Commit Graph

372 Commits

Author SHA1 Message Date
ajs124
fa8c56b8c7 openssl_3: patch CVE-2022-3996
https://www.openssl.org/news/secadv/20221213.txt
2022-12-13 17:34:42 +01:00
Linus Heckemann
f984417f86
Merge pull request #204165 from lheckemann/openssl-cross-fix
openssl: clean up configure script decision
2022-12-07 15:59:49 +01:00
Linus Heckemann
b7d5205f1a openssl: clean up configure script decision
This also fixes the build for big-endian MIPS systems.
2022-12-02 23:09:13 +01:00
Martin Weinelt
53d777c56f
Merge pull request #202126 from helsinki-systems/init/openssl_legacy 2022-11-26 23:47:31 +01:00
Artturi
821e146f51
Merge pull request #185176 from amjoseph-nixpkgs/pr/openssl/mips32
openssl: Rosetta Stone entry for mips32
2022-11-21 21:44:14 +02:00
ajs124
1996190b65 openssl_legacy: init
openssl_3, but with a openssl.cnf that enables legacy ciphers
this way we can migrate away from openssl_1_1, while not breaking
applications relying on deprecated stuff
2022-11-21 13:46:00 +01:00
Vladimír Čunát
b15a637819
Merge #199009: openssl_1_1: 1.1.1q -> 1.1.1s
...into staging
2022-11-05 16:59:07 +01:00
Vladimír Čunát
70ca403dc2
openssl(_3): enable KTLS only on Linux
This fixes build on *-darwin.
2022-11-02 09:33:15 +01:00
Vladimír Čunát
6aa0c5e918
openssl_1_1: drop a long unused patch 2022-11-01 18:46:44 +01:00
Vladimír Čunát
32ebb91f4b
openssl_1_1: 1.1.1q -> 1.1.1s
I believe this double version jump includes no security fixes.
2022-11-01 17:29:35 +01:00
Martin Weinelt
eeca5969b3
openssl: 3.0.5 -> 3.0.7
Fixes: CVE-2022-3786, CVE-2022-3602
Co-Authored-By: Andreas Schrägle <git@ajs124.de>
2022-11-01 16:44:23 +01:00
ajs124
0755f8c8f8 Revert "openssl: 3.0.5 -> 3.0.6"
This reverts commit 0c743ca36f.

https://mta.openssl.org/pipermail/openssl-announce/2022-October/000237.html
2022-10-13 18:10:42 +02:00
ajs124
b30d687dd0 Revert "openssl: 1.1.1q -> 1.1.1r"
This reverts commit 0bf7095945.

https://mta.openssl.org/pipermail/openssl-announce/2022-October/000237.html
2022-10-13 18:10:13 +02:00
Martin Weinelt
4828dc9d9b Merge remote-tracking branch 'helsinki-systems/upd/openssl' into staging 2022-10-12 02:20:45 +02:00
ajs124
0bf7095945 openssl: 1.1.1q -> 1.1.1r
bugfix release, does not fix any security issues
2022-10-11 22:29:58 +02:00
ajs124
0c743ca36f openssl: 3.0.5 -> 3.0.6
fixes CVE-2022-3358

https://www.openssl.org/news/secadv/20221011.txt
2022-10-11 17:00:34 +02:00
Sandro Jäckel
33944d5ddd
openssl: fix static cross compilation 2022-09-20 16:25:47 +02:00
ajs124
075b852820 openssl: versionAtLeast 1.1.0 -> 1.1.1
we don't have/support 1.1.0 anymore, so 1.1.1 is the new minimum
2022-08-17 20:16:18 +02:00
ajs124
c6de1d4b24 openssl: fix static build
https://mta.openssl.org/pipermail/openssl-users/2022-February/014906.html
2022-08-17 20:16:18 +02:00
Adam Joseph
a381f9bccf openssl: Rosetta Stone entry for mips32 2022-08-04 21:22:27 -07:00
Robert
649646d7b7
openssl: split runtime dependencies of static builds into a separate output (#182444) 2022-07-23 17:06:06 -04:00
Martin Weinelt
82da6eb46d
openssl_1_1: 1.1.1p -> 1.1.1q
https://www.openssl.org/news/secadv/20220705.txt

Fixes: CVE-2022-2097
2022-07-05 23:14:13 +02:00
Martin Weinelt
1dbf7b45e2
openssl_3: 3.0.4 -> 3.0.5
https://www.openssl.org/news/secadv/20220705.txt

We already acted on the first public disclosure, so this release removes
the previous patch and upgrades to the release including the fix.

Related: CVE-2022-2274
Fixes: CVE-2022-2097
2022-07-05 23:14:10 +02:00
Vladimír Čunát
0c4852c7bc
Merge #179333: openssl_3_0: fix apparent x86_64 AVX512 RCE 2022-06-28 01:01:42 +02:00
Martin Weinelt
62b05d9742 Merge remote-tracking branch 'origin/master' into staging-next 2022-06-27 23:50:37 +02:00
Alyssa Ross
fd6a8fb894
openssl_3: rename from openssl_3_0
With their new versioning scheme, OpenSSL have committed[1] to API and
ABI compatibility for the whole 3.x.x release series, so we shouldn't
be overly specific in our attribute name.

[1]: https://www.openssl.org/blog/blog/2018/11/28/version/
2022-06-27 13:35:16 +00:00
Alyssa Ross
c59d1ebd6e
openssl_3_0: fix apparent x86_64 AVX512 RCE
Has been applied upstream.  No CVE.
2022-06-27 13:14:30 +00:00
Martin Weinelt
deb8ef1162 openssl_3_0: 3.0.3 -> 3.0.4
Fixes additional sanitization issues in the c_rehash script.

https://mta.openssl.org/pipermail/openssl-announce/2022-June/000227.html

Fixes: CVE-2022-2068
2022-06-21 18:02:47 +02:00
Martin Weinelt
0c21382922 openssl_1_1: 1.1.1o -> 1.1.1p
Fixes additional sanitization issues in the c_rehash script.

https://mta.openssl.org/pipermail/openssl-announce/2022-June/000226.html

Fixes: CVE-2022-2068
2022-06-21 18:02:47 +02:00
Jörg Thalheim
cc60c24909
openssl: disable ct feature in static mode (#173288)
For static binaries to be relocatable, they can't depend on data files.

Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 11:42:46 +02:00
github-actions[bot]
16684f8bd3
Merge master into staging-next 2022-05-04 12:01:10 +00:00
Martin Weinelt
c62eceb91e
openssl_3_0: 3.0.2 -> 3.0.3
- The c_rehash script allows command injection (CVE-2022-1292)
- OCSP_basic_verify may incorrectly verify the response signing
  certificate (CVE-2022-1343)
- Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)
- Resource leakage when decoding certificates and keys (CVE-2022-1473)

https://mta.openssl.org/pipermail/openssl-announce/2022-May/000224.html

Fixes: CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473
2022-05-04 07:17:01 +02:00
Martin Weinelt
a7be3b2607
openssl_1_1: 1.1.1n -> 1.1.1o
Fixes command injection in the c_rehash script, which at the same time
is also considered obsolete and should be replaced by openssl rehash.

https://mta.openssl.org/pipermail/openssl-announce/2022-May/000224.html

Fixes: CVE-2022-1292
2022-05-03 18:05:18 +02:00
sternenseemann
a985b2bd99
Merge pull request #165746 from a-m-joseph/openssl-fix-mips64-abi-detection-when-not-cross-compiling
openssl: fix mips64 abi detection when not cross compiling
2022-04-11 22:41:29 +02:00
Adam Joseph
77d6781cdc openssl: specify the ABI explicitly on mips64
When *not* cross-compiling, OpenSSL will not attempt to detect the
host ABI.  For mips64, the OpenSSL authors have chosen to assume that
the n32 ABI is used.

Since nixpkgs knows the correct ABI based on stdenv.hostPlatform,
let's pass this information to OpenSSL explicitly.

At the moment (bootstrappable) nixpkgs on mips64 can only be used with
the n64 ABI due to the fact that boost-context (required by nix) does
not support the n32 ABI.  Without this commit the openssl expression
can be cross-compiled to a mips64 host, but a mips64 host cannot
self-compile the expression due to OpenSSL's incorrect assumption.

https://github.com/NixOS/nixpkgs/pull/165746#pullrequestreview-924423243
2022-04-11 11:23:19 -07:00
ajs124
49c51cdd51 openssl_1_0_2: drop 2022-04-04 15:37:05 +01:00
ajs124
0fae27376d cipherscan: drop 2022-04-04 15:10:43 +01:00
Martin Weinelt
72bb369245
openssl_1_1: 1.1.1m -> 1.1.1n
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1n/CHANGES#L10

Fixes: CVE-2022-0778
2022-03-15 16:39:33 +01:00
Martin Weinelt
384a708e6d
openssl_3_0: 3.0.1 -> 3.0.2
https://github.com/openssl/openssl/blob/openssl-3.0.2/CHANGES.md#changes-between-301-and-302-15-mar-2022

Fixes: CVE-2022-0778
2022-03-15 16:38:56 +01:00
Tom McLaughlin
d01b2cc71b
openssl: remove assert restricting withPerl=false (#156949) 2022-01-27 00:41:18 -05:00
taku0
7ab79bff9f openssl: remove with lib
See https://github.com/NixOS/nixpkgs/pull/150733/files#r785279764
2022-01-20 09:19:19 -08:00
taku0
4a7fa6456d openssl_1_1: fix build on Darwin
See https://github.com/NixOS/nixpkgs/pull/150733/files#r785279118
2022-01-20 09:19:19 -08:00
Dmitry Kalinkin
2ddda43924
Merge branch 'staging' into staging-next
Conflicts:
	pkgs/os-specific/linux/kernel/common-config.nix
2021-12-25 17:16:26 -05:00
7c6f434c
b0f154fd44
Merge pull request #147027 from Izorkin/update-nginx-ktls
nginxMainline: enable ktls support
2021-12-24 10:23:17 +00:00
Martin Weinelt
8cd976ffdb
Merge pull request #150733 from mweinelt/openssl 2021-12-21 03:33:37 +01:00
Martin Weinelt
29f216c48a
openssl_1_1: 1.1.1l -> 1.1.1m 2021-12-18 15:39:12 +01:00
Martin Weinelt
35a11522ba openssl_3_0: 3.0.0 -> 3.0.1 2021-12-15 10:56:04 +01:00
Izorkin
9419b653ba
openssl 3.0.0: enable ktls support 2021-11-27 09:39:56 +03:00
Janne Heß
83ab81ae89
Merge pull request #137004 from baloo/baloo/openssl/3.0.0-init
openssl3: init at 3.0.0
2021-11-05 13:02:47 +01:00
Zhaofeng Li
42dcdc2c3a openssl: Fix build configuration for riscv64-linux
Without this patch, OpenSSL would use the suboptimal linux-generic32
config when building natively on riscv64.
2021-10-15 15:53:41 -07:00