Skip to content

deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on)#24353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rvagg wants to merge 1 commit into from
Closed

deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on) #24353

rvagg wants to merge 1 commit into from

Conversation

@rvagg
Copy link
Member

@rvaggrvagg commented Nov 14, 2018

The fix for CVE-2018-0734, floated in 213c7d2, failed to include a
constant-time calculation for one of the variables. This introduces
a fix for that.

Ref: openssl/openssl#7549
Upstream: openssl/openssl@26d7fce1

Original commit message: Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson <[email protected]> (Merged from https://github.com/openssl/openssl/pull/7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

This is for 1.1.0, so can go in to 11 and 10. I'll do a separate one for 1.0.2.

@nodejs/crypto

@rvagg
deps: float 26d7fce1 from openssl (CVE-2018-0734follow-on)
497ba2a
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a constant-time calculation for one of the variables. This introduces a fix for that. Ref: openssl/openssl#7549 Upstream: openssl/openssl@26d7fce1 Original commit message: Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson <[email protected]> (Merged from openssl/openssl#7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Nov 14, 2018

@rvagg build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1601/pipeline

@nodejs-github-botnodejs-github-bot added the openssl Issues and PRs related to the OpenSSL dependency. label Nov 14, 2018
@rvaggrvagg mentioned this pull request Nov 14, 2018
Merged
rvagg added a commit to rvagg/io.js that referenced this pull request Nov 14, 2018
@rvagg
deps: float 26d7fce1 from openssl (CVE-2018-0734follow-on)
8d77cc1
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a constant-time calculation for one of the variables. This introduces a fix for that. Ref: openssl/openssl#7549 Ref: nodejs#24353 Upstream: openssl/openssl@26d7fce1 Original commit message: Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson <[email protected]> (Merged from openssl/openssl#7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
@rvaggrvagg mentioned this pull request Nov 14, 2018
Closed
@BridgeAR
Copy link
Member

BridgeAR commented Nov 14, 2018

@rvagg adding the backport-requested labels will prevent these from being pulled into a release automatically. If they can not be backported, the releasing person will add the label to indicate that a manual backport is required.

@rvaggrvagg mentioned this pull request Nov 14, 2018
Closed
@Trott
Copy link
Member

Trott commented Nov 16, 2018

@nodejs/crypto @nodejs/security Would be great to get some reviews for this one-liner.

@Trott
Copy link
Member

Trott commented Nov 16, 2018

CI: https://ci.nodejs.org/job/node-test-pull-request/18685/

@TrottTrott added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Nov 17, 2018
@danbev
Copy link
Contributor

danbev commented Nov 17, 2018

Landed in 323a365.

@danbevdanbev closed this Nov 17, 2018
danbev pushed a commit that referenced this pull request Nov 17, 2018
@rvagg@danbev
deps: float 26d7fce1 from openssl
323a365
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a constant-time calculation for one of the variables. This introduces a fix for that. Upstream: openssl/openssl@26d7fce1 Original commit message: Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson <[email protected]> (Merged from openssl/openssl#7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) PR-URL: #24353 Refs: openssl/openssl#7549 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Daniel Bevenius <[email protected]>
@targos
Copy link
Member

targos commented Nov 18, 2018

@rvagg IIUC this will be part of the next OpenSSL release, so I'm adding the dont-land-on label. Please correct me if I'm wrong.

@rvaggrvagg deleted the rvagg/openssl-CVE-2018-0734-followup branch November 19, 2018 10:18
@rvagg
Copy link
MemberAuthor

rvagg commented Nov 19, 2018

yes correct @targos, those labels are appropriate thanks

@beevelopbeevelop mentioned this pull request Apr 23, 2019
Closed
This was referenced Apr 23, 2019
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@sam-githubsam-githubsam-github approved these changes

@danbevdanbevdanbev approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

author readyPRs that have at least one approval, no pending requests for changes, and a CI started.opensslIssues and PRs related to the OpenSSL dependency.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@rvagg@nodejs-github-bot@BridgeAR@Trott@danbev@targos@sam-github