pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/openssl Update security/openssl to 1.0.2k.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/53728cb97203
branches:  trunk
changeset: 357722:53728cb97203
user:      jperkin <jperkin%pkgsrc.org@localhost>
date:      Thu Jan 26 16:31:57 2017 +0000

description:
Update security/openssl to 1.0.2k.

Changes between 1.0.2j and 1.0.2k [26 Jan 2017]

  *) Truncated packet could crash via OOB read

     If one side of an SSL/TLS path is running on a 32-bit host and a specific
     cipher is being used, then a truncated packet can cause that host to
     perform an out-of-bounds read, usually resulting in a crash.

     This issue was reported to OpenSSL by Robert ?wi?cki of Google.
     (CVE-2017-3731)
     [Andy Polyakov]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients. For example this can occur by
     default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
     similar to CVE-2015-3193 but must be treated as a separate problem.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3732)
     [Andy Polyakov]

  *) Montgomery multiplication may produce incorrect results

     There is a carry propagating bug in the Broadwell-specific Montgomery
     multiplication procedure that handles input lengths divisible by, but
     longer than 256 bits. Analysis suggests that attacks against RSA, DSA
     and DH private keys are impossible. This is because the subroutine in
     question is not used in operations with the private key itself and an input
     of the attacker's direct choice. Otherwise the bug can manifest itself as
     transient authentication and key negotiation failures or reproducible
     erroneous outcome of public-key operations with specially crafted input.
     Among EC algorithms only Brainpool P-512 curves are affected and one
     presumably can attack ECDH key negotiation. Impact was not analyzed in
     detail, because pre-requisites for attack are considered unlikely. Namely
     multiple clients have to choose the curve in question and the server has to
     share the private key among them, neither of which is default behaviour.
     Even then only clients that chose the curve will be affected.

     This issue was publicly reported as transient failures and was not
     initially recognized as a security issue. Thanks to Richard Morgan for
     providing reproducible case.
     (CVE-2016-7055)
     [Andy Polyakov]

  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     prevent issues where no progress is being made and the peer continually
     sends unrecognised record types, using up resources processing them.
     [Matt Caswell]

diffstat:

 security/openssl/Makefile                              |   5 ++---
 security/openssl/distinfo                              |  11 +++++------
 security/openssl/patches/patch-engines_ccgost_Makefile |  15 ---------------
 3 files changed, 7 insertions(+), 24 deletions(-)

diffs (56 lines):

diff -r 8dbc75713e43 -r 53728cb97203 security/openssl/Makefile
--- a/security/openssl/Makefile Thu Jan 26 15:12:42 2017 +0000
+++ b/security/openssl/Makefile Thu Jan 26 16:31:57 2017 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.229 2016/12/06 18:18:54 marino Exp $
+# $NetBSD: Makefile,v 1.230 2017/01/26 16:31:57 jperkin Exp $
 
-DISTNAME=      openssl-1.0.2j
-PKGREVISION=   1
+DISTNAME=      openssl-1.0.2k
 CATEGORIES=    security
 MASTER_SITES=  https://www.openssl.org/source/
 
diff -r 8dbc75713e43 -r 53728cb97203 security/openssl/distinfo
--- a/security/openssl/distinfo Thu Jan 26 15:12:42 2017 +0000
+++ b/security/openssl/distinfo Thu Jan 26 16:31:57 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.126 2016/11/02 13:10:31 maya Exp $
+$NetBSD: distinfo,v 1.127 2017/01/26 16:31:57 jperkin Exp $
 
-SHA1 (openssl-1.0.2j.tar.gz) = bdfbdb416942f666865fa48fe13c2d0e588df54f
-RMD160 (openssl-1.0.2j.tar.gz) = d5be416caf523f3496323dbd05547144348e7854
-SHA512 (openssl-1.0.2j.tar.gz) = 7d6ccae4aa3ccec3a5d128da29c68401cdb1210cba6d212d55235fc3bc63d7085e2f119e2bbee7ddff6b7b5eef07c6196156791724cd2caf313a4c2fef724edd
-Size (openssl-1.0.2j.tar.gz) = 5307912 bytes
+SHA1 (openssl-1.0.2k.tar.gz) = 5f26a624479c51847ebd2f22bb9f84b3b44dcb44
+RMD160 (openssl-1.0.2k.tar.gz) = 56b70831e49f83987ec14b3878d0d693f9a7d862
+SHA512 (openssl-1.0.2k.tar.gz) = 0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016
+Size (openssl-1.0.2k.tar.gz) = 5309236 bytes
 SHA1 (patch-Configure) = 2d963d781314276a0ee1bc531df6bc50f0f6b32b
 SHA1 (patch-Makefile.org) = d2a9295003a8b88718a328b01ff6bcbbc102ec0b
 SHA1 (patch-Makefile.shared) = d317004d6ade167fc3b6e533bb8a1e93657188b2
@@ -11,5 +11,4 @@
 SHA1 (patch-config) = 345cadece3bdf0ef0a273a6c9ba6d0cbb1026a31
 SHA1 (patch-crypto_bn_bn__prime.pl) = a516f3709a862d85e659d466e895419b1e0a94c8
 SHA1 (patch-crypto_des_Makefile) = 7a23f9883ff6c93ec0e5d08e1332cc95de8cdba2
-SHA1 (patch-engines_ccgost_Makefile) = 5ff1e2705f6cb46075d5e005af9e804bb81d65e5
 SHA1 (patch-tools_Makefile) = 67f0b9b501969382fd89b678c277d32bf5d294bc
diff -r 8dbc75713e43 -r 53728cb97203 security/openssl/patches/patch-engines_ccgost_Makefile
--- a/security/openssl/patches/patch-engines_ccgost_Makefile    Thu Jan 26 15:12:42 2017 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-$NetBSD: patch-engines_ccgost_Makefile,v 1.4 2016/01/28 16:30:43 jperkin Exp $
-
-* Make sure rpath is set properly on the libgost.so engine lib.
-
---- engines/ccgost/Makefile.orig       2016-01-28 13:57:20.000000000 +0000
-+++ engines/ccgost/Makefile
-@@ -32,7 +32,7 @@ lib: $(LIBOBJ)
-               $(MAKE) -f $(TOP)/Makefile.shared -e \
-                       LIBNAME=$(LIBNAME) \
-                       LIBEXTRAS='$(LIBOBJ)' \
--                      LIBDEPS='-L$(TOP) -lcrypto' \
-+                      LIBDEPS='-L$(TOP) -lcrypto $(EX_LIBS)' \
-                       link_o.$(SHLIB_TARGET); \
-       else \
-               $(AR) $(LIB) $(LIBOBJ); \



Home | Main Index | Thread Index | Old Index