From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 0bbbac793499507a22f810c55f8a84f4dbec1b6e Date: Tue, 30 Jan 2024 17:41:28 +0000 Message-ID: <4TPXXS2Rx7z2xP9@people01.haj.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8882081154054723059==" List-Id: --===============8882081154054723059== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 0bbbac793499507a22f810c55f8a84f4dbec1b6e (commit) via 54387ef1436386ad2a116f2a5eeb956d0574f756 (commit) from e2dce81ca343d4b55f6357417c556d63cb279f4e (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 0bbbac793499507a22f810c55f8a84f4dbec1b6e Author: Michael Tremer Date: Tue Jan 30 17:41:07 2024 +0000 core184: Ship OpenSSL =20 Signed-off-by: Michael Tremer commit 54387ef1436386ad2a116f2a5eeb956d0574f756 Author: Michael Tremer Date: Tue Jan 30 15:09:54 2024 +0000 openssl: Update to 3.2.1 =20 * A file in PKCS12 format can contain certificates and keys and may come= from an untrusted source. The PKCS12 specification allows certain fields to= be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted s= ource using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix. =20 OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_auths= afes() and PKCS12_newpass(). =20 We have also fixed a similar issue in SMIME_write_PKCS7(). However sin= ce this function is related to writing data we do not consider it security significant. =20 ([CVE-2024-0727]) =20 *Matt Caswell* =20 * When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. =20 An application that calls EVP_PKEY_public_check() and supplies an RSA = key obtained from an untrusted source could be vulnerable to a Denial of S= ervice attack. =20 The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if us= ed with the "-pubin" and "-check" options on untrusted data. =20 To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BIT= S will now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error r= eason. =20 ([CVE-2023-6237]) =20 *Tom=C3=A1=C5=A1 Mr=C3=A1z* =20 * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey rather than SM2. =20 *Richard Levitte* =20 * The POLY1305 MAC (message authentication code) implementation in OpenS= SL for PowerPC CPUs saves the contents of vector registers in different order than they are restored. Thus the contents of some of these vector registers is corrupted when returning to the caller. The vulnerable co= de is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. =20 The consequences of this kind of internal application state corruption= can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the wo= rst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector regis= ters for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. =20 ([CVE-2023-6129]) =20 *Rohan McLure* =20 * Fix excessive time spent in DH check / generation with large Q paramet= er value. =20 Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that u= se DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long de= lays. Where the key or parameters that are being checked have been obtained = from an untrusted source this may lead to a Denial of Service. =20 ([CVE-2023-5678]) =20 *Richard Levitte* =20 * Disable building QUIC server utility when OpenSSL is configured with `no-apps`. =20 *Vitalii Koshura* =20 Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/rootfiles/common/openssl | 69 ++++++++++++++++++++= ++ .../{oldcore/100 =3D> core/184}/filelists/openssl | 0 lfs/openssl | 4 +- 3 files changed, 71 insertions(+), 2 deletions(-) copy config/rootfiles/{oldcore/100 =3D> core/184}/filelists/openssl (100%) Difference in files: diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index 118b15e85..a3664a521 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -329,6 +329,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/CMS_get1_ReceiptRequest.html #usr/share/doc/openssl/html/man3/CMS_sign.html #usr/share/doc/openssl/html/man3/CMS_sign_receipt.html +#usr/share/doc/openssl/html/man3/CMS_signed_get_attr.html #usr/share/doc/openssl/html/man3/CMS_uncompress.html #usr/share/doc/openssl/html/man3/CMS_verify.html #usr/share/doc/openssl/html/man3/CMS_verify_receipt.html @@ -431,6 +432,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/EVP_PKEY_encapsulate.html #usr/share/doc/openssl/html/man3/EVP_PKEY_encrypt.html #usr/share/doc/openssl/html/man3/EVP_PKEY_fromdata.html +#usr/share/doc/openssl/html/man3/EVP_PKEY_get_attr.html #usr/share/doc/openssl/html/man3/EVP_PKEY_get_default_digest_nid.html #usr/share/doc/openssl/html/man3/EVP_PKEY_get_field_type.html #usr/share/doc/openssl/html/man3/EVP_PKEY_get_group_name.html @@ -812,6 +814,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/X509V3_get_d2i.html #usr/share/doc/openssl/html/man3/X509V3_set_ctx.html #usr/share/doc/openssl/html/man3/X509_ALGOR_dup.html +#usr/share/doc/openssl/html/man3/X509_ATTRIBUTE.html #usr/share/doc/openssl/html/man3/X509_CRL_get0_by_serial.html #usr/share/doc/openssl/html/man3/X509_EXTENSION_set_object.html #usr/share/doc/openssl/html/man3/X509_LOOKUP.html @@ -823,6 +826,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/X509_NAME_get_index_by_NID.html #usr/share/doc/openssl/html/man3/X509_NAME_print_ex.html #usr/share/doc/openssl/html/man3/X509_PUBKEY_new.html +#usr/share/doc/openssl/html/man3/X509_REQ_get_attr.html #usr/share/doc/openssl/html/man3/X509_REQ_get_extensions.html #usr/share/doc/openssl/html/man3/X509_SIG_get0.html #usr/share/doc/openssl/html/man3/X509_STORE_CTX_get_by_subject.html @@ -1812,7 +1816,27 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/CMS_sign.3ossl #usr/share/man/man3/CMS_sign_ex.3ossl #usr/share/man/man3/CMS_sign_receipt.3ossl +#usr/share/man/man3/CMS_signed_add1_attr.3ossl +#usr/share/man/man3/CMS_signed_add1_attr_by_NID.3ossl +#usr/share/man/man3/CMS_signed_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_signed_add1_attr_by_txt.3ossl +#usr/share/man/man3/CMS_signed_delete_attr.3ossl +#usr/share/man/man3/CMS_signed_get0_data_by_OBJ.3ossl +#usr/share/man/man3/CMS_signed_get_attr.3ossl +#usr/share/man/man3/CMS_signed_get_attr_by_NID.3ossl +#usr/share/man/man3/CMS_signed_get_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_signed_get_attr_count.3ossl #usr/share/man/man3/CMS_uncompress.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr_by_NID.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr_by_txt.3ossl +#usr/share/man/man3/CMS_unsigned_delete_attr.3ossl +#usr/share/man/man3/CMS_unsigned_get0_data_by_OBJ.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr_by_NID.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr_count.3ossl #usr/share/man/man3/CMS_verify.3ossl #usr/share/man/man3/CMS_verify_receipt.3ossl #usr/share/man/man3/COMP_CTX_free.3ossl @@ -2881,6 +2905,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/EVP_PKEY_CTX_settable_params.3ossl #usr/share/man/man3/EVP_PKEY_METHOD.3ossl #usr/share/man/man3/EVP_PKEY_Q_keygen.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr_by_NID.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr_by_txt.3ossl #usr/share/man/man3/EVP_PKEY_asn1_add0.3ossl #usr/share/man/man3/EVP_PKEY_asn1_add_alias.3ossl #usr/share/man/man3/EVP_PKEY_asn1_copy.3ossl @@ -2926,6 +2954,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/EVP_PKEY_decrypt.3ossl #usr/share/man/man3/EVP_PKEY_decrypt_init.3ossl #usr/share/man/man3/EVP_PKEY_decrypt_init_ex.3ossl +#usr/share/man/man3/EVP_PKEY_delete_attr.3ossl #usr/share/man/man3/EVP_PKEY_derive.3ossl #usr/share/man/man3/EVP_PKEY_derive_init.3ossl #usr/share/man/man3/EVP_PKEY_derive_init_ex.3ossl @@ -2965,6 +2994,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/EVP_PKEY_get1_RSA.3ossl #usr/share/man/man3/EVP_PKEY_get1_encoded_public_key.3ossl #usr/share/man/man3/EVP_PKEY_get1_tls_encodedpoint.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr_by_NID.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr_by_OBJ.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr_count.3ossl #usr/share/man/man3/EVP_PKEY_get_base_id.3ossl #usr/share/man/man3/EVP_PKEY_get_bits.3ossl #usr/share/man/man3/EVP_PKEY_get_bn_param.3ossl @@ -3558,13 +3591,16 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/OPENSSL_LH_error.3ossl #usr/share/man/man3/OPENSSL_LH_flush.3ossl #usr/share/man/man3/OPENSSL_LH_free.3ossl +#usr/share/man/man3/OPENSSL_LH_get_down_load.3ossl #usr/share/man/man3/OPENSSL_LH_insert.3ossl #usr/share/man/man3/OPENSSL_LH_new.3ossl #usr/share/man/man3/OPENSSL_LH_node_stats.3ossl #usr/share/man/man3/OPENSSL_LH_node_stats_bio.3ossl #usr/share/man/man3/OPENSSL_LH_node_usage_stats.3ossl #usr/share/man/man3/OPENSSL_LH_node_usage_stats_bio.3ossl +#usr/share/man/man3/OPENSSL_LH_num_items.3ossl #usr/share/man/man3/OPENSSL_LH_retrieve.3ossl +#usr/share/man/man3/OPENSSL_LH_set_down_load.3ossl #usr/share/man/man3/OPENSSL_LH_stats.3ossl #usr/share/man/man3/OPENSSL_LH_stats_bio.3ossl #usr/share/man/man3/OPENSSL_LINE.3ossl @@ -5669,9 +5705,20 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_ALGOR_new.3ossl #usr/share/man/man3/X509_ALGOR_set0.3ossl #usr/share/man/man3/X509_ALGOR_set_md.3ossl +#usr/share/man/man3/X509_ATTRIBUTE.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_count.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create_by_NID.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create_by_OBJ.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create_by_txt.3ossl #usr/share/man/man3/X509_ATTRIBUTE_dup.3ossl #usr/share/man/man3/X509_ATTRIBUTE_free.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_get0_data.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_get0_object.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_get0_type.3ossl #usr/share/man/man3/X509_ATTRIBUTE_new.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_set1_data.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_set1_object.3ossl #usr/share/man/man3/X509_CERT_AUX_free.3ossl #usr/share/man/man3/X509_CERT_AUX_new.3ossl #usr/share/man/man3/X509_CINF_free.3ossl @@ -5826,9 +5873,14 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_PUBKEY_set0_public_key.3ossl #usr/share/man/man3/X509_REQ_INFO_free.3ossl #usr/share/man/man3/X509_REQ_INFO_new.3ossl +#usr/share/man/man3/X509_REQ_add1_attr.3ossl +#usr/share/man/man3/X509_REQ_add1_attr_by_NID.3ossl +#usr/share/man/man3/X509_REQ_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/X509_REQ_add1_attr_by_txt.3ossl #usr/share/man/man3/X509_REQ_add_extensions.3ossl #usr/share/man/man3/X509_REQ_add_extensions_nid.3ossl #usr/share/man/man3/X509_REQ_check_private_key.3ossl +#usr/share/man/man3/X509_REQ_delete_attr.3ossl #usr/share/man/man3/X509_REQ_digest.3ossl #usr/share/man/man3/X509_REQ_dup.3ossl #usr/share/man/man3/X509_REQ_free.3ossl @@ -5836,6 +5888,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_REQ_get0_pubkey.3ossl #usr/share/man/man3/X509_REQ_get0_signature.3ossl #usr/share/man/man3/X509_REQ_get_X509_PUBKEY.3ossl +#usr/share/man/man3/X509_REQ_get_attr.3ossl +#usr/share/man/man3/X509_REQ_get_attr_by_NID.3ossl +#usr/share/man/man3/X509_REQ_get_attr_by_OBJ.3ossl +#usr/share/man/man3/X509_REQ_get_attr_count.3ossl #usr/share/man/man3/X509_REQ_get_extensions.3ossl #usr/share/man/man3/X509_REQ_get_pubkey.3ossl #usr/share/man/man3/X509_REQ_get_signature_nid.3ossl @@ -6126,6 +6182,16 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_verify.3ossl #usr/share/man/man3/X509_verify_cert.3ossl #usr/share/man/man3/X509_verify_cert_error_string.3ossl +#usr/share/man/man3/X509at_add1_attr.3ossl +#usr/share/man/man3/X509at_add1_attr_by_NID.3ossl +#usr/share/man/man3/X509at_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/X509at_add1_attr_by_txt.3ossl +#usr/share/man/man3/X509at_delete_attr.3ossl +#usr/share/man/man3/X509at_get0_data_by_OBJ.3ossl +#usr/share/man/man3/X509at_get_attr.3ossl +#usr/share/man/man3/X509at_get_attr_by_NID.3ossl +#usr/share/man/man3/X509at_get_attr_by_OBJ.3ossl +#usr/share/man/man3/X509at_get_attr_count.3ossl #usr/share/man/man3/X509v3_add_ext.3ossl #usr/share/man/man3/X509v3_delete_ext.3ossl #usr/share/man/man3/X509v3_get_ext.3ossl @@ -6598,9 +6664,12 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/lh_TYPE_error.3ossl #usr/share/man/man3/lh_TYPE_flush.3ossl #usr/share/man/man3/lh_TYPE_free.3ossl +#usr/share/man/man3/lh_TYPE_get_down_load.3ossl #usr/share/man/man3/lh_TYPE_insert.3ossl #usr/share/man/man3/lh_TYPE_new.3ossl +#usr/share/man/man3/lh_TYPE_num_items.3ossl #usr/share/man/man3/lh_TYPE_retrieve.3ossl +#usr/share/man/man3/lh_TYPE_set_down_load.3ossl #usr/share/man/man3/o2i_SCT.3ossl #usr/share/man/man3/o2i_SCT_LIST.3ossl #usr/share/man/man3/pem_password_cb.3ossl diff --git a/config/rootfiles/core/184/filelists/openssl b/config/rootfiles/c= ore/184/filelists/openssl new file mode 120000 index 000000000..e011a9266 --- /dev/null +++ b/config/rootfiles/core/184/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file diff --git a/lfs/openssl b/lfs/openssl index 2a9de717a..695035742 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 3.2.0 +VER =3D 3.2.1 =20 THISAPP =3D openssl-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -72,7 +72,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_BLAKE2 =3D 776123929796d2eb0f3974bf6ee3a55df9187231632837576bf5de= d7b5917f052683cdfc756693c1bee6fe1ffc7c3cb1ebcf833018d3caf51886f4f4e7a495f1 +$(DL_FILE)_BLAKE2 =3D 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060= 166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347 =20 install : $(TARGET) =20 hooks/post-receive -- IPFire 2.x development tree --===============8882081154054723059==--