Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pending OpenSSL 1.0.2b upgrade #1921

Closed
rvagg opened this issue Jun 9, 2015 · 4 comments
Closed

Pending OpenSSL 1.0.2b upgrade #1921

rvagg opened this issue Jun 9, 2015 · 4 comments
Labels
openssl Issues and PRs related to the OpenSSL dependency.

Comments

@rvagg
Copy link
Member

rvagg commented Jun 9, 2015

https://mta.openssl.org/pipermail/openssl-announce/2015-June/000027.html

In a couple of days, on the 11th, there will be a new release containing security fixes. The highest of these is classified as "moderate" so this ought not be a big drama but it would be good for us to be on top of this and have a release out within a day or two max.

moderate severity issues. This includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws. These will in general be kept private until the next release, and that release will be scheduled so that it can roll up several such flaws at one time.
@rvagg rvagg closed this as completed Jun 9, 2015
@rvagg rvagg reopened this Jun 9, 2015
@rvagg
Copy link
Member Author

rvagg commented Jun 9, 2015

/cc @nodejs/crypto

@shigeki
Copy link
Contributor

shigeki commented Jun 9, 2015

I've just made a test branch for upgrading the current HEAD of openssl-1.0.2 branch in
https://github.com/shigeki/io.js/commits/openssl-1.0.2b-pre .
CI works fine as https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/782/ . But a test on Win32 is not made yet.

There no longer need to apply several floating patches of openssl to iojs so upgrading procedure gets more simpler. I'll update the doc.

@brendanashworth brendanashworth added crypto Issues and PRs related to the crypto subsystem. openssl Issues and PRs related to the OpenSSL dependency. and removed crypto Issues and PRs related to the crypto subsystem. labels Jun 9, 2015
@shigeki
Copy link
Contributor

shigeki commented Jun 11, 2015

OpenSSL-1.0.2b has just been released.

Just looking the advisory at a glance, Malformed ECParameters causes infinite loop (CVE-2015-1788) seems to affect.

Update Branch: https://github.com/shigeki/io.js/tree/openssl-1.0.2b
CI: https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/811/
Win32 build is now testing on my Windows.

@shigeki shigeki mentioned this issue Jun 11, 2015
Closed
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
deps: upgrade openssl sources to 1.0.2b
c21b24d 
This just replaces all sources of openssl-1.0.2b.tar.gz
into deps/openssl/openssl

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
deps: replace all headers in openssl
3844491 
Change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
deps: update asm files for openssl-1.0.2b
9480496 
asm files are generated as
  - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm
  - In `deps/openssl/asm_obsolute/`, make with no envs for compilers

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
deps: upgrade openssl sources to 1.0.2b
2a3367a 
This just replaces all sources of openssl-1.0.2b.tar.gz
into deps/openssl/openssl

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
deps: replace all headers in openssl
151720f 
Change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
shigeki pushed a commit to shigeki/node that referenced this issue Jun 12, 2015
deps: update asm files for openssl-1.0.2b
1feaa68 
asm files are generated as
  - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm
  - In `deps/openssl/asm_obsolute/`, make with no envs for compilers

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
@shigeki
Copy link
Contributor

shigeki commented Jun 12, 2015

Upgrading to 1.0.2b were finished to master and v1.x branch in #1950.

@shigeki shigeki closed this as completed Jun 12, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rvagg @shigeki @brendanashworth