Bug 8157 - Upgrade OpenSSL
Summary: Upgrade OpenSSL
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.15.0
Assignee: Linn
URL:
Keywords: prosaic, samuel_tester
Depends on:
Blocks:
 
Reported: 2023-05-23 16:23 CEST by Linn
Modified: 2023-05-26 17:07 CEST

See Also:
Acceptance Criteria:


Attachments

Description Linn cendio 2023-05-23 16:23:35 CEST
We are currently using OpenSSL v. 3.0.4. We should upgrade to the latest release 3.1.0 (released 14 mar 2023).
Comment 1 Linn cendio 2023-05-23 16:52:53 CEST
Note that OpenSSL has been updated once before in 4.15.0 in bug 7961. When writing release notes for this bug, check what release notes already exist for this topic and update them if needed.

There have been a number of security fixes since the last update of OpenSSL, the most relevant being:

* CVE-2022-4450 - Double free after calling PEM_read_bio_ex
* CVE-2022-2274 - Bug in RSA implementation for AVX512IFMA capable CPUs

For a full list of security fixes, see https://www.openssl.org/news/vulnerabilities.html
Comment 2 Linn cendio 2023-05-23 16:59:20 CEST
(In reply to Linn from comment #0)
> We should upgrade to the latest release 3.1.0 (released 14 mar 2023).
Correction - the latest stable release is v. 3.0.8 (released 8 feb 2023).
Comment 4 Linn cendio 2023-05-25 16:15:48 CEST
OpenSSL has been upgraded and as a consequence, the patch for CVE-2022-2274 is no longer needed since that CVE has been fixed upstream.
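As an added example, not part of this bug's discussion or of ThinLinc's build system: a small Python check that parses the banner printed by `openssl version` and reports which of the two CVEs named in this bug are still unfixed at that version. The fix releases in the table (3.0.5 for CVE-2022-2274, 3.0.8 for CVE-2022-4450) are taken from the upstream OpenSSL advisories, not from this page; the version banners used as sample input are constructed.

```python
import re
import shutil
import subprocess

# Earliest OpenSSL 3.0.x release containing the fix for each CVE named in this bug.
# Values come from the upstream OpenSSL advisories (assumption: not stated on the bug page).
CVE_FIXED_IN = {
    "CVE-2022-2274": (3, 0, 5),   # RSA AVX512IFMA implementation bug
    "CVE-2022-4450": (3, 0, 8),   # double free after PEM_read_bio_ex
}

# Matches e.g. "OpenSSL 3.0.8 7 Feb 2023" or "OpenSSL 3.1.0 14 Mar 2023".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Extract (major, minor, patch) from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def unfixed_cves(version):
    """Return the CVEs from the table whose fix release is newer than `version`."""
    return sorted(cve for cve, fixed in CVE_FIXED_IN.items() if version < fixed)


def audit(banner):
    """Parse a banner and report the version plus any CVEs it does not yet contain fixes for."""
    version = parse_openssl_version(banner)
    return {"version": version, "unfixed": unfixed_cves(version)}


if __name__ == "__main__":
    # Constructed sample banners: the version this bug started from and the one it upgraded to.
    for sample in ("OpenSSL 3.0.4 21 Jun 2022", "OpenSSL 3.0.8 7 Feb 2023"):
        print(sample, "->", audit(sample))
    # If an openssl binary is on PATH, audit the locally installed build as well.
    if shutil.which("openssl"):
        local = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
        print(local.strip(), "->", audit(local))
```

One caveat when using this against a distribution-provided OpenSSL rather than a bundled build: distributions often backport security fixes without bumping the version string, so a banner-only check can report a CVE as unfixed when the distro package already carries the patch. For a library shipped with the product, as here, the version string is the right thing to compare.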
Comment 5 Linn cendio 2023-05-25 16:16:05 CEST
Tested with server on Fedora 37 and Ubuntu 20.04.

* Logging in with public key
  - Key without password
  - Key with password
  - Non-authorized key
* Logging in with password
* Logging in with Kerberos
* Logging in with smart card
Comment 6 Samuel Mannehed cendio 2023-05-26 17:07:45 CEST
Things seem to work well. I used client build 3174 and server build 3271 on Fedora 38. I verified the following:

* Public key authentication (regular, password protected, not in authorized_keys, invalid key file)
* Password authentication
* Kerberos authentication
* Smart card authentication
* Smart card redirection
* Sound redirection

The commit also looks fine, I compared it to previous times we have upgraded OpenSSL.
