Skip to content

deps: float b18162a7c from openssl (CVE-2018-5407) (8.x and 6.x only)#24352

Closed
rvagg wants to merge 4 commits intonodejs:v8.x-stagingfrom
rvagg:rvagg/openssl-CVE-2018-5407
Closed

deps: float b18162a7c from openssl (CVE-2018-5407) (8.x and 6.x only)#24352
rvagg wants to merge 4 commits intonodejs:v8.x-stagingfrom
rvagg:rvagg/openssl-CVE-2018-5407

Conversation

@rvagg
Copy link
Member

@rvagg rvagg commented Nov 14, 2018

Low severity timing vulnerability in ECC calculations impacting ECDSA and ECDH. This was fixed already in 1.1.0i which we already have but there was a long delay in getting it back in to 1.0.1. They are not releasing a new 1.0.1 specifically for this and I'd expect there to be a delay on a new version because of a shift in development focus.

So this should go into 8.x and 6.x when we do them next.

@nodejs/release @nodejs/crypto

Ref: https://www.openssl.org/news/secadv/20181112.txt

Vasili Skurydzin and others added 4 commits November 12, 2018 15:21
@BethGriggs
deps: cherry-pick 6bc4bfe from V8 upstream
dcf3fcc 
Only changes to src/base/debug/stack_trace_posix.cc included.

Original commit message:
    Fixes to V8 GN build process on aix platform

    src/base/debug/stack_trace_posix.cc: suppressed unused function
    warnings for functions DemangleSymbols, OutputPointer(in order to
    compile with -Werror flag)

    test/cctest/test-isolate-independent-builtins.cc: corrections to
    make ByteInText test case compatible with aix. (affects aix only)

    Change-Id: I49e45e63545404c77aaed3f51b26557f6f03455e
    Reviewed-on: https://chromium-review.googlesource.com/927484
    Reviewed-by: Jakob Gruber <jgruber@chromium.org>
    Reviewed-by: Michael Achenbach <machenbach@chromium.org>
    Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    Cr-Commit-Position: refs/heads/master@{nodejs#52071}

PR-URL: nodejs#23958
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
@BethGriggs
deps: cherry-pick d2e0166 from V8 upstream
a2c76b3 
    Original commit message:

    ppc64, aix: Pass CallFrequency object by const reference to avoid
    value copy error.

    Bug: v8:8193
    GCC bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61976

    Change-Id: I0d4efca4da03ef82651325e15ddf2160022bc8de
    Reviewed-on: https://chromium-review.googlesource.com/1228633
    Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
    Reviewed-by: Daniel Clifford <danno@chromium.org>
    Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
    Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
    Cr-Commit-Position: refs/heads/master@{nodejs#56275}

PR-URL: nodejs#23958
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
@BethGriggs
deps,v8: fix gyp build on Aix platform
e083cc1 
Floating this patch since the code does not exist upstream anymore.

deps/v8/testing/gtest.gyp:
Suppress -Wnonnull-compare, -Waddress warnings for
deps/v8/testing/gtest project;

deps/v8/src/compiler/store-store-elimination.cc,
deps/v8/src/conversions.cc:
Suppress unused function warnings in order to compile with newer
(>4.8.5) gcc on Aix.

PR-URL: nodejs#23958
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
@rvagg
deps: float b18162a7c from openssl (CVE-2018-5407)
4b7f9bb 
Low severity timing vulnerability in ECC calculations impacting
ECDSA and ECDH.

Publicly disclosed but unreleased, pending OpenSSL 1.0.1q

Ref: https://www.openssl.org/news/secadv/20181112.txt
Ref: openssl/openssl#7593
Upstream: openssl/openssl@b18162a7c

Original commit message:
    CVE-2018-5407 fix: ECC ladder

    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
    (Merged from openssl/openssl#7593)
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Nov 14, 2018

@rvagg build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1600/pipeline

@nodejs-github-bot nodejs-github-bot added openssl Issues and PRs related to the OpenSSL dependency. v8.x labels Nov 14, 2018
@rvagg rvagg mentioned this pull request Nov 14, 2018
Merged
@rvagg rvagg mentioned this pull request Nov 14, 2018
Closed
@rvagg rvagg closed this Nov 25, 2018
@rvagg rvagg deleted the rvagg/openssl-CVE-2018-5407 branch November 25, 2018 22:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

openssl Issues and PRs related to the OpenSSL dependency.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rvagg @nodejs-github-bot