From: Michael Tremer
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree tag, v2.25-core155, created. c1472bdfdbd2f22de7a1ebe4d79d1ec065bd5679
Date: Fri, 26 Mar 2021 12:17:35 +0000
Message-ID: <4F6LZl64Vdz2xL9@people01.haj.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The tag, v2.25-core155 has been created
        at  c1472bdfdbd2f22de7a1ebe4d79d1ec065bd5679 (commit)

- Log -----------------------------------------------------------------
commit c1472bdfdbd2f22de7a1ebe4d79d1ec065bd5679
Author: Michael Tremer
Date:   Thu Mar 25 14:36:34 2021 +0000

    openssl: Update to 1.1.1k

    From https://www.openssl.org/news/secadv/20210325.txt:

    OpenSSL Security Advisory [25 March 2021]
    =========================================

    CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
    ========================================================================

    Severity: High

    The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
    certificates present in a certificate chain. It is not set by default.

    Starting from OpenSSL version 1.1.1h a check to disallow certificates in
    the chain that have explicitly encoded elliptic curve parameters was added
    as an additional strict check.

    An error in the implementation of this check meant that the result of a
    previous check to confirm that certificates in the chain are valid CA
    certificates was overwritten. This effectively bypasses the check
    that non-CA certificates must not be able to issue other certificates.

    If a "purpose" has been configured then there is a subsequent opportunity
    for checks that the certificate is a valid CA. All of the named "purpose"
    values implemented in libcrypto perform this check. Therefore, where a
    purpose is set the certificate chain will still be rejected even when the
    strict flag has been used. A purpose is set by default in libssl client and
    server certificate verification routines, but it can be overridden or
    removed by an application.

    In order to be affected, an application must explicitly set the
    X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
    for the certificate verification or, in the case of TLS client or server
    applications, override the default purpose.

    OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these
    versions should upgrade to OpenSSL 1.1.1k.

    OpenSSL 1.0.2 is not impacted by this issue.

    This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk
    from Akamai and was discovered by Xiang Ding and others at Akamai. The fix
    was developed by Tomáš Mráz.

    NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
    =====================================================================

    Severity: High

    An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
    ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello
    omits the signature_algorithms extension (where it was present in the
    initial ClientHello), but includes a signature_algorithms_cert extension
    then a NULL pointer dereference will result, leading to a crash and a
    denial of service attack.

    A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
    is the default configuration). OpenSSL TLS clients are not impacted by this
    issue.

    All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
    should upgrade to OpenSSL 1.1.1k.

    OpenSSL 1.0.2 is not impacted by this issue.

    This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
    developed by Peter Kästle and Samuel Sapalski from Nokia.

    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

hooks/post-receive
--
IPFire 2.x development tree
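The two advisories quoted in the commit message give explicit affected-version ranges: CVE-2021-3450 applies to 1.1.1h and newer, CVE-2021-3449 to every 1.1.1 release, both fixed in 1.1.1k, with 1.0.2 unaffected by either. The triage helper below is an added example, not part of the IPFire commit or of the OpenSSL advisory. It encodes exactly those ranges and applies them to the banner printed by `openssl version` (or to the OpenSSL the running Python interpreter is linked against); the sample banners are constructed, and any branch other than 1.0.2 and 1.1.1 is deliberately reported as out of scope rather than guessed.

```python
"""Triage helper for the OpenSSL advisory of 25 March 2021 (added example).

Affected ranges, as stated in the advisory:
  - CVE-2021-3450: OpenSSL 1.1.1h and newer, fixed in 1.1.1k; 1.0.2 not affected
  - CVE-2021-3449: all OpenSSL 1.1.1 releases, fixed in 1.1.1k; 1.0.2 not affected
Branches outside 1.0.2 / 1.1.1 are reported as None ("out of scope").
"""
import re
import ssl
from typing import Dict, Optional, Tuple

# (major, minor, fix, patch letter or "" for the unlettered first release)
Version = Tuple[int, int, int, str]

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 1.1.1j  16 Feb 2021".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text: str) -> Optional[Version]:
    """Parse an OpenSSL version banner; return None for anything else (LibreSSL, garbage)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def assess(version: Version) -> Dict[str, Optional[bool]]:
    """Per CVE: True = affected, False = not affected, None = branch not covered by the advisory."""
    major, minor, fix, letter = version
    branch = (major, minor, fix)
    if branch == (1, 0, 2):
        # The advisory states 1.0.2 is not impacted by either issue.
        return {"CVE-2021-3450": False, "CVE-2021-3449": False}
    if branch != (1, 1, 1):
        # 1.0.2 and 1.1.1 are the only branches the advisory speaks about.
        return {"CVE-2021-3450": None, "CVE-2021-3449": None}
    # Patch letters sort lexically; "" (plain 1.1.1) sorts before "a".
    fixed = letter >= "k"  # 1.1.1k carries both fixes
    return {
        # Strict-flag CA check bypass: introduced with the EC-parameter check in 1.1.1h.
        "CVE-2021-3450": letter >= "h" and not fixed,
        # signature_algorithms NULL dereference: present in every 1.1.1 release before 1.1.1k.
        "CVE-2021-3449": not fixed,
    }


def triage(banner: str) -> Optional[Dict[str, Optional[bool]]]:
    """Convenience wrapper: banner text in, per-CVE assessment out (None if unparseable)."""
    version = parse_openssl_version(banner)
    return assess(version) if version else None


def assess_linked_openssl() -> Optional[Dict[str, Optional[bool]]]:
    """Assess the OpenSSL this interpreter's ssl module is linked against."""
    return triage(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample banners in the `openssl version` format (not from real hosts).
    samples = [
        "OpenSSL 1.1.1  11 Sep 2018",
        "OpenSSL 1.1.1g  21 Apr 2020",
        "OpenSSL 1.1.1j  16 Feb 2021",
        "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.0.2u  20 Dec 2019",
        "LibreSSL 3.3.6",
    ]
    for s in samples:
        print(f"{s!r}: {triage(s)}")
    print("this interpreter:", ssl.OPENSSL_VERSION, assess_linked_openssl())
```

The version string is only a starting point: several distributions backport security fixes without changing the patch letter, so a banner reporting 1.1.1f may already carry both fixes. Treat a "True" here as "check the package changelog", not as a confirmed finding. The advisory also narrows CVE-2021-3450 to applications that set `X509_V_FLAG_X509_STRICT` and drop the default purpose, and CVE-2021-3449 to servers with TLSv1.2 and renegotiation enabled, so the version check should be read together with those configuration conditions.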