[#5727] OpenSSL August 2021 patches. (#152)

* Back to downloading with Start-BitsTransfer on Windows. * Updated OpenSSL 1.1.1 sources to version 1.1.1l. * Build OpenSSL 1.1.1l instead of 1.1.1k where needed. * Patched OpenSSL 1.0.2 sources for CVE-2021-3712. * Updated cffi sources to version 1.14.6. * Use latest cffi version. * Updated version for our patched OpenSSL 1.0.2v sources. * Updated external deps docs. * Use the paxctl package on Alpine 3.14. * Use published CentOS 5.11 chevah setup.
chevah · Sep 16, 2021 · ad5a0e1 · ad5a0e1
1 parent 039620e
commit ad5a0e1
Show file tree

Hide file tree

Showing 5,573 changed files with 2,505 additions and 814 deletions.
diff --git a/.github/workflows/bare.yaml b/.github/workflows/bare.yaml
@@ -176,9 +176,7 @@ jobs:
       run: |
         chocolatey install --yes --no-progress make nasm 7zip curl
         # There's no vcpython27 choco pkg since Microsoft removed the installer.
-        #Start-BitsTransfer https://bin.chevah.com:20443/third-party-stuff/VCForPython27.msi
-        # Pending upstream fix for SFTPPlus, we use the real curl for now.
-        curl.exe -O https://bin.chevah.com:20443/third-party-stuff/VCForPython27.msi
+        Start-BitsTransfer https://bin.chevah.com:20443/third-party-stuff/VCForPython27.msi
         msiexec /quiet /i VCForPython27.msi
 
     - name: Clone sources independently

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -30,7 +30,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        container: [ 'alpine:3.14', 'centos:8.2.2004', 'centos:5.11' ]
+        # CentOS 5.11 setup was saved as an image pushed to Docker Hub. See the
+        # Overview section at https://hub.docker.com/r/proatria/centos for details.
+        container: [ 'alpine:3.14', 'centos:8.2.2004', 'proatria/centos:5.11-chevah1' ]
     timeout-minutes: 30
     steps:
 
@@ -39,9 +41,7 @@ jobs:
       if: startsWith(matrix.container, 'alpine')
       run: |
         apk upgrade -U
-        apk add git curl bash gcc make m4 automake libtool patch zlib-dev libffi-dev ncurses-dev linux-headers musl-dev openssl-dev lddtree shadow sudo openssh-client
-        curl -o /usr/local/bin/paxctl https://bin.chevah.com:20443/third-party-stuff/alpine/paxctl-3.12
-        chmod +x /usr/local/bin/paxctl
+        apk add git curl bash gcc make m4 automake libtool patch zlib-dev libffi-dev ncurses-dev linux-headers musl-dev openssl-dev lddtree shadow sudo openssh-client paxctl
 
     # Stick to CentOS 8.2 as OpenSSL got updated in 8.3 from 1.1.1c to 1.1.1g.
     - name: CentOS 8.2 setup
@@ -52,23 +52,6 @@ jobs:
         yum -y upgrade
         yum -y install git curl gcc make m4 automake libtool patch openssl-devel zlib-devel libffi-devel ncurses-devel sudo which openssh-clients
 
-    # Final CentOS 5 version is used to build the generic Linux package.
-    - name: CentOS 5.11 setup
-      if: matrix.container == 'centos:5.11'
-      run: |
-        sed -i s/^mirrorlist=/#mirrorlist=/ /etc/yum.repos.d/*.repo
-        sed -i s@^#baseurl=http://mirror.centos.org/centos/\$releasever/@baseurl=http://vault.centos.org/5.11/@ /etc/yum.repos.d/*.repo
-        yum -y upgrade
-        # Use https://bin.chevah.com:20443/third-party-stuff/centos5/tuxad/
-        # when tuxad.de dissapears, it has the minimum required stuff.
-        rpm -i http://www.tuxad.de/rpms/tuxad-release-5-1.noarch.rpm
-        yum -y install wget curl gcc44 make m4 automake libtool patch sudo which openssh-clients
-        ln -s /usr/bin/gcc44 /usr/local/bin/gcc
-        wget --mirror --no-parent https://bin.chevah.com:20443/third-party-stuff/centos5/endpoint/
-        cd bin.chevah.com\:20443/third-party-stuff/centos5/endpoint/
-        rpm -i local-perl-*.rpm
-        rpm -i --nodeps git{-core,}-2.5.0-1.ep.x86_64.rpm
-
     # On a Docker container, everything runs as root by default.
     - name: Chevah user setup
       run: |

diff --git a/chevah_build b/chevah_build
@@ -4,9 +4,7 @@
 #
 # build
 # test
-# publish_production
-# publish_staging
-#
+# compat (for the compat repo tests)
 
 PYTHON_BUILD_VERSION="2.7.18"
 LIBFFI_VERSION="3.2.1"
@@ -15,12 +13,12 @@ BZIP2_VERSION="1.0.8"
 # We statically build the BSD libedit on selected platforms to get the
 # readline module available without linking to the GPL-only readline libs.
 LIBEDIT_VERSION="20170329-3.1"
-OPENSSL_VERSION="1.1.1k"
+OPENSSL_VERSION="1.1.1l"
 SQLITE_VERSION="3.36.0"
 
 # Python modules versions to be used everywhere possible.
 PYSQLITE_VERSION="2.8.3"
-CFFI_VERSION="1.14.5"
+CFFI_VERSION="1.14.6"
 # 19.1.0 is used with OpenSSL 1.0.2 libs.
 PYOPENSSL_VERSION="20.0.1"
 SCANDIR_VERSION="1.10.0"
@@ -196,7 +194,7 @@ case $OS in
         # As of January 2021, OpenSSL 1.0.2u is the latest version from IBM.
         export BUILD_OPENSSL="yes"
         # 1.1.1 tests fail on AIX, use 1.0.2 with patches from Ubuntu 16.04 LTS.
-        OPENSSL_VERSION="1.0.2v-chevah2"
+        OPENSSL_VERSION="1.0.2v-chevah3"
         # Perl's Test::Simple and its deps are required for building OpenSSL.
         execute perl -MTest::Simple -e 1
         # cryptography 3.2.x, last version to support OpenSSL 1.0.2.

diff --git a/external_deps.csv b/external_deps.csv
@@ -2,21 +2,21 @@ OS,AIX,,,Amazon,Alpine,,Debian,FreeBSD,,HP-UX,macOS,OS X,RHEL,,,,SLES,,Solaris,,
 OS Version,5.3³,6.1³,7.1¹,2¹,3.12³,3.14¹,5.0+³,11.4³,12.2²,11.31²,10.13+¹,10.8³,5.11¹,6.x¹,7.x¹,8.x¹,11SP4¹,12SP3¹,10u8+³,11.0/11.1³,11.2²,11.4²,14.04²,16.04¹,18.04¹,20.04¹,"XP, 2003, 2008²","2012r2, 2016, 2019¹"
 "OpenSSL /
 LibreSSL⁶","1.0.2v-chevah2 (statically linked with stdlib “ssl”)
-1.0.2v-chevah2 (statically linked with cryptography)",1.0.2k (from AIX Web Download Pack Programs),"1.0.2v-chevah2 (statically linked with stdlib “ssl”)
-1.0.2v-chevah2 (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.1.1j,1.1.1k,"1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.0.1u,1.0.2s,1.0.2h,"1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1g (statically built for stdlib “ssl”)
-1.1.1g (bundled with upstream cryptography 2.9.1)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.1.1c FIPS,"1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.0.2n (from upstream Oracle patches),1.0.0x,1.0.1h,1.0.2o,"1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.1.0g,1.1.1f,"1.0.2t (bundled with upstream Python 2.7.18)
+1.0.2v-chevah2 (statically linked with cryptography)",1.0.2k (from AIX Web Download Pack Programs),"1.0.2v-chevah3 (statically linked with stdlib “ssl”)
+1.0.2v-chevah3 (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.1.1j,1.1.1l,"1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.0.1u,1.0.2s,1.0.2h,"1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1g (statically built for stdlib “ssl”)
+1.1.1g (bundled with upstream cryptography 2.9.1)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.1.1c FIPS,"1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.0.2n (from upstream Oracle patches),1.0.0x,1.0.1h,1.0.2o,"1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.1.0g,1.1.1f,"1.0.2t (bundled with upstream Python 2.7.18)
 1.1.1g (bundled with upstream cryptography 2.9.1)","1.0.2t¹⁰ (bundled with upstream Python 2.7.18)
-1.1.1k (built from upstream sources)"
+1.1.1l (built from upstream sources)"
 Python,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.8⁴,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18¹³
 SQLite,3.34.1,3.34.1,3.36.0,3.36.0,3.34.1,3.36.0,3.36.0,3.30.1,3.34.1,3.34.1,3.36.0,3.30.1,3.36.0,3.36.0,3.36.0,3.36.0,3.36.0,3.36.0,3.34.1,3.30.1,3.34.1,3.34.1,3.36.0,3.36.0,3.36.0,3.36.0,3.30.1 (we overwrite version from upstream Python at build time),3.36.0 (we overwrite version from upstream Python at build time)
 Expat,2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.1.0⁵ (bundled with Python 2.7.8),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python)
@@ -27,13 +27,13 @@ libedit,n/a,n/a,n/a,n/a,20170329-3.1,20170329-3.1,n/a,20170329-3.1,20170329-3.1,
 pysqlite,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,"n/a, upstream sqlite3 is used","n/a, upstream sqlite3 is used"
 pip,20.3.4,9.0.3,20.3.4,20.3.4,9.0.3,20.3.4,20.3.4,9.0.3,20.3.4,20.3.4,20.3.4,9.0.3,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,9.0.3,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4
 setuptools,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,41.6.0,41.6.0,41.6.0,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1
-wheel,0.36.2,0.33.6,0.36.2,0.36.2,0.33.6,0.36.2,0.36.2,0.33.6,0.36.2,0.36.2,0.36.2,0.33.6,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.33.6,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2
+wheel,0.36.2,0.33.6,0.37.0,0.37.0,0.33.6,0.37.0,0.37.0,0.33.6,0.37.0,0.36.2,0.37.0,0.33.6,0.37.0,0.37.0,0.37.0,0.37.0,0.37.0,0.37.0,0.36.2,0.33.6,0.36.2,0.37.0,0.37.0,0.37.0,0.37.0,0.37.0,0.36.2,0.37.0
 pycparser,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20
 setproctitle,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10
 cryptography,3.2.1¹²,2.9.2¹²,3.2.1¹²,3.3.2,3.3.2,3.3.2,3.3.2,2.9.2¹²,3.3.2,n/a,3.3.2,2.9.2¹² (wheel includes OpenSSL),3.3.2,3.3.2,3.3.2,3.3.2,3.3.2,3.3.2,n/a,n/a,n/a,3.2.1¹²,3.3.2,3.3.2,3.3.2,3.3.2,2.9.2¹² (wheel includes OpenSSL),3.3.2 (wheel includes OpenSSL)
 six,1.15.0,1.13.0,1.15.0,1.15.0,1.15.0,1.15.0,1.15.0,1.11.0,1.15.0,1.15.0,1.15.0,1.11.0,1.15.0,1.15.0,1.15.0,1.15.0,1.15.0,1.15.0,1.15.0,1.11.0,1.15.0,1.15.0,1.11.0,1.11.0,1.11.0,1.11.0,1.11.0,1.11.0
 ipaddress,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,n/a,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,n/a,n/a,n/a,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23
-cffi,1.14.5,1.14.0,1.14.5,1.14.5,1.14.0,1.14.5,1.14.5,1.14.0,1.14.5,n/a,1.14.5,1.14.0,1.14.5,1.14.5,1.14.5,1.14.5,1.14.5,1.14.5,n/a,1.14.0,1.14.5,1.14.5,1.14.5,1.14.5,1.14.5,1.14.5,1.14.0,1.14.5
+cffi,1.14.5,1.14.0,1.14.6,1.14.6,1.14.0,1.14.6,1.14.6,1.14.0,1.14.6,n/a,1.14.6,1.14.0,1.14.6,1.14.6,1.14.6,1.14.6,1.14.6,1.14.6,n/a,1.14.0,1.14.5,1.14.6,1.14.6,1.14.6,1.14.6,1.14.6,1.14.0,1.14.6
 asn1crypto,n/a,1.2.0,n/a,n/a,n/a,n/a,n/a,1.2.0,n/a,n/a,n/a,1.2.0,n/a,n/a,n/a,n/a,n/a,n/a,n/a,1.2.0,n/a,n/a,n/a,n/a,n/a,n/a,1.2.0,n/a
 enum34,1.1.10,1.1.6,1.1.10,1.1.10,1.1.6,1.1.10,1.1.10,1.1.6,1.1.10,n/a,1.1.10,1.1.6,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,,,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.6,1.1.10
 idna,n/a,2.6,n/a,n/a,n/a,n/a,n/a,2.6,n/a,n/a,n/a,2.6,n/a,n/a,n/a,n/a,n/a,n/a,n/a,2.6,n/a,n/a,n/a,n/a,n/a,n/a,2.6,n/a