GNU bug report logs - #64997
[PATCH 0/1] OpenSSL 3.0: Fix 6 CVEs (max score: 7.5 high, 8680 dependent packages)
Report forwarded to guix-patches <at> gnu.org: bug#64997; Package guix-patches. (Tue, 01 Aug 2023 16:33:02 GMT)
Acknowledgement sent to Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 01 Aug 2023 16:33:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
The patch that will follow updates OpenSSL 3.0 to the last version to fix the
following CVEs:
* CVE-2023-0464 [1]
* CVE-2023-0465 [2]
* CVE-2023-0466 [3]
* CVE-2023-1255 [4]
* CVE-2023-2650 [5]
* CVE-2023-2975 [6]
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-0464
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-0465
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-0466
[4] https://nvd.nist.gov/vuln/detail/CVE-2023-1255
[5] https://nvd.nist.gov/vuln/detail/CVE-2023-2650
[6] https://nvd.nist.gov/vuln/detail/CVE-2023-2975
While OpenSSL builds fine and all its tests pass on x86_64, it also has a
significant number of reverse dependencies (about 8680, so more than 300) that
need to be rebuilt.
Denis 'GNUtoo' Carikli (1):
gnu: openssl: Update to 3.0.10 [security fixes].
gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
--
2.41.0
Information forwarded to guix-patches <at> gnu.org: bug#64997; Package guix-patches. (Tue, 01 Aug 2023 16:37:02 GMT)
Message #8 received at 64997 <at> debbugs.gnu.org (full text, mbox):
Includes fixes for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-1255,
CVE-2023-2650, CVE-2023-2975.
* gnu/packages/tls.scm (openssl): Update to 3.0.10.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
---
gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..62d9ce75ac 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -570,7 +570,7 @@ (define openssl/fixed
(define-public openssl-3.0
(package
(inherit openssl-1.1)
- (version "3.0.8")
+ (version "3.0.10")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
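Review bot: the bump at (version "3.0.10") jumps from 3.0.8 straight to 3.0.10, and neither the commit message nor this hunk says how the rebuild of the roughly 8680 dependent packages mentioned in the cover letter will be handled. The hunk header shows an openssl/fixed definition directly above this package, so please state whether this change targets a rebuild branch or whether a graft for openssl-3.0 was considered, so the six CVE fixes can reach users without waiting on the full rebuild. It would also help to note in the commit message which of the listed CVEs are fixed by 3.0.9 and which by 3.0.10, since both releases are picked up at once.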
@@ -583,7 +583,7 @@ (define-public openssl-3.0
(patches (search-patches "openssl-3.0-c-rehash-in.patch"))
(sha256
(base32
- "0gjb7qjl2jnzs1liz3rrccrddxbk6q3lg8z27jn1xwzx72zx44vc"))))
+ "08rkx3f2qg8rsxhzwshg6z4ys37bgzhvim7knswjh41sn7sx8q8p"))))
(arguments
(substitute-keyword-arguments (package-arguments openssl-1.1)
((#:phases phases '%standard-phases)
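Review bot: the new sha256 base32 value cannot be checked from the diff, and the message does not say how it was obtained. Please mention that the 3.0.10 tarball's upstream signature was checked and the hash recomputed from the release URL (for example with guix download) so a second person can reproduce it. The context line keeps openssl-3.0-c-rehash-in.patch unchanged, so confirm it still applies cleanly to 3.0.10; the cover letter reports a build and test run on x86_64 only, so other architectures remain unverified.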
--
2.41.0
This bug report was last modified 1 year and 110 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.