wolfssl: 4.1.0 -> 4.2.0 #72705

Merged
merged 1 commit into from Nov 3, 2019
r-ryantm commented Nov 3, 2019

Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools. This update was made based on information from https://repology.org/metapackage/wolfssl/versions.

meta.description for wolfssl is: '"A small, fast, portable implementation of TLS/SSL for embedded devices"'.

meta.homepage for wolfssl is: '"https://www.wolfssl.com/"'

Release on GitHub

Compare changes on GitHub

Rebuild report (if merged into master)

4 total rebuild path(s)

1 package rebuild(s)

1 x86_64-linux rebuild(s)
1 i686-linux rebuild(s)
1 x86_64-darwin rebuild(s)
1 aarch64-linux rebuild(s)

First fifty rebuilds by attrpath
wolfssl

Instructions to test this update

Either download from Cachix:

nix-store -r /nix/store/gajfdg4x7wc3blnzyrl1r35hv9m44m8i-wolfssl-4.2.0 \
  --option binary-caches 'https://cache.nixos.org/ https://r-ryantm.cachix.org/' \
  --option trusted-public-keys '
  r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c=
  cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
  '

(r-ryantm's Cachix cache is only trusted for this store-path realization.)

Or, build yourself:

nix-build -A wolfssl https://github.com/r-ryantm/nixpkgs/archive/7befcddb33da92e0cd55a13263fb8de4e08254f1.tar.gz

After you've downloaded or built it, look at the files and if there are any, run the binaries:

ls -la /nix/store/gajfdg4x7wc3blnzyrl1r35hv9m44m8i-wolfssl-4.2.0
ls -la /nix/store/gajfdg4x7wc3blnzyrl1r35hv9m44m8i-wolfssl-4.2.0/bin

Experimental: CVE security report

CVEs resolved by this update:

CVEs introduced by this update:
none

CVEs present in both versions:
none


cc @mcmtroffaes for testing.

c0bw3b commented Nov 3, 2019

Upstream changelog and https://www.wolfssl.com/docs/security-vulnerabilities/ indicate this fixes 5 vulnerabilities. This probably needs to be backported to r19.09.

c0bw3b added the labels "1.severity: security" and "9.needs: port to stable" on Nov 3, 2019
r-ryantm deleted the auto-update/wolfssl branch on November 4, 2019 05:04
mcmtroffaes commented

Thanks for the update!

No package currently depends on wolfssl, so for testing I recompiled curl against wolfssl using the following shell.nix:

with import <nixpkgs> {};
let
  curlwolfssl = (curl.override {
    openssl = wolfssl;
  }).overrideDerivation (oldAttrs: {
    configureFlags =
      # --with-ca-fallback does not work with wolfssl
      (builtins.filter (x: x != "--with-ca-fallback") oldAttrs.configureFlags)
      ++ ["--with-wolfssl=${wolfssl}" "--without-ssl"];
  });
in
{
  my-env = stdenv.mkDerivation {
    name = "my-env";
    buildInputs = [
      curlwolfssl
    ];
  };
}

I tested the resulting curl binary and compared its output against my local curl binary provided by Fedora:

curl -2 https://nixos.org
curl --cacert /etc/ssl/certs/ca-bundle.crt https://nixos.org > 1.txt
/usr/bin/curl https://nixos.org > 2.txt
diff 1.txt 2.txt

The first line gives an error message "curl: (35) wolfSSL does not support SSLv2" confirming that wolfssl is indeed used. Diff of output of local curl and this new curl shows identical outputs as expected.

c0bw3b added the label "8.has: port to stable" on Nov 4, 2019
c0bw3b commented Nov 4, 2019

Backported in fdac1c5

c0bw3b removed the label "9.needs: port to stable" on Nov 11, 2019