
v1.18: chore: bump openssl to 0.10.66 (backport of #2228) #2234

Closed

Conversation

mergify[bot] commented Jul 22, 2024

Problem

https://rustsec.org/advisories/RUSTSEC-2024-0357.html

Crate:     openssl
Version:   0.10.64
Title:     `MemBio::get_buf` has undefined behavior with empty buffers
Date:      2024-07-21
ID:        RUSTSEC-2024-0357
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0357
Solution:  Upgrade to >=0.10.66
Dependency tree:
openssl 0.10.64

This is an automatic backport of pull request #2228 done by [Mergify](https://mergify.com).

(cherry picked from commit 02918b8)

# Conflicts:
#	Cargo.lock
#	programs/sbf/Cargo.lock
@mergify mergify bot requested a review from a team as a code owner July 22, 2024 12:14
@mergify mergify bot added the conflicts label Jul 22, 2024
@mergify mergify bot assigned yihau Jul 22, 2024
mergify bot (Author) commented Jul 22, 2024

Cherry-pick of 02918b8 has failed:

On branch mergify/bp/v1.18/pr-2228
Your branch is up to date with 'origin/v1.18'.

You are currently cherry-picking commit 02918b89f6.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   Cargo.lock
	both modified:   programs/sbf/Cargo.lock

no changes added to commit (use "git add" and/or "git commit -a")

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@yihau yihau removed the conflicts label Jul 22, 2024
@willhickey commented:

If we're going to bump this in v1.18 I'm inclined to soak it for a week in v2.0 on testnet first. Given that v1.18.19 is very similar to v1.18.18 we can skip v1.18.19 and leave mainnet-beta on v1.18.18 this week.

@t-nelson commented:

the delta between openssl in v1.18 (0.10.63) and the patched openssl is 87 commits. meanwhile the effective part of the patch for this security advisory is six lines

@CriesofCarrots commented:

> the delta between openssl in v1.18 (0.10.63) and the patched openssl is 87 commits. meanwhile the effective part of the patch for this security advisory is six lines

@t-nelson, are you trying to make a particular argument here, or just sharing data?
Will already compiled this data and the response options on discord: https://discord.com/channels/428295358100013066/910937142182682656/1264781703977762838
If you have opinions, it would be great if you chimed in there.

@willhickey commented:

If we decide to vendor and patch I've got a fork with a suitable branch ready:
https://github.com/anza-xyz/rust-openssl/tree/v0.10.63_with_RUSTSEC-2024-0357_patch

@yihau (Member) commented Jul 24, 2024

looks like we decided to suppress the openssl advisory => #2263

@yihau yihau closed this Jul 24, 2024
@yihau yihau deleted the mergify/bp/v1.18/pr-2228 branch July 24, 2024 05:50