[Bug 2018252] Re: [SRU] Fix invalid CSR version in python-acme

Steve Langasek 2018252 at bugs.launchpad.net
Fri May 26 23:28:46 UTC 2023


Hello Harlan, or anyone else affected,

Accepted python-acme into jammy-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/python-acme/1.21.0-1ubuntu0.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Description changed:

  [ Impact ]
  
  This bug causes certbot to generate CSRs which are invalid. These CSRs
  are then sent to ACME servers or otherwise parsed. Some software
  validates CSRs more aggressively, which means it will reject these
  CSRs.
  
  The principal motivation for backporting this fix is to stop certbot
  from generating CSRs. This will both alleviate bugs experienced by
  users, as well as reduce pressure on CSR parsers to accept _invalid_
  CSRs.
  
  [ Test plan ]
  
- The patch contains a unit test that verifies the patch itself works
- correctly. It has been present in certbot upstream since the 1.29.0
- release. Further, the fix was backported to both Debian and RHEL.
- Therefore, it has received substantial burn-in and is extremely unlikely
- to regress anything.
+ See
+ https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/2018252/comments/11
+ for complete test plan including links to assets.
  
  [ Where problems could occur ]
  
  For a problem to occur, it would require software that not only
  accepted, but in fact _required_, an invalid CSR, and which also did not
  process CSRs from recent versions of certbot or versions from Debian or
  RHEL containing the backport.
  
  The worst-case scenario for such software would be something that copied
  the version value from a CSR into a certificate it was issuing (CSRs
  have only a single valid version, v1. X.509 certificates can be either
  v1 or v3, however in practice v3 is the only version in use.). Such
  software would end up producing different (and less correct/compatible)
  certificates. I am not aware of any software with this behavior.
  
  A more likely (though still improbable) bug would be software which
  merely asserts that the CSR's version is something incorrect.

** Changed in: python-acme (Ubuntu Jammy)
       Status: Incomplete => Fix Committed

** Tags added: verification-needed verification-needed-jammy

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to a duplicate bug report (2018260).
https://bugs.launchpad.net/bugs/2018252

Title:
  [SRU] Fix invalid CSR version in python-acme

Status in python-acme package in Ubuntu:
  Fix Released
Status in python-acme source package in Focal:
  Confirmed
Status in python-acme source package in Jammy:
  Fix Committed

Bug description:
  [ Impact ]

  This bug causes certbot to generate CSRs which are invalid. These CSRs
  are then sent to ACME servers or otherwise parsed. Some software
  validates CSRs more aggressively, which means it will reject these
  CSRs.

  The principal motivation for backporting this fix is to stop certbot
  from generating CSRs. This will both alleviate bugs experienced by
  users, as well as reduce pressure on CSR parsers to accept _invalid_
  CSRs.

  [ Test plan ]

  See
  https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/2018252/comments/11
  for complete test plan including links to assets.

  [ Where problems could occur ]

  For a problem to occur, it would require software that not only
  accepted, but in fact _required_, an invalid CSR, and which also did
  not process CSRs from recent versions of certbot or versions from
  Debian or RHEL containing the backport.

  The worst-case scenario for such software would be something that
  copied the version value from a CSR into a certificate it was issuing
  (CSRs have only a single valid version, v1. X.509 certificates can be
  either v1 or v3, however in practice v3 is the only version in use.).
  Such software would end up producing different (and less
  correct/compatible) certificates. I am not aware of any software with
  this behavior.

  A more likely (though still improbable) bug would be software which
  merely asserts that the CSR's version is something incorrect.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/2018252/+subscriptions
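As an added example (not part of the bug report, certbot, or python-acme): a minimal DER-level check of the PKCS#10 version field, the kind of check a strict CSR parser performs and that a tester can run against a CSR produced by certbot before and after this update. It assumes RFC 2986's encoding (the only defined version, v1, is INTEGER 0) and accepts either DER bytes or PEM text; the sample CSR bytes it builds are constructed to have the CertificationRequest shape and are not real requests.

```python
import base64
import re
# RFC 2986: CertificationRequest ::= SEQUENCE { certificationRequestInfo SEQUENCE { version INTEGER
#   { v1(0) }, subject, subjectPKInfo, attributes }, signatureAlgorithm, signature }
# v1 (encoded as 0) is the only version defined; X.509 uses 2 for v3, but that is a different structure.
PKCS10_V1 = 0
PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END", re.S)

def _read_tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, pos + length

def csr_version(csr):
    """Return the version INTEGER of a CSR given as DER bytes or PEM text."""
    if isinstance(csr, str):
        m = PEM_RE.search(csr)
        if not m:
            raise ValueError("no CERTIFICATE REQUEST PEM block found")
        csr = base64.b64decode("".join(m.group(1).split()))
    pos = 0
    for expected in (0x30, 0x30):  # CertificationRequest, then certificationRequestInfo
        tag, pos, _ = _read_tlv(csr, pos)
        if tag != expected:
            raise ValueError("not a CertificationRequest: tag 0x%02x" % tag)
    tag, start, end = _read_tlv(csr, pos)  # version is the first field of the info
    if tag != 0x02:
        raise ValueError("version field missing or not an INTEGER")
    return int.from_bytes(csr[start:end], "big", signed=True)

def csr_version_is_valid(csr):
    """True only for the single version PKCS#10 defines (v1, encoded as 0)."""
    return csr_version(csr) == PKCS10_V1

def _tlv(tag, payload):
    return bytes([tag, len(payload)]) + payload  # short-form length suffices for the samples

def make_sample_csr(version):
    """Constructed sample with the CertificationRequest shape, NOT a real CSR: only the version
    field is meaningful; subject, key, attributes and signature are empty placeholders."""
    info = _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x30, b"") * 2 + _tlv(0xA0, b""))
    return _tlv(0x30, info + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

To check a real file, pass the contents of a certbot-generated .pem or .der CSR to csr_version_is_valid; a request from an affected version returns False.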