GNU bug report logs - #64982
[PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Andreas Enge <andreas <at> enge.fr>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#64982: closed ([PATCH v1 0/1] Fix LibreSSL CVE-2023-35784
 (Score: 9.8 critical))
Date: Thu, 07 Sep 2023 16:39:05 +0000

[Message part 1 (text/plain, inline)]

Your message dated Thu, 7 Sep 2023 18:38:40 +0200
with message-id <ZPn8kNP634pMGEfQ <at> jurong>
and subject line Closing
has caused the debbugs.gnu.org bug report #64982,
regarding [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
64982: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=64982
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: guix-patches <at> gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)
Date: Tue,  1 Aug 2023 01:33:17 +0200

Hi,

The patch that will follow updates LibreSSL to the last version to fix the
CVE-2023-35784[1]. That CVE consist of a double free and a use after free and
is considered critical according to the NIST.

[1]https://nvd.nist.gov/vuln/detail/CVE-2023-35784

While LibreSSL builds fine and that all its test pass on x86_64, it also has a
significant number of reverse dependencies (a bit more than 30) that need to
be rebuilt, so I would need help with testing:
* axel
* catgirl
* ceph
* clamav
* epic5
* gmid
* httrack
* litterbox
* openboard
* openntpd
* openscad
* opensmtpd-extras
* opensmtpd-filter-rspamd
* pam-u2f
* pounce
* python-astroalign
* python-duckdb
* python-feather-format
* python-ikarus
* python-jwst
* python-modin
* python-poliastro
* python-regions
* python-sunpy
* python-tslearn
* python-vaex-core
* r-chromunity
* r-cistopic
* r-cistopic-next
* seek
* telescope
* xarcan
* zbackup

Denis.

Denis 'GNUtoo' Carikli (1):
  gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].

 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
-- 
2.41.0

[Message part 3 (message/rfc822, inline)]

From: Andreas Enge <andreas <at> enge.fr>
To: 64982-done <at> debbugs.gnu.org
Subject: Closing
Date: Thu, 7 Sep 2023 18:38:40 +0200

Hello Denis,

thanks for the patch! This was fixed in commit
commit 310b0f72d8749376832fa1f149837a83d8e74629
Author: Tobias Geerinckx-Rice <me <at> tobias.gr>
Date:   Sun Aug 13 02:00:00 2023 +0200
    gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784].
    Thanks to Dennis 'GNUtoo' Carikli for <https://issues.guix.gnu.org/64982>,
    but upgrading to 3.8.0 breaks (at least) OpenSMTPd.
    * gnu/packages/tls.scm (libressl): Update to 3.7.3.

Indeed QA shows that opensmtpd fails:
   https://qa.guix.gnu.org/issue/64982
   https://bordeaux.guix.gnu.org/build/16cbfca4-a0a3-4374-9ae4-6c1dad67494b/log

I am closing this bug, as updating libressl to the most recent version
is a different topic. Actually the 3.8.0 and 3.8.1 releases are called
"development releases" in the release notes:
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.0-relnotes.txt
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.1-relnotes.txt
while 3.7.3 does not have the "development" term:
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.3-relnotes.txt
so we may be better off sticking with 3.7.x for the moment.

Andreas

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.