chore(deps): bump openssl to 3.2.3 (#13623)
### Summary

- Fixed possible denial of service in X.509 name checks, CVE-2024-6119.
- Fixed possible buffer overread in SSL_select_next_proto(), CVE-2024-5535.
- Fixed potential use after free after SSL_free_buffers() is called, CVE-2024-4741.
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow, CVE-2024-4603.
- Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks.
- Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions, CVE-2024-2511.
- New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded.
- Fixed bug where SSL_export_keying_material() could not be used with QUIC connections.

Signed-off-by: Aapo Talvensaari <[email protected]>
bungle authored Sep 17, 2024
1 parent 1c4b859 commit f03ea81
Showing 14 changed files with 15 additions and 21 deletions.
4 changes: 2 additions & 2 deletions .requirements
Expand Up @@ -4,8 +4,8 @@ OPENRESTY=1.25.3.2
OPENRESTY_SHA256=2d564022b06e33b45f7e5cfaf1e5dc571d38d61803af9fa2754dfff353c28d9c
LUAROCKS=3.11.1
LUAROCKS_SHA256=c3fb3d960dffb2b2fe9de7e3cb004dc4d0b34bb3d342578af84f84325c669102
OPENSSL=3.2.1
OPENSSL_SHA256=83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39
OPENSSL=3.2.3
OPENSSL_SHA256=52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239
PCRE=10.44
PCRE_SHA256=86b9cb0aa3bcb7994faa88018292bc704cdbb708e785f7c74352ff6ea7d3175b
ADA=2.9.2
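Review bot: the `OPENSSL_SHA256` line is the only integrity check on the fetched tarball, so the new value `52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239` should be cross-checked against the hash the OpenSSL project publishes for openssl-3.2.3.tar.gz before merge. The hunk changes version and hash together, which is the right shape: a version bump that forgot the hash would fail the fetch rather than silently build unverified code, because this file is the single source the Bazel rule reads through `KONG_VAR["OPENSSL"]`.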
7 changes: 0 additions & 7 deletions build/openresty/openssl/openssl_repositories.bzl
Expand Up @@ -6,12 +6,6 @@ load("@kong_bindings//:variables.bzl", "KONG_VAR")

def openssl_repositories():
version = KONG_VAR["OPENSSL"]

openssl_verion_uri = version
if version.startswith("3"):
# for 3.x only use the first two digits
openssl_verion_uri = ".".join(version.split(".")[:2])

maybe(
http_archive,
name = "openssl",
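Review bot: the removed `openssl_verion_uri` block (note the misspelled name) computed a major.minor string for 3.x releases, but judging by the `urls` list visible in this file's second hunk nothing in `openssl_repositories()` consumed it, so this is dead-code removal rather than a behaviour change. Say so in the commit message: a dependency bump that also deletes logic from a repository rule is easy to misread as changing where the source is fetched from.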
Expand All @@ -20,6 +14,5 @@ def openssl_repositories():
strip_prefix = "openssl-" + version,
urls = [
"https://github.com/openssl/openssl/releases/download/openssl-" + version + "/openssl-" + version + ".tar.gz",
"https://openssl.org/source/old/3.1/openssl-" + version + ".tar.gz",
],
)
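Review bot: dropping the `https://openssl.org/source/old/3.1/...` entry leaves the GitHub release asset as the sole download URL, so a GitHub outage or a retracted asset now fails the fetch outright instead of falling through to a mirror. The removed URL was hard-coded to `old/3.1` and so could never have served a 3.2.x tarball, which makes this an improvement over a broken fallback, but a correctly versioned openssl.org mirror would restore the redundancy; since the SHA256 pin in `.requirements` verifies whatever is downloaded, adding a second mirror carries no supply-chain risk.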
2 changes: 2 additions & 0 deletions changelog/unreleased/kong/bump_openssl.yml
@@ -0,0 +1,2 @@
message: "Bumped OpenSSL to 3.2.3, to fix unbounded memory growth with session handling in TLSv1.3 and other CVEs"
type: dependency
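Review bot: the changelog message names only one fix by description ("unbounded memory growth with session handling in TLSv1.3") and folds the rest into "other CVEs". The commit summary already lists the identifiers (CVE-2024-6119, CVE-2024-5535, CVE-2024-4741, CVE-2024-4603, CVE-2024-2511), so put them in `message:` as well; release notes are what people grep when triaging exposure to a specific CVE, and a vague "other CVEs" forces them back to the commit log.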
3 changes: 1 addition & 2 deletions scripts/explain_manifest/fixtures/amazonlinux-2-amd64.txt
Expand Up @@ -206,7 +206,7 @@
- lua-resty-lmdb
- ngx_brotli
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

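Review bot: `OpenSSL : OpenSSL 3.2.3 3 Sep 2024` is an exact-match fixture line, so the date must be what the built binary reports for its build, not the announcement date; if the explain_manifest check fails in CI after this bump, this string is the first thing to compare against the actual `openssl version` output. The same line is updated identically in all eleven fixture files, which matches the 14-files total (3 non-fixture files plus 11 fixtures), so no platform appears to have been missed.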
Expand All @@ -218,4 +218,3 @@
- libdl.so.2
- libc.so.6
- ld-linux-x86-64.so.2

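Review bot: the `@@ -218,4 +218,3 @@` hunk only drops the trailing blank line after `- ld-linux-x86-64.so.2` and is unrelated to the OpenSSL bump. Harmless, but if the fixture is diffed line-by-line against generated output, make sure the generator also omits the trailing newline, otherwise the next regeneration reintroduces exactly this diff; if it was an editor artefact, consider leaving the file as it was to keep the change focused.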
Expand Up @@ -179,7 +179,7 @@
- lua-resty-lmdb
- ngx_brotli
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

Expand Up @@ -203,7 +203,7 @@
- lua-resty-events
- lua-resty-lmdb
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

2 changes: 1 addition & 1 deletion scripts/explain_manifest/fixtures/debian-11-amd64.txt
Expand Up @@ -180,7 +180,7 @@
- lua-resty-lmdb
- ngx_brotli
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

2 changes: 1 addition & 1 deletion scripts/explain_manifest/fixtures/debian-12-amd64.txt
Expand Up @@ -169,7 +169,7 @@
- lua-resty-lmdb
- ngx_brotli
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

2 changes: 1 addition & 1 deletion scripts/explain_manifest/fixtures/el8-amd64.txt
Expand Up @@ -190,7 +190,7 @@
- lua-resty-lmdb
- ngx_brotli
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

2 changes: 1 addition & 1 deletion scripts/explain_manifest/fixtures/el9-amd64.txt
Expand Up @@ -179,7 +179,7 @@
- lua-resty-lmdb
- ngx_brotli
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

2 changes: 1 addition & 1 deletion scripts/explain_manifest/fixtures/el9-arm64.txt
Expand Up @@ -203,7 +203,7 @@
- lua-resty-events
- lua-resty-lmdb
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

2 changes: 1 addition & 1 deletion scripts/explain_manifest/fixtures/ubuntu-20.04-amd64.txt
Expand Up @@ -184,7 +184,7 @@
- lua-resty-lmdb
- ngx_brotli
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

2 changes: 1 addition & 1 deletion scripts/explain_manifest/fixtures/ubuntu-22.04-amd64.txt
Expand Up @@ -173,7 +173,7 @@
- lua-resty-lmdb
- ngx_brotli
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True

2 changes: 1 addition & 1 deletion scripts/explain_manifest/fixtures/ubuntu-22.04-arm64.txt
Expand Up @@ -190,7 +190,7 @@
- lua-resty-lmdb
- ngx_brotli
- ngx_wasmx_module
OpenSSL : OpenSSL 3.2.1 30 Jan 2024
OpenSSL : OpenSSL 3.2.3 3 Sep 2024
DWARF : True
DWARF - ngx_http_request_t related DWARF DIEs: True


1 comment on commit f03ea81

@github-actions
Contributor


Bazel Build

Docker image available kong/kong:f03ea81c8912856534278a6852d0c9924a325a56
Artifacts available https://github.com/Kong/kong/actions/runs/10906130644
