From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 76f422025ffe1baed977b5c8e1f072e5981e46ff
Date: Tue, 27 Mar 2018 16:06:17 +0100	[thread overview]
Message-ID: <20180327150617.EA1051081DF2@git01.ipfire.org> (raw)


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  76f422025ffe1baed977b5c8e1f072e5981e46ff (commit)
       via  166ceacd6b375bc97eed722012a0f1fffd5a15e1 (commit)
      from  c98304604bfed3b29bb384ab0999596644573f2c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 76f422025ffe1baed977b5c8e1f072e5981e46ff
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Mar 27 16:05:07 2018 +0100

    openssl: Update to 1.0.2o
    
    CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
    
    Constructed ASN.1 types with a recursive definition (such as can be
    found in PKCS7) could eventually exceed the stack given malicious
    input with excessive recursion. This could result in a Denial Of
    Service attack. There are no such structures used within SSL/TLS
    that come from untrusted sources so this is considered safe.
    Reported by OSS-fuzz.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 166ceacd6b375bc97eed722012a0f1fffd5a15e1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Mar 27 15:59:04 2018 +0100

    openssl: Update to 1.1.0h
    
    CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
    
    Constructed ASN.1 types with a recursive definition (such as can be
    found in PKCS7) could eventually exceed the stack given malicious
    input with excessive recursion. This could result in a Denial Of
    Service attack. There are no such structures used within SSL/TLS
    that come from untrusted sources so this is considered safe.
    Reported by OSS-fuzz.
    
    This patch also entirely removes support for SSLv3. The patch to
    disable it didn't apply and since nobody has been using this before,
    we will not compile it into OpenSSL any more.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/openssl                                  |  7 +--
 lfs/openssl-compat                           |  4 +-
 src/patches/openssl-1.1.0-disable-ssl3.patch | 86 ----------------------------
 3 files changed, 4 insertions(+), 93 deletions(-)
 delete mode 100644 src/patches/openssl-1.1.0-disable-ssl3.patch

Difference in files:
diff --git a/lfs/openssl b/lfs/openssl
index 7a39f14de..71f2bc826 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.1.0g
+VER        = 1.1.0h
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -51,8 +51,6 @@ CONFIGURE_OPTIONS = \
 	enable-md2 \
 	enable-seed \
 	enable-rfc3779 \
-	enable-ssl3 \
-	enable-ssl3-method \
 	no-idea \
 	no-mdc2 \
 	no-rc5 \
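Review bot: Removing `enable-ssl3 \` and `enable-ssl3-method \` only falls the build back to OpenSSL's own default for these two features, which in the 1.1.0 series is disabled as far as I know, whereas the commit message states that SSLv3 support is removed entirely. That intent is safer stated explicitly so a change in the upstream default can never silently re-enable the protocol: add `no-ssl3 \` and `no-ssl3-method \` next to the existing `no-idea \` entry in the same list. The CONFIGURE_OPTIONS list begins and ends outside this hunk.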
@@ -89,7 +87,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = ba5f1b8b835b88cadbce9b35ed9531a6
+$(DL_FILE)_MD5 = 5271477e4d93f4ea032b665ef095ff24
 
 install : $(TARGET)
 
@@ -119,7 +117,6 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0-disable-ssl3.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0g-weak-ciphers.patch
 
 	# Apply our CFLAGS
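Review bot: The patch line kept on the new side, `cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0g-weak-ciphers.patch`, is named for 1.1.0g while VER now reads 1.1.0h, and the commit message notes the other 1.1.0 patch stopped applying; it is worth confirming this one still applies to the 1.1.0h tree without fuzz, since a fuzzed apply exits successfully and could leave the cipher restriction in a different place than intended. Passing `--fuzz=0` to that `patch` invocation would turn such a drift into a hard build failure. The `$(TARGET)` rule continues outside the hunk.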
diff --git a/lfs/openssl-compat b/lfs/openssl-compat
index 188baa073..9e991b496 100644
--- a/lfs/openssl-compat
+++ b/lfs/openssl-compat
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.0.2n
+VER        = 1.0.2o
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -84,7 +84,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 13bdc1b1d1ff39b6fd42a255e74676a4
+$(DL_FILE)_MD5 = 44279b8557c3247cbe324e2322ecd114
 
 install : $(TARGET)
 
diff --git a/src/patches/openssl-1.1.0-disable-ssl3.patch b/src/patches/openssl-1.1.0-disable-ssl3.patch
deleted file mode 100644
index 267c02c62..000000000
--- a/src/patches/openssl-1.1.0-disable-ssl3.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
---- openssl-1.1.0f/apps/s_client.c.disable-ssl3	2017-06-05 15:42:44.838853312 +0200
-+++ openssl-1.1.0f/apps/s_client.c	2017-07-17 14:50:06.468821871 +0200
-@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
- 
-+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
-     if (ssl_config) {
-         if (SSL_CTX_config(ctx, ssl_config) == 0) {
-             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
---- openssl-1.1.0f/apps/s_server.c.disable-ssl3	2017-05-25 14:46:18.000000000 +0200
-+++ openssl-1.1.0f/apps/s_server.c	2017-07-17 14:49:50.434447583 +0200
-@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
-     }
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
-+
-+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
-     if (ssl_config) {
-         if (SSL_CTX_config(ctx, ssl_config) == 0) {
-             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
---- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3	2016-08-25 17:29:22.000000000 +0200
-+++ openssl-1.1.0/ssl/ssl_lib.c	2016-09-08 11:08:05.252082263 +0200
-@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
-      * or by using the SSL_CONF library.
-      */
-     ret->options |= SSL_OP_NO_COMPRESSION;
-+    /*
-+     * Disable SSLv3 by default.  Applications can
-+     * re-enable it by configuring
-+     * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+     * or by using the SSL_CONF library.
-+     */
-+    ret->options |= SSL_OP_NO_SSLv3;
- 
-     ret->tlsext_status_type = -1;
- 
-diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
---- openssl-1.1.0/test/ssl_test.c.disable-ssl3	2016-09-08 11:08:05.252082263 +0200
-+++ openssl-1.1.0/test/ssl_test.c	2016-09-08 11:11:44.802005886 +0200
-@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
-             SSL_TEST_SERVERNAME_CB_NONE) {
-             server2_ctx = SSL_CTX_new(TLS_server_method());
-             TEST_check(server2_ctx != NULL);
-+            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
-         }
-         client_ctx = SSL_CTX_new(TLS_client_method());
- 
-@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
-             resume_client_ctx = SSL_CTX_new(TLS_client_method());
-             TEST_check(resume_server_ctx != NULL);
-             TEST_check(resume_client_ctx != NULL);
-+            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
-+            SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
-         }
-     }
- 
-     TEST_check(server_ctx != NULL);
-     TEST_check(client_ctx != NULL);
-+    SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
- 
-     TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
- 
-diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
---- openssl-1.1.0/test/ssltest_old.c.disable-ssl3	2016-08-25 17:29:23.000000000 +0200
-+++ openssl-1.1.0/test/ssltest_old.c	2016-09-08 11:08:05.253082286 +0200
-@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
-         ERR_print_errors(bio_err);
-         goto end;
-     }
-+
-+    SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
-+
-     /*
-      * Since we will use low security ciphersuites and keys for testing set
-      * security level to zero by default. Tests can override this by adding


hooks/post-receive
--
IPFire 2.x development tree
