openssl: security updates #50846
They are low-severity, and probably staging should be ok.
Failure on x86_64-linux. Attempted: openssl, openssl_1_1
Failure on aarch64-linux. Attempted: openssl, openssl_1_1
Failure on aarch64-linux. Attempted: openssl, openssl_1_1
I agree. The moderate severity issues are either not applicable (no PA-RISC support) or theoretical. The low severity issues are IMHO not even worth backporting.
Debian is also not backporting and waiting for the next release: https://security-tracker.debian.org/tracker/source-package/openssl
@alyssais The build is failing. Could you take another look at the patch?
Failure on x86_64-linux. Attempted: openssl, openssl_1_1
Looks like they've changed the formatting in 1.1.1 so we can't use the same patch for both anymore…
CVE-2018-0734: https://www.openssl.org/news/vulnerabilities.html#2018-0734
CVE-2018-5407: https://www.openssl.org/news/vulnerabilities.html#2018-5407
No patches can any longer be shared between 1.0.2 and 1.1, so reorganize patches into subdirectories (and remove an unused one).
Success on aarch64-linux. Attempted: openssl, openssl_1_1
Success on x86_64-linux. Attempted: openssl, openssl_1_1
Use upstream NixOS#50846 for openssl updates, instead. Thanks! :)
Motivation for this change
Was unsure if this PR should have been to master or staging given the security impact.
CVE-2018-0734: https://www.openssl.org/news/vulnerabilities.html#2018-0734
CVE-2018-0735: https://www.openssl.org/news/vulnerabilities.html#2018-0735
CVE-2018-5407: https://www.openssl.org/news/vulnerabilities.html#2018-5407