Commit 4056c1f

nodejs-github-bot authored and targos committed Mar 11, 2025
deps: upgrade openssl sources to quictls/openssl-3.0.16
PR-URL: #57335
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
1 parent 5c20dcc commit 4056c1f

232 files changed

+2754
-3535
lines changed

‎deps/openssl/openssl/CHANGES.md

+30-3
@@ -28,11 +28,36 @@ breaking changes, and mappings for the large list of deprecated functions.
2828

2929
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
3030

31-
### Changes between 3.0.15 and 3.0.15+quic [3 Sep 2024]
31+
### Changes between 3.0.15 and 3.0.16 [11 Feb 2025]
3232

33-
* Add QUIC API support from BoringSSL
33+
* Fixed timing side-channel in ECDSA signature computation.
3434

35-
*Todd Short*
35+
There is a timing signal of around 300 nanoseconds when the top word of
36+
the inverted ECDSA nonce value is zero. This can happen with significant
37+
probability only for some of the supported elliptic curves. In particular
38+
the NIST P-521 curve is affected. To be able to measure this leak, the
39+
attacker process must either be located in the same physical computer or
40+
must have a very fast network connection with low latency.
41+
42+
([CVE-2024-13176])
43+
44+
*Tomáš Mráz*
45+
46+
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
47+
curve parameters.
48+
49+
Use of the low-level GF(2^m) elliptic curve APIs with untrusted
50+
explicit values for the field polynomial can lead to out-of-bounds memory
51+
reads or writes.
52+
Applications working with "exotic" explicit binary (GF(2^m)) curve
53+
parameters, that make it possible to represent invalid field polynomials
54+
with a zero constant term, via the above or similar APIs, may terminate
55+
abruptly as a result of reading or writing outside of array bounds. Remote
56+
code execution cannot easily be ruled out.
57+
58+
([CVE-2024-9143])
59+
60+
*Viktor Dukhovni*
3661

3762
### Changes between 3.0.14 and 3.0.15 [3 Sep 2024]
3863
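Review bot: Old lines 31 to 35 drop the "3.0.15+quic" heading and the "Add QUIC API support from BoringSSL" entry with no replacement, although the commit title says these sources come from quictls/openssl-3.0.16. Either carry a "+quic" entry into the new 3.0.16 section or state in the commit message that the vendored tree still ships the QUIC API, so anything built against that API is not caught out by the changelog. Since new lines 33 to 60 show this upgrade fixes CVE-2024-13176 and CVE-2024-9143, naming both in the commit message would also make the security relevance visible in the log.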

@@ -19928,6 +19953,8 @@ ndif
1992819953

1992919954
<!-- Links -->
1993019955

19956+
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
19957+
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
1993119958
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
1993219959
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
1993319960
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741

‎deps/openssl/openssl/Configurations/unix-Makefile.tmpl

+1-1
@@ -1688,7 +1688,7 @@ EOF
16881688
} elsif ($makedep_scheme eq 'gcc' && !grep /\.rc$/, @srcs) {
16891689
$recipe .= <<"EOF";
16901690
$obj: $deps
1691-
$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -MT \$\@ -c -o \$\@ $srcs
1691+
$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -c -o \$\@ $srcs
16921692
\@touch $dep.tmp
16931693
\@if cmp $dep.tmp $dep > /dev/null 2> /dev/null; then \\
16941694
rm -f $dep.tmp; \\
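Review bot: New line 1691 removes `-MT \$\@` from the 'gcc' makedepend recipe, and neither the commit message nor the CHANGES.md hunk explains why. Without -MT the rule target written to $dep.tmp is the compiler's default; gcc takes it from -o when -MMD is used without -E, so the output should match, but please confirm that the generated .d files still name $obj for objects in subdirectories and for other compilers that go through this scheme. A mismatched target would make incremental builds skip recompilation after a header change, which in a crypto library means stale objects can survive a security update.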
