* [ptxdist] [PATCH] openssl: Version bump. 3.2.0 -> 3.2.1
@ 2024-02-06 19:40 Christian Melki
2024-02-09 16:11 ` [ptxdist] [APPLIED] " Michael Olbrich
0 siblings, 1 reply; 2+ messages in thread
From: Christian Melki @ 2024-02-06 19:40 UTC (permalink / raw)
To: ptxdist
Minor release, security bugfixes. All low severity.
https://www.openssl.org/news/cl32.txt
Plugs CVEs:
CVE-2024-0727: Fixed PKCS12 Decoding crashes
CVE-2023-6237: Fixed excessive time spent checking invalid RSA public keys
CVE-2023-6129: Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07.
* Remove one patch. Code was added to the release.
Signed-off-by: Christian Melki <christian.melki@t2data.com>
---
...frag_len-checking-if-no-Max-Fragment.patch | 41 -------------------
.../0001-debian-targets.patch | 0
.../0002-pic.patch | 0
...to-enable-ktls-if-target-does-not-st.patch | 4 +-
...rialize-allocation-free-of-ssl_names.patch | 0
...zero-call-used-regs-used-gpr-from-De.patch | 0
.../{openssl-3.2.0 => openssl-3.2.1}/series | 3 +-
rules/openssl.make | 4 +-
8 files changed, 5 insertions(+), 47 deletions(-)
delete mode 100644 patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
rename patches/{openssl-3.2.0 => openssl-3.2.1}/0001-debian-targets.patch (100%)
rename patches/{openssl-3.2.0 => openssl-3.2.1}/0002-pic.patch (100%)
rename patches/{openssl-3.2.0 => openssl-3.2.1}/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch (96%)
rename patches/{openssl-3.2.0 => openssl-3.2.1}/0004-conf-Serialize-allocation-free-of-ssl_names.patch (100%)
rename patches/{openssl-3.2.0 => openssl-3.2.1}/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch (100%)
rename patches/{openssl-3.2.0 => openssl-3.2.1}/series (73%)
diff --git a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
deleted file mode 100644
index 814bd07be..000000000
--- a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 2 Jan 2024 16:48:43 +0000
-Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
- extension
-
-Don't check the Max Fragment Length if the it hasn't been negotiated. We
-were checking it anyway, and using the default value
-(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
-record length to actually exceed this in some cases.
-
-Fixes #23169
----
- ssl/record/methods/tls_common.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
-index 423777c18dd4..1a9320ae74de 100644
---- a/ssl/record/methods/tls_common.c
-+++ b/ssl/record/methods/tls_common.c
-@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
- }
-
- /*
-- * Check if the received packet overflows the current
-- * Max Fragment Length setting.
-- * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
-+ * Record overflow checking (e.g. checking if
-+ * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
-+ * the post_process_record() function above. However we check here if
-+ * the received packet overflows the current Max Fragment Length setting
-+ * if there is one.
-+ * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
-+ * mutually exclusive. Also note that with KTLS thisrr->length can
-+ * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
- */
-- if (thisrr->length > rl->max_frag_len) {
-+ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
-+ && thisrr->length > rl->max_frag_len) {
- RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
- goto end;
- }
diff --git a/patches/openssl-3.2.0/0001-debian-targets.patch b/patches/openssl-3.2.1/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-3.2.0/0001-debian-targets.patch
rename to patches/openssl-3.2.1/0001-debian-targets.patch
diff --git a/patches/openssl-3.2.0/0002-pic.patch b/patches/openssl-3.2.1/0002-pic.patch
similarity index 100%
rename from patches/openssl-3.2.0/0002-pic.patch
rename to patches/openssl-3.2.1/0002-pic.patch
diff --git a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
similarity index 96%
rename from patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
rename to patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
index 6275de708..6b518ef22 100644
--- a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
+++ b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
@@ -28,7 +28,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index d1a15a115274..d15d28499a21 100644
+index 2a047caa7d4a..aa2685be93b9 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -693,7 +693,7 @@ my %targets = (
@@ -41,7 +41,7 @@ index d1a15a115274..d15d28499a21 100644
"linux-latomic" => {
inherit_from => [ "linux-generic32" ],
diff --git a/Configure b/Configure
-index cbba1749b5a3..a69068121949 100755
+index cca1ac8d162e..c9bbcbbed3e6 100755
--- a/Configure
+++ b/Configure
@@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
diff --git a/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
similarity index 100%
rename from patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
rename to patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
diff --git a/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch b/patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
similarity index 100%
rename from patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
rename to patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.1/series
similarity index 73%
rename from patches/openssl-3.2.0/series
rename to patches/openssl-3.2.1/series
index 309ec1465..cd66cc21a 100644
--- a/patches/openssl-3.2.0/series
+++ b/patches/openssl-3.2.1/series
@@ -7,5 +7,4 @@
0004-conf-Serialize-allocation-free-of-ssl_names.patch
0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
#tag:upstream --start-number 100
-0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
-# d6f307e5d2ef578b08c895257daa6fbc - git-ptx-patches magic
+# ab24a399a1a602376760e385c08ab320 - git-ptx-patches magic
diff --git a/rules/openssl.make b/rules/openssl.make
index bc1322725..7080bd50b 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
#
# Paths and names
#
-OPENSSL_VERSION := 3.2.0
-OPENSSL_MD5 := 7903549a14abebc5c323ce4e85f2cbb2
+OPENSSL_VERSION := 3.2.1
+OPENSSL_MD5 := c239213887804ba00654884918b37441
OPENSSL := openssl-$(OPENSSL_VERSION)
OPENSSL_SUFFIX := tar.gz
OPENSSL_URL := \
--
2.34.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [ptxdist] [APPLIED] openssl: Version bump. 3.2.0 -> 3.2.1
2024-02-06 19:40 [ptxdist] [PATCH] openssl: Version bump. 3.2.0 -> 3.2.1 Christian Melki
@ 2024-02-09 16:11 ` Michael Olbrich
0 siblings, 0 replies; 2+ messages in thread
From: Michael Olbrich @ 2024-02-09 16:11 UTC (permalink / raw)
To: ptxdist; +Cc: Christian Melki
Thanks, applied as a650ae7f2756701a6df837b2a8f57de57a30f871.
Michael
[sent from post-receive hook]
On Fri, 09 Feb 2024 17:11:26 +0100, Christian Melki <christian.melki@t2data.com> wrote:
> Minor release, security bugfixes. All low severity.
> https://www.openssl.org/news/cl32.txt
>
> Plugs CVEs:
> CVE-2024-0727: Fixed PKCS12 Decoding crashes
> CVE-2023-6237: Fixed excessive time spent checking invalid RSA public keys
> CVE-2023-6129: Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07.
>
> * Remove one patch. Code was added to the release.
>
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> Message-Id: <20240206194002.673322-1-christian.melki@t2data.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> deleted file mode 100644
> index 814bd07bec63..000000000000
> --- a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> +++ /dev/null
> @@ -1,41 +0,0 @@
> -From: Matt Caswell <matt@openssl.org>
> -Date: Tue, 2 Jan 2024 16:48:43 +0000
> -Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
> - extension
> -
> -Don't check the Max Fragment Length if the it hasn't been negotiated. We
> -were checking it anyway, and using the default value
> -(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
> -record length to actually exceed this in some cases.
> -
> -Fixes #23169
> ----
> - ssl/record/methods/tls_common.c | 14 ++++++++++----
> - 1 file changed, 10 insertions(+), 4 deletions(-)
> -
> -diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
> -index 423777c18dd4..1a9320ae74de 100644
> ---- a/ssl/record/methods/tls_common.c
> -+++ b/ssl/record/methods/tls_common.c
> -@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
> - }
> -
> - /*
> -- * Check if the received packet overflows the current
> -- * Max Fragment Length setting.
> -- * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
> -+ * Record overflow checking (e.g. checking if
> -+ * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
> -+ * the post_process_record() function above. However we check here if
> -+ * the received packet overflows the current Max Fragment Length setting
> -+ * if there is one.
> -+ * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
> -+ * mutually exclusive. Also note that with KTLS thisrr->length can
> -+ * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
> - */
> -- if (thisrr->length > rl->max_frag_len) {
> -+ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
> -+ && thisrr->length > rl->max_frag_len) {
> - RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
> - goto end;
> - }
> diff --git a/patches/openssl-3.2.0/0001-debian-targets.patch b/patches/openssl-3.2.1/0001-debian-targets.patch
> similarity index 100%
> rename from patches/openssl-3.2.0/0001-debian-targets.patch
> rename to patches/openssl-3.2.1/0001-debian-targets.patch
> diff --git a/patches/openssl-3.2.0/0002-pic.patch b/patches/openssl-3.2.1/0002-pic.patch
> similarity index 100%
> rename from patches/openssl-3.2.0/0002-pic.patch
> rename to patches/openssl-3.2.1/0002-pic.patch
> diff --git a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> similarity index 96%
> rename from patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> rename to patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> index 6275de7089d7..6b518ef22d49 100644
> --- a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> +++ b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> @@ -28,7 +28,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
> -index d1a15a115274..d15d28499a21 100644
> +index 2a047caa7d4a..aa2685be93b9 100644
> --- a/Configurations/10-main.conf
> +++ b/Configurations/10-main.conf
> @@ -693,7 +693,7 @@ my %targets = (
> @@ -41,7 +41,7 @@ index d1a15a115274..d15d28499a21 100644
> "linux-latomic" => {
> inherit_from => [ "linux-generic32" ],
> diff --git a/Configure b/Configure
> -index cbba1749b5a3..a69068121949 100755
> +index cca1ac8d162e..c9bbcbbed3e6 100755
> --- a/Configure
> +++ b/Configure
> @@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
> diff --git a/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> similarity index 100%
> rename from patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> rename to patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> diff --git a/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch b/patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> similarity index 100%
> rename from patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> rename to patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.1/series
> similarity index 73%
> rename from patches/openssl-3.2.0/series
> rename to patches/openssl-3.2.1/series
> index 309ec1465b5e..cd66cc21a112 100644
> --- a/patches/openssl-3.2.0/series
> +++ b/patches/openssl-3.2.1/series
> @@ -7,5 +7,4 @@
> 0004-conf-Serialize-allocation-free-of-ssl_names.patch
> 0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> #tag:upstream --start-number 100
> -0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> -# d6f307e5d2ef578b08c895257daa6fbc - git-ptx-patches magic
> +# ab24a399a1a602376760e385c08ab320 - git-ptx-patches magic
> diff --git a/rules/openssl.make b/rules/openssl.make
> index bc1322725260..7080bd50ba55 100644
> --- a/rules/openssl.make
> +++ b/rules/openssl.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
> #
> # Paths and names
> #
> -OPENSSL_VERSION := 3.2.0
> -OPENSSL_MD5 := 7903549a14abebc5c323ce4e85f2cbb2
> +OPENSSL_VERSION := 3.2.1
> +OPENSSL_MD5 := c239213887804ba00654884918b37441
> OPENSSL := openssl-$(OPENSSL_VERSION)
> OPENSSL_SUFFIX := tar.gz
> OPENSSL_URL := \
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-02-09 16:12 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-06 19:40 [ptxdist] [PATCH] openssl: Version bump. 3.2.0 -> 3.2.1 Christian Melki
2024-02-09 16:11 ` [ptxdist] [APPLIED] " Michael Olbrich
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox