Ubuntu

server-cert.pem expired: "Not After : Jan 27 08:54:13 2009 GMT" - ssl related test suites fails because of expired certificates

Reported by Andreas Olsson on 2009-01-31
8
Affects Status Importance Assigned to Milestone
mysql-dfsg-5.0 (Ubuntu)
High
Mathias Gug
Hardy
Undecided
Unassigned
Intrepid
Undecided
Unassigned
mysql-dfsg-5.1 (Ubuntu)
Undecided
Mathias Gug
Hardy
Undecided
Unassigned
Intrepid
Undecided
Unassigned

Bug Description

For some reasons it seems if not impossible then atleast non-trivial to build binary packages from the source provided by mysql-dfsg-5.0 in Hardy (5.0 5.0.51a-3ubuntu5.4), Intrepid (5.0.67-0ubuntu6) and Jaunty (5.1.30really5.0.75-0ubuntu3).

While I believe I have a memory of actually succeeding somewhat recently it has been completely impossible these resent days when I have looked closer at it. No matter if I try to use debuild och pbuilder the I always get the same failure during the build test.

----------
Failed 7/494 tests, 98.58% were successful.

The log files in var/log may give you some hint
of what went wrong.
If you want to report this error, please read first the documentation at
http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html
The servers were restarted 121 times
Spent 808.385 of 3127 seconds executing testcases

mysql-test-run in default mode: *** Failing the test(s): openssl_1 rpl_openssl rpl_ssl ssl ssl_8k_key ssl_compress ssl_connect
mysql-test-run: *** ERROR: there were failing test cases
----------

It does by the way seems strange to be testing openssl considering debian/rules includes "--without-openssl".

I've been testing on i386 and amd64 as well as physical and virtual machines.

When I've tested using debuild I've taken a clean install, upgraded it fully, then running these steps
$ sudo apt-get install build-essential fakeroot devscripts
$ sudo apt-get build-dep mysql-server-5.0
$ apt-get source mysql-server-5.0
$ cd mysql-dfsg-5.0-5.0.67/
$ debuild -uc -us

The (few) tests I've ran pbuilder has been in environments created by this command
$ sudo pbuilder create --debootstrapopts --variant=buildd

Andreas Olsson (andol) on 2009-01-31
description: updated
Soren Hansen (soren) wrote :

It's not just you :)

The builds on the buildd's fail as well:

    https://edge.launchpad.net/ubuntu/jaunty/+source/mysql-dfsg-5.0/5.1.30really5.0.75-0ubuntu4

They seem to fail due to SSL failures in the test suite.

Changed in mysql-dfsg-5.0:
status: New → Confirmed
Andreas Olsson (andol) wrote :

Non sure if this is purely an Ubuntu bug.

I downloaded the native MySQL 5.0.75 source directly and tried to compile it separately, without any of "our" patches and special options. A build based on this simple configuration "./configure --with yassl" results in the exactly same build tests failing.

Don't think it is an issue with yassl, since --with-openssl renders the same result. That is also the case when I try to build using others version of gcc.

Tomorrow I'll do some tests on none-Ubuntu systems. If they give me the same failing build tests then, I'll report this as a bug upstream.

By the way, from now on all my tests/builds takes place on a Jaunty system, unless otherwise specified.

Mathias Gug (mathiaz) wrote :

This is because the certificates used in testing have expired.

See http://bugs.mysql.com/bug.php?id=42366.

Andreas Olsson (andol) wrote :

Yes, by applying the mysql patch, supplying a new test cert, everything builds and tests fine.

I'm attaching a debdiff including the mysql patch as a dpatch.

Mathias Gug (mathiaz) on 2009-02-03
Changed in mysql-dfsg-5.0:
importance: Undecided → High
milestone: none → jaunty-alpha-4
Mathias Gug (mathiaz) on 2009-02-03
Changed in mysql-dfsg-5.1:
status: New → Invalid
status: New → Invalid
Mathias Gug (mathiaz) wrote :
Changed in mysql-dfsg-5.0:
assignee: nobody → mathiaz
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.0 - 5.1.30really5.0.75-0ubuntu5

---------------
mysql-dfsg-5.0 (5.1.30really5.0.75-0ubuntu5) jaunty; urgency=low

  [ Andreas Olsson ]
  * debian/patches/92_ssl_test_cert.dpatch: Re-generated the PKI files needed
    for the tests.
    (LP: #323755)

 -- Mathias Gug <email address hidden> Tue, 03 Feb 2009 04:36:21 -0500

Changed in mysql-dfsg-5.0:
status: In Progress → Fix Released
Mathias Gug (mathiaz) on 2009-02-09
Changed in mysql-dfsg-5.1:
assignee: nobody → mathiaz
status: New → In Progress
Andreas Olsson (andol) wrote :

I can (not surprisingly) confirm this issue in Hardy as well as in Intrepid.

Should be same patch be applied towards those packages?

Changed in mysql-dfsg-5.0:
status: New → Confirmed
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.1 - 5.1.31-1ubuntu1

---------------
mysql-dfsg-5.1 (5.1.31-1ubuntu1) jaunty; urgency=low

  * Merge from debian experimental, remaining changes:
    - debian/mysql-server-5.1.config: ask for MySQL root password at priority
      high instead of medium so that the password prompt is seen on a default
      install. (LP: #319843)
    - debian/control:
      + Don't build mysql-server, mysql-client, mysql-common and
        libmysqlclient15-dev binary packages since they're still provided
        by mysql-dfsg-5.0.
      + Rename libmysqlclient-dev package to libmysqlclient16-dev (LP: #316280).
        Make it conflict with libmysqlclient15-dev.
      + Make mysql-{client,server}-5.1 packages conflict and
        replace mysql-{client,server}-5.0, but not provide
        mysql-{client,server}.
      + Depend on a specific version of mysql-common rather than the src
        version of mysql-dfsg-5.1 since mysql-common is currently part of
        mysql-dfsg-5.0.
    - debian/rules: added -fno-strict-aliasing to CFLAGS to get
      around mysql testsuite build failures.
  * debian/patches/92_ssl_test_cert.dpatch: certificate expiration in
    test suite (LP: #323755).
  * Dropped changes:
    - all of the changes made to support both 5.0 and 5.1 installed at the
      same time have been dropped now that amarok doesn't depend on
      mysql-server-5.1 anymore.

mysql-dfsg-5.1 (5.1.31-1) experimental; urgency=low

  * New upstream release.

 -- Mathias Gug <email address hidden> Tue, 10 Feb 2009 16:42:05 -0500

Changed in mysql-dfsg-5.1:
status: In Progress → Fix Released
Andreas Olsson (andol) wrote :

I would like to nominate this bug for a SRU in regards to Ubuntu 8.04, using the same patch which was applied to mysql-dfsg-5.0 in Ubuntu 9.04. This on the basis of FTBFS(Fails To Build From Source). Right now I'm working on a SRU proposal for bug #296952, and no matter what there will likely be other updates which has to be applied to MySQL during the Hardy lifespan.

TEST CASE: Do a normal build of 5.0.51a-3ubuntu5.4 and it will fail, due to failed ssl tests. Applying this patch will make these tests pass fine.

I have a hard time seeing any regression potential considering this only affects a test certificate used during build tests, which fails anyway.

I'm attaching a debdiff addressed to hardy-proposed.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.0 - 5.0.67-0ubuntu6.1

---------------
mysql-dfsg-5.0 (5.0.67-0ubuntu6.1) intrepid-security; urgency=low

  * SECURITY UPDATE: privilege circumvention via the creation of MyISAM
    tables using the DATA DIRECTORY and INDEX DIRECTORY options to overwrite
    existing table files in the data directory. This fix alters table creation
    behaviour by disallowing the use of the MySQL data directory in DATA
    DIRECTORY and INDEX DIRECTORY options. (LP: #254129)
    - debian/patches/92_CVE-2008-4098.dpatch: Disallow use of MySQL
      data directory in DATA DIRECTORY and INDEX DIRECTORY options.
    - CVE-2008-4098
  * SECURITY UPDATE: Cross-site scripting in the command-line client
    - debian/patches/92_CVE-2008-4456.dpatch: use xmlencode_print in
      client/mysql.cc, add test to mysql-test/*.
    - CVE-2008-4456
  * SECURITY UPDATE: format string vulnerabilities in the dispatch_command
    function
    - debian/patches/92_CVE-2009-2446.dpatch: use correct format string in
      sql/sql_parse.cc, add test to tests/mysql_client_test.c.
    - CVE-2009-2446
  * SECURITY UPDATE: denial of service via certain SELECT statements with
    subqueries and statements that use the GeomFromWKB function
    - debian/patches/92_CVE-2009-4019.dpatch: return proper errors in
      sql/sql_class.cc, handle errors in sql/sql_select.cc, set correct
      null_value in sql/item_geofunc.cc, add tests to mysql-test/*.
    - CVE-2009-4019
  * SECURITY UPDATE: privilege restriction bypass via incorrect calculation
    of the mysql_unpacked_real_data_home value
    - debian/patches/92_CVE-2009-4030.dpatch: fix initialization order in
      sql/mysqld.cc.
    - CVE-2009-4030
  * SECURITY UPDATE: arbitrary code execution via yassl stack overflow
    - debian/patches/93_CVE-2009-4484.dpatch: validate lengths in
      extra/yassl/taocrypt/src/asn.*.
    - CVE-2009-4484
  * debian/patches/94_ssl_test_certs.dpatch: update certificates in the
    test suite as they are expired. The new certs expire 2015-01-28.
    (LP: #323755)
 -- Marc Deslauriers <email address hidden> Mon, 08 Feb 2010 09:00:54 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.0 - 5.0.51a-3ubuntu5.5

---------------
mysql-dfsg-5.0 (5.0.51a-3ubuntu5.5) hardy-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting in the command-line client
    - debian/patches/97_CVE-2008-4456.dpatch: use xmlencode_print in
      client/mysql.cc, add test to mysql-test/*.
    - CVE-2008-4456
  * SECURITY UPDATE: format string vulnerabilities in the dispatch_command
    function
    - debian/patches/97_CVE-2009-2446.dpatch: use correct format string in
      sql/sql_parse.cc, add test to tests/mysql_client_test.c.
    - CVE-2009-2446
  * SECURITY UPDATE: denial of service via certain SELECT statements with
    subqueries and statements that use the GeomFromWKB function
    - debian/patches/97_CVE-2009-4019.dpatch: return proper errors in
      sql/sql_class.cc, handle errors in sql/sql_select.cc, set correct
      null_value in sql/item_geofunc.cc, add tests to mysql-test/*.
    - CVE-2009-4019
  * SECURITY UPDATE: privilege restriction bypass via incorrect calculation
    of the mysql_unpacked_real_data_home value
    - debian/patches/97_CVE-2009-4030.dpatch: fix initialization order in
      sql/mysqld.cc.
    - CVE-2009-4030
  * SECURITY UPDATE: arbitrary code execution via yassl stack overflow
    - debian/patches/98_CVE-2009-4484.dpatch: validate lengths in
      extra/yassl/taocrypt/src/asn.*.
    - CVE-2009-4484
  * debian/patches/99_ssl_test_certs.dpatch: update certificates in the
    test suite as they are expired. The new certs expire 2015-01-28.
    (LP: #323755)
 -- Marc Deslauriers <email address hidden> Mon, 08 Feb 2010 09:01:56 -0500

Changed in mysql-dfsg-5.0 (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in mysql-dfsg-5.0 (Ubuntu Intrepid):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.