Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/OPENSSL]: src/crypto/external/bsd/openssl/dist Changes between 1.1.1i an...
details: https://anonhg.NetBSD.org/src/rev/508f289236dd
branches: OPENSSL
changeset: 952865:508f289236dd
user: christos <christos%NetBSD.org@localhost>
date: Sat Feb 20 03:12:10 2021 +0000
description:
Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
*) Fixed the X509_issuer_and_serial_hash() function. It attempts
to create a unique hash value based on the issuer and serial
number data contained within an X509 certificate. However it
was failing to correctly handle any errors that may occur
while parsing the issuer field (which might occur if the issuer
field is maliciously constructed). This may subsequently result
in a NULL pointer deref and a crash leading to a potential
denial of service attack.
(CVE-2021-23841)
[Matt Caswell]
*) Fixed the RSA_padding_check_SSLv23() function and the
RSA_SSLV23_PADDING padding mode to correctly check for rollback
attacks. This is considered a bug in OpenSSL 1.1.1 because it
does not support SSLv2. In 1.0.2 this is CVE-2021-23839.
[Matt Caswell]
*) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
functions. Previously they could overflow the output length
argument in some cases where the input length is close to the
maximum permissable length for an integer on the platform. In
such cases the return value from the function call would be
1 (indicating success), but the output length value would be
negative. This could cause applications to behave incorrectly
or crash.
(CVE-2021-23840)
[Matt Caswell]
*) Fixed SRP_Calc_client_key so that it runs in constant time.
The previous implementation called BN_mod_exp without setting
BN_FLG_CONSTTIME. This could be exploited in a side channel
attack to recover the password. Since the attack is local host
only this is outside of the current OpenSSL threat model and
therefore no CVE is assigned.
Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting
this issue.
[Matt Caswell]
diffstat:
crypto/external/bsd/openssl/dist/AUTHORS | 7 +
crypto/external/bsd/openssl/dist/CHANGES | 37 +++
crypto/external/bsd/openssl/dist/CONTRIBUTING | 4 +-
crypto/external/bsd/openssl/dist/Configurations/10-main.conf | 1 +
crypto/external/bsd/openssl/dist/Configurations/descrip.mms.tmpl | 36 +--
crypto/external/bsd/openssl/dist/Configure | 29 +-
crypto/external/bsd/openssl/dist/INSTALL | 15 +-
crypto/external/bsd/openssl/dist/NEWS | 10 +
crypto/external/bsd/openssl/dist/NOTES.VMS | 12 +-
crypto/external/bsd/openssl/dist/NOTES.WIN | 4 +-
crypto/external/bsd/openssl/dist/README | 2 +-
crypto/external/bsd/openssl/dist/VMS/msg_install.com | 19 +
crypto/external/bsd/openssl/dist/VMS/msg_staging.com | 37 +++
crypto/external/bsd/openssl/dist/apps/ca.c | 53 ++---
crypto/external/bsd/openssl/dist/crypto/armcap.c | 19 +-
crypto/external/bsd/openssl/dist/crypto/asn1/charmap.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_prime.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c | 16 +-
crypto/external/bsd/openssl/dist/crypto/conf/conf_def.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/dh/dh_key.c | 33 ++-
crypto/external/bsd/openssl/dist/crypto/err/openssl.txt | 3 +-
crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c | 27 ++
crypto/external/bsd/openssl/dist/crypto/evp/evp_err.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/mem_sec.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/objects/obj_dat.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/objects/obj_xref.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-armv4.pl | 13 +-
crypto/external/bsd/openssl/dist/crypto/ppccap.c | 20 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ssl.c | 10 +-
crypto/external/bsd/openssl/dist/crypto/srp/srp_lib.c | 13 +-
crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c | 22 +-
crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c | 15 +-
crypto/external/bsd/openssl/dist/crypto/x509/x_all.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/x509/x_attrib.c | 5 +-
crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c | 14 +-
crypto/external/bsd/openssl/dist/doc/man1/ca.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/cms.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/crl2pkcs7.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/dgst.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/dsa.pod | 6 +-
crypto/external/bsd/openssl/dist/doc/man1/ec.pod | 6 +-
crypto/external/bsd/openssl/dist/doc/man1/enc.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/genpkey.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/genrsa.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/pkcs12.pod | 14 +-
crypto/external/bsd/openssl/dist/doc/man1/pkcs8.pod | 6 +-
crypto/external/bsd/openssl/dist/doc/man1/pkey.pod | 6 +-
crypto/external/bsd/openssl/dist/doc/man1/pkeyutl.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/req.pod | 6 +-
crypto/external/bsd/openssl/dist/doc/man1/rsa.pod | 6 +-
crypto/external/bsd/openssl/dist/doc/man1/s_client.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/s_server.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/smime.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/spkac.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/storeutl.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/ts.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man1/x509.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man3/DH_generate_key.pod | 27 ++-
crypto/external/bsd/openssl/dist/doc/man3/OCSP_sendreq_new.pod | 28 ++-
crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_malloc.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/man3/X509_get_extension_flags.pod | 11 +-
crypto/external/bsd/openssl/dist/fuzz/x509.c | 2 +
crypto/external/bsd/openssl/dist/include/openssl/evperr.h | 7 +-
crypto/external/bsd/openssl/dist/include/openssl/obj_mac.h | 2 +-
crypto/external/bsd/openssl/dist/include/openssl/opensslv.h | 4 +-
crypto/external/bsd/openssl/dist/include/openssl/x509v3.h | 7 +-
crypto/external/bsd/openssl/dist/ssl/d1_lib.c | 11 +-
crypto/external/bsd/openssl/dist/ssl/record/rec_layer_d1.c | 5 +-
crypto/external/bsd/openssl/dist/ssl/ssl_local.h | 3 +-
crypto/external/bsd/openssl/dist/ssl/statem/extensions.c | 5 +-
crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c | 3 +-
crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c | 15 +-
crypto/external/bsd/openssl/dist/test/build.info | 4 +-
crypto/external/bsd/openssl/dist/test/certs/ca-pss-cert.pem | 21 ++
crypto/external/bsd/openssl/dist/test/certs/ca-pss-key.pem | 28 ++
crypto/external/bsd/openssl/dist/test/certs/ee-pss-cert.pem | 21 ++
crypto/external/bsd/openssl/dist/test/certs/invalid-cert.pem | 19 +
crypto/external/bsd/openssl/dist/test/certs/mkcert.sh | 24 +-
crypto/external/bsd/openssl/dist/test/certs/setup.sh | 13 +-
crypto/external/bsd/openssl/dist/test/recipes/25-test_verify.t | 7 +-
crypto/external/bsd/openssl/dist/test/recipes/70-test_verify_extra.t | 5 +-
crypto/external/bsd/openssl/dist/test/recipes/80-test_x509aux.t | 15 +-
crypto/external/bsd/openssl/dist/test/rsa_test.c | 105 ++++-----
crypto/external/bsd/openssl/dist/test/sslapitest.c | 59 +++++
crypto/external/bsd/openssl/dist/test/v3nametest.c | 2 +-
crypto/external/bsd/openssl/dist/test/verify_extra_test.c | 55 ++++-
crypto/external/bsd/openssl/dist/test/x509aux.c | 19 +-
87 files changed, 823 insertions(+), 318 deletions(-)
diffs (truncated from 2787 to 300 lines):
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/AUTHORS
--- a/crypto/external/bsd/openssl/dist/AUTHORS Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/AUTHORS Sat Feb 20 03:12:10 2021 +0000
@@ -13,6 +13,8 @@
Bernd Edlinger
Bodo Möller
David Benjamin
+David von Oheimb
+Dmitry Belyavskiy (Дмитрий Белявский)
Emilia Käsper
Eric Young
Geoff Thorpe
@@ -22,14 +24,19 @@
Mark J. Cox
Matt Caswell
Matthias St. Pierre
+Nicola Tuveri
Nils Larsch
+Patrick Steuer
Paul Dale
Paul C. Sutton
+Paul Yang
Ralf S. Engelschall
Rich Salz
Richard Levitte
+Shane Lontis
Stephen Henson
Steve Marquess
Tim Hudson
+Tomáš Mráz
Ulf Möller
Viktor Dukhovni
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Sat Feb 20 03:12:10 2021 +0000
@@ -7,6 +7,43 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
+
+ *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
+ create a unique hash value based on the issuer and serial number data
+ contained within an X509 certificate. However it was failing to correctly
+ handle any errors that may occur while parsing the issuer field (which might
+ occur if the issuer field is maliciously constructed). This may subsequently
+ result in a NULL pointer deref and a crash leading to a potential denial of
+ service attack.
+ (CVE-2021-23841)
+ [Matt Caswell]
+
+ *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+ padding mode to correctly check for rollback attacks. This is considered a
+ bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
+ CVE-2021-23839.
+ [Matt Caswell]
+
+ *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
+ functions. Previously they could overflow the output length argument in some
+ cases where the input length is close to the maximum permissable length for
+ an integer on the platform. In such cases the return value from the function
+ call would be 1 (indicating success), but the output length value would be
+ negative. This could cause applications to behave incorrectly or crash.
+ (CVE-2021-23840)
+ [Matt Caswell]
+
+ *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
+ implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
+ could be exploited in a side channel attack to recover the password. Since
+ the attack is local host only this is outside of the current OpenSSL
+ threat model and therefore no CVE is assigned.
+
+ Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
+ issue.
+ [Matt Caswell]
+
Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
*) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/CONTRIBUTING
--- a/crypto/external/bsd/openssl/dist/CONTRIBUTING Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/CONTRIBUTING Sat Feb 20 03:12:10 2021 +0000
@@ -41,8 +41,8 @@
https://www.openssl.org/policies/codingstyle.html) and compile
without warnings. Where gcc or clang is available you should use the
--strict-warnings Configure option. OpenSSL compiles on many varied
- platforms: try to ensure you only use portable features. Clean builds
- via Travis and AppVeyor are required, and they are started automatically
+ platforms: try to ensure you only use portable features. Clean builds via
+ GitHub Actions and AppVeyor are required, and they are started automatically
whenever a PR is created or updated.
5. When at all possible, patches should include tests. These can
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/Configurations/10-main.conf
--- a/crypto/external/bsd/openssl/dist/Configurations/10-main.conf Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/10-main.conf Sat Feb 20 03:12:10 2021 +0000
@@ -663,6 +663,7 @@
"linux-ppc" => {
inherit_from => [ "linux-generic32", asm("ppc32_asm") ],
perlasm_scheme => "linux32",
+ lib_cppflags => add("-DB_ENDIAN"),
},
"linux-ppc64" => {
inherit_from => [ "linux-generic64", asm("ppc64_asm") ],
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/Configurations/descrip.mms.tmpl
--- a/crypto/external/bsd/openssl/dist/Configurations/descrip.mms.tmpl Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/descrip.mms.tmpl Sat Feb 20 03:12:10 2021 +0000
@@ -377,8 +377,13 @@
$(NODEBUG) !
$(NODEBUG) ! Installation logical names
$(NODEBUG) !
- $(NODEBUG) installtop = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
- $(NODEBUG) datatop = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
+ $(NODEBUG) ! This also creates a few DCL variables that are used for
+ $(NODEBUG) ! the "install_msg" target.
+ $(NODEBUG) !
+ $(NODEBUG) installroot = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;"
+ $(NODEBUG) installtop = installroot + ".]"
+ $(NODEBUG) dataroot = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;"
+ $(NODEBUG) datatop = dataroot + ".]"
$(NODEBUG) DEFINE ossl_installroot 'installtop'
$(NODEBUG) DEFINE ossl_dataroot 'datatop'
$(NODEBUG) !
@@ -455,30 +460,19 @@
@ WRITE SYS$OUTPUT "Tests are not supported with your chosen Configure options"
@ ! {- output_on() if !$disabled{tests}; "" -}
-install : install_sw install_ssldirs install_docs
+install : install_sw install_ssldirs install_docs install_msg
+ @ !
+
+install_msg :
@ WRITE SYS$OUTPUT ""
@ WRITE SYS$OUTPUT "######################################################################"
@ WRITE SYS$OUTPUT ""
@ IF "$(DESTDIR)" .EQS. "" THEN -
- PIPE ( WRITE SYS$OUTPUT "Installation complete" ; -
- WRITE SYS$OUTPUT "" ; -
- WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; -
- WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; -
- WRITE SYS$OUTPUT "" )
+ @{- sourcefile("VMS", "msg_install.com") -} "$(SYSTARTUP)" "{- $osslver -}"
@ IF "$(DESTDIR)" .NES. "" THEN -
- PIPE ( WRITE SYS$OUTPUT "Staging installation complete" ; -
- WRITE SYS$OUTPUT "" ; -
- WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the directory tree" ; -
- WRITE SYS$OUTPUT staging_instdir ; -
- WRITE SYS$OUTPUT "ends up in $(INSTALLTOP)," ; -
- WRITE SYS$OUTPUT "and that the contents of the contents of the directory tree" ; -
- WRITE SYS$OUTPUT staging_datadir ; -
- WRITE SYS$OUTPUT "ends up in $(OPENSSLDIR)" ; -
- WRITE SYS$OUTPUT "" ; -
- WRITE SYS$OUTPUT "When in its final destination," ; -
- WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; -
- WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; -
- WRITE SYS$OUTPUT "" )
+ @{- sourcefile("VMS", "msg_staging.com") -} -
+ "''installroot']" "''dataroot']" "$(INSTALLTOP)" "$(OPENSSLDIR)" -
+ "$(SYSTARTUP)" "{- $osslver -}"
check_install :
spawn/nolog @ossl_installroot:[SYSTEST]openssl_ivp{- $osslver -}.com
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure Sat Feb 20 03:12:10 2021 +0000
@@ -1,6 +1,6 @@
#! /usr/bin/env perl
# -*- mode: perl; -*-
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1201,6 +1201,10 @@
# At this point, we can forget everything about %user and %useradd,
# because it's now all been merged into the corresponding $config entry
+if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
+ disable('static', 'pic', 'threads');
+}
+
# Allow overriding the build file name
$config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile";
@@ -1521,10 +1525,6 @@
}
}
-if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
- disable('static', 'pic', 'threads');
-}
-
$config{CFLAGS} = [ map { $_ eq '--ossl-strict-warnings'
? @strict_warnings_collection
: ( $_ ) }
@@ -2611,19 +2611,22 @@
}
print "\nEnabled features:\n\n";
foreach my $what (@disablables) {
- print " $what\n" unless $disabled{$what};
+ print " $what\n"
+ unless grep { $_ =~ /^${what}$/ } keys %disabled;
}
print "\nDisabled features:\n\n";
foreach my $what (@disablables) {
- if ($disabled{$what}) {
- print " $what", ' ' x ($longest - length($what) + 1),
- "[$disabled{$what}]", ' ' x ($longest2 - length($disabled{$what}) + 1);
- print $disabled_info{$what}->{macro}
- if $disabled_info{$what}->{macro};
+ my @what2 = grep { $_ =~ /^${what}$/ } keys %disabled;
+ my $what3 = $what2[0];
+ if ($what3) {
+ print " $what3", ' ' x ($longest - length($what3) + 1),
+ "[$disabled{$what3}]", ' ' x ($longest2 - length($disabled{$what3}) + 1);
+ print $disabled_info{$what3}->{macro}
+ if $disabled_info{$what3}->{macro};
print ' (skip ',
- join(', ', @{$disabled_info{$what}->{skipped}}),
+ join(', ', @{$disabled_info{$what3}->{skipped}}),
')'
- if $disabled_info{$what}->{skipped};
+ if $disabled_info{$what3}->{skipped};
print "\n";
}
}
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/INSTALL
--- a/crypto/external/bsd/openssl/dist/INSTALL Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/INSTALL Sat Feb 20 03:12:10 2021 +0000
@@ -106,8 +106,7 @@
This will build and install OpenSSL in the default location, which is:
Unix: normal installation directories under /usr/local
- OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the
- OpenSSL version number with underscores instead of periods.
+ OpenVMS: SYS$COMMON:[OPENSSL]
Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
The installation directory should be appropriately protected to ensure
@@ -116,7 +115,9 @@
your Operating System it is recommended that you do not overwrite the system
version and instead install to somewhere else.
- If you want to install it anywhere else, run config like this:
+ If you want to install it anywhere else, run config like this (the options
+ --prefix and --openssldir are explained further down, and the values shown
+ here are mere examples):
On Unix:
@@ -198,7 +199,7 @@
Unix: /usr/local
Windows: C:\Program Files\OpenSSL
or C:\Program Files (x86)\OpenSSL
- OpenVMS: SYS$COMMON:[OPENSSL-'version']
+ OpenVMS: SYS$COMMON:[OPENSSL]
--release
Build OpenSSL without debugging symbols. This is the default.
@@ -961,9 +962,9 @@
share/doc/openssl/html/man7
Contains the HTML rendition of the man-pages.
- OpenVMS ('arch' is replaced with the architecture name, "Alpha"
- or "ia64", 'sover' is replaced with the shared library version
- (0101 for 1.1), and 'pz' is replaced with the pointer size
+ OpenVMS ('arch' is replaced with the architecture name, "ALPHA"
+ or "IA64", 'sover' is replaced with the shared library version
+ (0101 for 1.1.x), and 'pz' is replaced with the pointer size
OpenSSL was built with):
[.EXE.'arch'] Contains the openssl binary.
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Sat Feb 20 03:12:10 2021 +0000
@@ -5,6 +5,16 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
+
+ o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
+ function (CVE-2021-23841)
+ o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+ padding mode to correctly check for rollback attacks
+ o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
+ EVP_DecryptUpdate functions (CVE-2021-23840)
+ o Fixed SRP_Calc_client_key so that it runs in constant time
+
Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/NOTES.VMS
--- a/crypto/external/bsd/openssl/dist/NOTES.VMS Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/NOTES.VMS Sat Feb 20 03:12:10 2021 +0000
@@ -90,9 +90,9 @@
Unix mount point.
The easiest way to check if everything got through as it should is to
- check for one of the following files:
Home |
Main Index |
Thread Index |
Old Index