[PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)

  • Done
Details
2 participants
  • Denis 'GNUtoo' Carikli
  • Ludovic Courtès
Owner
unassigned
Submitted by
Denis 'GNUtoo' Carikli
Severity
normal
Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 15:45
guix-patches@gnu.org, Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
cover.1690895675.git.GNUtoo@cyberdimension.org
The patch that follows updates OpenSSL 1.1 to the latest version to fix the following CVEs:
* CVE-2023-0215 [1]
* CVE-2023-0286 [2]
* CVE-2023-0464 [3]
* CVE-2023-0465 [4]
* CVE-2023-0466 [5]
* CVE-2023-2650 [6]
* CVE-2022-4304 [7]
* CVE-2022-4450 [8]


While OpenSSL builds fine and all its tests pass on x86_64, it also has a
significant number of reverse dependencies (about 6850, so more than 300) that
need to be rebuilt.

Denis 'GNUtoo' Carikli (1):
gnu: openssl-1.1: Update to 1.1.1u [security fixes].

gnu/packages/tls.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
--
2.41.0
Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 15:52
[PATCH 1/1] gnu: openssl-1.1: Update to 1.1.1u [security fixes].
64991@debbugs.gnu.org, Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
f3c672946b8d11aefca44844a395c440095b7cfd.1690895675.git.GNUtoo@cyberdimension.org
Includes fixes for CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,
CVE-2023-0466, CVE-2023-2650, CVE-2022-4304, CVE-2022-4450.

* gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1u.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
---
gnu/packages/tls.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..0c37d452c7 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -22,6 +22,7 @@
;;; Copyright © 2021 Matthew James Kraai <kraai@ftbfs.org>
;;; Copyright © 2021 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2022 Greg Hogan <code@greghogan.com>
+;;; Copyright © 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -425,7 +426,7 @@ (define (target->openssl-target target)
(define-public openssl-1.1
(package
(name "openssl")
- (version "1.1.1q")
+ (version "1.1.1u")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
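Review bot: Changing `version` from "1.1.1q" to "1.1.1u" in place alters the derivation of `openssl-1.1` and therefore of every package that depends on it, which the cover letter puts at about 6850 packages and flags as well over the 300 it mentions as the threshold; a security fix that has to reach users promptly should not wait on that rebuild. The usual way to ship it is a graft: keep `(version "1.1.1q")` here, add a `(replacement ...)` field to `openssl-1.1` naming a variant of the package built from the 1.1.1u tarball, and let Guix substitute the fixed store item into dependents without rebuilding them. That is how the maintainer eventually applied this change (commit 51e1df07b1d21840551eb8dc15b4bfe5612e1bf9).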
@@ -438,7 +439,7 @@ (define-public openssl-1.1
(patches (search-patches "openssl-1.1-c-rehash-in.patch"))
(sha256
(base32
- "1jhhzp4gh6ymidxm1ckjk948l583awp0w3y2nvqdz7022kk9r4yp"))))
+ "1ipbcdlqyxbj5lagasrq2p6gn0036wq6hqp7gdnd1v1ya95xiy72"))))
(build-system gnu-build-system)
(outputs '("out"
"doc" ;6.8 MiB of man3 pages and full HTML documentation
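Review bot: Neither the commit message nor the cover letter says how the new hash `1ipbcdlqyxbj5lagasrq2p6gn0036wq6hqp7gdnd1v1ya95xiy72` was obtained, and for a security update the reviewer needs to reproduce it rather than take it on trust; please state that the 1.1.1u tarball was fetched from www.openssl.org and its hash checked against the upstream-published checksum and signature (`guix download` on the tarball URL prints the base32 form to compare against). The unchanged context line `(patches (search-patches "openssl-1.1-c-rehash-in.patch"))` also deserves a sentence: the cover letter reports a clean build and test run on x86_64, but it should say explicitly that this patch still applies without fuzz across the four releases from q to u.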
--
2.41.0
Ludovic Courtès wrote on 28 Sep 2023 12:08
Re: bug#64991: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)
Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
87y1gqwqy0.fsf_-_@gnu.org
Hi,

Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> wrote:

> Includes fixes for CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,
> CVE-2023-0466, CVE-2023-2650, CVE-2022-4304, CVE-2022-4450.
>
> * gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1u.

[...]

> (define-public openssl-1.1
> (package
> (name "openssl")
> - (version "1.1.1q")
> + (version "1.1.1u")

Finally applied but as a graft, in commit
51e1df07b1d21840551eb8dc15b4bfe5612e1bf9.

Thanks,
Ludo’.
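The graft that the maintainer applied instead of the direct version bump is the standard Guix answer to the rebuild problem the cover letter raises: the package keeps its old version, and a `replacement` field names a second package built from the fixed tarball; at the end of a build Guix rewrites the store references of dependents to point at the replacement rather than rebuilding them. The module below is an added illustration of that pattern written for this page; it is not the content of commit 51e1df07b1d21840551eb8dc15b4bfe5612e1bf9. The module name `(example openssl-graft)` and the variable names `openssl-1.1/fixed` and `openssl-1.1/grafted` are assumptions; the tarball URL, the hash and the patch list come from the patch in this thread, and everything else is inherited from the `openssl-1.1` package that `(gnu packages tls)` already exports.

```scheme
;; Added illustration of the Guix graft pattern for this thread; it is
;; not the code of commit 51e1df07b1d21840551eb8dc15b4bfe5612e1bf9.
;; The module name and the variable names openssl-1.1/fixed and
;; openssl-1.1/grafted are assumptions made for the example.
(define-module (example openssl-graft)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (gnu packages tls))

;; The fixed build.  It inherits build system, arguments, outputs and
;; everything else from the existing openssl-1.1 so that it remains a
;; drop-in replacement; only the source tarball changes.  URL and hash
;; are the ones from the patch in this thread.
(define openssl-1.1/fixed
  (package
    (inherit openssl-1.1)
    (version "1.1.1u")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://www.openssl.org/source/openssl-"
                                  version ".tar.gz"))
              ;; Keep the same local patches the original source applies
              ;; (openssl-1.1-c-rehash-in.patch in the page's tls.scm).
              (patches (origin-patches (package-source openssl-1.1)))
              (sha256
               (base32
                "1ipbcdlqyxbj5lagasrq2p6gn0036wq6hqp7gdnd1v1ya95xiy72"))))))

;; The grafted package.  In gnu/packages/tls.scm the 'replacement' field
;; is added to openssl-1.1 itself, so every dependent picks it up; a
;; separate variable is used here only because the full definition of
;; openssl-1.1 is not on this page.  The version stays "1.1.1q", so the
;; derivations of the ~6850 dependents are unchanged and nothing is
;; rebuilt; Guix instead rewrites references to the 1.1.1q store item
;; into references to the 1.1.1u store item when producing outputs.
(define-public openssl-1.1/grafted
  (package
    (inherit openssl-1.1)
    (replacement openssl-1.1/fixed)))
```

With the module on the load path, `guix build -L . -e '(@ (example openssl-graft) openssl-1.1/grafted)'` builds the 1.1.1u replacement and the grafted output, and adding `--no-grafts` shows the unchanged 1.1.1q build underneath; `guix refresh -l openssl@1.1` lists the dependents a direct version bump would have rebuilt. Grafting only substitutes store paths, so the replacement must declare the same outputs (here inherited: "out" and "doc" as shown in the hunk) and must be ABI-compatible with what it replaces, which an OpenSSL 1.1.1 letter release is; a graft is not a safe vehicle for a change that alters the library's ABI or its set of outputs.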
Closed