Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[19.09] openssl: 1.1.1d -> 1.1.1e #82791

Merged
merged 1 commit into from
Mar 18, 2020
Merged

[19.09] openssl: 1.1.1d -> 1.1.1e #82791

merged 1 commit into from
Mar 18, 2020

Conversation

andir
Copy link
Member

@andir andir commented Mar 17, 2020

Motivation for this change

a "Low severity" [0] security issue:

Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
in exponentiation with 512-bit moduli (CVE-2019-1551)

[0] https://www.openssl.org/news/vulnerabilities.html#y2019

Note: Since the flux of changes to 19.09 is very low I think targeting the release branch without going through staging is fine. Let me know if you think otherwise.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@andir
openssl: 1.1.1d -> 1.1.1e
41f1484 
a "Low severity" [0] security issue:

> Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
> in exponentiation with 512-bit moduli (CVE-2019-1551)

[0] https://www.openssl.org/news/vulnerabilities.html#y2019

(cherry picked from commit abecf82)
@andir andir added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Mar 17, 2020
@ofborg ofborg bot added the 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild label Mar 17, 2020
@ofborg ofborg bot requested a review from peti March 17, 2020 17:37
@andir andir merged commit 87834cb into NixOS:release-19.09 Mar 18, 2020
@andir andir deleted the 19.09/openssl branch March 18, 2020 10:09
@vcunat
Copy link
Member

vcunat commented Mar 18, 2020

This apparently broke python3Packages.pyopenssl and thus is blocking both channels. Example failure: https://hydra.nixos.org/build/115097885 (I can reproduce it locally)

@vcunat
Copy link
Member

vcunat commented Mar 18, 2020

I don't know now. The NEWS only contains the CVE-fixing entry.

@KamilaBorowska
Copy link
Member

KamilaBorowska commented Mar 19, 2020
edited
Loading

Fixing in #82928. The 1.1.1e changelog contains the following entry:

Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong.

Which causes the issue. The changelog for this release is rather long, so I think patching the CVE is safer overall.

This was referenced Mar 23, 2020
Closed
Closed
Closed
@flokli
Copy link
Contributor

flokli commented Apr 2, 2020

So, apparently this was reverted, and just the CVE-fixing patch applied to 19.09 (but probably not to 20.03 and master, and #82793 and #82789 are still open).

I'm fine with just the CVE-fixing patch for 19.09 (maybe for 20.03 as well), but how do we proceed on that? Where's the discussion happening?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KamilaBorowska KamilaBorowska KamilaBorowska approved these changes

@peti peti Awaiting requested review from peti

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 501+ 10.rebuild-darwin: 5001+ 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@andir @vcunat @KamilaBorowska @flokli