This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated via 31269e52cb47dab4bfd404b5d95842461d33f7df (commit) via fc4b02df53bc8c2e584281eec104a0647044649c (commit) via 7e8fc770bdd3bbeb98ba281208c2e735e46dee09 (commit) from b4880b752e3eeb61a95a6701066e2cf240737371 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 31269e52cb47dab4bfd404b5d95842461d33f7df Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jan 30 17:42:53 2024 +0000
core183: Ship vpnmain.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fc4b02df53bc8c2e584281eec104a0647044649c Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jan 30 17:18:40 2024 +0000
vpnmain.cgi: Fix parsing CN from certificates generated by OpenSSL 3.2
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7e8fc770bdd3bbeb98ba281208c2e735e46dee09 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jan 30 15:09:54 2024 +0000
openssl: Update to 3.2.1
* A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs saves the contents of vector registers in different order than they are restored. Thus the contents of some of these vector registers is corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions.
The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter value.
Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with `no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/common/openssl | 69 +++++++++++++++++++++++++++++++ config/rootfiles/core/183/filelists/files | 1 + html/cgi-bin/vpnmain.cgi | 2 +- lfs/openssl | 4 +- 4 files changed, 73 insertions(+), 3 deletions(-)
Difference in files: diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index 118b15e85..a3664a521 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -329,6 +329,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/CMS_get1_ReceiptRequest.html #usr/share/doc/openssl/html/man3/CMS_sign.html #usr/share/doc/openssl/html/man3/CMS_sign_receipt.html +#usr/share/doc/openssl/html/man3/CMS_signed_get_attr.html #usr/share/doc/openssl/html/man3/CMS_uncompress.html #usr/share/doc/openssl/html/man3/CMS_verify.html #usr/share/doc/openssl/html/man3/CMS_verify_receipt.html @@ -431,6 +432,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/EVP_PKEY_encapsulate.html #usr/share/doc/openssl/html/man3/EVP_PKEY_encrypt.html #usr/share/doc/openssl/html/man3/EVP_PKEY_fromdata.html +#usr/share/doc/openssl/html/man3/EVP_PKEY_get_attr.html #usr/share/doc/openssl/html/man3/EVP_PKEY_get_default_digest_nid.html #usr/share/doc/openssl/html/man3/EVP_PKEY_get_field_type.html #usr/share/doc/openssl/html/man3/EVP_PKEY_get_group_name.html @@ -812,6 +814,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/X509V3_get_d2i.html #usr/share/doc/openssl/html/man3/X509V3_set_ctx.html #usr/share/doc/openssl/html/man3/X509_ALGOR_dup.html +#usr/share/doc/openssl/html/man3/X509_ATTRIBUTE.html #usr/share/doc/openssl/html/man3/X509_CRL_get0_by_serial.html #usr/share/doc/openssl/html/man3/X509_EXTENSION_set_object.html #usr/share/doc/openssl/html/man3/X509_LOOKUP.html @@ -823,6 +826,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/X509_NAME_get_index_by_NID.html #usr/share/doc/openssl/html/man3/X509_NAME_print_ex.html #usr/share/doc/openssl/html/man3/X509_PUBKEY_new.html +#usr/share/doc/openssl/html/man3/X509_REQ_get_attr.html #usr/share/doc/openssl/html/man3/X509_REQ_get_extensions.html #usr/share/doc/openssl/html/man3/X509_SIG_get0.html #usr/share/doc/openssl/html/man3/X509_STORE_CTX_get_by_subject.html @@ -1812,7 +1816,27 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/CMS_sign.3ossl #usr/share/man/man3/CMS_sign_ex.3ossl #usr/share/man/man3/CMS_sign_receipt.3ossl +#usr/share/man/man3/CMS_signed_add1_attr.3ossl +#usr/share/man/man3/CMS_signed_add1_attr_by_NID.3ossl +#usr/share/man/man3/CMS_signed_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_signed_add1_attr_by_txt.3ossl +#usr/share/man/man3/CMS_signed_delete_attr.3ossl +#usr/share/man/man3/CMS_signed_get0_data_by_OBJ.3ossl +#usr/share/man/man3/CMS_signed_get_attr.3ossl +#usr/share/man/man3/CMS_signed_get_attr_by_NID.3ossl +#usr/share/man/man3/CMS_signed_get_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_signed_get_attr_count.3ossl #usr/share/man/man3/CMS_uncompress.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr_by_NID.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr_by_txt.3ossl +#usr/share/man/man3/CMS_unsigned_delete_attr.3ossl +#usr/share/man/man3/CMS_unsigned_get0_data_by_OBJ.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr_by_NID.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr_count.3ossl #usr/share/man/man3/CMS_verify.3ossl #usr/share/man/man3/CMS_verify_receipt.3ossl #usr/share/man/man3/COMP_CTX_free.3ossl @@ -2881,6 +2905,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/EVP_PKEY_CTX_settable_params.3ossl #usr/share/man/man3/EVP_PKEY_METHOD.3ossl #usr/share/man/man3/EVP_PKEY_Q_keygen.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr_by_NID.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr_by_txt.3ossl #usr/share/man/man3/EVP_PKEY_asn1_add0.3ossl #usr/share/man/man3/EVP_PKEY_asn1_add_alias.3ossl #usr/share/man/man3/EVP_PKEY_asn1_copy.3ossl @@ -2926,6 +2954,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/EVP_PKEY_decrypt.3ossl #usr/share/man/man3/EVP_PKEY_decrypt_init.3ossl #usr/share/man/man3/EVP_PKEY_decrypt_init_ex.3ossl +#usr/share/man/man3/EVP_PKEY_delete_attr.3ossl #usr/share/man/man3/EVP_PKEY_derive.3ossl #usr/share/man/man3/EVP_PKEY_derive_init.3ossl #usr/share/man/man3/EVP_PKEY_derive_init_ex.3ossl @@ -2965,6 +2994,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/EVP_PKEY_get1_RSA.3ossl #usr/share/man/man3/EVP_PKEY_get1_encoded_public_key.3ossl #usr/share/man/man3/EVP_PKEY_get1_tls_encodedpoint.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr_by_NID.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr_by_OBJ.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr_count.3ossl #usr/share/man/man3/EVP_PKEY_get_base_id.3ossl #usr/share/man/man3/EVP_PKEY_get_bits.3ossl #usr/share/man/man3/EVP_PKEY_get_bn_param.3ossl @@ -3558,13 +3591,16 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/OPENSSL_LH_error.3ossl #usr/share/man/man3/OPENSSL_LH_flush.3ossl #usr/share/man/man3/OPENSSL_LH_free.3ossl +#usr/share/man/man3/OPENSSL_LH_get_down_load.3ossl #usr/share/man/man3/OPENSSL_LH_insert.3ossl #usr/share/man/man3/OPENSSL_LH_new.3ossl #usr/share/man/man3/OPENSSL_LH_node_stats.3ossl #usr/share/man/man3/OPENSSL_LH_node_stats_bio.3ossl #usr/share/man/man3/OPENSSL_LH_node_usage_stats.3ossl #usr/share/man/man3/OPENSSL_LH_node_usage_stats_bio.3ossl +#usr/share/man/man3/OPENSSL_LH_num_items.3ossl #usr/share/man/man3/OPENSSL_LH_retrieve.3ossl +#usr/share/man/man3/OPENSSL_LH_set_down_load.3ossl #usr/share/man/man3/OPENSSL_LH_stats.3ossl #usr/share/man/man3/OPENSSL_LH_stats_bio.3ossl #usr/share/man/man3/OPENSSL_LINE.3ossl @@ -5669,9 +5705,20 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_ALGOR_new.3ossl #usr/share/man/man3/X509_ALGOR_set0.3ossl #usr/share/man/man3/X509_ALGOR_set_md.3ossl +#usr/share/man/man3/X509_ATTRIBUTE.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_count.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create_by_NID.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create_by_OBJ.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create_by_txt.3ossl #usr/share/man/man3/X509_ATTRIBUTE_dup.3ossl #usr/share/man/man3/X509_ATTRIBUTE_free.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_get0_data.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_get0_object.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_get0_type.3ossl #usr/share/man/man3/X509_ATTRIBUTE_new.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_set1_data.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_set1_object.3ossl #usr/share/man/man3/X509_CERT_AUX_free.3ossl #usr/share/man/man3/X509_CERT_AUX_new.3ossl #usr/share/man/man3/X509_CINF_free.3ossl @@ -5826,9 +5873,14 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_PUBKEY_set0_public_key.3ossl #usr/share/man/man3/X509_REQ_INFO_free.3ossl #usr/share/man/man3/X509_REQ_INFO_new.3ossl +#usr/share/man/man3/X509_REQ_add1_attr.3ossl +#usr/share/man/man3/X509_REQ_add1_attr_by_NID.3ossl +#usr/share/man/man3/X509_REQ_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/X509_REQ_add1_attr_by_txt.3ossl #usr/share/man/man3/X509_REQ_add_extensions.3ossl #usr/share/man/man3/X509_REQ_add_extensions_nid.3ossl #usr/share/man/man3/X509_REQ_check_private_key.3ossl +#usr/share/man/man3/X509_REQ_delete_attr.3ossl #usr/share/man/man3/X509_REQ_digest.3ossl #usr/share/man/man3/X509_REQ_dup.3ossl #usr/share/man/man3/X509_REQ_free.3ossl @@ -5836,6 +5888,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_REQ_get0_pubkey.3ossl #usr/share/man/man3/X509_REQ_get0_signature.3ossl #usr/share/man/man3/X509_REQ_get_X509_PUBKEY.3ossl +#usr/share/man/man3/X509_REQ_get_attr.3ossl +#usr/share/man/man3/X509_REQ_get_attr_by_NID.3ossl +#usr/share/man/man3/X509_REQ_get_attr_by_OBJ.3ossl +#usr/share/man/man3/X509_REQ_get_attr_count.3ossl #usr/share/man/man3/X509_REQ_get_extensions.3ossl #usr/share/man/man3/X509_REQ_get_pubkey.3ossl #usr/share/man/man3/X509_REQ_get_signature_nid.3ossl @@ -6126,6 +6182,16 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_verify.3ossl #usr/share/man/man3/X509_verify_cert.3ossl #usr/share/man/man3/X509_verify_cert_error_string.3ossl +#usr/share/man/man3/X509at_add1_attr.3ossl +#usr/share/man/man3/X509at_add1_attr_by_NID.3ossl +#usr/share/man/man3/X509at_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/X509at_add1_attr_by_txt.3ossl +#usr/share/man/man3/X509at_delete_attr.3ossl +#usr/share/man/man3/X509at_get0_data_by_OBJ.3ossl +#usr/share/man/man3/X509at_get_attr.3ossl +#usr/share/man/man3/X509at_get_attr_by_NID.3ossl +#usr/share/man/man3/X509at_get_attr_by_OBJ.3ossl +#usr/share/man/man3/X509at_get_attr_count.3ossl #usr/share/man/man3/X509v3_add_ext.3ossl #usr/share/man/man3/X509v3_delete_ext.3ossl #usr/share/man/man3/X509v3_get_ext.3ossl @@ -6598,9 +6664,12 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/lh_TYPE_error.3ossl #usr/share/man/man3/lh_TYPE_flush.3ossl #usr/share/man/man3/lh_TYPE_free.3ossl +#usr/share/man/man3/lh_TYPE_get_down_load.3ossl #usr/share/man/man3/lh_TYPE_insert.3ossl #usr/share/man/man3/lh_TYPE_new.3ossl +#usr/share/man/man3/lh_TYPE_num_items.3ossl #usr/share/man/man3/lh_TYPE_retrieve.3ossl +#usr/share/man/man3/lh_TYPE_set_down_load.3ossl #usr/share/man/man3/o2i_SCT.3ossl #usr/share/man/man3/o2i_SCT_LIST.3ossl #usr/share/man/man3/pem_password_cb.3ossl diff --git a/config/rootfiles/core/183/filelists/files b/config/rootfiles/core/183/filelists/files index 8839504f4..b89f6e95c 100644 --- a/config/rootfiles/core/183/filelists/files +++ b/config/rootfiles/core/183/filelists/files @@ -4,6 +4,7 @@ etc/rc.d/init.d/networking/red.up/60-collectd srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat +srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/backupiso var/ipfire/backup/bin/backup.pl var/ipfire/header.pl diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 63f875c6a..53507305f 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -244,7 +244,7 @@ sub callssl ($) { sub getCNfromcert ($) { #&General::log("ipsec", "Extracting name from $_[0]..."); my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject:.*CN = (.*)[\n]/; + $temp =~ /Subject:.*CN\s*=\s*(.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; $temp =~ s/ ST = / S = /; diff --git a/lfs/openssl b/lfs/openssl index 2a9de717a..695035742 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@
include Config
-VER = 3.2.0 +VER = 3.2.1
THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -72,7 +72,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 776123929796d2eb0f3974bf6ee3a55df9187231632837576bf5ded7b5917f052683cdfc756693c1bee6fe1ffc7c3cb1ebcf833018d3caf51886f4f4e7a495f1 +$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347
install : $(TARGET)
hooks/post-receive -- IPFire 2.x development tree