From unknown Sun Jun 22 00:40:28 2025
Subject: [bug#64991] [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)
Resent-From: Denis 'GNUtoo' Carikli
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 01 Aug 2023 13:47:02 +0000
X-GNU-PR-Message: report 64991
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 64991@debbugs.gnu.org
Cc: Denis 'GNUtoo' Carikli
From: Denis 'GNUtoo' Carikli
Date: Tue, 1 Aug 2023 15:45:37 +0200
X-Mailer: git-send-email 2.41.0

The patch that will follow updates OpenSSL 1.1 to the last version to
fix the following CVEs:
* CVE-2023-0215 [1]
* CVE-2023-0286 [2]
* CVE-2023-0464 [3]
* CVE-2023-0465 [4]
* CVE-2023-0466 [5]
* CVE-2023-2650 [6]
* CVE-2022-4304 [7]
* CVE-2022-4450 [8]

[1]https://nvd.nist.gov/vuln/detail/CVE-2023-0215
[2]https://nvd.nist.gov/vuln/detail/CVE-2023-0286
[3]https://nvd.nist.gov/vuln/detail/CVE-2023-0464
[4]https://nvd.nist.gov/vuln/detail/CVE-2023-0465
[5]https://nvd.nist.gov/vuln/detail/CVE-2023-0466
[6]https://nvd.nist.gov/vuln/detail/CVE-2023-2650
[7]https://nvd.nist.gov/vuln/detail/CVE-2022-4304
[8]https://nvd.nist.gov/vuln/detail/CVE-2022-4450

While OpenSSL builds fine and all its tests pass on x86_64, it also
has a significant number of reverse dependencies (about 6850, so more
than 300) that need to be rebuilt.

Denis 'GNUtoo' Carikli (1):
  gnu: openssl-1.1: Update to 1.1.1u [security fixes].

 gnu/packages/tls.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
--
2.41.0

From unknown Sun Jun 22 00:40:28 2025
Subject: [bug#64991] [PATCH 1/1] gnu: openssl-1.1: Update to 1.1.1u [security fixes].
Resent-From: Denis 'GNUtoo' Carikli
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 01 Aug 2023 13:53:02 +0000
X-GNU-PR-Message: followup 64991
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 64991@debbugs.gnu.org
Cc: Denis 'GNUtoo' Carikli, (, Christopher Baines, Ludovic Courtès, Mathieu Othacehe, Raghav Gururajan, Ricardo Wurmus, Simon Tournier, Tobias Geerinckx-Rice, jgart
From: Denis 'GNUtoo' Carikli Date: Tue, 1 Aug 2023 15:52:05 +0200 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Includes fixes for CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-2650, CVE-2022-4304, CVE-2022-4450. * gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1u. Signed-off-by: Denis 'GNUtoo' Carikli --- gnu/packages/tls.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index f51c47db04..0c37d452c7 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -22,6 +22,7 @@ ;;; Copyright © 2021 Matthew James Kraai ;;; Copyright © 2021 John Kehayias ;;; Copyright © 2022 Greg Hogan +;;; Copyright © 2023 Denis 'GNUtoo' Carikli ;;; ;;; This file is part of GNU Guix. ;;; @@ -425,7 +426,7 @@ (define (target->openssl-target target) (define-public openssl-1.1 (package (name "openssl") - (version "1.1.1q") + (version "1.1.1u") (source (origin (method url-fetch) (uri (list (string-append "https://www.openssl.org/source/openssl-" @@ -438,7 +439,7 @@ (define-public openssl-1.1 (patches (search-patches "openssl-1.1-c-rehash-in.patch")) (sha256 (base32 - "1jhhzp4gh6ymidxm1ckjk948l583awp0w3y2nvqdz7022kk9r4yp")))) + "1ipbcdlqyxbj5lagasrq2p6gn0036wq6hqp7gdnd1v1ya95xiy72")))) (build-system gnu-build-system) (outputs '("out" "doc" ;6.8 MiB of man3 pages and full HTML documentation -- 2.41.0 From unknown Sun Jun 22 00:40:28 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org 
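Review bot: in the openssl-1.1 hunk (@@ -425), the version string is changed in place on the public package, so every package that depends on openssl-1.1 gets a new derivation; the cover letter puts that at about 6850 rebuilds. For a security update of this reach, consider leaving openssl-1.1 at 1.1.1q and attaching the 1.1.1u definition through a replacement field (a graft), or state in the commit message which branch is expected to absorb the rebuild.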
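Review bot: in the source origin hunk (@@ -438), the new base32 value is the only thing tying the build to the upstream 1.1.1u tarball, and neither the patch nor the commit message says how it was obtained. Please note that the tarball was checked against upstream's published signature or SHA-256 before it was hashed, and confirm that openssl-1.1-c-rehash-in.patch, still listed under patches in the unchanged context, applies cleanly to 1.1.1u.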
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Denis 'GNUtoo' Carikli
Subject: bug#64991: closed (Re: bug#64991: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages))
References: <87y1gqwqy0.fsf_-_@gnu.org>
X-Gnu-PR-Message: they-closed 64991
X-Gnu-PR-Package: guix-patches
X-Gnu-PR-Keywords: patch
Reply-To: 64991@debbugs.gnu.org
Date: Thu, 28 Sep 2023 10:09:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1695895742-17711-1"

This is a multi-part message in MIME format...

------------=_1695895742-17711-1
Content-Type: text/plain; charset="utf-8"

Your bug report

#64991: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 64991@debbugs.gnu.org.

--
64991: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=64991
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

------------=_1695895742-17711-1
Content-Type: message/rfc822
From: Ludovic Courtès
To: Denis 'GNUtoo' Carikli
Subject: Re: bug#64991: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)
Date: Thu, 28 Sep 2023 12:08:23 +0200
In-Reply-To: (Denis Carikli's message of "Tue, 1 Aug 2023 15:52:05 +0200")
Message-ID: <87y1gqwqy0.fsf_-_@gnu.org>
Cc: Tobias Geerinckx-Rice, Simon Tournier, paren@disroot.org, Christopher Baines, Ricardo Wurmus, Raghav Gururajan, jgart, Mathieu Othacehe, 64991-done@debbugs.gnu.org
Content-Type: text/plain; charset=utf-8

Hi,

Denis 'GNUtoo' Carikli writes:

> Includes fixes for CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,
> CVE-2023-0466, CVE-2023-2650, CVE-2022-4304, CVE-2022-4450.
>
> * gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1u.

[...]

> (define-public openssl-1.1 > (package > (name "openssl") > - (version "1.1.1q") > + (version "1.1.1u")

Finally applied but as a graft, in commit 51e1df07b1d21840551eb8dc15b4bfe5612e1bf9.

Thanks,
Ludo’.
------------=_1695895742-17711-1--