pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/openssl Update to v1.0.2t



details:   https://anonhg.NetBSD.org/pkgsrc/rev/5d859f6ab7ad
branches:  trunk
changeset: 418500:5d859f6ab7ad
user:      sevan <sevan%pkgsrc.org@localhost>
date:      Tue Nov 26 22:22:45 2019 +0000

description:
Update to v1.0.2t

Changes between 1.0.2s and 1.0.2t [10 Sep 2019]

   *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
      used even when parsing explicit parameters, when loading a serialized key
      or calling `EC_GROUP_new_from_ecpkparameters()`/
      `EC_GROUP_new_from_ecparameters()`.
      This prevents bypass of security hardening and performance gains,
      especially for curves with specialized EC_METHODs.
      By default, if a key encoded with explicit parameters is loaded and later
      serialized, the output is still encoded with explicit parameters, even if
      internally a "named" EC_GROUP is used for computation.
      [Nicola Tuveri]

  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
     this change, EC_GROUP_set_generator would accept order and/or cofactor as
     NULL. After this change, only the cofactor parameter can be NULL. It also
     does some minimal sanity checks on the passed order.
     (CVE-2019-1547)
     [Billy Bob Brumley]

  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
     An attack is simple, if the first CMS_recipientInfo is valid but the
     second CMS_recipientInfo is chosen ciphertext. If the second
     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
     encryption key will be replaced by garbage, and the message cannot be
     decoded, but if the RSA decryption fails, the correct encryption key is
     used and the recipient will not notice the attack.
     As a work around for this potential attack the length of the decrypted
     key must be equal to the cipher default key length, in case the
     certifiate is not given and all recipientInfo are tried out.
     The old behaviour can be re-enabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag.
     (CVE-2019-1563)
     [Bernd Edlinger]

  *) Document issue with installation paths in diverse Windows builds

     '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
     binaries and run-time config file.
     (CVE-2019-1552)
     [Richard Levitte]

diffstat:

 security/openssl/Makefile |   5 ++---
 security/openssl/distinfo |  10 +++++-----
 2 files changed, 7 insertions(+), 8 deletions(-)

diffs (31 lines):

diff -r 7db826ac9598 -r 5d859f6ab7ad security/openssl/Makefile
--- a/security/openssl/Makefile Tue Nov 26 22:14:41 2019 +0000
+++ b/security/openssl/Makefile Tue Nov 26 22:22:45 2019 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.245 2019/11/24 01:45:12 gdt Exp $
+# $NetBSD: Makefile,v 1.246 2019/11/26 22:22:45 sevan Exp $
 
-DISTNAME=      openssl-1.0.2s
-PKGREVISION=   1
+DISTNAME=      openssl-1.0.2t
 CATEGORIES=    security
 MASTER_SITES=  https://www.openssl.org/source/
 
diff -r 7db826ac9598 -r 5d859f6ab7ad security/openssl/distinfo
--- a/security/openssl/distinfo Tue Nov 26 22:14:41 2019 +0000
+++ b/security/openssl/distinfo Tue Nov 26 22:22:45 2019 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.134 2019/06/30 22:52:54 sevan Exp $
+$NetBSD: distinfo,v 1.135 2019/11/26 22:22:45 sevan Exp $
 
-SHA1 (openssl-1.0.2s.tar.gz) = cf43d57a21e4baf420b3628677ebf1723ed53bc1
-RMD160 (openssl-1.0.2s.tar.gz) = 6067f88e5f1ac797e189648386adb12ca4aba85d
-SHA512 (openssl-1.0.2s.tar.gz) = 9f745452c4f777df694158e95003cde78a2cf8199bc481a563ec36644664c3c1415a774779b9791dd18f2aeb57fa1721cb52b3db12d025955e970071d5b66d2a
-Size (openssl-1.0.2s.tar.gz) = 5349149 bytes
+SHA1 (openssl-1.0.2t.tar.gz) = 8ac3fd379cf8c8ef570abb51ec52a88fd526f88a
+RMD160 (openssl-1.0.2t.tar.gz) = 60fa7238a3beefb1e95d76de607d69af7198118b
+SHA512 (openssl-1.0.2t.tar.gz) = 0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71
+Size (openssl-1.0.2t.tar.gz) = 5355422 bytes
 SHA1 (patch-Configure) = 2d963d781314276a0ee1bc531df6bc50f0f6b32b
 SHA1 (patch-Makefile.org) = d2a9295003a8b88718a328b01ff6bcbbc102ec0b
 SHA1 (patch-Makefile.shared) = 273154600c6cf0cf4de4ae16d56c5555bca5f9ad



Home | Main Index | Thread Index | Old Index