public inbox for cygwin-apps@cygwin.com
 help / color / mirror / Atom feed
* openssl needs updated
@ 2021-05-28 17:13 Brian Inglis
  2021-05-30  7:06 ` Brian Inglis
  0 siblings, 1 reply; 4+ messages in thread
From: Brian Inglis @ 2021-05-28 17:13 UTC (permalink / raw)
  To: cygwin-apps

openssl/libssl has not been updated since 1.1.f two years ago and now
has four high sev CVEs outstanding in upstream 1.1.1k: two last year,
two this year.

If maintainer is short of time, I may be able to co-maintain?

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: openssl needs updated
  2021-05-28 17:13 openssl needs updated Brian Inglis
@ 2021-05-30  7:06 ` Brian Inglis
  2021-05-30  8:06   ` Achim Gratz
  0 siblings, 1 reply; 4+ messages in thread
From: Brian Inglis @ 2021-05-30  7:06 UTC (permalink / raw)
  To: cygwin-apps

On 2021-05-28 11:13, Brian Inglis wrote:
> openssl/libssl has not been updated since 1.1.f two years ago and now
> has four high sev CVEs outstanding in upstream 1.1.1k: two last year,
> two this year.
> 
> If maintainer is short of time, I may be able to co-maintain?

Successful builds and tests of 1.1.1k x86/_64 with selected patches from 
Fedora main and minimal changes from current 1.1.1f and my last 1.1.1h:

https://ci.appveyor.com/project/cygwin/scallywag/builds/39377213

pushed to playground with locally rebased patch for sha256 default 
instead of sha1:

https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/openssl.git;hb=refs/heads/playground;f=openssl.cygport

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: openssl needs updated
  2021-05-30  7:06 ` Brian Inglis
@ 2021-05-30  8:06   ` Achim Gratz
  2021-05-30 16:17     ` Brian Inglis
  0 siblings, 1 reply; 4+ messages in thread
From: Achim Gratz @ 2021-05-30  8:06 UTC (permalink / raw)
  To: cygwin-apps

Brian Inglis writes:
> On 2021-05-28 11:13, Brian Inglis wrote:
>> openssl/libssl has not been updated since 1.1.f two years ago and now
>> has four high sev CVEs outstanding in upstream 1.1.1k: two last year,
>> two this year.
>> If maintainer is short of time, I may be able to co-maintain?

If you really want co-maint and not just take over I'd suggest you
refrain from purely stylistic changes like these:

--8<---------------cut here---------------start------------->8---
 src_compile() {
-       cd ${S}
+       cd $S
        lndirs
--8<---------------cut here---------------end--------------->8---

I'd like to see the existing MingW64 packages moving to *-openssl10 (and
getting updated to the latest version as well), then updating *-openssl
to the 1.1 branch.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf microQ V2.22R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: openssl needs updated
  2021-05-30  8:06   ` Achim Gratz
@ 2021-05-30 16:17     ` Brian Inglis
  0 siblings, 0 replies; 4+ messages in thread
From: Brian Inglis @ 2021-05-30 16:17 UTC (permalink / raw)
  To: cygwin-apps

On 2021-05-30 02:06, Achim Gratz wrote:
> Brian Inglis writes:
>> On 2021-05-28 11:13, Brian Inglis wrote:
>>> openssl/libssl has not been updated since 1.1.f two years ago
>>> and now has four high sev CVEs outstanding in upstream 1.1.1k:
>>> two last year, two this year. >>> If maintainer is short of time, I may be able to co-maintain?

> If you really want co-maint and not just take over I'd suggest you
> refrain from purely stylistic changes like these:
>   src_compile() {
> -       cd ${S}
> +       cd $S
>          lndirs

Those are from my own local builds I keep more up to date than releases.
I manually switch from release or local tars to check builds.

> I'd like to see the existing MingW64 packages moving to *-openssl10
> (and getting updated to the latest version as well), then updating
> *-openssl to the 1.1 branch.
OpenSSL 1.0.2u was EoL and unsupported end of 2019:
https://www.openssl.org/blog/blog/2019/11/07/3.0-update/
Cygwin current is 1.0.2t so close but mingw is 1.0.2o 3 years ago.

OpenSSL 3 came out a year ago and is still in alpha # 17.

I haven't even looked at mingw packages because they are so outdated.
I am afraid to find out why they have not been updated to 1.1.1! ;^>

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-05-30 16:17 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-28 17:13 openssl needs updated Brian Inglis
2021-05-30  7:06 ` Brian Inglis
2021-05-30  8:06   ` Achim Gratz
2021-05-30 16:17     ` Brian Inglis

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).