Navigation:
Browse pkgsrc
(this page)
New packages:Log Message:
Pullup ticket #4359 - requested by obache
security/openssl: security update
Revisions pulled up:
- security/openssl/Makefile 1.186-1.188
- security/openssl/distinfo 1.103-1.104
- security/openssl/patches/patch-Configure 1.1
- security/openssl/patches/patch-Makefile.org 1.1
- security/openssl/patches/patch-Makefile.shared 1.1
- security/openssl/patches/patch-aa deleted
- security/openssl/patches/patch-ac deleted
- security/openssl/patches/patch-ad deleted
- security/openssl/patches/patch-ae deleted
- security/openssl/patches/patch-af deleted
- security/openssl/patches/patch-ag deleted
- security/openssl/patches/patch-ak deleted
- security/openssl/patches/patch-apps_Makefile 1.1
- security/openssl/patches/patch-config 1.1
- security/openssl/patches/patch-crypto_bn_bn__prime.pl 1.1
- security/openssl/patches/patch-tools_Makefile 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Wed Apr 2 12:11:35 UTC 2014
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Added Files:
pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org
patch-Makefile.shared patch-apps_Makefile patch-config
patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c
patch-crypto_bn_bn__prime.pl patch-crypto_ec_ec2__mult.c
patch-tools_Makefile
Removed Files:
pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-ae
patch-af patch-ag patch-ak
Log Message:
Rename all remaining patch-?? files using the newer naming convention.
Add a fix for CVE-2014-0076:
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
Fix from culled from
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f
91e57d247d0fc667aef29
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: obache
Date: Tue Apr 8 02:48:38 UTC 2014
Modified Files:
pkgsrc/security/openssl: Makefile
Log Message:
p5-Perl4-CoreLibs is not required for perl<5.16
---
Module Name: pkgsrc
Committed By: obache
Date: Tue Apr 8 06:20:44 UTC 2014
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Removed Files:
pkgsrc/security/openssl/patches: patch-crypto_bn_bn.h
patch-crypto_bn_bn__lib.c patch-crypto_ec_ec2__mult.c
Log Message:
Update openssl to 1.0.1g.
(CVE-2014-0076 is already fixed in pkgsrc).
OpenSSL CHANGES
_______________
Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
Thanks for Neel Mehta of Google Security for discovering this bug and
to
Adam Langley <agl@chromium.org> and Bodo Moeller \
<bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
[Adam Langley, Bodo Moeller]
*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]
*) TLS pad extension: draft-agl-tls-padding-03
Workaround for the "TLS hang bug" (see FAQ and \
opensslPR#2771): if the
TLS client Hello record length value would otherwise be > 255 and
less that 512 pad with a dummy extension containing zeroes so it
is at least 512 bytes long.
[Adam Langley, Steve Henson]