Preparation for upgrading to the forthcoming openssl-1.0.1m #1186
Comments
I don't see that test failure anywhere else though..
Yeah, I think I already did the sha256-x86_64.pl thing. Otherwise LGTM
Thanks for your work!
Agreed in TC meeting today that we'll hold up 1.6.0 for this and that we should release asap after this is merged.
Thanks for reviews and test check. The release will be between 11:00-15:00 GMT today. I will work on it as soon as it is available.
that window starts at 10pm for me, so I may be up, otherwise it'll have to wait for @chrisdickinson to wake up and finish off a release
I will write down my progress here. If not, I give it over to @bnoordhuis or @indutny .
While looking through this I found
Good catch! I missed it. I will update the commits to remove it.
tick tick tick looks like the details are all available here: https://security-tracker.debian.org/tracker/source-package/openssl and the only one for which a meaningful diff isn't available is CVE-2015-0291 which sounds like it's a 1.0.2 DoS thing which wouldn't apply to us anyway.
Yeah, I found that. I feel relieved to know it.
It's released now. I will work on it from now on.
Here is my branch of https://github.com/shigeki/io.js/tree/upgrade_openssl101m and CI is running on https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/345/
CI's happy.
@Fishrock123 Yes, I will submit a PR soon.
All sources are just extracted from tarball into deps/openssl/openssl.

change all openssl/include/openssl/*.h to include resolved symbolic links and openssl/crypto/opensslconf.h to refer config/opensslconf.h

sha256-x86_64.pl does not exist in the origin openssl distribution. It was copied from sha512-x86_64.pl and both sha256/sha512 scripts were modified so as to generate only one asm file specified as its key hash length.

`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686.

removed vpaesni-x86_64.asm in x64-win32-masm - it is no longer used.

Fixes: #1186
PR-URL: #1206
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

Closing, #1206 landed.
OpenSSL-1.0.1m is to be released on March 19 which fixes vulnerabilities of high severity. For quick release of iojs, I've just made a branch of upgrading it to the current HEAD of OpenSSL_1_0_1-stable branch in https://github.com/shigeki/io.js/tree/WIP_OpenSSL_1_0_1m .
After extracting all sources of the current HEAD of OpenSSL_1_0_1-stable in 879c4c3 , the following 5 commits are needed.
14a7f46 deps: replace all headers in openssl
f46274e deps: separate sha256/sha512-x86_64.pl for openssl
3d8b231 deps: fix openssl assembly error on ia32 win32
206b3f0 deps: remove vpaesni-x86_64.asm in x64-win32-masm
1efcfd5 openssl: fix keypress requirement in apps on win32
The forthcoming release would not be so much changed from the current HEAD so these commits can easily be cherry-picked.
I also checked asm files are not changed with `asm/Makefile`. CI results of https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/322/ are fine with known test failures except the one of `test-signal-unregister` on Ubuntu10.01 but I think it's not related with this upgrade.

@bnoordhuis @indutny Could you please review the above five commits for preparation?