
upgrade to OpenSSL 1.0.2p #1752

Merged 1 commit on Aug 21, 2018

Conversation

robbkidd
Contributor

Updating omnibus-software will pull in the new OpenSSL default version of 1.0.2p which addresses two CVEs.

Both of these CVEs are categorized as Low by the OpenSSL project. Neither is particularly present in Supermarket's business processes. Updating to this version will quiet vulnerability scanners.

This will pull in the new OpenSSL default version of 1.0.2p which
addresses two CVEs.

* Client DoS due to large DH parameter (CVE-2018-0732)
* Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)

Both of these CVEs are categorized as Low by the OpenSSL project.
Neither is particularly present in Supermarket's business processes.
Updating to this version will quiet vulnerability scanners.

Signed-off-by: Robb Kidd <rkidd@chef.io>
@robbkidd robbkidd requested a review from a team August 21, 2018 18:15
@robbkidd
Contributor Author

Manifest entry from an ad-hoc build of this branch:

```json
"openssl": {
    "locked_version": "1.0.2p",
    "locked_source": {
        "url": "https://www.openssl.org/source/openssl-1.0.2p.tar.gz",
        "extract": "lax_tar",
        "sha256": "50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00"
    },
    "source_type": "url",
    "described_version": "1.0.2p",
    "license": "OpenSSL"
},
```

👍
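A check of the kind a reviewer would run over this manifest entry, added here as an example and not part of the PR or of omnibus: it parses OpenSSL's letter-suffixed version strings (where plain string comparison misorders `1.0.2` against `1.0.2a`) and confirms the pinned version is at or past the first release carrying the fixes for the two CVEs named above. The fix releases (1.0.2p on the 1.0.2 branch, 1.1.0i on the 1.1.0 branch) come from the OpenSSL advisories; the manifest dict is a constructed copy of the entry quoted above.

```python
import json
import re

# Constructed copy of the manifest entry quoted in the PR comment above.
MANIFEST_ENTRY = json.loads("""{"openssl": {
    "locked_version": "1.0.2p",
    "locked_source": {
        "url": "https://www.openssl.org/source/openssl-1.0.2p.tar.gz",
        "extract": "lax_tar",
        "sha256": "50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00"},
    "source_type": "url",
    "described_version": "1.0.2p",
    "license": "OpenSSL"}}""")

# First release on each branch carrying the fixes for CVE-2018-0732 and
# CVE-2018-0737, per the OpenSSL security advisories.
FIXED_IN = {(1, 0, 2): "1.0.2p", (1, 1, 0): "1.1.0i"}
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_version(ver):
    """Sortable tuple for an OpenSSL 1.x version: 1.0.2 < 1.0.2a < 1.0.2p."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % ver)
    major, minor, fix, letters = m.groups()
    rank = 0
    for ch in letters:  # 'a' -> 1 ... 'z' -> 26; 'za' sorts after 'z'
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), rank)

def check_entry(entry):
    """Return a list of findings for the manifest's openssl entry (empty = OK)."""
    ssl = entry["openssl"]
    locked = ssl["locked_version"]
    findings = []
    if locked != ssl["described_version"]:
        findings.append("locked_version and described_version disagree")
    if not ssl["locked_source"]["url"].endswith("openssl-%s.tar.gz" % locked):
        findings.append("source URL does not name locked_version")
    branch = parse_version(locked)[:3]
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        findings.append("no known fix release for branch %d.%d.%d" % branch)
    elif parse_version(locked) < parse_version(fixed):
        findings.append("%s predates %s: CVE-2018-0732/0737 unfixed" % (locked, fixed))
    return findings
```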

Contributor

@tyler-ball tyler-ball left a comment


Contributor

@pwelch pwelch left a comment


LGTM 👍

@robbkidd robbkidd merged commit c9e2f04 into master Aug 21, 2018
@robbkidd robbkidd deleted the robb/update-omnibus-for-new-openssl branch August 21, 2018 19:08