Pullup ticket #4877 - requested by cyberpkgsrc_2015Q3

security/openssl: security fix

Revisions pulled up:
- security/openssl/Makefile                                     1.214-1.216
- security/openssl/PLIST.common                                 1.26
- security/openssl/distinfo                                     1.116,1.118
- security/openssl/patches/patch-Makefile.shared                1.3

---
   Module Name:    pkgsrc
   Committed By:   jperkin
   Date:           Fri Oct  9 11:44:48 UTC 2015

   Modified Files:
           pkgsrc/security/openssl: Makefile

   Log Message:
   Force the "linux-elf" Configure target for Linux 32-bit, fixes the build when
   running with ABI=32 on a 64-bit native host.

---
   Module Name:    pkgsrc
   Committed By:   jperkin
   Date:           Mon Oct 26 09:42:47 UTC 2015

   Modified Files:
           pkgsrc/security/openssl: Makefile distinfo
           pkgsrc/security/openssl/patches: patch-Makefile.shared

   Log Message:
   Support SunOS/clang and pass -h linker argument correctly.  Doesn't fully
   fix the build yet, an additional patch to remove LD_LIBRARY_PATH is required
   but needs wider testing.

---
   Module Name:    pkgsrc
   Committed By:   jperkin
   Date:           Mon Dec  7 15:57:42 UTC 2015

   Modified Files:
           pkgsrc/security/openssl: Makefile PLIST.common distinfo

   Log Message:
   Update security/openssl to 1.0.2e.

   pkgsrc changes:

     - We now need to run 'make depend' after configure to pick up algorithm
       selection changes.

   Upstream changes:

    Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

     *) BN_mod_exp may produce incorrect results on x86_64

        There is a carry propagating bug in the x86_64 Montgomery squaring
        procedure. No EC algorithms are affected. Analysis suggests that attacks
        against RSA and DSA as a result of this defect would be very difficult to
        perform and are not believed likely. Attacks against DH are considered just
        feasible (although very difficult) because most of the work necessary to
        deduce information about a private key may be performed offline. The amount
        of resources required for such an attack would be very significant and
        likely only accessible to a limited number of attackers. An attacker would
        additionally need online access to an unpatched system using the target
        private key in a scenario with persistent DH parameters and a private
        key that is shared between multiple clients. For example this can occur by
        default in OpenSSL DHE based SSL/TLS ciphersuites.

        This issue was reported to OpenSSL by Hanno Böck.
        (CVE-2015-3193)
        [Andy Polyakov]

     *) Certificate verify crash with missing PSS parameter

        The signature verification routines will crash with a NULL pointer
        dereference if presented with an ASN.1 signature using the RSA PSS
        algorithm and absent mask generation function parameter. Since these
        routines are used to verify certificate signature algorithms this can be
        used to crash any certificate verification operation and exploited in a
        DoS attack. Any application which performs certificate verification is
        vulnerable including OpenSSL clients and servers which enable client
        authentication.

        This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
        (CVE-2015-3194)
        [Stephen Henson]

     *) X509_ATTRIBUTE memory leak

        When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
        memory. This structure is used by the PKCS#7 and CMS routines so any
        application which reads PKCS#7 or CMS data from untrusted sources is
        affected. SSL/TLS is not affected.

        This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
        libFuzzer.
        (CVE-2015-3195)
        [Stephen Henson]

     *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
        This changes the decoding behaviour for some invalid messages,
        though the change is mostly in the more lenient direction, and
        legacy behaviour is preserved as much as possible.
        [Emilia Käsper]

     *) In DSA_generate_parameters_ex, if the provided seed is too short,
        return an error
        [Rich Salz and Ismo Puustinen <ismo.puustinen%intel.com@localhost>]

0 files changed, 0 insertions, 0 deletions