securityonline.info 7/6/2026, 5:42:32 PM · external

OpenSSL error queue bug disrupts apt HTTPS on Debian FIPS systems

OpenSSL error queue bug disrupts apt HTTPS on Debian FIPS systems
CyberSIXT Evidence Panel
Primary Source seclists.org

A Debian maintainer identified a widespread error handling issue in OpenSSL affecting HTTPS access on FIPS-only systems, traced to coding shortcuts in error management. Although there's no CVE or active exploitation linked, the problem can mask critical errors, risking security. The issue stems from OpenSSL's per-thread error queue, where apt does not clear the queue before TLS operations, causing it to misinterpret benign errors as fatal.

Klode highlights two bad coding practices contributing to this: premature error clearing and incomplete error checks. The issue primarily affects Debian 13 with apt 3.0 and OpenSSL 3.5.6. To mitigate, developers are advised to clear the queue appropriately, and a specific patch for apt is being considered. For immediate relief, enabling the default OpenSSL provider can restore repository access.

View Primary Source Via securityonline.info

Article by CyberSIXT