GNU bug report logs - #64991
[PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: bug#64991: closed (Re: bug#64991: [PATCH 0/1] OpenSSL 1.1: Fix 8
 CVEs (max score: 7.5 high, 6850 dependent packages))
Date: Thu, 28 Sep 2023 10:09:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#64991: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high, 6850 dependent packages)

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 64991 <at> debbugs.gnu.org.

-- 
64991: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=64991
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Ludovic Courtès <ludo <at> gnu.org>
To: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Cc: Tobias Geerinckx-Rice <me <at> tobias.gr>,
 Simon Tournier <zimon.toutoune <at> gmail.com>, paren <at> disroot.org,
 Christopher Baines <mail <at> cbaines.net>, Ricardo Wurmus <rekado <at> elephly.net>,
 Raghav Gururajan <rg <at> raghavgururajan.name>, jgart <jgart <at> dismail.de>,
 Mathieu Othacehe <othacehe <at> gnu.org>, 64991-done <at> debbugs.gnu.org
Subject: Re: bug#64991: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5
 high, 6850 dependent packages)
Date: Thu, 28 Sep 2023 12:08:23 +0200

Hi,

Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org> skribis:

> Includes fixes for CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,
> CVE-2023-0466, CVE-2023-2650, CVE-2022-4304, CVE-2022-4450.
>
> * gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1u.

[...]

>  (define-public openssl-1.1
>    (package
>      (name "openssl")
> -    (version "1.1.1q")
> +    (version "1.1.1u")

Finally applied but as a graft, in commit
51e1df07b1d21840551eb8dc15b4bfe5612e1bf9.

Thanks,
Ludo’.

[Message part 3 (message/rfc822, inline)]

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: guix-patches <at> gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH 0/1] OpenSSL 1.1: Fix 8 CVEs (max score: 7.5 high,
 6850 dependent packages)
Date: Tue,  1 Aug 2023 15:45:37 +0200

The patch that will follow updates OpenSSL 1.1 to the last version to fix the following CVEs:
* CVE-2023-0215 [1]
* CVE-2023-0286 [2]
* CVE-2023-0464 [3]
* CVE-2023-0465 [4]
* CVE-2023-0466 [5]
* CVE-2023-2650 [6]
* CVE-2022-4304 [7]
* CVE-2022-4450 [8]

[1]https://nvd.nist.gov/vuln/detail/CVE-2023-0215
[2]https://nvd.nist.gov/vuln/detail/CVE-2023-0286
[3]https://nvd.nist.gov/vuln/detail/CVE-2023-0464
[4]https://nvd.nist.gov/vuln/detail/CVE-2023-0465
[5]https://nvd.nist.gov/vuln/detail/CVE-2023-0466
[6]https://nvd.nist.gov/vuln/detail/CVE-2023-2650
[7]https://nvd.nist.gov/vuln/detail/CVE-2022-4304
[8]https://nvd.nist.gov/vuln/detail/CVE-2022-4450

While OpenSSL builds fine and that all its test pass on x86_64, it also has a
significant number of reverse dependencies (about 6850, so more than 300) that
need to be rebuilt.

Denis 'GNUtoo' Carikli (1):
  gnu: openssl-1.1: Update to 1.1.1u [security fixes].

 gnu/packages/tls.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
-- 
2.41.0

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.