GNU bug report logs - #64991
[PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)


Package: guix-patches;

Reported by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>

Date: Tue, 1 Aug 2023 13:47:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#64991; Package guix-patches. (Tue, 01 Aug 2023 13:47:02 GMT)

Acknowledgement sent to Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 01 Aug 2023 13:47:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: guix-patches <at> gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high,
 6850 dependent packages)
Date: Tue,  1 Aug 2023 15:45:37 +0200
The patch that will follow updates OpenSSL 1.1 to the latest version to fix the following CVEs:
* CVE-2023-0215 [1]
* CVE-2023-0286 [2]
* CVE-2023-0464 [3]
* CVE-2023-0465 [4]
* CVE-2023-0466 [5]
* CVE-2023-2650 [6]
* CVE-2022-4304 [7]
* CVE-2022-4450 [8]

[1]https://nvd.nist.gov/vuln/detail/CVE-2023-0215
[2]https://nvd.nist.gov/vuln/detail/CVE-2023-0286
[3]https://nvd.nist.gov/vuln/detail/CVE-2023-0464
[4]https://nvd.nist.gov/vuln/detail/CVE-2023-0465
[5]https://nvd.nist.gov/vuln/detail/CVE-2023-0466
[6]https://nvd.nist.gov/vuln/detail/CVE-2023-2650
[7]https://nvd.nist.gov/vuln/detail/CVE-2022-4304
[8]https://nvd.nist.gov/vuln/detail/CVE-2022-4450

While OpenSSL builds fine and all its tests pass on x86_64, it also has a
significant number of reverse dependencies (about 6850, so more than 300) that
need to be rebuilt.

Denis 'GNUtoo' Carikli (1):
  gnu: openssl-1.1: Update to 1.1.1u [security fixes].

 gnu/packages/tls.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#64991; Package guix-patches. (Tue, 01 Aug 2023 13:53:02 GMT)

Message #8 received at 64991 <at> debbugs.gnu.org:

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: 64991 <at> debbugs.gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH 1/1] gnu: openssl-1.1: Update to 1.1.1u [security fixes].
Date: Tue,  1 Aug 2023 15:52:05 +0200
Includes fixes for CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,
CVE-2023-0466, CVE-2023-2650, CVE-2022-4304, CVE-2022-4450.

* gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1u.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
---
 gnu/packages/tls.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..0c37d452c7 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -22,6 +22,7 @@
 ;;; Copyright © 2021 Matthew James Kraai <kraai <at> ftbfs.org>
 ;;; Copyright © 2021 John Kehayias <john.kehayias <at> protonmail.com>
 ;;; Copyright © 2022 Greg Hogan <code <at> greghogan.com>
+;;; Copyright © 2023 Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
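Review bot: Style point on the added copyright line at the top of this hunk: the substantive change in this patch is a two-line version and hash bump, so check whether a new copyright notice is warranted for a change this small under the project's usual practice for trivial updates. The placement itself (after the 2022 entry, in year order) matches the surrounding lines.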
@@ -425,7 +426,7 @@ (define (target->openssl-target target)
 (define-public openssl-1.1
   (package
     (name "openssl")
-    (version "1.1.1q")
+    (version "1.1.1u")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://www.openssl.org/source/openssl-"
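Review bot: Changing `(version "1.1.1q")` to `(version "1.1.1u")` in place means every one of the roughly 6850 dependents named in the cover letter is rebuilt, which is why the maintainer ultimately applied this as a graft rather than as written here; for a security fix with this many dependents, consider submitting it as a separate replacement package wired in through the package's `replacement` field so the fix can be grafted onto existing builds. Note also that the source uri appears to be built from the version string, so the sha256 must be updated in step with the version (it is, in the following hunk).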
@@ -438,7 +439,7 @@ (define-public openssl-1.1
               (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
               (sha256
                (base32
-                "1jhhzp4gh6ymidxm1ckjk948l583awp0w3y2nvqdz7022kk9r4yp"))))
+                "1ipbcdlqyxbj5lagasrq2p6gn0036wq6hqp7gdnd1v1ya95xiy72"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"        ;6.8 MiB of man3 pages and full HTML documentation
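Review bot: The new base32 sha256 in this hunk cannot be checked from the diff alone; before merging, fetch the 1.1.1u tarball independently and confirm the hash against OpenSSL's published checksum and signature rather than taking the value from the patch, since this hash is the only integrity check on the downloaded source. The retained `openssl-1.1-c-rehash-in.patch` should also be confirmed to still apply to 1.1.1u; the cover letter's x86_64 build and test report suggests it does, but that is worth stating in the commit message.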
-- 
2.41.0





Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Thu, 28 Sep 2023 10:09:01 GMT)

Notification sent to Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>:
bug acknowledged by developer. (Thu, 28 Sep 2023 10:09:02 GMT)

Message #13 received at 64991-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Cc: Tobias Geerinckx-Rice <me <at> tobias.gr>,
 Simon Tournier <zimon.toutoune <at> gmail.com>, paren <at> disroot.org,
 Christopher Baines <mail <at> cbaines.net>, Ricardo Wurmus <rekado <at> elephly.net>,
 Raghav Gururajan <rg <at> raghavgururajan.name>, jgart <jgart <at> dismail.de>,
 Mathieu Othacehe <othacehe <at> gnu.org>, 64991-done <at> debbugs.gnu.org
Subject: Re: bug#64991: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5
 high, 6850 dependent packages)
Date: Thu, 28 Sep 2023 12:08:23 +0200
Hi,

Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org> wrote:

> Includes fixes for CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,
> CVE-2023-0466, CVE-2023-2650, CVE-2022-4304, CVE-2022-4450.
>
> * gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1u.

[...]

>  (define-public openssl-1.1
>    (package
>      (name "openssl")
> -    (version "1.1.1q")
> +    (version "1.1.1u")

Finally applied but as a graft, in commit
51e1df07b1d21840551eb8dc15b4bfe5612e1bf9.

Thanks,
Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 26 Oct 2023 11:24:15 GMT)

This bug report was last modified 1 year and 196 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.