Message ID | 20210320230337.1841-1-ismael@iodev.co.uk |
---|---|
State | Accepted |
Series | package/libressl: security bump to 3.2.5 |
Ismael, All,

On 2021-03-21 00:03 +0100, Ismael Luceno spake thusly:
> It includes the following bug fix:
>
> * A TLS client using session resumption may cause a use-after-free.
>
> https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt
>
> Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> --- > package/libressl/libressl.hash | 2 +- > package/libressl/libressl.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/libressl/libressl.hash b/package/libressl/libressl.hash > index 0dd0ffcaed03..9f216bf2f143 100644 > --- a/package/libressl/libressl.hash > +++ b/package/libressl/libressl.hash > @@ -1,4 +1,4 @@ > # From https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/SHA256 > -sha256 412dc2baa739228c7779e93eb07cd645d5c964d2f2d837a9fd56db7498463d73 libressl-3.2.3.tar.gz > +sha256 798a65fd61d385e09d559810cdfa46512f8def5919264cfef241a7b086ce7cfe libressl-3.2.5.tar.gz > # Locally computed > sha256 5c63613f008f16a9c0025c096bbd736cecf720494d121b5c5203e0ec6e5955b1 COPYING > diff --git a/package/libressl/libressl.mk b/package/libressl/libressl.mk > index 654b8bda2622..ad345ba3f091 100644 > --- a/package/libressl/libressl.mk > +++ b/package/libressl/libressl.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -LIBRESSL_VERSION = 3.2.3 > +LIBRESSL_VERSION = 3.2.5 > LIBRESSL_SITE = https://ftp.openbsd.org/pub/OpenBSD/LibreSSL > LIBRESSL_LICENSE = ISC (new additions), OpenSSL or SSLeay (original OpenSSL code) > LIBRESSL_LICENSE_FILES = COPYING > -- > 2.31.0
>>>>> "Ismael" == Ismael Luceno <ismael@iodev.co.uk> writes:

> It includes the following bug fix:
> * A TLS client using session resumption may cause a use-after-free.
> https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt
> Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>

Committed to 2020.11.x and 2021.02.x, thanks.

It is not really clear to me if this is only an issue in 3.2.x / TLSv1.3?
On 26/Mar/2021 23:47, Peter Korsgaard wrote:
> >>>>> "Ismael" == Ismael Luceno <ismael@iodev.co.uk> writes:
>
> > It includes the following bug fix:
> > * A TLS client using session resumption may cause a use-after-free.
>
> > https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt
>
> > Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
>
> Committed to 2020.11.x and 2021.02.x, thanks.
>
> It is not really clear to me if this is only an issue in 3.2.x /
> TLSv1.3?

AFAICT, it's covered; 3.1 branch is unaffected, the field causing the issue
was introduced in the 3.2 branch. BTW, 3.3.1 also seems to be affected.
>>>>> "Ismael" == Ismael Luceno <ismael@iodev.co.uk> writes:

> On 26/Mar/2021 23:47, Peter Korsgaard wrote:
>> >>>>> "Ismael" == Ismael Luceno <ismael@iodev.co.uk> writes:
>>
>> > It includes the following bug fix:
>> > * A TLS client using session resumption may cause a use-after-free.
>>
>> > https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt
>>
>> > Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
>>
>> Committed to 2020.11.x and 2021.02.x, thanks.
>>
>> It is not really clear to me if this is only an issue in 3.2.x /
>> TLSv1.3?

> AFAICT, it's covered; 3.1 branch is unaffected, the field causing the issue
> was introduced in the 3.2 branch. BTW, 3.3.1 also seems to be affected.

Ok, thanks!
diff --git a/package/libressl/libressl.hash b/package/libressl/libressl.hash index 0dd0ffcaed03..9f216bf2f143 100644 --- a/package/libressl/libressl.hash +++ b/package/libressl/libressl.hash @@ -1,4 +1,4 @@ # From https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/SHA256 -sha256 412dc2baa739228c7779e93eb07cd645d5c964d2f2d837a9fd56db7498463d73 libressl-3.2.3.tar.gz +sha256 798a65fd61d385e09d559810cdfa46512f8def5919264cfef241a7b086ce7cfe libressl-3.2.5.tar.gz # Locally computed sha256 5c63613f008f16a9c0025c096bbd736cecf720494d121b5c5203e0ec6e5955b1 COPYING diff --git a/package/libressl/libressl.mk b/package/libressl/libressl.mk index 654b8bda2622..ad345ba3f091 100644 --- a/package/libressl/libressl.mk +++ b/package/libressl/libressl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBRESSL_VERSION = 3.2.3 +LIBRESSL_VERSION = 3.2.5 LIBRESSL_SITE = https://ftp.openbsd.org/pub/OpenBSD/LibreSSL LIBRESSL_LICENSE = ISC (new additions), OpenSSL or SSLeay (original OpenSSL code) LIBRESSL_LICENSE_FILES = COPYING
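Review bot: in the package/libressl/libressl.hash hunk, the new libressl-3.2.5.tar.gz hash is sourced from "# From https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/SHA256", which is the same host that LIBRESSL_SITE fetches the tarball from, so it catches corruption or a later swap of the tarball but gives no independent check on the file at the time of the bump. If upstream publishes a signature for this release and it was verified, please record that in the comment line above the hash; for a security bump going to the stable branches that is worth the extra step.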
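Review bot: in the package/libressl/libressl.mk hunk, LIBRESSL_VERSION jumps from 3.2.3 straight to 3.2.5, but the commit message only lists the fix from the 3.2.5 release notes. Please also state what 3.2.4 changed (or that it carries nothing relevant), and since the subject calls this a security bump, cite the advisory or CVE identifier if one exists. The affected range is also worth a sentence in the commit message: the follow-up discussion had to establish separately that the 3.1 branch is unaffected before the backport decision was clear.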
It includes the following bug fix:

* A TLS client using session resumption may cause a use-after-free.

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt

Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>

---
 package/libressl/libressl.hash | 2 +-
 package/libressl/libressl.mk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)