This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via 31269e52cb47dab4bfd404b5d95842461d33f7df (commit)
via fc4b02df53bc8c2e584281eec104a0647044649c (commit)
via 7e8fc770bdd3bbeb98ba281208c2e735e46dee09 (commit)
from b4880b752e3eeb61a95a6701066e2cf240737371 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 31269e52cb47dab4bfd404b5d95842461d33f7df
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Jan 30 17:42:53 2024 +0000
core183: Ship vpnmain.cgi
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit fc4b02df53bc8c2e584281eec104a0647044649c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Jan 30 17:18:40 2024 +0000
vpnmain.cgi: Fix parsing CN from certificates generated by OpenSSL 3.2
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 7e8fc770bdd3bbeb98ba281208c2e735e46dee09
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Jan 30 15:09:54 2024 +0000
openssl: Update to 3.2.1
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/common/openssl | 69 +++++++++++++++++++++++++++++++
config/rootfiles/core/183/filelists/files | 1 +
html/cgi-bin/vpnmain.cgi | 2 +-
lfs/openssl | 4 +-
4 files changed, 73 insertions(+), 3 deletions(-)
Difference in files:
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index 118b15e85..a3664a521 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -329,6 +329,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/CMS_get1_ReceiptRequest.html
#usr/share/doc/openssl/html/man3/CMS_sign.html
#usr/share/doc/openssl/html/man3/CMS_sign_receipt.html
+#usr/share/doc/openssl/html/man3/CMS_signed_get_attr.html
#usr/share/doc/openssl/html/man3/CMS_uncompress.html
#usr/share/doc/openssl/html/man3/CMS_verify.html
#usr/share/doc/openssl/html/man3/CMS_verify_receipt.html
@@ -431,6 +432,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/EVP_PKEY_encapsulate.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_encrypt.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_fromdata.html
+#usr/share/doc/openssl/html/man3/EVP_PKEY_get_attr.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_get_default_digest_nid.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_get_field_type.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_get_group_name.html
@@ -812,6 +814,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/X509V3_get_d2i.html
#usr/share/doc/openssl/html/man3/X509V3_set_ctx.html
#usr/share/doc/openssl/html/man3/X509_ALGOR_dup.html
+#usr/share/doc/openssl/html/man3/X509_ATTRIBUTE.html
#usr/share/doc/openssl/html/man3/X509_CRL_get0_by_serial.html
#usr/share/doc/openssl/html/man3/X509_EXTENSION_set_object.html
#usr/share/doc/openssl/html/man3/X509_LOOKUP.html
@@ -823,6 +826,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/X509_NAME_get_index_by_NID.html
#usr/share/doc/openssl/html/man3/X509_NAME_print_ex.html
#usr/share/doc/openssl/html/man3/X509_PUBKEY_new.html
+#usr/share/doc/openssl/html/man3/X509_REQ_get_attr.html
#usr/share/doc/openssl/html/man3/X509_REQ_get_extensions.html
#usr/share/doc/openssl/html/man3/X509_SIG_get0.html
#usr/share/doc/openssl/html/man3/X509_STORE_CTX_get_by_subject.html
@@ -1812,7 +1816,27 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/CMS_sign.3ossl
#usr/share/man/man3/CMS_sign_ex.3ossl
#usr/share/man/man3/CMS_sign_receipt.3ossl
+#usr/share/man/man3/CMS_signed_add1_attr.3ossl
+#usr/share/man/man3/CMS_signed_add1_attr_by_NID.3ossl
+#usr/share/man/man3/CMS_signed_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/CMS_signed_add1_attr_by_txt.3ossl
+#usr/share/man/man3/CMS_signed_delete_attr.3ossl
+#usr/share/man/man3/CMS_signed_get0_data_by_OBJ.3ossl
+#usr/share/man/man3/CMS_signed_get_attr.3ossl
+#usr/share/man/man3/CMS_signed_get_attr_by_NID.3ossl
+#usr/share/man/man3/CMS_signed_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/CMS_signed_get_attr_count.3ossl
#usr/share/man/man3/CMS_uncompress.3ossl
+#usr/share/man/man3/CMS_unsigned_add1_attr.3ossl
+#usr/share/man/man3/CMS_unsigned_add1_attr_by_NID.3ossl
+#usr/share/man/man3/CMS_unsigned_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/CMS_unsigned_add1_attr_by_txt.3ossl
+#usr/share/man/man3/CMS_unsigned_delete_attr.3ossl
+#usr/share/man/man3/CMS_unsigned_get0_data_by_OBJ.3ossl
+#usr/share/man/man3/CMS_unsigned_get_attr.3ossl
+#usr/share/man/man3/CMS_unsigned_get_attr_by_NID.3ossl
+#usr/share/man/man3/CMS_unsigned_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/CMS_unsigned_get_attr_count.3ossl
#usr/share/man/man3/CMS_verify.3ossl
#usr/share/man/man3/CMS_verify_receipt.3ossl
#usr/share/man/man3/COMP_CTX_free.3ossl
@@ -2881,6 +2905,10 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/EVP_PKEY_CTX_settable_params.3ossl
#usr/share/man/man3/EVP_PKEY_METHOD.3ossl
#usr/share/man/man3/EVP_PKEY_Q_keygen.3ossl
+#usr/share/man/man3/EVP_PKEY_add1_attr.3ossl
+#usr/share/man/man3/EVP_PKEY_add1_attr_by_NID.3ossl
+#usr/share/man/man3/EVP_PKEY_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/EVP_PKEY_add1_attr_by_txt.3ossl
#usr/share/man/man3/EVP_PKEY_asn1_add0.3ossl
#usr/share/man/man3/EVP_PKEY_asn1_add_alias.3ossl
#usr/share/man/man3/EVP_PKEY_asn1_copy.3ossl
@@ -2926,6 +2954,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/EVP_PKEY_decrypt.3ossl
#usr/share/man/man3/EVP_PKEY_decrypt_init.3ossl
#usr/share/man/man3/EVP_PKEY_decrypt_init_ex.3ossl
+#usr/share/man/man3/EVP_PKEY_delete_attr.3ossl
#usr/share/man/man3/EVP_PKEY_derive.3ossl
#usr/share/man/man3/EVP_PKEY_derive_init.3ossl
#usr/share/man/man3/EVP_PKEY_derive_init_ex.3ossl
@@ -2965,6 +2994,10 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/EVP_PKEY_get1_RSA.3ossl
#usr/share/man/man3/EVP_PKEY_get1_encoded_public_key.3ossl
#usr/share/man/man3/EVP_PKEY_get1_tls_encodedpoint.3ossl
+#usr/share/man/man3/EVP_PKEY_get_attr.3ossl
+#usr/share/man/man3/EVP_PKEY_get_attr_by_NID.3ossl
+#usr/share/man/man3/EVP_PKEY_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/EVP_PKEY_get_attr_count.3ossl
#usr/share/man/man3/EVP_PKEY_get_base_id.3ossl
#usr/share/man/man3/EVP_PKEY_get_bits.3ossl
#usr/share/man/man3/EVP_PKEY_get_bn_param.3ossl
@@ -3558,13 +3591,16 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/OPENSSL_LH_error.3ossl
#usr/share/man/man3/OPENSSL_LH_flush.3ossl
#usr/share/man/man3/OPENSSL_LH_free.3ossl
+#usr/share/man/man3/OPENSSL_LH_get_down_load.3ossl
#usr/share/man/man3/OPENSSL_LH_insert.3ossl
#usr/share/man/man3/OPENSSL_LH_new.3ossl
#usr/share/man/man3/OPENSSL_LH_node_stats.3ossl
#usr/share/man/man3/OPENSSL_LH_node_stats_bio.3ossl
#usr/share/man/man3/OPENSSL_LH_node_usage_stats.3ossl
#usr/share/man/man3/OPENSSL_LH_node_usage_stats_bio.3ossl
+#usr/share/man/man3/OPENSSL_LH_num_items.3ossl
#usr/share/man/man3/OPENSSL_LH_retrieve.3ossl
+#usr/share/man/man3/OPENSSL_LH_set_down_load.3ossl
#usr/share/man/man3/OPENSSL_LH_stats.3ossl
#usr/share/man/man3/OPENSSL_LH_stats_bio.3ossl
#usr/share/man/man3/OPENSSL_LINE.3ossl
@@ -5669,9 +5705,20 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/X509_ALGOR_new.3ossl
#usr/share/man/man3/X509_ALGOR_set0.3ossl
#usr/share/man/man3/X509_ALGOR_set_md.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_count.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_create.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_create_by_NID.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_create_by_OBJ.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_create_by_txt.3ossl
#usr/share/man/man3/X509_ATTRIBUTE_dup.3ossl
#usr/share/man/man3/X509_ATTRIBUTE_free.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_get0_data.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_get0_object.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_get0_type.3ossl
#usr/share/man/man3/X509_ATTRIBUTE_new.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_set1_data.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_set1_object.3ossl
#usr/share/man/man3/X509_CERT_AUX_free.3ossl
#usr/share/man/man3/X509_CERT_AUX_new.3ossl
#usr/share/man/man3/X509_CINF_free.3ossl
@@ -5826,9 +5873,14 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/X509_PUBKEY_set0_public_key.3ossl
#usr/share/man/man3/X509_REQ_INFO_free.3ossl
#usr/share/man/man3/X509_REQ_INFO_new.3ossl
+#usr/share/man/man3/X509_REQ_add1_attr.3ossl
+#usr/share/man/man3/X509_REQ_add1_attr_by_NID.3ossl
+#usr/share/man/man3/X509_REQ_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/X509_REQ_add1_attr_by_txt.3ossl
#usr/share/man/man3/X509_REQ_add_extensions.3ossl
#usr/share/man/man3/X509_REQ_add_extensions_nid.3ossl
#usr/share/man/man3/X509_REQ_check_private_key.3ossl
+#usr/share/man/man3/X509_REQ_delete_attr.3ossl
#usr/share/man/man3/X509_REQ_digest.3ossl
#usr/share/man/man3/X509_REQ_dup.3ossl
#usr/share/man/man3/X509_REQ_free.3ossl
@@ -5836,6 +5888,10 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/X509_REQ_get0_pubkey.3ossl
#usr/share/man/man3/X509_REQ_get0_signature.3ossl
#usr/share/man/man3/X509_REQ_get_X509_PUBKEY.3ossl
+#usr/share/man/man3/X509_REQ_get_attr.3ossl
+#usr/share/man/man3/X509_REQ_get_attr_by_NID.3ossl
+#usr/share/man/man3/X509_REQ_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/X509_REQ_get_attr_count.3ossl
#usr/share/man/man3/X509_REQ_get_extensions.3ossl
#usr/share/man/man3/X509_REQ_get_pubkey.3ossl
#usr/share/man/man3/X509_REQ_get_signature_nid.3ossl
@@ -6126,6 +6182,16 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/X509_verify.3ossl
#usr/share/man/man3/X509_verify_cert.3ossl
#usr/share/man/man3/X509_verify_cert_error_string.3ossl
+#usr/share/man/man3/X509at_add1_attr.3ossl
+#usr/share/man/man3/X509at_add1_attr_by_NID.3ossl
+#usr/share/man/man3/X509at_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/X509at_add1_attr_by_txt.3ossl
+#usr/share/man/man3/X509at_delete_attr.3ossl
+#usr/share/man/man3/X509at_get0_data_by_OBJ.3ossl
+#usr/share/man/man3/X509at_get_attr.3ossl
+#usr/share/man/man3/X509at_get_attr_by_NID.3ossl
+#usr/share/man/man3/X509at_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/X509at_get_attr_count.3ossl
#usr/share/man/man3/X509v3_add_ext.3ossl
#usr/share/man/man3/X509v3_delete_ext.3ossl
#usr/share/man/man3/X509v3_get_ext.3ossl
@@ -6598,9 +6664,12 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/lh_TYPE_error.3ossl
#usr/share/man/man3/lh_TYPE_flush.3ossl
#usr/share/man/man3/lh_TYPE_free.3ossl
+#usr/share/man/man3/lh_TYPE_get_down_load.3ossl
#usr/share/man/man3/lh_TYPE_insert.3ossl
#usr/share/man/man3/lh_TYPE_new.3ossl
+#usr/share/man/man3/lh_TYPE_num_items.3ossl
#usr/share/man/man3/lh_TYPE_retrieve.3ossl
+#usr/share/man/man3/lh_TYPE_set_down_load.3ossl
#usr/share/man/man3/o2i_SCT.3ossl
#usr/share/man/man3/o2i_SCT_LIST.3ossl
#usr/share/man/man3/pem_password_cb.3ossl
diff --git a/config/rootfiles/core/183/filelists/files b/config/rootfiles/core/183/filelists/files
index 8839504f4..b89f6e95c 100644
--- a/config/rootfiles/core/183/filelists/files
+++ b/config/rootfiles/core/183/filelists/files
@@ -4,6 +4,7 @@ etc/rc.d/init.d/networking/red.up/60-collectd
srv/web/ipfire/cgi-bin/dhcp.cgi
srv/web/ipfire/cgi-bin/proxy.cgi
srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
+srv/web/ipfire/cgi-bin/vpnmain.cgi
usr/local/bin/backupiso
var/ipfire/backup/bin/backup.pl
var/ipfire/header.pl
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 63f875c6a..53507305f 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -244,7 +244,7 @@ sub callssl ($) {
sub getCNfromcert ($) {
#&General::log("ipsec", "Extracting name from $_[0]...");
my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
- $temp =~ /Subject:.*CN = (.*)[\n]/;
+ $temp =~ /Subject:.*CN\s*=\s*(.*)[\n]/;
$temp = $1;
$temp =~ s+/Email+, E+;
$temp =~ s/ ST = / S = /;
diff --git a/lfs/openssl b/lfs/openssl
index 2a9de717a..695035742 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
include Config
-VER = 3.2.0
+VER = 3.2.1
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 776123929796d2eb0f3974bf6ee3a55df9187231632837576bf5ded7b5917f052683cdfc756693c1bee6fe1ffc7c3cb1ebcf833018d3caf51886f4f4e7a495f1
+$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347
install : $(TARGET)
hooks/post-receive
--
IPFire 2.x development tree