Hello Steve,
I've just stumbled upon the fact that this upgrade causes the softhsm
package to throw SIGSEGV when the PKCS#11 engine is used.
There is an ongoing discussion on both OpenSSL [1] and SoftHSM [2]
repositories on how to address this issue, but there is no definitive
solution presented at the moment.
Please note that master openssl version 3.1.4 is also affected in the
same way, as it looks like the patch(es) applied in openssl were
back-ported onto both 'openssl-3.0' and 'openssl-3.1' branches.
Since softhsm is used in quite a few scenarios to serve as a PKCS#11
provider, I guess this upgrade would break those for quite some people
that are using the LTS release. Therefore, I would suggest reverting
it and waiting for an appropriate solution to be developed in either of those
packages, at the cost of having CVE-2023-5363 un-patched.
I would leave it up to you to decide on how to proceed with this further.
On 10/30/2023 3:20 AM, Steve Sakoman wrote:
From: Peter Marko <[email protected]>
https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3011-and-openssl-3012-24-oct-2023
Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs.
(CVE-2023-5363)
Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Steve Sakoman <[email protected]>
---
.../openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-connectivity/openssl/{openssl_3.0.11.bb =>
openssl_3.0.12.bb} (99%)
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb
b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.0.11.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.12.bb
index 22eaa3af33..d8c9b073a2 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55"
+SRC_URI[sha256sum] =
"f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61"
inherit lib_package multilib_header multilib_script ptest perlnative
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
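Review bot: The new SRC_URI[sha256sum] value on the + line is the only integrity check on the 3.0.12 tarball, and the commit message does not say where it came from; please state that it was compared against the checksum published by upstream for the release rather than taken from a local fetch. The commit message also quotes only the NEWS entry for CVE-2023-5363, so a sentence on what was run against the upgraded recipe (ptest is inherited in the context line of this hunk) would help stable-branch reviewers judge regression risk, which is the concern this reply raises for PKCS#11 engine users.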
Regards,
Andrey
Link: [1]: https://github.com/openssl/openssl/issues/22508
Link: [2]: https://github.com/opendnssec/SoftHSMv2/issues/729