---
- branch: MAIN
  date: Sun Apr 5 15:50:17 UTC 2009
  files:
  - new: '1.138'
    old: '1.137'
    path: pkgsrc/security/openssl/Makefile
    pathrev: pkgsrc/security/openssl/Makefile@1.138
    type: modified
  - new: '1.66'
    old: '1.65'
    path: pkgsrc/security/openssl/distinfo
    pathrev: pkgsrc/security/openssl/distinfo@1.66
    type: modified
  - new: '0'
    old: '1.6'
    path: pkgsrc/security/openssl/patches/patch-am
    pathrev: pkgsrc/security/openssl/patches/patch-am@0
    type: deleted
  id: 20090405T155017Z.d524aa701efda5e2f14f34e5ec30994071cd826a
  log: |
    Update to openssl-0.9.8k.

    Changes between 0.9.8j and 0.9.8k [25 Mar 2009]

    *) Don't set val to NULL when freeing up structures, it is freed up by
       underlying code. If sizeof(void *) > sizeof(long) this can result in
       zeroing past the valid field. (CVE-2009-0789)

    *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
       checked correctly. This would allow some invalid signed attributes to
       appear to verify correctly. (CVE-2009-0591)

    *) Reject UniversalString and BMPString types with invalid lengths. This
       prevents a crash in ASN1_STRING_print_ex() which assumes the strings
       have a legal length. (CVE-2009-0590)

    *) Set S/MIME signing as the default purpose rather than setting it
       unconditionally. This allows applications to override it at the store
       level.

    *) Permit restricted recursion of ASN1 strings. This is needed in practice
       to handle some structures.

    *) Improve efficiency of mem_gets: don't search whole buffer each time
       for a '\n'

    *) New -hex option for openssl rand.

    *) Print out UTF8String and NumericString when parsing ASN1.

    *) Support NumericString type for name components.

    *) Allow CC in the environment to override the automatically chosen
       compiler. Note that nothing is done to ensure flags work with the
       chosen compiler.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/openssl'
  unixtime: '1238946617'
  user: tnn