diff --git a/.requirements b/.requirements index 48472d5efef4..d77a3eb3f125 100644 --- a/.requirements +++ b/.requirements @@ -4,8 +4,8 @@ OPENRESTY=1.25.3.2 OPENRESTY_SHA256=2d564022b06e33b45f7e5cfaf1e5dc571d38d61803af9fa2754dfff353c28d9c LUAROCKS=3.11.1 LUAROCKS_SHA256=c3fb3d960dffb2b2fe9de7e3cb004dc4d0b34bb3d342578af84f84325c669102 -OPENSSL=3.2.1 -OPENSSL_SHA256=83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39 +OPENSSL=3.2.3 +OPENSSL_SHA256=52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239 PCRE=10.44 PCRE_SHA256=86b9cb0aa3bcb7994faa88018292bc704cdbb708e785f7c74352ff6ea7d3175b ADA=2.9.2 diff --git a/build/openresty/openssl/openssl_repositories.bzl b/build/openresty/openssl/openssl_repositories.bzl index bfd818116342..a2b70d7a2c18 100644 --- a/build/openresty/openssl/openssl_repositories.bzl +++ b/build/openresty/openssl/openssl_repositories.bzl @@ -6,12 +6,6 @@ load("@kong_bindings//:variables.bzl", "KONG_VAR") def openssl_repositories(): version = KONG_VAR["OPENSSL"] - - openssl_verion_uri = version - if version.startswith("3"): - # for 3.x only use the first two digits - openssl_verion_uri = ".".join(version.split(".")[:2]) - maybe( http_archive, name = "openssl", @@ -20,6 +14,5 @@ def openssl_repositories(): strip_prefix = "openssl-" + version, urls = [ "https://github.com/openssl/openssl/releases/download/openssl-" + version + "/openssl-" + version + ".tar.gz", - "https://openssl.org/source/old/3.1/openssl-" + version + ".tar.gz", ], ) diff --git a/changelog/unreleased/kong/bump_openssl.yml b/changelog/unreleased/kong/bump_openssl.yml new file mode 100644 index 000000000000..e03dc9e74cc4 --- /dev/null +++ b/changelog/unreleased/kong/bump_openssl.yml @@ -0,0 +1,2 @@ +message: "Bumped OpenSSL to 3.2.3, to fix unbounded memory growth with session handling in TLSv1.3 and other CVEs" +type: dependency 
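Review bot: In the second hunk of `build/openresty/openssl/openssl_repositories.bzl`, `urls` is left with a single GitHub release entry, so the integrity of the fetched tarball now rests entirely on the checksum pin, and nothing in the visible lines records that. The `sha256` attribute of this `http_archive` call is not shown in either hunk, because the middle of the call falls between them. Please confirm it is still wired to the pinned value, presumably `KONG_VAR["OPENSSL_SHA256"]`, and that the new `OPENSSL_SHA256` in `.requirements` was checked against the checksum published with the upstream 3.2.3 release. A one-line comment above `urls` would document the intent, for example `# single upstream source; integrity is enforced by the OPENSSL_SHA256 pin in .requirements`. Dropping `openssl_verion_uri` and the fallback looks right, since the variable is not used in the visible lines and the fallback was hard-coded to the `old/3.1/` directory.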
diff --git a/scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt b/scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt index f75994009046..99bc1a0bf2b5 100644 --- a/scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt +++ b/scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt @@ -206,7 +206,7 @@ - lua-resty-lmdb - ngx_brotli - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True @@ -218,4 +218,3 @@ - libdl.so.2 - libc.so.6 - ld-linux-x86-64.so.2 - diff --git a/scripts/explain_manifest/fixtures/amazonlinux-2023-amd64.txt b/scripts/explain_manifest/fixtures/amazonlinux-2023-amd64.txt index 1baf5d190001..8f9eca0c2d03 100644 --- a/scripts/explain_manifest/fixtures/amazonlinux-2023-amd64.txt +++ b/scripts/explain_manifest/fixtures/amazonlinux-2023-amd64.txt @@ -195,7 +195,7 @@ - lua-resty-lmdb - ngx_brotli - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True diff --git a/scripts/explain_manifest/fixtures/amazonlinux-2023-arm64.txt b/scripts/explain_manifest/fixtures/amazonlinux-2023-arm64.txt index 807cec769697..46ca7815c3ab 100644 --- a/scripts/explain_manifest/fixtures/amazonlinux-2023-arm64.txt +++ b/scripts/explain_manifest/fixtures/amazonlinux-2023-arm64.txt @@ -202,7 +202,7 @@ - lua-resty-events - lua-resty-lmdb - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True diff --git a/scripts/explain_manifest/fixtures/debian-11-amd64.txt b/scripts/explain_manifest/fixtures/debian-11-amd64.txt index 768258ad6b1a..34dab9c2c665 100644 --- a/scripts/explain_manifest/fixtures/debian-11-amd64.txt +++ b/scripts/explain_manifest/fixtures/debian-11-amd64.txt 
@@ -196,7 +196,7 @@ - lua-resty-lmdb - ngx_brotli - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True diff --git a/scripts/explain_manifest/fixtures/debian-12-amd64.txt b/scripts/explain_manifest/fixtures/debian-12-amd64.txt index 31cb3a4d6c7e..c4ef88a045ed 100644 --- a/scripts/explain_manifest/fixtures/debian-12-amd64.txt +++ b/scripts/explain_manifest/fixtures/debian-12-amd64.txt @@ -185,7 +185,7 @@ - lua-resty-lmdb - ngx_brotli - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True diff --git a/scripts/explain_manifest/fixtures/el8-amd64.txt b/scripts/explain_manifest/fixtures/el8-amd64.txt index ec2ba1998a3e..5209a52ceee4 100644 --- a/scripts/explain_manifest/fixtures/el8-amd64.txt +++ b/scripts/explain_manifest/fixtures/el8-amd64.txt @@ -206,7 +206,7 @@ - lua-resty-lmdb - ngx_brotli - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True diff --git a/scripts/explain_manifest/fixtures/el9-amd64.txt b/scripts/explain_manifest/fixtures/el9-amd64.txt index fb837ac0c0ea..a3a1418a053e 100644 --- a/scripts/explain_manifest/fixtures/el9-amd64.txt +++ b/scripts/explain_manifest/fixtures/el9-amd64.txt @@ -195,7 +195,7 @@ - lua-resty-lmdb - ngx_brotli - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True diff --git a/scripts/explain_manifest/fixtures/el9-arm64.txt b/scripts/explain_manifest/fixtures/el9-arm64.txt index 807cec769697..46ca7815c3ab 100644 --- a/scripts/explain_manifest/fixtures/el9-arm64.txt +++ b/scripts/explain_manifest/fixtures/el9-arm64.txt 
@@ -202,7 +202,7 @@ - lua-resty-events - lua-resty-lmdb - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True diff --git a/scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt b/scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt index 361c43bb7897..190e0742d98e 100644 --- a/scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt +++ b/scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt @@ -200,7 +200,7 @@ - lua-resty-lmdb - ngx_brotli - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True diff --git a/scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt b/scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt index e0cdc94ca3b3..f76ff5dc7e85 100644 --- a/scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt +++ b/scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt @@ -189,7 +189,7 @@ - lua-resty-lmdb - ngx_brotli - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True diff --git a/scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt b/scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt index cb06affdd985..21fcb568fcdf 100644 --- a/scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt +++ b/scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt @@ -190,7 +190,7 @@ - lua-resty-lmdb - ngx_brotli - ngx_wasmx_module - OpenSSL : OpenSSL 3.2.1 30 Jan 2024 + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 DWARF : True DWARF - ngx_http_request_t related DWARF DIEs: True