
[1/1] package/libopenssl: security bump version to 3.1.4

Message ID 20231026181904.3218122-1-bernd@kuhls.net
State Accepted
Series [1/1] package/libopenssl: security bump version to 3.1.4

Commit Message

Bernd Kuhls Oct. 26, 2023, 6:19 p.m. UTC
Fixes CVE-2023-5363:
https://www.openssl.org/news/secadv/20231024.txt
https://www.openssl.org/news/vulnerabilities.html

Changelog: https://www.openssl.org/news/cl31.txt

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
 package/libopenssl/libopenssl.hash | 4 ++--
 package/libopenssl/libopenssl.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
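The libopenssl.hash entry in this patch is what Buildroot checks the downloaded tarball against before it is unpacked. As an added example that is not part of this patch and not Buildroot's own support/download/check-hash script, here is a small Python checker that parses lines in that `<algo>  <digest>  <filename>` format and verifies file contents against them, failing closed on a tampered file, on a file with no entry, and on malformed or weak entries. The sample tarball bytes, license text and the digests derived from them are constructed for the example and are not the real openssl-3.1.4.tar.gz values.

```python
"""Check downloaded files against Buildroot-style .hash entries.

Added example for this thread; it is not Buildroot's own
support/download/check-hash script. The line format assumed here is the one
visible in package/libopenssl/libopenssl.hash:

    # comment
    <algo>  <hexdigest>  <filename>
"""
import hashlib
import re

# Assumption of this example: only these digests are accepted. Anything
# weaker (md5, sha1) is rejected at parse time rather than silently trusted.
SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_hash_file(text):
    """Parse .hash text into {filename: (algo, lowercase hexdigest)}.

    Comment and blank lines are skipped. Malformed lines, unknown algorithms,
    wrong digest lengths and duplicate filenames raise ValueError instead of
    being ignored, so a typo cannot turn into an unchecked download.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<algo> <digest> <file>'")
        algo, digest, name = parts[0].lower(), parts[1].lower(), parts[2]
        if algo not in SUPPORTED:
            raise ValueError(f"line {lineno}: unsupported algorithm {algo!r}")
        if len(digest) != SUPPORTED[algo]().digest_size * 2 or not HEX_RE.match(digest):
            raise ValueError(f"line {lineno}: malformed {algo} digest")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        entries[name] = (algo, digest)
    return entries


def verify_file(entries, name, data):
    """Return True only if `data` matches the digest pinned for `name`.

    A file with no entry is a failure (fail closed): an unpinned download is
    exactly what a hash file exists to prevent.
    """
    if name not in entries:
        return False
    algo, expected = entries[name]
    return SUPPORTED[algo](data).hexdigest() == expected


def hash_line(algo, data, name):
    """Format one entry the way the libopenssl.hash lines are written."""
    return f"{algo}  {SUPPORTED[algo](data).hexdigest()}  {name}"


def demo():
    """Constructed scenario: a pinned tarball, a tampered copy, an unpinned file."""
    # Constructed stand-ins for the real artifacts, not the upstream contents.
    tarball = b"openssl-3.1.4 constructed tarball bytes\n"
    license_txt = b"Apache License 2.0 (constructed stand-in)\n"
    hash_text = "\n".join([
        "# From <upstream .sha256 file> (constructed example, not the real digest)",
        hash_line("sha256", tarball, "openssl-3.1.4.tar.gz"),
        "",
        "# License files",
        hash_line("sha256", license_txt, "LICENSE.txt"),
    ])
    entries = parse_hash_file(hash_text)
    tampered = tarball.replace(b"3.1.4", b"3.1.3")
    return {
        "genuine": verify_file(entries, "openssl-3.1.4.tar.gz", tarball),
        "tampered": verify_file(entries, "openssl-3.1.4.tar.gz", tampered),
        "license": verify_file(entries, "LICENSE.txt", license_txt),
        "unpinned": verify_file(entries, "openssl-3.1.3.tar.gz", tarball),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:9s} {'OK' if ok else 'FAIL'}")
```

The checker deliberately refuses to pass a file that has no entry: the interesting failure in a version bump is not a wrong digest but a forgotten one, and a checker that treats "no entry" as "nothing to check" hides exactly that mistake.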

Comments

Yann E. MORIN Oct. 29, 2023, 8:45 a.m. UTC | #1
Bernd, All,

On 2023-10-26 20:19 +0200, Bernd Kuhls spake thusly:
> Fixes CVE-2023-5363:
> https://www.openssl.org/news/secadv/20231024.txt
> https://www.openssl.org/news/vulnerabilities.html
> 
> Changelog: https://www.openssl.org/news/cl31.txt
> 
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/libopenssl/libopenssl.hash | 4 ++--
>  package/libopenssl/libopenssl.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
> index 9126175977..29ced7cddd 100644
> --- a/package/libopenssl/libopenssl.hash
> +++ b/package/libopenssl/libopenssl.hash
> @@ -1,5 +1,5 @@
> -# From https://www.openssl.org/source/openssl-3.1.3.tar.gz.sha256
> -sha256  f0316a2ebd89e7f2352976445458689f80302093788c466692fb2a188b2eacf6  openssl-3.1.3.tar.gz
> +# From https://www.openssl.org/source/openssl-3.1.4.tar.gz.sha256
> +sha256  840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3  openssl-3.1.4.tar.gz
>  
>  # License files
>  sha256  7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a  LICENSE.txt
> diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
> index b69ef032f2..b8b6ec6bff 100644
> --- a/package/libopenssl/libopenssl.mk
> +++ b/package/libopenssl/libopenssl.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LIBOPENSSL_VERSION = 3.1.3
> +LIBOPENSSL_VERSION = 3.1.4
>  LIBOPENSSL_SITE = https://www.openssl.org/source
>  LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
>  LIBOPENSSL_LICENSE = Apache-2.0
> -- 
> 2.39.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
Peter Korsgaard Oct. 31, 2023, 7:52 a.m. UTC | #2
>>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:

 > Fixes CVE-2023-5363:
 > https://www.openssl.org/news/secadv/20231024.txt
 > https://www.openssl.org/news/vulnerabilities.html

 > Changelog: https://www.openssl.org/news/cl31.txt

 > Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

For 2023.08.x I will instead bump to 3.0.12, which contains the same
fix.
Scott Fan Oct. 31, 2023, 9 a.m. UTC | #3
For the 2023.02.x branch, it needs a bump to the 1.1.1w version.

Scott Fan

On Tue, Oct 31, 2023 at 3:52 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:
>
>  > Fixes CVE-2023-5363:
>  > https://www.openssl.org/news/secadv/20231024.txt
>  > https://www.openssl.org/news/vulnerabilities.html
>
>  > Changelog: https://www.openssl.org/news/cl31.txt
>
>  > Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
>
> For 2023.08.x I will instead bump to 3.0.12, which contains the same
> fix.
>
> --
> Bye, Peter Korsgaard
Peter Korsgaard Oct. 31, 2023, 9:48 a.m. UTC | #4
>>>>> "Scott" == Scott Fan <fancp2007@gmail.com> writes:

 > For the 2023.02.x branch, it needs a bump to the 1.1.1w version.

Why? Isn't 1.1.1w only including the security fix for the Windows-only
CVE-2023-4807 vulnerability?

https://www.openssl.org/news/secadv/20230908.txt
Scott Fan Oct. 31, 2023, 11:08 a.m. UTC | #5
Sorry, I thought it would always follow upstream.

Scott Fan

On Tue, Oct 31, 2023 at 5:48 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Scott" == Scott Fan <fancp2007@gmail.com> writes:
>
>  > For the 2023.02.x branch, it needs a bump to the 1.1.1w version.
>
> Why? Isn't 1.1.1w only including the security fix for the Windows-only
> CVE-2023-4807 vulnerability?
>
> https://www.openssl.org/news/secadv/20230908.txt
>
> --
> Bye, Peter Korsgaard
Peter Korsgaard Oct. 31, 2023, 12:34 p.m. UTC | #6
>>>>> "Scott" == Scott Fan <fancp2007@gmail.com> writes:

 > Sorry, I thought it would always follow upstream.

We normally do, but given that there is no added value for !windows, I
haven't done the work to update the LTS. Normally it would be taken care
of once the next update comes out with Linux fixes, but that is unlikely
to happen for 1.1.1 given that it is EOL.

But if you like to have 1.1.1w then that is fine by me, please send a
patch.
Scott Fan Nov. 1, 2023, 2:01 a.m. UTC | #7
I have sent the patch; it needs to be applied to the 2023.02.x branch.

Scott Fan

On Tue, Oct 31, 2023 at 9:18 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Scott" == Scott Fan <fancp2007@gmail.com> writes:
>
>  > Sorry, I thought it would always follow upstream.
>
> We normally do, but given that there is no added value for !windows, I
> haven't done the work to update the LTS. Normally it would be taken care
> of once the next update comes out with Linux fixes, but that is unlikely
> to happen for 1.1.1 given that it is EOL.
>
> But if you like to have 1.1.1w then that is fine by me, please send a
> patch.
>
> --
> Bye, Peter Korsgaard

Patch

diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index 9126175977..29ced7cddd 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@ 
-# From https://www.openssl.org/source/openssl-3.1.3.tar.gz.sha256
-sha256  f0316a2ebd89e7f2352976445458689f80302093788c466692fb2a188b2eacf6  openssl-3.1.3.tar.gz
+# From https://www.openssl.org/source/openssl-3.1.4.tar.gz.sha256
+sha256  840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3  openssl-3.1.4.tar.gz
 
 # License files
 sha256  7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a  LICENSE.txt
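Review bot: The new digest is copied from openssl-3.1.4.tar.gz.sha256 on www.openssl.org, which is the same origin the tarball is fetched from (LIBOPENSSL_SITE in libopenssl.mk), so the pin proves only that the download matches what that server currently publishes, not that the upload is genuine; the `# From` comment or the commit message should state that the tarball was checked against upstream's signature before the sha256 was copied, otherwise a reviewer cannot tell whether the hash was independently confirmed or merely transcribed. The LICENSE.txt line is correctly left untouched, which is the expected signal that the license text did not change between 3.1.3 and 3.1.4.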
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index b69ef032f2..b8b6ec6bff 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBOPENSSL_VERSION = 3.1.3
+LIBOPENSSL_VERSION = 3.1.4
 LIBOPENSSL_SITE = https://www.openssl.org/source
 LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
 LIBOPENSSL_LICENSE = Apache-2.0
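Review bot: Only LIBOPENSSL_VERSION changes, which is the right scope for a point release inside the 3.1 series since LIBOPENSSL_SOURCE is derived from it, but the diffstat shows no other file in package/libopenssl/ touched, so the commit message should say whether any existing patches or version-specific settings in the package were checked to still apply to 3.1.4; a security bump that silently stops a local patch from applying is easy to miss in a two-line diff. It would also help to state which Buildroot branches the bump targets, given that the thread has 2023.08.x going to 3.0.12 for the same CVE instead.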