Date:      Wed, 2 Aug 2023 19:28:21 GMT
From:      Bernard Spil <brnrd@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 04ffe8fb6bec - main - security/openssl: Update to 1.1.1v
Message-ID:  <202308021928.372JSL1J035231@gitrepo.freebsd.org>

The branch main has been updated by brnrd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=04ffe8fb6bec091ce3a5c20c7ab73bce30d2b333

commit 04ffe8fb6bec091ce3a5c20c7ab73bce30d2b333
Author:     Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2023-08-02 19:27:30 +0000
Commit:     Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2023-08-02 19:27:30 +0000

    security/openssl: Update to 1.1.1v
    
     * MFH this version as this is a roll-up of multiple vulnerability fixes
    
    MFH:            2023Q3
---
 security/openssl/Makefile                  |  3 +-
 security/openssl/distinfo                  |  6 ++--
 security/openssl/files/patch-CVE-2023-3817 | 55 ------------------------------
 3 files changed, 4 insertions(+), 60 deletions(-)

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index d0ffd1cac2a2..886026009708 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,6 +1,5 @@
 PORTNAME=	openssl
-PORTVERSION=	1.1.1u
-PORTREVISION=	1
+PORTVERSION=	1.1.1v
 PORTEPOCH=	1
 CATEGORIES=	security devel
 MASTER_SITES=	https://www.openssl.org/source/ \
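Review bot: The commit message gives "a roll-up of multiple vulnerability fixes" as the reason for the MFH of the PORTVERSION bump to 1.1.1v, but it names none of them. The only CVE identifiable from this change is CVE-2023-3817, and only because its local patch is deleted further down. Listing the CVE ids fixed by 1.1.1v in the commit message, for example in a Security: line, would let anyone auditing the 2023Q3 branch match this commit to advisories without reading upstream's changelog. Dropping PORTREVISION together with the PORTVERSION change is correct and needs no change.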
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index a37ebb5597c4..f9b0843950cb 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1685529813
-SHA256 (openssl-1.1.1u.tar.gz) = e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6
-SIZE (openssl-1.1.1u.tar.gz) = 9892176
+TIMESTAMP = 1691003970
+SHA256 (openssl-1.1.1v.tar.gz) = d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0
+SIZE (openssl-1.1.1v.tar.gz) = 9893443
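Review bot: The new SHA256 and SIZE lines are the only integrity anchor for openssl-1.1.1v.tar.gz in the port, and nothing in the commit says how the values were obtained. If they were produced with make makesum from a freshly fetched tarball, they only record what was downloaded. Please confirm the digest was compared against upstream's published checksum or release signature, and say so in the commit message. The size change from 9892176 to 9893443 bytes is plausible for a patch-level release but does not by itself verify anything.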
diff --git a/security/openssl/files/patch-CVE-2023-3817 b/security/openssl/files/patch-CVE-2023-3817
deleted file mode 100644
index 3f1d5193c73f..000000000000
--- a/security/openssl/files/patch-CVE-2023-3817
+++ /dev/null
@@ -1,55 +0,0 @@
-From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 21 Jul 2023 11:39:41 +0200
-Subject: [PATCH] DH_check(): Do not try checking q properties if it is
- obviously invalid
-
-If  |q| >= |p| then the q value is obviously wrong as q
-is supposed to be a prime divisor of p-1.
-
-We check if p is overly large so this added test implies that
-q is not large either when performing subsequent tests using that
-q value.
-
-Otherwise if it is too large these additional checks of the q value
-such as the primality test can then trigger DoS by doing overly long
-computations.
-
-Fixes CVE-2023-3817
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21551)
----
- crypto/dh/dh_check.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 2001d2e7cb19..9ae96991eb4a 100644
---- crypto/dh/dh_check.c.orig
-+++ crypto/dh/dh_check.c
-@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh)
- 
- int DH_check(const DH *dh, int *ret)
- {
--    int ok = 0, r;
-+    int ok = 0, r, q_good = 0;
-     BN_CTX *ctx = NULL;
-     BIGNUM *t1 = NULL, *t2 = NULL;
- 
-@@ -120,7 +120,14 @@ int DH_check(const DH *dh, int *ret)
-     if (t2 == NULL)
-         goto err;
- 
--    if (dh->q) {
-+    if (dh->q != NULL) {
-+        if (BN_ucmp(dh->p, dh->q) > 0)
-+            q_good = 1;
-+        else
-+            *ret |= DH_CHECK_INVALID_Q_VALUE;
-+    }
-+
-+    if (q_good) {
-         if (BN_cmp(dh->g, BN_value_one()) <= 0)
-             *ret |= DH_NOT_SUITABLE_GENERATOR;
-         else if (BN_cmp(dh->g, dh->p) >= 0)
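Review bot: Deleting files/patch-CVE-2023-3817 is only safe if the 1.1.1v tarball already contains this DH_check() change, and the commit message does not state that. Before removing the local patch, check the extracted crypto/dh/dh_check.c for the guard "if (BN_ucmp(dh->p, dh->q) > 0) q_good = 1;" ahead of the q checks, and add one line to the commit message saying the fix is included upstream in 1.1.1v. Without that, a reader of the stable branch cannot tell from this commit whether the q >= p check that prevents the overly long primality computation is still applied.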


