[packages/openssl] - up to 1.0.1h; fixes: * SSL/TLS MITM vulnerability (CVE-2014-0224) * DTLS recursion flaw (CVE-201

arekm arekm at pld-linux.org
Thu Jun 5 18:21:27 CEST 2014


commit ce33e8e7b9227478170d2f90b2345a4141bc9545
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Thu Jun 5 18:20:47 2014 +0200

    - up to 1.0.1h; fixes:
     * SSL/TLS MITM vulnerability (CVE-2014-0224)
     * DTLS recursion flaw (CVE-2014-0221)
     * DTLS invalid fragment vulnerability (CVE-2014-0195)
     * SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
     * SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
     * Anonymous ECDH denial of service (CVE-2014-3470)

 openssl-fix_use_after_free.patch |  13 --
 openssl-pod.patch                | 448 ---------------------------------------
 openssl.spec                     |  13 +-
 3 files changed, 3 insertions(+), 471 deletions(-)
---
diff --git a/openssl.spec b/openssl.spec
index ddc441a..c3cfbfe 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -16,12 +16,12 @@ Summary(pt_BR.UTF-8):	Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8):	Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8):	Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name:		openssl
-Version:	1.0.1g
-Release:	2
+Version:	1.0.1h
+Release:	1
 License:	Apache-like
 Group:		Libraries
 Source0:	ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5:	de62b43dfcd858e66a74bee1c834e959
+# Source0-md5:	8d6d684a9430d5cc98a62a5d8fbda8cf
 Source2:	%{name}.1.pl
 Source3:	%{name}-ssl-certificate.sh
 Source4:	%{name}-c_rehash.sh
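Review bot: The updated "# Source0-md5:" comment is the only integrity reference for a tarball that Source0 fetches over plain ftp://, and MD5 is not collision-resistant. For a release whose whole purpose is security fixes, check the 1.0.1h tarball against upstream's detached PGP signature or a SHA-256 digest before recording the new MD5, and say in the commit message that this was done.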
@@ -34,16 +34,12 @@ Patch5:		%{name}-asflag.patch
 Patch6:		%{name}-ca-certificates.patch
 Patch7:		%{name}-ldflags.patch
 Patch8:		%{name}-find.patch
-Patch9:		%{name}-pod.patch
 
 # from debian
 Patch10:	default_bits.patch
 Patch11:	pic.patch
 Patch12:	stddef.patch
 
-# from upstream
-Patch13:	%{name}-fix_use_after_free.patch
-
 URL:		http://www.openssl.org/
 BuildRequires:	bc
 BuildRequires:	perl-devel >= 1:5.6.1
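Review bot: The commit message does not say why Patch9 and Patch13 are dropped, and Patch13 sits under the "# from upstream" comment, so it was carrying a security-relevant backport. Add a line to the commit message stating that openssl-fix_use_after_free.patch is included in 1.0.1h and that openssl-pod.patch is no longer needed, so someone auditing the package history can tell the removal was deliberate and not a rebase casualty.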
@@ -259,14 +255,11 @@ RC4, RSA и SSL. Включает статические библиотеки д
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
-%patch9 -p1
 
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 
-%patch13 -p1
-
 sed -i -e 's|\$prefix/\$libdir/engines|/%{_lib}/engines|g' Configure
 
 %build
diff --git a/openssl-fix_use_after_free.patch b/openssl-fix_use_after_free.patch
deleted file mode 100644
index af1b5ef..0000000
--- a/openssl-fix_use_after_free.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index b9e45c7..d601a18 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -1334,7 +1334,7 @@ start:
- 				{
- 				s->rstate=SSL_ST_READ_HEADER;
- 				rr->off=0;
--				if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-+				if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
- 					ssl3_release_read_buffer(s);
- 				}
- 			}
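Review bot: Deleting this file removes the local guard "s->s3->rbuf.left == 0" in front of ssl3_release_read_buffer(s) in ssl/s3_pkt.c; without it the read buffer is released whenever SSL_MODE_RELEASE_BUFFERS is set, even with unread data left in it. Before merging, confirm that the unpacked 1.0.1h source carries an equivalent check at that call site (the commit message lists SSL_MODE_RELEASE_BUFFERS fixes, but does not tie them to this patch), and keep the patch if it does not.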
diff --git a/openssl-pod.patch b/openssl-pod.patch
deleted file mode 100644
index 0b1bdfc..0000000
--- a/openssl-pod.patch
+++ /dev/null
@@ -1,448 +0,0 @@
-diff -urN openssl-1.0.1f.org/doc/apps/cms.pod openssl-1.0.1f/doc/apps/cms.pod
---- openssl-1.0.1f.org/doc/apps/cms.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/apps/cms.pod	2014-01-19 01:10:11.205967419 +0100
-@@ -450,28 +450,28 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- the operation was completely successfully.
- 
--=item 1 
-+=item C<1> 
- 
- an error occurred parsing the command options.
- 
--=item 2
-+=item C<2>
- 
- one of the input files could not be read.
- 
--=item 3
-+=item C<3>
- 
- an error occurred creating the CMS file or when reading the MIME
- message.
- 
--=item 4
-+=item C<4>
- 
- an error occurred decrypting or verifying the message.
- 
--=item 5
-+=item C<5>
- 
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-diff -urN openssl-1.0.1f.org/doc/apps/smime.pod openssl-1.0.1f/doc/apps/smime.pod
---- openssl-1.0.1f.org/doc/apps/smime.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/apps/smime.pod	2014-01-19 01:10:11.229301529 +0100
-@@ -308,28 +308,28 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- the operation was completely successfully.
- 
--=item 1 
-+=item C<1> 
- 
- an error occurred parsing the command options.
- 
--=item 2
-+=item C<2>
- 
- one of the input files could not be read.
- 
--=item 3
-+=item C<3>
- 
- an error occurred creating the PKCS#7 file or when reading the MIME
- message.
- 
--=item 4
-+=item C<4>
- 
- an error occurred decrypting or verifying the message.
- 
--=item 5
-+=item C<5>
- 
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-diff -urN openssl-1.0.1f.org/doc/apps/ts.pod openssl-1.0.1f/doc/apps/ts.pod
---- openssl-1.0.1f.org/doc/apps/ts.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/apps/ts.pod	2014-01-19 01:10:11.239301862 +0100
-@@ -58,19 +58,19 @@
- 
- =over 4
- 
--=item 1.
-+=item C<1>.
- 
- The TSA client computes a one-way hash value for a data file and sends
- the hash to the TSA.
- 
--=item 2.
-+=item C<2>.
- 
- The TSA attaches the current date and time to the received hash value,
- signs them and sends the time stamp token back to the client. By
- creating this token the TSA certifies the existence of the original
- data file at the time of response generation.
- 
--=item 3.
-+=item C<3>.
- 
- The TSA client receives the time stamp token and verifies the
- signature on it. It also checks if the token contains the same hash
-diff -urN openssl-1.0.1f.org/doc/crypto/rand.pod openssl-1.0.1f/doc/crypto/rand.pod
---- openssl-1.0.1f.org/doc/crypto/rand.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/crypto/rand.pod	2014-01-19 01:10:11.382639970 +0100
-@@ -74,16 +74,16 @@
- 
- =over 4
- 
--=item 1
-+=item C<1>
- 
- A good hashing algorithm to mix things up and to convert the RNG 'state'
- to random numbers.
- 
--=item 2
-+=item C<2>
- 
- An initial source of random 'state'.
- 
--=item 3
-+=item C<3>
- 
- The state should be very large.  If the RNG is being used to generate
- 4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum).
-@@ -93,13 +93,13 @@
- a bad idea to keep quite a lot of RNG state.  It should be easier to
- break a cipher than guess the RNG seed data.
- 
--=item 4
-+=item C<4>
- 
- Any RNG seed data should influence all subsequent random numbers
- generated.  This implies that any random seed data entered will have
- an influence on all subsequent random numbers generated.
- 
--=item 5
-+=item C<5>
- 
- When using data to seed the RNG state, the data used should not be
- extractable from the RNG state.  I believe this should be a
-@@ -108,12 +108,12 @@
- not be disclosed by either subsequent random numbers or a
- 'core' dump left by a program crash.
- 
--=item 6
-+=item C<6>
- 
- Given the same initial 'state', 2 systems should deviate in their RNG state
- (and hence the random numbers generated) over time if at all possible.
- 
--=item 7
-+=item C<7>
- 
- Given the random number output stream, it should not be possible to determine
- the RNG state or the next random number.
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_accept.pod openssl-1.0.1f/doc/ssl/SSL_accept.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_accept.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_accept.pod	2014-01-19 01:10:11.409307524 +0100
-@@ -44,13 +44,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_clear.pod openssl-1.0.1f/doc/ssl/SSL_clear.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_clear.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_clear.pod	2014-01-19 01:10:11.415974413 +0100
-@@ -56,12 +56,12 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The SSL_clear() operation could not be performed. Check the error stack to
- find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The SSL_clear() operation was successful.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_COMP_add_compression_method.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod	2014-01-19 01:10:11.415974413 +0100
-@@ -53,11 +53,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The operation succeeded.
- 
--=item 1
-+=item C<1>
- 
- The operation failed. Check the error queue to find out the reason.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_connect.pod openssl-1.0.1f/doc/ssl/SSL_connect.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_connect.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_connect.pod	2014-01-19 01:10:11.415974413 +0100
-@@ -41,13 +41,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_add_session.pod openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_CTX_add_session.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod	2014-01-19 01:10:11.419307858 +0100
-@@ -52,13 +52,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
-  The operation failed. In case of the add operation, it was tried to add
-  the same (identical) session twice. In case of the remove operation, the
-  session was not found in the cache.
- 
--=item 1
-+=item C<1>
-  
-  The operation succeeded.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_load_verify_locations.pod openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_CTX_load_verify_locations.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod	2014-01-19 01:10:11.422641302 +0100
-@@ -100,13 +100,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The operation failed because B<CAfile> and B<CApath> are NULL or the
- processing at one of the locations specified failed. Check the error
- stack to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_client_CA_list.pod openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_client_CA_list.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod	2014-01-19 01:10:11.429308190 +0100
-@@ -66,13 +66,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- A failure while manipulating the STACK_OF(X509_NAME) object occurred or
- the X509_NAME could not be extracted from B<cacert>. Check the error stack
- to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_session_id_context.pod openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_session_id_context.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod	2014-01-19 01:10:11.439308524 +0100
-@@ -64,13 +64,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
- the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
- is logged to the error stack.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_ssl_version.pod openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_ssl_version.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod	2014-01-19 01:10:11.439308524 +0100
-@@ -42,11 +42,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The new choice failed, check the error stack to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_use_psk_identity_hint.pod openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_CTX_use_psk_identity_hint.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod	2014-01-19 01:10:11.445975412 +0100
-@@ -96,7 +96,7 @@
- connection will fail with decryption_error before it will be finished
- completely.
- 
--=item 0
-+=item C<0>
- 
- PSK identity was not found. An "unknown_psk_identity" alert message
- will be sent and the connection setup fails.
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_do_handshake.pod openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_do_handshake.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod	2014-01-19 01:10:11.445975412 +0100
-@@ -45,13 +45,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_read.pod openssl-1.0.1f/doc/ssl/SSL_read.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_read.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_read.pod	2014-01-19 01:10:11.459309190 +0100
-@@ -86,7 +86,7 @@
- The read operation was successful; the return value is the number of
- bytes actually read from the TLS/SSL connection.
- 
--=item 0
-+=item C<0>
- 
- The read operation was not successful. The reason may either be a clean
- shutdown due to a "close notify" alert sent by the peer (in which case
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_session_reused.pod openssl-1.0.1f/doc/ssl/SSL_session_reused.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_session_reused.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_session_reused.pod	2014-01-19 01:10:11.465976078 +0100
-@@ -27,11 +27,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- A new session was negotiated.
- 
--=item 1
-+=item C<1>
- 
- A session was reused.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_set_fd.pod openssl-1.0.1f/doc/ssl/SSL_set_fd.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_set_fd.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_set_fd.pod	2014-01-19 01:10:11.469309522 +0100
-@@ -35,11 +35,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The operation failed. Check the error stack to find out why.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_set_session.pod openssl-1.0.1f/doc/ssl/SSL_set_session.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_set_session.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_set_session.pod	2014-01-19 01:10:11.469309522 +0100
-@@ -37,11 +37,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The operation failed; check the error stack to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_shutdown.pod openssl-1.0.1f/doc/ssl/SSL_shutdown.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_shutdown.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_shutdown.pod	2014-01-19 01:10:11.469309522 +0100
-@@ -92,14 +92,14 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The shutdown is not yet finished. Call SSL_shutdown() for a second time,
- if a bidirectional shutdown shall be performed.
- The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
- erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
- 
--=item 1
-+=item C<1>
- 
- The shutdown was successfully completed. The "close notify" alert was sent
- and the peer's "close notify" alert was received.
-diff -urN openssl-1.0.1f.org/doc/ssl/SSL_write.pod openssl-1.0.1f/doc/ssl/SSL_write.pod
---- openssl-1.0.1f.org/doc/ssl/SSL_write.pod	2014-01-06 14:47:42.000000000 +0100
-+++ openssl-1.0.1f/doc/ssl/SSL_write.pod	2014-01-19 01:10:11.475976412 +0100
-@@ -79,7 +79,7 @@
- The write operation was successful, the return value is the number of
- bytes actually written to the TLS/SSL connection.
- 
--=item 0
-+=item C<0>
- 
- The write operation was not successful. Probably the underlying connection
- was closed. Call SSL_get_error() with the return value B<ret> to find out,
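Review bot: This deleted patch was generated against openssl-1.0.1f and rewrote numeric "=item 0" style entries to "=item C<0>" across doc/apps, doc/crypto and doc/ssl, so dropping it is only safe if the 1.0.1h pod sources no longer need that rewrite. Confirm that the man pages still build from the new tarball without it, and note the result in the commit message alongside the CVE list.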
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/openssl.git/commitdiff/ce33e8e7b9227478170d2f90b2345a4141bc9545


