Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): bump openssl to 3.2.3 #13623

Merged
merged 1 commit into from
Sep 17, 2024
Merged

chore(deps): bump openssl to 3.2.3 #13623

merged 1 commit into from
Sep 17, 2024

Conversation

bungle
Copy link
Member

@bungle bungle commented Sep 5, 2024

Summary

  • Fixed possible denial of service in X.509 name checks, CVE-2024-6119.
  • Fixed possible buffer overread in SSL_select_next_proto(), CVE-2024-5535.
  • Fixed potential use after free after SSL_free_buffers() is called, CVE-2024-4741.
  • Fixed an issue where checking excessively long DSA keys or parameters may be very slow, CVE-2024-4603.
  • Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks.
  • Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions, CVE-2024-2511.
  • New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded.
  • Fixed bug where SSL_export_keying_material() could not be used with QUIC connections.

KAG-5326

Checklist

  • The Pull Request has tests
  • A changelog file has been created under changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary. README.md
  • There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

@github-actions github-actions bot added build/bazel cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee labels Sep 5, 2024
### Summary

- Fixed possible denial of service in X.509 name checks, CVE-2024-6119.
- Fixed possible buffer overread in SSL_select_next_proto(), CVE-2024-5535.
- Fixed potential use after free after SSL_free_buffers() is called, CVE-2024-4741.
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow, CVE-2024-4603.
- Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks.
- Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions, CVE-2024-2511.
- New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded.
- Fixed bug where SSL_export_keying_material() could not be used with QUIC connections.

Signed-off-by: Aapo Talvensaari <[email protected]>
@bungle bungle force-pushed the chore/openssl-3.2.3 branch from b31c007 to 10a6f59 Compare September 5, 2024 09:32
@bungle
Copy link
Member Author

bungle commented Sep 5, 2024

The EE PR is here: https://github.com/Kong/kong-ee/pull/10193, thus no cherry-pick label is needed.

@bungle bungle removed the cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee label Sep 5, 2024
@bungle bungle merged commit f03ea81 into master Sep 17, 2024
30 checks passed
@bungle bungle deleted the chore/openssl-3.2.3 branch September 17, 2024 15:23
@kikito kikito added the cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee label Nov 4, 2024
@kikito
Copy link
Member

kikito commented Nov 4, 2024

cherrypick in https://github.com/Kong/kong-ee/pull/10193

@team-gateway-bot
Copy link
Collaborator

Cherry-pick failed for master, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git remote add upstream https://github.com/kong/kong-ee
git fetch upstream master
git worktree add -d .worktree/cherry-pick-13623-to-master-to-upstream upstream/master
cd .worktree/cherry-pick-13623-to-master-to-upstream
git checkout -b cherry-pick-13623-to-master-to-upstream
ancref=$(git merge-base 7b4f198a8b322d0d6c33767add195bfcb275f743 10a6f59be108055b23582057087d469471d0c22c)
git cherry-pick -x $ancref..10a6f59be108055b23582057087d469471d0c22c

@github-actions github-actions bot added the incomplete-cherry-pick A cherry-pick was incomplete and needs manual intervention label Nov 4, 2024
@AndyZhang0707 AndyZhang0707 removed the incomplete-cherry-pick A cherry-pick was incomplete and needs manual intervention label Nov 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build/bazel cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee size/M
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants