[ptxdist] [PATCH] openssl: Version bump. 3.2.0 -> 3.2.1

mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed

* [ptxdist] [PATCH] openssl: Version bump. 3.2.0 -> 3.2.1
@ 2024-02-06 19:40 Christian Melki
  2024-02-09 16:11 ` [ptxdist] [APPLIED] " Michael Olbrich
  0 siblings, 1 reply; 2+ messages in thread
From: Christian Melki @ 2024-02-06 19:40 UTC (permalink / raw)
  To: ptxdist

Minor release, security bugfixes. All low severity.
https://www.openssl.org/news/cl32.txt

Plugs CVEs:
CVE-2024-0727: Fixed PKCS12 Decoding crashes
CVE-2023-6237: Fixed excessive time spent checking invalid RSA public keys
CVE-2023-6129: Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07.

* Remove one patch. Code was added to the release.

Signed-off-by: Christian Melki <christian.melki@t2data.com>
---
 ...frag_len-checking-if-no-Max-Fragment.patch | 41 -------------------
 .../0001-debian-targets.patch                 |  0
 .../0002-pic.patch                            |  0
 ...to-enable-ktls-if-target-does-not-st.patch |  4 +-
 ...rialize-allocation-free-of-ssl_names.patch |  0
 ...zero-call-used-regs-used-gpr-from-De.patch |  0
 .../{openssl-3.2.0 => openssl-3.2.1}/series   |  3 +-
 rules/openssl.make                            |  4 +-
 8 files changed, 5 insertions(+), 47 deletions(-)
 delete mode 100644 patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0001-debian-targets.patch (100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0002-pic.patch (100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch (96%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0004-conf-Serialize-allocation-free-of-ssl_names.patch (100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch (100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/series (73%)

diff --git a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
deleted file mode 100644
index 814bd07be..000000000
--- a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 2 Jan 2024 16:48:43 +0000
-Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
- extension
-
-Don't check the Max Fragment Length if the it hasn't been negotiated. We
-were checking it anyway, and using the default value
-(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
-record length to actually exceed this in some cases.
-
-Fixes #23169
----
- ssl/record/methods/tls_common.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
-index 423777c18dd4..1a9320ae74de 100644
---- a/ssl/record/methods/tls_common.c
-+++ b/ssl/record/methods/tls_common.c
-@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
-         }
- 
-         /*
--         * Check if the received packet overflows the current
--         * Max Fragment Length setting.
--         * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
-+         * Record overflow checking (e.g. checking if
-+         * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
-+         * the post_process_record() function above. However we check here if
-+         * the received packet overflows the current Max Fragment Length setting
-+         * if there is one.
-+         * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
-+         * mutually exclusive. Also note that with KTLS thisrr->length can
-+         * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
-          */
--        if (thisrr->length > rl->max_frag_len) {
-+        if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
-+                && thisrr->length > rl->max_frag_len) {
-             RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
-             goto end;
-         }
diff --git a/patches/openssl-3.2.0/0001-debian-targets.patch b/patches/openssl-3.2.1/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-3.2.0/0001-debian-targets.patch
rename to patches/openssl-3.2.1/0001-debian-targets.patch
diff --git a/patches/openssl-3.2.0/0002-pic.patch b/patches/openssl-3.2.1/0002-pic.patch
similarity index 100%
rename from patches/openssl-3.2.0/0002-pic.patch
rename to patches/openssl-3.2.1/0002-pic.patch
diff --git a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
similarity index 96%
rename from patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
rename to patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
index 6275de708..6b518ef22 100644
--- a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
+++ b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
@@ -28,7 +28,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index d1a15a115274..d15d28499a21 100644
+index 2a047caa7d4a..aa2685be93b9 100644
 --- a/Configurations/10-main.conf
 +++ b/Configurations/10-main.conf
 @@ -693,7 +693,7 @@ my %targets = (
@@ -41,7 +41,7 @@ index d1a15a115274..d15d28499a21 100644
      "linux-latomic" => {
          inherit_from     => [ "linux-generic32" ],
 diff --git a/Configure b/Configure
-index cbba1749b5a3..a69068121949 100755
+index cca1ac8d162e..c9bbcbbed3e6 100755
 --- a/Configure
 +++ b/Configure
 @@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
diff --git a/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
similarity index 100%
rename from patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
rename to patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
diff --git a/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch b/patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
similarity index 100%
rename from patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
rename to patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.1/series
similarity index 73%
rename from patches/openssl-3.2.0/series
rename to patches/openssl-3.2.1/series
index 309ec1465..cd66cc21a 100644
--- a/patches/openssl-3.2.0/series
+++ b/patches/openssl-3.2.1/series
@@ -7,5 +7,4 @@
 0004-conf-Serialize-allocation-free-of-ssl_names.patch
 0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
 #tag:upstream --start-number 100
-0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
-# d6f307e5d2ef578b08c895257daa6fbc  - git-ptx-patches magic
+# ab24a399a1a602376760e385c08ab320  - git-ptx-patches magic
diff --git a/rules/openssl.make b/rules/openssl.make
index bc1322725..7080bd50b 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 # Paths and names
 #
-OPENSSL_VERSION	:= 3.2.0
-OPENSSL_MD5	:= 7903549a14abebc5c323ce4e85f2cbb2
+OPENSSL_VERSION	:= 3.2.1
+OPENSSL_MD5	:= c239213887804ba00654884918b37441
 OPENSSL		:= openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX	:= tar.gz
 OPENSSL_URL	:= \
-- 
2.34.1




^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [ptxdist] [APPLIED] openssl: Version bump. 3.2.0 -> 3.2.1
  2024-02-06 19:40 [ptxdist] [PATCH] openssl: Version bump. 3.2.0 -> 3.2.1 Christian Melki
@ 2024-02-09 16:11 ` Michael Olbrich
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Olbrich @ 2024-02-09 16:11 UTC (permalink / raw)
  To: ptxdist; +Cc: Christian Melki

Thanks, applied as a650ae7f2756701a6df837b2a8f57de57a30f871.

Michael

[sent from post-receive hook]

On Fri, 09 Feb 2024 17:11:26 +0100, Christian Melki <christian.melki@t2data.com> wrote:
> Minor release, security bugfixes. All low severity.
> https://www.openssl.org/news/cl32.txt
> 
> Plugs CVEs:
> CVE-2024-0727: Fixed PKCS12 Decoding crashes
> CVE-2023-6237: Fixed excessive time spent checking invalid RSA public keys
> CVE-2023-6129: Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07.
> 
> * Remove one patch. Code was added to the release.
> 
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> Message-Id: <20240206194002.673322-1-christian.melki@t2data.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> deleted file mode 100644
> index 814bd07bec63..000000000000
> --- a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> +++ /dev/null
> @@ -1,41 +0,0 @@
> -From: Matt Caswell <matt@openssl.org>
> -Date: Tue, 2 Jan 2024 16:48:43 +0000
> -Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
> - extension
> -
> -Don't check the Max Fragment Length if the it hasn't been negotiated. We
> -were checking it anyway, and using the default value
> -(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
> -record length to actually exceed this in some cases.
> -
> -Fixes #23169
> ----
> - ssl/record/methods/tls_common.c | 14 ++++++++++----
> - 1 file changed, 10 insertions(+), 4 deletions(-)
> -
> -diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
> -index 423777c18dd4..1a9320ae74de 100644
> ---- a/ssl/record/methods/tls_common.c
> -+++ b/ssl/record/methods/tls_common.c
> -@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
> -         }
> - 
> -         /*
> --         * Check if the received packet overflows the current
> --         * Max Fragment Length setting.
> --         * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
> -+         * Record overflow checking (e.g. checking if
> -+         * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
> -+         * the post_process_record() function above. However we check here if
> -+         * the received packet overflows the current Max Fragment Length setting
> -+         * if there is one.
> -+         * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
> -+         * mutually exclusive. Also note that with KTLS thisrr->length can
> -+         * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
> -          */
> --        if (thisrr->length > rl->max_frag_len) {
> -+        if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
> -+                && thisrr->length > rl->max_frag_len) {
> -             RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
> -             goto end;
> -         }
> diff --git a/patches/openssl-3.2.0/0001-debian-targets.patch b/patches/openssl-3.2.1/0001-debian-targets.patch
> similarity index 100%
> rename from patches/openssl-3.2.0/0001-debian-targets.patch
> rename to patches/openssl-3.2.1/0001-debian-targets.patch
> diff --git a/patches/openssl-3.2.0/0002-pic.patch b/patches/openssl-3.2.1/0002-pic.patch
> similarity index 100%
> rename from patches/openssl-3.2.0/0002-pic.patch
> rename to patches/openssl-3.2.1/0002-pic.patch
> diff --git a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> similarity index 96%
> rename from patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> rename to patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> index 6275de7089d7..6b518ef22d49 100644
> --- a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> +++ b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> @@ -28,7 +28,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>   2 files changed, 2 insertions(+), 2 deletions(-)
>  
>  diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
> -index d1a15a115274..d15d28499a21 100644
> +index 2a047caa7d4a..aa2685be93b9 100644
>  --- a/Configurations/10-main.conf
>  +++ b/Configurations/10-main.conf
>  @@ -693,7 +693,7 @@ my %targets = (
> @@ -41,7 +41,7 @@ index d1a15a115274..d15d28499a21 100644
>       "linux-latomic" => {
>           inherit_from     => [ "linux-generic32" ],
>  diff --git a/Configure b/Configure
> -index cbba1749b5a3..a69068121949 100755
> +index cca1ac8d162e..c9bbcbbed3e6 100755
>  --- a/Configure
>  +++ b/Configure
>  @@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
> diff --git a/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> similarity index 100%
> rename from patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> rename to patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> diff --git a/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch b/patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> similarity index 100%
> rename from patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> rename to patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.1/series
> similarity index 73%
> rename from patches/openssl-3.2.0/series
> rename to patches/openssl-3.2.1/series
> index 309ec1465b5e..cd66cc21a112 100644
> --- a/patches/openssl-3.2.0/series
> +++ b/patches/openssl-3.2.1/series
> @@ -7,5 +7,4 @@
>  0004-conf-Serialize-allocation-free-of-ssl_names.patch
>  0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
>  #tag:upstream --start-number 100
> -0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> -# d6f307e5d2ef578b08c895257daa6fbc  - git-ptx-patches magic
> +# ab24a399a1a602376760e385c08ab320  - git-ptx-patches magic
> diff --git a/rules/openssl.make b/rules/openssl.make
> index bc1322725260..7080bd50ba55 100644
> --- a/rules/openssl.make
> +++ b/rules/openssl.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
>  #
>  # Paths and names
>  #
> -OPENSSL_VERSION	:= 3.2.0
> -OPENSSL_MD5	:= 7903549a14abebc5c323ce4e85f2cbb2
> +OPENSSL_VERSION	:= 3.2.1
> +OPENSSL_MD5	:= c239213887804ba00654884918b37441
>  OPENSSL		:= openssl-$(OPENSSL_VERSION)
>  OPENSSL_SUFFIX	:= tar.gz
>  OPENSSL_URL	:= \



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-02-09 16:12 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-06 19:40 [ptxdist] [PATCH] openssl: Version bump. 3.2.0 -> 3.2.1 Christian Melki
2024-02-09 16:11 ` [ptxdist] [APPLIED] " Michael Olbrich

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox