Fixes:
CVE-2016-7052 - Missing CRL sanity check
[Peter: drop CVE 6309 from description as pointed out by Baruch]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://www.openssl.org/news/secadv/20160922.txt
Fixes
SSL_peek() hang on empty record (CVE-2016-6305)
SWEET32 Mitigation (CVE-2016-2183)
OOB write in MDC2_Update() (CVE-2016-6303)
Malformed SHA512 ticket DoS (CVE-2016-6302)
OOB write in BN_bn2dec() (CVE-2016-2182)
OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
Pointer arithmetic undefined behaviour (CVE-2016-2177)
Constant time flag not preserved in DSA signing (CVE-2016-2178)
DTLS buffered message DoS (CVE-2016-2179)
DTLS replay protection DoS (CVE-2016-2181)
Certificate message OOB reads (CVE-2016-6306)
Excessive allocation of memory in tls_get_message_header()
(CVE-2016-6307)
Excessive allocation of memory in dtls1_preprocess_fragment()
(CVE-2016-6308)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The previous incarnation was incomplete, it only applied one of the
Gentoo patches, hence it had corner cases.
Apply all 4 patches as pointed out by Mike on the mailing list.
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-3193 - BN_mod_exp may produce incorrect results on x86_64
CVE-2015-3194 - Certificate verify crash with missing PSS parameter
CVE-2015-3195 - X509_ATTRIBUTE memory leak
Enable IDEA as well since otherwise the build breaks (always great
upstream) - it's no longer patent encumbered.
[Peter: correct sha256]
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a patch that is originally based on a patch Thomas P.
submitted for an earlier version of this package. I have adopted this
patch to use the latest available Gentoo parallel patch. I have also
seen about a minute improvement on my build times of openssl.
Part of Thomas P's original message:
On my build server, the current build of OpenSSL takes 1 minutes and
20 seconds. With this commit applied, enabling parallel build and
installation, the build only takes 28 seconds.
All the patches are downloaded from Gentoo.
There is apparently some interest in upstream OpenSSL to enable
parallel build, see for example commit
c3f22253b1. This
commit is not part of any OpenSSL release, but we can hope that the
problem will resolved in the future.
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CC: Gustavo Zacarias <gustavo@zacarias.com.ar>
CC: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes HMAC ABI breakage from 1.0.2b
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- Bump version to 1.0.2
- Adapt patches to new version
- Update hash value
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
