AppImage: Update OpenSSL to version 1.1.1-1ubuntu2.1~18.04.9 #2231

Merged
merged 1 commit into from Apr 5, 2021

EchterAgo

This has some important fixes:

  • SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    • debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
      ssl/statem/extensions.c.
    • debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
      <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    • debian/patches/CVE-2021-3449-3.patch: add a test to
      test/recipes/70-test_renegotiation.t.
    • debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
      always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
      ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
      ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
    • CVE-2021-3449

This also updates libudev-dev to version 237-3ubuntu10.45; the old version is not available anymore.

I tested the AppImage.

https://ec.loping.net/4.2.4-50-gfea82b9b2/

@cculianu cculianu added Security & Privacy packaging Issues related to building/packaging and not the app itself. labels Apr 5, 2021
@cculianu cculianu merged commit a3ff4e1 into Electron-Cash:master Apr 5, 2021
@EchterAgo EchterAgo deleted the appimage_ssl_update branch April 5, 2021 13:37