Bug 1185637 - openssl-1_1 fails to build after 2022-06-01
openssl-1_1 fails to build after 2022-06-01
Status: RESOLVED FIXED
: 1200153 1200154 (view as bug list)
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Current
Other All
: P1 - Urgent : Normal (vote)
: ---
Assigned To: Pedro Monreal Gonzalez
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-05-05 08:47 UTC by Bernhard Wiedemann
Modified: 2022-09-01 15:17 UTC (History)
6 users (show)

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bernhard Wiedemann 2021-05-05 08:47:38 UTC
While working on reproducible builds for openSUSE, I found that
our openssl-1_1/openssl-1.1.1k fails tests after 2022-06-01

Likely reason is one or more of these expiring certs:

for cert in `find test -name \*pem` ; do openssl x509 -text < $cert |
  grep After |grep 2022 && echo $cert ; done 2>&1 |grep -A1 2022
            Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/D1_Issuer_ICA.pem
            Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/ISIC_D1_Issuer_ICA.pem
            Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/WSNIC_D1_Issuer_ICA.pem
            Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/WKIC_D1_Issuer_ICA.pem
            Not After : Jun  1 00:00:00 2022 GMT
test/certs/embeddedSCTs1_issuer.pem
            Not After : Jun  1 00:00:00 2022 GMT
test/certs/embeddedSCTs1.pem

building further in the future might have more failing tests:

 Test Summary Report
 -------------------
 ../test/recipes/80-test_cms.t                    (Wstat: 1280 Tests: 6 Failed: 5)
   Failed tests:  1-5
   Non-zero exit status: 5
 ../test/recipes/80-test_ssl_new.t                (Wstat: 256 Tests: 29 Failed: 1)
   Failed test:  12
   Non-zero exit status: 1
 Files=160, Tests=1893, 86 wallclock secs ( 1.22 usr  0.11 sys + 71.76 cusr  7.53 csys = 80.62 CPU)
 Result: FAIL


Steps to Reproduce:
osc co openSUSE:Factory/openssl-1_1 && cd $_
osc build --vm-type=kvm --noservice --clean --build-opt=--vm-custom-opt="-rtc base=2022-06-02T00:00:00"

once that issue is fixed, try with 2028 and 2036


SUSE:SLE-15-SP2:GA/openssl-1_1 is also affected.
Likely affects other enterprise codestreams as well.
Comment 1 Pedro Monreal Gonzalez 2021-05-06 11:35:51 UTC
Testing with verbose flags it shows expiring certificates:

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO:  @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 139919277639040:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 2 - iteration 2

I'll report upstream.
Comment 2 Pedro Monreal Gonzalez 2021-05-06 11:41:10 UTC
Reported here: https://github.com/openssl/openssl/issues/15179
Comment 3 Bernhard Wiedemann 2022-03-31 18:56:24 UTC
Only 2 months left...
Comment 4 Bernhard Wiedemann 2022-06-01 10:08:26 UTC
Now the timebomb triggered and upstream is working on it.
Comment 5 Stephan Kulow 2022-06-02 10:01:48 UTC
bsc#1200153 for SLE
Comment 6 Dominique Leuenberger 2022-06-02 12:40:09 UTC
Raising prio: with openssl-1_1 being in ring0 and failing to build, this basically means all ring0 stagings are blocked until openssl-1_1 has a fix/workaround in place
Comment 7 Petr Gajdos 2022-06-03 07:38:26 UTC
https://build.opensuse.org/request/show/980584

Not sure this is correct submission, though (openssl maintenance is reportedly different).
Comment 10 Jason Sikes 2022-06-03 12:32:51 UTC
*** Bug 1200153 has been marked as a duplicate of this bug. ***
Comment 11 Petr Gajdos 2022-06-03 12:36:00 UTC
I think I am superfluous here, good luck!
Comment 12 Jason Sikes 2022-06-03 12:50:39 UTC
Submissions made for the following streams so far:

> | Path                                 | Status                    |
> |--------------------------------------+---------------------------|
> | SUSE:SLE-15-SP4:Update/openssl-3     | created request id 273505 |
> | SUSE:SLE-15-SP4:Update/openssl-1_1   | created request id 273506 |
> | openssl-1_1.SUSE_SLE-15-SP2_Update   |                           |
> | openssl-1_1.SUSE_SLE-12-SP4_Update   |                           |
> | openssl-1_1.SUSE_SLE-15_Update       | created request id 273521 |
> | openssl-1_1.SUSE_SLE-15-SP1_Update   | created request id 273522 |

Only openssl-3 and openssl-1_1 are affected by this issue.

Also, there are two code streams that are having issues. @pgajdos gave me some pointers to deal with them so this is still being worked on.
Comment 13 Marcus Meissner 2022-06-06 18:59:20 UTC
I fixed openssl-1_1 for 15-sp2 by deleting the broken state incident.

any others?
Comment 14 Dominique Leuenberger 2022-06-06 19:25:20 UTC
(In reply to Marcus Meissner from comment #13)
> I fixed openssl-1_1 for 15-sp2 by deleting the broken state incident.
> 
> any others?

I hope tumbleweed won't be forgotten 
Comment 15 OBSbugzilla Bot 2022-06-07 08:40:02 UTC
This is an autogenerated message for OBS integration:
This bug (1185637) was mentioned in
https://build.opensuse.org/request/show/981089 Factory / openssl-1_1
Comment 16 John Paul Adrian Glaubitz 2022-06-07 14:35:19 UTC
(In reply to Marcus Meissner from comment #13)
> I fixed openssl-1_1 for 15-sp2 by deleting the broken state incident.
> 
> any others?

Does that mean that the openssl-1_1 package is being removed from SP2?

SP2 has a different version than SP1 after all.
Comment 17 Marcus Meissner 2022-06-07 14:55:55 UTC
No, it was just a incident with a buggy state of openssl-1_1.

We still expect resubmission for 15-sp2 of openssl-1_1.
Comment 18 John Paul Adrian Glaubitz 2022-06-08 10:24:52 UTC
(In reply to Marcus Meissner from comment #17)
> No, it was just a incident with a buggy state of openssl-1_1.
> 
> We still expect resubmission for 15-sp2 of openssl-1_1.

The patch to update the certificates applies fine for SP2, the other one to fix the CVE does not.
Comment 20 Swamp Workflow Management 2022-06-14 13:20:27 UTC
SUSE-SU-2022:2068-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166
CVE References: CVE-2022-1292
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    openssl-1_1-1.1.0i-150100.14.30.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    openssl-1_1-1.1.0i-150100.14.30.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    openssl-1_1-1.1.0i-150100.14.30.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    openssl-1_1-1.1.0i-150100.14.30.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    openssl-1_1-1.1.0i-150100.14.30.1
SUSE Enterprise Storage 6 (src):    openssl-1_1-1.1.0i-150100.14.30.1
SUSE CaaS Platform 4.0 (src):    openssl-1_1-1.1.0i-150100.14.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2022-06-14 13:21:09 UTC
SUSE-SU-2022:2075-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166
CVE References: CVE-2022-1292
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    openssl-1_1-1.1.0i-150000.4.69.1
SUSE Linux Enterprise Server 15-LTSS (src):    openssl-1_1-1.1.0i-150000.4.69.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    openssl-1_1-1.1.0i-150000.4.69.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    openssl-1_1-1.1.0i-150000.4.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Jason Sikes 2022-06-22 03:04:58 UTC
Complete.
Comment 25 Swamp Workflow Management 2022-06-24 16:26:53 UTC
SUSE-SU-2022:2182-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185637,1199166,1200550
CVE References: CVE-2022-1292,CVE-2022-2068
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    openssl-1_1-1.1.1d-2.66.1
SUSE OpenStack Cloud 9 (src):    openssl-1_1-1.1.1d-2.66.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    openssl-1_1-1.1.1d-2.66.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    openssl-1_1-1.1.1d-2.66.1
SUSE Linux Enterprise Server 12-SP5 (src):    openssl-1_1-1.1.1d-2.66.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    openssl-1_1-1.1.1d-2.66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-07-04 13:18:31 UTC
SUSE-SU-2022:2251-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185637,1199166,1200550
CVE References: CVE-2022-1292,CVE-2022-2068
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Manager Server 4.1 (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Manager Retail Branch Server 4.1 (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Manager Proxy 4.1 (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Micro 5.2 (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Micro 5.1 (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    openssl-1_1-1.1.1d-150200.11.48.1
SUSE Enterprise Storage 7 (src):    openssl-1_1-1.1.1d-150200.11.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Adam Majer 2022-07-06 12:43:47 UTC
*** Bug 1200154 has been marked as a duplicate of this bug. ***
Comment 29 Swamp Workflow Management 2022-07-06 16:18:52 UTC
SUSE-SU-2022:2308-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166,1200550,1201099
CVE References: CVE-2022-1292,CVE-2022-2068,CVE-2022-2097
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    openssl-1_1-1.1.1l-150400.7.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    openssl-1_1-1.1.1l-150400.7.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2022-07-06 16:32:47 UTC
SUSE-SU-2022:2306-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166,1199167,1199168,1199169,1200550,1201099
CVE References: CVE-2022-1292,CVE-2022-1343,CVE-2022-1434,CVE-2022-1473,CVE-2022-2068,CVE-2022-2097
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    openssl-3-3.0.1-150400.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    openssl-3-3.0.1-150400.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2022-09-01 15:17:03 UTC
SUSE-SU-2022:2251-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185637,1199166,1200550
CVE References: CVE-2022-1292,CVE-2022-2068
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    openssl-1_1-1.1.1d-150200.11.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.