author | taca <taca@pkgsrc.org> | 2010-01-15 04:55:30 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2010-01-15 04:55:30 +0000 |
commit | 0b5c2cae0362a377f7b559d5a3e8bd976a534190 (patch) | |
tree | d1021751a6eda0e3f58c259261702a0bf22fe064 | |
parent | ae4baa3248d3756871ebda746e80d5172dc5f95c (diff) | |
download | pkgsrc-0b5c2cae0362a377f7b559d5a3e8bd976a534190.tar.gz |
Update openssl package to 0.9.8l, fixing security problem.
Approved by agc@.
Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
*) Disable renegotiation completely - this fixes a severe security
problem (CVE-2009-3555) at the cost of breaking all
renegotiation. Renegotiation can be re-enabled by setting
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
run-time. This is really not recommended unless you know what
you're doing.
[Ben Laurie]
-rw-r--r-- | security/openssl/Makefile | 7 | ||||
-rw-r--r-- | security/openssl/distinfo | 14 | ||||
-rw-r--r-- | security/openssl/patches/patch-aa | 10 | ||||
-rw-r--r-- | security/openssl/patches/patch-ac | 16 | ||||
-rw-r--r-- | security/openssl/patches/patch-af | 10 |
5 files changed, 28 insertions, 29 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile index bb0cb9e838e..df98f46093c 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,15 +1,14 @@ -# $NetBSD: Makefile,v 1.141 2009/12/25 11:58:06 obache Exp $ +# $NetBSD: Makefile,v 1.142 2010/01/15 04:55:30 taca Exp $ OPENSSL_SNAPSHOT?= # empty OPENSSL_STABLE?= # empty -OPENSSL_VERS?= 0.9.8k -PKGREVISION= 1 +OPENSSL_VERS?= 0.9.8l .if empty(OPENSSL_SNAPSHOT) DISTNAME= openssl-${OPENSSL_VERS} MASTER_SITES= ftp://ftp.openssl.org/source/ \ ftp://sunsite.cnlab-switch.ch/mirror/openssl/source/ \ - ftp://sunsite.uio.no/pub/security/openssl/source/ + ftp://sunsite.uio.no/pub/security/openssl/source/ .else . if !empty(OPENSSL_STABLE:M[yY][eE][sS]) DISTNAME= openssl-${OPENSSL_VERS:C/[a-z]$//}-stable-SNAP-${OPENSSL_SNAPSHOT} diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 203c81f625a..da4a313795c 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo 
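Review bot: The bump to `OPENSSL_VERS?= 0.9.8l` in security/openssl/Makefile changes runtime behaviour for every package that links against this one, and nothing in the package itself records that. Per the upstream changelog quoted in the commit message, renegotiation is disabled completely to address CVE-2009-3555. Peers that depend on renegotiation (for example, a server that asks for a client certificate only after the initial handshake) would presumably start failing once this is installed, and the only opt-out named upstream is the run-time flag SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, which re-opens the problem. I would add a comment beside the version line, such as `# 0.9.8l disables TLS renegotiation (CVE-2009-3555); do not re-enable it via SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION without review`, or an install-time message, so operators see the trade-off before they upgrade. The Makefile continues past this hunk, so such a note may already exist outside the visible lines.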
@@ -1,13 +1,13 @@ -$NetBSD: distinfo,v 1.69 2009/12/25 11:58:06 obache Exp $ +$NetBSD: distinfo,v 1.70 2010/01/15 04:55:30 taca Exp $ -SHA1 (openssl-0.9.8k.tar.gz) = 3ba079f91d3c1ec90a36dcd1d43857165035703f -RMD160 (openssl-0.9.8k.tar.gz) = 496df7a5d33457b0d8e3b930a8e5cf068923182c -Size (openssl-0.9.8k.tar.gz) = 3852259 bytes -SHA1 (patch-aa) = 7191fd8bc34b384f44a9a7c238a556f251ab01c9 -SHA1 (patch-ac) = 1b0954f97524b3896bef562d1b13fa9aec1f0dec +SHA1 (openssl-0.9.8l.tar.gz) = d3fb6ec89532ab40646b65af179bb1770f7ca28f +RMD160 (openssl-0.9.8l.tar.gz) = 9de81ec2583edcba729e62d50fd22c0a98a52903 +Size (openssl-0.9.8l.tar.gz) = 4179422 bytes +SHA1 (patch-aa) = cb6942b0be960151c185e89af1e09050a6b18dff +SHA1 (patch-ac) = 3f62d36e18c2b8f587322dac5b329207704f40ad SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3 SHA1 (patch-ae) = 7a58f1765a3761321dcc8dafc5fe2e33207be480 -SHA1 (patch-af) = 1eda5a96835b65d325c77ce5d39f1e524815a3c7 +SHA1 (patch-af) = 81263ce9dc0e89293ac1fc298e1178253a0b0b1b SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8 SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0 SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302 diff --git a/security/openssl/patches/patch-aa b/security/openssl/patches/patch-aa index ed8b93aecba..5c2acd50232 100644 --- a/security/openssl/patches/patch-aa +++ b/security/openssl/patches/patch-aa @@ -1,7 +1,7 @@ -$NetBSD: patch-aa,v 1.21 2009/12/25 11:58:06 obache Exp $ +$NetBSD: patch-aa,v 1.22 2010/01/15 04:55:30 taca Exp $ ---- config.orig 2007-08-01 13:21:35.000000000 +0200 -+++ config 2007-10-21 13:18:53.000000000 +0200 +--- config.orig 2009-02-16 08:43:41.000000000 +0000 ++++ config @@ -49,6 +49,7 @@ done # First get uname entries that we use below @@ -39,7 +39,7 @@ $NetBSD: patch-aa,v 1.21 2009/12/25 11:58:06 obache Exp $ ;; OpenBSD:*) -@@ -655,13 +664,18 @@ case "$GUESSOS" in +@@ -661,13 +670,18 @@ case "$GUESSOS" in ;; *-*-sunos4) OUT="sunos-$CC" ;; 
@@ -59,7 +59,7 @@ $NetBSD: patch-aa,v 1.21 2009/12/25 11:58:06 obache Exp $ if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD libc=/usr/lib/libc.so else # OpenBSD -@@ -674,6 +688,8 @@ case "$GUESSOS" in +@@ -680,6 +694,8 @@ case "$GUESSOS" in esac ;; *-*-*bsd*) OUT="BSD-generic32" ;; diff --git a/security/openssl/patches/patch-ac b/security/openssl/patches/patch-ac index 67ec4004446..05e06c9ca5f 100644 --- a/security/openssl/patches/patch-ac +++ b/security/openssl/patches/patch-ac @@ -1,8 +1,8 @@ -$NetBSD: patch-ac,v 1.36 2009/12/25 11:58:06 obache Exp $ +$NetBSD: patch-ac,v 1.37 2010/01/15 04:55:30 taca Exp $ ---- Configure.orig 2007-09-16 14:24:17.000000000 +0200 -+++ Configure 2007-10-21 13:21:36.000000000 +0200 -@@ -194,7 +194,7 @@ my %table=( +--- Configure.orig 2009-11-05 12:07:06.000000000 +0000 ++++ Configure +@@ -206,7 +206,7 @@ my %table=( "solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Solaris x86 with Sun C setups @@ -11,7 +11,7 @@ $NetBSD: patch-ac,v 1.36 2009/12/25 11:58:06 obache Exp $ "solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with GNU C setups -@@ -306,6 +306,7 @@ my %table=( +@@ -318,6 +318,7 @@ my %table=( # "osf1-alpha-gcc", "gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${no_asm}:dlfcn:alpha-osf1-shared:::.so", "osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared:::.so", 
@@ -19,7 +19,7 @@ $NetBSD: patch-ac,v 1.36 2009/12/25 11:58:06 obache Exp $ "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared::-msym:.so", #### -@@ -368,6 +369,25 @@ my %table=( +@@ -380,6 +381,25 @@ my %table=( "BSD-ia64", "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "BSD-x86_64", "gcc:-DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -45,7 +45,7 @@ $NetBSD: patch-ac,v 1.36 2009/12/25 11:58:06 obache Exp $ "bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "nextstep", "cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", -@@ -734,6 +754,10 @@ PROCESS_ARGS: +@@ -808,6 +828,10 @@ PROCESS_ARGS: { $libs.=$_." "; } @@ -56,7 +56,7 @@ $NetBSD: patch-ac,v 1.36 2009/12/25 11:58:06 obache Exp $ elsif (/^-[^-]/ or /^\+/) { $flags.=$_." "; -@@ -1371,7 +1395,7 @@ while (<IN>) +@@ -1523,7 +1547,7 @@ while (<IN>) elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) { my $sotmp = $1; diff --git a/security/openssl/patches/patch-af b/security/openssl/patches/patch-af index ebae02aac9d..b209050cfcc 100644 --- a/security/openssl/patches/patch-af +++ b/security/openssl/patches/patch-af @@ -1,6 +1,6 @@ -$NetBSD: patch-af,v 1.22 2009/01/08 16:38:22 tnn Exp $ +$NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $ ---- Makefile.org.orig 2008-12-30 14:26:26.000000000 +0100 +--- Makefile.org.orig 2009-03-03 22:40:29.000000000 +0000 +++ Makefile.org @@ -28,6 +28,7 @@ INSTALLTOP=/usr/local/ssl 
@@ -47,7 +47,7 @@ $NetBSD: patch-af,v 1.22 2009/01/08 16:38:22 tnn Exp $ INSTALL_PREFIX='${INSTALL_PREFIX}' \ INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' \ MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \ -@@ -608,7 +610,7 @@ dist: +@@ -611,7 +613,7 @@ dist: dist_pem_h: (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) @@ -56,7 +56,7 @@ $NetBSD: patch-af,v 1.22 2009/01/08 16:38:22 tnn Exp $ install_sw: @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ -@@ -616,9 +618,7 @@ install_sw: +@@ -619,9 +621,7 @@ install_sw: $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ @@ -67,7 +67,7 @@ $NetBSD: patch-af,v 1.22 2009/01/08 16:38:22 tnn Exp $ @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ -@@ -688,35 +688,53 @@ install_docs: +@@ -691,35 +691,53 @@ install_docs: set -e; for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ sec=`$(PERL) util/extract-section.pl 1 < $$i`; \ |