[PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)

  • Done
Details
2 participants
  • Denis 'GNUtoo' Carikli
  • Andreas Enge
Owner
unassigned
Submitted by
Denis 'GNUtoo' Carikli
Severity
normal
Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 01:33
guix-patches@gnu.org; Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
cover.1690845769.git.GNUtoo@cyberdimension.org
Hi,

The patch that will follow updates LibreSSL to the latest version to fix
CVE-2023-35784[1]. That CVE consists of a double free and a use after free and
is considered critical according to NIST.

While LibreSSL builds fine and all its tests pass on x86_64, it also has a
significant number of reverse dependencies (a bit more than 30) that need to
be rebuilt, so I would need help with testing:
* axel
* catgirl
* ceph
* clamav
* epic5
* gmid
* httrack
* litterbox
* openboard
* openntpd
* openscad
* opensmtpd-extras
* opensmtpd-filter-rspamd
* pam-u2f
* pounce
* python-astroalign
* python-duckdb
* python-feather-format
* python-ikarus
* python-jwst
* python-modin
* python-poliastro
* python-regions
* python-sunpy
* python-tslearn
* python-vaex-core
* r-chromunity
* r-cistopic
* r-cistopic-next
* seek
* telescope
* xarcan
* zbackup

Denis.

Denis 'GNUtoo' Carikli (1):
gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].

gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
--
2.41.0
Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 02:15
[PATCH v1 1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].
64982@debbugs.gnu.org; Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
bdff186d2ba923b6c9b9dadb50c932e1ccb6de2f.1690845769.git.GNUtoo@cyberdimension.org
* gnu/packages/tls.scm (libressl): Update to 3.8.0.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
---
gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..deec73b43f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -659,14 +659,14 @@ (define-public bearssl
(define-public libressl
(package
(name "libressl")
- (version "3.6.1")
+ (version "3.8.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://openbsd/LibreSSL/"
"libressl-" version ".tar.gz"))
(sha256
(base32
- "0x37037rb0zx34zp0kbbqj2xwd57gh1m6bfn52f92fz92q9wdymc"))))
+ "1b5c45gkrfcvjpf5dx288r6x1zhc9dk9j61ixfmwdi88r0g1qlqj"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
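Review bot: the bump from `(version "3.6.1")` straight to `(version "3.8.0")` skips the 3.7.x line, and the closing message on this issue records that 3.8.0 and 3.8.1 are labelled "development releases" in upstream's release notes and that 3.8.0 breaks OpenSMTPD in QA, while 3.7.3 already carries the CVE-2023-35784 fix; for a security update that forces a rebuild of the thirty-odd dependents listed in the cover letter, 3.7.3 with its matching sha256 is the safer target. Whichever version is chosen, please state in the commit message how the new base32 hash was obtained (e.g. from the fetched tarball after checking upstream's release signature), since the hash line is the only thing besides the version string that this hunk changes and nothing here shows it was verified.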
--
2.41.0
Andreas Enge wrote on 7 Sep 2023 18:38
Closing
64982-done@debbugs.gnu.org
ZPn8kNP634pMGEfQ@jurong
Hello Denis,

thanks for the patch! This was fixed in commit
commit 310b0f72d8749376832fa1f149837a83d8e74629
Author: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Sun Aug 13 02:00:00 2023 +0200
gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784].
Thanks to Dennis 'GNUtoo' Carikli for https://issues.guix.gnu.org/64982,
but upgrading to 3.8.0 breaks (at least) OpenSMTPd.
* gnu/packages/tls.scm (libressl): Update to 3.7.3.

Indeed QA shows that opensmtpd fails:

I am closing this bug, as updating libressl to the most recent version
is a different topic. Actually the 3.8.0 and 3.8.1 releases are called
"development releases" in the release notes:
while 3.7.3 does not have the "development" term:
so we may be better off sticking with 3.7.x for the moment.

Andreas
Closed
This issue is archived.