openssl: Import OpenSSL 3.0.15.
ClosedPublic
Actions

Authored by ngie on Sep 7 2024, 3:49 PM.

Details

Reviewers

gordon
emaste
cy

Commits

rGcc43f991ab3e: openssl: Import OpenSSL 3.0.15.
rGa7148ab39c03: openssl: Import OpenSSL 3.0.15.

Summary

This release incorporates the following bug fixes and mitigations:

Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

Co-authored-by: gordon

Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'

Test Plan

make tinderbox ran on universe15a.freebsd.org successfully.

$ openssl version
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
$ python
Python 3.11.9 (main, Aug  1 2024, 01:28:14) [Clang 18.1.6 (https://github.com/llvm/llvm-project.git llvmorg-18.1.6-0-g1118c2 on freebsd15
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> resp = requests.get("https://freebsd.org")
>>> resp.raise_for_status()
>>> resp.text[:250]
>>> exit()
$ fetch -o FreeBSD-14.1-RELEASE-amd64-bootonly.iso.xz https://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/14.1/FreeBSD-14.1-RELEASE-amd64-bootonly.iso.xz
FreeBSD-14.1-RELEASE-amd64-bootonly.iso.xz              94 MB   35 MBps    03s
$ fetch -qo /dev/stdout https://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/14.1/CHECKSUM.SHA256-FreeBSD-14.1-RELEASE-amd64 | grep bootonly.iso.xz
SHA256 (FreeBSD-14.1-RELEASE-amd64-bootonly.iso.xz) = 964fc8ea02198be6ecef959a573f121729791b60ec556482487c121cd13f5126
$ sha256 FreeBSD-14.1-RELEASE-amd64-bootonly.iso.xz 
SHA256 (FreeBSD-14.1-RELEASE-amd64-bootonly.iso.xz) = 964fc8ea02198be6ecef959a573f121729791b60ec556482487c121cd13f5126
$ openssl sha256 FreeBSD-14.1-RELEASE-amd64-bootonly.iso.xz 
SHA2-256(FreeBSD-14.1-RELEASE-amd64-bootonly.iso.xz)= 964fc8ea02198be6ecef959a573f121729791b60ec556482487c121cd13f5126

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

ngie created this revision.Sep 7 2024, 3:49 PM

Herald added a subscriber: imp. · View Herald TranscriptSep 7 2024, 3:49 PM

ngie requested review of this revision.Sep 7 2024, 3:49 PM

Harbormaster completed remote builds in B59391: Diff 143103.Sep 7 2024, 3:49 PM

ngie edited the test plan for this revision. (Show Details)Sep 7 2024, 3:51 PM

ngie added reviewers: gordon, emaste, cy.

ngie mentioned this in D46603: Update config/build info for OpenSSL 3.0.15.

Assuming this is a straight import, LGTM.

This revision is now accepted and ready to land.Sep 7 2024, 6:02 PM

ngie edited the test plan for this revision. (Show Details)Sep 7 2024, 10:04 PM

In D46602#1062000, @gordon wrote:

Assuming this is a straight import, LGTM.

Yup! My [final] process used was similar to the following:

$ git log -n 1 108164cf95d9594884c2dcccba2691335e6f221b^..108164cf95d9594884c2dcccba2691335e6f221b
commit 108164cf95d9594884c2dcccba2691335e6f221b (tag: vendor/openssl/3.0.15, freebsd/vendor/openssl-3.0)
Author: Gordon Tetlow <gordon@FreeBSD.org>
Date:   Tue Sep 3 20:56:17 2024 -0700

    openssl: Import OpenSSL 3.0.15.
    
    This release incorporates the following bug fixes and mitigations:
    - Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
    - Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])
    
    Release notes can be found at:
    https://openssl-library.org/news/openssl-3.0-notes/index.html

$ git subtree merge -P crypto/openssl 108164cf95d9594884c2dcccba2691335e6f221b
$ cd crypto/openssl
$ ./config
$ git reset --hard
$ gmake include/openssl/opensslv.h
$ cd -
# Update secure/lib/Makefile.inc