Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[20.03] openssl: 1.1.1d -> 1.1.1e #82793

Closed
wants to merge 1 commit into from

Conversation

@andir
Copy link
Member

andir commented Mar 17, 2020

Motivation for this change

a "Low severity" [0] security issue:

Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
in exponentiation with 512-bit moduli (CVE-2019-1551)

[0] https://www.openssl.org/news/vulnerabilities.html#y2019

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
a "Low severity" [0] security issue:

> Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
> in exponentiation with 512-bit moduli (CVE-2019-1551)

[0] https://www.openssl.org/news/vulnerabilities.html#y2019

(cherry picked from commit abecf82)
@xfix
Copy link
Contributor

xfix commented Mar 17, 2020

Note: Since the flux of changes to 19.09 is very low I think targeting the release branch without going through staging is fine. Let me know if you think otherwise.

This is 20.03 change, you may want to remove this line.

@andir
Copy link
Member Author

andir commented Mar 17, 2020

Note: Since the flux of changes to 19.09 is very low I think targeting the release branch without going through staging is fine. Let me know if you think otherwise.

This is 20.03 change, you may want to remove this line.

Oh, thanks! Interesting how that happened.. I guess GH is storing some kind of "draft" of a PR in the browser.

@xfix
xfix approved these changes Mar 17, 2020
@andir
Copy link
Member Author

andir commented Mar 18, 2020

@vcunat
Copy link
Member

vcunat commented Mar 23, 2020

For reference, this commit would break even the -small channel, as-is.

@vcunat
Copy link
Member

vcunat commented Mar 23, 2020

I was tempted to suggest just patching the CVE like in 19.09, but the prospect of backporting all security fixes until next winter doesn't attract me.

@xfix
Copy link
Contributor

xfix commented Mar 23, 2020

I don't think a patch should be backported for 20.03. You may consider skipping the broken test in PyOpenSSL until the upstream fixes it, a lot of applications using OpenSSL likely assume errors won't happen anyway (and are using it indirectly anyway).

Sure, this probably will break something, but that seems acceptable to me.

@vcunat
Copy link
Member

vcunat commented Mar 23, 2020

That approach certainly seems acceptable for unstable/master to me; I'm not so sure about 20.03, given that March ends in about a week.

@flokli flokli mentioned this pull request Apr 2, 2020
0 of 10 tasks complete
@flokli
Copy link
Contributor

flokli commented Apr 2, 2020

Let's close this in favor of bumping to 1.1.1f as described in #82789 (review).

@flokli flokli closed this Apr 2, 2020
@vcunat
Copy link
Member

vcunat commented Apr 2, 2020

Pushed as 0e5ef8c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

5 participants
You can’t perform that action at this time.