Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pending OpenSSL 1.0.2b upgrade #1921

Closed
rvagg opened this issue Jun 9, 2015 · 4 comments
Closed

Pending OpenSSL 1.0.2b upgrade #1921

rvagg opened this issue Jun 9, 2015 · 4 comments
Labels
openssl Issues and PRs related to the OpenSSL dependency.

Comments

@rvagg
Copy link
Member

rvagg commented Jun 9, 2015

https://mta.openssl.org/pipermail/openssl-announce/2015-June/000027.html

In a couple of days, on the 11th, there will be a new release containing security fixes. The highest of these is classified as "moderate" so this ought not be a big drama but it would be good for us to be on top of this and have a release out within a day or two max.

moderate severity issues. This includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws. These will in general be kept private until the next release, and that release will be scheduled so that it can roll up several such flaws at one time.

@rvagg rvagg closed this as completed Jun 9, 2015
@rvagg rvagg reopened this Jun 9, 2015
@rvagg
Copy link
Member Author

rvagg commented Jun 9, 2015

/cc @nodejs/crypto

@shigeki
Copy link
Contributor

shigeki commented Jun 9, 2015

I've just made a test branch for upgrading the current HEAD of openssl-1.0.2 branch in
https://github.com/shigeki/io.js/commits/openssl-1.0.2b-pre .
CI works fine as https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/782/ . But a test on Win32 is not made yet.

There no longer need to apply several floating patches of openssl to iojs so upgrading procedure gets more simpler. I'll update the doc.

@brendanashworth brendanashworth added crypto Issues and PRs related to the crypto subsystem. openssl Issues and PRs related to the OpenSSL dependency. and removed crypto Issues and PRs related to the crypto subsystem. labels Jun 9, 2015
@shigeki
Copy link
Contributor

shigeki commented Jun 11, 2015

OpenSSL-1.0.2b has just been released.

Just looking the advisory at a glance, Malformed ECParameters causes infinite loop (CVE-2015-1788) seems to affect.

Update Branch: https://github.com/shigeki/io.js/tree/openssl-1.0.2b
CI: https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/811/
Win32 build is now testing on my Windows.

shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
This just replaces all sources of openssl-1.0.2b.tar.gz
into deps/openssl/openssl

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
Change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
asm files are generated as
  - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm
  - In `deps/openssl/asm_obsolute/`, make with no envs for compilers

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
This just replaces all sources of openssl-1.0.2b.tar.gz
into deps/openssl/openssl

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
Change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
asm files are generated as
  - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm
  - In `deps/openssl/asm_obsolute/`, make with no envs for compilers

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@shigeki
Copy link
Contributor

shigeki commented Jun 12, 2015

Upgrading to 1.0.2b were finished to master and v1.x branch in #1950.

@shigeki shigeki closed this as completed Jun 12, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

No branches or pull requests

3 participants