This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 76f422025ffe1baed977b5c8e1f072e5981e46ff (commit) via 166ceacd6b375bc97eed722012a0f1fffd5a15e1 (commit) from c98304604bfed3b29bb384ab0999596644573f2c (commit)
- Log ----------------------------------------------------------------- commit 76f422025ffe1baed977b5c8e1f072e5981e46ff Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 27 16:05:07 2018 +0100
openssl: Update to 1.0.2o
CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Reported by OSS-fuzz.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 166ceacd6b375bc97eed722012a0f1fffd5a15e1 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 27 15:59:04 2018 +0100
openssl: Update to 1.1.0h
CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Reported by OSS-fuzz.
This patch also entirely removes support for SSLv3. The patch to disable it didn't apply and since nobody has been using this before, we will not compile it into OpenSSL any more.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: lfs/openssl | 7 +-- lfs/openssl-compat | 4 +- src/patches/openssl-1.1.0-disable-ssl3.patch | 86 ---------------------------- 3 files changed, 4 insertions(+), 93 deletions(-) delete mode 100644 src/patches/openssl-1.1.0-disable-ssl3.patch
Difference in files:
diff --git a/lfs/openssl b/lfs/openssl
index 7a39f14de..71f2bc826 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
include Config
-VER = 1.1.0g
+VER = 1.1.0h
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -51,8 +51,6 @@ CONFIGURE_OPTIONS = \
enable-md2 \
enable-seed \
enable-rfc3779 \
- enable-ssl3 \
- enable-ssl3-method \
no-idea \
no-mdc2 \
no-rc5 \
@@ -89,7 +87,7 @@ objects = $(DL_FILE)
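Review bot: Dropping `enable-ssl3 \` and `enable-ssl3-method \` leaves SSLv3 out only because the upstream default is off (which is what the commit message relies on), while every other exclusion in this list is stated explicitly (`no-idea`, `no-mdc2`, `no-rc5`). To make the hardening intent independent of upstream defaults and obvious to the next reader, put `no-ssl3 \` and `no-ssl3-method \` in their place. The commit message says nobody has been using SSLv3; this diff does not show whether any other IPFire component still passes an SSLv3 option to this library, so a grep for that before merge would be prudent.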
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = ba5f1b8b835b88cadbce9b35ed9531a6
+$(DL_FILE)_MD5 = 5271477e4d93f4ea032b665ef095ff24
install : $(TARGET)
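Review bot: The tarball is still pinned only by MD5 (`$(DL_FILE)_MD5 = 5271477e4d93f4ea032b665ef095ff24`), and MD5 is no longer a trustworthy integrity hash since collision attacks against it are practical, so it is a weak anchor for the authenticity of a security-critical dependency. If the build framework allows it, pin a SHA-256 instead (OpenSSL publishes a `.sha256` next to each release) or verify the release `.asc` signature; the same applies to the identical hunk in `lfs/openssl-compat`. `DL_FROM` is not visible in this hunk, so whether the archive is fetched from a trusted mirror cannot be judged from this diff.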
@@ -119,7 +117,6 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0-disable-ssl3.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0g-weak-ciphers.patch
# Apply our CFLAGS
diff --git a/lfs/openssl-compat b/lfs/openssl-compat
index 188baa073..9e991b496 100644
--- a/lfs/openssl-compat
+++ b/lfs/openssl-compat
@@ -24,7 +24,7 @@
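Review bot: The surviving patch `openssl-1.1.0g-weak-ciphers.patch` is named for 1.1.0g and is now applied to the 1.1.0h tree, and the commit message says its sibling disable-ssl3 patch no longer applied on this version, so it is worth confirming this one still lands at its intended hunks rather than via fuzz. A cheap guard is `cd $(DIR_APP) && patch -Np1 --fuzz=0 < $(DIR_SRC)/src/patches/openssl-1.1.0g-weak-ciphers.patch`, so that a drifted hunk fails the build instead of silently applying elsewhere. The `$(TARGET)` recipe continues past the end of this hunk.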
include Config
-VER = 1.0.2n
+VER = 1.0.2o
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -84,7 +84,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 13bdc1b1d1ff39b6fd42a255e74676a4
+$(DL_FILE)_MD5 = 44279b8557c3247cbe324e2322ecd114
install : $(TARGET)
diff --git a/src/patches/openssl-1.1.0-disable-ssl3.patch b/src/patches/openssl-1.1.0-disable-ssl3.patch
deleted file mode 100644
index 267c02c62..000000000
--- a/src/patches/openssl-1.1.0-disable-ssl3.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
---- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200
-+++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200
-@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
- if (sdebug)
- ssl_ctx_security_debug(ctx, sdebug);
-
-+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
- if (ssl_config) {
- if (SSL_CTX_config(ctx, ssl_config) == 0) {
- BIO_printf(bio_err, "Error using configuration "%s"\n",
-diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
---- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200
-+++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200
-@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
- }
- if (sdebug)
- ssl_ctx_security_debug(ctx, sdebug);
-+
-+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
- if (ssl_config) {
- if (SSL_CTX_config(ctx, ssl_config) == 0) {
- BIO_printf(bio_err, "Error using configuration "%s"\n",
-diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
---- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200
-+++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200
-@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- * or by using the SSL_CONF library.
- */
- ret->options |= SSL_OP_NO_COMPRESSION;
-+ /*
-+ * Disable SSLv3 by default. Applications can
-+ * re-enable it by configuring
-+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+ * or by using the SSL_CONF library.
-+ */
-+ ret->options |= SSL_OP_NO_SSLv3;
-
- ret->tlsext_status_type = -1;
-
-diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
---- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
-+++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200
-@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
- SSL_TEST_SERVERNAME_CB_NONE) {
- server2_ctx = SSL_CTX_new(TLS_server_method());
- TEST_check(server2_ctx != NULL);
-+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
- }
- client_ctx = SSL_CTX_new(TLS_client_method());
-
-@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
- resume_client_ctx = SSL_CTX_new(TLS_client_method());
- TEST_check(resume_server_ctx != NULL);
- TEST_check(resume_client_ctx != NULL);
-+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
- }
- }
-
- TEST_check(server_ctx != NULL);
- TEST_check(client_ctx != NULL);
-+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
-
- TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
-
-diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
---- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200
-+++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200
-@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
- ERR_print_errors(bio_err);
- goto end;
- }
-+
-+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
-+
- /*
- * Since we will use low security ciphersuites and keys for testing set
- * security level to zero by default. Tests can override this by adding