Skip to content

Upgrade m2crypto to version 0.48.0#17869

Open
SumitJenaHCL wants to merge 1 commit into
microsoft:3.0-devfrom
Kanishk-Bansal:topic_m2crypto-3.0
Open

Upgrade m2crypto to version 0.48.0#17869
SumitJenaHCL wants to merge 1 commit into
microsoft:3.0-devfrom
Kanishk-Bansal:topic_m2crypto-3.0

Conversation

@SumitJenaHCL

@SumitJenaHCL SumitJenaHCL commented Jun 30, 2026

Copy link
Copy Markdown
Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

This PR upgrades the m2crypto package from 0.38.0 to 0.48.0.

The previous spec carried three downstream patches that no longer apply to 0.48.0, and the upstream packaging/build changed:

  • CVE-2020-25657 (RSA Bleichenbacher timing attack) is fixed upstream as of 0.39.0 — the mitigation is present in rsa_private_decrypt / rsa_public_decrypt — so CVE-2020-25657.patch was dropped.
  • CVE-2019-11358 only patched a bundled jQuery 3.2.1 file in pre-built HTML docs; 0.48.0 ships no jQuery/JavaScript, so CVE-2019-11358.patch was dropped.
  • The FIPS TLS1 test-skip patch is obsolete — upstream tests now handle OpenSSL 3.x (test_tls1_ok auto-skips, test_tls1_nok was rewritten).
Change Log
  • SPECS/m2crypto/m2crypto.spec — bump to 0.48.0-1, License MIT->BSD, deps, offline pytest %check
  • SPECS/m2crypto/m2crypto.signatures.json — new source hash
  • SPECS/m2crypto/0001-tests-gate-hmac-md5-on-openssl-pre-3.0.patch — added (test-only)
  • SPECS/m2crypto/CVE-2020-25657.patch — removed (fixed upstream in 0.39.0)
  • SPECS/m2crypto/CVE-2019-11358.patch — removed (no bundled jQuery in 0.48.0)
  • SPECS/m2crypto/0001-skip-test_tls1_nok-which-cant-be-run-in-FIPS.patch — removed (upstream handles OpenSSL 3.x)
  • cgmanifest.json — m2crypto 0.38.0 -> 0.48.0
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Jun 30, 2026
@Kanishk-Bansal Kanishk-Bansal added the ptest package testing (%check section in spec) label Jun 30, 2026
@SumitJenaHCL

Copy link
Copy Markdown
Author

Buddy Build has passed.

@SumitJenaHCL SumitJenaHCL marked this pull request as ready for review June 30, 2026 15:26
@SumitJenaHCL SumitJenaHCL requested a review from a team as a code owner June 30, 2026 15:26
@SumitJenaHCL

Copy link
Copy Markdown
Author

Initially gated out the HMAC‑MD5 assertion with a patch, which effectively skipped that test. Switching to enabling the OpenSSL legacy provider in %check lets the upstream test_hmac run unmodified and actually exercise HMAC‑MD5 — so we keep full test coverage and carry no downstream patch to maintain. Same outcome (331 passed, 14 skipped, 0 failed), but it validates more and maintains less.

Buddy Build URL : https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1150353&view=results
Buddy build has passed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3.0-dev PRs Destined for AzureLinux 3.0 Packaging ptest package testing (%check section in spec)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants