| Message ID | cover.1690845769.git.GNUtoo@cyberdimension.org |
|---|---|
| Headers |
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 3854127BBE2; Tue, 1 Aug 2023 00:34:17 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,MAILING_LIST_MULTI, SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 6C79627BBE9 for <patchwork@mira.cbaines.net>; Tue, 1 Aug 2023 00:34:15 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <guix-patches-bounces@gnu.org>) id 1qQcOr-0007rP-2b; Mon, 31 Jul 2023 19:34:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1qQcOp-0007rG-1O for guix-patches@gnu.org; Mon, 31 Jul 2023 19:34:03 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1qQcOo-000718-Pw for guix-patches@gnu.org; Mon, 31 Jul 2023 19:34:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1qQcOo-0000cz-B0 for guix-patches@gnu.org; Mon, 31 Jul 2023 19:34:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#64982] [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) Resent-From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Mon, 31 Jul 2023 23:34:02 +0000 Resent-Message-ID: <handler.64982.B.16908464202373@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 64982 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 64982@debbugs.gnu.org Cc: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.16908464202373 (code B ref -1); Mon, 31 Jul 2023 23:34:02 +0000 Received: (at submit) by debbugs.gnu.org; 31 Jul 2023 23:33:40 +0000 Received: from localhost ([127.0.0.1]:46854 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>) id 1qQcOS-0000cC-5p for submit@debbugs.gnu.org; Mon, 31 Jul 2023 19:33:40 -0400 Received: from lists.gnu.org ([2001:470:142::17]:47618) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <GNUtoo@cyberdimension.org>) id 1qQcOQ-0000bz-6v for submit@debbugs.gnu.org; Mon, 31 Jul 2023 19:33:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <GNUtoo@cyberdimension.org>) id 1qQcOK-0007pX-PA for guix-patches@gnu.org; Mon, 31 Jul 2023 19:33:32 -0400 Received: from cyberdimension.org ([2001:910:1314:ffff::1] helo=gnutoo.cyberdimension.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim 4.90_1) (envelope-from <GNUtoo@cyberdimension.org>) id 1qQcOI-0006vE-RO for guix-patches@gnu.org; Mon, 31 Jul 2023 19:33:32 -0400 Received: from gnutoo.cyberdimension.org (localhost [127.0.0.1]) by cyberdimension.org (OpenSMTPD) with ESMTP id 7da09657; Mon, 31 Jul 2023 23:33:27 +0000 (UTC) Received: from localhost.localdomain (localhost [::1]) by gnutoo.cyberdimension.org (OpenSMTPD) with ESMTP id b13c3b3a; Mon, 31 Jul 2023 23:33:26 +0000 (UTC) From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> Date: Tue, 1 Aug 2023 01:33:17 +0200 Message-ID: <cover.1690845769.git.GNUtoo@cyberdimension.org> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2001:910:1314:ffff::1; envelope-from=GNUtoo@cyberdimension.org; helo=gnutoo.cyberdimension.org X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: <guix-patches.gnu.org> List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=unsubscribe> List-Archive: <https://lists.gnu.org/archive/html/guix-patches> List-Post: <mailto:guix-patches@gnu.org> List-Help: <mailto:guix-patches-request@gnu.org?subject=help> List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=subscribe> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches |
| Series |
Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)
|
|
Message
Denis 'GNUtoo' Carikli
July 31, 2023, 11:33 p.m. UTC
Hi, The patch that will follow updates LibreSSL to the last version to fix the CVE-2023-35784[1]. That CVE consist of a double free and a use after free and is considered critical according to the NIST. [1]https://nvd.nist.gov/vuln/detail/CVE-2023-35784 While LibreSSL builds fine and that all its test pass on x86_64, it also has a significant number of reverse dependencies (a bit more than 30) that need to be rebuilt, so I would need help with testing: * axel * catgirl * ceph * clamav * epic5 * gmid * httrack * litterbox * openboard * openntpd * openscad * opensmtpd-extras * opensmtpd-filter-rspamd * pam-u2f * pounce * python-astroalign * python-duckdb * python-feather-format * python-ikarus * python-jwst * python-modin * python-poliastro * python-regions * python-sunpy * python-tslearn * python-vaex-core * r-chromunity * r-cistopic * r-cistopic-next * seek * telescope * xarcan * zbackup Denis. Denis 'GNUtoo' Carikli (1): gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784]. gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
Comments
Hello Denis,
thanks for the patch! This was fixed in commit
commit 310b0f72d8749376832fa1f149837a83d8e74629
Author: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Sun Aug 13 02:00:00 2023 +0200
gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784].
Thanks to Dennis 'GNUtoo' Carikli for <https://issues.guix.gnu.org/64982>,
but upgrading to 3.8.0 breaks (at least) OpenSMTPd.
* gnu/packages/tls.scm (libressl): Update to 3.7.3.
Indeed QA shows that opensmtpd fails:
https://qa.guix.gnu.org/issue/64982
https://bordeaux.guix.gnu.org/build/16cbfca4-a0a3-4374-9ae4-6c1dad67494b/log
I am closing this bug, as updating libressl to the most recent version
is a different topic. Actually the 3.8.0 and 3.8.1 releases are called
"development releases" in the release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.0-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.1-relnotes.txt
while 3.7.3 does not have the "development" term:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.3-relnotes.txt
so we may be better off sticking with 3.7.x for the moment.
Andreas