Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[19.09] openssl: 1.1.1d -> 1.1.1e #82791

Merged
merged 1 commit into from Mar 18, 2020
Merged

[19.09] openssl: 1.1.1d -> 1.1.1e #82791

merged 1 commit into from Mar 18, 2020

Conversation

@andir
Copy link
Member

andir commented Mar 17, 2020

Motivation for this change

a "Low severity" [0] security issue:

Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
in exponentiation with 512-bit moduli (CVE-2019-1551)

[0] https://www.openssl.org/news/vulnerabilities.html#y2019

Note: Since the flux of changes to 19.09 is very low I think targeting the release branch without going through staging is fine. Let me know if you think otherwise.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
a "Low severity" [0] security issue:

> Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
> in exponentiation with 512-bit moduli (CVE-2019-1551)

[0] https://www.openssl.org/news/vulnerabilities.html#y2019

(cherry picked from commit abecf82)
@xfix
xfix approved these changes Mar 17, 2020
@ofborg ofborg bot requested a review from peti Mar 17, 2020
@andir andir merged commit 87834cb into NixOS:release-19.09 Mar 18, 2020
16 checks passed
16 checks passed
openssl on x86_64-darwin Timed out, unknown build status
Details
Evaluation Performance Report Evaluator Performance Report
Details
grahamcofborg-eval ^.^!
Details
grahamcofborg-eval-check-maintainers matching changed paths to changed attrs...
Details
grahamcofborg-eval-check-meta config.nix: checkMeta = true
Details
grahamcofborg-eval-darwin nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A darwin-tested
Details
grahamcofborg-eval-nixos nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release-combined.nix -A tested
Details
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
Details
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
Details
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
Details
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
Details
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
Details
grahamcofborg-eval-package-list nix-env -qa --json --file .
Details
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }
Details
openssl on aarch64-linux Success
Details
openssl on x86_64-linux Success
Details
@andir andir deleted the andir:19.09/openssl branch Mar 18, 2020
@vcunat
Copy link
Member

vcunat commented Mar 18, 2020

This apparently broke python3Packages.pyopenssl and thus is blocking both channels. Example failure: https://hydra.nixos.org/build/115097885 (I can reproduce it locally)

@vcunat
Copy link
Member

vcunat commented Mar 18, 2020

I don't know now. The NEWS only contains the CVE-fixing entry.

@xfix
Copy link
Contributor

xfix commented Mar 19, 2020

Fixing in #82928. The 1.1.1e changelog contains the following entry:

Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong.

Which causes the issue. The changelog for this release is rather long, so I think patching the CVE is safer overall.

@flokli
Copy link
Contributor

flokli commented Apr 2, 2020

So, apparently this was reverted, and just the CVE-fixing patch applied to 19.09 (but probably not to 20.03 and master, and #82793 and #82789 are still open).

I'm fine with just the CVE-fixing patch for 19.09 (maybe for 20.03 as well), but how do we proceed on that? Where's the discussion happening?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants
You can’t perform that action at this time.