Changeset 0b0fa07


Timestamp:
06/23/2022 04:23:06 AM (22 months ago)
Author:
Xi Ruoyao <xry111@…>
Branches:
11.2, 11.2-rc1, 11.3, 11.3-rc1, 12.0, 12.0-rc1, 12.1, 12.1-rc1, bdubbs/gcc13, multilib, renodr/libudev-from-systemd, s6-init, trunk, xry111/arm64, xry111/arm64-12.0, xry111/clfs-ng, xry111/loongarch, xry111/loongarch-12.0, xry111/loongarch-12.1, xry111/mips64el, xry111/pip3, xry111/rust-wip-20221008, xry111/update-glibc
Children:
40488bd
Parents:
e909a1eb
Message:

openssl: mark c_rehash obsolete

The c_rehash script, shipped by OpenSSL versions in current LFS trunk
and all previous LFS releases, is vulnerable to CVE-2022-2068. It's
fixed in 3.0.4, but OpenSSL 3.0.4 is completely broken on CPU models with
the AVX-512 extension [1]. So we'd like to defer the OpenSSL update and wait for
upstream consensus about "would 3.0.5 be released in urgency".

But upstream has announced that use of c_rehash is obsolete now [2].
So we can tell people not to use it.

[1]: https://github.com/openssl/openssl/issues/18625
[2]: https://www.openssl.org/news/secadv/20220621.txt

File:
1 edited

  • chapter08/openssl.xml

    re909a1eb r0b0fa07  
    136136        <listitem>
    137137          <para>
    138             is a <application>Perl</application> script that scans all files in
    139             a directory and adds symbolic links to their hash values
     138            is a <application>Perl</application> script that
     139            scans all files in a directory and adds symbolic links to their
     140            hash values.  Use of <command>c_rehash</command> is considered
     141            obsolete and should be replaced by
     142            <command>openssl rehash</command> command
    140143          </para>
    141144          <indexterm zone="ch-system-openssl c_rehash">
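Review bot: The new sentence at r0b0fa07 lines 140-142 calls c_rehash "obsolete" but gives no reason, while the commit message says the shipped script is vulnerable to CVE-2022-2068 and that the OpenSSL update is being deferred. A reader who already calls c_rehash from a script gets no signal that this is a security matter on the version the book installs, so consider naming the CVE or linking the upstream advisory in the text, or adding a short note to that effect. Two smaller wording points in the same lines: the second sentence has no closing period even though the first now ends with one, and "<command>openssl rehash</command> command" doubles the word "command", so "replaced by <command>openssl rehash</command>." reads cleaner.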