author     jperkin <jperkin@pkgsrc.org>  2016-01-28 16:30:42 +0000
committer  jperkin <jperkin@pkgsrc.org>  2016-01-28 16:30:42 +0000
commit     2608c62603504cb024fbfadd9dfe515129d6a252
tree       330001f1220e42cb12845af5c6b340adf7cb0282 /security
parent     194786847ed171c7dbed8fbaa202f43ee30f86ba
Update security/openssl to version 1.0.2f.
Changes between 1.0.2e and 1.0.2f [28 Jan 2016]

 *) DH small subgroups

    Historically OpenSSL only ever generated DH parameters based on "safe"
    primes. More recently (in version 1.0.2) support was provided for
    generating X9.42 style parameter files such as those required for RFC 5114
    support. The primes used in such files may not be "safe". Where an
    application is using DH configured with parameters based on primes that
    are not "safe" then an attacker could use this fact to find a peer's
    private DH exponent. This attack requires that the attacker complete
    multiple handshakes in which the peer uses the same private DH exponent.
    For example this could be used to discover a TLS server's private DH
    exponent if it's reusing the private DH exponent or it's using a static
    DH ciphersuite.

    OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE)
    in TLS. It is not on by default. If the option is not set then the server
    reuses the same private DH exponent for the life of the server process
    and would be vulnerable to this attack. It is believed that many popular
    applications do set this option and would therefore not be at risk.

    The fix for this issue adds an additional check where a "q" parameter is
    available (as is the case in X9.42 based parameters). This detects the
    only known attack, and is the only possible defense for static DH
    ciphersuites. This could have some performance impact.

    Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
    default and cannot be disabled. This could have some performance impact.

    This issue was reported to OpenSSL by Antonio Sanso (Adobe).
    (CVE-2016-0701)
    [Matt Caswell]

 *) SSLv2 doesn't block disabled ciphers

    A malicious client can negotiate SSLv2 ciphers that have been disabled on
    the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
    been disabled, provided that the SSLv2 protocol was not also disabled via
    SSL_OP_NO_SSLv2.

    This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
    and Sebastian Schinzel.
    (CVE-2015-3197)
    [Viktor Dukhovni]

 *) Reject DH handshakes with parameters shorter than 1024 bits.
    [Kurt Roeckx]
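The additional check the change log describes, written out as an added example in Python (editor's code, not OpenSSL's and not part of this pkgsrc commit): with X9.42-style parameters the subgroup order q is known, so a peer's public value y can be tested for pow(y, q, p) == 1 on top of the usual range check, which rejects values confined to a small subgroup. The parameters below are constructed toy values, far too small for real use; the function names and the private exponent 7 are assumptions. The example also covers the case without q, where only the range check is possible, which is why the change log says the check applies only where q is available.

```python
from typing import Optional, Tuple

# Constructed toy parameters for illustration only (NOT real DH parameters;
# a real p is 2048 bits or more). p = 6*q + 1 is prime but not a "safe"
# prime (a safe prime has p = 2*q + 1), so the multiplicative group mod p
# has small subgroups of order 2, 3 and 6 alongside the order-q subgroup
# that DH is supposed to use. This is the situation X9.42 / RFC 5114 style
# parameter files can produce.
TOY_Q = 11
TOY_P = 67                                  # 6 * 11 + 1
TOY_G = pow(2, (TOY_P - 1) // TOY_Q, TOY_P)  # 2**6 mod 67 = 64, order q = 11


def validate_dh_public(p: int, y: int, q: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a peer's DH public value y against parameters (p, q).

    The range check is all that is possible when q is unknown. When q is
    available, pow(y, q, p) == 1 additionally confirms y lies in the
    order-q subgroup, so a value confined to a small subgroup (which would
    leak the reused private exponent modulo that small order) is rejected
    before any shared secret is computed.
    """
    if not (1 < y < p - 1):
        return False, "public value out of range (1, p-1)"
    if q is None:
        return True, "range check only: q not available, subgroup membership unverified"
    if pow(y, q, p) != 1:
        return False, "public value is not in the order-q subgroup"
    return True, "public value in range and in the order-q subgroup"


def element_order(p: int, y: int) -> int:
    """Brute-force multiplicative order of y mod p (toy sizes only)."""
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k


def demo() -> dict:
    """Run the check on an honest value and on a small-subgroup value."""
    honest = pow(TOY_G, 7, TOY_P)  # g^x for an assumed private exponent x = 7
    confined = 37                  # constructed: 37 has order 3 mod 67
    return {
        "honest_with_q": validate_dh_public(TOY_P, honest, TOY_Q),
        "confined_with_q": validate_dh_public(TOY_P, confined, TOY_Q),
        "confined_without_q": validate_dh_public(TOY_P, confined),
        "confined_order": element_order(TOY_P, confined),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the range check alone accepts the order-3 value: without q a receiver cannot tell it from a legitimate public value, which is the gap the q-based check closes. The check is a per-handshake cost, matching the change log's remark about performance impact, and it complements rather than replaces SSL_OP_SINGLE_DH_USE: a fresh exponent per handshake means a single confined value reveals nothing reusable, while the q check protects static DH, where the exponent cannot be rotated.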
Diffstat (limited to 'security')

-rw-r--r--  security/openssl/Makefile                                 |  4
-rw-r--r--  security/openssl/PLIST.common                             |  7
-rw-r--r--  security/openssl/distinfo                                 | 28
-rw-r--r--  security/openssl/patches/patch-Configure                  | 12
-rw-r--r--  security/openssl/patches/patch-Makefile.org               | 12
-rw-r--r--  security/openssl/patches/patch-Makefile.shared            |  4
-rw-r--r--  security/openssl/patches/patch-apps_Makefile              |  4
-rw-r--r--  security/openssl/patches/patch-config                     |  4
-rw-r--r--  security/openssl/patches/patch-crypto_bn_bn__prime.pl     |  4
-rw-r--r--  security/openssl/patches/patch-crypto_des_Makefile        |  4
-rw-r--r--  security/openssl/patches/patch-engines_ccgost_Makefile    |  4
-rw-r--r--  security/openssl/patches/patch-tools_Makefile             |  4

12 files changed, 48 insertions, 43 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 17d2cb0b597..1e2072aae76 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.219 2016/01/24 16:14:45 jperkin Exp $
+# $NetBSD: Makefile,v 1.220 2016/01/28 16:30:42 jperkin Exp $
-DISTNAME= openssl-1.0.2e
+DISTNAME= openssl-1.0.2f
CATEGORIES= security
MASTER_SITES= https://www.openssl.org/source/
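Review bot: The only substantive line is `-DISTNAME= openssl-1.0.2e` / `+DISTNAME= openssl-1.0.2f`; pkgsrc drops any PKGREVISION at a version bump, and this hunk does not show whether the 1.0.2e Makefile carried one, so check the rest of the file. Since the commit message says the new release forces SSL_OP_SINGLE_DH_USE on and rejects DH parameters shorter than 1024 bits, a sentence warning that dependent packages using static DH or short DH parameters may see handshake failures after the update would be useful documentation for this commit.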
diff --git a/security/openssl/PLIST.common b/security/openssl/PLIST.common
index 5898629b1ff..707d281b359 100644
--- a/security/openssl/PLIST.common
+++ b/security/openssl/PLIST.common
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST.common,v 1.26 2015/12/07 15:57:42 jperkin Exp $
+@comment $NetBSD: PLIST.common,v 1.27 2016/01/28 16:30:42 jperkin Exp $
bin/c_rehash
bin/openssl
include/openssl/aes.h
@@ -1239,6 +1239,8 @@ man/man3/SSL_CTX_set_session_cache_mode.3
man/man3/SSL_CTX_set_session_id_context.3
man/man3/SSL_CTX_set_ssl_version.3
man/man3/SSL_CTX_set_timeout.3
+man/man3/SSL_CTX_set_tlsext_status_arg.3
+man/man3/SSL_CTX_set_tlsext_status_cb.3
man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3
man/man3/SSL_CTX_set_tmp_dh.3
man/man3/SSL_CTX_set_tmp_dh_callback.3
@@ -1324,6 +1326,7 @@ man/man3/SSL_get_session.3
man/man3/SSL_get_shared_curve.3
man/man3/SSL_get_shutdown.3
man/man3/SSL_get_ssl_method.3
+man/man3/SSL_get_tlsext_status_ocsp_resp.3
man/man3/SSL_get_verify_callback.3
man/man3/SSL_get_verify_depth.3
man/man3/SSL_get_verify_mode.3
@@ -1374,6 +1377,8 @@ man/man3/SSL_set_session.3
man/man3/SSL_set_session_id_context.3
man/man3/SSL_set_shutdown.3
man/man3/SSL_set_ssl_method.3
+man/man3/SSL_set_tlsext_status_ocsp_resp.3
+man/man3/SSL_set_tlsext_status_type.3
man/man3/SSL_set_tmp_dh.3
man/man3/SSL_set_tmp_dh_callback.3
man/man3/SSL_set_tmp_rsa.3
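Review bot: No problem found; the five added man3 entries keep the PLIST sorted (`SSL_CTX_set_tlsext_status_arg.3` before `SSL_CTX_set_tlsext_status_cb.3` before the existing `SSL_CTX_set_tlsext_ticket_key_cb.3`, and the `SSL_set_tlsext_status_*` pages before `SSL_set_tmp_dh.3`), and together with the RCS id they account for the 7 changed lines in the diffstat. All five document the OCSP status-request API, so it is worth confirming with `make print-PLIST` that the 1.0.2f tarball installs no further new pages that were missed.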
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 7699d2e9090..fe94fed701e 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,15 +1,15 @@
-$NetBSD: distinfo,v 1.119 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: distinfo,v 1.120 2016/01/28 16:30:42 jperkin Exp $
-SHA1 (openssl-1.0.2e.tar.gz) = 2c5691496761cb18f98476eefa4d35c835448fb6
-RMD160 (openssl-1.0.2e.tar.gz) = 324ed411043364af2ea908124225eece7d604a94
-SHA512 (openssl-1.0.2e.tar.gz) = b73f114a117ccab284cf5891dac050e3016d28e0b1fc71639442cdb42accef676115af90a12deff4bcc1f599cc0cbdeb38142cbf4570bd7d03634786ad32c95f
-Size (openssl-1.0.2e.tar.gz) = 5256555 bytes
-SHA1 (patch-Configure) = 2e39c50188600e7e491b77dd47b14a27198c1860
-SHA1 (patch-Makefile.org) = f4525cbd71e8b537033c0f39d695b73ae8cdb9e3
-SHA1 (patch-Makefile.shared) = 15b0238b1e0be0e8ca05f1a557b1cb55039ed5fd
-SHA1 (patch-apps_Makefile) = 15150b4f4325c4a74ebb513994faf7649976282f
-SHA1 (patch-config) = 1476fa7bcc3469fb940825650b550a920b84a945
-SHA1 (patch-crypto_bn_bn__prime.pl) = 834e11bc0b214fc5dcb9a651e13369003708b4ce
-SHA1 (patch-crypto_des_Makefile) = f5f92b1e9597c068ab63332e38904a6e115a0a0d
-SHA1 (patch-engines_ccgost_Makefile) = 68b46f01f06f98e860d3fd585fe8c72627ea7675
-SHA1 (patch-tools_Makefile) = 52bac15bd2aa02725545f5168c95c8ba4721b409
+SHA1 (openssl-1.0.2f.tar.gz) = 2047c592a6e5a42bd37970bdb4a931428110a927
+RMD160 (openssl-1.0.2f.tar.gz) = 1065dfc99a4c549c34249700e834a08e6de9881c
+SHA512 (openssl-1.0.2f.tar.gz) = 50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351
+Size (openssl-1.0.2f.tar.gz) = 5258384 bytes
+SHA1 (patch-Configure) = bebb9c435914b89ab9d5afabceb7d95903d4b56a
+SHA1 (patch-Makefile.org) = d2a9295003a8b88718a328b01ff6bcbbc102ec0b
+SHA1 (patch-Makefile.shared) = d317004d6ade167fc3b6e533bb8a1e93657188b2
+SHA1 (patch-apps_Makefile) = 60113291f2a25f5f1c1dba35e8173087bcd4cc30
+SHA1 (patch-config) = 345cadece3bdf0ef0a273a6c9ba6d0cbb1026a31
+SHA1 (patch-crypto_bn_bn__prime.pl) = a516f3709a862d85e659d466e895419b1e0a94c8
+SHA1 (patch-crypto_des_Makefile) = 7a23f9883ff6c93ec0e5d08e1332cc95de8cdba2
+SHA1 (patch-engines_ccgost_Makefile) = 5ff1e2705f6cb46075d5e005af9e804bb81d65e5
+SHA1 (patch-tools_Makefile) = 67f0b9b501969382fd89b678c277d32bf5d294bc
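Review bot: All four tarball entries (SHA1, RMD160, SHA512, Size) and all nine patch checksums change together, which is consistent with a fresh `make distinfo` run; the patch checksums move because the `.orig` timestamps and hunk offsets inside the patch files changed, not because the pkgsrc modifications themselves changed. The SHA1 is the value that can be compared directly with the digest upstream publishes beside the tarball, while RMD160 and SHA512 are only as good as the download they were computed from, so the commit should confirm that the tarball's upstream signature was verified before these values were recorded.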
diff --git a/security/openssl/patches/patch-Configure b/security/openssl/patches/patch-Configure
index 1c01eb7457a..30d68e3062f 100644
--- a/security/openssl/patches/patch-Configure
+++ b/security/openssl/patches/patch-Configure
@@ -1,12 +1,12 @@
-$NetBSD: patch-Configure,v 1.6 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: patch-Configure,v 1.7 2016/01/28 16:30:43 jperkin Exp $
* Avoid -fast on Solaris, creates non-portable packages which depend on
host-specific CPU features.
* Add GNU/kFreeBSD support.
---- Configure.orig 2015-12-03 14:04:23.000000000 +0000
+--- Configure.orig 2016-01-28 13:56:08.000000000 +0000
+++ Configure
-@@ -358,6 +358,7 @@ my %table=(
+@@ -361,6 +361,7 @@ my %table=(
#
"osf1-alpha-gcc", "gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
"osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
@@ -14,7 +14,7 @@ $NetBSD: patch-Configure,v 1.6 2015/12/08 16:53:32 jperkin Exp $
"tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
####
-@@ -482,8 +483,31 @@ my %table=(
+@@ -485,8 +486,31 @@ my %table=(
"BSD-ia64", "gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"BSD-x86_64", "cc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -47,7 +47,7 @@ $NetBSD: patch-Configure,v 1.6 2015/12/08 16:53:32 jperkin Exp $
"nextstep", "cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
"nextstep3.3", "cc:-O3 -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
-@@ -933,7 +957,7 @@ PROCESS_ARGS:
+@@ -936,7 +960,7 @@ PROCESS_ARGS:
# The check for the option is there so scripts aren't
# broken
}
@@ -56,7 +56,7 @@ $NetBSD: patch-Configure,v 1.6 2015/12/08 16:53:32 jperkin Exp $
{
if (/^--prefix=(.*)$/)
{
-@@ -1767,7 +1791,7 @@ while (<IN>)
+@@ -1770,7 +1794,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
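Review bot: Nothing functional changes in patch-Configure: each inner hunk header shifts by three lines (`-358`→`-361`, `-482`→`-485`, `-933`→`-936`, `-1767`→`-1770`) and the `.orig` timestamp moves to 2016-01-28, while the patch bodies and the two-line rationale comment are untouched. A regenerated patch like this only needs a clean `make patch` (no fuzz or offset warnings) and a pkglint pass before commit.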
diff --git a/security/openssl/patches/patch-Makefile.org b/security/openssl/patches/patch-Makefile.org
index a192fe0a417..95db775ddca 100644
--- a/security/openssl/patches/patch-Makefile.org
+++ b/security/openssl/patches/patch-Makefile.org
@@ -1,8 +1,8 @@
-$NetBSD: patch-Makefile.org,v 1.4 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: patch-Makefile.org,v 1.5 2016/01/28 16:30:43 jperkin Exp $
Adjust build procedure.
---- Makefile.org.orig 2015-12-03 14:04:23.000000000 +0000
+--- Makefile.org.orig 2016-01-28 13:56:08.000000000 +0000
+++ Makefile.org
@@ -28,6 +28,7 @@ INSTALLTOP=/usr/local/ssl
@@ -29,16 +29,16 @@ Adjust build procedure.
SHARED_LDFLAGS=
GENERAL= Makefile
-@@ -532,7 +534,7 @@ dist:
- dist_pem_h:
- (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
+@@ -528,7 +530,7 @@ dist:
+ @$(MAKE) SDIRS='$(SDIRS)' clean
+ @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-install: all install_docs install_sw
+install: install_docs install_sw
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-@@ -641,41 +643,56 @@ install_docs:
+@@ -637,41 +639,56 @@ install_docs:
@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
here="`pwd`"; \
filecase=; \
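Review bot: The `install:` hunk of patch-Makefile.org changes its context, not merely its offset: the old context `dist_pem_h:` / `(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)` is replaced by `@$(MAKE) SDIRS='$(SDIRS)' clean` / `@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar`, so upstream reorganised its dist targets between 1.0.2e and 1.0.2f. The pkgsrc change itself (`-install: all install_docs install_sw` → `+install: install_docs install_sw`) is unchanged and still applies, but the commit message should mention that this patch was re-based against moved context rather than just re-offset, since it is the one patch in this commit whose hunk text differs.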
diff --git a/security/openssl/patches/patch-Makefile.shared b/security/openssl/patches/patch-Makefile.shared
index f5c46fba431..9fbf10b8a10 100644
--- a/security/openssl/patches/patch-Makefile.shared
+++ b/security/openssl/patches/patch-Makefile.shared
@@ -1,9 +1,9 @@
-$NetBSD: patch-Makefile.shared,v 1.4 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: patch-Makefile.shared,v 1.5 2016/01/28 16:30:43 jperkin Exp $
Adjust build procedure.
Fix SunOS -h linker argument.
---- Makefile.shared.orig 2015-12-03 14:04:23.000000000 +0000
+--- Makefile.shared.orig 2016-01-28 13:38:30.000000000 +0000
+++ Makefile.shared
@@ -315,6 +315,11 @@ link_o.alpha-osf1:
@ if $(DETECT_GNU_LD); then \
diff --git a/security/openssl/patches/patch-apps_Makefile b/security/openssl/patches/patch-apps_Makefile
index a44b59b048b..50c1838d524 100644
--- a/security/openssl/patches/patch-apps_Makefile
+++ b/security/openssl/patches/patch-apps_Makefile
@@ -1,8 +1,8 @@
-$NetBSD: patch-apps_Makefile,v 1.3 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: patch-apps_Makefile,v 1.4 2016/01/28 16:30:43 jperkin Exp $
Adjust build procedure.
---- apps/Makefile.orig 2015-12-03 14:44:30.000000000 +0000
+--- apps/Makefile.orig 2016-01-28 13:57:21.000000000 +0000
+++ apps/Makefile
@@ -4,6 +4,7 @@
diff --git a/security/openssl/patches/patch-config b/security/openssl/patches/patch-config
index b851b33169c..740eaa9725a 100644
--- a/security/openssl/patches/patch-config
+++ b/security/openssl/patches/patch-config
@@ -1,8 +1,8 @@
-$NetBSD: patch-config,v 1.3 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: patch-config,v 1.4 2016/01/28 16:30:43 jperkin Exp $
Adjust config procedure.
---- config.orig 2015-12-03 14:04:23.000000000 +0000
+--- config.orig 2016-01-28 13:56:08.000000000 +0000
+++ config
@@ -49,6 +49,7 @@ done
# First get uname entries that we use below
diff --git a/security/openssl/patches/patch-crypto_bn_bn__prime.pl b/security/openssl/patches/patch-crypto_bn_bn__prime.pl
index 153b05b7bd7..0544c710f7d 100644
--- a/security/openssl/patches/patch-crypto_bn_bn__prime.pl
+++ b/security/openssl/patches/patch-crypto_bn_bn__prime.pl
@@ -1,6 +1,6 @@
-$NetBSD: patch-crypto_bn_bn__prime.pl,v 1.3 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: patch-crypto_bn_bn__prime.pl,v 1.4 2016/01/28 16:30:43 jperkin Exp $
---- crypto/bn/bn_prime.pl.orig 2015-12-03 14:04:23.000000000 +0000
+--- crypto/bn/bn_prime.pl.orig 2016-01-28 13:38:30.000000000 +0000
+++ crypto/bn/bn_prime.pl
@@ -1,6 +1,8 @@
#!/usr/local/bin/perl
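Review bot: Missing documentation in patch-crypto_bn_bn__prime.pl: unlike every other patch file in this commit, it has no comment between the `$NetBSD` id and the `--- crypto/bn/bn_prime.pl.orig` header explaining why bn_prime.pl is patched. pkglint warns about patches without a rationale, and since the file is being regenerated here anyway this is the natural moment to add the one-line explanation.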
diff --git a/security/openssl/patches/patch-crypto_des_Makefile b/security/openssl/patches/patch-crypto_des_Makefile
index c7a53673f8b..f85986e5d30 100644
--- a/security/openssl/patches/patch-crypto_des_Makefile
+++ b/security/openssl/patches/patch-crypto_des_Makefile
@@ -1,8 +1,8 @@
-$NetBSD: patch-crypto_des_Makefile,v 1.3 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: patch-crypto_des_Makefile,v 1.4 2016/01/28 16:30:43 jperkin Exp $
Not all m4 macro processors have severe buffer limitations.
---- crypto/des/Makefile.orig 2015-12-03 14:44:18.000000000 +0000
+--- crypto/des/Makefile.orig 2016-01-28 13:57:09.000000000 +0000
+++ crypto/des/Makefile
@@ -60,7 +60,11 @@ des: des.o cbc3_enc.o lib
$(CC) $(CFLAGS) -o des des.o cbc3_enc.o $(LIB)
diff --git a/security/openssl/patches/patch-engines_ccgost_Makefile b/security/openssl/patches/patch-engines_ccgost_Makefile
index 7e2f7e68b91..0be590e39c0 100644
--- a/security/openssl/patches/patch-engines_ccgost_Makefile
+++ b/security/openssl/patches/patch-engines_ccgost_Makefile
@@ -1,8 +1,8 @@
-$NetBSD: patch-engines_ccgost_Makefile,v 1.3 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: patch-engines_ccgost_Makefile,v 1.4 2016/01/28 16:30:43 jperkin Exp $
* Make sure rpath is set properly on the libgost.so engine lib.
---- engines/ccgost/Makefile.orig 2015-12-03 14:44:29.000000000 +0000
+--- engines/ccgost/Makefile.orig 2016-01-28 13:57:20.000000000 +0000
+++ engines/ccgost/Makefile
@@ -32,7 +32,7 @@ lib: $(LIBOBJ)
$(MAKE) -f $(TOP)/Makefile.shared -e \
diff --git a/security/openssl/patches/patch-tools_Makefile b/security/openssl/patches/patch-tools_Makefile
index ec0dc7f42ee..7d2612b2e69 100644
--- a/security/openssl/patches/patch-tools_Makefile
+++ b/security/openssl/patches/patch-tools_Makefile
@@ -1,8 +1,8 @@
-$NetBSD: patch-tools_Makefile,v 1.3 2015/12/08 16:53:32 jperkin Exp $
+$NetBSD: patch-tools_Makefile,v 1.4 2016/01/28 16:30:43 jperkin Exp $
Adjust build procedure.
---- tools/Makefile.orig 2015-12-03 14:04:23.000000000 +0000
+--- tools/Makefile.orig 2016-01-28 13:38:31.000000000 +0000
+++ tools/Makefile
@@ -4,6 +4,7 @@