[Bug 2018252] [NEW] [SRU] Fix invalid CSR version in python-acme, jammy
Launchpad Bug Tracker
2018252 at bugs.launchpad.net
Mon May 1 20:45:50 UTC 2023
You have been subscribed to a public bug by Harlan Lieberman-Berg (hlieberman):
[ Impact ]
This bug causes certbot to generate CSRs which are invalid. These CSRs
are then sent to ACME servers or otherwise parsed. Some software
validates CSRs more strictly, which means it will reject these
CSRs.
The principal motivation for backporting this fix is to stop certbot
from generating invalid CSRs. This will both alleviate bugs experienced by
users and reduce pressure on CSR parsers to accept _invalid_
CSRs.
[ Test plan ]
The patch contains a unit test that verifies the patch itself works
correctly. It has been present in certbot upstream since the 1.29.0
release. Further, the fix was backported to both Debian and RHEL.
Therefore, it has received substantial burn-in and is extremely unlikely
to regress anything.
[ Where problems could occur ]
For a problem to occur, it would require software that not only
accepted, but in fact _required_, an invalid CSR, and which also did not
process CSRs from recent versions of certbot or versions from Debian or
RHEL containing the backport.
The worst-case scenario for such software would be something that copied
the version value from a CSR into a certificate it was issuing (CSRs
have only a single valid version, v1; X.509 certificates can be either
v1 or v3, but in practice v3 is the only version in use). Such
software would end up producing different (and less correct/compatible)
certificates. I am not aware of any software with this behavior.
A more likely (though still improbable) bug would be software which
merely asserts that the CSR's version is something incorrect.
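A check for the CSR version field described above, added here as an example and not code from python-acme or certbot. It reads the PKCS#10 DER structure directly so it runs without a crypto library; the skeleton CSRs it builds are constructed placeholders (empty subject, key and signature), enough to exercise the version check but not usable requests.

```python
"""Check the version field of a PKCS#10 CSR (RFC 2986), which must be v1 (INTEGER 0)."""
import base64
import re


def _read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def csr_version(der):
    """Return the version INTEGER from CertificationRequestInfo (0 means v1)."""
    tag, body, _ = _read_tlv(der, 0)       # CertificationRequest ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, info, _ = _read_tlv(body, 0)      # CertificationRequestInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing CertificationRequestInfo")
    tag, version, _ = _read_tlv(info, 0)   # version INTEGER is the first field
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(version, "big", signed=True)


def csr_version_is_valid(der):
    """PKCS#10 defines exactly one version, v1, encoded as 0."""
    return csr_version(der) == 0


def pem_to_der(pem):
    """Strip the PEM armor and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----(BEGIN|END) [A-Z ]+-----|\s", "", pem))


def _der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_csr(version):
    """Constructed skeleton CSR (assumption for illustration): empty subject,
    empty SubjectPublicKeyInfo, empty attributes, dummy algorithm and signature."""
    info = _der(0x30, _der(0x02, bytes([version])) + _der(0x30, b"") + _der(0x30, b"") + _der(0xA0, b""))
    return _der(0x30, info + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Running `csr_version_is_valid(pem_to_der(open("req.pem").read()))` on a real request answers the question the test plan asks: a request with any version other than 0 is the invalid shape this fix removes.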
This relates to LP#: 2004073.
** Affects: python-acme (Ubuntu)
Importance: Undecided
Status: New
--
[SRU] Fix invalid CSR version in python-acme, jammy
https://bugs.launchpad.net/bugs/2018252