[MacPorts] #63615: libressl: update to 3.3.5 (was: Please update LibreSSL port to 3.3.5)
MacPorts
noreply at macports.org
Wed Oct 13 04:26:38 UTC 2021
#63615: libressl: update to 3.3.5
-----------------------+----------------------
  Reporter:  artkiver  |      Owner:  jeremyhu
      Type:  update    |     Status:  assigned
  Priority:  Normal    |  Milestone:
 Component:  ports     |    Version:
Resolution:            |   Keywords:
      Port:  libressl  |
-----------------------+----------------------
Changes (by ryandesign):
* status: new => assigned
* owner: (none) => jeremyhu
* priority: Not set => Normal
New description:
Hello!
It appears as if the MacPorts LibreSSL port is at version 3.2.3. While
https://ports.macports.org/port/libressl/details/ shows a yellow
exclamation mark which reads "libressl seems to have been updated (port
version 3.2.3 new version: 3.4.0)" the current version on libressl.org is
3.3.5 so I am not really sure where the MacPorts version drift yellow
exclamation mark is referencing as I cannot corroborate a version 3.4.0
having been released.
However, 3.3.5 addresses the following two fixes (quoted from
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt)
> * A stack overread could occur when checking X.509 name constraints.
> From GoldBinocle on GitHub.
>
> * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
> This compensates for the expiry of the DST Root X3 certificate.
In particular, the latter issue seems to impact some Let's Encrypt users
and rectifies a bug which had been in OpenSSL which was fixed circa 2018
that LibreSSL developers apparently overlooked since their project forked
approximately four years earlier. Anecdotally, GNUTLS also apparently had
a similar bug.
I have tested building LibreSSL with 3.3.5 by changing the version number
in the portfile as well as updating the checksums per the instructions
outlined here:
https://guide.macports.org/chunked/development.creating-portfile.html
and it seems to have built cleanly using the newer source tarball!
{{{
# uname -a
Darwin enbie132020enuan.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:20 PDT 2021; root:xnu-7195.141.6~3/RELEASE_ARM64_T8101 arm64
# openssl version
LibreSSL 3.3.5
# which openssl
/opt/local/bin/openssl
}}}
For reference, the checksums I derived were as follows:
{{{
checksums rmd160 76cd468b68ba63b108af9750777b37617da20605 \
          sha256 0a51393f0df1cf27e070054a2788a4d073339f363d79cd594076a1b4c48be9a5
}}}
Though undoubtedly, the port maintainer should verify those independently.
I guess I also removed the line for the size of the tar.gz since I wasn't
entirely sure how MacPorts calculates that, but the port seemed to build
OK without that information in the Portfile.
At least from my vantage, this appears as if it is a pretty easy version
update, with minimal effort required by the port maintainer, though
doubtlessly there may have been some things I overlooked. I couldn't help
but notice MacPorts also has a libressl-devel port which is even further
behind the main LibreSSL port at version 2.9.2, though I suppose that is
still a more recent LibreSSL than the version which ships with Big Sur
11.6 (namely, 2.8.3).
I also noticed that Homebrew has updated their LibreSSL port to 3.3.5, so
my guess is for those who really need it, they should be able to find
workarounds as I did manually. Nonetheless, I thought I would open a Trac
ticket to formalize the version skew/drift a bit more.
Thank you in advance for rectifying this!
--
Ticket URL: <https://trac.macports.org/ticket/63615#comment:1>
MacPorts <https://www.macports.org/>
Ports system for macOS
More information about the macports-tickets mailing list
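The update procedure the ticket describes (bump the version, regenerate the `checksums` values and the `size` line the reporter was unsure about) is mechanical enough to script. The script below is an added example, not code from the ticket or from the MacPorts project: given a downloaded distfile it prints a Portfile-style `checksums` stanza with rmd160, sha256 and size, and it can check a file against a published sha256 before that stanza is trusted. It assumes `openssl` is on PATH for RIPEMD-160 (coreutils has no rmd160) and either `sha256sum` or `shasum`; the `size` value is simply the file length in bytes. All values are computed from whatever file is passed in; none of the numbers it prints are real LibreSSL checksums.

```shell
#!/bin/sh
# Added example: build a MacPorts-style "checksums" stanza for a distfile and
# verify a file against an expected sha256. Assumes openssl and sha256sum or
# shasum are on PATH; nothing here downloads anything.
set -eu

# sha256 of a file as lowercase hex (GNU coreutils sha256sum, or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# RIPEMD-160 via openssl. OpenSSL 3.0.0 to 3.0.6 ship rmd160 only in the
# legacy provider, so retry with that provider loaded. If no implementation
# exists at all, print a placeholder instead of failing so the sha256 and
# size lines are still usable.
rmd160_of() {
  out=$(openssl dgst -rmd160 "$1" 2>/dev/null) \
    || out=$(openssl dgst -provider legacy -provider default -rmd160 "$1" 2>/dev/null) \
    || { echo "rmd160-unavailable"; return 0; }
  # Output is "RMD160(file)= <hex>" (LibreSSL) or "RIPEMD160(file)= <hex>";
  # the digest is the last whitespace-separated token either way.
  printf '%s\n' "${out##* }"
}

# The Portfile "size" value is the distfile length in bytes.
size_of() {
  wc -c < "$1" | tr -d ' '
}

# Print the stanza in the column layout MacPorts Portfiles use.
checksums_stanza() {
  printf 'checksums           rmd160  %s \\\n' "$(rmd160_of "$1")"
  printf '                    sha256  %s \\\n' "$(sha256_of "$1")"
  printf '                    size    %s\n'   "$(size_of "$1")"
}

# Return 0 if the file's sha256 equals the expected value (for instance one
# taken from upstream's published SHA256 list), 1 otherwise. Case-insensitive.
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Usage: ./checksums.sh path/to/libressl-3.3.5.tar.gz
if [ "$#" -ge 1 ]; then
  checksums_stanza "$1"
fi
```

Run `verify_sha256` against the value upstream publishes for the tarball (the LibreSSL directory on ftp.openbsd.org carries a SHA256 list with a signify signature) before pasting the generated stanza into the Portfile; computing the hashes from a tarball you fetched yourself only proves the Portfile matches that download, not that the download is authentic. Once the stanza is in place, the port's own checksum phase re-checks all three values on every install.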