From 4a811b00534cb1ba39f8d31c4912ba995a4ac268 Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Tue, 8 Apr 2014 07:26:22 +0200 Subject: [PATCH] gitian: upgrade openssl to 1.0.1g for both win and linux OpenSSL 1.0.1g fixes CVE-2014-0160. Also bump dependency versions. --- contrib/gitian-descriptors/deps-linux.yml | 10 +++++----- contrib/gitian-descriptors/deps-win.yml | 10 +++++----- contrib/gitian-descriptors/gitian-linux.yml | 6 +++--- contrib/gitian-descriptors/gitian-win.yml | 6 +++--- contrib/gitian-descriptors/qt-win.yml | 6 +++--- doc/release-process.md | 2 +- 6 files changed, 20 insertions(+), 20 deletions(-) diff --git a/contrib/gitian-descriptors/deps-linux.yml b/contrib/gitian-descriptors/deps-linux.yml index 908f9321a4..74c1624569 100644 --- a/contrib/gitian-descriptors/deps-linux.yml +++ b/contrib/gitian-descriptors/deps-linux.yml @@ -16,7 +16,7 @@ packages: reference_datetime: "2013-06-01 00:00:00" remotes: [] files: -- "openssl-1.0.1e.tar.gz" +- "openssl-1.0.1g.tar.gz" - "miniupnpc-1.8.tar.gz" - "qrencode-3.4.3.tar.bz2" - "protobuf-2.5.0.tar.bz2" @@ -30,15 +30,15 @@ script: | export TZ=UTC export LIBRARY_PATH="$STAGING/lib" # Integrity Check - echo "f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 openssl-1.0.1e.tar.gz" | sha256sum -c + echo "53cb818c3b90e507a8348f4f5eaedb05d8bfe5358aabb508b7263cc670c3e028 openssl-1.0.1g.tar.gz" | sha256sum -c echo "bc5f73c7b0056252c1888a80e6075787a1e1e9112b808f863a245483ff79859c miniupnpc-1.8.tar.gz" | sha256sum -c echo "dfd71487513c871bad485806bfd1fdb304dedc84d2b01a8fb8e0940b50597a98 qrencode-3.4.3.tar.bz2" | sha256sum -c echo "13bfc5ae543cf3aa180ac2485c0bc89495e3ae711fc6fab4f8ffe90dfb4bb677 protobuf-2.5.0.tar.bz2" | sha256sum -c echo "12edc0df75bf9abd7f82f821795bcee50f42cb2e5f76a6a281b85732798364ef db-4.8.30.NC.tar.gz" | sha256sum -c # - tar xzf openssl-1.0.1e.tar.gz - cd openssl-1.0.1e + tar xzf openssl-1.0.1g.tar.gz + cd openssl-1.0.1g # need -fPIC to avoid relocation error in 64 bit builds ./config no-shared no-zlib no-dso no-krb5 --openssldir=$STAGING -fPIC # need to build OpenSSL with faketime because a timestamp is embedded into cversion.o @@ -95,4 +95,4 @@ script: | done # cd $STAGING - find include lib bin host | sort | zip -X@ $OUTDIR/bitcoin-deps-linux${GBUILD_BITS}-gitian-r3.zip + find include lib bin host | sort | zip -X@ $OUTDIR/bitcoin-deps-linux${GBUILD_BITS}-gitian-r4.zip diff --git a/contrib/gitian-descriptors/deps-win.yml b/contrib/gitian-descriptors/deps-win.yml index 87ebf3e87b..b18d0f031c 100644 --- a/contrib/gitian-descriptors/deps-win.yml +++ b/contrib/gitian-descriptors/deps-win.yml @@ -14,7 +14,7 @@ packages: reference_datetime: "2011-01-30 00:00:00" remotes: [] files: -- "openssl-1.0.1e.tar.gz" +- "openssl-1.0.1g.tar.gz" - "db-4.8.30.NC.tar.gz" - "miniupnpc-1.8.tar.gz" - "zlib-1.2.8.tar.gz" @@ -28,7 +28,7 @@ script: | INDIR=$HOME/build TEMPDIR=$HOME/tmp # Input Integrity Check - echo "f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 openssl-1.0.1e.tar.gz" | sha256sum -c + echo "53cb818c3b90e507a8348f4f5eaedb05d8bfe5358aabb508b7263cc670c3e028 openssl-1.0.1g.tar.gz" | sha256sum -c echo "12edc0df75bf9abd7f82f821795bcee50f42cb2e5f76a6a281b85732798364ef db-4.8.30.NC.tar.gz" | sha256sum -c echo "bc5f73c7b0056252c1888a80e6075787a1e1e9112b808f863a245483ff79859c miniupnpc-1.8.tar.gz" | sha256sum -c echo "36658cb768a54c1d4dec43c3116c27ed893e88b02ecfcb44f2166f9c0b7f2a0d zlib-1.2.8.tar.gz" | sha256sum -c @@ -48,8 +48,8 @@ script: | mkdir -p $INSTALLPREFIX $BUILDDIR cd $BUILDDIR # - tar xzf $INDIR/openssl-1.0.1e.tar.gz - cd openssl-1.0.1e + tar xzf $INDIR/openssl-1.0.1g.tar.gz + cd openssl-1.0.1g if [ "$BITS" == "32" ]; then OPENSSL_TGT=mingw else @@ -124,5 +124,5 @@ script: | done # cd $INSTALLPREFIX - find include lib | sort | zip -X@ $OUTDIR/bitcoin-deps-win$BITS-gitian-r10.zip + find include lib | sort | zip -X@ $OUTDIR/bitcoin-deps-win$BITS-gitian-r11.zip done # for BITS in diff --git a/contrib/gitian-descriptors/gitian-linux.yml b/contrib/gitian-descriptors/gitian-linux.yml index 01a5c3c0bf..017a5c26a4 100644 --- a/contrib/gitian-descriptors/gitian-linux.yml +++ b/contrib/gitian-descriptors/gitian-linux.yml @@ -21,8 +21,8 @@ remotes: - "url": "https://github.com/bitcoin/bitcoin.git" "dir": "bitcoin" files: -- "bitcoin-deps-linux32-gitian-r3.zip" -- "bitcoin-deps-linux64-gitian-r3.zip" +- "bitcoin-deps-linux32-gitian-r4.zip" +- "bitcoin-deps-linux64-gitian-r4.zip" - "boost-linux32-1.55.0-gitian-r1.zip" - "boost-linux64-1.55.0-gitian-r1.zip" script: | @@ -36,7 +36,7 @@ script: | # mkdir -p $STAGING cd $STAGING - unzip ../build/bitcoin-deps-linux${GBUILD_BITS}-gitian-r3.zip + unzip ../build/bitcoin-deps-linux${GBUILD_BITS}-gitian-r4.zip unzip ../build/boost-linux${GBUILD_BITS}-1.55.0-gitian-r1.zip cd ../build # diff --git a/contrib/gitian-descriptors/gitian-win.yml b/contrib/gitian-descriptors/gitian-win.yml index ecda73e44e..147708cee3 100644 --- a/contrib/gitian-descriptors/gitian-win.yml +++ b/contrib/gitian-descriptors/gitian-win.yml @@ -26,8 +26,8 @@ files: - "qt-win64-5.2.0-gitian-r2.zip" - "boost-win32-1.55.0-gitian-r6.zip" - "boost-win64-1.55.0-gitian-r6.zip" -- "bitcoin-deps-win32-gitian-r10.zip" -- "bitcoin-deps-win64-gitian-r10.zip" +- "bitcoin-deps-win32-gitian-r11.zip" +- "bitcoin-deps-win64-gitian-r11.zip" - "protobuf-win32-2.5.0-gitian-r4.zip" - "protobuf-win64-2.5.0-gitian-r4.zip" script: | @@ -61,7 +61,7 @@ script: | cd $STAGING unzip $INDIR/qt-win${BITS}-5.2.0-gitian-r2.zip unzip $INDIR/boost-win${BITS}-1.55.0-gitian-r6.zip - unzip $INDIR/bitcoin-deps-win${BITS}-gitian-r10.zip + unzip $INDIR/bitcoin-deps-win${BITS}-gitian-r11.zip unzip $INDIR/protobuf-win${BITS}-2.5.0-gitian-r4.zip if [ "$NEEDDIST" == "1" ]; then # Make source code archive which is architecture independent so it only needs to be done once diff --git a/contrib/gitian-descriptors/qt-win.yml b/contrib/gitian-descriptors/qt-win.yml index e3de2c02ef..cfe165d761 100644 --- a/contrib/gitian-descriptors/qt-win.yml +++ b/contrib/gitian-descriptors/qt-win.yml @@ -15,8 +15,8 @@ reference_datetime: "2011-01-30 00:00:00" remotes: [] files: - "qt-everywhere-opensource-src-5.2.0.tar.gz" -- "bitcoin-deps-win32-gitian-r10.zip" -- "bitcoin-deps-win64-gitian-r10.zip" +- "bitcoin-deps-win32-gitian-r11.zip" +- "bitcoin-deps-win64-gitian-r11.zip" script: | # Defines export TZ=UTC @@ -48,7 +48,7 @@ script: | # # Need mingw-compiled openssl from bitcoin-deps: cd $DEPSDIR - unzip $INDIR/bitcoin-deps-win${BITS}-gitian-r10.zip + unzip $INDIR/bitcoin-deps-win${BITS}-gitian-r11.zip # cd $BUILDDIR # diff --git a/doc/release-process.md b/doc/release-process.md index 095d20f9ea..13d843951a 100644 --- a/doc/release-process.md +++ b/doc/release-process.md @@ -40,7 +40,7 @@ Release Process mkdir -p inputs; cd inputs/ wget 'http://miniupnp.free.fr/files/download.php?file=miniupnpc-1.8.tar.gz' -O miniupnpc-1.8.tar.gz - wget 'https://www.openssl.org/source/openssl-1.0.1e.tar.gz' + wget 'https://www.openssl.org/source/openssl-1.0.1g.tar.gz' wget 'http://download.oracle.com/berkeley-db/db-4.8.30.NC.tar.gz' wget 'http://zlib.net/zlib-1.2.8.tar.gz' wget 'ftp://ftp.simplesystems.org/pub/png/src/history/libpng16/libpng-1.6.8.tar.gz'