Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK)) by mollari.NetBSD.org (Postfix) with ESMTPS id EEC84A663B for ; Wed, 15 Oct 2014 19:04:46 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id 205AA14A1A5; Wed, 15 Oct 2014 19:04:46 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 0A3AB14A19E for ; Wed, 15 Oct 2014 19:04:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at NetBSD.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id ZtPkljLqQoXK for ; Wed, 15 Oct 2014 19:04:40 +0000 (UTC) Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd]) by mail.netbsd.org (Postfix) with ESMTP id 5C09114A199 for ; Wed, 15 Oct 2014 19:04:40 +0000 (UTC) Received: by cvs.netbsd.org (Postfix, from userid 500) id 4FA7A98; Wed, 15 Oct 2014 19:04:40 +0000 (UTC) Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" MIME-Version: 1.0 Date: Wed, 15 Oct 2014 19:04:40 +0000 From: "Jonathan Perkin" Subject: CVS commit: pkgsrc/security/openssl To: pkgsrc-changes@NetBSD.org Reply-To: jperkin@netbsd.org X-Mailer: log_accum Message-Id: <20141015190440.4FA7A98@cvs.netbsd.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk Module Name: pkgsrc Committed By: jperkin Date: Wed Oct 15 19:04:40 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common distinfo Log Message: Update to openssl-1.0.1j. Changes between 1.0.1i and 1.0.1j [15 Oct 2014] *) SRTP Memory Leak. A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected. The fix was developed by the OpenSSL team. (CVE-2014-3513) [OpenSSL team] *) Session Ticket Memory Leak. When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack. (CVE-2014-3567) [Steve Henson] *) Build option no-ssl3 is incomplete. When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them. (CVE-2014-3568) [Akamai and the OpenSSL team] *) Add support for TLS_FALLBACK_SCSV. Client applications doing fallback retries should call SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). (CVE-2014-3566) [Adam Langley, Bodo Moeller] *) Add additional DigestInfo checks. Reencode DigestInto in DER and check against the original when verifying RSA signature: this will reject any improperly encoded DigestInfo structures. Note: this is a precautionary measure and no attacks are currently known. [Steve Henson] To generate a diff of this commit: cvs rdiff -u -r1.199 -r1.200 pkgsrc/security/openssl/Makefile cvs rdiff -u -r1.19 -r1.20 pkgsrc/security/openssl/PLIST.common cvs rdiff -u -r1.108 -r1.109 pkgsrc/security/openssl/distinfo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.