[kirkstone,4/7] openssl: Upgrade 3.0.11 -> 3.0.12

Message ID 5cf9f9426de71a35b06c7b4b9b092f22243676fb.1698632320.git.steve@sakoman.com
State Accepted, archived
Commit 5cf9f9426de71a35b06c7b4b9b092f22243676fb
Series [kirkstone,1/7] cve-exclusion_5.10.inc: update for 5.10.197

Commit Message

Steve Sakoman Oct. 30, 2023, 2:20 a.m. UTC
From: Peter Marko <peter.marko@siemens.com>

https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3011-and-openssl-3012-24-oct-2023

Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb} (99%)

Comments

Andrey Zhizhikin Nov. 15, 2023, 5:20 p.m. UTC | #1
Hello Steve,

I've just stumbled upon the fact that this upgrade causes the softhsm 
package to throw SIGSEGV when the PKCS#11 engine is used.

There is an ongoing discussion on both OpenSSL [1] and SoftHSM [2] 
repositories on how to address this issue, but there is no definitive 
solution presented at the moment.

Please note that master openssl version 3.1.4 is also affected in the 
same way, as it looks like the patch(es) applied in openssl were 
back-ported onto both 'openssl-3.0' and 'openssl-3.1' branches.

Since softhsm is used in quite a few scenarios to serve as a PKCS#11 
provider, I guess this upgrade would break those for quite some people 
that are using the LTS release. Therefore, I would suggest to rather revert 
it and wait for an appropriate solution to be developed in either of those 
packages, at the cost of having CVE-2023-5363 un-patched.

I would leave it up to you to decide on how to proceed with this further.


On 10/30/2023 3:20 AM, Steve Sakoman wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3011-and-openssl-3012-24-oct-2023
> 
> Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
> * Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>   .../openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb}            | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>   rename meta/recipes-connectivity/openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb} (99%)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
> similarity index 99%
> rename from meta/recipes-connectivity/openssl/openssl_3.0.11.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.0.12.bb
> index 22eaa3af33..d8c9b073a2 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
> @@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
>              file://environment.d-openssl.sh \
>              "
>   
> -SRC_URI[sha256sum] = "b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55"
> +SRC_URI[sha256sum] = "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61"
>   
>   inherit lib_package multilib_header multilib_script ptest perlnative
>   MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
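
Review bot: The commit message behind this one-line SRC_URI[sha256sum] change documents the CVE-2023-5363 fix but nothing about runtime impact on dependents, and the recipe side offers no knob to adjust since the checksum is the only line touched. If the upgrade stays in kirkstone, a follow-up note in the commit log or release notes should name the softhsm/PKCS#11 engine SIGSEGV and reference the two upstream issues linked as [1] and [2], so LTS users can weigh the regression against leaving the CVE unpatched.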

Regards,
Andrey


Link: [1]: https://github.com/openssl/openssl/issues/22508
Link: [2]: https://github.com/opendnssec/SoftHSMv2/issues/729
Patch

diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.0.11.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.12.bb
index 22eaa3af33..d8c9b073a2 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
@@ -18,7 +18,7 @@  SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55"
+SRC_URI[sha256sum] = "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
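
Review bot: The new SRC_URI[sha256sum] value on the `+` line cannot be checked from anything in this patch, because the commit message links only to NEWS.md. Please state in the commit message where the hash was taken from (for example the checksum upstream publishes alongside the 3.0.12 tarball) so a reviewer can compare it independently instead of trusting the fetched archive. Since the rename is at 99% similarity with this single hunk, it is also worth confirming explicitly that none of the patches carried in SRC_URI needed refreshing or dropping for 3.0.12.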