author | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-21 13:17:11 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-11-22 16:32:44 +0100 |
commit | 4e11a542c933faa6d47f65285d1ae727e7ecaa0d (patch) | |
tree | f9ca7966bb268c7383cae19b046908726dae70b6 | |
parent | 8318a0b07a3aac56659289654c3403dfb8ee5ae1 (diff) | |
download | aports-4e11a542c933faa6d47f65285d1ae727e7ecaa0d.tar.bz2 aports-4e11a542c933faa6d47f65285d1ae727e7ecaa0d.tar.xz |
main/openssl: upgrade to 1.0.2p
-rw-r--r-- | main/openssl/APKBUILD | 10 | ||||
-rw-r--r-- | main/openssl/CVE-2018-0732.patch | 39 | ||||
-rw-r--r-- | main/openssl/CVE-2018-0737.patch | 28 |
3 files changed, 3 insertions, 74 deletions
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index fe3391bacb..59ea4b6472 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Timo Teras <timo.teras@iki.fi>
 pkgname=openssl
-pkgver=1.0.2o
-pkgrel=1
+pkgver=1.0.2p
+pkgrel=0
 pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
 url="http://openssl.org"
 depends=
@@ -29,8 +29,6 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
 1002-backport-changes-from-upstream-padlock-module.patch
 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
 1004-crypto-engine-autoload-padlock-dynamic-engine.patch
- CVE-2018-0732.patch
- CVE-2018-0737.patch
 "
 
 # secfixes:
@@ -162,7 +160,7 @@ libssl() {
 ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
 done
 }
-sha512sums="8a2c93657c85143e76785bb32ee836908c31a6f5f8db993fa9777acba6079e630cdddd03edbad65d1587199fc13a1507789eacf038b56eb99139c2091d9df7fd openssl-1.0.2o.tar.gz
+sha512sums="958c5a7c3324bbdc8f07dfb13e11329d9a1b4452c07cf41fbd2d42b5fe29c95679332a3476d24c2dc2b88be16e4a24744aba675a05a388c0905756c77a8a2f16 openssl-1.0.2p.tar.gz
 80589e386fe57470818757a182f444a79050e1f19683650268d551d8aa436902b3bf565bb7a2aa8464013e50229c8bed5bb89fbd8387469cdfdcd3941eb3e5db 0001-fix-manpages.patch
 2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c 0002-busybox-basename.patch
 58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch
@@ -177,5 +175,3 @@ fc4e383ec85c6543e4e82520904122a5a5601c68042ece1e95a0cae95e02d89174f06f78ba2f8aac
 a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 1002-backport-changes-from-upstream-padlock-module.patch
 6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
 b72436eb8d4dac42d8da76a51d46cfc03e92e162f692a7a1761201221b9c6d66b738c08270b2260f02ce47b42043538474df73a7185dd4a809dd3b14cc8af7c3 1004-crypto-engine-autoload-padlock-dynamic-engine.patch"
-ff91298629f157496a012da00ba7325923f5d087bfa54b60e205bf2dfb06374e958912e0df39dbdf39773555455c1a3afa3dcde1ddfec6e85cf89b0b62cc0eb4 CVE-2018-0732.patch
-70be7fb9abad901fd84e8028e328c5b2fb7feff18547cfb749c5f59faf06eceab9052f9979d721670f6f3e099ba59761e8394e986565d349dd25e9718eaa99f0 CVE-2018-0737.patch"
diff --git a/main/openssl/CVE-2018-0732.patch b/main/openssl/CVE-2018-0732.patch
deleted file mode 100644
index 148e7c3bc1..0000000000
--- a/main/openssl/CVE-2018-0732.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
-From: Guido Vranken <guidovranken@gmail.com>
-Date: Mon, 11 Jun 2018 19:38:54 +0200
-Subject: [PATCH] Reject excessively large primes in DH key generation.
-
-CVE-2018-0732
-
-Signed-off-by: Guido Vranken <guidovranken@gmail.com>
-
-(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/6457)
----
- crypto/dh/dh_key.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 387558f1467..f235e0d682b 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
- int ok = 0;
- int generate_new_key = 0;
- unsigned l;
-- BN_CTX *ctx;
-+ BN_CTX *ctx = NULL;
- BN_MONT_CTX *mont = NULL;
- BIGNUM *pub_key = NULL, *priv_key = NULL;
-
-+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
-+ return 0;
-+ }
-+
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
diff --git a/main/openssl/CVE-2018-0737.patch b/main/openssl/CVE-2018-0737.patch
deleted file mode 100644
index 162dc3d7fa..0000000000
--- a/main/openssl/CVE-2018-0737.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001
-From: Billy Brumley <bbrumley@gmail.com>
-Date: Wed, 11 Apr 2018 10:10:58 +0300
-Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
- both get called with BN_FLG_CONSTTIME flag set.
-
-CVE-2018-0737
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
----
- crypto/rsa/rsa_gen.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
-index 9ca5dfefb70..42b89a8dfaa 100644
---- a/crypto/rsa/rsa_gen.c
-+++ b/crypto/rsa/rsa_gen.c
-@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
- if (BN_copy(rsa->e, e_value) == NULL)
- goto err;
-
-+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
-+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
- BN_set_flags(r2, BN_FLG_CONSTTIME);
- /* generate p and q */
- for (;;) { |