From c07d5a87f2dc779d336ddcebf25bc3a12c3ed5f0 Mon Sep 17 00:00:00 2001 From: Xi Ruoyao Date: Thu, 23 Jun 2022 12:23:06 +0800 Subject: [PATCH] openssl: mark c_rehash obsolete The c_rehash script, shipped by OpenSSL versions in current LFS trunk and all previous LFS releases, is vulnerable to CVE-2022-2068. It's fixed in 3.0.4, but OpenSSL 3.0.4 is completely broken on CPU models with AVX-512 extension [1]. So we'd like to defer OpenSSL update and wait for upstream consensus about "would 3.0.5 be released in urgency". But, the upstream has announced that use of c_rehash is obsolete now [2]. So we can tell people not to use it. [1]: https://github.com/openssl/openssl/issues/18625 [2]: https://www.openssl.org/news/secadv/20220621.txt --- chapter08/openssl.xml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/chapter08/openssl.xml b/chapter08/openssl.xml index 044c715a4..70502969c 100644 --- a/chapter08/openssl.xml +++ b/chapter08/openssl.xml @@ -135,8 +135,11 @@ make MANSUFFIX=ssl install c_rehash - is a Perl script that scans all files in - a directory and adds symbolic links to their hash values + is a Perl script that + scans all files in a directory and adds symbolic links to their + hash values. Use of c_rehash is considered + obsolete and should be replaced by + openssl rehash command c_rehash
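Review bot: The new sentence in the chapter08/openssl.xml hunk ends "should be replaced by openssl rehash command" with no terminating period and no article, while the preceding sentence was changed to end with "hash values."; suggest "should be replaced by the openssl rehash command." so the two sentences in the description are consistently punctuated. The book text also gives readers no reason for the "obsolete" status: the commit message states that the shipped c_rehash is vulnerable to CVE-2022-2068 and cites the upstream advisory (https://www.openssl.org/news/secadv/20220621.txt), but none of that reaches the page. A short clause in the same sentence (for example, "obsolete (see the OpenSSL security advisory of 2022-06-21) and should be replaced by ...") would let a reader understand that this is a security recommendation rather than a stylistic one, and lets the entry stand on its own until the OpenSSL update that the commit message says is being deferred.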