Is this dependency really necessary? openssl-1.0 suffers from (extracted with arch-audit): denial of service, multiple issues, private key recovery.
Would be nice if there's some way to get this to work with openssl-1.1.
Last edited by pfilz0 (2021-06-03 09:36:45)
I think it was introduced as the fix to https://bugs.archlinux.org/task/67449
https://github.com/archlinux/svntogit-c … 986e85086e
Thanks for the links, it seems indeed that there was a problem with BoringSSL which was fixed by adding the openssl-1.0 dependency.
But this could still be changed to v1.1, right?
Try rebuilding with that change and see what happens.
You could also patch openssl1.0 with the fixes from https://bugs.archlinux.org/task/67858#comment197269 which should address all the current known security issues with the package.
It does not include a fix for CVE-2021-23839 as the package was not built with SSL2 support so is not vulnerable.
I've applied your diff and recompiled the openssl-1.0 package. That seems to be the simplest way to go. Thanks for the quick solution.