diff options
| author | bsiegert <bsiegert@pkgsrc.org> | 2017-11-24 20:34:23 +0000 |
|---|---|---|
| committer | bsiegert <bsiegert@pkgsrc.org> | 2017-11-24 20:34:23 +0000 |
| commit | 93bfd1ee02957f45cf5893c2b3656b9ae4089226 (patch) | |
| tree | e37eb39ecdefbbd42b502307352304b18c1cecb0 /security/openssl | |
| parent | 8ad7e613d3a344f99186b7aadfd272475eaad89c (diff) | |
| download | pkgsrc-93bfd1ee02957f45cf5893c2b3656b9ae4089226.tar.gz | |
Update openssl to 1.0.2m.
This is a recommended security update.
Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
*) bn_sqrx8x_internal carry bug on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.
This only affects processors that support the BMI1, BMI2 and ADX extensions
like Intel Broadwell (5th generation) and later or AMD Ryzen.
This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3736)
[Andy Polyakov]
*) Malformed X.509 IPAddressFamily could cause OOB read
If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.
This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3735)
[Rich Salz]
Changes between 1.0.2k and 1.0.2l [25 May 2017]
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
platform rather than 'mingw'.
[Richard Levitte]
Diffstat (limited to 'security/openssl')
| -rw-r--r-- | security/openssl/Makefile | 5 | ||||
| -rw-r--r-- | security/openssl/PLIST.common | 90 | ||||
| -rw-r--r-- | security/openssl/distinfo | 11 | ||||
| -rw-r--r-- | security/openssl/patches/patch-crypto_x509v3_v3_addr.c | 25 |
4 files changed, 96 insertions, 35 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile index e40acaa3130..5d966c17ca3 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.232 2017/09/22 21:02:43 tez Exp $ +# $NetBSD: Makefile,v 1.233 2017/11/24 20:34:23 bsiegert Exp $ -DISTNAME= openssl-1.0.2k -PKGREVISION= 1 +DISTNAME= openssl-1.0.2m CATEGORIES= security MASTER_SITES= https://www.openssl.org/source/ diff --git a/security/openssl/PLIST.common b/security/openssl/PLIST.common index e2200138054..0592347096b 100644 --- a/security/openssl/PLIST.common +++ b/security/openssl/PLIST.common @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST.common,v 1.30 2016/09/22 12:28:55 jperkin Exp $ +@comment $NetBSD: PLIST.common,v 1.31 2017/11/24 20:34:23 bsiegert Exp $ bin/c_rehash bin/openssl include/openssl/aes.h @@ -122,6 +122,48 @@ man/man1/openssl_md5.1 man/man1/openssl_mdc2.1 man/man1/openssl_nseq.1 man/man1/openssl_ocsp.1 +man/man1/openssl_openssl-asn1parse.1 +man/man1/openssl_openssl-ca.1 +man/man1/openssl_openssl-ciphers.1 +man/man1/openssl_openssl-cms.1 +man/man1/openssl_openssl-crl.1 +man/man1/openssl_openssl-crl2pkcs7.1 +man/man1/openssl_openssl-dgst.1 +man/man1/openssl_openssl-dhparam.1 +man/man1/openssl_openssl-dsa.1 +man/man1/openssl_openssl-dsaparam.1 +man/man1/openssl_openssl-ec.1 +man/man1/openssl_openssl-ecparam.1 +man/man1/openssl_openssl-enc.1 +man/man1/openssl_openssl-errstr.1 +man/man1/openssl_openssl-gendsa.1 +man/man1/openssl_openssl-genpkey.1 +man/man1/openssl_openssl-genrsa.1 +man/man1/openssl_openssl-nseq.1 +man/man1/openssl_openssl-ocsp.1 +man/man1/openssl_openssl-passwd.1 +man/man1/openssl_openssl-pkcs12.1 +man/man1/openssl_openssl-pkcs7.1 +man/man1/openssl_openssl-pkcs8.1 +man/man1/openssl_openssl-pkey.1 +man/man1/openssl_openssl-pkeyparam.1 +man/man1/openssl_openssl-pkeyutl.1 +man/man1/openssl_openssl-rand.1 +man/man1/openssl_openssl-req.1 +man/man1/openssl_openssl-rsa.1 +man/man1/openssl_openssl-rsautl.1 +man/man1/openssl_openssl-s_client.1 +man/man1/openssl_openssl-s_server.1 +man/man1/openssl_openssl-s_time.1 +man/man1/openssl_openssl-sess_id.1 +man/man1/openssl_openssl-smime.1 +man/man1/openssl_openssl-speed.1 +man/man1/openssl_openssl-spkac.1 +man/man1/openssl_openssl-ts.1 +man/man1/openssl_openssl-tsget.1 +man/man1/openssl_openssl-verify.1 +man/man1/openssl_openssl-version.1 +man/man1/openssl_openssl-x509.1 man/man1/openssl_passwd.1 man/man1/openssl_pkcs12.1 man/man1/openssl_pkcs7.1 @@ -814,6 +856,7 @@ man/man3/EVP_PKEY_CTX_set_rsa_padding.3 man/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3 man/man3/EVP_PKEY_CTX_set_rsa_rsa_keygen_bits.3 man/man3/EVP_PKEY_CTX_set_signature_md.3 +man/man3/EVP_PKEY_METHOD.3 man/man3/EVP_PKEY_assign_DH.3 man/man3/EVP_PKEY_assign_DSA.3 man/man3/EVP_PKEY_assign_EC_KEY.3 @@ -837,6 +880,39 @@ man/man3/EVP_PKEY_get_default_digest.3 man/man3/EVP_PKEY_get_default_digest_nid.3 man/man3/EVP_PKEY_keygen.3 man/man3/EVP_PKEY_keygen_init.3 +man/man3/EVP_PKEY_meth_add0.3 +man/man3/EVP_PKEY_meth_copy.3 +man/man3/EVP_PKEY_meth_find.3 +man/man3/EVP_PKEY_meth_free.3 +man/man3/EVP_PKEY_meth_get_cleanup.3 +man/man3/EVP_PKEY_meth_get_copy.3 +man/man3/EVP_PKEY_meth_get_ctrl.3 +man/man3/EVP_PKEY_meth_get_decrypt.3 +man/man3/EVP_PKEY_meth_get_derive.3 +man/man3/EVP_PKEY_meth_get_encrypt.3 +man/man3/EVP_PKEY_meth_get_init.3 +man/man3/EVP_PKEY_meth_get_keygen.3 +man/man3/EVP_PKEY_meth_get_paramgen.3 +man/man3/EVP_PKEY_meth_get_sign.3 +man/man3/EVP_PKEY_meth_get_signctx.3 +man/man3/EVP_PKEY_meth_get_verify.3 +man/man3/EVP_PKEY_meth_get_verify_recover.3 +man/man3/EVP_PKEY_meth_get_verifyctx.3 +man/man3/EVP_PKEY_meth_new.3 +man/man3/EVP_PKEY_meth_set_cleanup.3 +man/man3/EVP_PKEY_meth_set_copy.3 +man/man3/EVP_PKEY_meth_set_ctrl.3 +man/man3/EVP_PKEY_meth_set_decrypt.3 +man/man3/EVP_PKEY_meth_set_derive.3 +man/man3/EVP_PKEY_meth_set_encrypt.3 +man/man3/EVP_PKEY_meth_set_init.3 +man/man3/EVP_PKEY_meth_set_keygen.3 +man/man3/EVP_PKEY_meth_set_paramgen.3 +man/man3/EVP_PKEY_meth_set_sign.3 +man/man3/EVP_PKEY_meth_set_signctx.3 +man/man3/EVP_PKEY_meth_set_verify.3 +man/man3/EVP_PKEY_meth_set_verify_recover.3 +man/man3/EVP_PKEY_meth_set_verifyctx.3 man/man3/EVP_PKEY_missing_parameters.3 man/man3/EVP_PKEY_new.3 man/man3/EVP_PKEY_paramgen.3 @@ -865,10 +941,14 @@ man/man3/EVP_SignUpdate.3 man/man3/EVP_VerifyFinal.3 man/man3/EVP_VerifyInit.3 man/man3/EVP_VerifyUpdate.3 +man/man3/EVP_aes_128_cbc_hmac_sha1.3 +man/man3/EVP_aes_128_cbc_hmac_sha256.3 man/man3/EVP_aes_128_ccm.3 man/man3/EVP_aes_128_gcm.3 man/man3/EVP_aes_192_ccm.3 man/man3/EVP_aes_192_gcm.3 +man/man3/EVP_aes_256_cbc_hmac_sha1.3 +man/man3/EVP_aes_256_cbc_hmac_sha256.3 man/man3/EVP_aes_256_ccm.3 man/man3/EVP_aes_256_gcm.3 man/man3/EVP_bf_cbc.3 @@ -918,6 +998,7 @@ man/man3/EVP_rc2_ecb.3 man/man3/EVP_rc2_ofb.3 man/man3/EVP_rc4.3 man/man3/EVP_rc4_40.3 +man/man3/EVP_rc4_hmac_md5.3 man/man3/EVP_rc5_32_12_16_cbc.3 man/man3/EVP_rc5_32_12_16_cfb.3 man/man3/EVP_rc5_32_12_16_ecb.3 @@ -1258,6 +1339,8 @@ man/man3/SSL_CTX_set_session_cache_mode.3 man/man3/SSL_CTX_set_session_id_context.3 man/man3/SSL_CTX_set_ssl_version.3 man/man3/SSL_CTX_set_timeout.3 +man/man3/SSL_CTX_set_tlsext_servername_arg.3 +man/man3/SSL_CTX_set_tlsext_servername_callback.3 man/man3/SSL_CTX_set_tlsext_status_arg.3 man/man3/SSL_CTX_set_tlsext_status_cb.3 man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 @@ -1307,6 +1390,7 @@ man/man3/SSL_clear_options.3 man/man3/SSL_connect.3 man/man3/SSL_ctrl.3 man/man3/SSL_do_handshake.3 +man/man3/SSL_export_keying_material.3 man/man3/SSL_flush_sessions.3 man/man3/SSL_free.3 man/man3/SSL_get0_alpn_selected.3 @@ -1342,6 +1426,8 @@ man/man3/SSL_get_quiet_shutdown.3 man/man3/SSL_get_rbio.3 man/man3/SSL_get_read_ahead.3 man/man3/SSL_get_secure_renegotiation_support.3 +man/man3/SSL_get_servername.3 +man/man3/SSL_get_servername_type.3 man/man3/SSL_get_session.3 man/man3/SSL_get_shared_curve.3 man/man3/SSL_get_shutdown.3 @@ -1494,6 +1580,7 @@ man/man3/X509_NAME_oneline.3 man/man3/X509_NAME_print.3 man/man3/X509_NAME_print_ex.3 man/man3/X509_NAME_print_ex_fp.3 +man/man3/X509_REQ_check_private_key.3 man/man3/X509_STORE_CTX_cleanup.3 man/man3/X509_STORE_CTX_free.3 man/man3/X509_STORE_CTX_get0_param.3 @@ -1537,6 +1624,7 @@ man/man3/X509_check_email.3 man/man3/X509_check_host.3 man/man3/X509_check_ip.3 man/man3/X509_check_ip_asc.3 +man/man3/X509_check_private_key.3 man/man3/X509_free.3 man/man3/X509_new.3 man/man3/X509_verify_cert.3 diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 925abc0422e..c659f2e2f4d 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.128 2017/09/22 21:02:43 tez Exp $ +$NetBSD: distinfo,v 1.129 2017/11/24 20:34:23 bsiegert Exp $ -SHA1 (openssl-1.0.2k.tar.gz) = 5f26a624479c51847ebd2f22bb9f84b3b44dcb44 -RMD160 (openssl-1.0.2k.tar.gz) = 56b70831e49f83987ec14b3878d0d693f9a7d862 -SHA512 (openssl-1.0.2k.tar.gz) = 0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016 -Size (openssl-1.0.2k.tar.gz) = 5309236 bytes +SHA1 (openssl-1.0.2m.tar.gz) = 27fb00641260f97eaa587eb2b80fab3647f6013b +RMD160 (openssl-1.0.2m.tar.gz) = 353479313ecfee1abdf28170e642fc30a4c71c09 +SHA512 (openssl-1.0.2m.tar.gz) = 7619aa223ee50d0f5e270ac9090e95b2b1ba5dfc656c98f625a9a277dda472fb960a4e89a7ba300044cb401b2072b2ca6a6fcce8206d927bf373d1c981806a93 +Size (openssl-1.0.2m.tar.gz) = 5373776 bytes SHA1 (patch-Configure) = 2d963d781314276a0ee1bc531df6bc50f0f6b32b SHA1 (patch-Makefile.org) = d2a9295003a8b88718a328b01ff6bcbbc102ec0b SHA1 (patch-Makefile.shared) = d317004d6ade167fc3b6e533bb8a1e93657188b2 @@ -11,5 +11,4 @@ SHA1 (patch-apps_Makefile) = 60113291f2a25f5f1c1dba35e8173087bcd4cc30 SHA1 (patch-config) = 345cadece3bdf0ef0a273a6c9ba6d0cbb1026a31 SHA1 (patch-crypto_bn_bn__prime.pl) = a516f3709a862d85e659d466e895419b1e0a94c8 SHA1 (patch-crypto_des_Makefile) = 7a23f9883ff6c93ec0e5d08e1332cc95de8cdba2 -SHA1 (patch-crypto_x509v3_v3_addr.c) = 0782668ce0748b58eda9036ee93fa926e575698b SHA1 (patch-tools_Makefile) = 67f0b9b501969382fd89b678c277d32bf5d294bc diff --git a/security/openssl/patches/patch-crypto_x509v3_v3_addr.c b/security/openssl/patches/patch-crypto_x509v3_v3_addr.c deleted file mode 100644 index 76f8917b0b6..00000000000 --- a/security/openssl/patches/patch-crypto_x509v3_v3_addr.c +++ /dev/null @@ -1,25 +0,0 @@ -$NetBSD: patch-crypto_x509v3_v3_addr.c,v 1.1 2017/09/22 21:02:43 tez Exp $ - -Patch for CVE-2017-3735 from -https://github.com/openssl/openssl/commit/31c8b265591a0aaa462a1f3eb5770661aaac67db - - ---- crypto/x509v3/v3_addr.c -+++ crypto/x509v3/v3_addr.c -@@ -130,10 +130,12 @@ static int length_from_afi(const unsigned afi) - */ - unsigned int v3_addr_get_afi(const IPAddressFamily *f) - { -- return ((f != NULL && -- f->addressFamily != NULL && f->addressFamily->data != NULL) -- ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) -- : 0); -+ if (f == NULL -+ || f->addressFamily == NULL -+ || f->addressFamily->data == NULL -+ || f->addressFamily->length < 2) -+ return 0; -+ return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; - } - - /* |