Update outdated OpenSSL version in build images #3839
Comments
I'm assuming that the base builder image has an old openssl regardless of what sanitizer build is being done (for sanitizer builds @oliverchang does some magic to build dependencies with MSAN).
Right, MSan builds are also at the exact same version as what apt has.
+1
@jonathanmetzman Any update on this? Looks like the fuzzer is bumping into this issue more frequently than needed so it already escalated to the Fuzz-Blocker: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22133#c7
@Jakuje I don't know we can fix it so easily. We provide ubuntu 16.04 images. I'm not sure the correct thing to do is to update libraries that are old. I think this can be confusing for projects that expect certain settings on Ubuntu 16.04.
Is this still necessary now that #6180 is complete? Ubuntu 20.04 comes with libssl1.1
When you update to 20.04, it will be just 1.5 year old stuff in the image, which should be good enough for some time. The OpenSSL 1.1.1 should be supported at least until 2023 (assuming the bugs will be updated also in the image) [1].
The base image is now Ubuntu 20.04:
I think this can be closed.
Closing this as the OSS-Fuzz base image is now Ubuntu 20.04 - for more details see here #6302
We recently got an oss-fuzz report for libssh that is pointing deep into the openssl code, which is far out of reach of our project. Looking into the traces, openssl-1.0.2g is used, which is after EOL, so I do not believe it is something we should be solving and debugging.
The openssl is installed in the base-runner image already. Would it make sense to update to something more up-to-date?
The oss-fuzz reports showing the openssl issues:
https://oss-fuzz.com/testcase-detail/5152650317529088
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22133