pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/openssl Update openssl to 1.0.2m.
details: https://anonhg.NetBSD.org/pkgsrc/rev/1d8b28810d00
branches: trunk
changeset: 371960:1d8b28810d00
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Fri Nov 24 20:34:23 2017 +0000
description:
Update openssl to 1.0.2m.
This is a recommended security update.
Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
*) bn_sqrx8x_internal carry bug on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.
This only affects processors that support the BMI1, BMI2 and ADX extensions
like Intel Broadwell (5th generation) and later or AMD Ryzen.
This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3736)
[Andy Polyakov]
*) Malformed X.509 IPAddressFamily could cause OOB read
If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.
This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3735)
[Rich Salz]
Changes between 1.0.2k and 1.0.2l [25 May 2017]
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
platform rather than 'mingw'.
[Richard Levitte]
diffstat:
security/openssl/Makefile | 5 +-
security/openssl/PLIST.common | 90 +++++++++++++++++-
security/openssl/distinfo | 11 +-
security/openssl/patches/patch-crypto_x509v3_v3_addr.c | 25 -----
4 files changed, 96 insertions(+), 35 deletions(-)
diffs (237 lines):
diff -r 589496a9ced5 -r 1d8b28810d00 security/openssl/Makefile
--- a/security/openssl/Makefile Fri Nov 24 16:02:35 2017 +0000
+++ b/security/openssl/Makefile Fri Nov 24 20:34:23 2017 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.232 2017/09/22 21:02:43 tez Exp $
+# $NetBSD: Makefile,v 1.233 2017/11/24 20:34:23 bsiegert Exp $
-DISTNAME= openssl-1.0.2k
-PKGREVISION= 1
+DISTNAME= openssl-1.0.2m
CATEGORIES= security
MASTER_SITES= https://www.openssl.org/source/
diff -r 589496a9ced5 -r 1d8b28810d00 security/openssl/PLIST.common
--- a/security/openssl/PLIST.common Fri Nov 24 16:02:35 2017 +0000
+++ b/security/openssl/PLIST.common Fri Nov 24 20:34:23 2017 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST.common,v 1.30 2016/09/22 12:28:55 jperkin Exp $
+@comment $NetBSD: PLIST.common,v 1.31 2017/11/24 20:34:23 bsiegert Exp $
bin/c_rehash
bin/openssl
include/openssl/aes.h
@@ -122,6 +122,48 @@
man/man1/openssl_mdc2.1
man/man1/openssl_nseq.1
man/man1/openssl_ocsp.1
+man/man1/openssl_openssl-asn1parse.1
+man/man1/openssl_openssl-ca.1
+man/man1/openssl_openssl-ciphers.1
+man/man1/openssl_openssl-cms.1
+man/man1/openssl_openssl-crl.1
+man/man1/openssl_openssl-crl2pkcs7.1
+man/man1/openssl_openssl-dgst.1
+man/man1/openssl_openssl-dhparam.1
+man/man1/openssl_openssl-dsa.1
+man/man1/openssl_openssl-dsaparam.1
+man/man1/openssl_openssl-ec.1
+man/man1/openssl_openssl-ecparam.1
+man/man1/openssl_openssl-enc.1
+man/man1/openssl_openssl-errstr.1
+man/man1/openssl_openssl-gendsa.1
+man/man1/openssl_openssl-genpkey.1
+man/man1/openssl_openssl-genrsa.1
+man/man1/openssl_openssl-nseq.1
+man/man1/openssl_openssl-ocsp.1
+man/man1/openssl_openssl-passwd.1
+man/man1/openssl_openssl-pkcs12.1
+man/man1/openssl_openssl-pkcs7.1
+man/man1/openssl_openssl-pkcs8.1
+man/man1/openssl_openssl-pkey.1
+man/man1/openssl_openssl-pkeyparam.1
+man/man1/openssl_openssl-pkeyutl.1
+man/man1/openssl_openssl-rand.1
+man/man1/openssl_openssl-req.1
+man/man1/openssl_openssl-rsa.1
+man/man1/openssl_openssl-rsautl.1
+man/man1/openssl_openssl-s_client.1
+man/man1/openssl_openssl-s_server.1
+man/man1/openssl_openssl-s_time.1
+man/man1/openssl_openssl-sess_id.1
+man/man1/openssl_openssl-smime.1
+man/man1/openssl_openssl-speed.1
+man/man1/openssl_openssl-spkac.1
+man/man1/openssl_openssl-ts.1
+man/man1/openssl_openssl-tsget.1
+man/man1/openssl_openssl-verify.1
+man/man1/openssl_openssl-version.1
+man/man1/openssl_openssl-x509.1
man/man1/openssl_passwd.1
man/man1/openssl_pkcs12.1
man/man1/openssl_pkcs7.1
@@ -814,6 +856,7 @@
man/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3
man/man3/EVP_PKEY_CTX_set_rsa_rsa_keygen_bits.3
man/man3/EVP_PKEY_CTX_set_signature_md.3
+man/man3/EVP_PKEY_METHOD.3
man/man3/EVP_PKEY_assign_DH.3
man/man3/EVP_PKEY_assign_DSA.3
man/man3/EVP_PKEY_assign_EC_KEY.3
@@ -837,6 +880,39 @@
man/man3/EVP_PKEY_get_default_digest_nid.3
man/man3/EVP_PKEY_keygen.3
man/man3/EVP_PKEY_keygen_init.3
+man/man3/EVP_PKEY_meth_add0.3
+man/man3/EVP_PKEY_meth_copy.3
+man/man3/EVP_PKEY_meth_find.3
+man/man3/EVP_PKEY_meth_free.3
+man/man3/EVP_PKEY_meth_get_cleanup.3
+man/man3/EVP_PKEY_meth_get_copy.3
+man/man3/EVP_PKEY_meth_get_ctrl.3
+man/man3/EVP_PKEY_meth_get_decrypt.3
+man/man3/EVP_PKEY_meth_get_derive.3
+man/man3/EVP_PKEY_meth_get_encrypt.3
+man/man3/EVP_PKEY_meth_get_init.3
+man/man3/EVP_PKEY_meth_get_keygen.3
+man/man3/EVP_PKEY_meth_get_paramgen.3
+man/man3/EVP_PKEY_meth_get_sign.3
+man/man3/EVP_PKEY_meth_get_signctx.3
+man/man3/EVP_PKEY_meth_get_verify.3
+man/man3/EVP_PKEY_meth_get_verify_recover.3
+man/man3/EVP_PKEY_meth_get_verifyctx.3
+man/man3/EVP_PKEY_meth_new.3
+man/man3/EVP_PKEY_meth_set_cleanup.3
+man/man3/EVP_PKEY_meth_set_copy.3
+man/man3/EVP_PKEY_meth_set_ctrl.3
+man/man3/EVP_PKEY_meth_set_decrypt.3
+man/man3/EVP_PKEY_meth_set_derive.3
+man/man3/EVP_PKEY_meth_set_encrypt.3
+man/man3/EVP_PKEY_meth_set_init.3
+man/man3/EVP_PKEY_meth_set_keygen.3
+man/man3/EVP_PKEY_meth_set_paramgen.3
+man/man3/EVP_PKEY_meth_set_sign.3
+man/man3/EVP_PKEY_meth_set_signctx.3
+man/man3/EVP_PKEY_meth_set_verify.3
+man/man3/EVP_PKEY_meth_set_verify_recover.3
+man/man3/EVP_PKEY_meth_set_verifyctx.3
man/man3/EVP_PKEY_missing_parameters.3
man/man3/EVP_PKEY_new.3
man/man3/EVP_PKEY_paramgen.3
@@ -865,10 +941,14 @@
man/man3/EVP_VerifyFinal.3
man/man3/EVP_VerifyInit.3
man/man3/EVP_VerifyUpdate.3
+man/man3/EVP_aes_128_cbc_hmac_sha1.3
+man/man3/EVP_aes_128_cbc_hmac_sha256.3
man/man3/EVP_aes_128_ccm.3
man/man3/EVP_aes_128_gcm.3
man/man3/EVP_aes_192_ccm.3
man/man3/EVP_aes_192_gcm.3
+man/man3/EVP_aes_256_cbc_hmac_sha1.3
+man/man3/EVP_aes_256_cbc_hmac_sha256.3
man/man3/EVP_aes_256_ccm.3
man/man3/EVP_aes_256_gcm.3
man/man3/EVP_bf_cbc.3
@@ -918,6 +998,7 @@
man/man3/EVP_rc2_ofb.3
man/man3/EVP_rc4.3
man/man3/EVP_rc4_40.3
+man/man3/EVP_rc4_hmac_md5.3
man/man3/EVP_rc5_32_12_16_cbc.3
man/man3/EVP_rc5_32_12_16_cfb.3
man/man3/EVP_rc5_32_12_16_ecb.3
@@ -1258,6 +1339,8 @@
man/man3/SSL_CTX_set_session_id_context.3
man/man3/SSL_CTX_set_ssl_version.3
man/man3/SSL_CTX_set_timeout.3
+man/man3/SSL_CTX_set_tlsext_servername_arg.3
+man/man3/SSL_CTX_set_tlsext_servername_callback.3
man/man3/SSL_CTX_set_tlsext_status_arg.3
man/man3/SSL_CTX_set_tlsext_status_cb.3
man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3
@@ -1307,6 +1390,7 @@
man/man3/SSL_connect.3
man/man3/SSL_ctrl.3
man/man3/SSL_do_handshake.3
+man/man3/SSL_export_keying_material.3
man/man3/SSL_flush_sessions.3
man/man3/SSL_free.3
man/man3/SSL_get0_alpn_selected.3
@@ -1342,6 +1426,8 @@
man/man3/SSL_get_rbio.3
man/man3/SSL_get_read_ahead.3
man/man3/SSL_get_secure_renegotiation_support.3
+man/man3/SSL_get_servername.3
+man/man3/SSL_get_servername_type.3
man/man3/SSL_get_session.3
man/man3/SSL_get_shared_curve.3
man/man3/SSL_get_shutdown.3
@@ -1494,6 +1580,7 @@
man/man3/X509_NAME_print.3
man/man3/X509_NAME_print_ex.3
man/man3/X509_NAME_print_ex_fp.3
+man/man3/X509_REQ_check_private_key.3
man/man3/X509_STORE_CTX_cleanup.3
man/man3/X509_STORE_CTX_free.3
man/man3/X509_STORE_CTX_get0_param.3
@@ -1537,6 +1624,7 @@
man/man3/X509_check_host.3
man/man3/X509_check_ip.3
man/man3/X509_check_ip_asc.3
+man/man3/X509_check_private_key.3
man/man3/X509_free.3
man/man3/X509_new.3
man/man3/X509_verify_cert.3
diff -r 589496a9ced5 -r 1d8b28810d00 security/openssl/distinfo
--- a/security/openssl/distinfo Fri Nov 24 16:02:35 2017 +0000
+++ b/security/openssl/distinfo Fri Nov 24 20:34:23 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.128 2017/09/22 21:02:43 tez Exp $
+$NetBSD: distinfo,v 1.129 2017/11/24 20:34:23 bsiegert Exp $
-SHA1 (openssl-1.0.2k.tar.gz) = 5f26a624479c51847ebd2f22bb9f84b3b44dcb44
-RMD160 (openssl-1.0.2k.tar.gz) = 56b70831e49f83987ec14b3878d0d693f9a7d862
-SHA512 (openssl-1.0.2k.tar.gz) = 0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016
-Size (openssl-1.0.2k.tar.gz) = 5309236 bytes
+SHA1 (openssl-1.0.2m.tar.gz) = 27fb00641260f97eaa587eb2b80fab3647f6013b
+RMD160 (openssl-1.0.2m.tar.gz) = 353479313ecfee1abdf28170e642fc30a4c71c09
+SHA512 (openssl-1.0.2m.tar.gz) = 7619aa223ee50d0f5e270ac9090e95b2b1ba5dfc656c98f625a9a277dda472fb960a4e89a7ba300044cb401b2072b2ca6a6fcce8206d927bf373d1c981806a93
+Size (openssl-1.0.2m.tar.gz) = 5373776 bytes
SHA1 (patch-Configure) = 2d963d781314276a0ee1bc531df6bc50f0f6b32b
SHA1 (patch-Makefile.org) = d2a9295003a8b88718a328b01ff6bcbbc102ec0b
SHA1 (patch-Makefile.shared) = d317004d6ade167fc3b6e533bb8a1e93657188b2
@@ -11,5 +11,4 @@
SHA1 (patch-config) = 345cadece3bdf0ef0a273a6c9ba6d0cbb1026a31
SHA1 (patch-crypto_bn_bn__prime.pl) = a516f3709a862d85e659d466e895419b1e0a94c8
SHA1 (patch-crypto_des_Makefile) = 7a23f9883ff6c93ec0e5d08e1332cc95de8cdba2
-SHA1 (patch-crypto_x509v3_v3_addr.c) = 0782668ce0748b58eda9036ee93fa926e575698b
SHA1 (patch-tools_Makefile) = 67f0b9b501969382fd89b678c277d32bf5d294bc
diff -r 589496a9ced5 -r 1d8b28810d00 security/openssl/patches/patch-crypto_x509v3_v3_addr.c
--- a/security/openssl/patches/patch-crypto_x509v3_v3_addr.c Fri Nov 24 16:02:35 2017 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,25 +0,0 @@
-$NetBSD: patch-crypto_x509v3_v3_addr.c,v 1.1 2017/09/22 21:02:43 tez Exp $
-
-Patch for CVE-2017-3735 from
-https://github.com/openssl/openssl/commit/31c8b265591a0aaa462a1f3eb5770661aaac67db
-
-
---- crypto/x509v3/v3_addr.c
-+++ crypto/x509v3/v3_addr.c
-@@ -130,10 +130,12 @@ static int length_from_afi(const unsigned afi)
- */
- unsigned int v3_addr_get_afi(const IPAddressFamily *f)
- {
-- return ((f != NULL &&
-- f->addressFamily != NULL && f->addressFamily->data != NULL)
-- ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1]))
-- : 0);
-+ if (f == NULL
-+ || f->addressFamily == NULL
-+ || f->addressFamily->data == NULL
-+ || f->addressFamily->length < 2)
-+ return 0;
-+ return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
- }
-
- /*
Home |
Main Index |
Thread Index |
Old Index