Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update openssl to the latest security update #7633

Open
pshipton opened this issue Oct 29, 2019 · 15 comments
Open

Update openssl to the latest security update #7633

pshipton opened this issue Oct 29, 2019 · 15 comments
Labels
comp:build comp:openssl tracking
Milestone
Release 0.49 (Jav...

Comments

@pshipton
Copy link
Member

pshipton commented Oct 29, 2019
edited
Loading

openssl should be updated to the latest version for each OpenJ9 release.

Don't close this issue, move it to the next milestone after completing the update.
@pshipton
Copy link
Member Author

There is a 1.1.1e update which we're using for the 0.20.0 release.

@pshipton
Copy link
Member Author

pshipton commented Apr 2, 2020

There is a 1.1.1f bug fix update. It's in progress to update OpenJ9 head stream to use it, but I don't think the 0.20.0 release should be updated since there aren't any known problems we need bug fixes for, and updating carries the risk of breaking something. Adopt actually controls which version is used in a build.

@ashbm5 @DanHeidinga

@pshipton
Copy link
Member Author

https://mta.openssl.org/pipermail/openssl-announce/2020-April/000170.html

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.1.1g.

This release will be made available on Tuesday 21st April 2020 between
1300-1700 UTC.

OpenSSL 1.1.g is a security-fix release. The highest severity issue
fixed in this release is HIGH:
https://www.openssl.org/policies/secpolicy.html#high

@ashbm5 we'll be asking you about the impact of the security fixes when this is released next week.

@0xdaryl 0xdaryl added comp:jit comp:jitserver Artifacts related to JIT-as-a-Service project comp:jit:aot arch:aarch64 comp:build and removed comp:build arch:aarch64 comp:jit comp:jit:aot comp:jitserver Artifacts related to JIT-as-a-Service project labels Dec 3, 2020
@pshipton
Copy link
Member Author

1.1.1i is release with security fixes. Created issues to update. #11407

@keithc-ca
Copy link
Contributor

The tag 1.1.1j appeared today: created #11980.

@keithc-ca keithc-ca mentioned this issue Oct 11, 2022
Merged
@keithc-ca keithc-ca mentioned this issue Nov 1, 2022
Merged
@AdamBrousseau
Copy link
Contributor

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg. Note that OpenSSL 1.0.2
is End Of Life and so 1.0.2zg will be available to premium support
customers only.
These releases will be made available on Tuesday 7th February 2023
between 1300-1700 UTC.
These are security-fix releases. The highest severity issue fixed in
each of these three releases is High

@keithc-ca
Copy link
Contributor

Version 1.1.1t is now available. I'll put together the necessary pull requests.

@keithc-ca keithc-ca mentioned this issue Feb 7, 2023
Merged
@keithc-ca
Copy link
Contributor

@pshipton
Copy link
Member Author

pshipton commented Apr 12, 2023
edited
Loading

Update 1.1.1t with the latest security fixes.
https://www.openssl.org/news/secadv/20230322.txt
https://www.openssl.org/news/secadv/20230328.txt
#17161
#17169
#17170
ibmruntimes/temurin-build#78

@keithc-ca keithc-ca mentioned this issue May 30, 2023
Merged
@pshipton
Copy link
Member Author

Updated to include CVE-2024-13176

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
comp:build comp:openssl tracking
Projects
None yet
Milestone
Release 0.49 (Java 8, 11, 17, 21, 23)...
Development

No branches or pull requests
6 participants
@AdamBrousseau @DanHeidinga @tajila @0xdaryl @keithc-ca @pshipton