Received: by mail.netbsd.org (Postfix, from userid 605) id 2DAE984E29; Tue, 26 Nov 2019 22:22:47 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id AC5B984E26 for ; Tue, 26 Nov 2019 22:22:46 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id j2jCEyJDnahc for ; Tue, 26 Nov 2019 22:22:46 +0000 (UTC) Received: from cvs.NetBSD.org (ivanova.NetBSD.org [IPv6:2001:470:a085:999:28c:faff:fe03:5984]) by mail.netbsd.org (Postfix) with ESMTP id 0AB2F84DFB for ; Tue, 26 Nov 2019 22:22:46 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id F0E06FA97; Tue, 26 Nov 2019 22:22:45 +0000 (UTC) Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_1574806965227830" MIME-Version: 1.0 Date: Tue, 26 Nov 2019 22:22:45 +0000 From: "Sevan Janiyan" Subject: CVS commit: pkgsrc/security/openssl To: pkgsrc-changes@NetBSD.org Reply-To: sevan@netbsd.org X-Mailer: log_accum Message-Id: <20191126222245.F0E06FA97@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_1574806965227830 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: sevan Date: Tue Nov 26 22:22:45 UTC 2019 Modified Files: pkgsrc/security/openssl: Makefile distinfo Log Message: Update to v1.0.2t Changes between 1.0.2s and 1.0.2t [10 Sep 2019] *) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/ `EC_GROUP_new_from_ecparameters()`. This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later serialized, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation. [Nicola Tuveri] *) Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. (CVE-2019-1547) [Billy Bob Brumley] *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. (CVE-2019-1563) [Bernd Edlinger] *) Document issue with installation paths in diverse Windows builds '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL binaries and run-time config file. (CVE-2019-1552) [Richard Levitte] To generate a diff of this commit: cvs rdiff -u -r1.245 -r1.246 pkgsrc/security/openssl/Makefile cvs rdiff -u -r1.134 -r1.135 pkgsrc/security/openssl/distinfo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1574806965227830 Content-Disposition: inline Content-Length: 1868 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/security/openssl/Makefile diff -u pkgsrc/security/openssl/Makefile:1.245 pkgsrc/security/openssl/Makefile:1.246 --- pkgsrc/security/openssl/Makefile:1.245 Sun Nov 24 01:45:12 2019 +++ pkgsrc/security/openssl/Makefile Tue Nov 26 22:22:45 2019 @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.245 2019/11/24 01:45:12 gdt Exp $ +# $NetBSD: Makefile,v 1.246 2019/11/26 22:22:45 sevan Exp $ -DISTNAME= openssl-1.0.2s -PKGREVISION= 1 +DISTNAME= openssl-1.0.2t CATEGORIES= security MASTER_SITES= https://www.openssl.org/source/ Index: pkgsrc/security/openssl/distinfo diff -u pkgsrc/security/openssl/distinfo:1.134 pkgsrc/security/openssl/distinfo:1.135 --- pkgsrc/security/openssl/distinfo:1.134 Sun Jun 30 22:52:54 2019 +++ pkgsrc/security/openssl/distinfo Tue Nov 26 22:22:45 2019 @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.134 2019/06/30 22:52:54 sevan Exp $ +$NetBSD: distinfo,v 1.135 2019/11/26 22:22:45 sevan Exp $ -SHA1 (openssl-1.0.2s.tar.gz) = cf43d57a21e4baf420b3628677ebf1723ed53bc1 -RMD160 (openssl-1.0.2s.tar.gz) = 6067f88e5f1ac797e189648386adb12ca4aba85d -SHA512 (openssl-1.0.2s.tar.gz) = 9f745452c4f777df694158e95003cde78a2cf8199bc481a563ec36644664c3c1415a774779b9791dd18f2aeb57fa1721cb52b3db12d025955e970071d5b66d2a -Size (openssl-1.0.2s.tar.gz) = 5349149 bytes +SHA1 (openssl-1.0.2t.tar.gz) = 8ac3fd379cf8c8ef570abb51ec52a88fd526f88a +RMD160 (openssl-1.0.2t.tar.gz) = 60fa7238a3beefb1e95d76de607d69af7198118b +SHA512 (openssl-1.0.2t.tar.gz) = 0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71 +Size (openssl-1.0.2t.tar.gz) = 5355422 bytes SHA1 (patch-Configure) = 2d963d781314276a0ee1bc531df6bc50f0f6b32b SHA1 (patch-Makefile.org) = d2a9295003a8b88718a328b01ff6bcbbc102ec0b SHA1 (patch-Makefile.shared) = 273154600c6cf0cf4de4ae16d56c5555bca5f9ad --_----------=_1574806965227830--