Skip to content

deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on) #24353

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on) #24353

wants to merge 1 commit into from

Conversation

rvagg
Copy link
Member

@rvagg rvagg commented Nov 14, 2018

The fix for CVE-2018-0734, floated in 213c7d2, failed to include a
constant-time calculation for one of the variables. This introduces
a fix for that.

Ref: openssl/openssl#7549
Upstream: openssl/openssl@26d7fce1

Original commit message:
    Add a constant time flag to one of the bignums to avoid a timing leak.

    Reviewed-by: Tim Hudson <tjh@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/7549)

    (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

This is for 1.1.0, so can go in to 11 and 10. I'll do a separate one for 1.0.2.

@nodejs/crypto

@rvagg
deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on)
497ba2a 
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a
constant-time calculation for one of the variables. This introduces
a fix for that.

Ref: openssl/openssl#7549
Upstream: openssl/openssl@26d7fce1

Original commit message:
    Add a constant time flag to one of the bignums to avoid a timing leak.

    Reviewed-by: Tim Hudson <tjh@openssl.org>
    (Merged from openssl/openssl#7549)

    (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
@nodejs-github-bot
Copy link
Collaborator

@rvagg build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1601/pipeline

@nodejs-github-bot nodejs-github-bot added the openssl Issues and PRs related to the OpenSSL dependency. label Nov 14, 2018
@rvagg rvagg mentioned this pull request Nov 14, 2018
Merged
rvagg added a commit to rvagg/io.js that referenced this pull request Nov 14, 2018
@rvagg
deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on)
8d77cc1 
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a
constant-time calculation for one of the variables. This introduces
a fix for that.

Ref: openssl/openssl#7549
Ref: nodejs#24353
Upstream: openssl/openssl@26d7fce1

Original commit message:
    Add a constant time flag to one of the bignums to avoid a timing leak.

    Reviewed-by: Tim Hudson <tjh@openssl.org>
    (Merged from openssl/openssl#7549)

    (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
@rvagg rvagg mentioned this pull request Nov 14, 2018
Closed
@BridgeAR
Copy link
Member

@rvagg adding the backport-requested labels will prevent these from being pulled into a release automatically. If they can not be backported, the releasing person will add the label to indicate that a manual backport is required.

@rvagg rvagg mentioned this pull request Nov 14, 2018
Closed
@Trott
Copy link
Member

Trott commented Nov 16, 2018

@nodejs/crypto @nodejs/security Would be great to get some reviews for this one-liner.

@Trott
Copy link
Member

Trott commented Nov 16, 2018

CI: https://ci.nodejs.org/job/node-test-pull-request/18685/

@Trott Trott added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Nov 17, 2018
@danbev
Copy link
Contributor

danbev commented Nov 17, 2018

Landed in 323a365.

@danbev danbev closed this Nov 17, 2018
danbev pushed a commit that referenced this pull request Nov 17, 2018
@rvagg @danbev
deps: float 26d7fce1 from openssl
323a365 
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a
constant-time calculation for one of the variables. This introduces
a fix for that.

Upstream: openssl/openssl@26d7fce1

Original commit message:
  Add a constant time flag to one of the bignums to avoid a timing leak.

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from openssl/openssl#7549)

  (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

PR-URL: #24353
Refs: openssl/openssl#7549
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@targos
Copy link
Member

targos commented Nov 18, 2018

@rvagg IIUC this will be part of the next OpenSSL release, so I'm adding the dont-land-on label. Please correct me if I'm wrong.

@rvagg rvagg deleted the rvagg/openssl-CVE-2018-0734-followup branch November 19, 2018 10:18
@rvagg
Copy link
Member Author

rvagg commented Nov 19, 2018

yes correct @targos, those labels are appropriate thanks

@beevelop beevelop mentioned this pull request Apr 23, 2019
Closed
This was referenced Apr 23, 2019
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@sam-github sam-github sam-github approved these changes

@danbev danbev danbev approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@rvagg @nodejs-github-bot @BridgeAR @Trott @danbev @targos @sam-github