OpenSSL 3.
If this indeed becomes a security issue in the future, we may circle back and drop this patch, requiring users to update their applications to newer versions which support the new OpenSSL 3 features. It is also worth mentioning that the patch being applied here was applied in PHP upstream and that the possibility of dropping it in the future should be discussed with the upstream project as well.
Finally, I consulted the security team on this and was told that it should be OK to SRU the patch.
[Other Info]
This fix was included in the last kinetic merge and therefore is already fixed in our development release.
[ Original bug report ]
As reported in [1] and [2], OpenSSL 3 is stricter about unexpected EOF (not sending close_notify). This may be an issue for servers with non-compliant implementations.
A fix for the issue is available at [3].
[1] https://bugs.php.net/bug.php?id=79589
[2] https://github.com/php/php-src/issues/8369
[3] https://github.com/php/php-src/pull/8558 |
|
2022-07-13 20:00:58 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/php8.1/+git/php8.1/+merge/426844 |
|
2022-07-13 20:47:04 |
Athos Ribeiro |
description |
[Impact]
The unexpected EOF failure was introduced in OpenSSL 3 to prevent truncation attacks.
Still, there are many non-compliant servers around. This has been causing breakage for users, including those not affected by possible truncation attacks.
This upload should fix this bug by applying the following upstream patch:
https://github.com/php/php-src/commit/74f75db0c3665677ec006cd379fd561feacffdc6
which keeps SSL connection behavior consistent between different OpenSSL versions.
This is done by setting OpenSSL's SSL_OP_IGNORE_UNEXPECTED_EOF option. See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html#SSL_OP_IGNORE_UNEXPECTED_EOF for further reference.
[Test Plan]
We can test a fix for this bug with the following PHP script:
# BEGIN #
<?php
$lines = file('https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=11.05.2020', FILE_IGNORE_NEW_LINES);
var_dump($lines);
# END #
A successful run of this reproducer script should not produce output to STDERR. On the other hand, a failure (i.e., running the script with an affected version of PHP) should generate:
# php reproduce.php > /dev/null
PHP Warning: file(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000126:SSL routines::unexpected eof while reading in /reproduce.php on line 3
PHP Warning: file(): SSL: Success in /reproduce.php on line 3
in STDOUT.
[Where problems could occur]
Apart from possible compatibility issues with any build dependencies that may have been SRU'd since php8.1 was last built, we could introduce regressions due to the truncation attacks the new OpenSSL 3 feature was trying to prevent. Still, we need to compromise between having the latest features of OpenSSL and supporting applications which have not yet made a full transition to OpenSSL 3.
If this indeed becomes a security issue in the future, we may circle back and drop this patch, requiring users to update their applications to newer versions which support the new OpenSSL 3 features. It is also worth mentioning that the patch being applied here was applied in PHP upstream and that the possibility of dropping it in the future should be discussed with the upstream project as well.
Finally, I consulted the security team on this and was told that it should be OK to SRU the patch.
[Other Info]
This fix was included in the last kinetic merge and therefore is already fixed in our development release.
[ Original bug report ]
As reported in [1] and [2], OpenSSL 3 is stricter about unexpected EOF (not sending close_notify). This may be an issue for servers with non-compliant implementations.
A fix for the issue is available at [3].
[1] https://bugs.php.net/bug.php?id=79589
[2] https://github.com/php/php-src/issues/8369
[3] https://github.com/php/php-src/pull/8558 |
[Impact]
The unexpected EOF failure was introduced in OpenSSL 3 to prevent truncation attacks.
Still, there are many non-compliant servers around. This has been causing breakage for users, including those not affected by possible truncation attacks.
This upload should fix this bug by applying the following upstream patch:
https://github.com/php/php-src/commit/74f75db0c3665677ec006cd379fd561feacffdc6
which keeps SSL connection behavior consistent between different OpenSSL versions.
This is done by setting OpenSSL's SSL_OP_IGNORE_UNEXPECTED_EOF option. See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html#SSL_OP_IGNORE_UNEXPECTED_EOF for further reference.
[Test Plan]
We can test a fix for this bug with the following PHP script:
# BEGIN #
<?php
$lines = file('https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=11.05.2020', FILE_IGNORE_NEW_LINES);
var_dump($lines);
# END #
A successful run of this reproducer script should not produce output to STDERR. On the other hand, a failure (i.e., running the script with an affected version of PHP) should generate:
# php reproduce.php > /dev/null
PHP Warning: file(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000126:SSL routines::unexpected eof while reading in /reproduce.php on line 3
PHP Warning: file(): SSL: Success in /reproduce.php on line 3
in STDOUT.
[Where problems could occur]
Apart from possible compatibility issues with any build dependencies that may have been SRU'd since php8.1 was last built, we could introduce regressions due to the truncation attacks the new OpenSSL 3 feature was trying to prevent. Still, we need to compromise between having the latest features of OpenSSL and supporting applications which have not yet made a full transition to OpenSSL 3.
If this indeed becomes a security issue in the future, we may circle back and drop this patch, requiring users to update their applications to newer versions which support the new OpenSSL 3 features. It is also worth mentioning that the patch being applied here was applied in PHP upstream and that the possibility of dropping it in the future should be discussed with the upstream project as well.
Finally, I consulted the security team on this and was told that it should be OK to SRU the patch.
[Other Info]
This fix was included in the last kinetic merge and therefore is already fixed in our development release.
[ Original bug report ]
As reported in [1] and [2], OpenSSL 3 is stricter about unexpected EOF (not sending close_notify). This may be an issue for servers with non-compliant implementations.
A fix for the issue is available at [3].
[1] https://bugs.php.net/bug.php?id=79589
[2] https://github.com/php/php-src/issues/8369
[3] https://github.com/php/php-src/pull/8558 |
|
2022-07-14 17:05:10 |
Athos Ribeiro |
php8.1 (Ubuntu Jammy): status |
New |
In Progress |
|
2022-07-14 17:09:35 |
Athos Ribeiro |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-08-17 02:29:28 |
Chris Halse Rogers |
php8.1 (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-08-17 02:29:32 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
2022-08-17 02:29:36 |
Chris Halse Rogers |
tags |
server-todo |
server-todo verification-needed verification-needed-jammy |
|
2022-08-17 16:44:28 |
Athos Ribeiro |
tags |
server-todo verification-needed verification-needed-jammy |
server-todo verification-done verification-done-jammy |
|
2022-08-22 10:46:59 |
Jani Uusitalo |
bug |
|
|
added subscriber Jani Uusitalo |
2022-08-24 16:55:59 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-08-24 16:55:58 |
Launchpad Janitor |
php8.1 (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|