Skip to content

Check for vulnerable openssl #10988

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hoffmang9 merged 11 commits into from
Apr 1, 2022
Merged

Check for vulnerable openssl #10988

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
1e7ecdd
Check for vulnerable openssl
hoffmang9 Apr 1, 2022
78f95ee
Update OpenSSL on MacOS
hoffmang9 Apr 1, 2022
8f3e2e0
First attempt - openssl Ubuntu 18.04 and 20.04
hoffmang9 Apr 1, 2022
bbb0ebe
place local/bin ahead in PATH
hoffmang9 Apr 1, 2022
ca7df10
specify install openssl
hoffmang9 Apr 1, 2022
3f8c227
correct path
hoffmang9 Apr 1, 2022
fcda698
run ldconfig
hoffmang9 Apr 1, 2022
9733582
stop building and check for patched openssl
hoffmang9 Apr 1, 2022
db9cd90
spell sudo right by removing it
hoffmang9 Apr 1, 2022
63f56b2
Remove openssl building - 1st attempt RHs
hoffmang9 Apr 1, 2022
427721f
Test Windows OpenSSL version HT @AmineKhaldi
hoffmang9 Apr 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions Install.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,14 @@ if ([version]$pythonVersion -lt [version]"3.7.0")
}
Write-Output "Python version is:" $pythonVersion

$openSSLVersionStr = (py -c 'import ssl; print(ssl.OPENSSL_VERSION)')
$openSSLVersion = (py -c 'import ssl; print(ssl.OPENSSL_VERSION_NUMBER)')
if ($openSSLVersion -lt 269488367)
{
Write-Output "Found Python with OpenSSL version:" $openSSLVersionStr
Write-Output "Anything before 1.1.1n is vulnerable to CVE-2022-0778."
}

py -m venv venv

venv\scripts\python -m pip install --upgrade pip setuptools wheel
Expand Down
31 changes: 22 additions & 9 deletions install.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,8 +75,8 @@ install_python3_and_sqlite3_from_source_with_yum() {
# Preparing installing Python
echo 'yum groupinstall -y "Development Tools"'
sudo yum groupinstall -y "Development Tools"
echo "sudo yum install -y openssl-devel libffi-devel bzip2-devel wget"
sudo yum install -y openssl-devel libffi-devel bzip2-devel wget
echo "sudo yum install -y openssl-devel openssl libffi-devel bzip2-devel wget"
sudo yum install -y openssl-devel openssl libffi-devel bzip2-devel wget

echo "cd $TMP_PATH"
cd "$TMP_PATH"
Expand Down Expand Up @@ -111,27 +111,28 @@ install_python3_and_sqlite3_from_source_with_yum() {
cd "$CURRENT_WD"
}


# Manage npm and other install requirements on an OS specific basis
if [ "$(uname)" = "Linux" ]; then
#LINUX=1
if [ "$UBUNTU" = "true" ] && [ "$UBUNTU_PRE_2004" = "1" ]; then
# Ubuntu
echo "Installing on Ubuntu pre 20.04 LTS."
sudo apt-get update
sudo apt-get install -y python3.7-venv python3.7-distutils
sudo apt-get install -y python3.7-venv python3.7-distutils openssl
apt show openssl
elif [ "$UBUNTU" = "true" ] && [ "$UBUNTU_PRE_2004" = "0" ] && [ "$UBUNTU_2100" = "0" ]; then
echo "Installing on Ubuntu 20.04 LTS."
sudo apt-get update
sudo apt-get install -y python3.8-venv python3-distutils
sudo apt-get install -y python3.8-venv python3-distutils openssl
apt show openssl
elif [ "$UBUNTU" = "true" ] && [ "$UBUNTU_2100" = "1" ]; then
echo "Installing on Ubuntu 21.04 or newer."
sudo apt-get update
sudo apt-get install -y python3.9-venv python3-distutils
sudo apt-get install -y python3.9-venv python3-distutils openssl
elif [ "$DEBIAN" = "true" ]; then
echo "Installing on Debian."
sudo apt-get update
sudo apt-get install -y python3-venv
sudo apt-get install -y python3-venv openssl
elif type pacman >/dev/null 2>&1 && [ -f "/etc/arch-release" ]; then
# Arch Linux
# Arch provides latest python version. User will need to manually install python 3.9 if it is not present
Expand Down Expand Up @@ -160,16 +161,17 @@ if [ "$(uname)" = "Linux" ]; then
elif type yum >/dev/null 2>&1 && [ -f "/etc/redhat-release" ] && grep Rocky /etc/redhat-release; then
echo "Installing on Rocky."
# TODO: make this smarter about getting the latest version
sudo yum install --assumeyes python39
sudo yum install --assumeyes python39 openssl
elif type yum >/dev/null 2>&1 && [ -f "/etc/redhat-release" ] || [ -f "/etc/fedora-release" ]; then
# Redhat or Fedora
echo "Installing on Redhat/Fedora."
if ! command -v python3.9 >/dev/null 2>&1; then
sudo yum install -y python39
sudo yum install -y python39 openssl
fi
fi
elif [ "$(uname)" = "Darwin" ] && ! type brew >/dev/null 2>&1; then
echo "Installation currently requires brew on MacOS - https://brew.sh/"
brew install openssl
elif [ "$(uname)" = "OpenBSD" ]; then
export MAKE=${MAKE:-gmake}
export BUILD_VDF_CLIENT=${BUILD_VDF_CLIENT:-N}
Expand Down Expand Up @@ -231,6 +233,17 @@ if [ "$SQLITE_MAJOR_VER" -lt "3" ] || [ "$SQLITE_MAJOR_VER" = "3" ] && [ "$SQLIT
exit 1
fi

# Check openssl version python will use
OPENSSL_VERSION_STRING=$($INSTALL_PYTHON_PATH -c 'import ssl; print(ssl.OPENSSL_VERSION)')
OPENSSL_VERSION_INT=$($INSTALL_PYTHON_PATH -c 'import ssl; print(ssl.OPENSSL_VERSION_NUMBER)')
# There is also ssl.OPENSSL_VERSION_INFO returning a tuple
# 1.1.1n corresponds to 269488367 as an integer
echo "OpenSSL version for Python is ${OPENSSL_VERSION_STRING}"
if [ "$OPENSSL_VERSION_INT" -lt "269488367" ]; then
echo "WARNING: OpenSSL versions before 3.0.2, 1.1.1n, or 1.0.2zd are vulnerable to CVE-2022-0778"
echo "Your OS may have patched OpenSSL and not updated the version to 1.1.1n"
fi

# If version of `python` and "$INSTALL_PYTHON_VERSION" does not match, clear old version
VENV_CLEAR=""
if [ -e venv/bin/python ]; then
Expand Down