chore(deps): bump openssl to 3.2.3

### Summary

- Fixed possible denial of service in X.509 name checks, CVE-2024-6119.
- Fixed possible buffer overread in SSL_select_next_proto(), CVE-2024-5535.
- Fixed potential use after free after SSL_free_buffers() is called, CVE-2024-4741.
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow, CVE-2024-4603.
- Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks.
- Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions, CVE-2024-2511.
- New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded.
- Fixed bug where SSL_export_keying_material() could not be used with QUIC connections.

Signed-off-by: Aapo Talvensaari <[email protected]>

.requirements

@@ -4,8 +4,8 @@ OPENRESTY=1.25.3.2
 OPENRESTY_SHA256=2d564022b06e33b45f7e5cfaf1e5dc571d38d61803af9fa2754dfff353c28d9c
 LUAROCKS=3.11.1
 LUAROCKS_SHA256=c3fb3d960dffb2b2fe9de7e3cb004dc4d0b34bb3d342578af84f84325c669102
-OPENSSL=3.2.1
-OPENSSL_SHA256=83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39
+OPENSSL=3.2.3
+OPENSSL_SHA256=52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239
 PCRE=10.44
 PCRE_SHA256=86b9cb0aa3bcb7994faa88018292bc704cdbb708e785f7c74352ff6ea7d3175b
 ADA=2.9.2

build/openresty/openssl/openssl_repositories.bzl

@@ -6,12 +6,6 @@ load("@kong_bindings//:variables.bzl", "KONG_VAR")
 
 def openssl_repositories():
     version = KONG_VAR["OPENSSL"]
-
-    openssl_verion_uri = version
-    if version.startswith("3"):
-        # for 3.x only use the first two digits
-        openssl_verion_uri = ".".join(version.split(".")[:2])
-
     maybe(
         http_archive,
         name = "openssl",

changelog/unreleased/kong/bump_openssl.yml

@@ -0,0 +1,2 @@
+message: "Bumped OpenSSL to 3.2.3, to fix unbounded memory growth with session handling in TLSv1.3 and other CVEs"
+type: dependency

scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt

@@ -206,7 +206,7 @@
   - lua-resty-lmdb
   - ngx_brotli
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 
@@ -218,4 +218,3 @@
   - libdl.so.2
   - libc.so.6
   - ld-linux-x86-64.so.2
-

scripts/explain_manifest/fixtures/amazonlinux-2023-amd64.txt

@@ -195,7 +195,7 @@
   - lua-resty-lmdb
   - ngx_brotli
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 

scripts/explain_manifest/fixtures/amazonlinux-2023-arm64.txt

@@ -202,7 +202,7 @@
   - lua-resty-events
   - lua-resty-lmdb
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 

scripts/explain_manifest/fixtures/debian-11-amd64.txt

@@ -196,7 +196,7 @@
   - lua-resty-lmdb
   - ngx_brotli
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 

scripts/explain_manifest/fixtures/debian-12-amd64.txt

@@ -185,7 +185,7 @@
   - lua-resty-lmdb
   - ngx_brotli
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 

scripts/explain_manifest/fixtures/el8-amd64.txt

@@ -206,7 +206,7 @@
   - lua-resty-lmdb
   - ngx_brotli
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 

scripts/explain_manifest/fixtures/el9-amd64.txt

@@ -195,7 +195,7 @@
   - lua-resty-lmdb
   - ngx_brotli
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 

scripts/explain_manifest/fixtures/el9-arm64.txt

@@ -202,7 +202,7 @@
   - lua-resty-events
   - lua-resty-lmdb
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 

scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt

@@ -200,7 +200,7 @@
   - lua-resty-lmdb
   - ngx_brotli
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 

scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt

@@ -189,7 +189,7 @@
   - lua-resty-lmdb
   - ngx_brotli
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True
 

scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt

@@ -190,7 +190,7 @@
   - lua-resty-lmdb
   - ngx_brotli
   - ngx_wasmx_module
-  OpenSSL   : OpenSSL 3.2.1 30 Jan 2024
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
   DWARF     : True
   DWARF - ngx_http_request_t related DWARF DIEs: True