Explicitly pin openssl to 1.0.2zi to avoid a CVE (#6825)

Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
2025-02-16 14:08:36 +00:00 · 2023-10-24 12:13:20 -04:00 · 2023-10-24 12:13:20 -04:00 · 7cec68962b
commit 7cec68962b
parent 56886eff1a
1 changed files with 11 additions and 3 deletions
--- a/omnibus_overrides.rb
+++ b/omnibus_overrides.rb
@ -5,7 +5,15 @@ train_stable = /^train \((.*)\)/.match(`gem list ^train$ --remote`)[1]
 override "train", version: "v#{train_stable}"
 override "ruby", version: "3.1.2"

-# Mac m1
-override "openssl", version: "1.1.1w" if mac_os_x?

-override "ruby-msys2-devkit", version: "3.1.2-1"
+# Mac Apple Silicon requires 1.1.1 series instead of 1.0.2 series
+if mac_os_x?
+  override "openssl", version: "1.1.1w"
+else
+  # Hopefully temporary, in October 2023 the default is 1.0.2zg which 
+  # has an open high cve, while zi is available. Temporarily pin until
+  # default in omnibus-software has no cves.
+  override "openssl", version: "1.0.2zi"
+end
+
+override "ruby-msys2-devkit", version: "3.1.2-1"