v1.18: chore: bump openssl to 0.10.66 (backport of #2228)

[mergify]

Problem

https://rustsec.org/advisories/RUSTSEC-2024-0357.html

Crate:     openssl
Version:   0.10.64
Title:     `MemBio::get_buf` has undefined behavior with empty buffers
Date:      2024-07-21
ID:        RUSTSEC-2024-0357
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0357
Solution:  Upgrade to >=0.10.66
Dependency tree:
openssl 0.10.64

---

This is an automatic backport of pull request #2228 done by [Mergify](https://mergify.com).

[mergify]

Cherry-pick of 02918b8 has failed:

On branch mergify/bp/v1.18/pr-2228
Your branch is up to date with 'origin/v1.18'.

You are currently cherry-picking commit 02918b89f6.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   Cargo.lock
	both modified:   programs/sbf/Cargo.lock

no changes added to commit (use "git add" and/or "git commit -a")

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

[willhickey]

If we're going to bump this in v1.18 I'm inclined to soak it for a week in v2.0 on testnet first. Given that v1.18.19 is very similar to v1.18.18 we can skip v1.18.19 and leave mainnet-beta on v1.18.18 this week.

• Today
  • Merge v2.0: chore: bump openssl to 0.10.66 (backport of #2228) #2235
  • Tag v2.0.4 and upgrade our testnet nodes
• Tomorrow
  • Announce v2.0.4 for testnet
• Friday
  • Merge this PR and tag v1.18.20.
• Sunday
  • Recommend v1.18.20 for mainnet-beta

[t-nelson]

the delta between openssl in v1.18 (0.10.63) and the patched open ssl is 87 commits. meanwhile the effective part of the patch for this security advisory is six lines

[CriesofCarrots]

the delta between openssl in v1.18 (0.10.63) and the patched open ssl is 87 commits. meanwhile the effective part of the patch for this security advisory is six lines

@t-nelson , are you trying to make a particular argument here, or just sharing data?
Will did already compile this data and response options on discord: https://discord.com/channels/428295358100013066/910937142182682656/1264781703977762838
If you have opinions, it would be great if you chime in there.

[willhickey]

If we decide to vendor and patch I've got a fork with a suitable branch ready:
https://github.com/anza-xyz/rust-openssl/tree/v0.10.63_with_RUSTSEC-2024-0357_patch

[yihau]

looks like we decide to suppress the openssl => #2263