Next | Query returned 437 messages, browsing 201 to 210 | Previous

CVS Commit History:


   2012-01-06 04:26:23 by Takahiro Kambe | Files touched by this commit (4) | Package updated
Log message:
Update openssl package to 0.9.8s.

 OpenSSL CHANGES
 _______________

 Changes between 0.9.8r and 0.9.8s [4 Jan 2012]

  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
     of the Vaudenay padding oracle attack on CBC mode encryption
     which enables an efficient plaintext recovery attack against
     the OpenSSL implementation of DTLS. Their attack exploits timing
     differences arising during decryption processing. A research
     paper describing this attack can be found at:
                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
     for preparing the fix. (CVE-2011-4108)
     [Robin Seggelmann, Michael Tuexen]

  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
     [Ben Laurie, Kasper <ekasper@google.com>]

  *) Clear bytes used for block padding of SSL 3.0 records.
     (CVE-2011-4576)
     [Adam Langley (Google)]

  *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
     [Adam Langley (Google)]

  *) Prevent malformed RFC3779 data triggering an assertion failure.
     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
     [Rob Austein <sra@hactrn.net>]

  *) Fix ssl_ciph.c set-up race.
     [Adam Langley (Google)]

  *) Fix spurious failures in ecdsatest.c.
     [Emilia Käsper (Google)]

  *) Fix the BIO_f_buffer() implementation (which was mixing different
     interpretations of the '..._len' fields).
     [Adam Langley (Google)]

  *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
     BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
     threads won't reuse the same blinding coefficients.

     This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
     lock to call BN_BLINDING_invert_ex, and avoids one use of
     BN_BLINDING_update for each BN_BLINDING structure (previously,
     the last update always remained unused).
     [Emilia Käsper (Google)]

  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
     for multi-threaded use of ECDH.
     [Adam Langley (Google)]

  *) Fix x509_name_ex_d2i memory leak on bad inputs.
     [Bodo Moeller]

  *) Add protection against ECDSA timing attacks as mentioned in the paper
     by Billy Bob Brumley and Nicola Tuveri, see:

	http://eprint.iacr.org/2011/232.pdf

     [Billy Bob Brumley and Nicola Tuveri]

 Changes between 0.9.8q and 0.9.8r [8 Feb 2011]

  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]

  *) Fix bug in string printing code: if *any* escaping is enabled we must
     escape the escape character (backslash) or the resulting string is
     ambiguous.
     [Steve Henson]

 Changes between 0.9.8p and 0.9.8q [2 Dec 2010]

  *) Disable code workaround for ancient and obsolete Netscape browsers
     and servers: an attacker can use it in a ciphersuite downgrade attack.
     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
     [Steve Henson]

  *) Fixed J-PAKE implementation error, originally discovered by
     Sebastien Martini, further info and confirmation from Stefan
     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
     [Ben Laurie]

   2011-11-17 14:03:19 by OBATA Akio | Files touched by this commit (1)
Log message:
Add BUILTIN_VERSION.openssl to MAKEVARS for later use.

fixes PR pkg/44577.

   2011-11-02 23:51:07 by John Nemeth | Files touched by this commit (2)
Log message:
Add a new threads option which is on by default.  The purpose of this is
to allow other packages that can't handle threads to link against this.

No revbump since there is no change to binary packages.

   2011-10-04 16:15:35 by Hans Rosenfeld | Files touched by this commit (1)
Log message:
Look in /usr/sfw to find built-in openssl on SunOS 5.10.

   2011-07-04 16:42:57 by Tim Zingelman | Files touched by this commit (3)
Log message:
Correct the fix for http://secunia.com/advisories/44572/
See the thread here:
  http://www.mail-archive.com/openssl-dev@openssl.org/msg29283.html

   2011-05-31 19:18:42 by Tim Zingelman | Files touched by this commit (3)
Log message:
Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
  http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]

(patch confirmed in upstream cvs)

   2011-04-01 23:02:48 by Tim Zingelman | Files touched by this commit (1)
Log message:
Use solaris64 rather than solaris for ABI=64 build using gcc in SunOS
fixes PR#44769

   2011-02-09 01:15:30 by Takahiro Kambe | Files touched by this commit (3)
Log message:
Add fix for security issue CVE-2011-0014.

Bump PKGREVISION.

   2011-01-20 17:25:21 by Tim Zingelman | Files touched by this commit (1)
Log message:
'fix' pr#43939 by providing a pointer to the root cause

   2010-12-03 01:17:21 by Takahiro Kambe | Files touched by this commit (2)
Log message:
Update openssl package to 0.9.8q.

   OpenSSL version 0.9.8q released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 0.9.8q of our open source toolkit for SSL/TLS. This new
   OpenSSL version is a security and bugfix release. For a complete
   list of changes, please see

       http://www.openssl.org/source/exp/CHANGES.

   The most significant changes are:

      o Fix for security issue CVE-2010-4180
      o Fix for CVE-2010-4252
