| author | jperkin <jperkin@pkgsrc.org> | 2014-10-15 19:04:40 +0000 |
|---|---|---|
| committer | jperkin <jperkin@pkgsrc.org> | 2014-10-15 19:04:40 +0000 |
| commit | c1779e05887b5986f905b5b656ea36daa54681a3 (patch) | |
| tree | 20045b7562dd8db2329375d77706386e7f05aff0 /security | |
| parent | a701b657ce2203833507f7f8dfcc89a889feefa2 (diff) | |
| download | pkgsrc-c1779e05887b5986f905b5b656ea36daa54681a3.tar.gz | |
Update to openssl-1.0.1j.

Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

*) SRTP Memory Leak.
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
The fix was developed by the OpenSSL team.
(CVE-2014-3513)
[OpenSSL team]

*) Session Ticket Memory Leak.
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]

*) Build option no-ssl3 is incomplete.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete an SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]

*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)
[Adam Langley, Bodo Moeller]

*) Add additional DigestInfo checks.
Reencode DigestInfo in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.
Note: this is a precautionary measure and no attacks are currently known.
[Steve Henson]
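The last changelog entry describes a re-encode-and-compare check on the DigestInfo structure inside a PKCS#1 v1.5 signature. The following is an added illustration of that check in Python; it is not part of this pkgsrc commit and not OpenSSL's own code. It assumes SHA-256 as the hash (the OID bytes are the standard id-sha256 encoding), parses the DigestInfo with a deliberately permissive reader, re-encodes the parsed fields in strict DER, and accepts the input only if the two byte strings are identical. The sample inputs are constructed in the block.

```python
import hashlib

# DER value bytes of OID 2.16.840.1.101.3.4.2.1 (id-sha256).
OID_SHA256 = bytes.fromhex("608648016503040201")


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value with minimal (DER) length bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_digestinfo(oid: bytes, digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING }"""
    algorithm = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x05, b""))
    return der_tlv(0x30, algorithm + der_tlv(0x04, digest))


def read_tlv(buf: bytes, pos: int):
    """Permissive reader: also accepts long-form lengths that DER forbids
    for small values, so that the re-encode comparison is what rejects them."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("bad length")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    body = buf[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated body")
    return tag, body, pos + n


def parse_digestinfo(buf: bytes):
    """Return (oid, digest); trailing bytes after the outer SEQUENCE are
    tolerated here on purpose and caught by the canonical comparison."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("DigestInfo is not a SEQUENCE")
    tag, alg, p = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, q = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    tag, params, r = read_tlv(alg, q)
    if tag != 0x05 or params != b"" or r != len(alg):
        raise ValueError("unexpected algorithm parameters")
    tag, digest, s = read_tlv(body, p)
    if tag != 0x04 or s != len(body):
        raise ValueError("bad digest OCTET STRING")
    return oid, digest


def digestinfo_is_canonical(buf: bytes) -> bool:
    """The precautionary check: parse, re-encode in DER, compare bytes."""
    try:
        oid, digest = parse_digestinfo(buf)
    except ValueError:
        return False
    return encode_digestinfo(oid, digest) == buf


def verify_digestinfo(buf: bytes, message: bytes) -> bool:
    """Accept only a canonical SHA-256 DigestInfo whose digest matches."""
    if not digestinfo_is_canonical(buf):
        return False
    oid, digest = parse_digestinfo(buf)
    return oid == OID_SHA256 and digest == hashlib.sha256(message).digest()


def sample_digestinfo(message: bytes) -> bytes:
    """Constructed well-formed DigestInfo for a message (for demonstration)."""
    return encode_digestinfo(OID_SHA256, hashlib.sha256(message).digest())


if __name__ == "__main__":
    good = sample_digestinfo(b"constructed message")
    # Same fields, but the outer length written in long form (0x81 0x31).
    long_form = b"\x30\x81" + good[1:]
    print(digestinfo_is_canonical(good), digestinfo_is_canonical(long_form),
          digestinfo_is_canonical(good + b"\x00"))
```

The permissive reader stands in for a decoder that accepts BER variants; the comparison with a fresh DER encoding is what turns "parses fine" into "is exactly the bytes a correct signer would have produced", which is the property the changelog entry is after.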
Diffstat (limited to 'security')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | security/openssl/Makefile | 4 |
| -rw-r--r-- | security/openssl/PLIST.common | 11 |
| -rw-r--r-- | security/openssl/distinfo | 8 |

3 files changed, 14 insertions, 9 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 3c083af9393..0623049bb88 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.199 2014/10/09 14:06:52 wiz Exp $ +# $NetBSD: Makefile,v 1.200 2014/10/15 19:04:40 jperkin Exp $ -DISTNAME= openssl-1.0.1i +DISTNAME= openssl-1.0.1j MASTER_SITES= http://ftp.openssl.org/source/ CATEGORIES= security diff --git a/security/openssl/PLIST.common b/security/openssl/PLIST.common index ccb00694b52..7bdd658df5e 100644 --- a/security/openssl/PLIST.common +++ b/security/openssl/PLIST.common @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST.common,v 1.19 2014/08/07 01:29:45 obache Exp $ +@comment $NetBSD: PLIST.common,v 1.20 2014/10/15 19:04:40 jperkin Exp $ bin/c_rehash bin/openssl include/openssl/aes.h @@ -98,6 +98,7 @@ lib/pkgconfig/openssl.pc man/man1/CA.pl.1 man/man1/openssl.1 man/man1/openssl_asn1parse.1 +man/man1/openssl_c_rehash.1 man/man1/openssl_ca.1 man/man1/openssl_ciphers.1 man/man1/openssl_cms.1 @@ -107,6 +108,7 @@ man/man1/openssl_dgst.1 man/man1/openssl_dhparam.1 man/man1/openssl_dsa.1 man/man1/openssl_dsaparam.1 +man/man1/openssl_dss1.1 man/man1/openssl_ec.1 man/man1/openssl_ecparam.1 man/man1/openssl_enc.1 @@ -138,6 +140,10 @@ man/man1/openssl_s_time.1 man/man1/openssl_sess_id.1 man/man1/openssl_sha.1 man/man1/openssl_sha1.1 +man/man1/openssl_sha224.1 +man/man1/openssl_sha256.1 +man/man1/openssl_sha384.1 +man/man1/openssl_sha512.1 man/man1/openssl_smime.1 man/man1/openssl_speed.1 man/man1/openssl_spkac.1 @@ -370,7 +376,6 @@ man/man3/BN_num_bits.3 man/man3/BN_num_bits_word.3 man/man3/BN_num_bytes.3 man/man3/BN_one.3 -man/man3/BN_print.3 man/man3/BN_print_fp.3 man/man3/BN_pseudo_rand.3 man/man3/BN_rand.3 @@ -409,6 +414,7 @@ man/man3/CMS_add0_recipient_key.3 man/man3/CMS_add1_ReceiptRequest.3 man/man3/CMS_add1_cert.3 man/man3/CMS_add1_recipient_cert.3 +man/man3/CMS_add1_signer.3 man/man3/CMS_compress.3 man/man3/CMS_decrypt.3 man/man3/CMS_encrypt.3 
@@ -423,7 +429,6 @@ man/man3/CMS_get1_crls.3 man/man3/CMS_set1_eContentType.3 man/man3/CMS_set1_signer_certs.3 man/man3/CMS_sign.3 -man/man3/CMS_sign_add1_signer.3 man/man3/CMS_sign_receipt.3 man/man3/CMS_uncompress.3 man/man3/CMS_verify.3 diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 5549c3b90be..16308d2ea9d 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.108 2014/08/07 01:29:45 obache Exp $ +$NetBSD: distinfo,v 1.109 2014/10/15 19:04:40 jperkin Exp $ -SHA1 (openssl-1.0.1i.tar.gz) = 74eed314fa2c93006df8d26cd9fc630a101abd76 -RMD160 (openssl-1.0.1i.tar.gz) = aa566f80f79aec8edb07fd61d917f62052a73155 -Size (openssl-1.0.1i.tar.gz) = 4422117 bytes +SHA1 (openssl-1.0.1j.tar.gz) = cff86857507624f0ad42d922bb6f77c4f1c2b819 +RMD160 (openssl-1.0.1j.tar.gz) = 6b26ea6db32911eaf98a532cafdc6b3a7c1cf358 +Size (openssl-1.0.1j.tar.gz) = 4432964 bytes SHA1 (patch-Configure) = f8b8b3ecfa9d23530d13f8f93582db857f772fc4 SHA1 (patch-Makefile.org) = be55df602286c7f0265a8c5c3d8edaea13b1d966 SHA1 (patch-Makefile.shared) = 709283ba4bb4bd568e289fe111b8dea319968328 |
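Review bot: in the Makefile hunk, MASTER_SITES stays at the plain-http URL http://ftp.openssl.org/source/ while DISTNAME moves to openssl-1.0.1j, so the integrity of a security-fix release fetched by this package rests entirely on the SHA1/RMD160 values committed in distinfo; please record that those checksums were compared against the values published by upstream rather than computed from the downloaded tarball, and switch the site to https if the mirror offers it.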
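Review bot: the @@ -370,7 +376,6 @@ hunk of PLIST.common drops man/man3/BN_print.3 while keeping man/man3/BN_print_fp.3; please confirm that 1.0.1j really no longer installs that page (as opposed to the pkgsrc man-page link generation missing it), since a PLIST removal for a file that is still installed would only surface as a build failure on the next PKGREVISION bump. The same question applies to the removal of man/man3/CMS_sign_add1_signer.3 in the @@ -423,7 +429,6 @@ hunk, which reads as the counterpart of the man/man3/CMS_add1_signer.3 added in @@ -409,6 +414,7 @@.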
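Review bot: the distinfo hunk updates SHA1, RMD160 and Size for openssl-1.0.1j.tar.gz but leaves the SHA1 lines for patch-Configure, patch-Makefile.org and patch-Makefile.shared untouched, i.e. the local patches were reused as-is; it would help to state in the commit message that they were checked to apply cleanly to 1.0.1j. Separately, the distfile is pinned only by SHA1 and RMD160; adding a SHA512 line would give a stronger integrity anchor for a cryptographic library's source, since SHA1 is no longer considered collision-resistant.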