./security/openssl, Secure Socket Layer and cryptographic library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.0.2nnb1, Package name: openssl-1.0.2nnb1, Maintainer: pkgsrc-users

The OpenSSL Project is a collaborative effort to develop a
robust, commercial-grade, full-featured, and Open Source
toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as
a full-strength general purpose cryptography library. The
project is managed by a worldwide community of volunteers
that use the Internet to communicate, plan, and develop the
OpenSSL toolkit and its related documentation.

MESSAGE.SunOS [+/-]

Required to run:
[lang/perl5]

Required to build:
[devel/p5-Perl4-CoreLibs] [pkgtools/cwrappers]

Package options: idea, md2, mdc2, threads

Master sites:

SHA1: 0ca2957869206de193603eca6d89f532f61680b1
RMD160: 90fbf1df8986e04921e14e4c6e408458b5b31f6c
Filesize: 5249.807 KB

Version history: (Expand)


CVS history: (Expand)


   2018-01-16 10:48:46 by Jonathan Perkin | Files touched by this commit (2)
Log message:
openssl: Don't set LD_LIBRARY_PATH during build.
   2018-01-07 14:04:44 by Roland Illig | Files touched by this commit (583)
Log message:
Fix indentation in buildlink3.mk files.

The actual fix as been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.

There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.
   2018-01-02 06:37:24 by Maya Rashish | Files touched by this commit (25)
Log message:
Remove traces of crypto restrictions from packages.

ok for idea riastradh.
   2017-12-14 21:44:20 by Matthias Scheler | Files touched by this commit (1)
Log message:
openssl: Fix packaging under macOS

The last change for fixing packaging under macOS did not work when
the object directory resides on a case insensitive file-system.
   2017-12-14 10:18:47 by Jonathan Perkin | Files touched by this commit (2) | Package updated
Log message:
openssl: Avoid case-sensitive issue on Darwin.  Bump PKGREVISION.
   2017-12-09 19:02:02 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/openssl to 1.0.2n.

Read/write after SSL object in error state (CVE-2017-3737)
==========================================================

Severity: Moderate

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
mechanism. The intent was that if a fatal error occurred during a handshake then
OpenSSL would move into the error state and would immediately fail if you
attempted to continue the handshake. This works as designed for the explicit
handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),
however due to a bug it does not work correctly if SSL_read() or SSL_write() is
called directly. In that scenario, if the handshake fails then a fatal error
will be returned in the initial function call. If SSL_read()/SSL_write() is
subsequently called by the application for the same SSL object then it will
succeed and the data is passed without being decrypted/encrypted directly from
the SSL/TLS record layer.

In order to exploit this issue an application bug would have to be present that
resulted in a call to SSL_read()/SSL_write() being issued after having already
received a fatal error.

rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
=========================================================

Severity: Low

There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this defect
would be very difficult to perform and are not believed likely. Attacks
against DH1024 are considered just feasible, because most of the work
necessary to deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have to share
the DH1024 private key among multiple clients, which is no longer an option
since CVE-2016-0701.

This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).
   2017-11-24 21:34:23 by Benny Siegert | Files touched by this commit (4) | Package updated
Log message:
Update openssl to 1.0.2m.

This is a recommended security update.

Changes between 1.0.2l and 1.0.2m [2 Nov 2017]

 *) bn_sqrx8x_internal carry bug on x86_64

    There is a carry propagating bug in the x86_64 Montgomery squaring
    procedure. No EC algorithms are affected. Analysis suggests that attacks
    against RSA and DSA as a result of this defect would be very difficult to
    perform and are not believed likely. Attacks against DH are considered just
    feasible (although very difficult) because most of the work necessary to
    deduce information about a private key may be performed offline. The amount
    of resources required for such an attack would be very significant and
    likely only accessible to a limited number of attackers. An attacker would
    additionally need online access to an unpatched system using the target
    private key in a scenario with persistent DH parameters and a private
    key that is shared between multiple clients.

    This only affects processors that support the BMI1, BMI2 and ADX extensions
    like Intel Broadwell (5th generation) and later or AMD Ryzen.

    This issue was reported to OpenSSL by the OSS-Fuzz project.
    (CVE-2017-3736)
    [Andy Polyakov]

 *) Malformed X.509 IPAddressFamily could cause OOB read

    If an X.509 certificate has a malformed IPAddressFamily extension,
    OpenSSL could do a one-byte buffer overread. The most likely result
    would be an erroneous display of the certificate in text format.

    This issue was reported to OpenSSL by the OSS-Fuzz project.
    (CVE-2017-3735)
    [Rich Salz]

Changes between 1.0.2k and 1.0.2l [25 May 2017]

 *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
    platform rather than 'mingw'.
    [Richard Levitte]
   2017-09-22 23:02:43 by Tim Zingelman | Files touched by this commit (3)
Log message:
openssl: fix for CVE-2017-3735