[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Sun May 16 00:25:49 UTC 2021
The branch master has been updated
via e2daf6f14045587614681bf6579480be63de6da0 (commit)
from 6dc56df26c41666ee5138da6c97bdb400fd03025 (commit)
- Log -----------------------------------------------------------------
commit e2daf6f14045587614681bf6579480be63de6da0
Author: Pauli <pauli at openssl.org>
Date: Sun May 16 10:23:54 2021 +1000
ci: remove the checksum CI script
This script introduces a security vulnerability where the OpenSSL github
repository can be modified which opens a window for an attacker.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reported-by: Nikita Stupin
-----------------------------------------------------------------------
Summary of changes:
.github/workflows/checksums.yml | 71 -----------------------------------------
1 file changed, 71 deletions(-)
delete mode 100644 .github/workflows/checksums.yml
diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml
deleted file mode 100644
index 5f444b639b..0000000000
--- a/.github/workflows/checksums.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: FIPS Checksums
-on: [pull_request_target]
-jobs:
- apply-label:
- runs-on: ubuntu-latest
- steps:
- - name: install unifdef
- run: |
- sudo apt-get update
- sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef
- - uses: actions/checkout at v2
- with:
- ref: ${{ github.event.pull_request.base.sha }}
- - name: create build dirs
- run: |
- mkdir ./build-pristine
- mkdir ./build
- - name: config pristine
- run: ../config enable-fips && perl configdata.pm --dump
- working-directory: ./build-pristine
- - name: make build_generated pristine
- run: make -s build_generated
- working-directory: ./build-pristine
- - name: make fips-checksums pristine
- run: make fips-checksums
- working-directory: ./build-pristine
- - uses: actions/checkout at v2
- with:
- ref: ${{ github.event.pull_request.head.sha }}
- clean: false
- - name: config
- run: ../config enable-fips && perl configdata.pm --dump
- working-directory: ./build
- - name: make build_generated
- run: make -s build_generated
- working-directory: ./build
- - name: make fips-checksums
- run: make fips-checksums
- working-directory: ./build
- - name: update checksums pristine
- run: touch providers/fips.checksum.new && make update-fips-checksums
- working-directory: ./build-pristine
- - name: make diff-fips-checksums
- run: make diff-fips-checksums && echo "fips_unchanged=1" >> $GITHUB_ENV || echo "fips_changed=1" >> $GITHUB_ENV
- working-directory: ./build
- - name: set label
- if: ${{ env.fips_changed }}
- continue-on-error: true
- uses: actions/github-script at v4
- with:
- github-token: ${{secrets.GITHUB_TOKEN}}
- script: |
- github.issues.addLabels({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- labels: ['severity: fips change']
- })
- - name: remove label
- if: ${{ env.fips_unchanged }}
- continue-on-error: true
- uses: actions/github-script at v4
- with:
- github-token: ${{secrets.GITHUB_TOKEN}}
- script: |
- github.issues.removeLabel({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- name: 'severity: fips change'
- })
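Review bot: the commit message says only that the script "introduces a security vulnerability"; it should name the mechanism so the same pattern is not reintroduced later. In the removed file, `on: [pull_request_target]` is combined with a second checkout at `ref: ${{ github.event.pull_request.head.sha }}`, after which `../config enable-fips` and the `make` steps run in ./build. Code from the pull request's head therefore executes in a job that runs in the base repository's context, the same job that later passes `secrets.GITHUB_TOKEN` to actions/github-script. Suggest recording that in the message. If the 'severity: fips change' label is still wanted, also note a follow-up that does the build under the `pull_request` trigger, without a write-capable token, and applies the label from a separate workflow that never checks out or runs pull request code.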