Changes between Initial Version and Version 1 of Ticket #63615


Timestamp:
Oct 13, 2021, 4:26:38 AM (3 years ago)
Author:
ryandesign (Ryan Carsten Schmidt)

  • Ticket #63615

    • Property Status changed from new to assigned
    • Property Owner set to jeremyhu
    • Property Summary changed from Please update LibreSSL port to 3.3.5 to libressl: update to 3.3.5
    • Property Priority changed from Not set to Normal
  • Ticket #63615 – Description

    initial v1  
    55However, 3.3.5 addresses the following two fixes (quoted from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt)
    66
    7 "  * A stack overread could occur when checking X.509 name constraints.
    8     From GoldBinocle on GitHub.
    9 
    10   * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
    11     This compensates for the expiry of the DST Root X3 certificate."
     7>  * A stack overread could occur when checking X.509 name constraints.
     8>    From GoldBinocle on GitHub.
     9>
     10>  * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
     11>    This compensates for the expiry of the DST Root X3 certificate.
    1212
    1313In particular, the latter issue seems to impact some Let's Encrypt users and rectifies a bug which had been in OpenSSL which was fixed circa 2018 that LibreSSL developers apparently overlooked since their project forked approximately four years earlier. Anecdotally, GNUTLS also apparently had a similar bug.
     
    1515I have tested building LibreSSL with 3.3.5 by changing the version number in the portfile as well as updating the checksums per the instructions outlined here: https://guide.macports.org/chunked/development.creating-portfile.html and it seems to have built cleanly using the newer source tarball!
    1616
    17 "# uname -a
     17{{{
     18# uname -a
    1819Darwin enbie132020enuan.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:20 PDT 2021; root:xnu-7195.141.6~3/RELEASE_ARM64_T8101 arm64"
    1920
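Review bot: The unchanged `Darwin ... arm64"` line (old 18, new 19) still ends with the closing quotation mark from the old quoted form, which now sits inside the new {{{ }}} block as if it were part of the uname output. The same stray quote was dropped from the `/opt/local/bin/openssl` line further down, so remove it here too and the pasted terminal output will read as it was printed.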
     
    2223
    2324# which openssl
    24 /opt/local/bin/openssl"
     25/opt/local/bin/openssl
     26}}}
    2527
    2628For reference, the checksums I derived were as follows:
    2729
     30{{{
    2831checksums           rmd160  76cd468b68ba63b108af9750777b37617da20605 \
    2932                    sha256 0a51393f0df1cf27e070054a2788a4d073339f363d79cd594076a1b4c48be9a5
     33}}}
    3034
    3135Though undoubtedly, the port maintainer should verify those independently.