From 4e6fc10d5990a097e5c5a99aa776f939729a76f3 Mon Sep 17 00:00:00 2001 From: taca Date: Mon, 12 Apr 2010 14:19:17 +0000 Subject: Update openssl package from 0.9.8m to 0.9.8n. Changes between 0.9.8m and 0.9.8n [24 Mar 2010] *) When rejecting SSL/TLS records due to an incorrect version number, never update s->server with a new major version number. As of - OpenSSL 0.9.8m if 'short' is a 16-bit type, - OpenSSL 0.9.8f if 'short' is longer than 16 bits, the previous behavior could result in a read attempt at NULL when receiving specific incorrect SSL/TLS records once record payload protection is active. (CVE-2010-0740) [Bodo Moeller, Adam Langley ] *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted). [Tomas Hoger ] --- security/openssl/Makefile | 5 ++--- security/openssl/distinfo | 9 ++++----- security/openssl/patches/patch-bc | 19 ------------------- 3 files changed, 6 insertions(+), 27 deletions(-) delete mode 100644 security/openssl/patches/patch-bc (limited to 'security') diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 97469d43fbe..695636860b1 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,9 +1,8 @@ -# $NetBSD: Makefile,v 1.146 2010/03/26 00:20:49 taca Exp $ +# $NetBSD: Makefile,v 1.147 2010/04/12 14:19:17 taca Exp $ OPENSSL_SNAPSHOT?= # empty OPENSSL_STABLE?= # empty -OPENSSL_VERS?= 0.9.8m -PKGREVISION= 2 +OPENSSL_VERS?= 0.9.8n .if empty(OPENSSL_SNAPSHOT) DISTNAME= openssl-${OPENSSL_VERS} diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 1e1681a6c45..3f4a3a08aa7 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.73 2010/03/26 00:20:49 taca Exp $ +$NetBSD: distinfo,v 1.74 2010/04/12 14:19:17 taca Exp $ -SHA1 (openssl-0.9.8m.tar.gz) = 2511c709a47f34d5fa6cd1a1c9cb1699bdffa912 -RMD160 (openssl-0.9.8m.tar.gz) = 0296af151993008526b4f2b3a6810e20c4ad3759 -Size (openssl-0.9.8m.tar.gz) = 3767604 bytes +SHA1 (openssl-0.9.8n.tar.gz) = 595f5ebf592568515964f0adc62239e7012ef08b +RMD160 (openssl-0.9.8n.tar.gz) = 8eb5e877c2bab203e8eb108e42d60580a478f718 +Size (openssl-0.9.8n.tar.gz) = 3770041 bytes SHA1 (patch-aa) = b3899aebeea9bd9ead58771ca52ecec049589a55 SHA1 (patch-ac) = 6ff4a20440666f5c520837e10547091e1bee2208 SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3 @@ -11,4 +11,3 @@ SHA1 (patch-af) = 2610930b6b06397fa2e3955b3244c02193f5b7a6 SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8 SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0 SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302 -SHA1 (patch-bc) = 9200ae3c86fb5c278c9692441555faa4c51afb30 diff --git a/security/openssl/patches/patch-bc b/security/openssl/patches/patch-bc deleted file mode 100644 index d150c8acb7c..00000000000 --- a/security/openssl/patches/patch-bc +++ /dev/null @@ -1,19 +0,0 @@ -$NetBSD: patch-bc,v 1.1 2010/03/26 00:20:49 taca Exp $ - -Fix for CVE-2010-0740: http://www.openssl.org/news/secadv_20100324.txt - ---- ssl/s3_pkt.c.orig 2010-01-24 13:52:38.000000000 +0000 -+++ ssl/s3_pkt.c -@@ -291,9 +291,9 @@ again: - if (version != s->version) - { - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); -- /* Send back error using their -- * version number :-) */ -- s->version=version; -+ if ((s->version & 0xFF00) == (version & 0xFF00)) -+ /* Send back error using their minor version number :-) */ -+ s->version = (unsigned short)version; - al=SSL_AD_PROTOCOL_VERSION; - goto f_err; - } -- cgit v1.2.3