[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/security/openssl
Module Name: pkgsrc
Committed By: tnn
Date: Thu Jan 8 16:38:22 UTC 2009
pkgsrc/security/openssl: Makefile PLIST.common distinfo
pkgsrc/security/openssl/patches: patch-af patch-am
Update to openssl-0.9.8j. Fixes CVE-2008-5077.
Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
*) Properly check EVP_VerifyFinal() and similar return values
*) Allow the CHIL engine to be loaded, whether the application is
multithreaded or not. (This does not release the developer from the
obligation to set up the dynamic locking callbacks.)
*) Use correct exit code if there is an error in dgst command.
*) Tweak Configure so that you need to say "experimental-jpake" to enable
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
*) Add experimental JPAKE support, including demo authentication in
s_client and s_server.
*) Set the comparison function in v3_addr_canonize().
*) Add support for XMPP STARTTLS in s_client.
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
to ensure that even with this option, only ciphersuites in the
server's preference list will be accepted. (Note that the option
applies only when resuming a session, so the earlier behavior was
just about the algorithm choice for symmetric cryptography.)
Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
*) Fix a state transitition in s3_srvr.c and d1_srvr.c
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
*) The fix in 0.9.8c that supposedly got rid of unsafe
double-checked locking was incomplete for RSA blinding,
addressing just one layer of what turns out to have been
doubly unsafe triple-checked locking.
So now fix this for real by retiring the MONT_HELPER macro
*) Various precautionary measures:
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
(NB: This would require knowledge of the secret session ticket key
to exploit, in which case you'd be SOL either way.)
- Change bn_nist.c so that it will properly handle input BIGNUMs
outside the expected range.
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
*) Allow engines to be "soft loaded" - i.e. optionally don't die if
the load fails. Useful for distros.
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
*) Expand ENGINE to support engine supplied SSL client certificate functions.
This work was sponsored by Logica.
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
keystores. Support for SSL/TLS client authentication too.
Not compiled unless enable-capieng specified to Configure.
This work was sponsored by Logica.
*) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
attribute creation routines such as certifcate requests and PKCS#12
To generate a diff of this commit:
cvs rdiff -r1.136 -r1.137 pkgsrc/security/openssl/Makefile
cvs rdiff -r1.13 -r1.14 pkgsrc/security/openssl/PLIST.common
cvs rdiff -r1.64 -r1.65 pkgsrc/security/openssl/distinfo
cvs rdiff -r1.21 -r1.22 pkgsrc/security/openssl/patches/patch-af
cvs rdiff -r1.5 -r1.6 pkgsrc/security/openssl/patches/patch-am
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Main Index |
Thread Index |