public inbox for openembedded-core@lists.openembedded.org
From: Andrey Zhizhikin <andrey.z@gmail.com>
To: Steve Sakoman <steve@sakoman.com>,
	openembedded-core@lists.openembedded.org
Cc: peter.marko@siemens.com
Subject: Re: [OE-core][kirkstone 4/7] openssl: Upgrade 3.0.11 -> 3.0.12
Date: Wed, 15 Nov 2023 18:20:56 +0100	[thread overview]
Message-ID: <e7c1441b-bcd8-4861-ae70-39ccefc22041@gmail.com> (raw)
In-Reply-To: <5cf9f9426de71a35b06c7b4b9b092f22243676fb.1698632320.git.steve@sakoman.com>

Hello Steve,

I've just stumbled upon the fact that this upgrade causes the softhsm 
package to throw SIGSEGV when the PKCS#11 engine is used.

There is an ongoing discussion on both OpenSSL [1] and SoftHSM [2] 
repositories on how to address this issue, but there is no definitive 
solution presented at the moment.

Please note that the master openssl version 3.1.4 is also affected in the 
same way, as it looks like the patch(es) applied in openssl were 
back-ported onto both the 'openssl-3.0' and 'openssl-3.1' branches.

Since softhsm is used in quite a few scenarios to serve as a PKCS#11 
provider, I guess this upgrade would break those for quite some people 
that are using the LTS release. Therefore, I would suggest rather reverting 
it and waiting for an appropriate solution to be developed in either of those 
packages, at the cost of leaving CVE-2023-5363 un-patched.

I would leave it up to you to decide on how to proceed with this further.


On 10/30/2023 3:20 AM, Steve Sakoman wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3011-and-openssl-3012-24-oct-2023
> 
> Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
> * Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>   .../openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb}            | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>   rename meta/recipes-connectivity/openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb} (99%)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
> similarity index 99%
> rename from meta/recipes-connectivity/openssl/openssl_3.0.11.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.0.12.bb
> index 22eaa3af33..d8c9b073a2 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
> @@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
>              file://environment.d-openssl.sh \
>              "
>   
> -SRC_URI[sha256sum] = "b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55"
> +SRC_URI[sha256sum] = "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61"
>   
>   inherit lib_package multilib_header multilib_script ptest perlnative
>   MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
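Review bot: the hunk's only change is the SRC_URI[sha256sum] line for the renamed recipe, so nothing in the patch records that the new 3.0.12 tarball was tested with the PKCS#11 engine consumers built on top of it; given the softhsm SIGSEGV regression reported above (tracked in openssl issue 22508 and SoftHSMv2 issue 729), suggest either holding this bump on kirkstone until an upstream fix lands or adding a note to the commit message that CVE-2023-5363 is fixed at the cost of a known softhsm regression, so LTS users can make that trade-off knowingly.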

Regards,
Andrey


Link: [1]: https://github.com/openssl/openssl/issues/22508
Link: [2]: https://github.com/opendnssec/SoftHSMv2/issues/729

