Bug 893446 (CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0286, CVE-2023-0401)

Summary:	<dev-libs/openssl-{1.1.1t, 3.0.8}: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	base-system, bertrand, hydrapolic
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	?? [glsa?]
Package list:		Runtime testing required:	---
Bug Depends on:	893556
Bug Blocks:	855494, 887073

Description Sam James archtester

2023-02-07 04:28:08 UTC

https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html

"""
Hello,

The OpenSSL project team would like to announce the forthcoming release 
of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg. Note that OpenSSL 1.0.2 
is End Of Life and so 1.0.2zg will be available to premium support 
customers only.

These releases will be made available on Tuesday 7th February 2023 
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in 
each of these three releases is High:

https://www.openssl.org/policies/secpolicy.html

Yours
The OpenSSL Project Team
"""

Comment 1 Larry the Git Cow gentoo-dev

2023-02-07 16:54:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4cbfc0cf23eb89fe311d0404afe0134a1c7324d

commit f4cbfc0cf23eb89fe311d0404afe0134a1c7324d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-07 16:50:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-07 16:53:13 +0000

    dev-libs/openssl: add 3.0.8
    
    Bug: https://bugs.gentoo.org/893446
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest             |   2 +
 dev-libs/openssl/openssl-3.0.8.ebuild | 260 ++++++++++++++++++++++++++++++++++
 2 files changed, 262 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7421cd7524852eeb68ca87eccbbe31ab1e0f906c

commit 7421cd7524852eeb68ca87eccbbe31ab1e0f906c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-07 16:51:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-07 16:53:13 +0000

    dev-libs/openssl: keyword 1.1.1t
    
    Originally unkeyworded as we copied from 8263780cbef6fd6d62bdd57dc14373f869739e77.
    
    Bug: https://bugs.gentoo.org/893446
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/openssl-1.1.1t.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f288f0e0ea80bccae6a5e074e605ac5982e84b98

commit f288f0e0ea80bccae6a5e074e605ac5982e84b98
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-07 16:43:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-07 16:53:12 +0000

    dev-libs/openssl: add 1.1.1t
    
    Bug: https://bugs.gentoo.org/893446
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest              |   2 +
 dev-libs/openssl/openssl-1.1.1t.ebuild | 340 +++++++++++++++++++++++++++++++++
 2 files changed, 342 insertions(+)

Comment 2 Sam James archtester

2023-02-07 16:56:44 UTC

Advisory: https://mta.openssl.org/pipermail/openssl-announce/2023-February/000251.html

Comment 3 Larry the Git Cow gentoo-dev

2023-02-13 07:04:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1c15de07da848681bf49fea4541b36fad4ae848

commit b1c15de07da848681bf49fea4541b36fad4ae848
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-13 07:02:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-13 07:02:46 +0000

    dev-libs/openssl-compat: add 1.1.1t
    
    Bug: https://bugs.gentoo.org/893446
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl-compat/Manifest                   |   2 +
 dev-libs/openssl-compat/files/gentoo.config-1.0.4  | 176 ++++++++++++++++
 .../openssl-compat/openssl-compat-1.1.1t.ebuild    | 221 +++++++++++++++++++++
 3 files changed, 399 insertions(+)