[19.09] openssl: 1.1.1d -> 1.1.1e #82791
Motivation for this change
a "Low severity" security issue:
Note: Since the flux of changes to 19.09 is very low, I think targeting the release branch without going through staging is fine. Let me know if you think otherwise.
a "Low severity" security issue:

> Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
> in exponentiation with 512-bit moduli (CVE-2019-1551)

https://www.openssl.org/news/vulnerabilities.html#y2019

(cherry picked from commit abecf82)
Fixing in #82928. The 1.1.1e changelog contains the following entry:
Which causes the issue. The changelog for this release is rather long, so I think patching the CVE is safer overall.
I'm fine with just the CVE-fixing patch for 19.09 (maybe for 20.03 as well), but how do we proceed on that? Where's the discussion happening?