Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openssl: 3.0.5 -> 3.0.7 #198999

Merged
merged 1 commit into from
Nov 1, 2022
Merged

openssl: 3.0.5 -> 3.0.7 #198999

merged 1 commit into from
Nov 1, 2022

Conversation

mweinelt
Copy link
Member

@mweinelt mweinelt commented Nov 1, 2022
edited by sternenseemann
Loading 

### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]

 * Fixed two buffer overflows in punycode decoding functions.

   A buffer overrun can be triggered in X.509 certificate verification,
   specifically in name constraint checking. Note that this occurs after
   certificate chain signature verification and requires either a CA to
   have signed the malicious certificate or for the application to continue
   certificate verification despite failure to construct a path to a trusted
   issuer.

   In a TLS client, this can be triggered by connecting to a malicious
   server.  In a TLS server, this can be triggered if the server requests
   client authentication and a malicious client connects.

   An attacker can craft a malicious email address to overflow
   an arbitrary number of bytes containing the `.`  character (decimal 46)
   on the stack.  This buffer overflow could result in a crash (causing a
   denial of service).
   ([CVE-2022-3786])

   An attacker can craft a malicious email address to overflow four
   attacker-controlled bytes on the stack.  This buffer overflow could
   result in a crash (causing a denial of service) or potentially remote code
   execution depending on stack layout for any given platform/compiler.
   ([CVE-2022-3602])

   *Paul Dale*

 * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
   parameters in OpenSSL code.
   Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
   OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
   Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
   Using these invalid names may cause algorithms to use slower methods
   that ignore the CRT parameters.

   *Shane Lontis*

 * Fixed a regression introduced in 3.0.6 version raising errors on some stack
   operations.

   *Tomáš Mráz*

 * Fixed a regression introduced in 3.0.6 version not refreshing the certificate
   data to be signed before signing the certificate.

   *Gibeom Gwon*

 * Added RIPEMD160 to the default provider.

   *Paul Dale*

 * Ensured that the key share group sent or accepted for the key exchange
   is allowed for the protocol version.

   *Matt Caswell*
Description of changes
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@vcunat
Copy link
Member

vcunat commented Nov 1, 2022
edited
Loading

Nothing we need to solve before merging, as our BSD support is close to none, but the patch previously didn't drop the BSD parts and now it does. (doesn't seem intentional)

@mweinelt
Copy link
Member Author

mweinelt commented Nov 1, 2022
edited
Loading

I reused the patch from the 3.0.6 bump and forgot to credit ajs124. The Configure script changed in 3.0.6 and the patch needed an update anyway.

@mweinelt @ajs124
openssl: 3.0.5 -> 3.0.7
eeca596 
Fixes: CVE-2022-3786, CVE-2022-3602
Co-Authored-By: Andreas Schrägle <git@ajs124.de>
@mweinelt mweinelt marked this pull request as ready for review November 1, 2022 15:45
@sternenseemann
Copy link
Member

@ofborg build openssl

@vcunat vcunat merged commit eeca596 into NixOS:staging-next Nov 1, 2022
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/openssl-3-0-7-update-2022-11-01-faq/22875/4

@mweinelt mweinelt deleted the openssl-3.0.7 branch November 1, 2022 15:49
@github-actions github-actions bot mentioned this pull request Nov 1, 2022
Merged
1 task
@github-actions
Copy link
Contributor

github-actions bot commented Nov 1, 2022

Successfully created backport PR #199001 for release-22.05.

@eyenx eyenx mentioned this pull request Nov 1, 2022
Closed
@vcunat
Copy link
Member

vcunat commented Nov 1, 2022

The patch updated here is also used by quictls and now fails to apply there. But I assume it's also vulnerable and we need to update it soon, and might even make the patch apply again by itself :-)

@nh2 nh2 mentioned this pull request Nov 1, 2022
Closed
@vcunat
Copy link
Member

vcunat commented Nov 2, 2022

The patch situation was worse than I anticipated. It broke build on *-darwin. Resolved for now by 70ca403

PetarKirov added a commit to ydm/nix-blockchain-development that referenced this pull request Nov 4, 2022
@PetarKirov
chore(flake.lock): Update all Flake inputs (2022-11-04)
5ea03f0 
The OpenSSL 3.0.7 release fixes a high severity security vulnerability in
OpenSSL versions >= 3.0.0 <= 3.0.6. Nixpkgs switched to this version in
[Nixpkgs PR#198999][1] and the nixos-unstable channel was recently [2] updated.

This commit updates the `nixpkgs` input to the latest nixos-unstable commit.

Flake update details:

```
• Updated input 'flake-utils':
    'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07)
  → 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/285e77efe87df64105ec14b204de6636fb0a7a27' (2022-10-11)
  → 'github:NixOS/nixpkgs/a2a777538d971c6b01c6e54af89ddd6567c055e8' (2022-11-03)
```

See also:
* [OpenSSL security advisory][0]
* [Nixpkgs PR #198999 ("openssl: 3.0.5 -> 3.0.7") progress][2]
* [NixOS Discourse - OpenSSL 3.0.7 update (2022-11-01) FAQ][3]
* [CVE-2022-3602][4]

[0]: https://www.openssl.org/news/secadv/20221101.txt
[1]: NixOS/nixpkgs#198999
[2]: https://nixpk.gs/pr-tracker.html?pr=198999
[3]: https://discourse.nixos.org/t/openssl-3-0-7-update-2022-11-01-faq/22875
[4]: https://nvd.nist.gov/vuln/detail/CVE-2022-3602
PetarKirov added a commit to metacraft-labs/nix-blockchain-development that referenced this pull request Nov 4, 2022
@PetarKirov
chore(flake.lock): Update all Flake inputs (2022-11-04)
7136942 
The OpenSSL 3.0.7 release fixes a high severity security vulnerability in
OpenSSL versions >= 3.0.0 <= 3.0.6. Nixpkgs switched to this version in
[Nixpkgs PR#198999][1] and the nixos-unstable channel was recently [2] updated.

This commit updates the `nixpkgs` input to the latest nixos-unstable commit.

Flake update details:

```
• Updated input 'flake-utils':
    'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07)
  → 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/285e77efe87df64105ec14b204de6636fb0a7a27' (2022-10-11)
  → 'github:NixOS/nixpkgs/a2a777538d971c6b01c6e54af89ddd6567c055e8' (2022-11-03)
```

See also:
* [OpenSSL security advisory][0]
* [Nixpkgs PR #198999 ("openssl: 3.0.5 -> 3.0.7") progress][2]
* [NixOS Discourse - OpenSSL 3.0.7 update (2022-11-01) FAQ][3]
* [CVE-2022-3602][4]

[0]: https://www.openssl.org/news/secadv/20221101.txt
[1]: NixOS/nixpkgs#198999
[2]: https://nixpk.gs/pr-tracker.html?pr=198999
[3]: https://discourse.nixos.org/t/openssl-3-0-7-update-2022-11-01-faq/22875
[4]: https://nvd.nist.gov/vuln/detail/CVE-2022-3602
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ajs124 ajs124 Awaiting requested review from ajs124

@vcunat vcunat Awaiting requested review from vcunat

@Artturin Artturin Awaiting requested review from Artturin

Assignees
No one assigned
Labels
1.severity: security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mweinelt @vcunat @sternenseemann @nixos-discourse