Re: CVS commit: pkgsrc/security/openssl

To: tron%netbsd.org@localhost
Subject: Re: CVS commit: pkgsrc/security/openssl
From: Filip Hajny <filip%joyent.com@localhost>
Date: Fri, 12 Jun 2015 19:10:57 +0200

Thanks! However, 1.0.2c is out there and needs to be used instead...

https://twitter.com/mancha140/status/609386942489178112

-F

> 12. 6. 2015 v 19:02, Matthias Scheler <tron%netbsd.org@localhost>:
> 
> Module Name:  pkgsrc
> Committed By: tron
> Date:         Fri Jun 12 17:02:24 UTC 2015
> 
> Modified Files:
>       pkgsrc/security/openssl: Makefile PLIST.common distinfo
>       pkgsrc/security/openssl/patches: patch-Configure
> 
> Log Message:
> Update "openssl" package to version 1.0.2b. Changes since version 1.0.2a:
> - Malformed ECParameters causes infinite loop
>  When processing an ECParameters structure OpenSSL enters an infinite loop
>  if the curve specified is over a specially malformed binary polynomial
>  field.
>  This can be used to perform denial of service against any
>  system which processes public keys, certificate requests or
>  certificates.  This includes TLS clients and TLS servers with
>  client authentication enabled.
>  This issue was reported to OpenSSL by Joseph Barr-Pixton.
>  (CVE-2015-1788)
>  [Andy Polyakov]
> - Exploitable out-of-bounds read in X509_cmp_time
>  X509_cmp_time does not properly check the length of the ASN1_TIME
>  string and can read a few bytes out of bounds. In addition,
>  X509_cmp_time accepts an arbitrary number of fractional seconds in the
>  time string.
>  An attacker can use this to craft malformed certificates and CRLs of
>  various sizes and potentially cause a segmentation fault, resulting in
>  a DoS on applications that verify certificates or CRLs. TLS clients
>  that verify CRLs are affected. TLS clients and servers with client
>  authentication enabled may be affected if they use custom verification
>  callbacks.
>  This issue was reported to OpenSSL by Robert Swiecki (Google), and
>  independently by Hanno B�ck.
>  (CVE-2015-1789)
>  [Emilia K�sper]
> - PKCS7 crash with missing EnvelopedContent
>  The PKCS#7 parsing code does not handle missing inner EncryptedContent
>  correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
>  with missing content and trigger a NULL pointer dereference on parsing.
>  Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
>  structures from untrusted sources are affected. OpenSSL clients and
>  servers are not affected.
>  This issue was reported to OpenSSL by Michal Zalewski (Google).
>  (CVE-2015-1790)
>  [Emilia K�sper]
> - CMS verify infinite loop with unknown hash function
>  When verifying a signedData message the CMS code can enter an infinite loop
>  if presented with an unknown hash function OID. This can be used to perform
>  denial of service against any system which verifies signedData messages using
>  the CMS code.
>  This issue was reported to OpenSSL by Johannes Bauer.
>  (CVE-2015-1792)
>  [Stephen Henson]
> - Race condition handling NewSessionTicket
>  If a NewSessionTicket is received by a multi-threaded client when
>  attempting to reuse a previous ticket then a race condition can occur
>  potentially leading to a double free of the ticket data.
>  (CVE-2015-1791)
>  [Matt Caswell]
> - Removed support for the two export grade static DH ciphersuites
>  EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
>  were newly added (along with a number of other static DH ciphersuites) to
>  1.0.2. However the two export ones have *never* worked since they were
>  introduced. It seems strange in any case to be adding new export
>  ciphersuites, and given "logjam" it also does not seem correct to fix them.
>  [Matt Caswell]
> - Only support 256-bit or stronger elliptic curves with the
>  'ecdh_auto' setting (server) or by default (client). Of supported
>  curves, prefer P-256 (both).
>  [Emilia Kasper]
> - Reject DH handshakes with parameters shorter than 768 bits.
>  [Kurt Roeckx and Emilia Kasper]
> 
> 
> To generate a diff of this commit:
> cvs rdiff -u -r1.207 -r1.208 pkgsrc/security/openssl/Makefile
> cvs rdiff -u -r1.23 -r1.24 pkgsrc/security/openssl/PLIST.common
> cvs rdiff -u -r1.112 -r1.113 pkgsrc/security/openssl/distinfo
> cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/openssl/patches/patch-Configure
> 
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
>

References:
- CVS commit: pkgsrc/security/openssl
  - From: Matthias Scheler

Prev by Date: CVS commit: [pkgsrc-2015Q1] pkgsrc/lang
Next by Date: CVS commit: pkgsrc/mk/scripts
Previous by Thread: CVS commit: pkgsrc/security/openssl
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index