[PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)

Done

Details

2 participants

Denis 'GNUtoo' Carikli
Ludovic Courtès

Owner: unassigned

Submitted by: Denis 'GNUtoo' Carikli

Severity: normal

Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 15:45

Recipients:(address . guix-patches@gnu.org)(name . Denis 'GNUtoo' Carikli)(address . GNUtoo@cyberdimension.org)

Message-ID:cover.1690895675.git.GNUtoo@cyberdimension.org

The patch that will follow updates OpenSSL 1.1 to the last version to fix the following CVEs:
* CVE-2023-0215 [1]
* CVE-2023-0286 [2]
* CVE-2023-0464 [3]
* CVE-2023-0465 [4]
* CVE-2023-0466 [5]
* CVE-2023-2650 [6]
* CVE-2022-4304 [7]
* CVE-2022-4450 [8]

[1]https://nvd.nist.gov/vuln/detail/CVE-2023-0215
[2]https://nvd.nist.gov/vuln/detail/CVE-2023-0286
[3]https://nvd.nist.gov/vuln/detail/CVE-2023-0464
[4]https://nvd.nist.gov/vuln/detail/CVE-2023-0465
[5]https://nvd.nist.gov/vuln/detail/CVE-2023-0466
[6]https://nvd.nist.gov/vuln/detail/CVE-2023-2650
[7]https://nvd.nist.gov/vuln/detail/CVE-2022-4304
[8]https://nvd.nist.gov/vuln/detail/CVE-2022-4450

While OpenSSL builds fine and that all its test pass on x86_64, it also has a
significant number of reverse dependencies (about 6850, so more than 300) that
need to be rebuilt.

Denis 'GNUtoo' Carikli (1):
  gnu: openssl-1.1: Update to 1.1.1u [security fixes].

 gnu/packages/tls.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
-- 
2.41.0

Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 15:52

[PATCH 1/1] gnu: openssl-1.1: Update to 1.1.1u [security fixes].

Recipients:(address . 64991@debbugs.gnu.org)(name . Denis 'GNUtoo' Carikli)(address . GNUtoo@cyberdimension.org)

Message-ID:f3c672946b8d11aefca44844a395c440095b7cfd.1690895675.git.GNUtoo@cyberdimension.org

Includes fixes for CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,

CVE-2023-0466, CVE-2023-2650, CVE-2022-4304, CVE-2022-4450.

* gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1u.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>

---

gnu/packages/tls.scm | 5 +++--

1 file changed, 3 insertions(+), 2 deletions(-)

Toggle diff (32 lines)diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..0c37d452c7 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -22,6 +22,7 @@
 ;;; Copyright © 2021 Matthew James Kraai <kraai@ftbfs.org>
 ;;; Copyright © 2021 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2022 Greg Hogan <code@greghogan.com>
+;;; Copyright © 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -425,7 +426,7 @@ (define (target->openssl-target target)
 (define-public openssl-1.1
   (package
     (name "openssl")
-    (version "1.1.1q")
+    (version "1.1.1u")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -438,7 +439,7 @@ (define-public openssl-1.1
               (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
               (sha256
                (base32
-                "1jhhzp4gh6ymidxm1ckjk948l583awp0w3y2nvqdz7022kk9r4yp"))))
+                "1ipbcdlqyxbj5lagasrq2p6gn0036wq6hqp7gdnd1v1ya95xiy72"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"        ;6.8 MiB of man3 pages and full HTML documentation
-- 
2.41.0

Ludovic Courtès wrote on 28 Sep 2023 12:08

Re: bug#64991: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)

Recipients:(name . Denis 'GNUtoo' Carikli)(address . GNUtoo@cyberdimension.org)

Message-ID:87y1gqwqy0.fsf_-_@gnu.org

Hi,

Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> skribis:

Toggle quote (5 lines)

> Includes fixes for CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,

> CVE-2023-0466, CVE-2023-2650, CVE-2022-4304, CVE-2022-4450.

> * gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1u.

[...]

Toggle quote (6 lines)

> (define-public openssl-1.1

> (package

> (name "openssl")

> - (version "1.1.1q")

> + (version "1.1.1u")

Finally applied but as a graft, in commit

51e1df07b1d21840551eb8dc15b4bfe5612e1bf9.

Thanks,

Ludo’.

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 64991@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date