[PATCH 0/1] OpenSSL 3.0: Fix 6 CVEs (max score: 7.5 high, 8680 dependent packages)

Details

One participant

Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 17:36

Recipients:(address . guix-patches@gnu.org)(name . Denis 'GNUtoo' Carikli)(address . GNUtoo@cyberdimension.org)

Message-ID:cover.1690903854.git.GNUtoo@cyberdimension.org

The patch that will follow updates OpenSSL 3.0 to the last version to fix the

following CVEs:

* CVE-2023-0464 [1]

* CVE-2023-0465 [2]

* CVE-2023-0466 [3]

* CVE-2023-1255 [4]

* CVE-2023-2650 [5]

* CVE-2023-2975 [6]

While OpenSSL builds fine and that all its test pass on x86_64, it also has a

significant number of reverse dependencies (about 8680, so more than 300) that

need to be rebuilt.

Denis 'GNUtoo' Carikli (1):

gnu: openssl: Update to 3.0.10 [security fixes].

gnu/packages/tls.scm | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

base-commit: 39fbc041f92489ec30075a85937c8a38723752dc

2.41.0

Denis 'GNUtoo' Carikli wrote on 1 Aug 2023 18:36

[PATCH 1/1] gnu: openssl: Update to 3.0.10 [security fixes].

Recipients:(address . 64997@debbugs.gnu.org)(name . Denis 'GNUtoo' Carikli)(address . GNUtoo@cyberdimension.org)

Message-ID:a64f840a98dc83d72e7b30a1282618b0676ecad6.1690903854.git.GNUtoo@cyberdimension.org

Includes fixes for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-1255,

CVE-2023-2650, CVE-2023-2975.

* gnu/packages/tls.scm (openssl): Update to 3.0.10.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>

---

gnu/packages/tls.scm | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (24 lines)diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..62d9ce75ac 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -570,7 +570,7 @@ (define openssl/fixed
 (define-public openssl-3.0
   (package
     (inherit openssl-1.1)
-    (version "3.0.8")
+    (version "3.0.10")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -583,7 +583,7 @@ (define-public openssl-3.0
               (patches (search-patches "openssl-3.0-c-rehash-in.patch"))
               (sha256
                (base32
-                "0gjb7qjl2jnzs1liz3rrccrddxbk6q3lg8z27jn1xwzx72zx44vc"))))
+                "08rkx3f2qg8rsxhzwshg6z4ys37bgzhvim7knswjh41sn7sx8q8p"))))
     (arguments
      (substitute-keyword-arguments (package-arguments openssl-1.1)
        ((#:phases phases '%standard-phases)
-- 
2.41.0

Your comment

Commenting via the web interface is currently disabled.