From f03ea81c8912856534278a6852d0c9924a325a56 Mon Sep 17 00:00:00 2001 From: Aapo Talvensaari Date: Tue, 17 Sep 2024 18:23:04 +0300 Subject: [PATCH] chore(deps): bump openssl to 3.2.3 (#13623) ### Summary - Fixed possible denial of service in X.509 name checks, CVE-2024-6119. - Fixed possible buffer overread in SSL_select_next_proto(), CVE-2024-5535. - Fixed potential use after free after SSL_free_buffers() is called, CVE-2024-4741. - Fixed an issue where checking excessively long DSA keys or parameters may be very slow, CVE-2024-4603. - Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks. - Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions, CVE-2024-2511. - New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded. - Fixed bug where SSL_export_keying_material() could not be used with QUIC connections. Signed-off-by: Aapo Talvensaari --- .requirements | 4 ++-- build/openresty/openssl/openssl_repositories.bzl | 7 ------- changelog/unreleased/kong/bump_openssl.yml | 2 ++ scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt | 3 +-- .../explain_manifest/fixtures/amazonlinux-2023-amd64.txt | 2 +- .../explain_manifest/fixtures/amazonlinux-2023-arm64.txt | 2 +- scripts/explain_manifest/fixtures/debian-11-amd64.txt | 2 +- scripts/explain_manifest/fixtures/debian-12-amd64.txt | 2 +- scripts/explain_manifest/fixtures/el8-amd64.txt | 2 +- scripts/explain_manifest/fixtures/el9-amd64.txt | 2 +- scripts/explain_manifest/fixtures/el9-arm64.txt | 2 +- scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt | 2 +- scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt | 2 +- scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt | 2 +- 14 files changed, 15 insertions(+), 21 deletions(-) create mode 100644 changelog/unreleased/kong/bump_openssl.yml 
diff --git a/.requirements b/.requirements
index 48472d5efef4..d77a3eb3f125 100644
--- a/.requirements
+++ b/.requirements
@@ -4,8 +4,8 @@ OPENRESTY=1.25.3.2
 OPENRESTY_SHA256=2d564022b06e33b45f7e5cfaf1e5dc571d38d61803af9fa2754dfff353c28d9c
 LUAROCKS=3.11.1
 LUAROCKS_SHA256=c3fb3d960dffb2b2fe9de7e3cb004dc4d0b34bb3d342578af84f84325c669102
-OPENSSL=3.2.1
-OPENSSL_SHA256=83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39
+OPENSSL=3.2.3
+OPENSSL_SHA256=52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239
 PCRE=10.44
 PCRE_SHA256=86b9cb0aa3bcb7994faa88018292bc704cdbb708e785f7c74352ff6ea7d3175b
 ADA=2.9.2
diff --git a/build/openresty/openssl/openssl_repositories.bzl b/build/openresty/openssl/openssl_repositories.bzl
index bfd818116342..a2b70d7a2c18 100644
--- a/build/openresty/openssl/openssl_repositories.bzl
+++ b/build/openresty/openssl/openssl_repositories.bzl
@@ -6,12 +6,6 @@ load("@kong_bindings//:variables.bzl", "KONG_VAR")
 def openssl_repositories():
     version = KONG_VAR["OPENSSL"]
-
-    openssl_verion_uri = version
-    if version.startswith("3"):
-        # for 3.x only use the first two digits
-        openssl_verion_uri = ".".join(version.split(".")[:2])
-
     maybe(
         http_archive,
         name = "openssl",
@@ -20,6 +14,5 @@ def openssl_repositories():
         strip_prefix = "openssl-" + version,
         urls = [
             "https://github.com/openssl/openssl/releases/download/openssl-" + version + "/openssl-" + version + ".tar.gz",
-            "https://openssl.org/source/old/3.1/openssl-" + version + ".tar.gz",
         ],
     )
diff --git a/changelog/unreleased/kong/bump_openssl.yml b/changelog/unreleased/kong/bump_openssl.yml
new file mode 100644
index 000000000000..e03dc9e74cc4
--- /dev/null
+++ b/changelog/unreleased/kong/bump_openssl.yml
@@ -0,0 +1,2 @@
+message: "Bumped OpenSSL to 3.2.3, to fix unbounded memory growth with session handling in TLSv1.3 and other CVEs"
+type: dependency
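Review bot: After the second hunk of openssl_repositories.bzl drops the `old/3.1` mirror, `urls` holds a single download source, so any outage of the GitHub releases host fails the fetch outright instead of falling through; nothing working is lost, though, because the removed URL pointed at the `source/old/3.1/` tree and could never have served a 3.2.x tarball. Integrity of that single source appears to rest entirely on the sha256 pin that `.requirements` bumps alongside the version (presumably fed to the `sha256 =` argument in the lines the hunk omits), and that assumption deserves to be written down next to the list, e.g. `# single upstream source; integrity is enforced by OPENSSL_SHA256 from .requirements, not by trusting the host`. If a second source is wanted for availability, it should be a URL that actually serves 3.2.x releases rather than a reinstated `old/3.1` path. The `maybe(http_archive, ...)` call this hunk edits begins outside the hunk, and the `openssl_verion_uri` value deleted in the first hunk was not referenced by any remaining line, so that deletion looks safe.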
diff --git a/scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt b/scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt
index b22d4daf4ec4..49cfc216ee77 100644
--- a/scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt
+++ b/scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt
@@ -206,7 +206,7 @@
 - lua-resty-lmdb
 - ngx_brotli
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
@@ -218,4 +218,3 @@
 - libdl.so.2
 - libc.so.6
 - ld-linux-x86-64.so.2
-
diff --git a/scripts/explain_manifest/fixtures/amazonlinux-2023-amd64.txt b/scripts/explain_manifest/fixtures/amazonlinux-2023-amd64.txt
index 08757b89f8eb..deae6a849335 100644
--- a/scripts/explain_manifest/fixtures/amazonlinux-2023-amd64.txt
+++ b/scripts/explain_manifest/fixtures/amazonlinux-2023-amd64.txt
@@ -179,7 +179,7 @@
 - lua-resty-lmdb
 - ngx_brotli
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
diff --git a/scripts/explain_manifest/fixtures/amazonlinux-2023-arm64.txt b/scripts/explain_manifest/fixtures/amazonlinux-2023-arm64.txt
index 1a499b6cda55..e4a40200bd12 100644
--- a/scripts/explain_manifest/fixtures/amazonlinux-2023-arm64.txt
+++ b/scripts/explain_manifest/fixtures/amazonlinux-2023-arm64.txt
@@ -203,7 +203,7 @@
 - lua-resty-events
 - lua-resty-lmdb
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
diff --git a/scripts/explain_manifest/fixtures/debian-11-amd64.txt b/scripts/explain_manifest/fixtures/debian-11-amd64.txt
index 362fecb88649..fc773affedbf 100644
--- a/scripts/explain_manifest/fixtures/debian-11-amd64.txt
+++ b/scripts/explain_manifest/fixtures/debian-11-amd64.txt
@@ -180,7 +180,7 @@
 - lua-resty-lmdb
 - ngx_brotli
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
diff --git a/scripts/explain_manifest/fixtures/debian-12-amd64.txt b/scripts/explain_manifest/fixtures/debian-12-amd64.txt
index 2f5088b72877..13ef48481973 100644
--- a/scripts/explain_manifest/fixtures/debian-12-amd64.txt
+++ b/scripts/explain_manifest/fixtures/debian-12-amd64.txt
@@ -169,7 +169,7 @@
 - lua-resty-lmdb
 - ngx_brotli
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
diff --git a/scripts/explain_manifest/fixtures/el8-amd64.txt b/scripts/explain_manifest/fixtures/el8-amd64.txt
index 5f4d543386d8..bce086c65f0b 100644
--- a/scripts/explain_manifest/fixtures/el8-amd64.txt
+++ b/scripts/explain_manifest/fixtures/el8-amd64.txt
@@ -190,7 +190,7 @@
 - lua-resty-lmdb
 - ngx_brotli
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
diff --git a/scripts/explain_manifest/fixtures/el9-amd64.txt b/scripts/explain_manifest/fixtures/el9-amd64.txt
index becd10e6db5c..15e85a6938b3 100644
--- a/scripts/explain_manifest/fixtures/el9-amd64.txt
+++ b/scripts/explain_manifest/fixtures/el9-amd64.txt
@@ -179,7 +179,7 @@
 - lua-resty-lmdb
 - ngx_brotli
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
diff --git a/scripts/explain_manifest/fixtures/el9-arm64.txt b/scripts/explain_manifest/fixtures/el9-arm64.txt
index 1a499b6cda55..e4a40200bd12 100644
--- a/scripts/explain_manifest/fixtures/el9-arm64.txt
+++ b/scripts/explain_manifest/fixtures/el9-arm64.txt
@@ -203,7 +203,7 @@
 - lua-resty-events
 - lua-resty-lmdb
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
diff --git a/scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt b/scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt
index c882ce0f7138..ced909d9fcb8 100644
--- a/scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt
+++ b/scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt
@@ -184,7 +184,7 @@
 - lua-resty-lmdb
 - ngx_brotli
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
diff --git a/scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt b/scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt
index 389745386cd6..019ec5337c1b 100644
--- a/scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt
+++ b/scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt
@@ -173,7 +173,7 @@
 - lua-resty-lmdb
 - ngx_brotli
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True
diff --git a/scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt b/scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt
index 6b1664c89895..dc470c5cdab8 100644
--- a/scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt
+++ b/scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt
@@ -190,7 +190,7 @@
 - lua-resty-lmdb
 - ngx_brotli
 - ngx_wasmx_module
-OpenSSL : OpenSSL 3.2.1 30 Jan 2024
+OpenSSL : OpenSSL 3.2.3 3 Sep 2024
 DWARF : True
 DWARF - ngx_http_request_t related DWARF DIEs: True