Changeset c07d5a87


Timestamp:
06/24/2022 02:07:14 PM (22 months ago)
Author:
William Harrington <kb0iic@…>
Branches:
arm
Children:
995347d
Parents:
e8afce4
git-author:
Xi Ruoyao <xry111@…> (06/23/2022 04:23:06 AM)
git-committer:
William Harrington <kb0iic@…> (06/24/2022 02:07:14 PM)
Message:

openssl: mark c_rehash obsolete

The c_rehash script, shipped by OpenSSL versions in current LFS trunk
and all previous LFS releases, is vulnerable to CVE-2022-2068. It's
fixed in 3.0.4, but OpenSSL 3.0.4 is completely broken on CPU models with
AVX-512 extension [1]. So we'd like to defer OpenSSL update and wait for
upstream consensus about "would 3.0.5 be released in urgency".

But, the upstream has announced that use of c_rehash is obsolete now [2].
So we can tell people not to use it.

[1]: https://github.com/openssl/openssl/issues/18625
[2]: https://www.openssl.org/news/secadv/20220621.txt

File:
1 edited

  • chapter08/openssl.xml

    re8afce4 rc07d5a87  
    136136        <listitem>
    137137          <para>
    138             is a <application>Perl</application> script that scans all files in
    139             a directory and adds symbolic links to their hash values
     138            is a <application>Perl</application> script that
     139            scans all files in a directory and adds symbolic links to their
     140            hash values.  Use of <command>c_rehash</command> is considered
     141            obsolete and should be replaced by
     142            <command>openssl rehash</command> command
    140143          </para>
    141144          <indexterm zone="ch-system-openssl c_rehash">
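Review bot: the sentence added at new lines 140-142 has no terminating period and is missing an article: "should be replaced by <command>openssl rehash</command> command" would read better as "should be replaced by the <command>openssl rehash</command> command." The book text also says only that c_rehash is "considered obsolete", while the commit message gives the actual reason (the shipped script is vulnerable to CVE-2022-2068 and the OpenSSL update is deferred). A short clause saying the script is affected by a known vulnerability would tell readers why they should stop using it rather than leaving it as a style preference. Re-wrapping the unchanged first sentence (old lines 138-139) also makes the diff larger than the change itself. Keeping the original line breaks and appending the new sentence would make the change easier to review.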