[PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)

  • Done
  • quality assurance status badge
Details
2 participants
  • Denis 'GNUtoo' Carikli
  • Andreas Enge
Owner
unassigned
Submitted by
Denis 'GNUtoo' Carikli
Severity
normal
D
D
Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 01:33
(address . guix-patches@gnu.org)(name . Denis 'GNUtoo' Carikli)(address . GNUtoo@cyberdimension.org)
cover.1690845769.git.GNUtoo@cyberdimension.org
Hi,

The patch that will follow updates LibreSSL to the last version to fix the
CVE-2023-35784[1]. That CVE consist of a double free and a use after free and
is considered critical according to the NIST.


While LibreSSL builds fine and that all its test pass on x86_64, it also has a
significant number of reverse dependencies (a bit more than 30) that need to
be rebuilt, so I would need help with testing:
* axel
* catgirl
* ceph
* clamav
* epic5
* gmid
* httrack
* litterbox
* openboard
* openntpd
* openscad
* opensmtpd-extras
* opensmtpd-filter-rspamd
* pam-u2f
* pounce
* python-astroalign
* python-duckdb
* python-feather-format
* python-ikarus
* python-jwst
* python-modin
* python-poliastro
* python-regions
* python-sunpy
* python-tslearn
* python-vaex-core
* r-chromunity
* r-cistopic
* r-cistopic-next
* seek
* telescope
* xarcan
* zbackup

Denis.

Denis 'GNUtoo' Carikli (1):
gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].

gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
--
2.41.0
D
D
Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 02:15
[PATCH v1 1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].
(address . 64982@debbugs.gnu.org)(name . Denis 'GNUtoo' Carikli)(address . GNUtoo@cyberdimension.org)
bdff186d2ba923b6c9b9dadb50c932e1ccb6de2f.1690845769.git.GNUtoo@cyberdimension.org
* gnu/packages/tls.scm (libressl): Update to 3.8.0.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
---
gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (23 lines)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..deec73b43f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -659,14 +659,14 @@ (define-public bearssl
(define-public libressl
(package
(name "libressl")
- (version "3.6.1")
+ (version "3.8.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://openbsd/LibreSSL/"
"libressl-" version ".tar.gz"))
(sha256
(base32
- "0x37037rb0zx34zp0kbbqj2xwd57gh1m6bfn52f92fz92q9wdymc"))))
+ "1b5c45gkrfcvjpf5dx288r6x1zhc9dk9j61ixfmwdi88r0g1qlqj"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
--
2.41.0
A
A
Andreas Enge wrote on 7 Sep 2023 18:38
Closing
(address . 64982-done@debbugs.gnu.org)
ZPn8kNP634pMGEfQ@jurong
Hello Denis,

thanks for the patch! This was fixed in commit
commit 310b0f72d8749376832fa1f149837a83d8e74629
Author: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Sun Aug 13 02:00:00 2023 +0200
gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784].
Thanks to Dennis 'GNUtoo' Carikli for https://issues.guix.gnu.org/64982,
but upgrading to 3.8.0 breaks (at least) OpenSMTPd.
* gnu/packages/tls.scm (libressl): Update to 3.7.3.

Indeed QA shows that opensmtpd fails:

I am closing this bug, as updating libressl to the most recent version
is a different topic. Actually the 3.8.0 and 3.8.1 releases are called
"development releases" in the release notes:
while 3.7.3 does not have the "development" term:
so we may be better off sticking with 3.7.x for the moment.

Andreas
Closed
?