upgrade openssl to 3.3.2 (#10494)

tobiasb-ms · web-flow · commit e728ae0e9e95 · 2024-09-19T09:08:42.000-07:00
Upgrades openssl to 3.3.2. This contains bug fixes and addresses some CVEs.
diff --git a/SPECS/openssl/CVE-2024-5535.patch b/SPECS/openssl/CVE-2024-5535.patch
diff --git a/SPECS/openssl/openssl.signatures.json b/SPECS/openssl/openssl.signatures.json
@@ -5,6 +5,6 @@
   "configuration-prefix.h": "11aba0dcfab381269e7e6ba1fdde1e4e8dfe51e39d8c7a2918f3b28a32cb98fd",
   "configuration-switch.h": "400439d7e8c551e7d5de8bfc648dcc0ddf6f4a7552750af4813449f68941b928",
   "genpatches": "9da7f988d4378adf499b1322e79f29e94c889c4bf10cd6e79e6991b673de2463",
-  "openssl-3.3.0.tar.gz": "53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02"
+  "openssl-3.3.2.tar.gz": "2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281"
  }
 }
diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec
@@ -8,11 +8,11 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.3.0
-Release: 2%{?dist}
+Version: 3.3.2
+Release: 1%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
-Source: https://www.openssl.org/source/openssl-%{version}.tar.gz
+Source: https://github.com/openssl/openssl/releases/download/openssl-%{version}/openssl-%{version}.tar.gz
 Source2: Makefile.certificate
 Source3: genpatches
 Source9: configuration-switch.h
@@ -62,8 +62,6 @@ Patch52:  0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
 # # See notes in the patch for details, but this patch will not be needed if
 # # the openssl issue https://github.com/openssl/openssl/issues/7048 is ever implemented and released.
 Patch80:  0001-Replacing-deprecated-functions-with-NULL-or-highest.patch
-# Remove if we upgrade to 3.3.2 to or later. https://www.openssl.org/news/secadv/20240627.txt
-Patch81:  CVE-2024-5535.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -360,6 +358,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Sep 19 2024 Tobias Brick <tobiasb@microsoft.com> - 3.3.2-1
+- Upgrade to 3.3.2
+
 * Fri Jul 12 2024 Suresh Thelkar <sthelkar@microsoft.com> - 3.3.0-2
 - Patch CVE-2023-5535
 
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -15203,8 +15203,8 @@
         "type": "other",
         "other": {
           "name": "openssl",
-          "version": "3.3.0",
-          "downloadUrl": "https://www.openssl.org/source/openssl-3.3.0.tar.gz"
+          "version": "3.3.2",
+          "downloadUrl": "https://github.com/openssl/openssl/releases/download/openssl-3.3.2/openssl-3.3.2.tar.gz"
         }
       }
     },
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.0-2.azl3.aarch64.rpm
-openssl-devel-3.3.0-2.azl3.aarch64.rpm
-openssl-libs-3.3.0-2.azl3.aarch64.rpm
-openssl-perl-3.3.0-2.azl3.aarch64.rpm
-openssl-static-3.3.0-2.azl3.aarch64.rpm
+openssl-3.3.2-1.azl3.aarch64.rpm
+openssl-devel-3.3.2-1.azl3.aarch64.rpm
+openssl-libs-3.3.2-1.azl3.aarch64.rpm
+openssl-perl-3.3.2-1.azl3.aarch64.rpm
+openssl-static-3.3.2-1.azl3.aarch64.rpm
 libcap-2.69-1.azl3.aarch64.rpm
 libcap-devel-2.69-1.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.0-2.azl3.x86_64.rpm
-openssl-devel-3.3.0-2.azl3.x86_64.rpm
-openssl-libs-3.3.0-2.azl3.x86_64.rpm
-openssl-perl-3.3.0-2.azl3.x86_64.rpm
-openssl-static-3.3.0-2.azl3.x86_64.rpm
+openssl-3.3.2-1.azl3.x86_64.rpm
+openssl-devel-3.3.2-1.azl3.x86_64.rpm
+openssl-libs-3.3.2-1.azl3.x86_64.rpm
+openssl-perl-3.3.2-1.azl3.x86_64.rpm
+openssl-static-3.3.2-1.azl3.x86_64.rpm
 libcap-2.69-1.azl3.x86_64.rpm
 libcap-devel-2.69-1.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -285,12 +285,12 @@ npth-debuginfo-1.6-4.azl3.aarch64.rpm
 npth-devel-1.6-4.azl3.aarch64.rpm
 ntsysv-1.25-1.azl3.aarch64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.0-2.azl3.aarch64.rpm
-openssl-debuginfo-3.3.0-2.azl3.aarch64.rpm
-openssl-devel-3.3.0-2.azl3.aarch64.rpm
-openssl-libs-3.3.0-2.azl3.aarch64.rpm
-openssl-perl-3.3.0-2.azl3.aarch64.rpm
-openssl-static-3.3.0-2.azl3.aarch64.rpm
+openssl-3.3.2-1.azl3.aarch64.rpm
+openssl-debuginfo-3.3.2-1.azl3.aarch64.rpm
+openssl-devel-3.3.2-1.azl3.aarch64.rpm
+openssl-libs-3.3.2-1.azl3.aarch64.rpm
+openssl-perl-3.3.2-1.azl3.aarch64.rpm
+openssl-static-3.3.2-1.azl3.aarch64.rpm
 p11-kit-0.25.0-1.azl3.aarch64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm
 p11-kit-devel-0.25.0-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -291,12 +291,12 @@ npth-debuginfo-1.6-4.azl3.x86_64.rpm
 npth-devel-1.6-4.azl3.x86_64.rpm
 ntsysv-1.25-1.azl3.x86_64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.0-2.azl3.x86_64.rpm
-openssl-debuginfo-3.3.0-2.azl3.x86_64.rpm
-openssl-devel-3.3.0-2.azl3.x86_64.rpm
-openssl-libs-3.3.0-2.azl3.x86_64.rpm
-openssl-perl-3.3.0-2.azl3.x86_64.rpm
-openssl-static-3.3.0-2.azl3.x86_64.rpm
+openssl-3.3.2-1.azl3.x86_64.rpm
+openssl-debuginfo-3.3.2-1.azl3.x86_64.rpm
+openssl-devel-3.3.2-1.azl3.x86_64.rpm
+openssl-libs-3.3.2-1.azl3.x86_64.rpm
+openssl-perl-3.3.2-1.azl3.x86_64.rpm
+openssl-static-3.3.2-1.azl3.x86_64.rpm
 p11-kit-0.25.0-1.azl3.x86_64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm
 p11-kit-devel-0.25.0-1.azl3.x86_64.rpm
diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums
@@ -41,7 +41,7 @@ dd16fb1d67bfab79a72f5e8390735c49e3e8e70b4945a15ab1f81ddb78658fb3  make-4.4.1.tar
 ab642492f5cf882b74aa0cb730cd410a81edcdbec895183ce930e706c1c759b8  mpc-1.3.1.tar.gz
 277807353a6726978996945af13e52829e3abd7a9a5b7fb2793894e18f1fcbb2  mpfr-4.2.1.tar.xz
 6931283d9ac87c5073f30b6290c4c75f21632bb4fc3603ac8100812bed248159  ncurses-6.4.tar.gz
-53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02  openssl-3.3.0.tar.gz
+2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281  openssl-3.3.2.tar.gz
 ac610bda97abe0d9f6b7c963255a11dcb196c25e337c61f94e4778d632f1d8fd  patch-2.7.6.tar.xz
 eca551caec3bc549a4e590c0015003790bdd1a604ffe19cc78ee631d51f7072e  perl-5.38.0.tar.xz
 ea5a25ef8f251eb5377ec0e21c75fb61894433cfbdbf0b2559ba33e4c2664401  pkgconf-2.0.2.tar.xz
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
@@ -571,9 +571,9 @@ popd
 rm -rf automake-1.16.5
 touch /logs/status_automake_complete
 
-echo OpenSSL-3.3.0
-tar xf openssl-3.3.0.tar.gz
-pushd openssl-3.3.0
+echo OpenSSL-3.3.2
+tar xf openssl-3.3.2.tar.gz
+pushd openssl-3.3.2
 sslarch=
 ./config --prefix=/usr \
          --openssldir=/etc/pki/tls \
@@ -591,7 +591,7 @@ make all -j$(nproc)
 sed -i '/INSTALL_LIBS/s/libcrypto.a libssl.a//' Makefile
 make MANSUFFIX=ssl install
 popd
-rm -rf openssl-3.3.0
+rm -rf openssl-3.3.2
 touch /logs/status_openssl_complete
 
 echo Elfutils-0.189

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,6 @@`
`5`	`5`	`"configuration-prefix.h": "11aba0dcfab381269e7e6ba1fdde1e4e8dfe51e39d8c7a2918f3b28a32cb98fd",`
`6`	`6`	`"configuration-switch.h": "400439d7e8c551e7d5de8bfc648dcc0ddf6f4a7552750af4813449f68941b928",`
`7`	`7`	`"genpatches": "9da7f988d4378adf499b1322e79f29e94c889c4bf10cd6e79e6991b673de2463",`
`8`		`- "openssl-3.3.0.tar.gz": "53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02"`
	`8`	`+ "openssl-3.3.2.tar.gz": "2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281"`
`9`	`9`	`}`
`10`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15203,8 +15203,8 @@`
`15203`	`15203`	`"type": "other",`
`15204`	`15204`	`"other": {`
`15205`	`15205`	`"name": "openssl",`
`15206`		`- "version": "3.3.0",`
`15207`		`- "downloadUrl": "https://www.openssl.org/source/openssl-3.3.0.tar.gz"`
	`15206`	`+ "version": "3.3.2",`
	`15207`	`+ "downloadUrl": "https://github.com/openssl/openssl/releases/download/openssl-3.3.2/openssl-3.3.2.tar.gz"`
`15208`	`15208`	`}`
`15209`	`15209`	`}`
`15210`	`15210`	`},`