Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[staging-24.11] openssl_3: 3.0.15 -> 3.0.16; openssl_3_3: 3.3.2 -> 3.3.3 #381195

Open
wants to merge 2 commits into
base: staging-24.11
Choose a base branch
from
Open

[staging-24.11] openssl_3: 3.0.15 -> 3.0.16; openssl_3_3: 3.3.2 -> 3.3.3 #381195

wants to merge 2 commits into from
+4 −4

Conversation

thillux
Copy link
Contributor

@thillux thillux commented Feb 11, 2025
edited
Loading

https://github.com/openssl/openssl/releases/tag/openssl-3.3.3

Security Fixes in 3.3.3:

This release incorporates the following bug fixes and mitigations:

  • Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. (CVE-2024-12797)
  • Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)
  • Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

https://github.com/openssl/openssl/releases/tag/openssl-3.0.16

Security Fixes in 3.0.16:

  • Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)
  • Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@thillux
openssl_3: 3.0.15 -> 3.0.16
cf81911 
Security Fixes in 3.0.16:

* Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

Signed-off-by: Markus Theil <[email protected]>
@thillux
openssl_3_3: 3.3.2 -> 3.3.3
f64140e 
This release incorporates the following bug fixes and mitigations:
* Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. (CVE-2024-12797)
* Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

Signed-off-by: Markus Theil <[email protected]>
@thillux thillux requested a review from emilazy February 11, 2025 15:23
@thillux thillux marked this pull request as ready for review February 11, 2025 15:23
@mweinelt mweinelt changed the title openssl_3: 3.0.15 -> 3.0.16; openssl_3_3: 3.3.2 -> 3.3.3 [staging-24.11] openssl_3: 3.0.15 -> 3.0.16; openssl_3_3: 3.3.2 -> 3.3.3 Feb 11, 2025
@mweinelt mweinelt added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Feb 11, 2025
@nix-owners nix-owners bot requested a review from ulrikstrid February 11, 2025 15:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ulrikstrid ulrikstrid ulrikstrid approved these changes

@emilazy emilazy Awaiting requested review from emilazy

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 501+ 10.rebuild-darwin: 5001+ 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@thillux @ulrikstrid @mweinelt