This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

Updating OpenSSL to 1.0.2p #1654

Merged
merged 1 commit into from
Aug 15, 2018

Conversation

tyler-ball

Description

Resolves:

Client DoS due to large DH parameter (CVE-2018-0732)
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)

Issues Resolved

N/A

Check List

Signed-off-by: tyler-ball <tball@chef.io>

@tyler-ball tyler-ball requested a review from a team August 14, 2018 17:48

tas50 commented Aug 14, 2018

You need to bundle update omnibus or this will fail since it requires the updated omnibus-software.

Resolves:

Client DoS due to large DH parameter (CVE-2018-0732)
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)

Following chef/chef#7546

Signed-off-by: tyler-ball <tball@chef.io>

tyler-ball commented Aug 14, 2018

Okay! Finally got the deps updated. Got rid of the rspec-core pin because why do we care about that in omnibus.

@@ -18,6 +18,3 @@ group :development do
gem "kitchen-vagrant"
gem "winrm-elevated"
end

# TODO remove this when we update Chef to use the new api exposed in 3.5.1
gem "rspec-core", "= 3.4.4"
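Review bot: dropping the `rspec-core` pin (`gem "rspec-core", "= 3.4.4"` and its TODO comment) is unrelated to the OpenSSL 1.0.2p bump and is not recorded anywhere in the PR description, which lists only CVE-2018-0732 and CVE-2018-0737; please add a sentence to the description or commit message stating that the TODO's condition (Chef using the API exposed in rspec-core 3.5.1) is now met, so the removal is traceable later. Also confirm the matching Gemfile.lock change is part of this commit, given the earlier note that `bundle update omnibus` is required for the build to pass.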
Contributor

???

Contributor Author

@tyler-ball tyler-ball Aug 14, 2018

Yeah. Apparently I added that 2 years ago in d11e563 - I see no reason to keep it pinned in the omnibus build since it is no longer pinned in the main Gemfile, and master is using 3.7.0

Contributor

Is our rspec installation used directly by customers, or do we only build it for self-testing?

Contributor Author

Neither. This would be rspec if it was used to test omnibus or omnibus-software (or anything in the chef-dk/omnibus folder). This version pin doesn't determine what is used to test the main ChefDK source, or the produced ChefDK omnibus package. I have no idea why we would want to keep this.


tas50 commented Aug 15, 2018

Let's cross our fingers for chef 14 omnibus builds!!!!

@tas50 tas50 merged commit 354234d into master Aug 15, 2018
@chef-ci chef-ci deleted the openssl branch August 15, 2018 21:36

lock bot commented Oct 14, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Oct 14, 2018