This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core188 has been created
at a80d817716406d88b8c7e82397f4618d64e499a9 (commit)
- Log -----------------------------------------------------------------
commit a80d817716406d88b8c7e82397f4618d64e499a9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Sep 3 18:02:34 2024 +0000
core188: Ship OpenSSL
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 74a02d3372fe99bfa5dee8bfed6b64670d99775f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Sep 3 18:00:17 2024 +0000
openssl: Update to 3.3.2
Possible denial of service in X.509 name checks (CVE-2024-6119)
===============================================================

Severity: Moderate

Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can cause a denial of
service.

Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.

Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a "reference identifier" (expected
identity), but rather extract the presented identity after checking the
certificate chain. So TLS servers are generally not affected and the severity
of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.
OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3ce4d238d255477a240c3b1479cb34828c87fb59
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Aug 29 07:58:00 2024 +0000
.gitignore: Keep ignoring the deleted doc files
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b95199a3824170778acafbc4de86a9dccde807d2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Aug 28 15:41:55 2024 +0000
make.sh: Don't try to create a time NS on older kernels
This is not supported on kernels < 5.6.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 1c1838509c0180c331cd267a8e728497939f60ee
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Aug 28 15:28:42 2024 +0000
make.sh: Bind-mount /proc as a workaround for unshare
unshare seems to want to change the mount propagation for /proc
before it has been mounted. In order to work around that problem,
we bind-mount /proc to itself before.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3d971965256c3bd9d6c233675b6b20fc5e51f810
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Mon Aug 26 14:24:19 2024 +0200
openssl: Update to version 3.3.1
- Update from 3.3.0 to 3.3.1
- Update of rootfile not required
- This version has 2 CVE fixes both of which are classified as Low Severity so looks like
  they can wait for CU189
- Changelog
    3.3.1
      * Fixed potential use after free after SSL_free_buffers() is called.

        The SSL_free_buffers function is used to free the internal OpenSSL
        buffer used when processing an incoming record from the network.
        The call is only expected to succeed if the buffer is not currently
        in use. However, two scenarios have been identified where the buffer
        is freed even when still in use.

        The first scenario occurs where a record header has been received
        from the network and processed by OpenSSL, but the full record body
        has not yet arrived. In this case calling SSL_free_buffers will succeed
        even though a record has only been partially processed and the buffer
        is still in use.

        The second scenario occurs where a full record containing application
        data has been received and processed by OpenSSL but the application has
        only read part of this data. Again a call to SSL_free_buffers will
        succeed even though the buffer is still in use.
        ([CVE-2024-4741])

      * Fixed an issue where checking excessively long DSA keys or parameters may
        be very slow.

        Applications that use the functions EVP_PKEY_param_check() or
        EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
        experience long delays. Where the key or parameters that are being checked
        have been obtained from an untrusted source this may lead to a Denial of
        Service.

        To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
        will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
        reason.
        ([CVE-2024-4603])

      * Improved EC/DSA nonce generation routines to avoid bias and timing
        side channel leaks.

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 8e6bb176b126579f970452ee54effe3e84422e6b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Aug 27 09:39:27 2024 +0000
core-updates: Honour the excluded file list
This was not implemented when refactoring the code to compress the
updater's tarball.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit d7ee801712705c97fda658bb71209d814d1db841
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Aug 23 09:50:39 2024 +0000
make.sh: Integrate the rootfile consistency check
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 974d274ea70e6a1500536cdeace80fee0fe34c90
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Aug 23 09:33:31 2024 +0000
make.sh: Refactor the broken rootfile check
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 6fc9957e62b4f5fe9b47e9d340480b9bc33788cd
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Aug 23 15:29:36 2024 +0000
core-update: Append the release number to the meta file
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit cd2069f07f611a0d0d240d2c5efe0e955763a1f1
Merge: c842b7e1cd cc4a17f46c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Aug 23 09:22:37 2024 +0000
Merge branch 'next'
-----------------------------------------------------------------------
hooks/post-receive
--
IPFire 2.x development tree