unofficial mirror of guix-devel@gnu.org 
* [PATCH 0/2] OpenSSL security updates
From: Leo Famulari @ 2017-01-26 19:19 UTC
  To: guix-devel

OpenSSL 1.0 and 1.1 have both received security updates:

https://mta.openssl.org/pipermail/openssl-announce/2017-January/000094.html

I built the updated packages successfully but I don't have time to test
them. Please test these and push on my behalf.

Please verify the signatures and hashes of the source code, and read
over the patches to make sure they are correct.

Leo Famulari (2):
  gnu: openssl: Replace with openssl-1.0.2k [security fixes].
  gnu: openssl-next: Update to 1.1.0d [fixes CVE-2017-{3730,3731,3732}].

 gnu/packages/tls.scm | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

-- 
2.11.0


* [PATCH 1/2] gnu: openssl: Replace with openssl-1.0.2k [security fixes].
From: Leo Famulari @ 2017-01-26 19:19 UTC
  To: guix-devel

Fix CVE-2016-7055 and CVE-2017-{3731,3732}.

* gnu/packages/tls.scm (openssl)[replacement]: New field.
(openssl-1.0.2k): New variable.
(openssl-next)[replacement]: New field.
---
 gnu/packages/tls.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 1198eb7d0..d2abf1223 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -244,6 +244,7 @@ required structures.")
 (define-public openssl
   (package
    (name "openssl")
+   (replacement openssl-1.0.2k)
    (version "1.0.2j")
    (source (origin
              (method url-fetch)
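
Review bot: the new `(replacement openssl-1.0.2k)` field sits directly above `(version "1.0.2j")` with nothing to say why the two disagree. A short comment on that line naming it as a security graft, to be dropped when `version` itself is next updated, would keep a stale replacement from outliving the base package's next bump.
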
@@ -381,9 +382,29 @@ required structures.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
 
+(define openssl-1.0.2k
+  (package
+    (inherit openssl)
+    (name "openssl")
+    (version "1.0.2k")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (list (string-append "ftp://ftp.openssl.org/source/"
+                                  name "-" version ".tar.gz")
+                   (string-append "ftp://ftp.openssl.org/source/old/"
+                                  (string-trim-right version char-set:letter)
+                                  "/" name "-" version ".tar.gz")))
+        (sha256
+         (base32
+          "1h6qi35w6hv6rd73p4cdgdzg732pdrfgpp37cgwz1v9a3z37ffbb"))
+        (patches (search-patches "openssl-runpath.patch"
+                                 "openssl-c-rehash-in.patch"))))))
+
 (define-public openssl-next
   (package
     (inherit openssl)
+    (replacement #f)
     (name "openssl")
     (version "1.1.0c")
     (source (origin
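
Review bot: `(replacement #f)` in `openssl-next` has no comment, and its purpose is not obvious from the line itself. Since `openssl-next` uses `(inherit openssl)`, it would otherwise pick up the `replacement` field added to `openssl` in the first hunk and be swapped for 1.0.2k; a one-line comment saying so would stop someone from later removing the field as dead code. The commit log already records it under `(openssl-next)[replacement]`, which helps.
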
-- 
2.11.0


* [PATCH 2/2] gnu: openssl-next: Update to 1.1.0d [fixes CVE-2017-{3730, 3731, 3732}].
From: Leo Famulari @ 2017-01-26 19:19 UTC
  To: guix-devel

* gnu/packages/tls.scm (openssl-next): Update to 1.1.0d.
---
 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index d2abf1223..5dac5dff5 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -406,7 +406,7 @@ required structures.")
     (inherit openssl)
     (replacement #f)
     (name "openssl")
-    (version "1.1.0c")
+    (version "1.1.0d")
     (source (origin
              (method url-fetch)
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
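
Review bot: the bumped `(version "1.1.0d")` changes which tarball is fetched from the `ftp://ftp.openssl.org/source/` URI in the context lines, and plain FTP gives no authenticity for that download. The `sha256` in the next hunk is therefore the only integrity check on the source, so it should be recomputed from a tarball whose upstream signature has been verified, as the cover letter requests, rather than taken from the patch as given.
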
@@ -417,7 +417,7 @@ required structures.")
               (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
               (sha256
                (base32
-                "1xfn5ydl14myd9wgxm4nxy5a42cpp1g12ijf3g9m4mz0l90n8hzw"))))
+                "1pv0zql3r73qpjini90hn29l28d65b7i777zav0larbmi6gbnpkx"))))
     (outputs '("out"
                "doc"        ;1.3MiB of man3 pages
                "static"))   ; 5.5MiB of .a files
-- 
2.11.0


* Re: [PATCH 2/2] gnu: openssl-next: Update to 1.1.0d [fixes CVE-2017-{3730,3731,3732}].
From: Leo Famulari @ 2017-01-26 19:21 UTC
  To: guix-devel

On Thu, Jan 26, 2017 at 02:19:36PM -0500, Leo Famulari wrote:
> * gnu/packages/tls.scm (openssl-next): Update to 1.1.0d.

I forgot to sign this email.

> ---
>  gnu/packages/tls.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index d2abf1223..5dac5dff5 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -406,7 +406,7 @@ required structures.")
>      (inherit openssl)
>      (replacement #f)
>      (name "openssl")
> -    (version "1.1.0c")
> +    (version "1.1.0d")
>      (source (origin
>               (method url-fetch)
>               (uri (list (string-append "ftp://ftp.openssl.org/source/"
> @@ -417,7 +417,7 @@ required structures.")
>                (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
>                (sha256
>                 (base32
> -                "1xfn5ydl14myd9wgxm4nxy5a42cpp1g12ijf3g9m4mz0l90n8hzw"))))
> +                "1pv0zql3r73qpjini90hn29l28d65b7i777zav0larbmi6gbnpkx"))))
>      (outputs '("out"
>                 "doc"        ;1.3MiB of man3 pages
>                 "static"))   ; 5.5MiB of .a files
> -- 
> 2.11.0
> 


* Re: [PATCH 1/2] gnu: openssl: Replace with openssl-1.0.2k [security fixes].
From: Leo Famulari @ 2017-01-26 19:22 UTC
  To: guix-devel

On Thu, Jan 26, 2017 at 02:19:35PM -0500, Leo Famulari wrote:
> Fix CVE-2016-7055 and CVE-2017-{3731,3732}.
> 
> * gnu/packages/tls.scm (openssl)[replacement]: New field.
> (openssl-1.0.2k): New variable.
> (openssl-next)[replacement]: New field.

I forgot to sign this email, too.

> ---
>  gnu/packages/tls.scm | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
> 
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 1198eb7d0..d2abf1223 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -244,6 +244,7 @@ required structures.")
>  (define-public openssl
>    (package
>     (name "openssl")
> +   (replacement openssl-1.0.2k)
>     (version "1.0.2j")
>     (source (origin
>               (method url-fetch)
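
Review bot: a `replacement` swaps the library underneath packages already built against 1.0.2j, so the added `(replacement openssl-1.0.2k)` line is only safe if 1.0.2k is ABI-compatible with it. The commit message lists the CVEs fixed but does not say compatibility was checked; one sentence to that effect would help the person pushing.
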
> @@ -381,9 +382,29 @@ required structures.")
>     (license license:openssl)
>     (home-page "http://www.openssl.org/")))
>  
> +(define openssl-1.0.2k
> +  (package
> +    (inherit openssl)
> +    (name "openssl")
> +    (version "1.0.2k")
> +    (source
> +      (origin
> +        (method url-fetch)
> +        (uri (list (string-append "ftp://ftp.openssl.org/source/"
> +                                  name "-" version ".tar.gz")
> +                   (string-append "ftp://ftp.openssl.org/source/old/"
> +                                  (string-trim-right version char-set:letter)
> +                                  "/" name "-" version ".tar.gz")))
> +        (sha256
> +         (base32
> +          "1h6qi35w6hv6rd73p4cdgdzg732pdrfgpp37cgwz1v9a3z37ffbb"))
> +        (patches (search-patches "openssl-runpath.patch"
> +                                 "openssl-c-rehash-in.patch"))))))
> +
>  (define-public openssl-next
>    (package
>      (inherit openssl)
> +    (replacement #f)
>      (name "openssl")
>      (version "1.1.0c")
>      (source (origin
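
Review bot: `openssl-1.0.2k` is bound with plain `define` while `openssl` and `openssl-next` on either side use `define-public`. If that is deliberate, to keep the graft target out of the module's exports while it shares `(name "openssl")` with the base package, a comment above the definition saying so would make the difference read as intended rather than as an oversight.
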
> -- 
> 2.11.0
> 


* Re: [PATCH 0/2] OpenSSL security updates
From: Marius Bakke @ 2017-01-26 21:43 UTC
  To: Leo Famulari, guix-devel

Leo Famulari <leo@famulari.name> writes:

> OpenSSL 1.0 and 1.1 have both received security updates:
>
> https://mta.openssl.org/pipermail/openssl-announce/2017-January/000094.html
>
> I built the updated packages successfully but I don't have time to test
> them. Please test these and push on my behalf.

Tested and pushed. Thank you!


* Re: [PATCH 0/2] OpenSSL security updates
From: Leo Famulari @ 2017-01-26 23:53 UTC
  To: Marius Bakke; +Cc: guix-devel

On Thu, Jan 26, 2017 at 10:43:34PM +0100, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > OpenSSL 1.0 and 1.1 have both received security updates:
> >
> > https://mta.openssl.org/pipermail/openssl-announce/2017-January/000094.html
> >
> > I built the updated packages successfully but I don't have time to test
> > them. Please test these and push on my behalf.
> 
> Tested and pushed. Thank you!

Thank you Marius!
