Message ID | 20220504080847.3209785-1-peter@korsgaard.com |
---|---|
State | Accepted |
Headers | show |
Series | package/libopenssl: security bump to version 1.1.1o | expand |
On 04/05/2022 10:08, Peter Korsgaard wrote: > Fixes the following security issues: > > - The c_rehash script allows command injection (CVE-2022-1292) > > The c_rehash script does not properly sanitise shell metacharacters to > prevent command injection. This script is distributed by some operating > systems in a manner where it is automatically executed. On such operating > systems, an attacker could execute arbitrary commands with the privileges of > the script. > > Use of the c_rehash script is considered obsolete and should be replaced by > the OpenSSL rehash command line tool. > > https://www.openssl.org/news/secadv/20220503.txt > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Regards, Arnout > --- > package/libopenssl/libopenssl.hash | 4 ++-- > package/libopenssl/libopenssl.mk | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash > index 22bb365bcc..ec5fd0fe84 100644 > --- a/package/libopenssl/libopenssl.hash > +++ b/package/libopenssl/libopenssl.hash > @@ -1,5 +1,5 @@ > -# From https://www.openssl.org/source/openssl-1.1.1n.tar.gz.sha256 > -sha256 40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a openssl-1.1.1n.tar.gz > +# From https://www.openssl.org/source/openssl-1.1.1o.tar.gz.sha256 > +sha256 9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f openssl-1.1.1o.tar.gz > > # License files > sha256 c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c LICENSE > diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk > index ae6658ed40..0c039dc7d6 100644 > --- a/package/libopenssl/libopenssl.mk > +++ b/package/libopenssl/libopenssl.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -LIBOPENSSL_VERSION = 1.1.1n > +LIBOPENSSL_VERSION = 1.1.1o > LIBOPENSSL_SITE = https://www.openssl.org/source > LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz > LIBOPENSSL_LICENSE = OpenSSL or SSLeay
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following security issues: > - The c_rehash script allows command injection (CVE-2022-1292) > The c_rehash script does not properly sanitise shell metacharacters to > prevent command injection. This script is distributed by some operating > systems in a manner where it is automatically executed. On such operating > systems, an attacker could execute arbitrary commands with the privileges of > the script. > Use of the c_rehash script is considered obsolete and should be replaced by > the OpenSSL rehash command line tool. > https://www.openssl.org/news/secadv/20220503.txt > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2022.02.x, thanks.
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash index 22bb365bcc..ec5fd0fe84 100644 --- a/package/libopenssl/libopenssl.hash +++ b/package/libopenssl/libopenssl.hash @@ -1,5 +1,5 @@ -# From https://www.openssl.org/source/openssl-1.1.1n.tar.gz.sha256 -sha256 40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a openssl-1.1.1n.tar.gz +# From https://www.openssl.org/source/openssl-1.1.1o.tar.gz.sha256 +sha256 9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f openssl-1.1.1o.tar.gz # License files sha256 c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c LICENSE diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk index ae6658ed40..0c039dc7d6 100644 --- a/package/libopenssl/libopenssl.mk +++ b/package/libopenssl/libopenssl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBOPENSSL_VERSION = 1.1.1n +LIBOPENSSL_VERSION = 1.1.1o LIBOPENSSL_SITE = https://www.openssl.org/source LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz LIBOPENSSL_LICENSE = OpenSSL or SSLeay
Fixes the following security issues: - The c_rehash script allows command injection (CVE-2022-1292) The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. https://www.openssl.org/news/secadv/20220503.txt Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/libopenssl/libopenssl.hash | 4 ++-- package/libopenssl/libopenssl.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)