Update openssl 1.1.1c #28211
Conversation
Patching the s390 asm rules is no longer required. See: openssl/openssl#8351
This updates all sources in deps/openssl/openssl by:
  $ cd deps/openssl/
  $ rm -rf openssl
  $ tar zxf ~/tmp/openssl-1.1.1c.tar.gz
  $ mv openssl-1.1.1c openssl
  $ git add --all openssl
  $ git commit openssl
Sadly, an error occurred when I tried to trigger a build. :(
After an OpenSSL source update, all the config files need to be regenerated and committed by:
  $ cd deps/openssl/config
  $ make
  $ git add deps/openssl/config/archs
  $ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
  $ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
  $ git add deps/openssl/openssl/include/openssl/opensslconf.h
  $ git commit
2a10271 to 66b4930
backport: #28212
@nodejs/releasers @nodejs/lts This cherry-picks cleanly onto 12.x-staging, but not onto v10.x-staging, so I backported. Possibly it needs to "bake" by being in a 12.x release before getting released on 10.x.
We did reserve a date (June 25th) for a security release across all currently supported versions of Node.js. This OpenSSL update seems like the sort of thing the reserved date was intended for (non-critical security updates).
RSLGTM. I think you'd need to run license-builder.sh?
I agree that #26537 fixed CVE-2019-1543, and to leave it for the case where an older version is used in the shared library.
@ryzokuken I've never run license-builder.sh, and it's not part of the OpenSSL update instructions (see deps/openssl/config/README.md). Should it be? OpenSSL doesn't change its license in patches, but when I tried running it, I noticed the valgrind license seems out of date.
RSLGTM, thanks Sam.
Patching the s390 asm rules is no longer required. See: openssl/openssl#8351
PR-URL: nodejs#28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
This updates all sources in deps/openssl/openssl by:
  $ cd deps/openssl/
  $ rm -rf openssl
  $ tar zxf ~/tmp/openssl-1.1.1c.tar.gz
  $ mv openssl-1.1.1c openssl
  $ git add --all openssl
  $ git commit openssl
PR-URL: nodejs#28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
After an OpenSSL source update, all the config files need to be regenerated and committed by:
  $ cd deps/openssl/config
  $ make
  $ git add deps/openssl/config/archs
  $ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
  $ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
  $ git add deps/openssl/openssl/include/openssl/opensslconf.h
  $ git commit
PR-URL: nodejs#28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Landed in b6326ce...7cb8981 🎉
Looks like this update causes
The test still passes given enough time but performance of getDiffieHellman() is much much worse than before. Might be not-a-bug if it’s due to a security fix or something?
Pummel test issues workarounds/fixes in #28390
@Trott re:
I wouldn't expect bisect to work across any openssl updates, because upstream sources are updated in a separate commit from the config files generated by node's build system, according to our openssl update process, see https://github.com/nodejs/node/blob/master/deps/openssl/config/README.md#4-commit-and-make-test. There are some pros and cons to changing the process we use to vendor in openssl updates. In general, every commit would pass
@sam-github Ah, thanks for the explanation. That makes a lot of sense.
Notable changes:

This release contains `semver-major` commits. These are in fact not `semver-major` due to follow-up commits that remove all breaking changes.

* build:
  * The startup time is reduced by enabling V8 snapshots by default #28181
* deps:
  * Updated `V8` to 7.5.288.22 #27375
    * The numeric separator (v8.dev/features/numeric-separators) feature is now enabled by default
  * Updated `OpenSSL` to 1.1.1c #28211
* inspector:
  * The `--inspect-publish-uid` flag was added to specify ways of the inspector web socket url exposure #27741
* n-api:
  * Accessors on napi_define_* are now ECMAScript-compliant #27851
* report:
  * The cpu info got added to the report output #28188
* src:
  * Restore the original state of the stdio file descriptors on exit to prevent leaving stdio in raw or non-blocking mode #24260
* tools,gyp:
  * Introduce MSVS 2019 #27375
* util:
  * inspect:
    * Array grouping became more compact and uses more columns than before #28059 #28070
    * Long strings will not be split at 80 characters anymore. Instead they will be split on new lines #28055
* worker:
  * `worker.terminate()` now returns a promise and using the callback is deprecated #28021

PR-URL: #28268
See:
Note openssl 1.1.1c fixes CVE https://www.openssl.org/news/vulnerabilities.html#2019-1543, but I believe this does not affect node since #26537 protects it. Arguably, we could back out #26537, except that it can creep back in if an external OpenSSL 1.1.1a or b is used. Best to leave, I think.
/to @nodejs/crypto
Checklist
- make -j4 test (UNIX), or vcbuild test (Windows) passes