From owner-svn-doc-all@freebsd.org Sat Dec 5 10:05:09 2015 Return-Path: Delivered-To: svn-doc-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2AA22A4238D; Sat, 5 Dec 2015 10:05:09 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E12641BBA; Sat, 5 Dec 2015 10:05:08 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tB5A57L9013754; Sat, 5 Dec 2015 10:05:07 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tB5A57G0013746; Sat, 5 Dec 2015 10:05:07 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201512051005.tB5A57G0013746@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Sat, 5 Dec 2015 10:05:07 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r47823 - in head/share: security/advisories security/patches/SA-15:26 xml X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Dec 2015 10:05:09 -0000 Author: delphij Date: Sat Dec 5 10:05:07 2015 New Revision: 47823 URL: https://svnweb.freebsd.org/changeset/doc/47823 Log: Add advisory and patches for SA-15:26.openssl. Added: head/share/security/advisories/FreeBSD-SA-15:26.openssl.asc (contents, props changed) head/share/security/patches/SA-15:26/ head/share/security/patches/SA-15:26/openssl-10.1.patch (contents, props changed) head/share/security/patches/SA-15:26/openssl-10.1.patch.asc (contents, props changed) head/share/security/patches/SA-15:26/openssl-10.2.patch (contents, props changed) head/share/security/patches/SA-15:26/openssl-10.2.patch.asc (contents, props changed) head/share/security/patches/SA-15:26/openssl-9.3.patch (contents, props changed) head/share/security/patches/SA-15:26/openssl-9.3.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-15:26.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:26.openssl.asc Sat Dec 5 10:05:07 2015 (r47823) @@ -0,0 +1,168 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:26.openssl Security Advisory + The FreeBSD Project + +Topic: Multiple OpenSSL vulnerabilities + +Category: contrib +Module: openssl +Announced: 2015-12-05 +Affects: All supported versions of FreeBSD. +Corrected: 2015-12-03 21:18:48 UTC (stable/10, 10.2-STABLE) + 2015-12-05 09:53:58 UTC (releng/10.2, 10.2-RELEASE-p8) + 2015-12-05 09:53:58 UTC (releng/10.1, 10.1-RELEASE-p25) + 2015-12-03 21:24:40 UTC (stable/9, 9.3-STABLE) + 2015-12-05 09:53:58 UTC (releng/9.3, 9.3-RELEASE-p31) +CVE Name: CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +II. Problem Description + +The signature verification routines will crash with a NULL pointer dereference +if presented with an ASN.1 signature using the RSA PSS algorithm and absent +mask generation function parameter. [CVE-2015-3194] + +When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak +memory. [CVE-2015-3195] + +If PSK identity hints are received by a multi-threaded client then the values +are incorrectly updated in the parent SSL_CTX structure. [CVE-2015-3196] + +III. Impact + +A remote attacker who can present a specifically crafted certificate may +cause a OpenSSL client or server application that performs certificate +signature verification to crash with a NULL pointer dereference, resulting +in a Denial of Service. [CVE-2015-3194] This affects FreeBSD 10.x only. + +An attacker who is able to feed specifically crafted PKCS#7/CMS data to an +OpenSSL application can cause memory leak which may eventually result in a +Denial of Service. [CVE-2015-3195] + +A remote attacker who can send PSK identity hints to a multi-thread client +may trigger a double fault of hint data, which may lead to crash the client +application. [CVE-2015-3196]. This affects FreeBSD 10.1 only. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Reboot is optional but recommended. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot is optional but recommended. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-9.3.patch +# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-9.3.patch.asc +# gpg --verify openssl-9.3.patch.asc + +[FreeBSD 10.1] +# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-10.1.patch +# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-10.1.patch.asc +# gpg --verify openssl-10.1.patch.asc + +[FreeBSD 10.2] +# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-10.2.patch +# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-10.2.patch.asc +# gpg --verify openssl-10.2.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all deamons using the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r291722 +releng/9.3/ r291854 +stable/10/ r291721 +releng/10.1/ r291854 +releng/10.2/ r291854 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.8 (FreeBSD) + +iQIcBAEBCgAGBQJWYrWXAAoJEO1n7NZdz2rnLS8QAJvvKkFk/l4lvh34dmy9rGU5 +pEoeR47Mw9KGirjARBwuOerqykBO+2vUPAnOFUMcQTuG4V23s9u2v9T8dO70feu8 +o6eTtYrOyliECEywoGmuKmTVjtpGnXTg5BeAuG6i/C2XphEB+6Qq7eCz64n8TZQN +NB9emfqE6p0/ndxf3oyrcgw6gLgawmfBH4cWGa07Vd9X2XVc6sPjODDoXmXS8uj3 +xtPNFy7L48YfMAhd6l55hO9qxqTY5Pq8EkvZVWPlCYSET+4FBwIIU6Nwpzgpr8bd +viTHhwk/pf5wk1rMZzQVbrriQ7vAW4TG6oVsbTHLLC/prNzmTvW2KPqXyWWscRHS +2HWQ1at/b0brA+0rnzEVMQk/nH2031AuXy8o1gizNJoLItuS9Lp7P6xOPaogqss5 +J1wmaEkWRSItCGlCIJAxiw1dqbk5tH8Isy1Axno7doTKloeLFanhdPoJP5BexLuo +Vbl7A92xQVJLJKLoklVy3QaiKmcbJ/tdgSeI7e3gP8MDkblvSd6UIvHQfUigrA5B +JXYQWQgsHpc3tIGaDsbnrkV27O0yUXNipnj8PAEgaknXX5n6Zpyz9Z9Vitfnj1tC +1LAGo/kW8+L1hAX3W5XgsIOe9jWxae19uTGOoaM8tnVtH5bQpjjdWFE2zunzzfJe +bCPjBJfZw5z5rvQAkBuY +=p0x+ +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:26/openssl-10.1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:26/openssl-10.1.patch Sat Dec 5 10:05:07 2015 (r47823) @@ -0,0 +1,99 @@ +Index: crypto/openssl/crypto/asn1/tasn_dec.c +=================================================================== +--- crypto/openssl/crypto/asn1/tasn_dec.c (revision 291751) ++++ crypto/openssl/crypto/asn1/tasn_dec.c (working copy) +@@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi + int otag; + int ret = 0; + ASN1_VALUE **pchptr, *ptmpval; ++ int combine = aclass & ASN1_TFLG_COMBINE; ++ aclass &= ~ASN1_TFLG_COMBINE; + if (!pval) + return 0; + if (aux && aux->asn1_cb) +@@ -534,7 +536,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi + auxerr: + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); + err: +- ASN1_item_ex_free(pval, it); ++ if (combine == 0) ++ ASN1_item_ex_free(pval, it); + if (errtt) + ERR_add_error_data(4, "Field=", errtt->field_name, + ", Type=", it->sname); +@@ -762,7 +765,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **va + { + /* Nothing special */ + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), +- -1, 0, opt, ctx); ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); + if (!ret) + { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, +Index: crypto/openssl/crypto/rsa/rsa_ameth.c +=================================================================== +--- crypto/openssl/crypto/rsa/rsa_ameth.c (revision 291751) ++++ crypto/openssl/crypto/rsa/rsa_ameth.c (working copy) +@@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_A + { + ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; + if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 +- && param->type == V_ASN1_SEQUENCE) ++ && param && param->type == V_ASN1_SEQUENCE) + { + p = param->value.sequence->data; + plen = param->value.sequence->length; +Index: crypto/openssl/ssl/s3_clnt.c +=================================================================== +--- crypto/openssl/ssl/s3_clnt.c (revision 291751) ++++ crypto/openssl/ssl/s3_clnt.c (working copy) +@@ -1360,8 +1360,6 @@ int ssl3_get_key_exchange(SSL *s) + #ifndef OPENSSL_NO_PSK + if (alg_k & SSL_kPSK) + { +- char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; +- + param_len = 2; + if (param_len > n) + { +@@ -1390,16 +1388,8 @@ int ssl3_get_key_exchange(SSL *s) + } + param_len += i; + +- /* If received PSK identity hint contains NULL +- * characters, the hint is truncated from the first +- * NULL. p may not be ending with NULL, so create a +- * NULL-terminated string. */ +- memcpy(tmp_id_hint, p, i); +- memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); +- if (s->ctx->psk_identity_hint != NULL) +- OPENSSL_free(s->ctx->psk_identity_hint); +- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); +- if (s->ctx->psk_identity_hint == NULL) ++ s->session->psk_identity_hint = BUF_strndup((char *)p, i); ++ if (s->session->psk_identity_hint == NULL) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); +@@ -3009,7 +2999,7 @@ int ssl3_send_client_key_exchange(SSL *s) + } + + memset(identity, 0, sizeof(identity)); +- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, ++ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint, + identity, sizeof(identity) - 1, + psk_or_pre_ms, sizeof(psk_or_pre_ms)); + if (psk_len > PSK_MAX_PSK_LEN) +Index: crypto/openssl/ssl/s3_srvr.c +=================================================================== +--- crypto/openssl/ssl/s3_srvr.c (revision 291751) ++++ crypto/openssl/ssl/s3_srvr.c (working copy) +@@ -2827,7 +2827,7 @@ int ssl3_get_client_key_exchange(SSL *s) + + if (s->session->psk_identity != NULL) + OPENSSL_free(s->session->psk_identity); +- s->session->psk_identity = BUF_strdup((char *)p); ++ s->session->psk_identity = BUF_strndup((char *)p, i); + if (s->session->psk_identity == NULL) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, Added: head/share/security/patches/SA-15:26/openssl-10.1.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:26/openssl-10.1.patch.asc Sat Dec 5 10:05:07 2015 (r47823) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.8 (FreeBSD) + +iQIcBAABCgAGBQJWYrONAAoJEO1n7NZdz2rnDDsP+wWOZMMicG+mxEJkj11+dN+y +04zWcfalpz92mE9OfrHSNOqGvA4iGRuMpbcXPJv0sdXvQsVmF31eo7rt7I2eyNVy +xrYSzitW7zLHkj5bELMwwLB5LMnYqZRAhFPQ3DL6JRfTWxWgH6rU79J47dLlZ10/ +3uEoK2mxMpAxSQ6VvShXzuyqOhvJgZoSLdBqEqnl7q42Dk/A3cYojuwvvhhk0Ira +xlDA2jzz1X/2dS53TaxpxVW4FIr831QuFZluqfGEuVGVVq9zKPvFOrytYysa/8vx +eUMVUlHFJ+xFNNIaNshELDptTFx7znwWImYy3pK9cl2N8aFpWFMymQKR6V48Y8zR +uDxW1DWDSRtRKf3PpyrBdsaimIJjrNtbjErmTokvFbcIV9s86EWi0vVXhs693sQ4 +exzns5cVE8bdxC5KdXBkqgrsTripNPIsUlZkI8wB2jPCWjqA+PTepio/W6yT/pGR +mrTmTWKoH21vhKDYlRYyinz1BUGjShbSR31ClkLpJNpXzKlnnQ96liGe8VJwTQmS +UbpJhODsMNgYBoJGuQrw+tFmkbjRBLtMjemReLF0AUKsDzg3Brl8leH2zklm5Nsp +lU++r1XGWZuVIj687w6ObtUqg4Oa7V1CdwvHxt2UoCX+sK7siIsKqPqYDeKc+ToG +8Z0e5mZabsYPVSdh/UoL +=OObW +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:26/openssl-10.2.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:26/openssl-10.2.patch Sat Dec 5 10:05:07 2015 (r47823) @@ -0,0 +1,45 @@ +Index: crypto/openssl/crypto/asn1/tasn_dec.c +=================================================================== +--- crypto/openssl/crypto/asn1/tasn_dec.c (revision 291751) ++++ crypto/openssl/crypto/asn1/tasn_dec.c (working copy) +@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi + int otag; + int ret = 0; + ASN1_VALUE **pchptr, *ptmpval; ++ int combine = aclass & ASN1_TFLG_COMBINE; ++ aclass &= ~ASN1_TFLG_COMBINE; + if (!pval) + return 0; + if (aux && aux->asn1_cb) +@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi + auxerr: + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); + err: +- ASN1_item_ex_free(pval, it); ++ if (combine == 0) ++ ASN1_item_ex_free(pval, it); + if (errtt) + ERR_add_error_data(4, "Field=", errtt->field_name, + ", Type=", it->sname); +@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **va + } else { + /* Nothing special */ + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), +- -1, 0, opt, ctx); ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); + if (!ret) { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); + goto err; +Index: crypto/openssl/crypto/rsa/rsa_ameth.c +=================================================================== +--- crypto/openssl/crypto/rsa/rsa_ameth.c (revision 291751) ++++ crypto/openssl/crypto/rsa/rsa_ameth.c (working copy) +@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_A + if (pss->maskGenAlgorithm) { + ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; + if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 +- && param->type == V_ASN1_SEQUENCE) { ++ && param && param->type == V_ASN1_SEQUENCE) { + p = param->value.sequence->data; + plen = param->value.sequence->length; + *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen); Added: head/share/security/patches/SA-15:26/openssl-10.2.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:26/openssl-10.2.patch.asc Sat Dec 5 10:05:07 2015 (r47823) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.8 (FreeBSD) + +iQIcBAABCgAGBQJWYrOZAAoJEO1n7NZdz2rneXgQAKibSNQBuEk7NefLXohrSKsX +PQD55JpxI65MqWLbfwRo5jMIXPnjtIYDMQT0sPFTADS+wSEYrmBTE2VfxM3h3VQP +somTG2inRaK+JzD4Ry8eo2cyKXEnbONcc+lK0IRbJSKQYuFvg1zTPevtjgWjSUaD +DW2PyAop5gLOiYwKBs3rqPv36RV4T7ZWCoM9c+ybSSQi1PQ3Tpw/Ccjc5mp8N+mj +BcLw622/xl+WeVpWf3Ai1dg5u7b9cEu7BKpoALjqyjQcilui1Fzga+dsHGmXpXTh +a85VJS+jG1nzaBD6ZM3CVsWe2HTlhakUiOrZfH+VrjPagWnXzKm+p9ov8Tp87RYr +EG5rWrE2KTRf28s5uf/xDrrryGUxlnjoIK8a+BcX0cL4GAX9Yas3PHyIOd3d1Lz9 +KOxNBWtQVoDyJFnPvak9Aqt1GDROIaKOXaeuoCxMW5Ys0N4tZS+9wF4Ul8dwfcdQ +BoFjtuej6qZcyeVQSmX5X2xENU/uuADc6fJoXiR1Xy/a3MwJ/S73vjlDxLutgCe2 +aiGbPUPRQF0hFx481Kn+/f+pp2Slxn4MRM46uCjGXAIYxItKax0kC3Ly3YkZXScu +77Vge/9GL0pHUbeJimowu2xbiNEGCVJIPZbGQbfMuaLHjSmu70elcFCaceNjETYR +rt3WjCL9VvJ7X6/8Pzxc +=EMbB +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:26/openssl-9.3.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:26/openssl-9.3.patch Sat Dec 5 10:05:07 2015 (r47823) @@ -0,0 +1,32 @@ +Index: crypto/openssl/crypto/asn1/tasn_dec.c +=================================================================== +--- crypto/openssl/crypto/asn1/tasn_dec.c (revision 291751) ++++ crypto/openssl/crypto/asn1/tasn_dec.c (working copy) +@@ -167,6 +167,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi + int otag; + int ret = 0; + ASN1_VALUE **pchptr, *ptmpval; ++ int combine = aclass & ASN1_TFLG_COMBINE; ++ aclass &= ~ASN1_TFLG_COMBINE; + if (!pval) + return 0; + if (aux && aux->asn1_cb) +@@ -532,7 +534,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi + auxerr: + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); + err: +- ASN1_item_ex_free(pval, it); ++ if (combine == 0) ++ ASN1_item_ex_free(pval, it); + if (errtt) + ERR_add_error_data(4, "Field=", errtt->field_name, + ", Type=", it->sname); +@@ -758,7 +761,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **va + { + /* Nothing special */ + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), +- -1, 0, opt, ctx); ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); + if (!ret) + { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, Added: head/share/security/patches/SA-15:26/openssl-9.3.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:26/openssl-9.3.patch.asc Sat Dec 5 10:05:07 2015 (r47823) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.8 (FreeBSD) + +iQIcBAABCgAGBQJWYrOcAAoJEO1n7NZdz2rnacwQAKcafYRsZN53PevgCRkB4ncy +xcHTOutAExUrx7mIS18MiculjEEKeVZNau/CksoXPupqzW5K3yja3Crw5jS2bl6u +xN5BYoki5RxLcnwwcJPloHwFnpBkQS+/W0SKVwomXtjOmhsbetRAH6RK+iS3Vc+y +T3i4I8pcJMeXxIMCV+ZTcfEH0BVoYwkHM1ncO/N4tdrGFUSz35JR+nJNAQZ7EL1s +HmftsXzjoQqNlqhOdFTSubwqWdoPKBo1ql5wsAEvPskXuvPTQuUVB4onGkoBnGYI +T+M8gP/LNRGksjzfIG09yTVqj/Zeu/lPWMwoEpzPseO6l03twUmHd4E4NgUr8mYZ +AWHfCccM5g/1lvNOqSfHOxpKhlhRaOmISKhM1sAw04nX+Hqa6gNWsK2Or9avva6p +BuYa5Sa5aEMzb8s4EAKeAPXqoUy62d6mlCd4oneCcM36445CbD22sh/Yco8xyr5p +CHSLKPEcjWbckEREl880NgP2KMjk8L8s1S3hymYP4t3yhulhtlLdjEqp0rRc4wKn +sDS7PT07PIRxZcSfyvYYrIV7cJuoFlidpJmMEPU5T5qG7+fBen5S0Uc147ZcC13F +ofPqxctVZOwMQVkYkG64j/XY8O9Z3m1qlNRUtc4iZPM+wwqQM1lwuCZjVDj30PXO +lUpmCtANfuny1Qz+8RDB +=Drsr +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Sat Dec 5 09:15:53 2015 (r47822) +++ head/share/xml/advisories.xml Sat Dec 5 10:05:07 2015 (r47823) @@ -8,6 +8,18 @@ 2015 + 12 + + + 6 + + + FreeBSD-SA-15:26.openssl + + + + + 10