openssl-src misses 1.1.1 users on RUSTSEC-2022-00[25,26,27] #1262

Closed
pinkforest opened this issue Jun 17, 2022 · 0 comments · Fixed by #1263

pinkforest commented Jun 17, 2022

Dependabot is now pinging patched 1.1.1 users about outdated openssl-src and asking to switch to 300 stream

Previous PR #1243 #1244 #1245 #1246 #1247 #1248 #1249

I wonder if dependabot follows the unaffected field the way rustadvisory has specified it

This is a bit annoying since vendored openssl pulls 1.1.1o - via 111.20.0 - which is patched

However .. to address the three advisories for 1.1.1 stream users -

I've sent a PR to mark 111.20.0 patched following earlier syntax:
#1263

https://www.openssl.org/news/secadv/20220503.txt
OpenSSL 1.0.2 users should upgrade to 1.0.2ze (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1o
OpenSSL 3.0 users should upgrade to 3.0.3

This will currently show up as an issue in dependabot as e.g. vendored openssl pulls 111.20.0+1.1.1o

pinkforest changed the title from "openssl-src needs to have both minimum and maximum for 111 users" to "openssl-src needs to address 1.1.1 users on RUSTSEC-2022-00[24,25,26]" (Jun 17, 2022)

pinkforest changed the title from "openssl-src needs to address 1.1.1 users on RUSTSEC-2022-00[24,25,26]" to "openssl-src address 1.1.1 users on RUSTSEC-2022-00[24,25,26]" (Jun 17, 2022)

pinkforest changed the title from "openssl-src address 1.1.1 users on RUSTSEC-2022-00[24,25,26]" to "openssl-src address 1.1.1 users on RUSTSEC-2022-00[25,26,27]" (Jun 17, 2022)

pinkforest changed the title from "openssl-src address 1.1.1 users on RUSTSEC-2022-00[25,26,27]" to "openssl-src misses 1.1.1 users on RUSTSEC-2022-00[25,26,27]" (Jun 17, 2022)
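
The situation reported in this issue, as an added example that is not part of the original issue or of the advisory-db code: a minimal evaluator for a list of patched-version requirements, showing why `111.20.0+1.1.1o` is flagged until a bounded 111-stream range is listed next to the 300-stream one. The requirement strings, the `300.0.0` bound, the `111.0.0` sample and all function names are assumptions made for illustration; only `111.20.0+1.1.1o` comes from the issue.

```rust
// Added example: evaluates a list of version requirements in the style of an
// advisory's `patched` field. Comparator strings below are constructed.
type Version = (u64, u64, u64);

// Parse "MAJOR.MINOR.PATCH[+build]"; build metadata is ignored for ordering.
fn parse_version(s: &str) -> Option<Version> {
    let core = s.trim().split('+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let v = (parts.next()?.ok()?, parts.next()?.ok()?, parts.next()?.ok()?);
    if parts.next().is_some() { None } else { Some(v) }
}

// Evaluate one comparator such as ">= 111.20.0" or "< 300.0.0".
fn comparator_matches(cmp: &str, v: Version) -> Option<bool> {
    let c = cmp.trim();
    if let Some(r) = c.strip_prefix(">=") { return Some(v >= parse_version(r)?); }
    if let Some(r) = c.strip_prefix("<=") { return Some(v <= parse_version(r)?); }
    if let Some(r) = c.strip_prefix('>') { return Some(v > parse_version(r)?); }
    if let Some(r) = c.strip_prefix('<') { return Some(v < parse_version(r)?); }
    None // unsupported operator: report it rather than guess
}

// A requirement is a comma-separated AND; the list is an OR of requirements.
// Returns None when a version or comparator cannot be parsed.
fn is_patched(version: &str, patched: &[&str]) -> Option<bool> {
    let v = parse_version(version)?;
    let mut any = false;
    for req in patched {
        let mut all = true;
        for c in req.split(',') { all &= comparator_matches(c, v)?; }
        any |= all;
    }
    Some(any)
}

// Placeholder lower bound for the 300 stream (assumption, not the advisory's value).
const STREAM_300: &str = ">= 300.0.0";
// Bounded 111 range: the kind of entry the issue asks for (assumed syntax).
const STREAM_111: &str = ">= 111.20.0, < 300.0.0";

fn main() {
    let before = [STREAM_300];
    let after = [STREAM_111, STREAM_300];
    // "111.0.0" is a constructed older version used for contrast.
    for v in ["111.20.0+1.1.1o", "111.0.0", "300.0.0"] {
        println!("{v}: before={:?} after={:?}", is_patched(v, &before), is_patched(v, &after));
    }
}
```

The upper bound `< 300.0.0` on the 111 range matters: without it, an unpatched 300-stream release would also satisfy `>= 111.20.0` and be reported as patched.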