CVS commit: pkgsrc/security/openssl

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/security/openssl
From: Tobias Nygren <tnn%netbsd.org@localhost>
Date: Thu, 8 Jan 2009 16:38:22 +0000 (UTC)

Module Name:    pkgsrc
Committed By:   tnn
Date:           Thu Jan  8 16:38:22 UTC 2009

Modified Files:
        pkgsrc/security/openssl: Makefile PLIST.common distinfo
        pkgsrc/security/openssl/patches: patch-af patch-am

Log Message:
Update to openssl-0.9.8j. Fixes CVE-2008-5077.

Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
*) Properly check EVP_VerifyFinal() and similar return values
   (CVE-2008-5077).
*) Allow the CHIL engine to be loaded, whether the application is
   multithreaded or not. (This does not release the developer from the
   obligation to set up the dynamic locking callbacks.)
*) Use correct exit code if there is an error in dgst command.
*) Tweak Configure so that you need to say "experimental-jpake" to enable
   JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
*) Add experimental JPAKE support, including demo authentication in
   s_client and s_server.
*) Set the comparison function in v3_addr_canonize().
*) Add support for XMPP STARTTLS in s_client.
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
   to ensure that even with this option, only ciphersuites in the
   server's preference list will be accepted.  (Note that the option
   applies only when resuming a session, so the earlier behavior was
   just about the algorithm choice for symmetric cryptography.)

Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
*) Fix a state transitition in s3_srvr.c and d1_srvr.c
   (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
*) The fix in 0.9.8c that supposedly got rid of unsafe
   double-checked locking was incomplete for RSA blinding,
   addressing just one layer of what turns out to have been
   doubly unsafe triple-checked locking.
   So now fix this for real by retiring the MONT_HELPER macro
   in crypto/rsa/rsa_eay.c.
*) Various precautionary measures:
   - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
   - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
     (NB: This would require knowledge of the secret session ticket key
     to exploit, in which case you'd be SOL either way.)
   - Change bn_nist.c so that it will properly handle input BIGNUMs
     outside the expected range.
   - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
     builds.
*) Allow engines to be "soft loaded" - i.e. optionally don't die if
   the load fails. Useful for distros.
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
*) Expand ENGINE to support engine supplied SSL client certificate functions.
   This work was sponsored by Logica.
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
   keystores. Support for SSL/TLS client authentication too.
   Not compiled unless enable-capieng specified to Configure.
   This work was sponsored by Logica.
*) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
   ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
   attribute creation routines such as certifcate requests and PKCS#12
   files.


To generate a diff of this commit:
cvs rdiff -r1.136 -r1.137 pkgsrc/security/openssl/Makefile
cvs rdiff -r1.13 -r1.14 pkgsrc/security/openssl/PLIST.common
cvs rdiff -r1.64 -r1.65 pkgsrc/security/openssl/distinfo
cvs rdiff -r1.21 -r1.22 pkgsrc/security/openssl/patches/patch-af
cvs rdiff -r1.5 -r1.6 pkgsrc/security/openssl/patches/patch-am

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index