| Message ID | 20231026181904.3218122-1-bernd@kuhls.net |
|---|---|
| State | Accepted |
| Series | [1/1] package/libopenssl: security bump version to 3.1.4 |
Bernd, All,

On 2023-10-26 20:19 +0200, Bernd Kuhls spake thusly:
> Fixes CVE-2023-5363:
> https://www.openssl.org/news/secadv/20231024.txt
> https://www.openssl.org/news/vulnerabilities.html
>
> Changelog: https://www.openssl.org/news/cl31.txt
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> --- > package/libopenssl/libopenssl.hash | 4 ++-- > package/libopenssl/libopenssl.mk | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash > index 9126175977..29ced7cddd 100644 > --- a/package/libopenssl/libopenssl.hash > +++ b/package/libopenssl/libopenssl.hash > @@ -1,5 +1,5 @@ > -# From https://www.openssl.org/source/openssl-3.1.3.tar.gz.sha256 > -sha256 f0316a2ebd89e7f2352976445458689f80302093788c466692fb2a188b2eacf6 openssl-3.1.3.tar.gz > +# From https://www.openssl.org/source/openssl-3.1.4.tar.gz.sha256 > +sha256 840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3 openssl-3.1.4.tar.gz > > # License files > sha256 7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a LICENSE.txt > diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk > index b69ef032f2..b8b6ec6bff 100644 > --- a/package/libopenssl/libopenssl.mk > +++ b/package/libopenssl/libopenssl.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -LIBOPENSSL_VERSION = 3.1.3 > +LIBOPENSSL_VERSION = 3.1.4 > LIBOPENSSL_SITE = https://www.openssl.org/source > LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz > LIBOPENSSL_LICENSE = Apache-2.0 > -- > 2.39.2 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:

> Fixes CVE-2023-5363:
> https://www.openssl.org/news/secadv/20231024.txt
> https://www.openssl.org/news/vulnerabilities.html

> Changelog: https://www.openssl.org/news/cl31.txt

> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

For 2023.08.x I will instead bump to 3.0.12, which contains the same fix.
For the 2023.02.x branch, it needs a bump to 1.1.1w.

Scott Fan

On Tue, Oct 31, 2023 at 3:52 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:
>
> > Fixes CVE-2023-5363:
> > https://www.openssl.org/news/secadv/20231024.txt
> > https://www.openssl.org/news/vulnerabilities.html
>
> > Changelog: https://www.openssl.org/news/cl31.txt
>
> > Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
>
> For 2023.08.x I will instead bump to 3.0.12, which contains the same
> fix.
>
> --
> Bye, Peter Korsgaard
>>>>> "Scott" == Scott Fan <fancp2007@gmail.com> writes:

> For the 2023.02.x branch, it needs a bump to 1.1.1w.

Why? Isn't 1.1.1w only including the security fix for the Windows-only
CVE-2023-4807 vulnerability?

https://www.openssl.org/news/secadv/20230908.txt
Sorry, I thought it would always follow the upstream.

Scott Fan

On Tue, Oct 31, 2023 at 5:48 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Scott" == Scott Fan <fancp2007@gmail.com> writes:
>
> > For the 2023.02.x branch, it needs a bump to 1.1.1w.
>
> Why? Isn't 1.1.1w only including the security fix for the Windows-only
> CVE-2023-4807 vulnerability?
>
> https://www.openssl.org/news/secadv/20230908.txt
>
> --
> Bye, Peter Korsgaard
>>>>> "Scott" == Scott Fan <fancp2007@gmail.com> writes:

> Sorry, I thought it would always follow the upstream.

We normally do, but given that there is no added value for !windows, I
haven't done the work to update the LTS. Normally it would be taken care
of once the next update comes out with Linux fixes, but that is unlikely
to happen for 1.1.1 given that it is EOL.

But if you would like to have 1.1.1w then that is fine by me, please send a
patch.
I have sent the patch; it needs to be applied to the 2023.02.x branch.

Scott Fan

On Tue, Oct 31, 2023 at 9:18 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Scott" == Scott Fan <fancp2007@gmail.com> writes:
>
> > Sorry, I thought it would always follow the upstream.
>
> We normally do, but given that there is no added value for !windows, I
> haven't done the work to update the LTS. Normally it would be taken care
> of once the next update comes out with Linux fixes, but that is unlikely
> to happen for 1.1.1 given that it is EOL.
>
> But if you would like to have 1.1.1w then that is fine by me, please send a
> patch.
>
> --
> Bye, Peter Korsgaard
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash index 9126175977..29ced7cddd 100644 --- a/package/libopenssl/libopenssl.hash +++ b/package/libopenssl/libopenssl.hash @@ -1,5 +1,5 @@ -# From https://www.openssl.org/source/openssl-3.1.3.tar.gz.sha256 -sha256 f0316a2ebd89e7f2352976445458689f80302093788c466692fb2a188b2eacf6 openssl-3.1.3.tar.gz +# From https://www.openssl.org/source/openssl-3.1.4.tar.gz.sha256 +sha256 840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3 openssl-3.1.4.tar.gz # License files sha256 7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a LICENSE.txt diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk index b69ef032f2..b8b6ec6bff 100644 --- a/package/libopenssl/libopenssl.mk +++ b/package/libopenssl/libopenssl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBOPENSSL_VERSION = 3.1.3 +LIBOPENSSL_VERSION = 3.1.4 LIBOPENSSL_SITE = https://www.openssl.org/source LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz LIBOPENSSL_LICENSE = Apache-2.0
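Review bot: in the libopenssl.hash hunk the new sha256 for openssl-3.1.4.tar.gz is, per the updated `# From https://www.openssl.org/source/openssl-3.1.4.tar.gz.sha256` comment, copied from the `.sha256` file served next to the tarball on the same host, so it proves the download matches what that server currently serves but not, on its own, that the archive is the release the project published; the commit message should say the digest was cross-checked against an independent source (the release announcement or the release signature) before being adopted as Buildroot's integrity anchor. The digest itself is well-formed (64 lowercase hex characters), and the unchanged `sha256 ... LICENSE.txt` context line implicitly asserts that the license file did not change between 3.1.3 and 3.1.4, which the hash check will catch at build time if wrong.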
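Review bot: a documentation point on the libopenssl.mk hunk: `LIBOPENSSL_VERSION = 3.1.4` is the only change, and because `LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz` is derived from it the hash file is the only other place that needs updating, which matches the two-file diffstat; a one-line version bump gives a reviewer nothing to confirm that the rest of the package definition still applies to 3.1.4, so the commit message should state that the package was build-tested against the new version rather than only citing the advisory.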
Fixes CVE-2023-5363:
https://www.openssl.org/news/secadv/20231024.txt
https://www.openssl.org/news/vulnerabilities.html

Changelog: https://www.openssl.org/news/cl31.txt

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
 package/libopenssl/libopenssl.hash | 4 ++--
 package/libopenssl/libopenssl.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
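The .hash file touched by this patch lists one `sha256 <digest> <filename>` line per downloaded artifact. As an added example (not the patch's or Buildroot's own code), the Python below parses that layout, rejects malformed digest lines instead of skipping them, and verifies constructed stand-in files against it, reporting a tampered tarball as a mismatch and an unlisted file as having no entry.

```python
import hashlib

# Constructed stand-ins for the downloaded artifacts, NOT real OpenSSL files.
SAMPLE_FILES = {
    "openssl-3.1.4.tar.gz": b"constructed stand-in for the 3.1.4 release tarball\n",
    "LICENSE.txt": b"constructed stand-in for LICENSE.txt\n",
}

def parse_hash_file(text):
    """Parse Buildroot '<algo> <digest> <filename>' lines into {filename: [(algo, digest)]}.

    Comments and blank lines are skipped; a malformed line raises instead of being
    ignored, so a typo in a digest cannot silently turn into a missing check.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<algo> <digest> <filename>'")
        algo, digest, name = parts[0], parts[1].lower(), parts[2]
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"line {lineno}: unsupported algorithm {algo!r}")
        hexlen = 2 * hashlib.new(algo).digest_size
        if len(digest) != hexlen or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: malformed {algo} digest for {name}")
        entries.setdefault(name, []).append((algo, digest))
    return entries

def verify_downloads(hash_text, files):
    """Return {filename: 'ok' | 'mismatch' | 'no-entry'} for each artifact in files."""
    entries = parse_hash_file(hash_text)
    result = {}
    for name, data in files.items():
        if name not in entries:
            result[name] = "no-entry"  # nothing to check against: not a pass
            continue
        matches = all(hashlib.new(algo, data).hexdigest() == digest
                      for algo, digest in entries[name])
        result[name] = "ok" if matches else "mismatch"
    return result

def build_hash_file(files):
    """Construct a .hash file in the layout of package/libopenssl/libopenssl.hash."""
    lines = ["# From https://www.openssl.org/source/openssl-3.1.4.tar.gz.sha256"]
    lines += [f"sha256 {hashlib.sha256(d).hexdigest()} {n}" for n, d in files.items()]
    return "\n".join(lines) + "\n"
```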