Update Tor, zlib, OpenSSL and GnuPG #85

Merged
merged 18 commits into from
Apr 12, 2022

Conversation

fmarier
Member

@fmarier fmarier commented Apr 7, 2022

Fixes #82.

@fmarier fmarier requested a review from diracdeltas April 7, 2022 22:49
@fmarier fmarier self-assigned this Apr 7, 2022
@fmarier fmarier force-pushed the update-all-the-things-82 branch from cf2b250 to e06d128 Compare April 7, 2022 22:50
fmarier added 2 commits April 7, 2022 15:54
Verified on a Linux machine using:

```
$ curl --tlsv1.2 --proto '=https' -fsSL https://gnupg.org/signature_key.asc | gpg --import
gpg: key BCEF7E294B092E28: 1 signature not checked due to a missing key
gpg: key BCEF7E294B092E28: public key "Andre Heinecke (Release Signing Key)" imported
gpg: key 528897B826403ADA: 4 signatures not checked due to missing keys
gpg: key 528897B826403ADA: public key "Werner Koch (dist signing 2020)" imported
gpg: key E98E9B2D19C6C8BD: 2 signatures not checked due to missing keys
gpg: key E98E9B2D19C6C8BD: public key "Niibe Yutaka (GnuPG Release Key)" imported
gpg: key 549E695E905BA208: 1 signature not checked due to a missing key
gpg: key 549E695E905BA208: public key "GnuPG.com (Release Signing Key 2021)" imported
gpg: Total number processed: 4
gpg:               imported: 4
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-01-14

$ gpg --verify gnupg-2.3.4.tar.bz2.sig gnupg-2.3.4.tar.bz2
gpg: Signature made Mon 20 Dec 2021 01:52:45 PM PST
gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6DAA 6E64 A76D 2840 571B  4902 5288 97B8 2640 3ADA
gpg: Signature made Mon 20 Dec 2021 10:20:39 PM PST
gpg:                using EDDSA key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
gpg: Good signature from "Niibe Yutaka (GnuPG Release Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AC8E 115B F73E 2D8D 47FA  9908 E98E 9B2D 19C6 C8BD
```

https://www.gnupg.org/download/integrity_check.html
https://www.gnupg.org/signature_key.html

We disable them explicitly on Mac and we don't actually download the
necessary libraries on Linux.
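
The `gpg --verify` run in the commit message above reports good signatures but also warns that the keys are not certified, so the result depends on which keys happen to be in the keyring. As an added example (not part of this PR or the project's build scripts), one way to make the check scriptable is to pin the two primary key fingerprints shown in that output and parse `gpg --status-fd` lines; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR: enforce pinned signer fingerprints on
# `gpg --status-fd 1 --verify` output instead of trusting "Good signature".
# Intended use: gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null | check_pinned_sigs

# Primary key fingerprints copied from the gpg --verify output on this page.
PINNED_FPRS="6DAA6E64A76D2840571B4902528897B826403ADA
AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD"

# Reads gpg status lines on stdin. Returns 0 only if at least one VALIDSIG
# names a pinned primary key and no signature is bad, unverifiable, or made
# by an expired or revoked key.
check_pinned_sigs() {
    pinned_ok=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # The last VALIDSIG field is the primary key fingerprint.
                primary=${line##* }
                for fpr in $PINNED_FPRS; do
                    if [ "$primary" = "$fpr" ]; then pinned_ok=1; fi
                done ;;
        esac
    done
    [ "$pinned_ok" -eq 1 ]
}

# Constructed status lines (timestamps and field values are illustrative).
sample_pinned() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 528897B826403ADA Werner Koch (dist signing 2020)
[GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2021-12-20 1640037165 0 4 0 22 10 00 6DAA6E64A76D2840571B4902528897B826403ADA
EOF
}

# Same shape, but signed by a placeholder key that is not pinned.
sample_unpinned() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0000000000000000 Constructed Key
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2021-12-20 1640037165 0 4 0 22 10 00 0000000000000000000000000000000000000000
EOF
}
```

A signature that verifies against an unpinned key fails this check even though `gpg --verify` would print "Good signature" for it.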
@fmarier fmarier force-pushed the update-all-the-things-82 branch from e06d128 to 7ebaffb Compare April 7, 2022 22:54
@fmarier fmarier force-pushed the update-all-the-things-82 branch 2 times, most recently from 20bf429 to d28e20e Compare April 8, 2022 23:26
This also merges in the changes made to the Linux builds:

- enforcement of strong TLS parameters (limited by the Mac support)
- update Tor URLs to avoid redirects
- update the Tor daemon signature workflow
@fmarier fmarier force-pushed the update-all-the-things-82 branch from d28e20e to 4f2ad77 Compare April 8, 2022 23:50
@fmarier
Member Author

fmarier commented Apr 9, 2022

The Linux builds sometimes fail to complete within the allowed time due to the libevent test suite taking so long. I started a Slack thread about bumping the timeout value.

The Mac build is flaky because sometimes the libevent tests fail:

```
17:56:41   regress_debug: [Lost connection!]
17:56:41    [simplesignal FAILED]
17:56:41  [Lost connection!]
17:56:41    [multiplesignal FAILED]
17:58:07  OKAY
17:58:07  PASS: test_runner_select
17:58:07  2/345 TESTS FAILED. (45 skipped)
17:58:07  FAILED
17:58:07  make[3]: *** [test_runner_kqueue] Error 1
17:58:07  make[3]: *** Waiting for unfinished jobs....
17:58:07  OKAY
17:58:07  make[2]: *** [check-TESTS] Error 2
17:58:07  make[1]: *** [check-am] Error 2
```

I think we'll need to disable these tests like what PJ did in the past, though that's pretty high maintenance and maybe we should just disable the tests entirely on Mac?

@fmarier fmarier force-pushed the update-all-the-things-82 branch from 731e725 to a6d3775 Compare April 12, 2022 00:44
@fmarier fmarier force-pushed the update-all-the-things-82 branch from a6d3775 to 4147598 Compare April 12, 2022 01:51
@fmarier
Member Author

fmarier commented Apr 12, 2022

@diracdeltas This is ready to be reviewed. Builds are passing on all platforms.

Member

@diracdeltas diracdeltas left a comment

lgtm!

@fmarier fmarier merged commit 4edfc73 into master Apr 12, 2022
@fmarier fmarier deleted the update-all-the-things-82 branch April 12, 2022 18:17
Successfully merging this pull request may close these issues.

update to zlib, openssl, tor
2 participants