[FASTTRACK-CHERRYPICK] openssl: Fix CVE-2023-50782 affecting python-cryptography - branch main (#9318)

CBL-Mariner-Bot · jcamposeco · web-flow · commit e2c8d9e5dad0 · 2024-06-07T14:54:22.000-07:00
Co-authored-by: J Camposeco &lt;108859819+jcamposeco@users.noreply.github.com&gt;
Co-authored-by: Juan Camposeco &lt;juanarturoc@microsoft.com&gt;
diff --git a/SPECS/openssl/openssl-1.1.1-pkcs1-implicit-rejection.patch b/SPECS/openssl/openssl-1.1.1-pkcs1-implicit-rejection.patch
diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec
@@ -4,7 +4,7 @@
 Summary:        Utilities from the general purpose cryptography library with TLS implementation
 Name:           openssl
 Version:        1.1.1k
-Release:        31%{?dist}
+Release:        32%{?dist}
 License:        OpenSSL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -61,7 +61,8 @@ Patch37:        CVE-2023-3817.patch
 Patch38:        openssl-1.1.1-improve-safety-of-DH.patch
 Patch39:        openssl-1.1.1-add-null-checks-where-contentinfo-data-can-be-null.patch
 Patch40:        openssl-1.1.1-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch
-Patch41:        openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
+Patch41:        openssl-1.1.1-pkcs1-implicit-rejection.patch
+Patch42:        openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
 BuildRequires:  perl-Test-Warnings
 BuildRequires:  perl-Text-Template
 BuildRequires:  perl(FindBin)
@@ -176,6 +177,7 @@ cp %{SOURCE4} test/
 %patch39 -p1
 %patch40 -p1
 %patch41 -p1
+%patch42 -p1
 
 %build
 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
@@ -365,9 +367,12 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 %postun libs -p /sbin/ldconfig
 
 %changelog
-* Tue Jun 04 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-31
+* Tue Jun 04 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-32
 - Only free the read buffers if we're not using them
 
+* Thu May 23 2024 Juan Camposeco <juan.camposeco@gmail.com> - 1.1.1k-31
+- Implicit rejection of PKCS#1 v1.5 (CVE-2023-50782) - cherrypick from fasttrack/2.0
+
 * Fri Apr 19 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-30
 - Fix unconstrained session cache growth in TLSv1.3
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-31.cm2.aarch64.rpm
-openssl-devel-1.1.1k-31.cm2.aarch64.rpm
-openssl-libs-1.1.1k-31.cm2.aarch64.rpm
-openssl-perl-1.1.1k-31.cm2.aarch64.rpm
-openssl-static-1.1.1k-31.cm2.aarch64.rpm
+openssl-1.1.1k-32.cm2.aarch64.rpm
+openssl-devel-1.1.1k-32.cm2.aarch64.rpm
+openssl-libs-1.1.1k-32.cm2.aarch64.rpm
+openssl-perl-1.1.1k-32.cm2.aarch64.rpm
+openssl-static-1.1.1k-32.cm2.aarch64.rpm
 libcap-2.60-2.cm2.aarch64.rpm
 libcap-devel-2.60-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-31.cm2.x86_64.rpm
-openssl-devel-1.1.1k-31.cm2.x86_64.rpm
-openssl-libs-1.1.1k-31.cm2.x86_64.rpm
-openssl-perl-1.1.1k-31.cm2.x86_64.rpm
-openssl-static-1.1.1k-31.cm2.x86_64.rpm
+openssl-1.1.1k-32.cm2.x86_64.rpm
+openssl-devel-1.1.1k-32.cm2.x86_64.rpm
+openssl-libs-1.1.1k-32.cm2.x86_64.rpm
+openssl-perl-1.1.1k-32.cm2.x86_64.rpm
+openssl-static-1.1.1k-32.cm2.x86_64.rpm
 libcap-2.60-2.cm2.x86_64.rpm
 libcap-devel-2.60-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm
 npth-debuginfo-1.6-4.cm2.aarch64.rpm
 npth-devel-1.6-4.cm2.aarch64.rpm
 ntsysv-1.20-4.cm2.aarch64.rpm
-openssl-1.1.1k-31.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-31.cm2.aarch64.rpm
-openssl-devel-1.1.1k-31.cm2.aarch64.rpm
-openssl-libs-1.1.1k-31.cm2.aarch64.rpm
-openssl-perl-1.1.1k-31.cm2.aarch64.rpm
-openssl-static-1.1.1k-31.cm2.aarch64.rpm
+openssl-1.1.1k-32.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-32.cm2.aarch64.rpm
+openssl-devel-1.1.1k-32.cm2.aarch64.rpm
+openssl-libs-1.1.1k-32.cm2.aarch64.rpm
+openssl-perl-1.1.1k-32.cm2.aarch64.rpm
+openssl-static-1.1.1k-32.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm
 npth-debuginfo-1.6-4.cm2.x86_64.rpm
 npth-devel-1.6-4.cm2.x86_64.rpm
 ntsysv-1.20-4.cm2.x86_64.rpm
-openssl-1.1.1k-31.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-31.cm2.x86_64.rpm
-openssl-devel-1.1.1k-31.cm2.x86_64.rpm
-openssl-libs-1.1.1k-31.cm2.x86_64.rpm
-openssl-perl-1.1.1k-31.cm2.x86_64.rpm
-openssl-static-1.1.1k-31.cm2.x86_64.rpm
+openssl-1.1.1k-32.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-32.cm2.x86_64.rpm
+openssl-devel-1.1.1k-32.cm2.x86_64.rpm
+openssl-libs-1.1.1k-32.cm2.x86_64.rpm
+openssl-perl-1.1.1k-32.cm2.x86_64.rpm
+openssl-static-1.1.1k-32.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm
