Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenSSL: update to 3.0.11 #852

Closed
wants to merge 2 commits into from
Closed

OpenSSL: update to 3.0.11 #852

wants to merge 2 commits into from

Conversation

khorben
Copy link
Contributor

@khorben khorben commented Sep 22, 2023
edited
Loading

OpenSSL 3.0.11 addresses:

  • POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

This also adds instructions in crypto/openssl/FREEBSD-upgrade to help with subsequent updates.

Sponsored by: The FreeBSD Foundation

@khorben @emaste
openssl: Vendor import of OpenSSL 3.0.11
315108b 
Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11:

* Fix POLY1305 MAC implementation corrupting XMM registers on Windows
  ([CVE-2023-4807])

Release notes can otherwise be found at
https://www.openssl.org/news/openssl-3.0-notes.html.

Obtained from:	https://www.openssl.org/source/openssl-3.0.11.tar.gz
Sponsored by:	The FreeBSD Foundation

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
$ OSSLVER=3.0.11
$ XLIST=FREEBSD-Xlist
$ (cd ..; fetch https://www.openssl.org/source/openssl-${OSSLVER}.tar.gz https://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.11.tar.gz                                   14 MB   17 MBps    01s
openssl-3.0.11.tar.gz.asc                              833  B 8301 kBps    00s
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2011-03-01 [SCA]
  DC34EE5DB2417BCC151E5100E5F8F8212F77A498
uid           [ unknown] Willem Toorop <willem@nlnetlabs.nl>
sub   rsa4096 2011-03-01 [E]

pub   rsa4096 2014-10-04 [SC] [expires: 2024-01-30]
  EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
uid           [ unknown] OpenSSL security team <openssl-security@openssl.org>
uid           [ unknown] OpenSSL OMC <openssl-omc@openssl.org>
uid           [ unknown] OpenSSL Security <openssl-security@openssl.org>
sub   rsa4096 2014-10-04 [E] [expires: 2024-01-30]

$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue Sep 19 15:02:51 2023 CEST
gpg:                using RSA key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
gpg: Good signature from "OpenSSL security team <openssl-security@openssl.org>" [unknown]
gpg:                 aka "OpenSSL OMC <openssl-omc@openssl.org>" [unknown]
gpg:                 aka "OpenSSL Security <openssl-security@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EFC0 A467 D613 CB83 C7ED  6D30 D894 E2CE 8B3D 79F5
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -av ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER}  .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
Only in .: appveyor.yml
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
```
@khorben
Merge commit '315108b81694de474bbc273c0050b195047f5eed' into khorben/…
06acbc8 
…openssl-3.0.11
emaste pushed a commit to emaste/freebsd that referenced this pull request Oct 9, 2023
@khorben @emaste
OpenSSL: update to 3.0.11
9100c06 
OpenSSL 3.0.11 addresses:

    POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

Relnotes:	Yes
Pull request:	freebsd#852
Sponsored by:	The FreeBSD Foundation
@emaste emaste added the merged label Oct 9, 2023
@emaste emaste closed this Oct 9, 2023
freebsd-git pushed a commit that referenced this pull request Oct 9, 2023
@khorben @emaste
OpenSSL: update to 3.0.11
6f1af0d 
OpenSSL 3.0.11 addresses:

    POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

Relnotes:	Yes
Pull request:	#852
Sponsored by:	The FreeBSD Foundation
freebsd-git pushed a commit that referenced this pull request Oct 12, 2023
@khorben @emaste
OpenSSL: update to 3.0.11
bbecb0f 
OpenSSL 3.0.11 addresses:

    POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

Relnotes:	Yes
Pull request:	#852
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 6f1af0d)
freebsd-git pushed a commit that referenced this pull request Oct 13, 2023
@khorben @emaste
OpenSSL: update to 3.0.11
c4262d1 
OpenSSL 3.0.11 addresses:

    POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

Relnotes:	Yes
Pull request:	#852
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 6f1af0d)
(cherry picked from commit bbecb0f)

Approved by:	re (gjb)
bsdjhb pushed a commit to bsdjhb/cheribsd that referenced this pull request Feb 8, 2024
@khorben @bsdjhb
OpenSSL: update to 3.0.11
7d91c55 
OpenSSL 3.0.11 addresses:

    POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

Relnotes:	Yes
Pull request:	freebsd/freebsd-src#852
Sponsored by:	The FreeBSD Foundation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@khorben @emaste