[dunfell,v2] openssl: upgrade to 1.1.1m for CVE-2021-4160

Message ID 20220216035900.851949-1-tim.orling@konsulko.com
State New, archived

Commit Message

Tim Orling Feb. 16, 2022, 3:59 a.m. UTC
Changes are only security and bug fixes.

https://www.openssl.org/news/cl111.txt
https://git.openssl.org/?p=openssl.git;a=log;h=refs/tags/OpenSSL_1_1_1m

CVE: CVE-2021-4160

https://nvd.nist.gov/vuln/detail/CVE-2021-4160

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
Changes in v2:
 - drop SRC_URI[md5sum] that devtool snuck in.

 .../openssl/{openssl_1.1.1l.bb => openssl_1.1.1m.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1m.bb} (98%)

Comments

Steve Sakoman Feb. 18, 2022, 11:36 p.m. UTC | #1
On Tue, Feb 15, 2022 at 5:59 PM Tim Orling <ticotimo@gmail.com> wrote:
>
> Changes are only security and bug fixes.

I'm seeing ptest errors:

WARNING: core-image-sato-sdk-ptest-1.0-r0 do_testimage: There were
failing ptests.
Traceback (most recent call last):
  File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/core/decorator/__init__.py",
line 36, in wrapped_f
    return func(*args, **kwargs)
  File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/core/decorator/__init__.py",
line 36, in wrapped_f
    return func(*args, **kwargs)
  File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/core/decorator/__init__.py",
line 36, in wrapped_f
    return func(*args, **kwargs)
  File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/runtime/cases/ptest.py",
line 25, in test_ptestrunner_expectfail
    self.do_ptestrunner()
  File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/runtime/cases/ptest.py",
line 108, in do_ptestrunner
    self.fail(failmsg)
AssertionError: Failed ptests:
{'openssl': ['test/recipes/30-test_evp_extra.t,_test_returned_1']}

Happens with both qemuarm64-ptest and qemux86-64-ptest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/2863
https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/3124

Steve

> https://www.openssl.org/news/cl111.txt
> https://git.openssl.org/?p=openssl.git;a=log;h=refs/tags/OpenSSL_1_1_1m
>
> CVE: CVE-2021-4160
>
> https://nvd.nist.gov/vuln/detail/CVE-2021-4160
>
> Signed-off-by: Tim Orling <tim.orling@konsulko.com>
> ---
> Changes in v2:
>  - drop SRC_URI[md5sum] that devtool snuck in.
>
>  .../openssl/{openssl_1.1.1l.bb => openssl_1.1.1m.bb}            | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1m.bb} (98%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
> similarity index 98%
> rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
> rename to meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
> index bf7cd6527ef..c6f8499d4f5 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
> @@ -24,7 +24,7 @@ SRC_URI_append_class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>
> -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
> +SRC_URI[sha256sum] = "f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96"
>
>  inherit lib_package multilib_header multilib_script ptest
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> --
> 2.30.2
>

Tim Orling Feb. 19, 2022, 12:27 a.m. UTC | #2
On Fri, Feb 18, 2022 at 3:36 PM Steve Sakoman <steve@sakoman.com> wrote:

> On Tue, Feb 15, 2022 at 5:59 PM Tim Orling <ticotimo@gmail.com> wrote:
> >
> > Changes are only security and bug fixes.
>
> I'm seeing ptest errors:
>
> WARNING: core-image-sato-sdk-ptest-1.0-r0 do_testimage: There were
> failing ptests.
> Traceback (most recent call last):
>   File
> "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/core/decorator/__init__.py",
> line 36, in wrapped_f
>     return func(*args, **kwargs)
>   File
> "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/core/decorator/__init__.py",
> line 36, in wrapped_f
>     return func(*args, **kwargs)
>   File
> "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/core/decorator/__init__.py",
> line 36, in wrapped_f
>     return func(*args, **kwargs)
>   File
> "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/runtime/cases/ptest.py",
> line 25, in test_ptestrunner_expectfail
>     self.do_ptestrunner()
>   File
> "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/runtime/cases/ptest.py",
> line 108, in do_ptestrunner
>     self.fail(failmsg)
> AssertionError: Failed ptests:
> {'openssl': ['test/recipes/30-test_evp_extra.t,_test_returned_1']}
>

I saw this on qemux86-64, but was not sure it was due to the upgrade or a
one-off infra issue. I’ll dig deeper and see what might be happening.


> Happens with both qemuarm64-ptest and qemux86-64-ptest:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/2863
> https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/3124
>
> Steve
>
> > https://www.openssl.org/news/cl111.txt
> > https://git.openssl.org/?p=openssl.git;a=log;h=refs/tags/OpenSSL_1_1_1m
> >
> > CVE: CVE-2021-4160
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2021-4160
> >
> > Signed-off-by: Tim Orling <tim.orling@konsulko.com>
> > ---
> > Changes in v2:
> >  - drop SRC_URI[md5sum] that devtool snuck in.
> >
> >  .../openssl/{openssl_1.1.1l.bb => openssl_1.1.1m.bb}            | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >  rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb =>
> openssl_1.1.1m.bb} (98%)
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
> b/meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
> > similarity index 98%
> > rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
> > rename to meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
> > index bf7cd6527ef..c6f8499d4f5 100644
> > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
> > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
> > @@ -24,7 +24,7 @@ SRC_URI_append_class-nativesdk = " \
> >             file://environment.d-openssl.sh \
> >             "
> >
> > -SRC_URI[sha256sum] =
> "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
> > +SRC_URI[sha256sum] =
> "f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96"
> >
> >  inherit lib_package multilib_header multilib_script ptest
> >  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> > --
> > 2.30.2
> >
>

Steve Sakoman Feb. 19, 2022, 2:37 a.m. UTC | #3
On Fri, Feb 18, 2022 at 2:27 PM Tim Orling <ticotimo@gmail.com> wrote:
>
>
>
> On Fri, Feb 18, 2022 at 3:36 PM Steve Sakoman <steve@sakoman.com> wrote:
>>
>> On Tue, Feb 15, 2022 at 5:59 PM Tim Orling <ticotimo@gmail.com> wrote:
>> >
>> > Changes are only security and bug fixes.
>>
>> I'm seeing ptest errors:
>>
>> WARNING: core-image-sato-sdk-ptest-1.0-r0 do_testimage: There were
>> failing ptests.
>> Traceback (most recent call last):
>>   File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/core/decorator/__init__.py",
>> line 36, in wrapped_f
>>     return func(*args, **kwargs)
>>   File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/core/decorator/__init__.py",
>> line 36, in wrapped_f
>>     return func(*args, **kwargs)
>>   File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/core/decorator/__init__.py",
>> line 36, in wrapped_f
>>     return func(*args, **kwargs)
>>   File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/runtime/cases/ptest.py",
>> line 25, in test_ptestrunner_expectfail
>>     self.do_ptestrunner()
>>   File "/home/pokybuild/yocto-worker/qemux86-64-ptest/build/meta/lib/oeqa/runtime/cases/ptest.py",
>> line 108, in do_ptestrunner
>>     self.fail(failmsg)
>> AssertionError: Failed ptests:
>> {'openssl': ['test/recipes/30-test_evp_extra.t,_test_returned_1']}
>
>
> I saw this on qemux86-64, but was not sure it was due to the upgrade or a one-off infra issue. I’ll dig deeper and see what might be happening.

I re-ran the test and got the same error, so it doesn't seem to be intermittent.

Thanks!

Steve

>
>>
>> Happens with both qemuarm64-ptest and qemux86-64-ptest:
>>
>> https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/2863
>> https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/3124
>>
>> Steve
>>
>> > https://www.openssl.org/news/cl111.txt
>> > https://git.openssl.org/?p=openssl.git;a=log;h=refs/tags/OpenSSL_1_1_1m
>> >
>> > CVE: CVE-2021-4160
>> >
>> > https://nvd.nist.gov/vuln/detail/CVE-2021-4160
>> >
>> > Signed-off-by: Tim Orling <tim.orling@konsulko.com>
>> > ---
>> > Changes in v2:
>> >  - drop SRC_URI[md5sum] that devtool snuck in.
>> >
>> >  .../openssl/{openssl_1.1.1l.bb => openssl_1.1.1m.bb}            | 2 +-
>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>> >  rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1m.bb} (98%)
>> >
>> > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
>> > similarity index 98%
>> > rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
>> > rename to meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
>> > index bf7cd6527ef..c6f8499d4f5 100644
>> > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
>> > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
>> > @@ -24,7 +24,7 @@ SRC_URI_append_class-nativesdk = " \
>> >             file://environment.d-openssl.sh \
>> >             "
>> >
>> > -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
>> > +SRC_URI[sha256sum] = "f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96"
>> >
>> >  inherit lib_package multilib_header multilib_script ptest
>> >  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
>> > --
>> > 2.30.2
>> >

Mikko Rapeli Feb. 21, 2022, 7:04 a.m. UTC | #4
FWIW, there is also the pure patch to fix CVE-2021-4160 in openssl 1.1.1l for dunfell:

https://lists.openembedded.org/g/openembedded-core/message/161652

Patch versus letter version update, which one is preferred?

-Mikko

Steve Sakoman Feb. 21, 2022, 2:06 p.m. UTC | #5
On Sun, Feb 20, 2022 at 9:04 PM <Mikko.Rapeli@bmw.de> wrote:
>
> FWIW, there is also the pure patch to fix CVE-2021-4160 in openssl 1.1.1l for dunfell:
>
> https://lists.openembedded.org/g/openembedded-core/message/161652
>
> Patch versus letter version update, which one is preferred?

Yes, I'm aware of the CVE only patch.  In this case I'd prefer the
letter version update since it also contains bug fixes.  But if we
can't fix the ptest regression in the next couple of days I'll fall
back to the CVE only patch.

Steve
>
> -Mikko

Patch

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
index bf7cd6527ef..c6f8499d4f5 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1m.bb
@@ -24,7 +24,7 @@  SRC_URI_append_class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
+SRC_URI[sha256sum] = "f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
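
Review bot: the replaced `SRC_URI[sha256sum]` line is the only integrity pin for the 1.1.1m tarball in this hunk, and nothing in the patch says where the new digest came from. Since v2 already had to drop an md5sum that devtool added, please note in the commit message that the sha256 was compared with the digest upstream publishes for the release, not taken from the tool output alone. Separately, the unchanged context line `inherit lib_package multilib_header multilib_script ptest` means the upgraded recipe still ships its ptests, so "Changes are only security and bug fixes" should be backed by a ptest result before merge; the thread reports `30-test_evp_extra.t` failing on both qemux86-64-ptest and qemuarm64-ptest with this change applied.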