CVS commit: [pkgsrc-2015Q1] pkgsrc/security/openssl

["S.P.Zeidler" <spz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   spz
Date:           Sat Jun 13 07:03:28 UTC 2015

Modified Files:
        pkgsrc/security/openssl [pkgsrc-2015Q1]: Makefile PLIST.common distinfo
        pkgsrc/security/openssl/patches [pkgsrc-2015Q1]: patch-Configure

Log Message:
Pullup ticket #4747 - requested by tron
security/openssl: security update

Revisions pulled up:
- security/openssl/Makefile                                     1.208-1.209
- security/openssl/PLIST.common                                 1.24
- security/openssl/distinfo                                     1.113-1.114
- security/openssl/patches/patch-Configure                      1.5

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        tron
   Date:                Fri Jun 12 17:02:24 UTC 2015

   Modified Files:
        pkgsrc/security/openssl: Makefile PLIST.common distinfo
        pkgsrc/security/openssl/patches: patch-Configure

   Log Message:
   Update "openssl" package to version 1.0.2b. Changes since version 1.0.2a:
   - Malformed ECParameters causes infinite loop
     When processing an ECParameters structure OpenSSL enters an infinite loop
     if the curve specified is over a specially malformed binary polynomial
     field.
     This can be used to perform denial of service against any
     system which processes public keys, certificate requests or
     certificates.  This includes TLS clients and TLS servers with
     client authentication enabled.
     This issue was reported to OpenSSL by Joseph Barr-Pixton.
     (CVE-2015-1788)
     [Andy Polyakov]
   - Exploitable out-of-bounds read in X509_cmp_time
     X509_cmp_time does not properly check the length of the ASN1_TIME
     string and can read a few bytes out of bounds. In addition,
     X509_cmp_time accepts an arbitrary number of fractional seconds in the
     time string.
     An attacker can use this to craft malformed certificates and CRLs of
     various sizes and potentially cause a segmentation fault, resulting in
     a DoS on applications that verify certificates or CRLs. TLS clients
     that verify CRLs are affected. TLS clients and servers with client
     authentication enabled may be affected if they use custom verification
     callbacks.
     This issue was reported to OpenSSL by Robert Swiecki (Google), and
     independently by Hanno B?ck.
     (CVE-2015-1789)
     [Emilia K?sper]
   - PKCS7 crash with missing EnvelopedContent
     The PKCS#7 parsing code does not handle missing inner EncryptedContent
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
     with missing content and trigger a NULL pointer dereference on parsing.
     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
     structures from untrusted sources are affected. OpenSSL clients and
     servers are not affected.
     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-1790)
     [Emilia K?sper]
   - CMS verify infinite loop with unknown hash function
     When verifying a signedData message the CMS code can enter an infinite lo=
   op
     if presented with an unknown hash function OID. This can be used to perfo=
   rm
     denial of service against any system which verifies signedData messages u=
   sing
     the CMS code.
     This issue was reported to OpenSSL by Johannes Bauer.
     (CVE-2015-1792)
     [Stephen Henson]
   - Race condition handling NewSessionTicket
     If a NewSessionTicket is received by a multi-threaded client when
     attempting to reuse a previous ticket then a race condition can occur
     potentially leading to a double free of the ticket data.
     (CVE-2015-1791)
     [Matt Caswell]
   - Removed support for the two export grade static DH ciphersuites
     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
     were newly added (along with a number of other static DH ciphersuites) to
     1.0.2. However the two export ones have *never* worked since they were
     introduced. It seems strange in any case to be adding new export
     ciphersuites, and given "logjam" it also does not seem correct to fix the=
   m.
     [Matt Caswell]
   - Only support 256-bit or stronger elliptic curves with the
     'ecdh_auto' setting (server) or by default (client). Of supported
     curves, prefer P-256 (both).
     [Emilia Kasper]
   - Reject DH handshakes with parameters shorter than 768 bits.
     [Kurt Roeckx and Emilia Kasper]

   To generate a diff of this commit:
   cvs rdiff -u -r1.207 -r1.208 pkgsrc/security/openssl/Makefile
   cvs rdiff -u -r1.23 -r1.24 pkgsrc/security/openssl/PLIST.common
   cvs rdiff -u -r1.112 -r1.113 pkgsrc/security/openssl/distinfo
   cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/openssl/patches/patch-Configure

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        tron
   Date:                Fri Jun 12 17:32:32 UTC 2015

   Modified Files:
        pkgsrc/security/openssl: Makefile distinfo

   Log Message:
   Update "openssl" package to version 1.0.2b. Changes since version 1.0.2c:
   - Fix HMAC ABI incompatibility. The previous version introduced an ABI
     incompatibility in the handling of HMAC. The previous ABI has now been
     restored.

   To generate a diff of this commit:
   cvs rdiff -u -r1.208 -r1.209 pkgsrc/security/openssl/Makefile
   cvs rdiff -u -r1.113 -r1.114 pkgsrc/security/openssl/distinfo


To generate a diff of this commit:
cvs rdiff -u -r1.204 -r1.204.2.1 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.23 -r1.23.2.1 pkgsrc/security/openssl/PLIST.common
cvs rdiff -u -r1.112 -r1.112.2.1 pkgsrc/security/openssl/distinfo
cvs rdiff -u -r1.4 -r1.4.2.1 pkgsrc/security/openssl/patches/patch-Configure

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.