authortron <tron@pkgsrc.org>2015-06-12 17:02:24 +0000
committertron <tron@pkgsrc.org>2015-06-12 17:02:24 +0000
commit3a8bf0d07246177434e59e4151c6343a53eaf470 (patch)
tree6affebff0c5c8fa880c6403f2c1d64544305aa67 /security
parent62d9665d23c417448c279ff4a6e2f748d2c691cb (diff)
Update "openssl" package to version 1.0.2b. Changes since version 1.0.2a:
- Malformed ECParameters causes infinite loop When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled. This issue was reported to OpenSSL by Joseph Barr-Pixton. (CVE-2015-1788) [Andy Polyakov] - Exploitable out-of-bounds read in X509_cmp_time X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. This issue was reported to OpenSSL by Robert Swiecki (Google), and independently by Hanno Böck. (CVE-2015-1789) [Emilia Käsper] - PKCS7 crash with missing EnvelopedContent The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected. This issue was reported to OpenSSL by Michal Zalewski (Google). (CVE-2015-1790) [Emilia Käsper] - CMS verify infinite loop with unknown hash function When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. 
This can be used to perform denial of service against any system which verifies signedData messages using the CMS code. This issue was reported to OpenSSL by Johannes Bauer. (CVE-2015-1792) [Stephen Henson] - Race condition handling NewSessionTicket If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. (CVE-2015-1791) [Matt Caswell] - Removed support for the two export grade static DH ciphersuites EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites were newly added (along with a number of other static DH ciphersuites) to 1.0.2. However the two export ones have *never* worked since they were introduced. It seems strange in any case to be adding new export ciphersuites, and given "logjam" it also does not seem correct to fix them. [Matt Caswell] - Only support 256-bit or stronger elliptic curves with the 'ecdh_auto' setting (server) or by default (client). Of supported curves, prefer P-256 (both). [Emilia Kasper] - Reject DH handshakes with parameters shorter than 768 bits. [Kurt Roeckx and Emilia Kasper]
Diffstat (limited to 'security')
-rw-r--r--security/openssl/Makefile5
-rw-r--r--security/openssl/PLIST.common3
-rw-r--r--security/openssl/distinfo10
-rw-r--r--security/openssl/patches/patch-Configure25
4 files changed, 23 insertions, 20 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 86fa24e4ff4..4692741bc06 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.207 2015/06/12 10:51:03 wiz Exp $
+# $NetBSD: Makefile,v 1.208 2015/06/12 17:02:24 tron Exp $
-DISTNAME= openssl-1.0.2a
-PKGREVISION= 1
+DISTNAME= openssl-1.0.2b
CATEGORIES= security
MASTER_SITES= http://www.openssl.org/source/
diff --git a/security/openssl/PLIST.common b/security/openssl/PLIST.common
index 3c93ef2b743..31ae743c617 100644
--- a/security/openssl/PLIST.common
+++ b/security/openssl/PLIST.common
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST.common,v 1.23 2015/03/19 22:11:22 tron Exp $
+@comment $NetBSD: PLIST.common,v 1.24 2015/06/12 17:02:24 tron Exp $
bin/c_rehash
bin/openssl
include/openssl/aes.h
@@ -1125,6 +1125,7 @@ man/man3/SSL_CIPHER_get_bits.3
man/man3/SSL_CIPHER_get_name.3
man/man3/SSL_CIPHER_get_version.3
man/man3/SSL_COMP_add_compression_method.3
+man/man3/SSL_COMP_free_compression_methods.3
man/man3/SSL_CONF_CTX_clear_flags.3
man/man3/SSL_CONF_CTX_free.3
man/man3/SSL_CONF_CTX_new.3
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index ffe588f7335..a262a950080 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.112 2015/03/19 22:11:22 tron Exp $
+$NetBSD: distinfo,v 1.113 2015/06/12 17:02:24 tron Exp $
-SHA1 (openssl-1.0.2a.tar.gz) = 46ecd325b8e587fa491f6bb02ad4a9fb9f382f5f
-RMD160 (openssl-1.0.2a.tar.gz) = 2974a0a8cc469d85a5391a64aa0a2b2c5b00acfa
-Size (openssl-1.0.2a.tar.gz) = 5262089 bytes
-SHA1 (patch-Configure) = d57986a34cd88a27c5d94df5a3cc3e2c12bf8bbe
+SHA1 (openssl-1.0.2b.tar.gz) = 9006e53ca56a14d041e3875320eedfa63d82aba7
+RMD160 (openssl-1.0.2b.tar.gz) = 543a4d9d4fe08ddcae0937334224d8479d9b602a
+Size (openssl-1.0.2b.tar.gz) = 5281009 bytes
+SHA1 (patch-Configure) = ce5f4ab244f49d3a556b1123190f2424b38fd789
SHA1 (patch-Makefile.org) = 72f023aeead660decaa09b6664936bd73a214069
SHA1 (patch-Makefile.shared) = 709283ba4bb4bd568e289fe111b8dea319968328
SHA1 (patch-apps_Makefile) = 745e01fb967979f5105896f8a728fd7a041af6c9
diff --git a/security/openssl/patches/patch-Configure b/security/openssl/patches/patch-Configure
index cb83dd7609f..38933a3ae4b 100644
--- a/security/openssl/patches/patch-Configure
+++ b/security/openssl/patches/patch-Configure
@@ -1,12 +1,12 @@
-$NetBSD: patch-Configure,v 1.4 2015/03/19 22:11:22 tron Exp $
+$NetBSD: patch-Configure,v 1.5 2015/06/12 17:02:24 tron Exp $
* Avoid -fast on Solaris, creates non-portable packages which depend on
host-specific CPU features.
* Add GNU/kFreeBSD support.
---- Configure.orig 2015-03-19 13:30:36.000000000 +0000
-+++ Configure 2015-03-19 20:58:06.000000000 +0000
-@@ -341,6 +341,7 @@
+--- Configure.orig 2015-06-11 14:50:11.000000000 +0100
++++ Configure 2015-06-12 12:07:54.000000000 +0100
+@@ -358,6 +358,7 @@
#
"osf1-alpha-gcc", "gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
"osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
@@ -14,10 +14,11 @@ $NetBSD: patch-Configure,v 1.4 2015/03/19 22:11:22 tron Exp $
"tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
####
-@@ -464,6 +465,29 @@
+@@ -481,8 +482,31 @@
"BSD-ia64", "gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "BSD-x86_64", "gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "BSD-x86_64", "cc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"NetBSD","gcc:-DTERMIOS -O2 -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"NetBSD-alpha", "gcc:-DTERMIOS -DL_ENDIAN -O2 -Wall::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"NetBSD-arm", "gcc:-DTERMIOS -DL_ENDIAN -O2 -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
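Review bot: The regenerated inner hunk now deletes the upstream `bsdi-elf-gcc` table entry (`+-"bsdi-elf-gcc", …` here) and the next outer hunk re-adds it after the GNU/kFreeBSD entries (`++ "bsdi-elf-gcc", …`), where the previous revision left that line as untouched context. The net effect on Configure appears to be nil apart from leading whitespace, but the pkgsrc patch now carries a verbatim copy of an upstream compiler-flag line. Any later upstream change to that entry would stop the hunk from applying cleanly and force a hand merge of build flags for a security-critical library. Regenerating the patch so the NetBSD/DragonFly/kFreeBSD entries are pure insertions ahead of an unchanged ` "bsdi-elf-gcc"` context line would keep the local delta additive and easier to audit. The inner `@@ -481,8 +482,31 @@` hunk continues past the end of this outer hunk.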
@@ -39,12 +40,14 @@ $NetBSD: patch-Configure,v 1.4 2015/03/19 22:11:22 tron Exp $
+"DragonFly-x86_64", "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"GNU/kFreeBSD-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIOS -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"GNU/kFreeBSD-i386", "gcc:-DL_ENDIAN -DTERMIOS -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+
-+
- "bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++
++ "bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++
"nextstep", "cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
-@@ -915,7 +939,7 @@
+ "nextstep3.3", "cc:-O3 -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
+
+@@ -932,7 +956,7 @@
# The check for the option is there so scripts aren't
# broken
}
@@ -53,7 +56,7 @@ $NetBSD: patch-Configure,v 1.4 2015/03/19 22:11:22 tron Exp $
{
if (/^--prefix=(.*)$/)
{
-@@ -1737,7 +1761,7 @@
+@@ -1764,7 +1788,7 @@
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;