[Bug 2081763] [NEW] [SRU] mellon_create_metadata is incompatible with OpenSSL 3 in jammy

Weii Wang 2081763 at bugs.launchpad.net
Mon Sep 23 18:00:39 UTC 2024


Public bug reported:

[ Impact ]

The upgrade to OpenSSL 3 results in the failure of the
mellon_create_metadata helper script to generate the initial SP metadata
files required by Apache mod_auth_mellon. Since Ubuntu jammy uses
OpenSSL 3, this fix is essential to restore the functionality of
mellon_create_metadata. The issue arises because OpenSSL 3 no longer
supports using device files, such as /dev/urandom, as RANDFILE input,
which mellon_create_metadata depends on to generate SAML service
provider metadata, including a public key pair and configuration
XML file.

[ Test Plan ]

Run the following command:
    mellon_create_metadata urn:someservice https://sp.example.org/mellon

Only two files, urn_someservice.cert and urn_someservice.key, will be
created in the current working directory. The expected output should
include a third file, urn_someservice.xml. Note that there are no
error messages indicating a problem, as stderr is suppressed in the
script.

[ Where problems could occur ]

The upstream changes involve writing 256 bytes from /dev/urandom to
a temporary file, which is then used as input for OpenSSL RANDFILE.
While these changes are unlikely to cause significant regressions,
there is a hypothetical issue where, in rare cases, the OpenSSL command
might fail due to unrelated reasons. In such scenarios, the updated
script could leave behind two residual temporary files instead of the
single file left by the current version. However, since these files
are small and typically cleaned up regularly by the system, this
behavior should not negatively impact the user.

[ Other Info ]

Upstream fix: https://github.com/latchset/mod_auth_mellon/issues/105

Fixes: LP: #1945774, LP: #2052795

** Affects: libapache2-mod-auth-mellon (Ubuntu)
     Importance: Undecided
         Status: New

-- 
https://bugs.launchpad.net/bugs/2081763
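
The seed-file approach described under "Where problems could occur", combined with a check for the silent failure noted in the test plan, as an added shell example that is not part of the bug report or the upstream script. The function names are hypothetical, and passing RANDFILE through the environment is an assumption about how the wrapped command consumes it.

```shell
#!/bin/sh
# Added illustration: helper names are hypothetical, not from the upstream script.

# Create a regular file holding 256 bytes read from /dev/urandom and print its
# path. mktemp creates the file with owner-only permissions.
make_seed_file() {
    seed=$(mktemp) || return 1
    if ! dd if=/dev/urandom of="$seed" bs=256 count=1 2>/dev/null; then
        rm -f "$seed"
        return 1
    fi
    printf '%s\n' "$seed"
}

# Run a command with RANDFILE pointing at a fresh seed file (assumption: the
# command reads RANDFILE from its environment). The seed file is removed
# whether the command succeeds or fails, and the command's status is returned.
with_seed_file() {
    seed_path=$(make_seed_file) || return 1
    rc=0
    ( RANDFILE="$seed_path"; export RANDFILE; "$@" ) || rc=$?
    rm -f "$seed_path"
    return "$rc"
}

# Because the script suppresses stderr, verify the result explicitly: all three
# outputs for a base name (e.g. urn_someservice) must exist and be non-empty.
check_outputs() {
    missing=""
    for ext in cert key xml; do
        [ -s "$1.$ext" ] || missing="$missing $1.$ext"
    done
    [ -z "$missing" ] && return 0
    printf 'missing:%s\n' "$missing" >&2
    return 1
}
```

After running the command from the test plan, `check_outputs urn_someservice` returns non-zero and names the missing file on an affected system.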
