Upgrade for https://www.openssl.org/news/secadv_20140806.txt
gitian: upgrade OpenSSL to 1.0.1i #4648
fanquake wants to merge 1 commit into bitcoin:master from fanquake:gitian_openssl_1_0_1_i, changing 9 files (+32 −32)
fanquake commented at 7:43 AM on August 7, 2014: member
-
074bcdc27e
gitian: upgrade OpenSSL to 1.0.1i
Upgrade for https://www.openssl.org/news/secadv_20140806.txt
-
BitcoinPullTester commented at 7:56 AM on August 7, 2014: none
Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/p4648_074bcdc27e561514d3e3145f280f2c2a8b9a16f5/ for binaries and test log. This test script verifies pulls every time they are updated. It, however, dies sometimes and fails to test properly. If you are waiting on a test, please check timestamps to verify that the test.log is moving at http://jenkins.bluematt.me/pull-tester/current/ Contact BlueMatt on freenode if something looks broken.
-
Diapolo commented at 8:15 AM on August 7, 2014: none
ACK, seems wise to quickly patch OpenSSL these days.
- laanwj added the label Improvement on Aug 7, 2014
- laanwj added the label Build system on Aug 7, 2014
-
Michagogo commented at 11:53 AM on August 7, 2014: contributor
Are any of those issues serious enough that we should release an 0.9.3?
-
DomT4 commented at 8:49 PM on August 7, 2014: contributor
OpenSSL should be updated, but there's nothing in the latest vulnerability updates that seems to call for any kind of emergency client update release. The OpenSSL version bump is worth adopting, but compared to the last couple of releases the severity of these latest disclosures is minimal for clients.
-
Michagogo commented at 2:41 AM on August 8, 2014: contributor
Okay, great.
On Thu, Aug 7, 2014 at 11:49 PM, Dominyk Tiller notifications@github.com wrote:
OpenSSL should be updated, but there's nothing in the latest vulnerability updates that seems to call for any kind of emergency client update release. The OpenSSL version bump is worth adopting, but compared to the last couple of releases the severity of these latest disclosures is minimal for clients.
-
Diapolo commented at 8:47 AM on August 8, 2014: none
I also think this round of fixes doesn't need an emergency release, from what I've read in the changelog.
-
laanwj commented at 12:06 PM on August 12, 2014: member
We do intend to do a 0.9.3 release in the near future for some minor bugfixes. May be worthwhile to include an openssl version bump too. But I'm not sure. If nothing is broken an upgrade could only break things.
- laanwj referenced this in commit bba0175022 on Aug 21, 2014
-
laanwj commented at 4:13 PM on August 21, 2014: member
Has been merged into 0.9.3 branch via bba01750226745d6666d587cabe57c321fde0875.
-
Michagogo commented at 1:34 PM on August 22, 2014: contributor
I asked this 15 days ago and didn't get an answer. @fanquake, was the Qt dependency version in the Windows build intentionally not bumped? I've seen that usually the Qt dependency is bumped when the OpenSSL build is, and the OS X Qt was, in fact, bumped. 0.9.3rc1 just got tagged with this upgrade and no bump, and I want to know if that was intentional or an oversight.
Edit: Never mind, @laanwj answered that it is, indeed, not needed.
- laanwj closed this on Sep 1, 2014
- fanquake deleted the branch on May 12, 2016
- MarcoFalke locked this on Sep 8, 2021