GNU bug report logs - #66197
[PATCH] gnu: openssl-1.1: replace with 1.1.1w.


Package: guix-patches;

Reported by: Christopher Baines <mail <at> cbaines.net>

Date: Mon, 25 Sep 2023 19:52:02 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 66197 AT debbugs.gnu.org.



Report forwarded to guix-patches <at> gnu.org:
bug#66197; Package guix-patches. (Mon, 25 Sep 2023 19:52:02 GMT)

Acknowledgement sent to Christopher Baines <mail <at> cbaines.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 25 Sep 2023 19:52:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Christopher Baines <mail <at> cbaines.net>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: openssl-1.1: replace with 1.1.1w.
Date: Mon, 25 Sep 2023 20:50:50 +0100

From: Sevan Janiyan <venture37 <at> geeklan.co.uk>

Address various CVEs.

* gnu/packages/tls.scm (openssl/fixed): Update to 1.1.1w.
(openssl-1.1)[replacement]: Use openssl/fixed
---
 gnu/packages/tls.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b669ac2e8d..6a26abd6c5 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -426,6 +426,7 @@ (define-public openssl-1.1
   (package
     (name "openssl")
     (version "1.1.1q")
+    (replacement openssl/fixed)
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://www.openssl.org/source/openssl-"
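Review bot: the `(replacement openssl/fixed)` field added under `(version "1.1.1q")` has no comment saying that it is a security graft, and the graft is only sound if 1.1.1w is a binary-compatible drop-in for 1.1.1q with the same SONAME. Please add a one-line comment above the field and confirm that a few dependents were built and run with grafts enabled. The name and version strings are the same length in both packages, which keeps the graft within Guix's documented grafting restrictions, and the forward reference to `openssl/fixed`, defined further down the file, is fine because `replacement` is a thunked field.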
@@ -552,7 +553,7 @@ (define openssl/fixed
   (package
     (inherit openssl-1.1)
     (name "openssl")
-    (version "1.1.1t")
+    (version "1.1.1w")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://www.openssl.org/source/openssl-"
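Review bot: the commit log's "Address various CVEs." does not say which advisories the jump from 1.1.1t to 1.1.1w on the `(version ...)` line closes. Please list the CVE identifiers in the commit message so the fix can be tracked and audited later, and note that the bump skips the intermediate letter releases, so their changelogs should be read for behaviour changes as well as fixes.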
@@ -565,7 +566,7 @@ (define openssl/fixed
               (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
               (sha256
                (base32
-                "0fwxhlv7ary9nzg5mx07x1jj3wkbizxh56qy7l6bzp5iplj9pvld"))))))
+                "1j3anw4554lk3m9cvjngvh1c2gbdkhgiz160jnnm7n5l1jarhc6g"))))))
 
 (define-public openssl-3.0
   (package
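Review bot: the new base32 value on the `sha256` line cannot be checked from the diff alone. Please state how it was obtained, ideally from a tarball whose upstream signature or published checksum was verified, and it should be recomputed with `guix download` on the 1.1.1w URL before pushing. The unchanged `(patches (search-patches "openssl-1.1-c-rehash-in.patch"))` line also needs a confirmation that the patch still applies cleanly to the 1.1.1w sources.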

base-commit: fafd3caef0d51811a5da81d6061789e2908b0dac
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#66197; Package guix-patches. (Thu, 24 Apr 2025 14:58:02 GMT)

Message #8 received at 66197 <at> debbugs.gnu.org:

From: Greg Hogan <code <at> greghogan.com>
To: Christopher Baines <mail <at> cbaines.net>, Andreas Enge <andreas <at> enge.fr>,
 janneke <at> gnu.org, Ludovic Courtès <ludo <at> gnu.org>, 
 Zheng Junjie <z572 <at> z572.online>
Cc: 66197 <at> debbugs.gnu.org
Subject: Re: [bug#66197] [PATCH] gnu: openssl-1.1: replace with 1.1.1w.
Date: Thu, 24 Apr 2025 10:57:10 -0400

On Mon, Sep 25, 2023 at 3:52 PM Christopher Baines <mail <at> cbaines.net> wrote:
>
> From: Sevan Janiyan <venture37 <at> geeklan.co.uk>
>
> Address various CVEs.
>
> * gnu/packages/tls.scm (openssl/fixed): Update to 1.1.1w.
> (openssl-1.1)[replacement]: Use openssl/fixed
> ---
>  gnu/packages/tls.scm | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index b669ac2e8d..6a26abd6c5 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -426,6 +426,7 @@ (define-public openssl-1.1
>    (package
>      (name "openssl")
>      (version "1.1.1q")
> +    (replacement openssl/fixed)
>      (source (origin
>                (method url-fetch)
>                (uri (list (string-append "https://www.openssl.org/source/openssl-"
> @@ -552,7 +553,7 @@ (define openssl/fixed
>    (package
>      (inherit openssl-1.1)
>      (name "openssl")
> -    (version "1.1.1t")
> +    (version "1.1.1w")
>      (source (origin
>                (method url-fetch)
>                (uri (list (string-append "https://www.openssl.org/source/openssl-"
> @@ -565,7 +566,7 @@ (define openssl/fixed
>                (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
>                (sha256
>                 (base32
> -                "0fwxhlv7ary9nzg5mx07x1jj3wkbizxh56qy7l6bzp5iplj9pvld"))))))
> +                "1j3anw4554lk3m9cvjngvh1c2gbdkhgiz160jnnm7n5l1jarhc6g"))))))
>
>  (define-public openssl-3.0
>    (package
>
> base-commit: fafd3caef0d51811a5da81d6061789e2908b0dac
> --
> 2.41.0

Core packages team,

Your branch has updated openssl to 3.4.0. There is now a 3.4.1 security release:
  https://github.com/openssl/openssl/releases/tag/openssl-3.4.1

Also, can this patch for openssl 1.1.1w be applied?

Greg




Information forwarded to guix-patches <at> gnu.org:
bug#66197; Package guix-patches. (Thu, 24 Apr 2025 21:40:03 GMT)

Message #11 received at 66197 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Greg Hogan <code <at> greghogan.com>
Cc: Zheng Junjie <z572 <at> z572.online>, Andreas Enge <andreas <at> enge.fr>,
 Christopher Baines <mail <at> cbaines.net>, 66197 <at> debbugs.gnu.org, janneke <at> gnu.org
Subject: Re: [bug#66197] [PATCH] gnu: openssl-1.1: replace with 1.1.1w.
Date: Thu, 24 Apr 2025 22:32:38 +0200

Hi,

Greg Hogan <code <at> greghogan.com> writes:

> Core packages team,
>
> Your branch has updated openssl to 3.4.0. There is now a 3.4.1 security release:
>   https://github.com/openssl/openssl/releases/tag/openssl-3.4.1
>
> Also, can this patch for openssl 1.1.1w be applied?

Yes, to both.

Though really, I think OpenSSL, GnuTLS, etc. are outside the scope of
‘core-packages-team’ and should be treated separately.

Ludo’.




This bug report was last modified 4 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.