From unknown Tue Jun 17 20:28:35 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#64982 <64982@debbugs.gnu.org> To: bug#64982 <64982@debbugs.gnu.org> Subject: Status: [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) Reply-To: bug#64982 <64982@debbugs.gnu.org> Date: Wed, 18 Jun 2025 03:28:35 +0000 retitle 64982 [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critic= al) reassign 64982 guix-patches submitter 64982 Denis 'GNUtoo' Carikli severity 64982 normal tag 64982 patch thanks From debbugs-submit-bounces@debbugs.gnu.org Mon Jul 31 19:33:40 2023 Received: (at submit) by debbugs.gnu.org; 31 Jul 2023 23:33:40 +0000 Received: from localhost ([127.0.0.1]:46854 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qQcOS-0000cC-5p for submit@debbugs.gnu.org; Mon, 31 Jul 2023 19:33:40 -0400 Received: from lists.gnu.org ([2001:470:142::17]:47618) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qQcOQ-0000bz-6v for submit@debbugs.gnu.org; Mon, 31 Jul 2023 19:33:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qQcOK-0007pX-PA for guix-patches@gnu.org; Mon, 31 Jul 2023 19:33:32 -0400 Received: from cyberdimension.org ([2001:910:1314:ffff::1] helo=gnutoo.cyberdimension.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim 4.90_1) (envelope-from ) id 1qQcOI-0006vE-RO for guix-patches@gnu.org; Mon, 31 Jul 2023 19:33:32 -0400 Received: from gnutoo.cyberdimension.org (localhost [127.0.0.1]) by cyberdimension.org (OpenSMTPD) with ESMTP id 7da09657; Mon, 31 Jul 2023 23:33:27 +0000 (UTC) Received: from localhost.localdomain (localhost [::1]) by gnutoo.cyberdimension.org (OpenSMTPD) with ESMTP id b13c3b3a; Mon, 31 Jul 2023 23:33:26 +0000 (UTC) From: Denis 'GNUtoo' Carikli To: guix-patches@gnu.org Subject: [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) Date: Tue, 1 Aug 2023 01:33:17 +0200 Message-ID: X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2001:910:1314:ffff::1; envelope-from=GNUtoo@cyberdimension.org; helo=gnutoo.cyberdimension.org X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: 0.9 (/) X-Debbugs-Envelope-To: submit Cc: Denis 'GNUtoo' Carikli X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.1 (/) Hi, The patch that will follow updates LibreSSL to the last version to fix the CVE-2023-35784[1]. That CVE consist of a double free and a use after free and is considered critical according to the NIST. [1]https://nvd.nist.gov/vuln/detail/CVE-2023-35784 While LibreSSL builds fine and that all its test pass on x86_64, it also has a significant number of reverse dependencies (a bit more than 30) that need to be rebuilt, so I would need help with testing: * axel * catgirl * ceph * clamav * epic5 * gmid * httrack * litterbox * openboard * openntpd * openscad * opensmtpd-extras * opensmtpd-filter-rspamd * pam-u2f * pounce * python-astroalign * python-duckdb * python-feather-format * python-ikarus * python-jwst * python-modin * python-poliastro * python-regions * python-sunpy * python-tslearn * python-vaex-core * r-chromunity * r-cistopic * r-cistopic-next * seek * telescope * xarcan * zbackup Denis. Denis 'GNUtoo' Carikli (1): gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784]. gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) base-commit: 39fbc041f92489ec30075a85937c8a38723752dc -- 2.41.0 From debbugs-submit-bounces@debbugs.gnu.org Mon Jul 31 20:15:14 2023 Received: (at 64982) by debbugs.gnu.org; 1 Aug 2023 00:15:14 +0000 Received: from localhost ([127.0.0.1]:46884 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qQd2f-0001gm-QS for submit@debbugs.gnu.org; Mon, 31 Jul 2023 20:15:14 -0400 Received: from cyberdimension.org ([2001:910:1314:ffff::1]:51288 helo=gnutoo.cyberdimension.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qQd2e-0001gc-Qj for 64982@debbugs.gnu.org; Mon, 31 Jul 2023 20:15:13 -0400 Received: from gnutoo.cyberdimension.org (localhost [127.0.0.1]) by cyberdimension.org (OpenSMTPD) with ESMTP id b17969b6; Tue, 1 Aug 2023 00:15:09 +0000 (UTC) Received: from localhost.localdomain (localhost [::1]) by gnutoo.cyberdimension.org (OpenSMTPD) with ESMTP id 53e5b6a3; Tue, 1 Aug 2023 00:15:09 +0000 (UTC) From: Denis 'GNUtoo' Carikli To: 64982@debbugs.gnu.org Subject: [PATCH v1 1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784]. Date: Tue, 1 Aug 2023 02:15:05 +0200 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 X-Debbugs-Cc: ( , Christopher Baines , Ludovic Courtès , Mathieu Othacehe , Raghav Gururajan , Ricardo Wurmus , Simon Tournier , Tobias Geerinckx-Rice , jgart Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 64982 Cc: Denis 'GNUtoo' Carikli X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) * gnu/packages/tls.scm (libressl): Update to 3.8.0. Signed-off-by: Denis 'GNUtoo' Carikli --- gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index f51c47db04..deec73b43f 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -659,14 +659,14 @@ (define-public bearssl (define-public libressl (package (name "libressl") - (version "3.6.1") + (version "3.8.0") (source (origin (method url-fetch) (uri (string-append "mirror://openbsd/LibreSSL/" "libressl-" version ".tar.gz")) (sha256 (base32 - "0x37037rb0zx34zp0kbbqj2xwd57gh1m6bfn52f92fz92q9wdymc")))) + "1b5c45gkrfcvjpf5dx288r6x1zhc9dk9j61ixfmwdi88r0g1qlqj")))) (build-system gnu-build-system) (arguments `(#:configure-flags -- 2.41.0 From debbugs-submit-bounces@debbugs.gnu.org Thu Sep 07 12:38:53 2023 Received: (at 64982-done) by debbugs.gnu.org; 7 Sep 2023 16:38:53 +0000 Received: from localhost ([127.0.0.1]:41234 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qeI1t-0003v2-9P for submit@debbugs.gnu.org; Thu, 07 Sep 2023 12:38:53 -0400 Received: from hera.aquilenet.fr ([185.233.100.1]:54700) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qeI1q-0003ul-GJ for 64982-done@debbugs.gnu.org; Thu, 07 Sep 2023 12:38:51 -0400 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id B5981F5F; Thu, 7 Sep 2023 18:38:42 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at hera.aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X4fHR__b_Vdh; Thu, 7 Sep 2023 18:38:41 +0200 (CEST) Received: from jurong (unknown [IPv6:2001:861:c4:f2f0::c64]) by hera.aquilenet.fr (Postfix) with ESMTPSA id B9CEB20A; Thu, 7 Sep 2023 18:38:41 +0200 (CEST) Date: Thu, 7 Sep 2023 18:38:40 +0200 From: Andreas Enge To: 64982-done@debbugs.gnu.org Subject: Closing Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 64982-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hello Denis, thanks for the patch! This was fixed in commit commit 310b0f72d8749376832fa1f149837a83d8e74629 Author: Tobias Geerinckx-Rice Date: Sun Aug 13 02:00:00 2023 +0200 gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784]. Thanks to Dennis 'GNUtoo' Carikli for , but upgrading to 3.8.0 breaks (at least) OpenSMTPd. * gnu/packages/tls.scm (libressl): Update to 3.7.3. Indeed QA shows that opensmtpd fails: https://qa.guix.gnu.org/issue/64982 https://bordeaux.guix.gnu.org/build/16cbfca4-a0a3-4374-9ae4-6c1dad67494b/log I am closing this bug, as updating libressl to the most recent version is a different topic. Actually the 3.8.0 and 3.8.1 releases are called "development releases" in the release notes: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.0-relnotes.txt https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.1-relnotes.txt while 3.7.3 does not have the "development" term: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.3-relnotes.txt so we may be better off sticking with 3.7.x for the moment. Andreas From unknown Tue Jun 17 20:28:35 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Fri, 06 Oct 2023 11:24:17 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator