diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-21 13:17:11 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-11-22 13:10:21 +0100 |
commit | 14f735f6a8fd51d868bfb6540d9c2c4e45f09630 (patch) | |
tree | d7660849c8b92c1c96ee06bcab19e05d94e40179 | |
parent | b40f23f8d0765c072759e2a479ed8d550deab9aa (diff) | |
download | aports-14f735f6a8fd51d868bfb6540d9c2c4e45f09630.tar.bz2 aports-14f735f6a8fd51d868bfb6540d9c2c4e45f09630.tar.xz |
main/openssl1.0: upgrade to 1.0.2p
-rw-r--r-- | main/openssl/APKBUILD | 40 | ||||
-rw-r--r-- | main/openssl/CVE-2018-0732.patch | 39 | ||||
-rw-r--r-- | main/openssl/CVE-2018-0737.patch | 28 |
3 files changed, 4 insertions, 103 deletions
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD index 6682b7f7a0..7253b8af6a 100644 --- a/main/openssl/APKBUILD +++ b/main/openssl/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Timo Teras <timo.teras@iki.fi> pkgname=openssl -pkgver=1.0.2o -pkgrel=1 +pkgver=1.0.2p +pkgrel=0 pkgdesc="Toolkit for SSL v2/v3 and TLS v1" url="http://openssl.org" depends= @@ -26,8 +26,6 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch 1002-backport-changes-from-upstream-padlock-module.patch 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch - CVE-2018-0732.patch - CVE-2018-0737.patch " # secfixes: @@ -131,35 +129,7 @@ libssl() { done } -md5sums="44279b8557c3247cbe324e2322ecd114 openssl-1.0.2o.tar.gz -67bdfe450143a41042d2c318003e963a 0002-busybox-basename.patch -84c03f201f55ca7fbfde364cfdfc9cf4 0003-use-termios.patch -9bb9dffdd871eeccc945494771302cc3 0004-fix-default-ca-path-for-apps.patch -ed6e779e9799aeb7e029929a5719e631 0005-fix-parallel-build.patch -5a5753f52b9f54f769f1ad915d0119bd 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch -7a2f9c883ecdfca3087062df4a68150a 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch -28e89dd715fc4ed85e747bd7306f2970 0009-no-rpath.patch -742ee13d88b13414248f329a09f9a92d 0010-ssl-env-zlib.patch -25091afb907de2b504f8bad6bf70002c 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch -aa16c89b283faf0fe546e3f897279c44 1002-backport-changes-from-upstream-padlock-module.patch -57cca845e22c178c3b317010be56edf0 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch -2e05ad02a120eab569e367007f97e3b4 CVE-2018-0732.patch -d6ef51f3aada02c039a4e24314ae6694 CVE-2018-0737.patch" -sha256sums="ec3f5c9714ba0fd45cb4e087301eb1336c317e0d20b575a125050470e8089e4d openssl-1.0.2o.tar.gz -b449fb998b5f60a3a1779ac2f432b2c7f08ae52fc6dfa98bca37d735f863d400 0002-busybox-basename.patch -c3e6a9710726dac72e3eeffd78961d3bae67a480f6bde7890e066547da25cdfd 0003-use-termios.patch -1f022ccab9b2e5850f32d2ac75cb617c8ce7b803a4548ce71e82776fe5b15b67 0004-fix-default-ca-path-for-apps.patch -aa1fed25880313bd77fe06fc8a42ac65e02ac944eb4052480de2abbde7867380 0005-fix-parallel-build.patch -9baecc8024bd5004ef045c6c53537f7453029c1e273874ce639834145564ca6d 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch -1030f885dc76f352854a7a95d73e68cfd1479c5f9ee198d6afef6b0755ee1c81 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch -6b7ac5c9db430d9d3e8aaf87e0e95aa8a0ef460517d6563cca24014d4d890fbc 0009-no-rpath.patch -fa2e3101ca7c6daed7ea063860d586424be7590b1cec4302bc2beee1a3c6039f 0010-ssl-env-zlib.patch -2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch -aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 1002-backport-changes-from-upstream-padlock-module.patch -c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch -1561e1208db0913fd916212db09ca606569de12c2c8b7ecca1983dea5035cf04 CVE-2018-0732.patch -7c9cde92a3d72dbfdf741cdc0d1b6e0f866fce38357da943c79beee4d33967f7 CVE-2018-0737.patch" -sha512sums="8a2c93657c85143e76785bb32ee836908c31a6f5f8db993fa9777acba6079e630cdddd03edbad65d1587199fc13a1507789eacf038b56eb99139c2091d9df7fd openssl-1.0.2o.tar.gz +sha512sums="958c5a7c3324bbdc8f07dfb13e11329d9a1b4452c07cf41fbd2d42b5fe29c95679332a3476d24c2dc2b88be16e4a24744aba675a05a388c0905756c77a8a2f16 openssl-1.0.2p.tar.gz 2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c 0002-busybox-basename.patch 58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch @@ -170,6 +140,4 @@ c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723e 5febe20948e3f12d981e378e1f4ea538711657aacb6865a1aa91339d4a04277e250f490a1f2abc2c6f290bdc2b1bffdba1d00983b4c09f7ea983eef8163f9420 0010-ssl-env-zlib.patch 8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 1002-backport-changes-from-upstream-padlock-module.patch -6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch -ff91298629f157496a012da00ba7325923f5d087bfa54b60e205bf2dfb06374e958912e0df39dbdf39773555455c1a3afa3dcde1ddfec6e85cf89b0b62cc0eb4 CVE-2018-0732.patch -70be7fb9abad901fd84e8028e328c5b2fb7feff18547cfb749c5f59faf06eceab9052f9979d721670f6f3e099ba59761e8394e986565d349dd25e9718eaa99f0 CVE-2018-0737.patch" +6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch" diff --git a/main/openssl/CVE-2018-0732.patch b/main/openssl/CVE-2018-0732.patch deleted file mode 100644 index 148e7c3bc1..0000000000 --- a/main/openssl/CVE-2018-0732.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001 -From: Guido Vranken <guidovranken@gmail.com> -Date: Mon, 11 Jun 2018 19:38:54 +0200 -Subject: [PATCH] Reject excessively large primes in DH key generation. - -CVE-2018-0732 - -Signed-off-by: Guido Vranken <guidovranken@gmail.com> - -(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) - -Reviewed-by: Tim Hudson <tjh@openssl.org> -Reviewed-by: Matt Caswell <matt@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/6457) ---- - crypto/dh/dh_key.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 387558f1467..f235e0d682b 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -130,10 +130,15 @@ static int generate_key(DH *dh) - int ok = 0; - int generate_new_key = 0; - unsigned l; -- BN_CTX *ctx; -+ BN_CTX *ctx = NULL; - BN_MONT_CTX *mont = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; diff --git a/main/openssl/CVE-2018-0737.patch b/main/openssl/CVE-2018-0737.patch deleted file mode 100644 index 162dc3d7fa..0000000000 --- a/main/openssl/CVE-2018-0737.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001 -From: Billy Brumley <bbrumley@gmail.com> -Date: Wed, 11 Apr 2018 10:10:58 +0300 -Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont - both get called with BN_FLG_CONSTTIME flag set. - -CVE-2018-0737 - -Reviewed-by: Rich Salz <rsalz@openssl.org> -Reviewed-by: Matt Caswell <matt@openssl.org> -(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787) ---- - crypto/rsa/rsa_gen.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c -index 9ca5dfefb70..42b89a8dfaa 100644 ---- a/crypto/rsa/rsa_gen.c -+++ b/crypto/rsa/rsa_gen.c -@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - if (BN_copy(rsa->e, e_value) == NULL) - goto err; - -+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME); -+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME); - BN_set_flags(r2, BN_FLG_CONSTTIME); - /* generate p and q */ - for (;;) { |