pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2015Q1]: pkgsrc/security/openssl Pullup ticket #4747 - request...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/f7d1de6fee0e
branches:  pkgsrc-2015Q1
changeset: 649275:f7d1de6fee0e
user:      spz <spz%pkgsrc.org@localhost>
date:      Sat Jun 13 07:03:28 2015 +0000

description:
Pullup ticket #4747 - requested by tron
security/openssl: security update

Revisions pulled up:
- security/openssl/Makefile                                     1.208-1.209
- security/openssl/PLIST.common                                 1.24
- security/openssl/distinfo                                     1.113-1.114
- security/openssl/patches/patch-Configure                      1.5

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        tron
   Date:                Fri Jun 12 17:02:24 UTC 2015

   Modified Files:
        pkgsrc/security/openssl: Makefile PLIST.common distinfo
        pkgsrc/security/openssl/patches: patch-Configure

   Log Message:
   Update "openssl" package to version 1.0.2b. Changes since version 1.0.2a:
   - Malformed ECParameters causes infinite loop
     When processing an ECParameters structure OpenSSL enters an infinite loop
     if the curve specified is over a specially malformed binary polynomial
     field.
     This can be used to perform denial of service against any
     system which processes public keys, certificate requests or
     certificates.  This includes TLS clients and TLS servers with
     client authentication enabled.
     This issue was reported to OpenSSL by Joseph Barr-Pixton.
     (CVE-2015-1788)
     [Andy Polyakov]
   - Exploitable out-of-bounds read in X509_cmp_time
     X509_cmp_time does not properly check the length of the ASN1_TIME
     string and can read a few bytes out of bounds. In addition,
     X509_cmp_time accepts an arbitrary number of fractional seconds in the
     time string.
     An attacker can use this to craft malformed certificates and CRLs of
     various sizes and potentially cause a segmentation fault, resulting in
     a DoS on applications that verify certificates or CRLs. TLS clients
     that verify CRLs are affected. TLS clients and servers with client
     authentication enabled may be affected if they use custom verification
     callbacks.
     This issue was reported to OpenSSL by Robert Swiecki (Google), and
     independently by Hanno Böck.
     (CVE-2015-1789)
     [Emilia Käsper]
   - PKCS7 crash with missing EnvelopedContent
     The PKCS#7 parsing code does not handle missing inner EncryptedContent
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
     with missing content and trigger a NULL pointer dereference on parsing.
     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
     structures from untrusted sources are affected. OpenSSL clients and
     servers are not affected.
     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-1790)
     [Emilia Käsper]
   - CMS verify infinite loop with unknown hash function
     When verifying a signedData message the CMS code can enter an infinite loop
     if presented with an unknown hash function OID. This can be used to perform
     denial of service against any system which verifies signedData messages using
     the CMS code.
     This issue was reported to OpenSSL by Johannes Bauer.
     (CVE-2015-1792)
     [Stephen Henson]
   - Race condition handling NewSessionTicket
     If a NewSessionTicket is received by a multi-threaded client when
     attempting to reuse a previous ticket then a race condition can occur
     potentially leading to a double free of the ticket data.
     (CVE-2015-1791)
     [Matt Caswell]
   - Removed support for the two export grade static DH ciphersuites
     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
     were newly added (along with a number of other static DH ciphersuites) to
     1.0.2. However the two export ones have *never* worked since they were
     introduced. It seems strange in any case to be adding new export
     ciphersuites, and given "logjam" it also does not seem correct to fix them.
     [Matt Caswell]
   - Only support 256-bit or stronger elliptic curves with the
     'ecdh_auto' setting (server) or by default (client). Of supported
     curves, prefer P-256 (both).
     [Emilia Kasper]
   - Reject DH handshakes with parameters shorter than 768 bits.
     [Kurt Roeckx and Emilia Kasper]
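The X509_cmp_time entry above (CVE-2015-1789) is a length-checking failure in an ASN.1 time parser: the comparison could read a few bytes past the end of a short string and accepted an unbounded run of fractional-second digits. The C program below is added here as an illustration and is not OpenSSL's or pkgsrc's code; it shows the defensive shape such a parser should have, with every byte access bounded by the caller-supplied length and the RFC 5280 wire form (fixed length, digits only, mandatory trailing 'Z', no fractional seconds) enforced before any comparison is attempted. The function names, the asn1_tm struct and the sample time strings are this example's own constructions.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not OpenSSL code: bounds-safe validation, parsing and
 * comparison of the ASN.1 times carried in X.509 certificates and CRLs.
 * RFC 5280 fixes UTCTime to "YYMMDDHHMMSSZ" (13 bytes) and GeneralizedTime
 * to "YYYYMMDDHHMMSSZ" (15 bytes): no fractional seconds, no UTC offsets.
 * A truncated string is rejected instead of being read past its end, and an
 * over-long one (fractional seconds, "+0100" offsets) is rejected outright. */

enum { ASN1_TIME_UTC = 0, ASN1_TIME_GENERALIZED = 1 };

struct asn1_tm {                 /* this example's own struct */
    int year, mon, day, hour, min, sec;
};

static int all_digits(const unsigned char *s, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (s[i] < '0' || s[i] > '9')
            return 0;
    return 1;
}

/* Caller guarantees s points at two already-validated digits. */
static int two_digits(const unsigned char *s)
{
    return (s[0] - '0') * 10 + (s[1] - '0');
}

static int cmp_int(int x, int y) { return (x > y) - (x < y); }

/* Shape check only: exact length, all digits, trailing 'Z'.
 * Returns 1 when well-formed, 0 otherwise.  Never reads s beyond len. */
int asn1_time_wellformed(const unsigned char *s, size_t len, int kind)
{
    size_t expect = (kind == ASN1_TIME_GENERALIZED) ? 15 : 13;

    if (s == NULL || len != expect)
        return 0;            /* shorter would over-read; longer carries extra junk */
    if (s[len - 1] != 'Z')
        return 0;            /* RFC 5280 requires the 'Z' (UTC) designator */
    return all_digits(s, len - 1);
}

/* Parses into calendar fields with range checks.  Returns 1 on success,
 * 0 on reject.  UTCTime years follow RFC 5280: 50..99 -> 19xx, 00..49 -> 20xx. */
int asn1_time_parse(const unsigned char *s, size_t len, int kind, struct asn1_tm *t)
{
    size_t p;

    if (t == NULL || !asn1_time_wellformed(s, len, kind))
        return 0;
    if (kind == ASN1_TIME_GENERALIZED) {
        t->year = two_digits(s) * 100 + two_digits(s + 2);
        p = 4;
    } else {
        t->year = two_digits(s);
        t->year += (t->year >= 50) ? 1900 : 2000;
        p = 2;
    }
    t->mon  = two_digits(s + p);      t->day = two_digits(s + p + 2);
    t->hour = two_digits(s + p + 4);  t->min = two_digits(s + p + 6);
    t->sec  = two_digits(s + p + 8);

    if (t->mon < 1 || t->mon > 12 || t->day < 1 || t->day > 31 ||
        t->hour > 23 || t->min > 59 || t->sec > 59)
        return 0;
    return 1;
}

/* Compares two times of either encoding: -1, 0 or 1 like strcmp, or -2 when
 * either input is malformed, so an error is never mistaken for an ordering. */
int asn1_time_cmp(const unsigned char *a, size_t alen, int akind,
                  const unsigned char *b, size_t blen, int bkind)
{
    struct asn1_tm ta, tb;
    int r;

    if (!asn1_time_parse(a, alen, akind, &ta) || !asn1_time_parse(b, blen, bkind, &tb))
        return -2;
    if ((r = cmp_int(ta.year, tb.year)) != 0) return r;
    if ((r = cmp_int(ta.mon,  tb.mon))  != 0) return r;
    if ((r = cmp_int(ta.day,  tb.day))  != 0) return r;
    if ((r = cmp_int(ta.hour, tb.hour)) != 0) return r;
    if ((r = cmp_int(ta.min,  tb.min))  != 0) return r;
    return cmp_int(ta.sec, tb.sec);
}

int main(void)
{
    /* Constructed samples, not taken from any real certificate. */
    const unsigned char utc[]  = "150612170224Z";    /* 2015-06-12 17:02:24Z */
    const unsigned char gen[]  = "20150612170224Z";  /* same instant, GeneralizedTime */
    const unsigned char frac[] = "150612170224.5Z";  /* fractional seconds: reject */

    printf("utc well-formed: %d\n",  asn1_time_wellformed(utc,  sizeof utc  - 1, ASN1_TIME_UTC));
    printf("frac well-formed: %d\n", asn1_time_wellformed(frac, sizeof frac - 1, ASN1_TIME_UTC));
    printf("cmp(utc, gen) = %d\n", asn1_time_cmp(utc, sizeof utc - 1, ASN1_TIME_UTC,
                                                 gen, sizeof gen - 1, ASN1_TIME_GENERALIZED));
    return 0;
}
```

The design point is that the length is an input to the check rather than something inferred from the bytes: the caller passes the DER length of the string, the validator refuses anything that is not exactly the RFC 5280 size, and the comparison returns a distinct error value instead of a guess, so a verifier cannot treat a malformed notAfter as "not yet expired".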


   To generate a diff of this commit:
   cvs rdiff -u -r1.207 -r1.208 pkgsrc/security/openssl/Makefile
   cvs rdiff -u -r1.23 -r1.24 pkgsrc/security/openssl/PLIST.common
   cvs rdiff -u -r1.112 -r1.113 pkgsrc/security/openssl/distinfo
   cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/openssl/patches/patch-Configure

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        tron
   Date:                Fri Jun 12 17:32:32 UTC 2015

   Modified Files:
        pkgsrc/security/openssl: Makefile distinfo

   Log Message:
   Update "openssl" package to version 1.0.2b. Changes since version 1.0.2c:
   - Fix HMAC ABI incompatibility. The previous version introduced an ABI
     incompatibility in the handling of HMAC. The previous ABI has now been
     restored.


   To generate a diff of this commit:
   cvs rdiff -u -r1.208 -r1.209 pkgsrc/security/openssl/Makefile
   cvs rdiff -u -r1.113 -r1.114 pkgsrc/security/openssl/distinfo

diffstat:

 security/openssl/Makefile                |   8 ++++----
 security/openssl/PLIST.common            |   3 ++-
 security/openssl/distinfo                |  10 +++++-----
 security/openssl/patches/patch-Configure |  25 ++++++++++++++-----------
 4 files changed, 25 insertions(+), 21 deletions(-)

diffs (116 lines):

diff -r 938da2a73a35 -r f7d1de6fee0e security/openssl/Makefile
--- a/security/openssl/Makefile Fri Jun 12 22:44:26 2015 +0000
+++ b/security/openssl/Makefile Sat Jun 13 07:03:28 2015 +0000
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.204 2015/03/19 22:11:22 tron Exp $
+# $NetBSD: Makefile,v 1.204.2.1 2015/06/13 07:03:28 spz Exp $
 
-DISTNAME=      openssl-1.0.2a
+DISTNAME=      openssl-1.0.2c
 CATEGORIES=    security
-MASTER_SITES=  http://www.openssl.org/source/
+MASTER_SITES=  https://www.openssl.org/source/
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
-HOMEPAGE=      http://www.openssl.org/
+HOMEPAGE=      https://www.openssl.org/
 COMMENT=       Secure Socket Layer and cryptographic library
 LICENSE=       openssl
 
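Review bot: DISTNAME goes from openssl-1.0.2a straight to openssl-1.0.2c, so both pulled-up revisions (1.208 for 1.0.2b and 1.209 for 1.0.2c) are folded into this one changeset; the second log message above reads "to version 1.0.2b. Changes since version 1.0.2c", which is backwards against this hunk and was presumably meant as "to version 1.0.2c. Changes since version 1.0.2b". The switch of MASTER_SITES and HOMEPAGE to https:// is a welcome change in its own right, since until now the distinfo checksums were the only integrity check on the fetched tarball.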
diff -r 938da2a73a35 -r f7d1de6fee0e security/openssl/PLIST.common
--- a/security/openssl/PLIST.common     Fri Jun 12 22:44:26 2015 +0000
+++ b/security/openssl/PLIST.common     Sat Jun 13 07:03:28 2015 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST.common,v 1.23 2015/03/19 22:11:22 tron Exp $
+@comment $NetBSD: PLIST.common,v 1.23.2.1 2015/06/13 07:03:28 spz Exp $
 bin/c_rehash
 bin/openssl
 include/openssl/aes.h
@@ -1125,6 +1125,7 @@
 man/man3/SSL_CIPHER_get_name.3
 man/man3/SSL_CIPHER_get_version.3
 man/man3/SSL_COMP_add_compression_method.3
+man/man3/SSL_COMP_free_compression_methods.3
 man/man3/SSL_CONF_CTX_clear_flags.3
 man/man3/SSL_CONF_CTX_free.3
 man/man3/SSL_CONF_CTX_new.3
diff -r 938da2a73a35 -r f7d1de6fee0e security/openssl/distinfo
--- a/security/openssl/distinfo Fri Jun 12 22:44:26 2015 +0000
+++ b/security/openssl/distinfo Sat Jun 13 07:03:28 2015 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.112 2015/03/19 22:11:22 tron Exp $
+$NetBSD: distinfo,v 1.112.2.1 2015/06/13 07:03:28 spz Exp $
 
-SHA1 (openssl-1.0.2a.tar.gz) = 46ecd325b8e587fa491f6bb02ad4a9fb9f382f5f
-RMD160 (openssl-1.0.2a.tar.gz) = 2974a0a8cc469d85a5391a64aa0a2b2c5b00acfa
-Size (openssl-1.0.2a.tar.gz) = 5262089 bytes
-SHA1 (patch-Configure) = d57986a34cd88a27c5d94df5a3cc3e2c12bf8bbe
+SHA1 (openssl-1.0.2c.tar.gz) = 6e4a5e91159eb32383296c7c83ac0e59b83a0a44
+RMD160 (openssl-1.0.2c.tar.gz) = a54501f8bdfe0608f1020b7401eca83b8d947e58
+Size (openssl-1.0.2c.tar.gz) = 5280670 bytes
+SHA1 (patch-Configure) = ce5f4ab244f49d3a556b1123190f2424b38fd789
 SHA1 (patch-Makefile.org) = 72f023aeead660decaa09b6664936bd73a214069
 SHA1 (patch-Makefile.shared) = 709283ba4bb4bd568e289fe111b8dea319968328
 SHA1 (patch-apps_Makefile) = 745e01fb967979f5105896f8a728fd7a041af6c9
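Review bot: the new tarball is pinned with SHA1, RMD160 and Size only, so the integrity check on openssl-1.0.2c.tar.gz rests on two 160-bit digests; if this branch's mk/ infrastructure already understands a stronger digest, adding a SHA512 line here would be cheap. Note also that the patch-Configure checksum changes in step with the regenerated patch below, so anyone applying this changeset by hand has to take both together or the build will stop at the patch checksum.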
diff -r 938da2a73a35 -r f7d1de6fee0e security/openssl/patches/patch-Configure
--- a/security/openssl/patches/patch-Configure  Fri Jun 12 22:44:26 2015 +0000
+++ b/security/openssl/patches/patch-Configure  Sat Jun 13 07:03:28 2015 +0000
@@ -1,12 +1,12 @@
-$NetBSD: patch-Configure,v 1.4 2015/03/19 22:11:22 tron Exp $
+$NetBSD: patch-Configure,v 1.4.2.1 2015/06/13 07:03:28 spz Exp $
 
 * Avoid -fast on Solaris, creates non-portable packages which depend on
   host-specific CPU features.
 * Add GNU/kFreeBSD support.
 
---- Configure.orig     2015-03-19 13:30:36.000000000 +0000
-+++ Configure  2015-03-19 20:58:06.000000000 +0000
-@@ -341,6 +341,7 @@
+--- Configure.orig     2015-06-11 14:50:11.000000000 +0100
++++ Configure  2015-06-12 12:07:54.000000000 +0100
+@@ -358,6 +358,7 @@
  #
  "osf1-alpha-gcc", "gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
  "osf1-alpha-cc",  "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
@@ -14,10 +14,11 @@
  "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
  
  ####
-@@ -464,6 +465,29 @@
+@@ -481,8 +482,31 @@
  "BSD-ia64",   "gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "BSD-x86_64", "gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "BSD-x86_64", "cc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
  
+-"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"NetBSD","gcc:-DTERMIOS -O2 -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"NetBSD-alpha", "gcc:-DTERMIOS -DL_ENDIAN -O2 -Wall::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"NetBSD-arm", "gcc:-DTERMIOS -DL_ENDIAN -O2 -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
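Review bot: the regenerated patch now begins its added block by deleting upstream's "bsdi-elf-gcc" entry (the `+-"bsdi-elf-gcc"` line), which the previous version of the patch left untouched as context; unless the 1.0.2c Configure really moved that entry, this looks like a side effect of regenerating the patch after editing, and it goes beyond what the patch header says it does (avoid -fast on Solaris, add GNU/kFreeBSD). The BSD-x86_64 context line changing from `gcc:` to `cc:` is an upstream change carried in as context, not something this patch alters.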
@@ -39,12 +40,14 @@
 +"DragonFly-x86_64",    "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT 
DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"GNU/kFreeBSD-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIOS -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT 
DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"GNU/kFreeBSD-i386", "gcc:-DL_ENDIAN -DTERMIOS -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+
+ 
 +
- "bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++ "bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++ 
+ "nextstep",   "cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
+ "nextstep3.3",        "cc:-O3 -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
  
- "nextstep",   "cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
-@@ -915,7 +939,7 @@
+@@ -932,7 +956,7 @@
                        # The check for the option is there so scripts aren't
                        # broken
                        }
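Review bot: this hunk adds a whitespace-only patch line (`++ ` where the old version had a bare `-+`) and re-inserts the bsdi-elf-gcc entry with a leading space (`++ "bsdi-elf-gcc"`) after the GNU/kFreeBSD entries; together with the deletion in the previous hunk the net effect is to move and re-indent an upstream line the patch has no reason to touch, and trailing whitespace in a patch file is easily stripped by editors and then shows up as fuzz when the patch is applied. Suggest regenerating patch-Configure so that it adds only the NetBSD, DragonFly and GNU/kFreeBSD entries and leaves bsdi-elf-gcc and the blank line as plain context.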
@@ -53,7 +56,7 @@
                        {
                        if (/^--prefix=(.*)$/)
                                {
-@@ -1737,7 +1761,7 @@
+@@ -1764,7 +1788,7 @@
        elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
                {
                my $sotmp = $1;


