GNU bug report logs - #64982
[PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)
Report forwarded to guix-patches <at> gnu.org: bug#64982; Package guix-patches. (Mon, 31 Jul 2023 23:34:02 GMT)
Acknowledgement sent to Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 31 Jul 2023 23:34:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi,
The patch that will follow updates LibreSSL to the latest version to fix
CVE-2023-35784[1]. That CVE consists of a double free and a use after free and
is considered critical according to NIST.
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-35784
While LibreSSL builds fine and all its tests pass on x86_64, it also has a
significant number of reverse dependencies (a bit more than 30) that need to
be rebuilt, so I would need help with testing:
* axel
* catgirl
* ceph
* clamav
* epic5
* gmid
* httrack
* litterbox
* openboard
* openntpd
* openscad
* opensmtpd-extras
* opensmtpd-filter-rspamd
* pam-u2f
* pounce
* python-astroalign
* python-duckdb
* python-feather-format
* python-ikarus
* python-jwst
* python-modin
* python-poliastro
* python-regions
* python-sunpy
* python-tslearn
* python-vaex-core
* r-chromunity
* r-cistopic
* r-cistopic-next
* seek
* telescope
* xarcan
* zbackup
Denis.
Denis 'GNUtoo' Carikli (1):
gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].
gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
--
2.41.0
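The rebuild-and-test round the cover letter asks for can be driven from the list that `guix refresh --list-dependent PACKAGE` prints. The script below is an added example, not part of the patch series or of Guix: it assumes the one-line summary format documented in the Guix manual ("Building the following N packages would ensure M dependent packages are rebuilt: pkg@ver ..."), extracts the dependents, and rebuilds each with `guix build --keep-going`, reporting the ones that fail. The sample summary line and its package versions are constructed for the example and are not the real dependents of libressl.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Guix itself. It parses
# the summary line printed by `guix refresh --list-dependent PACKAGE`
# (format as documented in the Guix manual) and rebuilds each dependent
# with `guix build --keep-going`, so a version bump like the libressl one
# can be checked against its reverse dependencies before it is submitted.

# Constructed sample of a `guix refresh -l` summary line. The packages and
# versions are illustrative only, not the real dependents of libressl.
SAMPLE_REFRESH_OUTPUT='Building the following 4 packages would ensure 6 dependent packages are rebuilt: axel@2.17.11 openntpd@6.8p1 opensmtpd@6.8.0p2 pam-u2f@1.3.0'

# Emit one dependent package name per line, dropping the "@version" suffix.
# Everything after the last ": " of the summary is the package list.
dependents_from_summary() {
    printf '%s\n' "$1" \
        | sed 's/^.*: //' \
        | tr ' ' '\n' \
        | sed -e 's/@.*$//' -e '/^$/d'
}

# Number of dependents named in the summary line.
count_dependents() {
    dependents_from_summary "$1" | wc -l | tr -d ' '
}

# Rebuild every dependent in turn. Progress goes to stderr; the names of
# the packages that failed to build are printed to stdout, one per line,
# so the caller can report exactly which reverse dependencies broke.
rebuild_dependents() {
    summary=$1
    for pkg in $(dependents_from_summary "$summary"); do
        # --keep-going lets guix finish the other derivations of a package
        # instead of stopping at the first failure.
        if guix build --keep-going "$pkg" >/dev/null 2>&1; then
            echo "ok   $pkg" >&2
        else
            echo "FAIL $pkg" >&2
            printf '%s\n' "$pkg"
        fi
    done
}

# Usage: ./check-dependents.sh --rebuild PACKAGE
# Without --rebuild (or without guix on PATH) only the parsing is exercised
# on the constructed sample, so the script is safe to run anywhere.
if [ "${1:-}" = "--rebuild" ] && command -v guix >/dev/null 2>&1; then
    target=${2:-libressl}
    failed=$(rebuild_dependents "$(guix refresh --list-dependent "$target")")
    if [ -n "$failed" ]; then
        echo "broken dependents of $target:" >&2
        printf '%s\n' "$failed" >&2
        exit 1
    fi
    echo "all dependents of $target rebuilt" >&2
else
    dependents_from_summary "$SAMPLE_REFRESH_OUTPUT"
fi
```

Run it after applying the version bump to a local checkout (for example via `./pre-inst-env` or `guix build` with a channel pinned to the patched commit); the non-zero exit and the list on stderr are what you would paste into the patch thread as test results.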
Information forwarded to guix-patches <at> gnu.org: bug#64982; Package guix-patches. (Tue, 01 Aug 2023 00:16:02 GMT)
Message #8 received at 64982 <at> debbugs.gnu.org:
* gnu/packages/tls.scm (libressl): Update to 3.8.0.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
---
gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..deec73b43f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -659,14 +659,14 @@ (define-public bearssl
(define-public libressl
(package
(name "libressl")
- (version "3.6.1")
+ (version "3.8.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://openbsd/LibreSSL/"
"libressl-" version ".tar.gz"))
(sha256
(base32
- "0x37037rb0zx34zp0kbbqj2xwd57gh1m6bfn52f92fz92q9wdymc"))))
+ "1b5c45gkrfcvjpf5dx288r6x1zhc9dk9j61ixfmwdi88r0g1qlqj"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
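Review bot: the version bump jumps straight from 3.6.1 to 3.8.0, and the follow-up in this thread (message #13) reports that 3.8.0 breaks at least opensmtpd on QA and that the 3.8.0 and 3.8.1 release notes call them development releases; since the stated goal of the series is only the CVE-2023-35784 fix, consider targeting the latest stable 3.7.x release instead (the maintainer landed the fix as `(version "3.7.3")`) and attaching the rebuild results for the ~30 dependents listed in the cover letter, since the commit message currently gives no indication of which of them were tested.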
--
2.41.0
Reply sent to Andreas Enge <andreas <at> enge.fr>: You have taken responsibility. (Thu, 07 Sep 2023 16:39:05 GMT)
Notification sent to Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>: bug acknowledged by developer. (Thu, 07 Sep 2023 16:39:05 GMT)
Message #13 received at 64982-done <at> debbugs.gnu.org:
Hello Denis,
thanks for the patch! This was fixed in commit
commit 310b0f72d8749376832fa1f149837a83d8e74629
Author: Tobias Geerinckx-Rice <me <at> tobias.gr>
Date: Sun Aug 13 02:00:00 2023 +0200
gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784].
Thanks to Dennis 'GNUtoo' Carikli for <https://issues.guix.gnu.org/64982>,
but upgrading to 3.8.0 breaks (at least) OpenSMTPd.
* gnu/packages/tls.scm (libressl): Update to 3.7.3.
Indeed QA shows that opensmtpd fails:
https://qa.guix.gnu.org/issue/64982
https://bordeaux.guix.gnu.org/build/16cbfca4-a0a3-4374-9ae4-6c1dad67494b/log
I am closing this bug, as updating libressl to the most recent version
is a different topic. Actually the 3.8.0 and 3.8.1 releases are called
"development releases" in the release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.0-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.1-relnotes.txt
while 3.7.3 does not have the "development" term:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.3-relnotes.txt
so we may be better off sticking with 3.7.x for the moment.
Andreas
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 06 Oct 2023 11:24:17 GMT)