summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbsiegert <bsiegert>2015-12-26 23:07:24 +0000
committerbsiegert <bsiegert>2015-12-26 23:07:24 +0000
commit4c3d34b71bd9f4f75e959f43ac2cfef8fca9baac (patch)
tree91e34737725f658ce55cb4c2d3412e86b19351ed
parent24d11b4653a70a2b101b6255ba0f723924b62ee4 (diff)
downloadpkgsrc_2015Q3.tar.gz
Pullup ticket #4877 - requested by cyberpkgsrc_2015Q3
security/openssl: security fix Revisions pulled up: - security/openssl/Makefile 1.214-1.216 - security/openssl/PLIST.common 1.26 - security/openssl/distinfo 1.116,1.118 - security/openssl/patches/patch-Makefile.shared 1.3 --- Module Name: pkgsrc Committed By: jperkin Date: Fri Oct 9 11:44:48 UTC 2015 Modified Files: pkgsrc/security/openssl: Makefile Log Message: Force the "linux-elf" Configure target for Linux 32-bit, fixes the build when running with ABI=32 on a 64-bit native host. --- Module Name: pkgsrc Committed By: jperkin Date: Mon Oct 26 09:42:47 UTC 2015 Modified Files: pkgsrc/security/openssl: Makefile distinfo pkgsrc/security/openssl/patches: patch-Makefile.shared Log Message: Support SunOS/clang and pass -h linker argument correctly. Doesn't fully fix the build yet, an additional patch to remove LD_LIBRARY_PATH is required but needs wider testing. --- Module Name: pkgsrc Committed By: jperkin Date: Mon Dec 7 15:57:42 UTC 2015 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common distinfo Log Message: Update security/openssl to 1.0.2e. pkgsrc changes: - We now need to run 'make depend' after configure to pick up algorithm selection changes. Upstream changes: Changes between 1.0.2d and 1.0.2e [3 Dec 2015] *) BN_mod_exp may produce incorrect results on x86_64 There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. This issue was reported to OpenSSL by Hanno Böck. (CVE-2015-3193) [Andy Polyakov] *) Certificate verify crash with missing PSS parameter The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication. This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). (CVE-2015-3194) [Stephen Henson] *) X509_ATTRIBUTE memory leak When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected. This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using libFuzzer. (CVE-2015-3195) [Stephen Henson] *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. This changes the decoding behaviour for some invalid messages, though the change is mostly in the more lenient direction, and legacy behaviour is preserved as much as possible. [Emilia Käsper] *) In DSA_generate_parameters_ex, if the provided seed is too short, return an error [Rich Salz and Ismo Puustinen <ismo.puustinen%intel.com@localhost>]
-rw-r--r--security/openssl/Makefile10
-rw-r--r--security/openssl/PLIST.common10
-rw-r--r--security/openssl/distinfo11
-rw-r--r--security/openssl/patches/patch-Makefile.shared23
4 files changed, 43 insertions, 11 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index ad2c0a9232b..877aaa54cee 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.213 2015/08/31 19:49:44 wiz Exp $
+# $NetBSD: Makefile,v 1.213.2.1 2015/12/26 23:07:24 bsiegert Exp $
-DISTNAME= openssl-1.0.2d
+DISTNAME= openssl-1.0.2e
CATEGORIES= security
MASTER_SITES= https://www.openssl.org/source/
@@ -21,6 +21,7 @@ USE_GCC_RUNTIME= yes
.include "../../mk/compiler.mk"
USE_TOOLS+= fgrep gmake perl
+BUILD_TARGET= depend all
TEST_TARGET= tests
MAKE_JOBS_SAFE= no
@@ -43,7 +44,7 @@ OPENSSL_MACHINE_ARCH= ${MACHINE_ARCH}
# back to ./config's autodetection if not.
. if defined(OPENSSL_MACHINE_ARCH) && !empty(OPENSSL_MACHINE_ARCH)
CONFIGURE_SCRIPT= ./Configure
-. if !empty(CC_VERSION:Mgcc*)
+. if ${PKGSRC_COMPILER} == "clang" || ${PKGSRC_COMPILER} == "gcc"
CONFIGURE_ARGS+= solaris${${ABI}==64:?64:}-${OPENSSL_MACHINE_ARCH}-gcc
. else
CONFIGURE_ARGS+= solaris${${ABI}==64:?64:}-${OPENSSL_MACHINE_ARCH}-cc
@@ -123,6 +124,9 @@ CONFIGURE_ARGS+= hpux-ia64-${CC}
. if ${MACHINE_ARCH} == "powerpc64"
CONFIGURE_SCRIPT= ./Configure
CONFIGURE_ARGS+= linux-ppc64
+. elif ${MACHINE_ARCH} == "i386"
+CONFIGURE_SCRIPT= ./Configure
+CONFIGURE_ARGS+= linux-elf
. endif
.elif ${OS_VARIANT} == "SCOOSR5"
# SIGILL in _sha1_block_data_order_ssse3().
diff --git a/security/openssl/PLIST.common b/security/openssl/PLIST.common
index bab07c1ef18..32b9a63d4cb 100644
--- a/security/openssl/PLIST.common
+++ b/security/openssl/PLIST.common
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST.common,v 1.25 2015/07/09 13:37:56 wiz Exp $
+@comment $NetBSD: PLIST.common,v 1.25.2.1 2015/12/26 23:07:24 bsiegert Exp $
bin/c_rehash
bin/openssl
include/openssl/aes.h
@@ -416,7 +416,12 @@ man/man3/BN_zero.3
man/man3/BUF_MEM_free.3
man/man3/BUF_MEM_grow.3
man/man3/BUF_MEM_new.3
+man/man3/BUF_MEM_new_ex.3
+man/man3/BUF_memdup.3
man/man3/BUF_strdup.3
+man/man3/BUF_strlcat.3
+man/man3/BUF_strlcpy.3
+man/man3/BUF_strndup.3
man/man3/CMS_ReceiptRequest_create0.3
man/man3/CMS_ReceiptRequest_get0_values.3
man/man3/CMS_RecipientInfo_decrypt.3
@@ -838,6 +843,7 @@ man/man3/EVP_SealInit.3
man/man3/EVP_SealUpdate.3
man/man3/EVP_SignFinal.3
man/man3/EVP_SignInit.3
+man/man3/EVP_SignInit_ex.3
man/man3/EVP_SignUpdate.3
man/man3/EVP_VerifyFinal.3
man/man3/EVP_VerifyInit.3
@@ -1146,6 +1152,7 @@ man/man3/SSL_CTX_build_cert_chain.3
man/man3/SSL_CTX_callback_ctrl.3
man/man3/SSL_CTX_check_private_key.3
man/man3/SSL_CTX_clear_chain_certs.3
+man/man3/SSL_CTX_clear_extra_chain_certs.3
man/man3/SSL_CTX_clear_options.3
man/man3/SSL_CTX_ctrl.3
man/man3/SSL_CTX_flush_sessions.3
@@ -1271,6 +1278,7 @@ man/man3/SSL_alert_type_string.3
man/man3/SSL_alert_type_string_long.3
man/man3/SSL_build_cert_chain.3
man/man3/SSL_callback_ctrl.3
+man/man3/SSL_check_chain.3
man/man3/SSL_check_private_key.3
man/man3/SSL_clear.3
man/man3/SSL_clear_chain_certs.3
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index eac4dfc3622..7de3becf3b2 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.115 2015/07/09 13:37:56 wiz Exp $
+$NetBSD: distinfo,v 1.115.2.1 2015/12/26 23:07:24 bsiegert Exp $
-SHA1 (openssl-1.0.2d.tar.gz) = d01d17b44663e8ffa6a33a5a30053779d9593c3d
-RMD160 (openssl-1.0.2d.tar.gz) = a4389911e5f7436dc2f52e4968eb613a11e33027
-Size (openssl-1.0.2d.tar.gz) = 5295447 bytes
+SHA1 (openssl-1.0.2e.tar.gz) = 2c5691496761cb18f98476eefa4d35c835448fb6
+RMD160 (openssl-1.0.2e.tar.gz) = 324ed411043364af2ea908124225eece7d604a94
+SHA512 (openssl-1.0.2e.tar.gz) = b73f114a117ccab284cf5891dac050e3016d28e0b1fc71639442cdb42accef676115af90a12deff4bcc1f599cc0cbdeb38142cbf4570bd7d03634786ad32c95f
+Size (openssl-1.0.2e.tar.gz) = 5256555 bytes
SHA1 (patch-Configure) = ce5f4ab244f49d3a556b1123190f2424b38fd789
SHA1 (patch-Makefile.org) = 72f023aeead660decaa09b6664936bd73a214069
-SHA1 (patch-Makefile.shared) = 709283ba4bb4bd568e289fe111b8dea319968328
+SHA1 (patch-Makefile.shared) = effbea94f9e7f399f4f46542bed6d54fc42748e6
SHA1 (patch-apps_Makefile) = 745e01fb967979f5105896f8a728fd7a041af6c9
SHA1 (patch-config) = ac8ced00cfa7d31b84afb08aedc38102fd777824
SHA1 (patch-crypto_bn_bn__prime.pl) = c07e8ccba319e4260af46e714c3be56f70579fa6
diff --git a/security/openssl/patches/patch-Makefile.shared b/security/openssl/patches/patch-Makefile.shared
index 0eea0d130c8..9e30f2e1a78 100644
--- a/security/openssl/patches/patch-Makefile.shared
+++ b/security/openssl/patches/patch-Makefile.shared
@@ -1,8 +1,9 @@
-$NetBSD: patch-Makefile.shared,v 1.2 2014/05/13 02:23:11 rodent Exp $
+$NetBSD: patch-Makefile.shared,v 1.2.12.1 2015/12/26 23:07:24 bsiegert Exp $
Adjust build procedure.
+Fix SunOS -h linker argument.
---- Makefile.shared.orig Mon Mar 17 16:14:20 2014
+--- Makefile.shared.orig 2015-07-09 11:53:21.000000000 +0000
+++ Makefile.shared
@@ -315,6 +315,11 @@ link_o.alpha-osf1:
@ if $(DETECT_GNU_LD); then \
@@ -58,6 +59,24 @@ Adjust build procedure.
fi; \
fi; \
$(LINK_SO_A)
+@@ -372,7 +382,7 @@ link_o.solaris:
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS="$${MINUSZ}allextract"; \
+ NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
+ fi; \
+ $(LINK_SO_O)
+ link_a.solaris:
+@@ -386,7 +396,7 @@ link_a.solaris:
+ SHLIB_SUFFIX=;\
+ ALLSYMSFLAGS="$${MINUSZ}allextract"; \
+ NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
+ fi; \
+ $(LINK_SO_A)
+ link_app.solaris:
@@ -484,7 +494,7 @@ link_a.irix:
($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
ALLSYMSFLAGS="$${MINUSWL}-all"; \