From da7e737639a077e954426e5400c3ce15754f54da Mon Sep 17 00:00:00 2001
From: Bernard Spil
Date: Wed, 22 Jun 2022 08:29:39 +0000
Subject: [PATCH] security/vuxml: Document OpenSSL vulnerability
* Pet `make validate`
* Fix spacing for 482456fb-e9af-11ec-93b6-318d1419ea39
* Add discovery date for 482456fb-e9af-11ec-93b6-318d1419ea39 using tor wiki page update date.
---
 .../files/patch-Configurations_10-main.conf | 16 --------
 security/openssl/files/patch-config | 20 ----------
 security/vuxml/vuln-2022.xml | 40 ++++++++++++++++++-
 3 files changed, 38 insertions(+), 38 deletions(-)
 delete mode 100644 security/openssl/files/patch-Configurations_10-main.conf
 delete mode 100644 security/openssl/files/patch-config
diff --git a/security/openssl/files/patch-Configurations_10-main.conf b/security/openssl/files/patch-Configurations_10-main.conf
deleted file mode 100644
index 03be5801b8851..0000000000000
--- a/security/openssl/files/patch-Configurations_10-main.conf
+++ /dev/null
@@ -1,16 +0,0 @@
---- Configurations/10-main.conf.orig 2021-12-14 15:45:01 UTC
-+++ Configurations/10-main.conf
-@@ -988,6 +988,13 @@ my %targets = (
- perlasm_scheme => "elf",
- },
- 
-+ "BSD-aarch64" => {
-+ inherit_from => [ "BSD-generic64", asm("aarch64_asm") ],
-+ lib_cppflags => add("-DL_ENDIAN"),
-+ bn_ops => "SIXTY_FOUR_BIT_LONG",
-+ perlasm_scheme => "linux64",
-+ },
-+
- "bsdi-elf-gcc" => {
- inherit_from => [ "BASE_unix", asm("x86_elf_asm") ],
- CC => "gcc",
diff --git a/security/openssl/files/patch-config b/security/openssl/files/patch-config
deleted file mode 100644
index d83edae81ff78..0000000000000
--- a/security/openssl/files/patch-config
+++ /dev/null
@@ -1,20 +0,0 @@
---- config.orig 2021-08-24 13:38:47 UTC
-+++ config
-@@ -708,14 +708,9 @@ case "$GUESSOS" in
- ia64-*-*bsd*) OUT="BSD-ia64" ;;
- x86_64-*-dragonfly*) OUT="BSD-x86_64" ;;
- amd64-*-*bsd*) OUT="BSD-x86_64" ;;
-- *86*-*-*bsd*) # mimic ld behaviour when it's looking for libc...
-- if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD
-- libc=/usr/lib/libc.so
-- else # OpenBSD
-- # ld searches for highest libc.so.* and so do we
-- libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
-- fi
-- case "`(file -L $libc) 2>/dev/null`" in
-+ arm64-*-*bsd*) OUT="BSD-aarch64" ;;
-+ *86*-*-*bsd*)
-+ case "`(file -L /bin/sh) 2>/dev/null`" in
- *ELF*) OUT="BSD-x86-elf" ;;
- *) OUT="BSD-x86"; options="$options no-sse2" ;;
- esac ;;
diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 93de1ddaa75c2..eb6d8c7f454d7 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,39 @@
+ + OpenSSL -- Command injection vulnerability + + + openssl + 1.1.1p,1 + + + openssl-devel + 3.0.4 + + + openssl-quictls + 3.0.4 + + + + +

The OpenSSL project reports:

+
+

Circumstances where the c_rehash script does not properly + sanitise shell metacharacters to prevent command injection were + found by code review.

+
+ +
+ + CVE-2022-2068 + https://www.openssl.org/news/secadv/20220621.txt + + + 2022-06-21 + 2022-06-22 + +
+ chromium -- multiple vulnerabilities @@ -44,7 +80,7 @@ - Security Vulnerability found in ExifTool leading to RCE + Security Vulnerability found in ExifTool leading to RCE p5-Image-ExifTool @@ -129,7 +165,7 @@ https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE - TBD + 2022-06-14 2022-06-17
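Review bot: The quoted advisory text in the new vuln-2022.xml entry stops after its first sentence, so someone reading this in `pkg audit` output learns that c_rehash has a command-injection flaw but not what governs exposure or what to do beyond upgrading. As I recall, the referenced 20220621 advisory continues by saying the script is a problem where an operating system runs it automatically, that its use is considered obsolete, and that it should be replaced by the `openssl rehash` command-line tool; quoting that paragraph, or adding a one-line paraphrase such as `Use of the c_rehash script is considered obsolete and should be replaced by the openssl rehash command line tool.`, would make the entry actionable for operators who cannot upgrade immediately. The XML tags were stripped in this rendering, so I cannot verify the range elements; the versions shown (1.1.1p,1 and 3.0.4) match the fixed releases the advisory names, so they are presumably `<lt>` bounds, which is worth double-checking for openssl-quictls in case its port versioning does not track upstream exactly.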