I've upgraded openssl with a minor patch level update from upstream 1.0.0a->1.0.0b which fixes a potentially serious security vulnerability. Unfortunately the update breaks libguestfs. Would it be possible to modify libguestfs so it does not depend on the full file names, but on the soname file names? There are the /lib64/libcrypto.so.10 and /lib64/.libcrypto.so.10.hmac which are symlinks that can be dereferenced to obtain the full file names. These symlink names will not change in released Fedora versions as that would be of course an ABI break.
We should just not depend on the hmac files, which is what seems to cause the problem. AIUI they are not useful for general users. The issue of depending on file paths is discussed here, and nothing has changed since this was written: http://lists.fedoraproject.org/pipermail/devel/2010-April/134663.html BTW I'm already doing new builds for F13 and F14: http://koji.fedoraproject.org/koji/buildinfo?buildID=205415 http://koji.fedoraproject.org/koji/buildinfo?buildID=205413
Yes, the hmac files are not needed if the system is not run in the FIPS mode which itself is not very useful for regular Fedora users.
I pushed this patch upstream and into the F13 and F14 branches: http://git.annexia.org/?p=libguestfs.git;a=commitdiff;h=16e39ac0b8583c60fb1bc3378483b91886ed6f85 New builds: http://koji.fedoraproject.org/koji/taskinfo?taskID=2608591 http://koji.fedoraproject.org/koji/taskinfo?taskID=2608593
I made openssl-1.0.0b update for F-12 as well. Is libguestfs requiring the hmac file there or not?
Yes, I think it is. I've kicked off a rebuild for F12 including this patch: http://koji.fedoraproject.org/koji/taskinfo?taskID=2608622
libguestfs-1.6.2-1.fc13.4 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc13.4
libguestfs-1.6.2-1.fc14.4 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc14.4
libguestfs-1.2.11-1.fc12.1 has been submitted as an update for Fedora 12. https://admin.fedoraproject.org/updates/libguestfs-1.2.11-1.fc12.1
libguestfs-1.6.2-1.fc14.4 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libguestfs'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc14.4
*** Bug 655505 has been marked as a duplicate of this bug. ***
In case you didn't already know, the openssl update is in stable for F12 while libguestfs is still in updates-testing. This leads to broken updates for those with libguestfs installed.
*** Bug 655937 has been marked as a duplicate of this bug. ***
libguestfs-1.6.2-1.fc14.4 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Reopen, otherwise it won't appear in some searches. Still waiting for enough karma to push this to F12, F13.
With the 1.2.11-1.fc12.1 release I still cannot install openssl-1.0.0b on Fedora 12. 1.0.0a has all libs in /usr/lib64 whereas 1.0.0b has the crypto libs in /lib64 Failed dependencies: /usr/lib64/libcrypto.so.10 is needed by (installed) libguestfs-1:1.2.11-1.fc12.1.x86_64
(In reply to comment #15) > With the 1.2.11-1.fc12.1 release I still cannot install openssl-1.0.0b on > Fedora 12. > > 1.0.0a has all libs in /usr/lib64 whereas 1.0.0b has the crypto libs in /lib64 Oops, that was unintentional change in F12 openssl package caused by my too eager merge with newer branches. I'll correct that in the openssl package.
We can also fix this in libguestfs if you prefer.
No, this was really unintentional change and I'm building fixed openssl package just now.
Richard, please can you add the new openssl-1.0.0b-1.fc12.1 package to the libguestfs Fedora 12 update so both packages can be updated simultaneously?
With any luck, this is correct ... https://admin.fedoraproject.org/updates/openssl-1.0.0b-1.fc12.1,libguestfs-1.2.11-1.fc12.1
libguestfs-1.6.2-1.fc13.4 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Still open in F12. https://admin.fedoraproject.org/updates/openssl-1.0.0b-1.fc12.1,libguestfs-1.2.11-1.fc12.1
*** Bug 656517 has been marked as a duplicate of this bug. ***
libguestfs-1.2.11-1.fc12.1, openssl-1.0.0b-1.fc12.1 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libguestfs openssl'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/openssl-1.0.0b-1.fc12.1,libguestfs-1.2.11-1.fc12.1
I can confirm that the new openssl packages install correctly with the updated libguestfs on F12 x86_64.
libguestfs-1.2.11-1.fc12.1, openssl-1.0.0b-1.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.