
upgrade to OpenSSL 1.0.2j #1436

Merged
merged 2 commits into from Sep 27, 2016

Conversation

@robbkidd robbkidd commented Sep 22, 2016

Severity: High

* OCSP Status Request extension unbounded memory growth (CVE-2016-6304)

Severity: Medium

Severity: Low

https://www.openssl.org/news/secadv/20160922.txt

UPDATE: Now includes 1.0.2i and 1.0.2j.

Fixes #1435

Updates omnibus-software (and therefore omnibus) to know about new
version of OpenSSL.

* OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
* SSL_peek() hang on empty record (CVE-2016-6305)
* SWEET32 Mitigation (CVE-2016-2183)
* OOB write in MDC2_Update() (CVE-2016-6303)
* Malformed SHA512 ticket DoS (CVE-2016-6302)
* OOB write in BN_bn2dec() (CVE-2016-2182)
* OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
* Pointer arithmetic undefined behaviour (CVE-2016-2177)
* Constant time flag not preserved in DSA signing (CVE-2016-2178)
* DTLS buffered message DoS (CVE-2016-2179)
* DTLS replay protection DoS (CVE-2016-2181)
* Certificate message OOB reads (CVE-2016-6306)
* Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
* Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)

https://www.openssl.org/news/secadv/20160922.txt

Signed-off-by: Robb Kidd <rkidd@chef.io>
@robbkidd changed the title from "upgrade to OpenSSL 1.0.2i" to "upgrade to OpenSSL 1.0.2j" on Sep 26, 2016
robbkidd commented Sep 27, 2016

These updates brought to you by the letters I and J. Ready for review in our pipeline.

Update omnibus-software for latest OpenSSL

Severity: Moderate

* Missing CRL sanity check (CVE-2016-7052)

Signed-off-by: Robb Kidd <rkidd@chef.io>
@@ -34,7 +34,7 @@
override :git, version: "2.2.1"
override :'chef-gem', version: '12.13.37'
override :redis, version: '2.8.21'
override :openssl, version: '1.0.2h'
override :openssl, version: '1.0.2i'
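Review bot: the `override :openssl, version: '1.0.2i'` line in this hunk still pins 1.0.2i, while the PR title was changed to 1.0.2j and the second commit brings in the omnibus-software definition for 1.0.2j (the CVE-2016-7052 CRL sanity-check fix). Unless the override is meant to be dropped so that omnibus-software's default wins, bump it to `override :openssl, version: '1.0.2j'`, and confirm the shipped artifact with `openssl version` before release so the package does not advertise a fix it does not contain.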
robbkidd (author) commented on this line:

As noted by @nellshamrell elsewhere, this is still i despite bringing in the omnibus-software that provides j.

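As an added example, not part of this PR or of omnibus-software: a small Ruby check that catches exactly the slip noted in the comment above, an `override :openssl` line left at an older release than the advisory's fixed version. It assumes the overrides file uses the `override :openssl, version: '...'` form shown in the diff, and it orders OpenSSL 1.0.x letter suffixes correctly (1.0.2h < 1.0.2i < 1.0.2j), which generic version comparators do not.

```ruby
# Added example, not from the PR or omnibus-software: flag an `override :openssl`
# pin that is older than the release an advisory fixed. OpenSSL 1.0.x uses a
# letter suffix (1.0.2h < 1.0.2i < 1.0.2j, and 0.9.8z < 0.9.8za), so versions
# are parsed into a sortable key instead of using a generic version comparator.

# "1.0.2j" -> [1, 0, 2, 1, 10]: numeric parts, suffix length, suffix rank.
def openssl_version_key(ver)
  m = ver.match(/\A(\d+)\.(\d+)\.(\d+)([a-z]*)\z/)
  raise ArgumentError, "unrecognised OpenSSL version: #{ver.inspect}" unless m
  major, minor, patch = m[1..3].map(&:to_i)
  letters = m[4]
  # base-26 rank of the letter suffix; "" is 0, "a" is 1, "j" is 10
  letter_rank = letters.chars.reduce(0) { |acc, c| acc * 26 + (c.ord - 'a'.ord + 1) }
  [major, minor, patch, letters.length, letter_rank]
end

# Matches the omnibus DSL form seen in the diff: override :openssl, version: '1.0.2i'
OPENSSL_OVERRIDE_RE = /^\s*override\s+:openssl,\s*version:\s*['"]([^'"]+)['"]/

def pinned_openssl_version(overrides_text)
  overrides_text.each_line do |line|
    m = line.match(OPENSSL_OVERRIDE_RE)
    return m[1] if m
  end
  nil
end

# Returns a list of problems; an empty list means the pin satisfies `required`.
def check_openssl_pin(overrides_text, required:)
  pinned = pinned_openssl_version(overrides_text)
  return ["no `override :openssl` found"] if pinned.nil?
  if (openssl_version_key(pinned) <=> openssl_version_key(required)) < 0
    ["openssl pinned to #{pinned}, advisory requires >= #{required}"]
  else
    []
  end
end

# Constructed sample: the override lines as shown in the PR's diff, still
# pinning 1.0.2i after the target moved to 1.0.2j.
SAMPLE_OVERRIDES = <<~RUBY
  override :git, version: "2.2.1"
  override :'chef-gem', version: '12.13.37'
  override :redis, version: '2.8.21'
  override :openssl, version: '1.0.2i'
RUBY

problems = check_openssl_pin(SAMPLE_OVERRIDES, required: "1.0.2j")
puts(problems.empty? ? "openssl pin OK" : problems.join("\n"))
```

Run it as a pre-merge step against the overrides file with the version from the advisory; a non-empty result means the pin is stale.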

@chef-delivery chef-delivery merged commit 185c3fb into master Sep 27, 2016
@robbkidd robbkidd deleted the robb/update-openssl-to-1-0-2i branch November 11, 2016 15:49