[openssl] master update

Dr. Paul Dale pauli at openssl.org
Sun May 16 00:25:49 UTC 2021


The branch master has been updated
       via  e2daf6f14045587614681bf6579480be63de6da0 (commit)
      from  6dc56df26c41666ee5138da6c97bdb400fd03025 (commit)


- Log -----------------------------------------------------------------
commit e2daf6f14045587614681bf6579480be63de6da0
Author: Pauli <pauli at openssl.org>
Date:   Sun May 16 10:23:54 2021 +1000

    ci: remove the checksum CI script
    
    This script introduces a security vulnerability where the OpenSSL github
    repository can be modified which opens a window for an attacker.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    
    Reported-by: Nikita Stupin

-----------------------------------------------------------------------

Summary of changes:
 .github/workflows/checksums.yml | 71 -----------------------------------------
 1 file changed, 71 deletions(-)
 delete mode 100644 .github/workflows/checksums.yml

diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml
deleted file mode 100644
index 5f444b639b..0000000000
--- a/.github/workflows/checksums.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: FIPS Checksums
-on: [pull_request_target]
-jobs:
-  apply-label:
-    runs-on: ubuntu-latest
-    steps:
-      - name: install unifdef
-        run: |
-            sudo apt-get update
-            sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef
-      - uses: actions/checkout at v2
-        with:
-          ref: ${{ github.event.pull_request.base.sha }}
-      - name: create build dirs
-        run: |
-          mkdir ./build-pristine
-          mkdir ./build
-      - name: config pristine
-        run: ../config enable-fips && perl configdata.pm --dump
-        working-directory: ./build-pristine
-      - name: make build_generated pristine
-        run: make -s build_generated
-        working-directory: ./build-pristine
-      - name: make fips-checksums pristine
-        run: make fips-checksums
-        working-directory: ./build-pristine
-      - uses: actions/checkout at v2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          clean: false
-      - name: config
-        run: ../config enable-fips && perl configdata.pm --dump
-        working-directory: ./build
-      - name: make build_generated
-        run: make -s build_generated
-        working-directory: ./build
-      - name: make fips-checksums
-        run: make fips-checksums
-        working-directory: ./build
-      - name: update checksums pristine
-        run: touch providers/fips.checksum.new && make update-fips-checksums
-        working-directory: ./build-pristine
-      - name: make diff-fips-checksums
-        run: make diff-fips-checksums && echo "fips_unchanged=1" >> $GITHUB_ENV || echo "fips_changed=1" >> $GITHUB_ENV
-        working-directory: ./build
-      - name: set label
-        if: ${{ env.fips_changed }}
-        continue-on-error: true
-        uses: actions/github-script at v4
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            github.issues.addLabels({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              labels: ['severity: fips change']
-            })
-      - name: remove label
-        if: ${{ env.fips_unchanged }}
-        continue-on-error: true
-        uses: actions/github-script at v4
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            github.issues.removeLabel({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              name: 'severity: fips change'
-            })
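Review bot: The commit message should name the mechanism rather than only saying the repository "can be modified". In the removed file it is the combination of `on: [pull_request_target]` with the second checkout at `ref: ${{ github.event.pull_request.head.sha }}`. After that checkout, `../config enable-fips`, `make -s build_generated` and `make fips-checksums` execute build files supplied by the pull request. A `pull_request_target` job runs in the base repository's context, and this one goes on to pass `secrets.GITHUB_TOKEN` to actions/github-script in the same job. Because of `clean: false`, the later "update checksums pristine" step also runs `make update-fips-checksums` against a tree that already contains the PR's files, so the pristine side is not isolated either. Deleting the workflow closes this, but it also drops the 'severity: fips change' labelling. If that automation comes back, suggest running the configure and make steps under `pull_request` with no write-capable token, and applying or removing the label from a separate job that never checks out or executes PR code and consumes only the changed/unchanged result.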

