GNU bug report logs - #54402
[SECURITY]: OpenSSL CVE-2022-0778

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 15 Mar 2022 17:40:02 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 54402 in the body.
You can then email your comments to 54402 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#54402; Package guix-patches. (Tue, 15 Mar 2022 17:40:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 15 Mar 2022 17:40:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [SECURITY]: OpenSSL CVE-2022-0778
Date: Tue, 15 Mar 2022 13:34:53 -0400

[Message part 1 (text/plain, inline)]
What follows are patches to fix CVE-2022-0778 in both series of OpenSSL.

https://www.openssl.org/news/secadv/20220315.txt

[signature.asc (application/pgp-signature, inline)]
Information forwarded to guix-patches <at> gnu.org:
bug#54402; Package guix-patches. (Tue, 15 Mar 2022 17:45:02 GMT) Full text and rfc822 format available.

Message #8 received at 54402 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 54402 <at> debbugs.gnu.org
Subject: [PATCH 1/2] gnu: OpenSSL: Fix CVE-2022-0778.
Date: Tue, 15 Mar 2022 13:44:18 -0400

For more information about this vulnerability:

https://www.openssl.org/news/secadv/20220315.txt

* gnu/packages/tls.scm (openssl/fixed): Update to 1.1.1n.
---
 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 11c01a8d2a..9ed0f3dea4 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -513,7 +513,7 @@ (define openssl/fixed
   (package
     (inherit openssl)
     (name "openssl")
-    (version "1.1.1m")
+    (version "1.1.1n")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -526,7 +526,7 @@ (define openssl/fixed
               (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
               (sha256
                (base32
-                "15kcvdi69jka67sk1l3a50c26cb7xv9xiwdrgky4bji3ifz9k4gq"))))))
+                "0ymif8rlc5cf5qp5bh2pxlrgq6xryh7g4sqfvrdjg9gnli8ypp20"))))))
 
 (define-public openssl-3.0
   (package
-- 
2.34.0
Information forwarded to guix-patches <at> gnu.org:
bug#54402; Package guix-patches. (Tue, 15 Mar 2022 17:45:03 GMT) Full text and rfc822 format available.

Message #11 received at 54402 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 54402 <at> debbugs.gnu.org
Subject: [PATCH 2/2] gnu: OpenSSL 3: Fix CVE-2022-0778.
Date: Tue, 15 Mar 2022 13:44:19 -0400

For more information about this vulnerability:

https://www.openssl.org/news/secadv/20220315.txt

* gnu/packages/tls.scm (openssl): Update to 3.0.2.
---
 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 9ed0f3dea4..c776085cad 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -531,7 +531,7 @@ (define openssl/fixed
 (define-public openssl-3.0
   (package
     (inherit openssl)
-    (version "3.0.1")
+    (version "3.0.2")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -544,7 +544,7 @@ (define-public openssl-3.0
               (patches (search-patches "openssl-3.0-c-rehash-in.patch"))
               (sha256
                (base32
-                "1l86kgn57av5yh711qp7c9zmi2haqmiah0ddxnbfgg2k6f2ss4f3"))))
+                "0qyvvw8n97f0gs786l2dkxnmi3hs344mxplw7jp5cisdmp71rscq"))))
     (arguments
      (substitute-keyword-arguments (package-arguments openssl)
        ((#:phases phases '%standard-phases)
-- 
2.34.0
Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Wed, 16 Mar 2022 21:21:02 GMT) Full text and rfc822 format available.
Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Wed, 16 Mar 2022 21:21:02 GMT) Full text and rfc822 format available.

Message #16 received at 54402-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 54402-done <at> debbugs.gnu.org
Subject: Re: [SECURITY]: OpenSSL CVE-2022-0778
Date: Wed, 16 Mar 2022 17:20:03 -0400

I improved the commit messages and pushed these patches as
62ea3d510f1d1af76ba7fd573eea9c666558f299
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 14 Apr 2022 11:24:03 GMT) Full text and rfc822 format available.
This bug report was last modified 3 years and 68 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.