From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:403:4789::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id +IM6Ic0zyWRZ7gAASxT56A (envelope-from ) for ; Tue, 01 Aug 2023 18:33:17 +0200 Received: from aspmx1.migadu.com ([2001:41d0:403:4789::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id OMvgIM0zyWR+RQEAauVa8A (envelope-from ) for ; Tue, 01 Aug 2023 18:33:17 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 1DBE951910 for ; Tue, 1 Aug 2023 18:33:17 +0200 (CEST) Authentication-Results: aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1690907597; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=QgAKDzguBzMj9yK1SLs0zOmpn9l/zGALiJG6Qzc1B70=; b=ZQUcsuMtAUxWbsVXvVyM2/T8vChrqn+nN00mneGZ9TkTWi+E5snp4zM/FEZ4Wm6y35ZlW/ GKwVfQ1pzxJROzWeuN2qaRbhc54ILtlmKVsOZfghgRVj7H/fyELlnD4K/jbwbHEUFeuC4t DBJCBVAUFy0TWvaOpiGAd5rhV6DLZohhR1Ot5Volo+qAKV2gy22noyyltfEIDWqf2OGAx/ HRgXQdhszy3XF2TLsSkN13qjrz6Qb66VmhlwLdHvL2usKiRxgm8RuSMF4MXU0N8KTj2vLe frJRWxsyXo38bznHjNYQloqlagIyz/mweFXLFvU0s2NTojRZLaog6Ny1jfSCFg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=none ARC-Seal: i=1; s=key1; d=yhetil.org; t=1690907597; a=rsa-sha256; cv=none; b=D2NidtInmlWbjdeTzjeFwNwfl/U2JRO3AdixICBEKx98t1IY4D+BnP9Wa/HNW4ULQKpU2s K8nyN34m738x1OaXXEOcf2zvRvrzLcyzvxwau0WWgZVPvkSaoh2y/J/QShdzVXQrqKxKSP KpfxtYjfOSLGfPEDYDRHRFvoCL/Ok6rmf19EfdFh9CfLv+ffZ1FIkQogkFwEEmjQhUNRC7 vumaWCnKhUXyBFc+q0/VprxofuFurp2Rs00vAOEZC1hPtpRU98wPMNIAP7DlzLmD+0ctV0 1WU5O86byqIgiNI5TxE+/jW1OIVLKEgEiowZHMX4fhucyglcHS8VTl/1wnMWWQ== Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qQsIz-0007G5-N4; Tue, 01 Aug 2023 12:33:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qQsIw-0007Fh-NH for guix-patches@gnu.org; Tue, 01 Aug 2023 12:33:02 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1qQsIw-0003VL-E7 for guix-patches@gnu.org; Tue, 01 Aug 2023 12:33:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1qQsIw-0003aZ-92 for guix-patches@gnu.org; Tue, 01 Aug 2023 12:33:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#64997] [PATCH 0/1] OpenSSL 3.0: Fix 6 CVEs (max score: 7.5 high, 8680 dependent packages) Resent-From: Denis 'GNUtoo' Carikli Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 01 Aug 2023 16:33:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 64997 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 64997@debbugs.gnu.org Cc: Denis 'GNUtoo' Carikli X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.169090753413738 (code B ref -1); Tue, 01 Aug 2023 16:33:02 +0000 Received: (at submit) by debbugs.gnu.org; 1 Aug 2023 16:32:14 +0000 Received: from localhost ([127.0.0.1]:48247 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qQsI9-0003ZW-RZ for submit@debbugs.gnu.org; Tue, 01 Aug 2023 12:32:14 -0400 Received: from lists.gnu.org ([2001:470:142::17]:51676) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qQsI7-0003ZH-6h for submit@debbugs.gnu.org; Tue, 01 Aug 2023 12:32:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qQsHz-0006cj-4b for guix-patches@gnu.org; Tue, 01 Aug 2023 12:32:03 -0400 Received: from cyberdimension.org ([2001:910:1314:ffff::1] helo=gnutoo.cyberdimension.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim 4.90_1) (envelope-from ) id 1qQsHx-0002Al-1z for guix-patches@gnu.org; Tue, 01 Aug 2023 12:32:02 -0400 Received: from gnutoo.cyberdimension.org (localhost [127.0.0.1]) by cyberdimension.org (OpenSMTPD) with ESMTP id f8fa9888; Tue, 1 Aug 2023 16:31:53 +0000 (UTC) Received: from localhost.localdomain (localhost [::1]) by gnutoo.cyberdimension.org (OpenSMTPD) with ESMTP id d74242c4; Tue, 1 Aug 2023 16:31:53 +0000 (UTC) From: Denis 'GNUtoo' Carikli Date: Tue, 1 Aug 2023 17:36:22 +0200 Message-ID: X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2001:910:1314:ffff::1; envelope-from=GNUtoo@cyberdimension.org; helo=gnutoo.cyberdimension.org X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: -4.65 X-Spam-Score: -4.65 X-Migadu-Queue-Id: 1DBE951910 X-Migadu-Scanner: mx1.migadu.com X-TUID: /9zkuxOAIqIn The patch that will follow updates OpenSSL 3.0 to the last version to fix the following CVEs: * CVE-2023-0464 [1] * CVE-2023-0465 [2] * CVE-2023-0466 [3] * CVE-2023-1255 [4] * CVE-2023-2650 [5] * CVE-2023-2975 [6] [1]https://nvd.nist.gov/vuln/detail/CVE-2023-0464 [2]https://nvd.nist.gov/vuln/detail/CVE-2023-0465 [3]https://nvd.nist.gov/vuln/detail/CVE-2023-0466 [4]https://nvd.nist.gov/vuln/detail/CVE-2023-1255 [5]https://nvd.nist.gov/vuln/detail/CVE-2023-2650 [6]https://nvd.nist.gov/vuln/detail/CVE-2023-2975 While OpenSSL builds fine and that all its test pass on x86_64, it also has a significant number of reverse dependencies (about 8680, so more than 300) that need to be rebuilt. Denis 'GNUtoo' Carikli (1): gnu: openssl: Update to 3.0.10 [security fixes]. gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) base-commit: 39fbc041f92489ec30075a85937c8a38723752dc -- 2.41.0