* [bug#64982] [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)
@ 2023-07-31 23:33 Denis 'GNUtoo' Carikli
2023-08-01 0:15 ` [bug#64982] [PATCH v1 1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784] Denis 'GNUtoo' Carikli
2023-09-07 16:38 ` bug#64982: Closing Andreas Enge
0 siblings, 2 replies; 3+ messages in thread
From: Denis 'GNUtoo' Carikli @ 2023-07-31 23:33 UTC (permalink / raw)
To: 64982; +Cc: Denis 'GNUtoo' Carikli
Hi,
The patch that will follow updates LibreSSL to the last version to fix the
CVE-2023-35784[1]. That CVE consist of a double free and a use after free and
is considered critical according to the NIST.
[1]https://nvd.nist.gov/vuln/detail/CVE-2023-35784
While LibreSSL builds fine and that all its test pass on x86_64, it also has a
significant number of reverse dependencies (a bit more than 30) that need to
be rebuilt, so I would need help with testing:
* axel
* catgirl
* ceph
* clamav
* epic5
* gmid
* httrack
* litterbox
* openboard
* openntpd
* openscad
* opensmtpd-extras
* opensmtpd-filter-rspamd
* pam-u2f
* pounce
* python-astroalign
* python-duckdb
* python-feather-format
* python-ikarus
* python-jwst
* python-modin
* python-poliastro
* python-regions
* python-sunpy
* python-tslearn
* python-vaex-core
* r-chromunity
* r-cistopic
* r-cistopic-next
* seek
* telescope
* xarcan
* zbackup
Denis.
Denis 'GNUtoo' Carikli (1):
gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].
gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
--
2.41.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [bug#64982] [PATCH v1 1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].
2023-07-31 23:33 [bug#64982] [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) Denis 'GNUtoo' Carikli
@ 2023-08-01 0:15 ` Denis 'GNUtoo' Carikli
2023-09-07 16:38 ` bug#64982: Closing Andreas Enge
1 sibling, 0 replies; 3+ messages in thread
From: Denis 'GNUtoo' Carikli @ 2023-08-01 0:15 UTC (permalink / raw)
To: 64982; +Cc: Denis 'GNUtoo' Carikli
* gnu/packages/tls.scm (libressl): Update to 3.8.0.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
---
gnu/packages/tls.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..deec73b43f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -659,14 +659,14 @@ (define-public bearssl
(define-public libressl
(package
(name "libressl")
- (version "3.6.1")
+ (version "3.8.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://openbsd/LibreSSL/"
"libressl-" version ".tar.gz"))
(sha256
(base32
- "0x37037rb0zx34zp0kbbqj2xwd57gh1m6bfn52f92fz92q9wdymc"))))
+ "1b5c45gkrfcvjpf5dx288r6x1zhc9dk9j61ixfmwdi88r0g1qlqj"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
--
2.41.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* bug#64982: Closing
2023-07-31 23:33 [bug#64982] [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) Denis 'GNUtoo' Carikli
2023-08-01 0:15 ` [bug#64982] [PATCH v1 1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784] Denis 'GNUtoo' Carikli
@ 2023-09-07 16:38 ` Andreas Enge
1 sibling, 0 replies; 3+ messages in thread
From: Andreas Enge @ 2023-09-07 16:38 UTC (permalink / raw)
To: 64982-done
Hello Denis,
thanks for the patch! This was fixed in commit
commit 310b0f72d8749376832fa1f149837a83d8e74629
Author: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Sun Aug 13 02:00:00 2023 +0200
gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784].
Thanks to Dennis 'GNUtoo' Carikli for <https://issues.guix.gnu.org/64982>,
but upgrading to 3.8.0 breaks (at least) OpenSMTPd.
* gnu/packages/tls.scm (libressl): Update to 3.7.3.
Indeed QA shows that opensmtpd fails:
https://qa.guix.gnu.org/issue/64982
https://bordeaux.guix.gnu.org/build/16cbfca4-a0a3-4374-9ae4-6c1dad67494b/log
I am closing this bug, as updating libressl to the most recent version
is a different topic. Actually the 3.8.0 and 3.8.1 releases are called
"development releases" in the release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.0-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.1-relnotes.txt
while 3.7.3 does not have the "development" term:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.3-relnotes.txt
so we may be better off sticking with 3.7.x for the moment.
Andreas
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-09-07 16:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-31 23:33 [bug#64982] [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) Denis 'GNUtoo' Carikli
2023-08-01 0:15 ` [bug#64982] [PATCH v1 1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784] Denis 'GNUtoo' Carikli
2023-09-07 16:38 ` bug#64982: Closing Andreas Enge
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).