Upgrade openssl to 1.1.1k for CVE-2021-3450 #5386
Comments
https://github.com/apple/foundationdb/blob/3d81fd490ff6179e7d5a447215053355d5be407a/documentation/sphinx/source/release-notes/release-notes-620.rst
I had looked at the build/Dockerfile, which still appeared to specify OpenSSL 1.1.1h. Is that no longer an accurate reflection of the dependencies? Even the latest foundationdb/devel docker image appears to still be using OpenSSL 1.1.1h.
@ammolitor Since we switched to use BoringSSL, maybe we can remove OpenSSL from the docker files as a dependency?
@jzhou77, could you please link the layer in the docker image that shows the download and installation of BoringSSL, or where the build environment is configured to provide it? I can't seem to find it. Even fdb-build-support appears to point to OpenSSL: https://github.com/FoundationDB/fdb-build-support/blob/697af75ce38d0131e70890b0a02773ee6b74e88d/docker/centos7/Dockerfile#L152 ?
If you look at the build/Dockerfile, BoringSSL is installed: Lines 103 to 126 in c1acf5f
🤦♂️ It appears I was confused by the disappearance of
Our appcheck on FoundationDB 6.2.30 (Ubuntu packages) is flagging for the presence of OpenSSL 1.1.1h in @jzhou77 @sfc-gh-almiller - If I get the discussion, FoundationDB has switched to
@debraj-manna Yes, your understanding is correct. It seems that the switch to BoringSSL was lost in the https://github.com/FoundationDB/fdb-build-support/ repo. The 6.2.30 release (and probably all other releases as well) is not picking up BoringSSL and uses OpenSSL instead.
FoundationDB/fdb-build-support#19 resolves this for 7.x.x and newer builds. |
FoundationDB 6.2.30 and even the latest 6.3.18 are using OpenSSL 1.1.1h, which has the vulnerability explained in CVE-2021-3450. OpenSSL should be upgraded to at least 1.1.1k.
Relevant discussion in the forum.
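The appcheck mentioned above flags the build on the version string compiled into the binary, so the same evidence can be checked directly. The following script is an added example, not code from the FoundationDB project or this thread: it scans a file for an embedded OpenSSL or BoringSSL marker and, for the 1.1.1 branch, tells whether the embedded release is older than a fixed one. It assumes only POSIX sh and grep, and the sample files it checks are constructed inline.

```shell
#!/bin/sh
# Added example (not FoundationDB project code): identify the TLS library compiled
# into a binary from its version string. Requires only POSIX sh and grep;
# grep -a treats the binary as text, so `strings` is not needed.

# Print the unique TLS-library markers found in file $1, one per line.
tls_markers() {
    grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]?|BoringSSL' "$1" 2>/dev/null | sort -u
}

# Classify file $1 as "boringssl", "OpenSSL <version>", or "unknown".
# BoringSSL wins if both markers are present, since that is the linked library.
tls_lib_of() {
    markers=$(tls_markers "$1")
    case "$markers" in
        *BoringSSL*) echo "boringssl" ;;
        OpenSSL*)    echo "$markers" | grep '^OpenSSL' | head -n 1 ;;
        *)           echo "unknown" ;;
    esac
}

# Return 0 when OpenSSL release $1 (e.g. 1.1.1h) is on the 1.1.1 branch and older
# than release $2 (e.g. 1.1.1k). Only the letter-suffixed 1.1.1 series is compared;
# anything else returns 1 so the caller does not get a false "up to date".
openssl_1_1_1_older_than() {
    case "$1" in 1.1.1[a-z]) ;; *) return 1 ;; esac
    case "$2" in 1.1.1[a-z]) ;; *) return 1 ;; esac
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$1" ]
}

# Usage: sh check_tls.sh /path/to/fdbserver [more binaries...]
if [ $# -gt 0 ]; then
    for f in "$@"; do
        lib=$(tls_lib_of "$f")
        printf '%s: %s\n' "$f" "$lib"
        ver=${lib#OpenSSL }
        if openssl_1_1_1_older_than "$ver" 1.1.1k; then
            printf '  %s predates 1.1.1k, the fix release for CVE-2021-3450\n' "$ver"
        fi
    done
fi
```

Running it against the fdbserver binary from the 6.2.30 package is what confirms the thread's conclusion for a given install; an "unknown" result means the version string was stripped or the library is linked dynamically, in which case inspect the shared objects the binary loads instead.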