From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 0bbbac793499507a22f810c55f8a84f4dbec1b6e
Date: Tue, 30 Jan 2024 17:41:28 +0000 [thread overview]
Message-ID: <4TPXXS2Rx7z2xP9@people01.haj.ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 16406 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 0bbbac793499507a22f810c55f8a84f4dbec1b6e (commit)
via 54387ef1436386ad2a116f2a5eeb956d0574f756 (commit)
from e2dce81ca343d4b55f6357417c556d63cb279f4e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 0bbbac793499507a22f810c55f8a84f4dbec1b6e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Jan 30 17:41:07 2024 +0000
core184: Ship OpenSSL
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 54387ef1436386ad2a116f2a5eeb956d0574f756
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Jan 30 15:09:54 2024 +0000
openssl: Update to 3.2.1
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/common/openssl | 69 ++++++++++++++++++++++
.../{oldcore/100 => core/184}/filelists/openssl | 0
lfs/openssl | 4 +-
3 files changed, 71 insertions(+), 2 deletions(-)
copy config/rootfiles/{oldcore/100 => core/184}/filelists/openssl (100%)
Difference in files:
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index 118b15e85..a3664a521 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -329,6 +329,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/CMS_get1_ReceiptRequest.html
#usr/share/doc/openssl/html/man3/CMS_sign.html
#usr/share/doc/openssl/html/man3/CMS_sign_receipt.html
+#usr/share/doc/openssl/html/man3/CMS_signed_get_attr.html
#usr/share/doc/openssl/html/man3/CMS_uncompress.html
#usr/share/doc/openssl/html/man3/CMS_verify.html
#usr/share/doc/openssl/html/man3/CMS_verify_receipt.html
@@ -431,6 +432,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/EVP_PKEY_encapsulate.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_encrypt.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_fromdata.html
+#usr/share/doc/openssl/html/man3/EVP_PKEY_get_attr.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_get_default_digest_nid.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_get_field_type.html
#usr/share/doc/openssl/html/man3/EVP_PKEY_get_group_name.html
@@ -812,6 +814,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/X509V3_get_d2i.html
#usr/share/doc/openssl/html/man3/X509V3_set_ctx.html
#usr/share/doc/openssl/html/man3/X509_ALGOR_dup.html
+#usr/share/doc/openssl/html/man3/X509_ATTRIBUTE.html
#usr/share/doc/openssl/html/man3/X509_CRL_get0_by_serial.html
#usr/share/doc/openssl/html/man3/X509_EXTENSION_set_object.html
#usr/share/doc/openssl/html/man3/X509_LOOKUP.html
@@ -823,6 +826,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/X509_NAME_get_index_by_NID.html
#usr/share/doc/openssl/html/man3/X509_NAME_print_ex.html
#usr/share/doc/openssl/html/man3/X509_PUBKEY_new.html
+#usr/share/doc/openssl/html/man3/X509_REQ_get_attr.html
#usr/share/doc/openssl/html/man3/X509_REQ_get_extensions.html
#usr/share/doc/openssl/html/man3/X509_SIG_get0.html
#usr/share/doc/openssl/html/man3/X509_STORE_CTX_get_by_subject.html
@@ -1812,7 +1816,27 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/CMS_sign.3ossl
#usr/share/man/man3/CMS_sign_ex.3ossl
#usr/share/man/man3/CMS_sign_receipt.3ossl
+#usr/share/man/man3/CMS_signed_add1_attr.3ossl
+#usr/share/man/man3/CMS_signed_add1_attr_by_NID.3ossl
+#usr/share/man/man3/CMS_signed_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/CMS_signed_add1_attr_by_txt.3ossl
+#usr/share/man/man3/CMS_signed_delete_attr.3ossl
+#usr/share/man/man3/CMS_signed_get0_data_by_OBJ.3ossl
+#usr/share/man/man3/CMS_signed_get_attr.3ossl
+#usr/share/man/man3/CMS_signed_get_attr_by_NID.3ossl
+#usr/share/man/man3/CMS_signed_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/CMS_signed_get_attr_count.3ossl
#usr/share/man/man3/CMS_uncompress.3ossl
+#usr/share/man/man3/CMS_unsigned_add1_attr.3ossl
+#usr/share/man/man3/CMS_unsigned_add1_attr_by_NID.3ossl
+#usr/share/man/man3/CMS_unsigned_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/CMS_unsigned_add1_attr_by_txt.3ossl
+#usr/share/man/man3/CMS_unsigned_delete_attr.3ossl
+#usr/share/man/man3/CMS_unsigned_get0_data_by_OBJ.3ossl
+#usr/share/man/man3/CMS_unsigned_get_attr.3ossl
+#usr/share/man/man3/CMS_unsigned_get_attr_by_NID.3ossl
+#usr/share/man/man3/CMS_unsigned_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/CMS_unsigned_get_attr_count.3ossl
#usr/share/man/man3/CMS_verify.3ossl
#usr/share/man/man3/CMS_verify_receipt.3ossl
#usr/share/man/man3/COMP_CTX_free.3ossl
@@ -2881,6 +2905,10 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/EVP_PKEY_CTX_settable_params.3ossl
#usr/share/man/man3/EVP_PKEY_METHOD.3ossl
#usr/share/man/man3/EVP_PKEY_Q_keygen.3ossl
+#usr/share/man/man3/EVP_PKEY_add1_attr.3ossl
+#usr/share/man/man3/EVP_PKEY_add1_attr_by_NID.3ossl
+#usr/share/man/man3/EVP_PKEY_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/EVP_PKEY_add1_attr_by_txt.3ossl
#usr/share/man/man3/EVP_PKEY_asn1_add0.3ossl
#usr/share/man/man3/EVP_PKEY_asn1_add_alias.3ossl
#usr/share/man/man3/EVP_PKEY_asn1_copy.3ossl
@@ -2926,6 +2954,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/EVP_PKEY_decrypt.3ossl
#usr/share/man/man3/EVP_PKEY_decrypt_init.3ossl
#usr/share/man/man3/EVP_PKEY_decrypt_init_ex.3ossl
+#usr/share/man/man3/EVP_PKEY_delete_attr.3ossl
#usr/share/man/man3/EVP_PKEY_derive.3ossl
#usr/share/man/man3/EVP_PKEY_derive_init.3ossl
#usr/share/man/man3/EVP_PKEY_derive_init_ex.3ossl
@@ -2965,6 +2994,10 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/EVP_PKEY_get1_RSA.3ossl
#usr/share/man/man3/EVP_PKEY_get1_encoded_public_key.3ossl
#usr/share/man/man3/EVP_PKEY_get1_tls_encodedpoint.3ossl
+#usr/share/man/man3/EVP_PKEY_get_attr.3ossl
+#usr/share/man/man3/EVP_PKEY_get_attr_by_NID.3ossl
+#usr/share/man/man3/EVP_PKEY_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/EVP_PKEY_get_attr_count.3ossl
#usr/share/man/man3/EVP_PKEY_get_base_id.3ossl
#usr/share/man/man3/EVP_PKEY_get_bits.3ossl
#usr/share/man/man3/EVP_PKEY_get_bn_param.3ossl
@@ -3558,13 +3591,16 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/OPENSSL_LH_error.3ossl
#usr/share/man/man3/OPENSSL_LH_flush.3ossl
#usr/share/man/man3/OPENSSL_LH_free.3ossl
+#usr/share/man/man3/OPENSSL_LH_get_down_load.3ossl
#usr/share/man/man3/OPENSSL_LH_insert.3ossl
#usr/share/man/man3/OPENSSL_LH_new.3ossl
#usr/share/man/man3/OPENSSL_LH_node_stats.3ossl
#usr/share/man/man3/OPENSSL_LH_node_stats_bio.3ossl
#usr/share/man/man3/OPENSSL_LH_node_usage_stats.3ossl
#usr/share/man/man3/OPENSSL_LH_node_usage_stats_bio.3ossl
+#usr/share/man/man3/OPENSSL_LH_num_items.3ossl
#usr/share/man/man3/OPENSSL_LH_retrieve.3ossl
+#usr/share/man/man3/OPENSSL_LH_set_down_load.3ossl
#usr/share/man/man3/OPENSSL_LH_stats.3ossl
#usr/share/man/man3/OPENSSL_LH_stats_bio.3ossl
#usr/share/man/man3/OPENSSL_LINE.3ossl
@@ -5669,9 +5705,20 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/X509_ALGOR_new.3ossl
#usr/share/man/man3/X509_ALGOR_set0.3ossl
#usr/share/man/man3/X509_ALGOR_set_md.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_count.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_create.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_create_by_NID.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_create_by_OBJ.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_create_by_txt.3ossl
#usr/share/man/man3/X509_ATTRIBUTE_dup.3ossl
#usr/share/man/man3/X509_ATTRIBUTE_free.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_get0_data.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_get0_object.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_get0_type.3ossl
#usr/share/man/man3/X509_ATTRIBUTE_new.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_set1_data.3ossl
+#usr/share/man/man3/X509_ATTRIBUTE_set1_object.3ossl
#usr/share/man/man3/X509_CERT_AUX_free.3ossl
#usr/share/man/man3/X509_CERT_AUX_new.3ossl
#usr/share/man/man3/X509_CINF_free.3ossl
@@ -5826,9 +5873,14 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/X509_PUBKEY_set0_public_key.3ossl
#usr/share/man/man3/X509_REQ_INFO_free.3ossl
#usr/share/man/man3/X509_REQ_INFO_new.3ossl
+#usr/share/man/man3/X509_REQ_add1_attr.3ossl
+#usr/share/man/man3/X509_REQ_add1_attr_by_NID.3ossl
+#usr/share/man/man3/X509_REQ_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/X509_REQ_add1_attr_by_txt.3ossl
#usr/share/man/man3/X509_REQ_add_extensions.3ossl
#usr/share/man/man3/X509_REQ_add_extensions_nid.3ossl
#usr/share/man/man3/X509_REQ_check_private_key.3ossl
+#usr/share/man/man3/X509_REQ_delete_attr.3ossl
#usr/share/man/man3/X509_REQ_digest.3ossl
#usr/share/man/man3/X509_REQ_dup.3ossl
#usr/share/man/man3/X509_REQ_free.3ossl
@@ -5836,6 +5888,10 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/X509_REQ_get0_pubkey.3ossl
#usr/share/man/man3/X509_REQ_get0_signature.3ossl
#usr/share/man/man3/X509_REQ_get_X509_PUBKEY.3ossl
+#usr/share/man/man3/X509_REQ_get_attr.3ossl
+#usr/share/man/man3/X509_REQ_get_attr_by_NID.3ossl
+#usr/share/man/man3/X509_REQ_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/X509_REQ_get_attr_count.3ossl
#usr/share/man/man3/X509_REQ_get_extensions.3ossl
#usr/share/man/man3/X509_REQ_get_pubkey.3ossl
#usr/share/man/man3/X509_REQ_get_signature_nid.3ossl
@@ -6126,6 +6182,16 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/X509_verify.3ossl
#usr/share/man/man3/X509_verify_cert.3ossl
#usr/share/man/man3/X509_verify_cert_error_string.3ossl
+#usr/share/man/man3/X509at_add1_attr.3ossl
+#usr/share/man/man3/X509at_add1_attr_by_NID.3ossl
+#usr/share/man/man3/X509at_add1_attr_by_OBJ.3ossl
+#usr/share/man/man3/X509at_add1_attr_by_txt.3ossl
+#usr/share/man/man3/X509at_delete_attr.3ossl
+#usr/share/man/man3/X509at_get0_data_by_OBJ.3ossl
+#usr/share/man/man3/X509at_get_attr.3ossl
+#usr/share/man/man3/X509at_get_attr_by_NID.3ossl
+#usr/share/man/man3/X509at_get_attr_by_OBJ.3ossl
+#usr/share/man/man3/X509at_get_attr_count.3ossl
#usr/share/man/man3/X509v3_add_ext.3ossl
#usr/share/man/man3/X509v3_delete_ext.3ossl
#usr/share/man/man3/X509v3_get_ext.3ossl
@@ -6598,9 +6664,12 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/lh_TYPE_error.3ossl
#usr/share/man/man3/lh_TYPE_flush.3ossl
#usr/share/man/man3/lh_TYPE_free.3ossl
+#usr/share/man/man3/lh_TYPE_get_down_load.3ossl
#usr/share/man/man3/lh_TYPE_insert.3ossl
#usr/share/man/man3/lh_TYPE_new.3ossl
+#usr/share/man/man3/lh_TYPE_num_items.3ossl
#usr/share/man/man3/lh_TYPE_retrieve.3ossl
+#usr/share/man/man3/lh_TYPE_set_down_load.3ossl
#usr/share/man/man3/o2i_SCT.3ossl
#usr/share/man/man3/o2i_SCT_LIST.3ossl
#usr/share/man/man3/pem_password_cb.3ossl
diff --git a/config/rootfiles/core/184/filelists/openssl b/config/rootfiles/core/184/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/core/184/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/lfs/openssl b/lfs/openssl
index 2a9de717a..695035742 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
include Config
-VER = 3.2.0
+VER = 3.2.1
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 776123929796d2eb0f3974bf6ee3a55df9187231632837576bf5ded7b5917f052683cdfc756693c1bee6fe1ffc7c3cb1ebcf833018d3caf51886f4f4e7a495f1
+$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347
install : $(TARGET)
hooks/post-receive
--
IPFire 2.x development tree
reply other threads:[~2024-01-30 17:41 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4TPXXS2Rx7z2xP9@people01.haj.ipfire.org \
--to=git@ipfire.org \
--cc=ipfire-scm@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox