Message ID | 5cf9f9426de71a35b06c7b4b9b092f22243676fb.1698632320.git.steve@sakoman.com |
---|---|
State | Accepted, archived |
Commit | 5cf9f9426de71a35b06c7b4b9b092f22243676fb |
Series | [kirkstone,1/7] cve-exclusion_5.10.inc: update for 5.10.197 |
Hello Steve,

I've just stumbled upon the fact that this upgrade causes the softhsm package to throw SIGSEGV when the PKCS#11 engine is used. There is an ongoing discussion on both the OpenSSL [1] and SoftHSM [2] repositories on how to address this issue, but there is no definitive solution presented at the moment.

Please note that master openssl version 3.1.4 is also affected in the same way, as it looks like the patch(es) applied in openssl were back-ported onto both the 'openssl-3.0' and 'openssl-3.1' branches.

Since softhsm is used in quite a few scenarios to serve as a PKCS#11 provider, I guess this upgrade would break those for quite some people that are using the LTS release. Therefore, I would suggest rather reverting it and waiting for an appropriate solution to be developed in either of those packages, at the cost of having CVE-2023-5363 un-patched.

I would leave it up to you to decide on how to proceed with this further.

On 10/30/2023 3:20 AM, Steve Sakoman wrote:
> From: Peter Marko <peter.marko@siemens.com> > > https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3011-and-openssl-3012-24-oct-2023 > > Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023] > * Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363) > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > Signed-off-by: Steve Sakoman <steve@sakoman.com> > --- > .../openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb} | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > rename meta/recipes-connectivity/openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb} (99%) > > diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb > similarity index 99% > rename from meta/recipes-connectivity/openssl/openssl_3.0.11.bb > rename to meta/recipes-connectivity/openssl/openssl_3.0.12.bb > index 22eaa3af33..d8c9b073a2 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb 
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb > @@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \ > file://environment.d-openssl.sh \ > " > > -SRC_URI[sha256sum] = "b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55" > +SRC_URI[sha256sum] = "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61" > > inherit lib_package multilib_header multilib_script ptest perlnative > MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

Regards,
Andrey

Link: [1]: https://github.com/openssl/openssl/issues/22508
Link: [2]: https://github.com/opendnssec/SoftHSMv2/issues/729
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb similarity index 99% rename from meta/recipes-connectivity/openssl/openssl_3.0.11.bb rename to meta/recipes-connectivity/openssl/openssl_3.0.12.bb index 22eaa3af33..d8c9b073a2 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb @@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55" +SRC_URI[sha256sum] = "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61" inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
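Review bot: The commit message does not say how the new `SRC_URI[sha256sum]` value was obtained, and that line is the only content change in this hunk apart from the rename. Please state that it was checked against the SHA-256 upstream publishes for the 3.0.12 tarball so a reviewer can confirm it independently. The message also quotes only the CVE-2023-5363 line from NEWS.md. Since the reply in this thread reports a softhsm SIGSEGV with the PKCS#11 engine after this upgrade, a short note on which dependent recipes were exercised (the recipe inherits `ptest`) would help stable-branch reviewers weigh the regression risk against the fix.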