All of lore.kernel.org
 help / color / mirror / Atom feed
From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Cc: Matt Weber <matthew.weber@collins.com>
Subject: [Buildroot] [PATCH] package/libopenssl: security bump to version 1.1.1o
Date: Wed,  4 May 2022 10:08:46 +0200	[thread overview]
Message-ID: <20220504080847.3209785-1-peter@korsgaard.com> (raw)

Fixes the following security issues:

- The c_rehash script allows command injection (CVE-2022-1292)

The c_rehash script does not properly sanitise shell metacharacters to
prevent command injection.  This script is distributed by some operating
systems in a manner where it is automatically executed.  On such operating
systems, an attacker could execute arbitrary commands with the privileges of
the script.

Use of the c_rehash script is considered obsolete and should be replaced by
the OpenSSL rehash command line tool.

https://www.openssl.org/news/secadv/20220503.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libopenssl/libopenssl.hash | 4 ++--
 package/libopenssl/libopenssl.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index 22bb365bcc..ec5fd0fe84 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@
-# From https://www.openssl.org/source/openssl-1.1.1n.tar.gz.sha256
-sha256  40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a  openssl-1.1.1n.tar.gz
+# From https://www.openssl.org/source/openssl-1.1.1o.tar.gz.sha256
+sha256  9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f  openssl-1.1.1o.tar.gz
 
 # License files
 sha256  c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c  LICENSE
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index ae6658ed40..0c039dc7d6 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBOPENSSL_VERSION = 1.1.1n
+LIBOPENSSL_VERSION = 1.1.1o
 LIBOPENSSL_SITE = https://www.openssl.org/source
 LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
 LIBOPENSSL_LICENSE = OpenSSL or SSLeay
-- 
2.30.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

             reply	other threads:[~2022-05-04  8:08 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-04  8:08 Peter Korsgaard [this message]
2022-05-04 19:47 ` [Buildroot] [PATCH] package/libopenssl: security bump to version 1.1.1o Arnout Vandecappelle
2022-05-28  8:40 ` Peter Korsgaard

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220504080847.3209785-1-peter@korsgaard.com \
    --to=peter@korsgaard.com \
    --cc=buildroot@buildroot.org \
    --cc=matthew.weber@collins.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.