This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 9572ae7b1dc13902e39b4ad21e49cb33b2beee09 (commit) via 1bffb208e81b2d6edb1ade9e4bb0c5312c798f91 (commit) from 7b42d2f89a59cf4efe82c46a6fc510a02cab7c6f (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 9572ae7b1dc13902e39b4ad21e49cb33b2beee09 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Feb 16 17:34:10 2021 +0000
core155: Ship openssl
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1bffb208e81b2d6edb1ade9e4bb0c5312c798f91 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Feb 16 17:28:17 2021 +0000
openssl: Update to 1.1.1j
Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841) ====================================================================
Severity: Moderate
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.
The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources.
OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j.
OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.
This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy from Google. The fix was developed by Matt Caswell.
Incorrect SSLv2 rollback protection (CVE-2021-23839) ====================================================
Severity: Low
OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested).
The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made.
Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must:
1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list)
OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version.
OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.
This issue was reported to OpenSSL on 21st January 2021 by D. Katz and Joel Luellwitz from Trustwave. The fix was developed by Matt Caswell.
Integer overflow in CipherUpdate (CVE-2021-23840) =================================================
Severity: Low
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.
OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j.
OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.
This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The fix was developed by Matt Caswell.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/common/openssl | 4 ++++ .../rootfiles/{oldcore/100 => core/155}/filelists/i586/openssl-sse2 | 0 config/rootfiles/{oldcore/100 => core/155}/filelists/openssl | 0 lfs/openssl | 4 ++-- 4 files changed, 6 insertions(+), 2 deletions(-) copy config/rootfiles/{oldcore/100 => core/155}/filelists/i586/openssl-sse2 (100%) copy config/rootfiles/{oldcore/100 => core/155}/filelists/openssl (100%)
Difference in files: diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index df6bbe320..989670262 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -869,6 +869,7 @@ usr/lib/libssl.so.1.1 #usr/share/doc/openssl/html/man3/DH_check_pub_key_ex.html #usr/share/doc/openssl/html/man3/DH_clear_flags.html #usr/share/doc/openssl/html/man3/DH_compute_key.html +#usr/share/doc/openssl/html/man3/DH_compute_key_padded.html #usr/share/doc/openssl/html/man3/DH_free.html #usr/share/doc/openssl/html/man3/DH_generate_key.html #usr/share/doc/openssl/html/man3/DH_generate_parameters.html @@ -1983,6 +1984,7 @@ usr/lib/libssl.so.1.1 #usr/share/doc/openssl/html/man3/OCSP_REQUEST_new.html #usr/share/doc/openssl/html/man3/OCSP_REQ_CTX_add1_header.html #usr/share/doc/openssl/html/man3/OCSP_REQ_CTX_free.html +#usr/share/doc/openssl/html/man3/OCSP_REQ_CTX_i2d.html #usr/share/doc/openssl/html/man3/OCSP_REQ_CTX_set1_req.html #usr/share/doc/openssl/html/man3/OCSP_RESPBYTES_free.html #usr/share/doc/openssl/html/man3/OCSP_RESPBYTES_new.html @@ -4838,6 +4840,7 @@ usr/lib/libssl.so.1.1 #usr/share/man/man3/DH_check_pub_key_ex.3 #usr/share/man/man3/DH_clear_flags.3 #usr/share/man/man3/DH_compute_key.3 +#usr/share/man/man3/DH_compute_key_padded.3 #usr/share/man/man3/DH_free.3 #usr/share/man/man3/DH_generate_key.3 #usr/share/man/man3/DH_generate_parameters.3 @@ -5952,6 +5955,7 @@ usr/lib/libssl.so.1.1 #usr/share/man/man3/OCSP_REQUEST_new.3 #usr/share/man/man3/OCSP_REQ_CTX_add1_header.3 #usr/share/man/man3/OCSP_REQ_CTX_free.3 +#usr/share/man/man3/OCSP_REQ_CTX_i2d.3 #usr/share/man/man3/OCSP_REQ_CTX_set1_req.3 #usr/share/man/man3/OCSP_RESPBYTES_free.3 #usr/share/man/man3/OCSP_RESPBYTES_new.3 diff --git a/config/rootfiles/core/155/filelists/i586/openssl-sse2 b/config/rootfiles/core/155/filelists/i586/openssl-sse2 new file mode 120000 index 000000000..f424713d6 --- /dev/null +++ b/config/rootfiles/core/155/filelists/i586/openssl-sse2 @@ -0,0 +1 @@ +../../../../common/i586/openssl-sse2 \ No newline at end of file diff --git a/config/rootfiles/core/155/filelists/openssl b/config/rootfiles/core/155/filelists/openssl new file mode 120000 index 000000000..e011a9266 --- /dev/null +++ b/config/rootfiles/core/155/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file diff --git a/lfs/openssl b/lfs/openssl index 16e20b439..ea7eff135 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@
include Config
-VER = 1.1.1i +VER = 1.1.1j
THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -87,7 +87,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 08987c3cf125202e2b0840035efb392c +$(DL_FILE)_MD5 = cccaa064ed860a2b4d1303811bf5c682
install : $(TARGET)
hooks/post-receive -- IPFire 2.x development tree