authortaca <taca@pkgsrc.org>2010-04-12 14:19:17 +0000
committertaca <taca@pkgsrc.org>2010-04-12 14:19:17 +0000
commit662d52e48844980a77dca0bd333db6e61e836e69 (patch)
tree44fb858a7261aada05ea7237f9bee8f391c72fe9 /security
parent2a3ed356282cb7ba087377bf7c9d391f76efea2f (diff)
Update openssl package from 0.9.8m to 0.9.8n.
Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

  *) When rejecting SSL/TLS records due to an incorrect version number, never
     update s->server with a new major version number. As of
     - OpenSSL 0.9.8m if 'short' is a 16-bit type,
     - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
     the previous behavior could result in a read attempt at NULL when
     receiving specific incorrect SSL/TLS records once record payload
     protection is active. (CVE-2010-0740)
     [Bodo Moeller, Adam Langley <agl@chromium.org>]

  *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
     could be crashed if the relevant tables were not present (e.g. chrooted).
     [Tomas Hoger <thoger@redhat.com>]
Diffstat (limited to 'security')
-rw-r--r--security/openssl/Makefile5
-rw-r--r--security/openssl/distinfo9
-rw-r--r--security/openssl/patches/patch-bc19
3 files changed, 6 insertions, 27 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 97469d43fbe..695636860b1 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.146 2010/03/26 00:20:49 taca Exp $
+# $NetBSD: Makefile,v 1.147 2010/04/12 14:19:17 taca Exp $
OPENSSL_SNAPSHOT?= # empty
OPENSSL_STABLE?= # empty
-OPENSSL_VERS?= 0.9.8m
-PKGREVISION= 2
+OPENSSL_VERS?= 0.9.8n
.if empty(OPENSSL_SNAPSHOT)
DISTNAME= openssl-${OPENSSL_VERS}
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 1e1681a6c45..3f4a3a08aa7 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.73 2010/03/26 00:20:49 taca Exp $
+$NetBSD: distinfo,v 1.74 2010/04/12 14:19:17 taca Exp $
-SHA1 (openssl-0.9.8m.tar.gz) = 2511c709a47f34d5fa6cd1a1c9cb1699bdffa912
-RMD160 (openssl-0.9.8m.tar.gz) = 0296af151993008526b4f2b3a6810e20c4ad3759
-Size (openssl-0.9.8m.tar.gz) = 3767604 bytes
+SHA1 (openssl-0.9.8n.tar.gz) = 595f5ebf592568515964f0adc62239e7012ef08b
+RMD160 (openssl-0.9.8n.tar.gz) = 8eb5e877c2bab203e8eb108e42d60580a478f718
+Size (openssl-0.9.8n.tar.gz) = 3770041 bytes
SHA1 (patch-aa) = b3899aebeea9bd9ead58771ca52ecec049589a55
SHA1 (patch-ac) = 6ff4a20440666f5c520837e10547091e1bee2208
SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3
@@ -11,4 +11,3 @@ SHA1 (patch-af) = 2610930b6b06397fa2e3955b3244c02193f5b7a6
SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8
SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0
SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302
-SHA1 (patch-bc) = 9200ae3c86fb5c278c9692441555faa4c51afb30
diff --git a/security/openssl/patches/patch-bc b/security/openssl/patches/patch-bc
deleted file mode 100644
index d150c8acb7c..00000000000
--- a/security/openssl/patches/patch-bc
+++ /dev/null
@@ -1,19 +0,0 @@
-$NetBSD: patch-bc,v 1.1 2010/03/26 00:20:49 taca Exp $
-
-Fix for CVE-2010-0740: http://www.openssl.org/news/secadv_20100324.txt
-
---- ssl/s3_pkt.c.orig 2010-01-24 13:52:38.000000000 +0000
-+++ ssl/s3_pkt.c
-@@ -291,9 +291,9 @@ again:
- if (version != s->version)
- {
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-- /* Send back error using their
-- * version number :-) */
-- s->version=version;
-+ if ((s->version & 0xFF00) == (version & 0xFF00))
-+ /* Send back error using their minor version number :-) */
-+ s->version = (unsigned short)version;
- al=SSL_AD_PROTOCOL_VERSION;
- goto f_err;
- }