Dear Maintainer,

After upgrading openssl and its related packages (this one) from version 3.0.16-1~deb12u1 to 3.0.17-1~deb12u1 my sabnzbdplus package crashed on a restart.

I saw errors like the following:

```
sabnzbdplus: segfault at 7fc2ec116 ip 00007fc2f68af8d0 sp 00007fc25a7f35b0 error 4 in libcrypto.so.3[7fc2f66c5000+27c000] likely on CPU 2 (core 0, socket 0)
kernel: Code: 51 ff ff ff e8 41 d7 e1 ff 90 55 53 48 83 ec 08 48 85 ff 0f 84 81 00 00 00 48 89 fb 48 8b 07 48 8b 7f 10 48 83 7b 08 00 74 60 <ff> 90 c0 00 00 00 48 83 7b 08 00 89 c5 74 46 48 8b 7b 40 48 8b 35
kernel: traps: sabnzbdplus[3456936] general protection fault ip:7f99f2eaf8d0 sp:7f99587ef5b0 error:0 in libcrypto.so.3[7f99f2cc5000+27c000]
```

The openssl packages were the only change. On re-installing the older 3.0.16-1~deb12u1 packages again, sabnzbdplus could start again.
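A triage aid for kernel fault lines like the two in the report above, added here as an example and not part of the original report or of any Debian or OpenSSL tooling: it subtracts the mapping start the kernel prints in `[start+size]` from the faulting `ip`, so crashes from different runs can be compared despite ASLR. The function names are hypothetical, and the offset is relative to that mapping, not necessarily to the start of the library file.

```python
import re
from collections import defaultdict

# Matches both kernel formats seen in the report:
#   "... segfault at ADDR ip IP sp SP error N in LIB[START+SIZE]"
#   "traps: NAME[PID] general protection fault ip:IP sp:SP error:N in LIB[START+SIZE]"
FAULT_RE = re.compile(
    r"ip[ :](?P<ip>[0-9a-f]+) sp[ :](?P<sp>[0-9a-f]+) error[ :](?P<err>[0-9a-f]+)"
    r" in (?P<lib>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

def parse_fault(line):
    """Return (library, offset of ip inside the named mapping) or None."""
    m = FAULT_RE.search(line)
    if not m:
        return None
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    if not base <= ip < base + size:
        return None  # ip lies outside the mapping the kernel named
    return m["lib"], ip - base

def group_faults(lines):
    """Group fault lines by (library, offset) so ASLR does not hide duplicates."""
    groups = defaultdict(list)
    for line in lines:
        key = parse_fault(line)
        if key:
            groups[key].append(line)
    return dict(groups)

# The two kernel lines quoted in the report above.
SAMPLE = [
    "sabnzbdplus: segfault at 7fc2ec116 ip 00007fc2f68af8d0 sp 00007fc25a7f35b0 "
    "error 4 in libcrypto.so.3[7fc2f66c5000+27c000] likely on CPU 2 (core 0, socket 0)",
    "kernel: traps: sabnzbdplus[3456936] general protection fault ip:7f99f2eaf8d0 "
    "sp:7f99587ef5b0 error:0 in libcrypto.so.3[7f99f2cc5000+27c000]",
]

if __name__ == "__main__":
    for (lib, off), hits in group_faults(SAMPLE).items():
        print(f"{lib}+{off:#x}: {len(hits)} crash(es)")
```

Both quoted lines resolve to the same offset inside the libcrypto.so.3 mapping, so the segfault and the general protection fault were raised at the same instruction.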
I have noticed a similar issue in calibre:

```
$ unzip /usr/share/calibre/builtin_recipes.zip
$ ebook-convert bbc_fast.recipe out.mobi
```

ebook-convert usually crashes (or hangs) for me after 2-3 tries, e.g.,

```
malloc(): unsorted double linked list corrupted
Aborted
```

It sounds similar to <https://github.com/python/cpython/issues/136881>.

If I revert <https://github.com/openssl/openssl/commit/340383f5f49f84ed802dac268e6c12971d837f75> (and also 7141330fb98ceab643729f2d0f445f79f26addce), ebook-convert works fine again.

According to the comments, this is a bug in python. It is fixed in python 3.13, but there won't be an upstream backport to older versions.
XIMA MEDIA GmbH
Sudhausweg 9
01099 Dresden
Managing directors: Sascha Tom Weber, Samer Habib
Commercial register: Amtsgericht Dresden (HRB no. 16098), registered office: Dresden
VAT ID: DE 195 031 875
```
Your assistance in bug reporting will enable us to fix this for the next release.
To report this bug, see https://mariadb.com/kb/en/reporting-bugs about how to report a bug on https://jira.mariadb.org/.
Please include the information from the server start above, to the end of the information below.
Server version: 10.11.11-MariaDB-0+deb12u1-log source revision: e69f8cae1a15e15b9e4f5e0f8497e1f17bdc81a4
The information page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mariadbd/ contains instructions to obtain a better version of the backtrace below.
Following these instructions will help MariaDB developers provide a fix quicker.
Attempting backtrace. Include this in the bug report.
(note: Retrieving this information may fail)
Thread pointer: 0x7f4b1c000c68
2025-08-02 19:39:32 0 [Note] /usr/sbin/mariadbd (initiated by: unknown): Normal shutdown
stack_bottom = 0x7f4b5412a000 thread_stack 0x49000
2025-08-02 19:39:32 346 [Warning] Aborted connection 346 to db: 'unconnected' user: 'unauthenticated' host: 'x.x.x.x' (This connection closed normally without authentication)
2025-08-02 19:39:32 345 [Warning] Aborted connection 345 to db: 'unconnected' user: 'unauthenticated' host: 'x.x.x.x' (This connection closed normally without authentication)
/usr/sbin/mariadbd(my_print_stacktrace+0x2e)[0x556a6c3fc2ee]
/usr/sbin/mariadbd(handle_fatal_signal+0x1a3)[0x556a6bedada3]
libc_sigaction.c:0(__restore_rt)[0x7f4c0105b050]
/lib/x86_64-linux-gnu/libcrypto.so.3(+0x337d09)[0x7f4c01537d09]
/lib/x86_64-linux-gnu/libcrypto.so.3(OSSL_STORE_load+0x106)[0x7f4c014b0b36]
/lib/x86_64-linux-gnu/libcrypto.so.3(+0x2c0271)[0x7f4c014c0271]
/lib/x86_64-linux-gnu/libcrypto.so.3(+0x2c043d)[0x7f4c014c043d]
/lib/x86_64-linux-gnu/libcrypto.so.3(X509_STORE_CTX_get_by_subject+0xeb)[0x7f4c014dc1fb]
/lib/x86_64-linux-gnu/libcrypto.so.3(X509_STORE_CTX_get1_issuer+0x6a)[0x7f4c014dca6a]
/lib/x86_64-linux-gnu/libcrypto.so.3(+0x2e0e87)[0x7f4c014e0e87]
/lib/x86_64-linux-gnu/libcrypto.so.3(+0x2e2ad6)[0x7f4c014e2ad6]
/lib/x86_64-linux-gnu/libcrypto.so.3(X509_verify_cert+0xbc)[0x7f4c014e3bac]
/lib/x86_64-linux-gnu/libssl.so.3(+0x72016)[0x7f4c018c1016]
/lib/x86_64-linux-gnu/libssl.so.3(+0x75fd5)[0x7f4c018c4fd5]
/lib/x86_64-linux-gnu/libssl.so.3(+0x668ff)[0x7f4c018b58ff]
/usr/sbin/mariadbd(+0xc3b7b7)[0x556a6c06f7b7]
/usr/sbin/mariadbd(+0x7c25f6)[0x556a6bbf65f6]
/usr/sbin/mariadbd(+0x7c2ffe)[0x556a6bbf6ffe]
/usr/sbin/mariadbd(+0x79dce9)[0x556a6bbd1ce9]
/usr/sbin/mariadbd(+0x79f709)[0x556a6bbd3709]
/usr/sbin/mariadbd(_Z16acl_authenticateP3THDj+0x38e)[0x556a6bbf7e5e]
/usr/sbin/mariadbd(+0x977785)[0x556a6bdab785]
/usr/sbin/mariadbd(_Z16login_connectionP3THD+0x40)[0x556a6bdab910]
/usr/sbin/mariadbd(_Z22thd_prepare_connectionP3THD+0x1b)[0x556a6bdac26b]
/usr/sbin/mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x362)[0x556a6bdaca12]
/usr/sbin/mariadbd(handle_one_connection+0x5d)[0x556a6bdacd8d]
/usr/sbin/mariadbd(+0xcd9ee7)[0x556a6c10dee7]
nptl/pthread_create.c:442(start_thread)[0x7f4c010a81f5]
x86_64/clone3.S:83(clone3)[0x7f4c0112889c]
```
Jim, can you confirm this?
Hi Sebastian.

I'm happy to give it a go, but will need a bit of guidance since I'm not a Debian developer.

I cloned the repo via `git clone https://salsa.debian.org/debian/openssl.git`, but I'm not sure what branch to go to before I try to revert those commits.

I ran a `git tag -l` and I saw a tag for `debian/openssl-3.0.16-1_deb12u1` but not one for `debian/openssl-3.0.17-1_deb12u1`.

Do I just use the `debian/bookworm` branch instead? That's definitely version 3.0.17, but it might not have the deb12-u1 changes? I can't tell because the Debian changelog for the deb12u1 package wasn't updated.

Or perhaps I'm just going about things in completely the wrong way?

I also downloaded the source package by adding the following to my /etc/apt/sources.list file:

```
deb-src https://deb.debian.org/debian bookworm-updates main non-free contrib
```

And then used `apt-get source openssl` to download the package source. But this isn't a git repository of course, so I don't know if there are Debian tools that can be used to give a git commit hash and have the tool revert it from the package source.

Regards,
Jim Barber

On Mon, 4 Aug 2025 at 04:31, Sebastian Andrzej Siewior <sebastian@breakpoint.cc> wrote:
Hi,

I am experiencing the same problems described here: MariaDB and PostgreSQL services are segfaulting after the update to libssl3-3.0.17-1~deb12u1.

According to my tests, segfaults only occur in multithreaded conditions - for example if multiple MySQL clients connect at the same time to the MariaDB server.

I can confirm that reverting the following patches (which rework the x509 store code) resolves the problem:

https://github.com/openssl/openssl/commit/7141330fb98ceab643729f2d0f445f79f26addce
https://github.com/openssl/openssl/commit/340383f5f49f84ed802dac268e6c12971d837f75
https://github.com/openssl/openssl/commit/a468bdb02531e47d89119444dafd35e9dbe09cdf

My guess is that the code changes broke thread safety of libssl and that additional locking (either in libssl or the caller side) is needed to prevent the race and the resulting corruption.
Hi,

I can confirm the issue in conjunction with MariaDB and concurrent connections. We started to see SSL errors after installing the 3.0.17 update on Sunday. Some cronjobs run concurrently, and then bail out with:

> TLS/SSL error: unexpected eof while reading

Downgrading to libssl3_3.0.16-1~deb12u1_amd64.deb fixes the issue. I would recommend to pull that update until it is fixed.

All the best
Felicia
Hi Jim,

Don't worry, I prepared an update at https://breakpoint.cc/openssl-3.0.17-1~deb12u2.tar

Can you check if this works for you? I pushed my changes this time…

Sebastian
Thanks Sebastian.

I've unpacked the tar file and installed the packages.

```
$ dpkg --list libssl3 openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-====================================================
ii  libssl3:amd64  3.0.17-1~deb12u2 amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl        3.0.17-1~deb12u2 amd64        Secure Sockets Layer toolkit - cryptographic utility
```

My sabnzbdplus install is working when I restart it with this package installed by the look of things.

Thanks.
Jim.
upstream lodged: https://github.com/openssl/openssl/issues/28171
control: forwarded -1 https://github.com/openssl/openssl/issues/28171

Thank you.

Sebastian
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1110254@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 05 Aug 2025 09:09:41 +0200
Source: openssl
Architecture: source
Version: 3.0.17-1~deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Closes: 1110254
Changes:
openssl (3.0.17-1~deb12u2) bookworm; urgency=medium
.
* Revert the following upstream changes to avoid crashes in downstream
software:
- 7141330fb98ce ("Drop "by store"'s by_store_subject_ex()")
- 340383f5f49f8 ("Rework the "by store" X509_LOOKUP method to open the given URI early")
- a468bdb02531e ("Add test_verify tests")
Closes: #1110254
Checksums-Sha1:
1ddc7164ba255c98070584b88d5cd4bc6478adb0 2675 openssl_3.0.17-1~deb12u2.dsc
43dfa463caab92d57abb4a931dfb4395c0a425b6 55224 openssl_3.0.17-1~deb12u2.debian.tar.xz
Checksums-Sha256:
8eff0f04976f65df9a00507f286c18f42644d73124e3844258f037ff47c4f6cf 2675 openssl_3.0.17-1~deb12u2.dsc
e5b4c3e1b9caad2da53572fe2b4c7ce027ec17e778630f342d194608472d52f1 55224 openssl_3.0.17-1~deb12u2.debian.tar.xz
Files:
529888671a6ac5ed84bf8523de6cca50 2675 utils optional openssl_3.0.17-1~deb12u2.dsc
83aa2692c4e3bc3f0ce5cecf113c5cd2 55224 utils optional openssl_3.0.17-1~deb12u2.debian.tar.xz