Source-Changes-HG archive

[src/OPENSSL]: src/crypto/external/bsd/openssl/dist Changes between 1.1.1i an...



details:   https://anonhg.NetBSD.org/src/rev/508f289236dd
branches:  OPENSSL
changeset: 952865:508f289236dd
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Feb 20 03:12:10 2021 +0000

description:
Changes between 1.1.1i and 1.1.1j [16 Feb 2021]

  *) Fixed the X509_issuer_and_serial_hash() function. It attempts
     to create a unique hash value based on the issuer and serial
     number data contained within an X509 certificate. However it
     was failing to correctly handle any errors that may occur
     while parsing the issuer field (which might occur if the issuer
     field is maliciously constructed). This may subsequently result
     in a NULL pointer deref and a crash leading to a potential
     denial of service attack.
     (CVE-2021-23841)
     [Matt Caswell]

  *) Fixed the RSA_padding_check_SSLv23() function and the
     RSA_SSLV23_PADDING padding mode to correctly check for rollback
     attacks. This is considered a bug in OpenSSL 1.1.1 because it
     does not support SSLv2. In 1.0.2 this is CVE-2021-23839.
     [Matt Caswell]

  *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
     functions. Previously they could overflow the output length
     argument in some cases where the input length is close to the
     maximum permissible length for an integer on the platform. In
     such cases the return value from the function call would be
     1 (indicating success), but the output length value would be
     negative. This could cause applications to behave incorrectly
     or crash.

     (CVE-2021-23840)
     [Matt Caswell]

  *) Fixed SRP_Calc_client_key so that it runs in constant time.
     The previous implementation called BN_mod_exp without setting
     BN_FLG_CONSTTIME.  This could be exploited in a side channel
     attack to recover the password. Since the attack is local host
     only this is outside of the current OpenSSL threat model and
     therefore no CVE is assigned.

     Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting
     this issue.
     [Matt Caswell]
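
The length overflow described in the EVP_CipherUpdate entry above, as an added example that is not part of this commit or of OpenSSL's code: a constructed model of the whole-block length arithmetic, with caller-side checks placed around it. The function names, the 32-bit int and both checks are assumptions of this example, not the library's fix.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model, not OpenSSL code. A buffered block-cipher update holds
 * `buffered` leftover bytes (< block) and emits whole blocks only.
 * Assumption: int is 32 bits wide, as on the common platforms.
 */

/* True whole-block output length, computed in 64 bits so it cannot wrap. */
static int64_t true_outlen(int32_t buffered, int32_t inl, int32_t block)
{
    int64_t total = (int64_t)buffered + (int64_t)inl;
    return total - (total % block);
}

/*
 * What a 32-bit int holds if the true length is stored without a range
 * check: two's-complement wraparound, derived without undefined behaviour.
 */
static int32_t wrapped_outlen(int32_t buffered, int32_t inl, int32_t block)
{
    int64_t v = (int64_t)(uint32_t)(uint64_t)true_outlen(buffered, inl, block);
    if (v > INT32_MAX)
        v -= 4294967296LL;          /* 2^32 */
    return (int32_t)v;
}

/*
 * Caller-side pre-check (hypothetical helper): reject a call whose worst-case
 * output, inl plus one buffered block, is not representable in an int.
 */
static int input_len_is_safe(int32_t inl, int32_t block)
{
    return block > 0 && inl >= 0 && inl <= INT32_MAX - block;
}

/*
 * Caller-side post-check (hypothetical helper): trust a return value of 1
 * only when the reported length is non-negative and fits the output buffer.
 */
static int result_is_sane(int ret, int32_t outl, size_t out_cap)
{
    return ret == 1 && outl >= 0 && (size_t)outl <= out_cap;
}

int main(void)
{
    /* Constructed inputs: 16-byte block, 15 bytes already buffered. */
    const int32_t block = 16, buffered = 15;
    const int32_t lens[] = { 100, INT32_MAX - 16, INT32_MAX };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int32_t outl = wrapped_outlen(buffered, lens[i], block);
        printf("inl=%ld true=%lld stored=%ld pre-check=%s post-check=%s\n",
               (long)lens[i],
               (long long)true_outlen(buffered, lens[i], block),
               (long)outl,
               input_len_is_safe(lens[i], block) ? "ok" : "reject",
               result_is_sane(1, outl, (size_t)INT32_MAX) ? "ok" : "reject");
    }
    return 0;
}
```

With the last input the stored length is negative while the modelled return value is still 1, which is the combination the entry describes; both checks reject it.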

diffstat:

 crypto/external/bsd/openssl/dist/AUTHORS                               |    7 +
 crypto/external/bsd/openssl/dist/CHANGES                               |   37 +++
 crypto/external/bsd/openssl/dist/CONTRIBUTING                          |    4 +-
 crypto/external/bsd/openssl/dist/Configurations/10-main.conf           |    1 +
 crypto/external/bsd/openssl/dist/Configurations/descrip.mms.tmpl       |   36 +--
 crypto/external/bsd/openssl/dist/Configure                             |   29 +-
 crypto/external/bsd/openssl/dist/INSTALL                               |   15 +-
 crypto/external/bsd/openssl/dist/NEWS                                  |   10 +
 crypto/external/bsd/openssl/dist/NOTES.VMS                             |   12 +-
 crypto/external/bsd/openssl/dist/NOTES.WIN                             |    4 +-
 crypto/external/bsd/openssl/dist/README                                |    2 +-
 crypto/external/bsd/openssl/dist/VMS/msg_install.com                   |   19 +
 crypto/external/bsd/openssl/dist/VMS/msg_staging.com                   |   37 +++
 crypto/external/bsd/openssl/dist/apps/ca.c                             |   53 ++---
 crypto/external/bsd/openssl/dist/crypto/armcap.c                       |   19 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/charmap.h                 |    2 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_prime.h                  |    2 +-
 crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c                |   16 +-
 crypto/external/bsd/openssl/dist/crypto/conf/conf_def.h                |    2 +-
 crypto/external/bsd/openssl/dist/crypto/dh/dh_key.c                    |   33 ++-
 crypto/external/bsd/openssl/dist/crypto/err/openssl.txt                |    3 +-
 crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c                  |   27 ++
 crypto/external/bsd/openssl/dist/crypto/evp/evp_err.c                  |    4 +-
 crypto/external/bsd/openssl/dist/crypto/mem_sec.c                      |    8 +-
 crypto/external/bsd/openssl/dist/crypto/objects/obj_dat.h              |    2 +-
 crypto/external/bsd/openssl/dist/crypto/objects/obj_xref.h             |    2 +-
 crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-armv4.pl |   13 +-
 crypto/external/bsd/openssl/dist/crypto/ppccap.c                       |   20 +-
 crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ssl.c                  |   10 +-
 crypto/external/bsd/openssl/dist/crypto/srp/srp_lib.c                  |   13 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c                |   22 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c                |   15 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x_all.c                   |    4 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x_attrib.c                |    5 +-
 crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c               |   14 +-
 crypto/external/bsd/openssl/dist/doc/man1/ca.pod                       |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/cms.pod                      |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/crl2pkcs7.pod                |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/dgst.pod                     |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/dsa.pod                      |    6 +-
 crypto/external/bsd/openssl/dist/doc/man1/ec.pod                       |    6 +-
 crypto/external/bsd/openssl/dist/doc/man1/enc.pod                      |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/genpkey.pod                  |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/genrsa.pod                   |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/pkcs12.pod                   |   14 +-
 crypto/external/bsd/openssl/dist/doc/man1/pkcs8.pod                    |    6 +-
 crypto/external/bsd/openssl/dist/doc/man1/pkey.pod                     |    6 +-
 crypto/external/bsd/openssl/dist/doc/man1/pkeyutl.pod                  |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/req.pod                      |    6 +-
 crypto/external/bsd/openssl/dist/doc/man1/rsa.pod                      |    6 +-
 crypto/external/bsd/openssl/dist/doc/man1/s_client.pod                 |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/s_server.pod                 |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/smime.pod                    |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/spkac.pod                    |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/storeutl.pod                 |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/ts.pod                       |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/x509.pod                     |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/DH_generate_key.pod          |   27 ++-
 crypto/external/bsd/openssl/dist/doc/man3/OCSP_sendreq_new.pod         |   28 ++-
 crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_malloc.pod           |    2 +-
 crypto/external/bsd/openssl/dist/doc/man3/X509_get_extension_flags.pod |   11 +-
 crypto/external/bsd/openssl/dist/fuzz/x509.c                           |    2 +
 crypto/external/bsd/openssl/dist/include/openssl/evperr.h              |    7 +-
 crypto/external/bsd/openssl/dist/include/openssl/obj_mac.h             |    2 +-
 crypto/external/bsd/openssl/dist/include/openssl/opensslv.h            |    4 +-
 crypto/external/bsd/openssl/dist/include/openssl/x509v3.h              |    7 +-
 crypto/external/bsd/openssl/dist/ssl/d1_lib.c                          |   11 +-
 crypto/external/bsd/openssl/dist/ssl/record/rec_layer_d1.c             |    5 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_local.h                       |    3 +-
 crypto/external/bsd/openssl/dist/ssl/statem/extensions.c               |    5 +-
 crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c              |    3 +-
 crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c               |   15 +-
 crypto/external/bsd/openssl/dist/test/build.info                       |    4 +-
 crypto/external/bsd/openssl/dist/test/certs/ca-pss-cert.pem            |   21 ++
 crypto/external/bsd/openssl/dist/test/certs/ca-pss-key.pem             |   28 ++
 crypto/external/bsd/openssl/dist/test/certs/ee-pss-cert.pem            |   21 ++
 crypto/external/bsd/openssl/dist/test/certs/invalid-cert.pem           |   19 +
 crypto/external/bsd/openssl/dist/test/certs/mkcert.sh                  |   24 +-
 crypto/external/bsd/openssl/dist/test/certs/setup.sh                   |   13 +-
 crypto/external/bsd/openssl/dist/test/recipes/25-test_verify.t         |    7 +-
 crypto/external/bsd/openssl/dist/test/recipes/70-test_verify_extra.t   |    5 +-
 crypto/external/bsd/openssl/dist/test/recipes/80-test_x509aux.t        |   15 +-
 crypto/external/bsd/openssl/dist/test/rsa_test.c                       |  105 ++++-----
 crypto/external/bsd/openssl/dist/test/sslapitest.c                     |   59 +++++
 crypto/external/bsd/openssl/dist/test/v3nametest.c                     |    2 +-
 crypto/external/bsd/openssl/dist/test/verify_extra_test.c              |   55 ++++-
 crypto/external/bsd/openssl/dist/test/x509aux.c                        |   19 +-
 87 files changed, 823 insertions(+), 318 deletions(-)

diffs (truncated from 2787 to 300 lines):

diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/AUTHORS
--- a/crypto/external/bsd/openssl/dist/AUTHORS  Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/AUTHORS  Sat Feb 20 03:12:10 2021 +0000
@@ -13,6 +13,8 @@
 Bernd Edlinger
 Bodo Möller
 David Benjamin
+David von Oheimb
+Dmitry Belyavskiy (Дмитрий Белявский)
 Emilia Käsper
 Eric Young
 Geoff Thorpe
@@ -22,14 +24,19 @@
 Mark J. Cox
 Matt Caswell
 Matthias St. Pierre
+Nicola Tuveri
 Nils Larsch
+Patrick Steuer
 Paul Dale
 Paul C. Sutton
+Paul Yang
 Ralf S. Engelschall
 Rich Salz
 Richard Levitte
+Shane Lontis
 Stephen Henson
 Steve Marquess
 Tim Hudson
+Tomáš Mráz
 Ulf Möller
 Viktor Dukhovni
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Sat Feb 20 03:12:10 2021 +0000
@@ -7,6 +7,43 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
+
+  *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
+     create a unique hash value based on the issuer and serial number data
+     contained within an X509 certificate. However it was failing to correctly
+     handle any errors that may occur while parsing the issuer field (which might
+     occur if the issuer field is maliciously constructed). This may subsequently
+     result in a NULL pointer deref and a crash leading to a potential denial of
+     service attack.
+     (CVE-2021-23841)
+     [Matt Caswell]
+
+  *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+     padding mode to correctly check for rollback attacks. This is considered a
+     bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
+     CVE-2021-23839.
+     [Matt Caswell]
+
+  *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
+     functions. Previously they could overflow the output length argument in some
+     cases where the input length is close to the maximum permissable length for
+     an integer on the platform. In such cases the return value from the function
+     call would be 1 (indicating success), but the output length value would be
+     negative. This could cause applications to behave incorrectly or crash.
+     (CVE-2021-23840)
+     [Matt Caswell]
+
+  *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
+     implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
+     could be exploited in a side channel attack to recover the password. Since
+     the attack is local host only this is outside of the current OpenSSL
+     threat model and therefore no CVE is assigned.
+
+     Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
+     issue.
+     [Matt Caswell]
+
  Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
 
   *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
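Review bot: The EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate entry describes only the old failure (return value 1 with a negative output length) and never says what a caller sees after the fix. Add a sentence stating the new return behaviour so applications know what to check for. In the same entry, "permissable" should read "permissible".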
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/CONTRIBUTING
--- a/crypto/external/bsd/openssl/dist/CONTRIBUTING     Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/CONTRIBUTING     Sat Feb 20 03:12:10 2021 +0000
@@ -41,8 +41,8 @@
     https://www.openssl.org/policies/codingstyle.html) and compile
     without warnings. Where gcc or clang is available you should use the
     --strict-warnings Configure option.  OpenSSL compiles on many varied
-    platforms: try to ensure you only use portable features.  Clean builds
-    via Travis and AppVeyor are required, and they are started automatically
+    platforms: try to ensure you only use portable features.  Clean builds via
+    GitHub Actions and AppVeyor are required, and they are started automatically
     whenever a PR is created or updated.
 
     5.  When at all possible, patches should include tests. These can
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/Configurations/10-main.conf
--- a/crypto/external/bsd/openssl/dist/Configurations/10-main.conf      Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/10-main.conf      Sat Feb 20 03:12:10 2021 +0000
@@ -663,6 +663,7 @@
     "linux-ppc" => {
         inherit_from     => [ "linux-generic32", asm("ppc32_asm") ],
         perlasm_scheme   => "linux32",
+        lib_cppflags     => add("-DB_ENDIAN"),
     },
     "linux-ppc64" => {
         inherit_from     => [ "linux-generic64", asm("ppc64_asm") ],
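Review bot: The lib_cppflags line added to "linux-ppc" defines B_ENDIAN with no comment, and none of the four entries in the changeset description mentions it. A byte-order macro in a crypto library deserves a one-line rationale here or in CHANGES, including why the neighbouring "linux-ppc64" target is left unchanged.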
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/Configurations/descrip.mms.tmpl
--- a/crypto/external/bsd/openssl/dist/Configurations/descrip.mms.tmpl  Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/descrip.mms.tmpl  Sat Feb 20 03:12:10 2021 +0000
@@ -377,8 +377,13 @@
         $(NODEBUG) !
         $(NODEBUG) ! Installation logical names
         $(NODEBUG) !
-        $(NODEBUG) installtop = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
-        $(NODEBUG) datatop = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
+        $(NODEBUG) ! This also creates a few DCL variables that are used for
+        $(NODEBUG) ! the "install_msg" target.
+        $(NODEBUG) !
+        $(NODEBUG) installroot = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;"
+        $(NODEBUG) installtop = installroot + ".]"
+        $(NODEBUG) dataroot = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;"
+        $(NODEBUG) datatop = dataroot + ".]"
         $(NODEBUG) DEFINE ossl_installroot 'installtop'
         $(NODEBUG) DEFINE ossl_dataroot 'datatop'
         $(NODEBUG) !
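Review bot: The new installroot and dataroot symbols are left without a closing bracket (the "]A.;" tail is subtracted and nothing is appended), and the added comment does not say so. State that next to "This also creates a few DCL variables", since every user of these symbols has to append its own terminator, as installtop and datatop do with ".]".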
@@ -455,30 +460,19 @@
         @ WRITE SYS$OUTPUT "Tests are not supported with your chosen Configure options"
         @ ! {- output_on() if !$disabled{tests}; "" -}
 
-install : install_sw install_ssldirs install_docs
+install : install_sw install_ssldirs install_docs install_msg
+        @ !
+
+install_msg :
         @ WRITE SYS$OUTPUT ""
         @ WRITE SYS$OUTPUT "######################################################################"
         @ WRITE SYS$OUTPUT ""
         @ IF "$(DESTDIR)" .EQS. "" THEN -
-             PIPE ( WRITE SYS$OUTPUT "Installation complete" ; -
-                    WRITE SYS$OUTPUT "" ; -
-                    WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; -
-                    WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; -
-                    WRITE SYS$OUTPUT "" )
+             @{- sourcefile("VMS", "msg_install.com") -} "$(SYSTARTUP)" "{- $osslver -}"
         @ IF "$(DESTDIR)" .NES. "" THEN -
-             PIPE ( WRITE SYS$OUTPUT "Staging installation complete" ; -
-                    WRITE SYS$OUTPUT "" ; -
-                    WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the directory tree" ; -
-                    WRITE SYS$OUTPUT staging_instdir ; -
-                    WRITE SYS$OUTPUT "ends up in $(INSTALLTOP)," ; -
-                    WRITE SYS$OUTPUT "and that the contents of the contents of the directory tree" ; -
-                    WRITE SYS$OUTPUT staging_datadir ; -
-                    WRITE SYS$OUTPUT "ends up in $(OPENSSLDIR)" ; -
-                    WRITE SYS$OUTPUT "" ; -
-                    WRITE SYS$OUTPUT "When in its final destination," ; -
-                    WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; -
-                    WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; -
-                    WRITE SYS$OUTPUT "" )
+             @{- sourcefile("VMS", "msg_staging.com") -} -
+             "''installroot']" "''dataroot']" "$(INSTALLTOP)" "$(OPENSSLDIR)" -
+             "$(SYSTARTUP)" "{- $osslver -}"
 
 check_install :
         spawn/nolog @ossl_installroot:[SYSTEST]openssl_ivp{- $osslver -}.com
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure        Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure        Sat Feb 20 03:12:10 2021 +0000
@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -1201,6 +1201,10 @@
 # At this point, we can forget everything about %user and %useradd,
 # because it's now all been merged into the corresponding $config entry
 
+if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
+    disable('static', 'pic', 'threads');
+}
+
 # Allow overriding the build file name
 $config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile";
 
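Review bot: Nothing explains why the -static check has to sit here, right after the %user/%useradd merge, rather than at its old position further down. Add a comment above the "if (grep { $_ eq '-static' } @{$config{LDFLAGS}})" block naming what depends on 'static', 'pic' and 'threads' already being disabled at this point, so a later cleanup does not move it back.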
@@ -1521,10 +1525,6 @@
                 }
         }
 
-if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
-    disable('static', 'pic', 'threads');
-}
-
 $config{CFLAGS} = [ map { $_ eq '--ossl-strict-warnings'
                               ? @strict_warnings_collection
                               : ( $_ ) }
@@ -2611,19 +2611,22 @@
         }
         print "\nEnabled features:\n\n";
         foreach my $what (@disablables) {
-            print "    $what\n" unless $disabled{$what};
+            print "    $what\n"
+                unless grep { $_ =~ /^${what}$/ } keys %disabled;
         }
         print "\nDisabled features:\n\n";
         foreach my $what (@disablables) {
-            if ($disabled{$what}) {
-                print "    $what", ' ' x ($longest - length($what) + 1),
-                    "[$disabled{$what}]", ' ' x ($longest2 - length($disabled{$what}) + 1);
-                print $disabled_info{$what}->{macro}
-                    if $disabled_info{$what}->{macro};
+            my @what2 = grep { $_ =~ /^${what}$/ } keys %disabled;
+            my $what3 = $what2[0];
+            if ($what3) {
+                print "    $what3", ' ' x ($longest - length($what3) + 1),
+                    "[$disabled{$what3}]", ' ' x ($longest2 - length($disabled{$what3}) + 1);
+                print $disabled_info{$what3}->{macro}
+                    if $disabled_info{$what3}->{macro};
                 print ' (skip ',
-                    join(', ', @{$disabled_info{$what}->{skipped}}),
+                    join(', ', @{$disabled_info{$what3}->{skipped}}),
                     ')'
-                    if $disabled_info{$what}->{skipped};
+                    if $disabled_info{$what3}->{skipped};
                 print "\n";
             }
         }
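Review bot: In the "Disabled features" loop only $what2[0] is reported, so if /^${what}$/ matches more than one key of %disabled the others are dropped silently, and since "keys %disabled" has no defined order the one shown can differ between runs. Sort the matches and print each of them, or add a comment stating that at most one key can match. $what is also interpolated as a regular expression in both loops, so if a literal name is intended it needs \Q${what}\E, and what2 and what3 would read better with descriptive names.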
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/INSTALL
--- a/crypto/external/bsd/openssl/dist/INSTALL  Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/INSTALL  Sat Feb 20 03:12:10 2021 +0000
@@ -106,8 +106,7 @@
  This will build and install OpenSSL in the default location, which is:
 
   Unix:    normal installation directories under /usr/local
-  OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the
-           OpenSSL version number with underscores instead of periods.
+  OpenVMS: SYS$COMMON:[OPENSSL]
   Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
 
  The installation directory should be appropriately protected to ensure
@@ -116,7 +115,9 @@
  your Operating System it is recommended that you do not overwrite the system
  version and instead install to somewhere else.
 
- If you want to install it anywhere else, run config like this:
+ If you want to install it anywhere else, run config like this (the options
+ --prefix and --openssldir are explained further down, and the values shown
+ here are mere examples):
 
   On Unix:
 
@@ -198,7 +199,7 @@
                    Unix:           /usr/local
                    Windows:        C:\Program Files\OpenSSL
                                 or C:\Program Files (x86)\OpenSSL
-                   OpenVMS:        SYS$COMMON:[OPENSSL-'version']
+                   OpenVMS:        SYS$COMMON:[OPENSSL]
 
   --release
                    Build OpenSSL without debugging symbols. This is the default.
@@ -961,9 +962,9 @@
          share/doc/openssl/html/man7
                         Contains the HTML rendition of the man-pages.
 
-       OpenVMS ('arch' is replaced with the architecture name, "Alpha"
-       or "ia64", 'sover' is replaced with the shared library version
-       (0101 for 1.1), and 'pz' is replaced with the pointer size
+       OpenVMS ('arch' is replaced with the architecture name, "ALPHA"
+       or "IA64", 'sover' is replaced with the shared library version
+       (0101 for 1.1.x), and 'pz' is replaced with the pointer size
        OpenSSL was built with):
 
          [.EXE.'arch']  Contains the openssl binary.
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS     Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS     Sat Feb 20 03:12:10 2021 +0000
@@ -5,6 +5,16 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
+
+      o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
+        function (CVE-2021-23841)
+      o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+        padding mode to correctly check for rollback attacks
+      o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
+        EVP_DecryptUpdate functions (CVE-2021-23840)
+      o Fixed SRP_Calc_client_key so that it runs in constant time
+
   Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
 
       o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
diff -r 3c28b77def84 -r 508f289236dd crypto/external/bsd/openssl/dist/NOTES.VMS
--- a/crypto/external/bsd/openssl/dist/NOTES.VMS        Thu Dec 10 00:12:35 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/NOTES.VMS        Sat Feb 20 03:12:10 2021 +0000
@@ -90,9 +90,9 @@
  Unix mount point.
 
  The easiest way to check if everything got through as it should is to
- check for one of the following files:

