This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core188 has been created at a80d817716406d88b8c7e82397f4618d64e499a9 (commit)
- Log ----------------------------------------------------------------- commit a80d817716406d88b8c7e82397f4618d64e499a9 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 3 18:02:34 2024 +0000
core188: Ship OpenSSL
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 74a02d3372fe99bfa5dee8bfed6b64670d99775f Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 3 18:00:17 2024 +0000
openssl: Update to 3.3.2
Possible denial of service in X.509 name checks (CVE-2024-6119) ===============================================================
Severity: Moderate
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.
Impact summary: Abnormal termination of an application can a cause a denial of service.
Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.
Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.
TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a "reference identifier" (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.
OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3ce4d238d255477a240c3b1479cb34828c87fb59 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Aug 29 07:58:00 2024 +0000
.gitignore: Keep ignoring the deleted doc files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b95199a3824170778acafbc4de86a9dccde807d2 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 28 15:41:55 2024 +0000
make.sh: Don't try to create a time NS on older kernels
This is not supported on kernels < 5.6.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1c1838509c0180c331cd267a8e728497939f60ee Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 28 15:28:42 2024 +0000
make.sh: Bind-mount /proc as a workaround for unshare
unshare seems to want to change the mount propagation for /proc before it has been mounted. In order to workaround that problem, we bind-mount /proc to itself before.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3d971965256c3bd9d6c233675b6b20fc5e51f810 Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Aug 26 14:24:19 2024 +0200
openssl: Update to version 3.3.1
- Update from 3.3.0 to 3.3.1 - Update of rootfile not required - This version has 2 CVE fixes both of which are classified as Low Severity so looks like they can wait for CU189 - Changelog 3.3.1 * Fixed potential use after free after SSL_free_buffers() is called. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. ([CVE-2024-4741]) * Fixed an issue where checking excessively long DSA keys or parameters may be very slow. Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error reason. ([CVE-2024-4603]) * Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8e6bb176b126579f970452ee54effe3e84422e6b Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Aug 27 09:39:27 2024 +0000
core-updates: Honour the excluded file list
This was not implement when refactoring the code to compress the updater's tarball.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d7ee801712705c97fda658bb71209d814d1db841 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Aug 23 09:50:39 2024 +0000
make.sh: Integrate the rootfile consistency check
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 974d274ea70e6a1500536cdeace80fee0fe34c90 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Aug 23 09:33:31 2024 +0000
make.sh: Refactor the broken rootfile check
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6fc9957e62b4f5fe9b47e9d340480b9bc33788cd Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Aug 23 15:29:36 2024 +0000
core-update: Append the release number to the meta file
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cd2069f07f611a0d0d240d2c5efe0e955763a1f1 Merge: c842b7e1cd cc4a17f46c Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Aug 23 09:22:37 2024 +0000
Merge branch 'next'
-----------------------------------------------------------------------
hooks/post-receive -- IPFire 2.x development tree