pkgsrc-Changes archive


CVS commit: pkgsrc/security/openssl



Module Name:    pkgsrc
Committed By:   obache
Date:           Tue Apr  8 06:20:44 UTC 2014

Modified Files:
        pkgsrc/security/openssl: Makefile distinfo
Removed Files:
        pkgsrc/security/openssl/patches: patch-crypto_bn_bn.h
            patch-crypto_bn_bn__lib.c patch-crypto_ec_ec2__mult.c

Log Message:
Update openssl to 1.0.1g.
(CVE-2014-0076 is already fixed in pkgsrc).

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1f and 1.0.1g [7 Apr 2014]

  *) A missing bounds check in the handling of the TLS heartbeat extension
     can be used to reveal up to 64k of memory to a connected client or
     server.

     Thanks to Neel Mehta of Google Security for discovering this bug and to
     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
     preparing the fix (CVE-2014-0160)
     [Adam Langley, Bodo Moeller]

  *) Fix for the attack described in the paper "Recovering OpenSSL
     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     by Yuval Yarom and Naomi Benger. Details can be obtained from:
     http://eprint.iacr.org/2014/140

     Thanks to Yuval Yarom and Naomi Benger for discovering this
     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
     [Yuval Yarom and Naomi Benger]

  *) TLS pad extension: draft-agl-tls-padding-03

     Workaround for the "TLS hang bug" (see FAQ and opensslPR#2771): if the
     TLS client Hello record length value would otherwise be > 255 and
     less than 512, pad with a dummy extension containing zeroes so it
     is at least 512 bytes long.

     [Adam Langley, Steve Henson]


To generate a diff of this commit:
cvs rdiff -u -r1.187 -r1.188 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.103 -r1.104 pkgsrc/security/openssl/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/security/openssl/patches/patch-crypto_bn_bn.h \
    pkgsrc/security/openssl/patches/patch-crypto_bn_bn__lib.c \
    pkgsrc/security/openssl/patches/patch-crypto_ec_ec2__mult.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
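The first CHANGES entry above describes the defect only as "a missing bounds check" on the heartbeat payload length. The following example, added here and not taken from OpenSSL or from the pkgsrc patches, shows what that check looks like on the RFC 6520 message layout (1-byte type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding): the declared length is attacker-controlled and must be validated against the number of bytes actually received before anything is copied. The function names, the hb_build helper and the "abc" payload are assumptions constructed for the demo; hb_overread_bytes only computes how far an unchecked echo would read past the record, it never performs that read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire layout of a TLS heartbeat message (RFC 6520); all inputs below are constructed:
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Copies the payload into out (capacity out_cap) and returns its length, or -1
 * when the message is malformed. The length check is the one the changelog
 * entry refers to: payload_length comes from the peer and must be validated
 * against the bytes actually received before anything is copied. */
static int hb_parse_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return -1;                              /* cannot even hold header + padding */
    if (rec[0] != 1 && rec[0] != 2)
        return -1;                              /* unknown heartbeat type */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Bounds check: header + claimed payload + padding must fit in the record. */
    if (HB_HDR_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + HB_HDR_LEN, payload_len);
    return (int)payload_len;
}

/* Without the check, an echo of payload_length bytes reads past the end of the
 * received record. This helper only computes how far past (0 for a well-formed
 * message); it never performs the over-read. A 2-byte field caps it near 64k,
 * which is the figure the changelog gives. */
static size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t needed = HB_HDR_LEN + payload_len + HB_MIN_PADDING;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Builds a heartbeat request whose header declares declared_len bytes while the
 * real payload is "abc" (constructed test input, not captured traffic).
 * Returns the number of bytes written, 0 if the buffer is too small. */
static size_t hb_build(uint8_t *buf, size_t cap, uint16_t declared_len)
{
    static const uint8_t payload[] = { 'a', 'b', 'c' };
    size_t len = HB_HDR_LEN + sizeof payload + HB_MIN_PADDING;
    if (cap < len)
        return 0;
    buf[0] = 1;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HB_HDR_LEN, payload, sizeof payload);
    memset(buf + HB_HDR_LEN + sizeof payload, 0, HB_MIN_PADDING);
    return len;
}

int main(void)
{
    uint8_t rec[64], out[64];
    size_t n = hb_build(rec, sizeof rec, 3);          /* honest length field */
    printf("honest: parsed=%d overread=%zu\n",
           hb_parse_checked(rec, n, out, sizeof out), hb_overread_bytes(rec, n));
    n = hb_build(rec, sizeof rec, 0xffff);             /* claims 65535 bytes */
    printf("forged: parsed=%d overread=%zu\n",
           hb_parse_checked(rec, n, out, sizeof out), hb_overread_bytes(rec, n));
    return 0;
}
```

The honest message parses to 3 bytes; the forged one is rejected by hb_parse_checked, while hb_overread_bytes shows that an unchecked echo of the same 22-byte record would have read 65532 bytes beyond it.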


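The third CHANGES entry gives the padding rule in one sentence: a ClientHello whose length would fall between 256 and 511 bytes gets a zero-filled padding extension so that it is at least 512 bytes long. The example below, added here and not OpenSSL's or pkgsrc's code, works that rule through including the edge case where fewer than 4 bytes are missing and the extension's own 4-byte header already crosses the boundary. The extension type value 21 is the code point later registered for this extension in RFC 7685; the function names, the buffer handling and the 0xAA stand-in bodies are assumptions for the demo, and the ClientHello's extensions-length field, which a real implementation must also update, is deliberately not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Extension type of the TLS padding extension (21, the code point registered
 * in RFC 7685 for the extension the draft in the changelog describes). */
#define TLSEXT_TYPE_PADDING 21

/* Length of the padding extension *data* needed to bring a ClientHello body of
 * hello_len bytes to at least 512, or -1 when no padding applies (length
 * outside the 256..511 window). The 4-byte extension header counts toward the
 * total, so when fewer than 4 bytes are missing the data length is 0 and the
 * header alone pushes the body past 512. */
static int padding_data_len(size_t hello_len)
{
    if (hello_len <= 255 || hello_len >= 512)
        return -1;
    size_t missing = 512 - hello_len;
    return missing >= 4 ? (int)(missing - 4) : 0;
}

/* Appends the padding extension to a buffer holding hello_len bytes of
 * ClientHello (capacity cap) and returns the new length; the length is
 * unchanged when the window does not apply or the buffer is too small.
 * Demo simplification: the extensions-length field is not updated here. */
static size_t pad_client_hello(uint8_t *hello, size_t hello_len, size_t cap)
{
    int data_len = padding_data_len(hello_len);
    if (data_len < 0)
        return hello_len;
    size_t total = hello_len + 4 + (size_t)data_len;
    if (total > cap)
        return hello_len;
    uint8_t *p = hello + hello_len;
    p[0] = (uint8_t)(TLSEXT_TYPE_PADDING >> 8);
    p[1] = (uint8_t)(TLSEXT_TYPE_PADDING & 0xff);
    p[2] = (uint8_t)(data_len >> 8);
    p[3] = (uint8_t)(data_len & 0xff);
    memset(p + 4, 0, (size_t)data_len);          /* padding bytes are all zero */
    return total;
}

int main(void)
{
    uint8_t hello[600];
    size_t lens[] = { 200, 256, 300, 510, 600 };   /* constructed body lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        memset(hello, 0xAA, lens[i]);              /* stand-in ClientHello bytes */
        printf("%zu -> %zu\n", lens[i],
               pad_client_hello(hello, lens[i], sizeof hello));
    }
    return 0;
}
```

Bodies of 200 and 600 bytes are left alone, 256 and 300 are padded to exactly 512, and 510 becomes 514: the header alone is enough, so the data length is 0 rather than a negative value.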

