-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL float backports for 8.x and 6.x #24354
Closed
rvagg
wants to merge
6
commits into
nodejs:v8.x-staging
from
rvagg:rvagg/openssl-8.x-float-backports
Closed
OpenSSL float backports for 8.x and 6.x #24354
rvagg
wants to merge
6
commits into
nodejs:v8.x-staging
from
rvagg:rvagg/openssl-8.x-float-backports
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Only changes to src/base/debug/stack_trace_posix.cc included. Original commit message: Fixes to V8 GN build process on aix platform src/base/debug/stack_trace_posix.cc: suppressed unused function warnings for functions DemangleSymbols, OutputPointer(in order to compile with -Werror flag) test/cctest/test-isolate-independent-builtins.cc: corrections to make ByteInText test case compatible with aix. (affects aix only) Change-Id: I49e45e63545404c77aaed3f51b26557f6f03455e Reviewed-on: https://chromium-review.googlesource.com/927484 Reviewed-by: Jakob Gruber <[email protected]> Reviewed-by: Michael Achenbach <[email protected]> Commit-Queue: Jakob Gruber <[email protected]> Cr-Commit-Position: refs/heads/master@{nodejs#52071} PR-URL: nodejs#23958 Reviewed-By: Refael Ackermann <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
Original commit message: ppc64, aix: Pass CallFrequency object by const reference to avoid value copy error. Bug: v8:8193 GCC bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61976 Change-Id: I0d4efca4da03ef82651325e15ddf2160022bc8de Reviewed-on: https://chromium-review.googlesource.com/1228633 Reviewed-by: Michael Starzinger <[email protected]> Reviewed-by: Daniel Clifford <[email protected]> Reviewed-by: Junliang Yan <[email protected]> Commit-Queue: Junliang Yan <[email protected]> Cr-Commit-Position: refs/heads/master@{#56275} PR-URL: nodejs#23958 Reviewed-By: Refael Ackermann <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
Floating this patch since the code does not exist upstream anymore. deps/v8/testing/gtest.gyp: Suppress -Wnonnull-compare, -Waddress warnings for deps/v8/testing/gtest project; deps/v8/src/compiler/store-store-elimination.cc, deps/v8/src/conversions.cc: Suppress unused function warnings in order to compile with newer (>4.8.5) gcc on Aix. PR-URL: nodejs#23958 Reviewed-By: Refael Ackermann <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.0.2q Ref: openssl/openssl#7486 Ref: openssl/openssl#7513 Ref: https://www.openssl.org/news/secadv/20181030.txt Ref: nodejs#23965 Upstream: openssl/openssl@a9cfb8c2 Upstream: openssl/openssl@43e6a58d Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <[email protected]> (Merged from openssl/openssl#7486) Original backport commit message: Merge DSA reallocation timing fix CVE-2018-0734. Reviewed-by: Richard Levitte <[email protected]> (Merged from openssl/openssl#7513)
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.0.2q, not deemed severe enough to be assigned a CVE #. Ref: openssl/openssl#7487 Ref: openssl/openssl#7512 Ref: nodejs#23965 Upstream: openssl/openssl@415c3356 Upstream: openssl/openssl@ebf65dbe Original commit message: DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre <[email protected]> Reviewed-by: Bernd Edlinger <[email protected]> (Merged from openssl/openssl#7487) Original backport commit message: Reviewed-by: Richard Levitte <[email protected]> (Merged from openssl/openssl#7512)
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a constant-time calculation for one of the variables. This introduces a fix for that. Ref: openssl/openssl#7549 Ref: nodejs#24353 Upstream: openssl/openssl@26d7fce1 Original commit message: Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson <[email protected]> (Merged from openssl/openssl#7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
nodejs-github-bot
added
openssl
Issues and PRs related to the OpenSSL dependency.
v8.x
labels
Nov 14, 2018
Merged
BethGriggs
force-pushed
the
v8.x-staging
branch
from
November 15, 2018 14:25
e083cc1
to
62dd1d7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backports of #23965, #23965 and #24353 for OpenSSL 1.0.2. To go in 8.x and 6.x.
/cc @nodejs/release @nodejs/crypto