---
branch: pkgsrc-2015Q3
date: Sat Dec 26 23:07:24 UTC 2015
files:
- new: 1.213.2.1
  old: '1.213'
  path: pkgsrc/security/openssl/Makefile
  pathrev: pkgsrc/security/openssl/Makefile@1.213.2.1
  type: modified
- new: 1.25.2.1
  old: '1.25'
  path: pkgsrc/security/openssl/PLIST.common
  pathrev: pkgsrc/security/openssl/PLIST.common@1.25.2.1
  type: modified
- new: 1.115.2.1
  old: '1.115'
  path: pkgsrc/security/openssl/distinfo
  pathrev: pkgsrc/security/openssl/distinfo@1.115.2.1
  type: modified
- new: 1.2.12.1
  old: '1.2'
  path: pkgsrc/security/openssl/patches/patch-Makefile.shared
  pathrev: pkgsrc/security/openssl/patches/patch-Makefile.shared@1.2.12.1
  type: modified
id: 20151226T230724Z.de9560b0c3c1cca249c9ea32fefea06e02d894d9
log: |
  Pullup ticket #4877 - requested by cyber
  security/openssl: security fix

  Revisions pulled up:
  - security/openssl/Makefile                        1.214-1.216
  - security/openssl/PLIST.common                    1.26
  - security/openssl/distinfo                        1.116,1.118
  - security/openssl/patches/patch-Makefile.shared   1.3

  ---
  Module Name:    pkgsrc
  Committed By:   jperkin
  Date:           Fri Oct  9 11:44:48 UTC 2015

  Modified Files:
      pkgsrc/security/openssl: Makefile

  Log Message:
  Force the "linux-elf" Configure target for Linux 32-bit, fixes the build when
  running with ABI=32 on a 64-bit native host.

  ---
  Module Name:    pkgsrc
  Committed By:   jperkin
  Date:           Mon Oct 26 09:42:47 UTC 2015

  Modified Files:
      pkgsrc/security/openssl: Makefile distinfo
      pkgsrc/security/openssl/patches: patch-Makefile.shared

  Log Message:
  Support SunOS/clang and pass -h linker argument correctly. Doesn't fully
  fix the build yet, an additional patch to remove LD_LIBRARY_PATH is required
  but needs wider testing.

  ---
  Module Name:    pkgsrc
  Committed By:   jperkin
  Date:           Mon Dec  7 15:57:42 UTC 2015

  Modified Files:
      pkgsrc/security/openssl: Makefile PLIST.common distinfo

  Log Message:
  Update security/openssl to 1.0.2e.

  pkgsrc changes:

  - We now need to run 'make depend' after configure to pick up algorithm
    selection changes.

  Upstream changes:

  Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

   *) BN_mod_exp may produce incorrect results on x86_64

      There is a carry propagating bug in the x86_64 Montgomery squaring
      procedure. No EC algorithms are affected. Analysis suggests that attacks
      against RSA and DSA as a result of this defect would be very difficult to
      perform and are not believed likely. Attacks against DH are considered just
      feasible (although very difficult) because most of the work necessary to
      deduce information about a private key may be performed offline. The amount
      of resources required for such an attack would be very significant and
      likely only accessible to a limited number of attackers. An attacker would
      additionally need online access to an unpatched system using the target
      private key in a scenario with persistent DH parameters and a private
      key that is shared between multiple clients. For example this can occur by
      default in OpenSSL DHE based SSL/TLS ciphersuites.

      This issue was reported to OpenSSL by Hanno Böck.
      (CVE-2015-3193)
      [Andy Polyakov]

   *) Certificate verify crash with missing PSS parameter

      The signature verification routines will crash with a NULL pointer
      dereference if presented with an ASN.1 signature using the RSA PSS
      algorithm and absent mask generation function parameter. Since these
      routines are used to verify certificate signature algorithms this can be
      used to crash any certificate verification operation and exploited in a
      DoS attack. Any application which performs certificate verification is
      vulnerable including OpenSSL clients and servers which enable client
      authentication.

      This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
      (CVE-2015-3194)
      [Stephen Henson]

   *) X509_ATTRIBUTE memory leak

      When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
      memory. This structure is used by the PKCS#7 and CMS routines so any
      application which reads PKCS#7 or CMS data from untrusted sources is
      affected. SSL/TLS is not affected.

      This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
      libFuzzer.
      (CVE-2015-3195)
      [Stephen Henson]

   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
      This changes the decoding behaviour for some invalid messages,
      though the change is mostly in the more lenient direction, and
      legacy behaviour is preserved as much as possible.
      [Emilia Käsper]

   *) In DSA_generate_parameters_ex, if the provided seed is too short,
      return an error
      [Rich Salz and Ismo Puustinen]
module: pkgsrc
subject: 'CVS commit: [pkgsrc-2015Q3] pkgsrc/security/openssl'
unixtime: '1451171244'
user: bsiegert