[20.03] openssl: 1.1.1d -> 1.1.1e #82793
Conversation
a "Low severity" [0] security issue: > Fixed an overflow bug in the x64_64 Montgomery squaring procedure used > in exponentiation with 512-bit moduli (CVE-2019-1551) [0] https://www.openssl.org/news/vulnerabilities.html#y2019 (cherry picked from commit abecf82)
This is 20.03 change, you may want to remove this line. |
Oh, thanks! Interesting how that happened.. I guess GH is storing some kind of "draft" of a PR in the browser. |
|
cc @NixOS/nixos-release-managers |
|
For reference, this commit would break even the -small channel, as-is. |
|
I was tempted to suggest just patching the CVE like in 19.09, but the prospect of backporting all security fixes until next winter doesn't attract me. |
|
I don't think a patch should be backported for 20.03. You may consider skipping the broken test in PyOpenSSL until the upstream fixes it, a lot of applications using OpenSSL likely assume errors won't happen anyway (and are using it indirectly anyway). Sure, this probably will break something, but that seems acceptable to me. |
|
That approach certainly seems acceptable for unstable/master to me; I'm not so sure about 20.03, given that March ends in about a week. |
|
Let's close this in favor of bumping to 1.1.1f as described in #82789 (review). |
|
Pushed as 0e5ef8c |
Motivation for this change
a "Low severity" [0] security issue:
[0] https://www.openssl.org/news/vulnerabilities.html#y2019
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)