OpenSSL 3.0.7 announcement and critical fix schedule (?)


B.C. Cotman

Oct 25, 2022, 7:26:25 PM
to us...@hardenedbsd.org
On lists and social media, this has been making its rounds:
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
"
This release will be made available on Tuesday 1st November 2022 between
1300-1700 UTC.
OpenSSL 3.0.7 is a security-fix release. The highest severity issue
fixed in this release is CRITICAL:
https://www.openssl.org/policies/general/security-policy.html
"
OpenSSL 3.0.5 can presently be found in ports ($PORTS/security/openssl-devel/)
Do you all have an expected commit/check-in/push for this in git repo
to take on new openssl-3.0.x on or after Nov 1, 2022 1300 UTC?

TIA!

Loic

Oct 26, 2022, 12:45:57 AM
to B.C. Cotman, us...@hardenedbsd.org
On Tue, 25 Oct 2022 16:26:12 -0700,
"B.C. Cotman" <b.c.c...@gmail.com> wrote:
Hi,

Bernard Spil who maintains this port is very responsive (FYI, he is a
former member of the HardenedBSD team) and should update the port as
soon as the version is released. If it takes a while, we will update
the security/openssl-devel port on our end.

-
Loic
dev team
HardenedBSD

Bernard Spil

Oct 26, 2022, 9:32:11 AM
to Loic, us...@hardenedbsd.org
I'm on top of it. Are you using OpenSSL 3.0 in HardenedBSD base???

Cheers, Bernard.

Shawn Webb

Oct 26, 2022, 10:48:12 AM
to Bernard Spil, Loic, us...@hardenedbsd.org
We follow FreeBSD, so we use OpenSSL 1.1.1 in both 14-CURRENT and
13-STABLE. So I guess this would be a matter of updating the ports
entry. We'll kick off new base binary updates and package builds once
the new OpenSSL port lands.

Thanks for maintaining the port, Bernard!

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Shawn Webb

Nov 1, 2022, 3:56:57 PM
to B.C. Cotman, us...@hardenedbsd.org
I just bumped the security/openssl-devel port to 3.0.7:

https://git.hardenedbsd.org/hardenedbsd/ports/-/commit/9775b2a77ad2d240b7f91547ab035997e338aba6

I'll kick off package builds later this evening.

Thanks,

B.C. Cotman

Nov 1, 2022, 10:39:13 PM
to us...@hardenedbsd.org
On Tue, Nov 1, 2022 at 12:56 PM Shawn Webb <shawn...@hardenedbsd.org> wrote:
>
> On Tue, Oct 25, 2022 at 04:26:12PM -0700, B.C. Cotman wrote:
> > On lists and social media, this has been making its rounds:
> > https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
> > "
> > This release will be made available on Tuesday 1st November 2022 between
> > 1300-1700 UTC.
> > OpenSSL 3.0.7 is a security-fix release. The highest severity issue
> > fixed in this release is CRITICAL:
> > https://www.openssl.org/policies/general/security-policy.html
> > "
> > OpenSSL 3.0.5 can presently be found in ports ($PORTS/security/openssl-devel/)
> > Do you all have an expected commit/check-in/push for this in git repo
> > to take on new openssl-3.0.x on or after Nov 1, 2022 1300 UTC?
>
> I just bumped the security/openssl-devel port to 3.0.7:
>
> https://git.hardenedbsd.org/hardenedbsd/ports/-/commit/9775b2a77ad2d240b7f91547ab035997e338aba6
>
> I'll kick off package builds later this evening.

Thanks!
The ports build of openssl-devel worked fine.
We found we were able to down-grade all our services that were built
against openssl-devel provided OpenSSL 3.0.5, to build against OpenSSL
1.1.1q before November 1, and reduce the urgency of switching over
immediately.
Once I saw the new OpenSSL-3.0.7 available in ports, we were able to
re-upgrade services and build them against the newer openssl-devel
3.0.7.

Thanks everyone for being so quick with getting this update from
OpenSSL included back in ports!