From a92c6b1a2b5b8b69f248c732db4a11ddf130f0f1 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Thu, 28 Feb 2019 23:53:26 +0100 Subject: gnu: openssl: Fix CVE-2019-1559. * gnu/packages/tls.scm (openssl)[replacement]: New field. (openssl/fixed): New variable. (openssl-next)[inherit]: Inherit from it instead. * gnu/packages/patches/openssl-CVE-2019-1559.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/packages/tls.scm | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index c10b1a5320..6e91a46608 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -10,7 +10,7 @@ ;;; Copyright © 2016 Hartmut Goebel ;;; Copyright © 2017 Ricardo Wurmus ;;; Copyright © 2017, 2018 Marius Bakke -;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice +;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice ;;; Copyright © 2017 Rutger Helling ;;; Copyright © 2018 Clément Lassieur ;;; @@ -271,6 +271,7 @@ required structures.") (define-public openssl (package (name "openssl") + (replacement openssl/fixed) (version "1.0.2p") (source (origin (method url-fetch) @@ -399,9 +400,18 @@ required structures.") (license license:openssl) (home-page "https://www.openssl.org/"))) +(define-public openssl/fixed + (hidden-package + (package + (inherit openssl) + (source (origin + (inherit (package-source openssl)) + (patches (append (origin-patches (package-source openssl)) + (search-patches "openssl-CVE-2019-1559.patch")))))))) + (define-public openssl-next (package - (inherit openssl) + (inherit openssl/fixed) (name "openssl") (version "1.1.1a") (source (origin -- cgit 1.4.1 From a215c938b387f5bbbb78f1e80d81b2e4e2c9f9e3 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Fri, 1 Mar 2019 00:09:31 +0100 Subject: gnu: openssl@1.1.1a: Don't inherit from openssl/fixed. I was a bit hasty in a92c6b1a2b5b8b69f248c732db4a11ddf130f0f1. openssl-next replaces the source, and OpenSSL 1.1.1 is invulnerable. * gnu/packages/tls.scm (openssl-next)[inherit]: Inherit from openssl once more. --- gnu/packages/tls.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 6e91a46608..17dcb407ac 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -411,7 +411,7 @@ required structures.") (define-public openssl-next (package - (inherit openssl/fixed) + (inherit openssl) (name "openssl") (version "1.1.1a") (source (origin -- cgit 1.4.1 From 2833756643674ac11bad8ffc3086988b623a4391 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Fri, 1 Mar 2019 16:41:35 +0100 Subject: gnu: OpenSSL: Update to 1.1.1b. * gnu/packages/tls.scm (openssl-next): Update to 1.1.1b. --- gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 17dcb407ac..6b131657f9 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -413,7 +413,7 @@ required structures.") (package (inherit openssl) (name "openssl") - (version "1.1.1a") + (version "1.1.1b") (source (origin (method url-fetch) (uri (list (string-append "https://www.openssl.org/source/openssl-" @@ -426,7 +426,7 @@ required structures.") (patches (search-patches "openssl-1.1-c-rehash-in.patch")) (sha256 (base32 - "0hcz7znzznbibpy3iyyhvlqrq44y88plxwdj32wjzgbwic7i687w")))) + "0jza8cmznnyiia43056dij1jdmz62dx17wsn0zxksh9h6817nmaw")))) (outputs '("out" "doc" ; 6.8 MiB of man3 pages and full HTML documentation "static")) ; 6.4 MiB of .a files -- cgit 1.4.1