Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 888569 - Emerge of openssl-3.0.7-r2 does not appear to satisfy package dependencies.
Summary: Emerge of openssl-3.0.7-r2 does not appear to satisfy package dependencies.
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: Normal normal (vote)
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-26 22:10 UTC by contactopublico57
Modified: 2022-12-26 22:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description contactopublico57 2022-12-26 22:10:45 UTC 
If emerging openssl-3.0.7-r2 is intended to obsolete vulnerable lesser versions, portage does not appear to be updating to openssl-3.0.7-r2 and also satisfying the specific dependency requirements for other packages.

Reproducible: Always

Steps to Reproduce:
1.sudo emerge -a =dev-libs/openssl-3.0.7-r2
2.emerge completes if dev-libs/openssl-1.1.1s first unemerged
3.emerge of dev-libs/openssl-3.0.7-r2 does not appear to satisfy specific dev-libs/openssl-1.1.1s dependencies of other packages.
Actual Results:  
sudo emerge -avuDN --ask --keep-going world

emerge of dev-libs/openssl-3.0.7-r2 does not replace dev-libs/openssl-1.1.1s package dependencies even when dev-libs/openssl-1.1.1s is uninstalled and masked to prevent reinstallation.

!!! All ebuilds that could satisfy "=dev-libs/openssl-1.1*:0=" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-libs/openssl-1.1.1s::gentoo (masked by: package.mask)
/etc/portage/package.mask:

Expected Results:  
Expectation that openssl-3.0.7-r2 was issued to obsolete vulnerable lesser versions, and eliminate the package dependencies for lesser versions.

Pursuant to the recently published vulnerabilities in openssl, a new version, dev-libs/openssl-3.0.7-r2, appeared in the proposed package emerge, albeit with many conflicting installed package dependencies continuing to require dev-libs/openssl-1.1.1s.

^^^^^^^
examples: 

 (dev-libs/openssl-3.0.7-r2:0/3::gentoo, ebuild scheduled for merge) USE="asm vanilla -fips -ktls -rfc3779 -sctp -static-libs -test -tls-compression -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" conflicts with
    dev-libs/openssl:0/1.1=[abi_x86_64(-)] required by (app-arch/xar-1.8.0.0.487.100.1:0/0::gentoo, installed) USE="" ABI_X86="(64) -32 (-x32)"
                                   
    >=dev-libs/openssl-1.0.2k:0/1.1= required by (net-wireless/wpa_supplicant-2.10-r1-1:0/0::gentoo, installed) USE="crda dbus fils hs2-0 mbo mesh qt5 readline -ap -broadcom-sta -eap-sim -eapol-test -fasteap -macsec -p2p -privsep (-ps3) (-selinux) -smartcard -tdls -tkip -uncommon-eap-types -wep (-wimax) -wps" ABI_X86="(64)"

    >=dev-libs/openssl-1.1.1:0/1.1= required by (dev-lang/python-3.10.9:3.10/3.10::gentoo, installed) USE="build ensurepip gdbm ncurses readline sqlite ssl xml -bluetooth -examples -hardened -libedit -lto -pgo -test -tk -valgrind -verify-sig" ABI_X86="(64)"
^^^^^^^

If dev-libs/openssl-3.0.7-r2 is meant to replace lesser versioned openssl, including a vulnerable dev-libs/openssl-1.1.1s, it does not appear to emerge and eliminate the requirement for dev-libs/openssl-1.1.1s.

Uninstalling dev-libs/openssl-1.1.1s and emerging dev-libs/openssl-3.0.7-r2 does not appear to force rebuilds for openssl-1.1.1s dependent packages. 

Masking openssl <=dev-libs/openssl-3.0.7 does not resolve the issue: 

!!! All ebuilds that could satisfy "=dev-libs/openssl-1.1*:0=" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-libs/openssl-1.1.1s::gentoo masked by: package.mask)
/etc/portage/package.mask:
^^^^^^^

At one point it appears to me that portage was proposing to install both openssl versions:

sudo emerge @preserved-rebuild

[ebuild  rR    ] dev-libs/openssl-1.1.1s:0/1.1::gentoo  USE="asm vanilla -rfc3779 -sctp -sslv3 -static-libs -test -tls-compression -tls-heartbeat -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 9,638 KiB

[ebuild  r  U  ] dev-libs/openssl-3.0.7-r1:0/3::gentoo [1.1.1s:0/1.1::gentoo] USE="asm vanilla -fips% -ktls% -rfc3779 -sctp -static-libs -test -tls-compression -verify-sig -weak-ssl-ciphers (-sslv3%) (-tls-heartbeat%)" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 14,754 KiB
^^^^^^^

And here complaining of a slot conflict:

sudo emerge -a =dev-libs/openssl-3.0.7-r2

These are the packages that would be merged, in order:

Calculating dependencies               ... done!             
[ebuild  r  U  ] dev-libs/openssl-3.0.7-r2 [1.1.1s] USE="-fips% -ktls%" 
[ebuild  rR    ] sys-apps/coreutils-9.1-r2 
[ebuild  rR    ] net-misc/rsync-3.2.7-r1 
[ebuild  rR    ] dev-libs/libevent-2.1.12 
[ebuild  rR    ] dev-perl/Net-SSLeay-1.920.0 
[ebuild  rR    ] sys-fs/diskdev_cmds-332.14_p1-r4 
[ebuild  rR    ] dev-lang/python-3.10.9 
[ebuild  rR    ] net-misc/curl-7.87.0 
[ebuild  rR    ] sys-fs/cryptsetup-2.4.3-r2 
[ebuild  rR    ] sys-apps/systemd-252.4 
[ebuild  rR    ] net-misc/wget-1.21.3-r1 
[ebuild  rR    ] dev-lang/python-3.9.16 
[ebuild  rR    ] app-crypt/rhash-1.4.3 
[ebuild  rR    ] app-arch/xar-1.8.0.0.487.100.1 
[ebuild  rR    ] media-libs/opusfile-0.12-r1 
[ebuild  rR    ] net-libs/neon-0.32.4 
[ebuild  rR    ] app-arch/libarchive-3.6.1-r1 
[ebuild  rR    ] net-vpn/tor-0.4.7.12 
[ebuild  rR    ] net-misc/openssh-9.1_p1-r1 
[ebuild  rR    ] dev-lang/ruby-3.1.3 
[ebuild  rR    ] dev-python/m2crypto-0.38.0 
[ebuild  rR    ] net-wireless/crda-4.14 
[ebuild  rR    ] dev-python/cryptography-38.0.4 
[ebuild  rR    ] app-crypt/mit-krb5-1.20.1 
[ebuild  rR    ] app-editors/xemacs-21.5.34-r13 
[ebuild  rR    ] app-admin/sudo-1.9.12_p1 
[ebuild  rR    ] app-text/qpdf-11.2.0-r1 
[ebuild  rR    ] net-libs/libtorrent-rasterbar-1.2.18 
[ebuild  rR    ] net-libs/libssh-0.10.4 
[ebuild  r  U  ] net-libs/libtorrent-rasterbar-2.0.8 [1.2.18] USE="-gnutls%" PYTHON_SINGLE_TARGET="-python3_11%" 
[ebuild  rR    ] net-wireless/wpa_supplicant-2.10-r1 
[ebuild  rR    ] dev-vcs/git-2.39.0 
[ebuild  rR    ] app-portage/portage-utils-0.94.4 
[ebuild  rR    ] net-dialup/ppp-2.4.9-r8 
[ebuild  rR    ] dev-qt/qtnetwork-5.15.7 
[ebuild  rR    ] net-p2p/qbittorrent-4.4.5-r2 
[ebuild  rR    ] media-sound/pulseaudio-daemon-16.1-r6 

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

dev-libs/openssl:0

  (dev-libs/openssl-3.0.7-r2:0/3::gentoo, ebuild scheduled for merge) USE="asm vanilla -fips -ktls -rfc3779 -sctp -static-libs -test -tls-compression -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" pulled in by
    =dev-libs/openssl-3.0.7-r2 (Argument)

  (dev-libs/openssl-1.1.1s:0/1.1::gentoo, installed) USE="asm vanilla -rfc3779 -sctp -sslv3 -static-libs -test -tls-compression -tls-heartbeat -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" pulled in by
    dev-libs/openssl:0/1.1= required by (www-client/w3m-0.5.3_p20220429-r1:0/0::gentoo, installed) USE="X fbcon nls ssl unicode -gdk-pixbuf -gpm -imlib -lynxkeymap -nntp -xface" ABI_X86="(64)" L10N="-ja"

The following packages are causing rebuilds:

  (dev-libs/openssl-3.0.7-r2:0/3::gentoo, ebuild scheduled for merge) causes rebuilds for:
    (net-misc/wget-1.21.3-r1:0/0::gentoo, ebuild scheduled for merge)
    (net-vpn/tor-0.4.7.12:0/0::gentoo, ebuild scheduled for merge)
    (media-sound/pulseaudio-daemon-16.1-r6:0/0::gentoo, ebuild scheduled for merge)
    (net-libs/libssh-0.10.4:0/4::gentoo, ebuild scheduled for merge)
    (net-wireless/wpa_supplicant-2.10-r1:0/0::gentoo, ebuild scheduled for merge)
    (dev-libs/libevent-2.1.12:0/2.1-7::gentoo, ebuild scheduled for merge)
    (sys-fs/cryptsetup-2.4.3-r2:0/12::gentoo, ebuild scheduled for merge)
    (sys-fs/diskdev_cmds-332.14_p1-r4:0/0::gentoo, ebuild scheduled for merge)
    (net-misc/openssh-9.1_p1-r1:0/0::gentoo, ebuild scheduled for merge)
    (app-text/qpdf-11.2.0-r1:0/11::gentoo, ebuild scheduled for merge)
    (net-wireless/crda-4.14:0/0::gentoo, ebuild scheduled for merge)
    (app-arch/libarchive-3.6.1-r1:0/13::gentoo, ebuild scheduled for merge)
    (net-libs/libtorrent-rasterbar-1.2.18:0/10::gentoo, ebuild scheduled for merge)
    (dev-lang/python-3.10.9:3.10/3.10::gentoo, ebuild scheduled for merge)
    (dev-qt/qtnetwork-5.15.7:5/5.15::gentoo, ebuild scheduled for merge)
    (sys-apps/coreutils-9.1-r2:0/0::gentoo, ebuild scheduled for merge)
    (app-arch/xar-1.8.0.0.487.100.1:0/0::gentoo, ebuild scheduled for merge)
    (dev-vcs/git-2.39.0:0/0::gentoo, ebuild scheduled for merge)
    (dev-python/m2crypto-0.38.0:0/0::gentoo, ebuild scheduled for merge)
    (net-misc/rsync-3.2.7-r1:0/0::gentoo, ebuild scheduled for merge)
    (app-crypt/rhash-1.4.3:0/0::gentoo, ebuild scheduled for merge)
    (dev-python/cryptography-38.0.4:0/0::gentoo, ebuild scheduled for merge)
    (dev-lang/python-3.9.16:3.9/3.9::gentoo, ebuild scheduled for merge)
    (net-libs/neon-0.32.4:0/27::gentoo, ebuild scheduled for merge)
    (media-libs/opusfile-0.12-r1:0/0::gentoo, ebuild scheduled for merge)
    (net-p2p/qbittorrent-4.4.5-r2:0/0::gentoo, ebuild scheduled for merge)
    (dev-lang/ruby-3.1.3:3.1/3.1::gentoo, ebuild scheduled for merge)
    (app-admin/sudo-1.9.12_p1:0/0::gentoo, ebuild scheduled for merge)
    (net-misc/curl-7.87.0:0/0::gentoo, ebuild scheduled for merge)
    (net-dialup/ppp-2.4.9-r8:0/2.4.9::gentoo, ebuild scheduled for merge)
    (dev-perl/Net-SSLeay-1.920.0:0/0::gentoo, ebuild scheduled for merge)
    (app-portage/portage-utils-0.94.4:0/0::gentoo, ebuild scheduled for merge)
    (sys-apps/systemd-252.4:0/2::gentoo, ebuild scheduled for merge)
    (app-editors/xemacs-21.5.34-r13:0/0::gentoo, ebuild scheduled for merge)
    (app-crypt/mit-krb5-1.20.1:0/0::gentoo, ebuild scheduled for merge)

!!! The following installed packages are masked:
- dev-libs/openssl-1.1.1s::gentoo (masked by: package.mask)
^^^^^^^

After unemerging openssl-1.1.1s and installing dev-libs/openssl-3.0.7-r2:

sudo emerge --info openssl

dev-libs/openssl-3.0.7-r2::gentoo was built with the following:
USE="asm vanilla -fips -ktls -rfc3779 -sctp -static-libs -test -tls-compression -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)"
CFLAGS="-march=native -O2 -pipe -fno-strict-aliasing -Wa,--noexecstack"
CXXFLAGS="-march=native -O2 -pipe -fno-strict-aliasing -Wa,--noexecstack"
FEATURES="binpkg-docompress distlocks config-protect-if-modified unmerge-orphans ipc-sandbox unknown-features-warn qa-unresolved-soname-deps ebuild-locks usersync userpriv assume-digests multilib-strict sandbox fixlafiles sfperms news binpkg-logs pid-sandbox protect-owned binpkg-dostrip parallel-fetch nodoc strict network-sandbox xattr usersandbox preserve-libs merge-sync buildpkg-live unmerge-logs binpkg-multi-instance candy"

sudo emerge -avuDN --ask --keep-going world

Still calling for "=dev-libs/openssl-1.1*:0="

!!! All ebuilds that could satisfy "=dev-libs/openssl-1.1*:0=" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-libs/openssl-1.1.1s::gentoo (masked by: package.mask)
/etc/portage/package.mask:
^^^^^^^

If emerging openssl-3.0.7-r2 is intended to obsolete vulnerable lesser versions, portage does not appear to be updating to openssl-3.0.7-r2 and also eliminating the requirement for lesser versions.
Comment 1 Ionen Wolkens gentoo-dev 2022-12-26 22:21:24 UTC 
1.1.1s is not vulnerable, it's currently still supported and getting new releases whenever there's issues (it's also the current stable version still).

If you remove masks and attempt a normal world upgrade, e.g. emerge -uUDav @world, it may either successfully upgrade to 3 or there may be a "WARNING:" telling you why it can't be upgraded yet (it's possible you still have a package installed that hasn't been ported to openssl-3 yet and prevent upgrading for now).