[Security] Upgrade the OpenSSL/OpenSSH to fix CVE alerts (sonic-net#16902)

### Why I did it
[Security] Upgrade the OpenSSL/OpenSSH to fix CVE alerts

Upgrade OpenSSL to 1.1.1n-0+deb11u5
Fix CVEs:
      CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
      CVE-2023-0465 (Invalid certificate policies in leaf certificates are
      CVE-2023-0466 (Certificate policy check not enabled).
      CVE-2022-4304 (Timing Oracle in RSA Decryption).
      CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).

Upgrade OpenSSH to 8.4p1-5+deb11u2
Fix CVEs:
    CVE-2023-38408 (Lacks SSH agent restriction)

##### Work item tracking
- Microsoft ADO **(number only)**: 25506776

#### How I did it
Upgrade the OpenSSL/OpenSSH package version and fix the UT failure.

#### How to verify it
Verified by UTs with and without FIPS enabled.
xumia authored and mssonicbld committed Oct 20, 2023
1 parent 763f846 commit cf66a45
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions rules/sonic-fips.mk
@@ -1,8 +1,8 @@
# fips packages

FIPS_VERSION = 0.8
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u4+fips
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u1+fips
FIPS_VERSION = 0.9
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
FIPS_PYTHON_MAIN_VERSION = 3.9
FIPS_PYTHON_VERSION = 3.9.2-1+fips
FIPS_GOLANG_MAIN_VERSION = 1.15
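
Review bot: The FIPS_VERSION bump from 0.8 to 0.9 at the top of the hunk is the only place the "fix the UT failure" part of the description can live, since this commit changes just three version strings in rules/sonic-fips.mk; please reference the change in the FIPS package source that produced 0.9 so the test fix and the patched OpenSSL/OpenSSH builds can be audited. The versions are also pinned by string only, with no checksum visible in these lines, so confirm that the 0.9 release actually publishes 1.1.1n-0+deb11u5+fips and 8.4p1-5+deb11u2+fips, and that the unchanged FIPS_PYTHON_VERSION and FIPS_GOLANG_MAIN_VERSION packages are still available under 0.9. A one-line comment above FIPS_VERSION naming the CVEs that drove the bump would also help the next person who touches these pins.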