hashicorp/vault patch for SmartOS/Solaris #309
Comments
RE: terminal/ReadPassword calls, a similar patch is needed at hashicorp/consul#159, to build Consul on SmartOS.
GitHub auto-closing trolls at work.
vault 0.5.2 doesn't seem to require any patching and I just imported it into the pkgsrc tree as security/vault.
Security
- Fixed missing padding length check required by PKCS1 v2.2 in mbedtls_rsa_rsaes_pkcs1_v15_decrypt(). (considered low impact)
- Fixed potential integer overflow to buffer overflow in mbedtls_rsa_rsaes_pkcs1_v15_encrypt() and mbedtls_rsa_rsaes_oaep_encrypt(). (not triggerable remotely in (D)TLS).
- Fixed potential integer underflow to buffer overread in mbedtls_rsa_rsaes_oaep_decrypt(). It is not triggerable remotely in SSL/TLS.

Bugfix
- Fixed bug in mbedtls_mpi_add_mpi() that caused wrong results when the three arguments were the same (in-place doubling). #309
- Fixed issue in Makefile that prevented building using armar. #386
- Fixed issue that caused a hang when generating RSA keys of odd bitlength.
- Fixed bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt() that made null pointer dereference possible.
- Fixed issue that caused a crash if invalid curves were passed to mbedtls_ssl_conf_curves(). #373

Changes
- On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, don't use the optimized assembly for bignum multiplication. This removes the need to pass -fomit-frame-pointer to avoid a build error with -O0.
- Disabled SSLv3 in the default configuration.
@mamash Hi, I do not see vault available from pkgsrc in Q2. I see consul was added in 2016Q2 as well, and I see it in my 2016Q2 release when using pkgin on the JPC. consul has an additional commit, to add I don't know how pkgsrc works in this regard and why vault would miss inclusion, despite being included in the Q2 repo and the Q2 release notes.
Here's the build failure for vault 0.5.2 in 2016Q2: It's been updated since, which likely fixed the problem and 0.6.1 is available in the brand new 2016Q3 package set.
I'm not sure why it worked for me in May - I may have tested the package with Go older than what eventually went into 2016Q2?
Thanks, just wanted to check on it. I had no idea where to look for those build logs!
Changes in 2.8.2

Aug 15, 2016 - version 2.8.2

* Bug
  o 2.8.1 introduced JRuby + SSL connection problem; in some cases it cannot connect to trusted TLS server. 2.8.1 failed to load multiple CA certificates in a file. #327.

Aug 16, 2016 - version 2.8.2.1

* Bug
  o 2.8.1 introduced another bug that causes NPE from JRuby when JRuby program loads httpclient and uses OpenSSL::X509::Store outside of httpclient. 2.8.3 fixed this problem. #325

Aug 28, 2016 - version 2.8.2.3

* Bug
  o 2.8.2 fixed VERIFY_NONE at JRuby but the fix was not enough.

Sep 11, 2016 - version 2.8.2.4

* Bug
  o 2.8.2 caused unexpected resulting value change of OpenSSL::X509::Store#add_cert method. Fixed.

Changes in 2.8.1

Aug 8, 2016 - version 2.8.1

* Changes
  o Use TLSv1.2 always on JRuby #320
  o Do not reset keep-alive connection by configuration change #315
  o Add strict_response_size_check option #316
    false by default, meaning it behaves like browsers by default.
  o Add MIME type for XML #308

* Bug
  o Direct access to SSLConfig#cert_store in JRuby was broken from 2.7 #276 #317
  o OpenSSL::SSL::VERIFY_NONE does not work in JRuby #319
  o Allow receiving response body in block when follow_redirects => true. #304
  o Fix blocking issue with request_async when Encoding.default_internal is set. #307
  o Apply timeouts for chunked transfer encoding #309

Changes in 2.8.0

Apr 24, 2016 - version 2.8.0

* Changes
  o Force using RSA 2048bit CA cert set
    Use RSA 2048bit CA cert set every time if it runs with OpenSSL (== except JRuby.) Old openssl (<1.0.1p or <1.0.2d) cannot handle this CA set and causes SSL connection failure against some SSL servers including AWS S3 API. For such case you can manually specify RSA 1024bit CA cert set as a workaround.

      c = HTTPClient.new { |c| c.ssl_config.add_trust_ca("cacert1024.pem") }
      c.get("https://www.ruby-lang.org/")

    RSA 1024bit CA cert set is not maintained over years so you should consider updating OpenSSL version so that HTTPClient uses RSA 2048 bit CA cert set.

Changes in 2.7.2

Apr 22, 2016 - version 2.7.2

* Changes
  o Use RSA 1024bit CA cert when linked to old openssl
    Based on comments to #297 this commit silently (without warning) accepts RSA 1024bit certificate set when runtime ruby is linked with old OpenSSL (<1.0.1p or <1.0.2d.) If you're unsure that your OpenSSL is patched or not, and want to make sure to use RSA 2048bit certificate set, please call HTTPClient::SSLConfig#add_trust_ca("cacert.pem").

      c = HTTPClient.new { |c| c.ssl_config.add_trust_ca("cacert.pem") }
      c.get("https://www.ruby-lang.org/")

    I'm going to remove RSA 1024bit certificate set and bump httpclient version to 2.8.0 soon after I release this as 2.7.2. I believe almost all OpenSSL installation is patched quickly these days so it should not cause SSL connectivity problem.
graphics/gd: security fix

Revisions pulled up:
- graphics/gd/Makefile 1.113
- graphics/gd/distinfo 1.43
- graphics/gd/patches/patch-src_gd__webp.c deleted
---
Module Name: pkgsrc
Committed By: spz
Date: Sat Feb 4 23:05:52 UTC 2017

Modified Files:
pkgsrc/graphics/gd: Makefile distinfo
Removed Files:
pkgsrc/graphics/gd/patches: patch-src_gd__webp.c

Log Message:
update of gd to 2.2.4.

Upstream Changelog:

Security
- gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317)
- double-free in gdImageWebPtr() (CVE-2016-6912)
- potential unsigned underflow in gd_interpolation.c
- DOS vulnerability in gdImageCreateFromGd2Ctx()

Fixed
- Fix #354: Signed Integer Overflow gd_io.c
- Fix #340: System frozen
- Fix OOB reads of the TGA decompression buffer
- Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
- Fix potential unsigned underflow
- Fix double-free in gdImageWebPtr()
- Fix invalid read in gdImageCreateFromTiffPtr()
- Fix OOB reads of the TGA decompression buffer
- Fix #68: gif: buffer underflow reported by AddressSanitizer
- Avoid potentially dangerous signed to unsigned conversion
- Fix #304: test suite failure in gif/bug00006 [2.2.3]
- Fix #329: GD_BILINEAR_FIXED gdImageScale() can cause black border
- Fix #330: Integer overflow in gdImageScaleBilinearPalette()
- Fix 321: Null pointer dereferences in gdImageRotateInterpolated
- Fix whitespace and add missing comment block
- Fix #319: gdImageRotateInterpolated can have wrong background color
- Fix color quantization documentation
- Fix #309: gdImageGd2() writes wrong chunk sizes on boundaries
- Fix #307: GD_QUANT_NEUQUANT fails to unset trueColor flag
- Fix #300: gdImageClone() assigns res_y = res_x
- Fix #299: Regression regarding gdImageRectangle() with gdImageSetThickness()
- Replace GNU old-style field designators with C89 compatible initializers
- Fix #297: gdImageCrop() converts palette image to truecolor image
- Fix #290: TGA RLE decoding is broken
- Fix unnecessary non NULL checks
- Fix #289: Passing unrecognized formats to gdImageGd2 results in corrupted files
- Fix #280: gdImageWebpEx() quantization parameter is a misnomer
- Publish all gdImageCreateFromWebp*() functions and gdImageWebpCtx()
- Fix issue #276: Sometimes pixels are missing when storing images as BMPs
- Fix issue #275: gdImageBmpCtx() may segfault for non-seekable contexts
- Fix copy&paste error in gdImageScaleBicubicFixed()

Added
- More documentation
- Documentation on GD and GD2 formats
- More tests
## 2.0.7 (2017-03-19)

* Do not modify BasicObject during template compilation on ruby 2.0+ (#309, jeremyevans)

## 2.0.6 (2017-01-26)

* Add support for LiveScript (#286, @Announcement Jacob Francis Powers)
* Add support for Sigil (#302, winebarrel)
* Add support for Erubi (#308, jeremyevans)
* Add support for options in Liquid (#298, #299, laCour)
* Always sort locals by strings (#307, jeremyevans)
* Fix test warnings (#305, amatsuda)
* Fix indentation (#293, yui-knk)
* Use SVG badges in README (#294, vasinov)
* Fix typo and trailing space (#295, #296, karloescota)

## 2.0.5 (2016-06-02)

* Add support for reST using Pandoc (#284, mfenner)
* Make lazy loading thread-safe; remove warning (judofyr)

## 2.0.4 (2016-05-16)

* Fix regression in BuilderTemplate (#283, judofyr)

## 2.0.3 (2016-05-12)

* Add Pandoc support (#276, jmuheim)
* Add CommonMark support (#282, raphink)
* Add TypeScript support (#278, nghitran)
* Work with frozen string literal (#274, jeremyevans)
* Add MIME type for Babel (#273, SaitoWu)

## 2.0.2 (2016-01-06)

* Pass options to Redcarpet (#250, hughbien)
* Haml: Improve error message on frozen self (judofyr)
* Add basic support for Babel (judofyr)
* Add support for .litcoffee (#243, judofyr, mr-vinn)
* Document Tilt::Cache (#266, tommay)
* Sort local keys for better caching (#257, jeremyevans)
* Add more CSV options (#256, Juanmcuello)
* Add Prawn template (kematzy)
* Improve cache-miss performance in Tilt::Cache (#251, tommay)
* Add man page (#241, josephholsten)
* Support YAML/JSON data in bin/tilt (#241, josephholsten)

## 2.0.1 (2014-03-21)

* Fix Tilt::Mapping bug in Ruby 2.1.0 (9589652c569760298f2647f7a0f9ed4f85129f20)
* Fix `tilt --list` (#223, Achrome)
* Fix circular require (#221, amarshall)

## 2.0.0 (2013-11-30)

* Support Pathname in Template#new (#219, kabturek)
* Add Mapping#templates_for (judofyr)
* Support old-style #register (judofyr)
* Add Handlebars as external template engine (#204, judofyr, jimothyGator)
* Add org-ruby as external template engine (#207, judofyr, minad)
* Documentation typo (#208, elgalu)

## 2.0.0.beta1 (2013-07-16)

* Documentation typo (#202, chip)
* Use YARD for documentation (#189, judofyr)
* Add Slim as an external template engine (judofyr)
* Add Tilt.templates_for (#121, judofyr)
* Add Tilt.current_template (#151, judofyr)
* Avoid loading all files in tilt.rb (#160, #187, judofyr)
* Implement lazily required templates classes (#178, #187, judofyr)
* Move #allows_script and default_mime_type to metadata (#187, judofyr)
* Introduce Tilt::Mapping (#187, judofyr)
* Make template compilation thread-safe (#191, judofyr)
I was recommended by @rmustacc in #smartos to file an issue here for tracking purposes.
I would like to see hashicorp/vault in pkgsrc, when compiled it is a self-contained binary that only needs a minimal configuration file.
The main patch needed is in my PR hashicorp/vault#862. However, a couple terminal calls and readPassword must be patched with a Solaris variant as well.