head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.8
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.6
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.4
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.2
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2010Q1:1.1.0.4
	pkgsrc-2010Q1-base:1.1
	pkgsrc-2009Q4:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2010.04.12.14.19.17;	author taca;	state dead;
branches;
next	1.1;

1.1
date	2010.03.26.00.20.49;	author taca;	state Exp;
branches
	1.1.2.1
	1.1.4.1;
next	;

1.1.2.1
date	2010.03.26.00.20.49;	author tron;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2010.03.27.14.44.42;	author tron;	state Exp;
branches;
next	;

1.1.4.1
date	2010.06.03.08.33.32;	author spz;	state dead;
branches;
next	;


desc
@@


1.2
log
@Update openssl package from 0.9.8m to 0.9.8n.

Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

  *) When rejecting SSL/TLS records due to an incorrect version number, never
     update s->server with a new major version number.  As of
     - OpenSSL 0.9.8m if 'short' is a 16-bit type,
     - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
     the previous behavior could result in a read attempt at NULL when
     receiving specific incorrect SSL/TLS records once record payload
     protection is active.  (CVE-2010-0740)
     [Bodo Moeller, Adam Langley ]

  *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
     could be crashed if the relevant tables were not present (e.g. chrooted).
     [Tomas Hoger ]
@
text
@$NetBSD: patch-bc,v 1.1 2010/03/26 00:20:49 taca Exp $

Fix for CVE-2010-0740: http://www.openssl.org/news/secadv_20100324.txt

--- ssl/s3_pkt.c.orig	2010-01-24 13:52:38.000000000 +0000
+++ ssl/s3_pkt.c
@@@@ -291,9 +291,9 @@@@ again: if (version != s->version) { SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); - /* Send back error using their - * version number :-) */ - s->version=version; + if ((s->version & 0xFF00) == (version & 0xFF00)) + /* Send back error using their minor version number :-) */ + s->version = (unsigned short)version; al=SSL_AD_PROTOCOL_VERSION; goto f_err; }
@


1.1
log
@Add a patch for Fix for CVE-2010-0740, DoS problem.

http://www.openssl.org/news/secadv_20100324.txt

Bump PKGREVISION.
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.4.1
log
@Pullup ticket 3135 - requested by taca
security update

Revisions pulled up:
- pkgsrc/security/openssl/Makefile		1.149
- pkgsrc/security/openssl/distinfo		1.75

Files removed:
pkgsrc/security/openssl/patches/patch-bc

-------------------------------------------------------------------------
Module Name:	pkgsrc
Committed By:	taca
Date:		Mon Apr 12 14:19:17 UTC 2010

Modified Files:
	pkgsrc/security/openssl: Makefile distinfo
Removed Files:
	pkgsrc/security/openssl/patches: patch-bc

Log Message:
Update openssl package from 0.9.8m to 0.9.8n.

Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

  *) When rejecting SSL/TLS records due to an incorrect version number, never
     update s->server with a new major version number.  As of
     - OpenSSL 0.9.8m if 'short' is a 16-bit type,
     - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
     the previous behavior could result in a read attempt at NULL when
     receiving specific incorrect SSL/TLS records once record payload
     protection is active.  (CVE-2010-0740)
     [Bodo Moeller, Adam Langley ]

  *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
     could be crashed if the relevant tables were not present (e.g. chrooted).
     [Tomas Hoger ]


To generate a diff of this commit:
cvs rdiff -u -r1.146 -r1.147 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.73 -r1.74 pkgsrc/security/openssl/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/security/openssl/patches/patch-bc

-------------------------------------------------------------------------
Module Name:	pkgsrc
Committed By:	adam
Date:		Sat May 8 06:33:41 UTC 2010

Modified Files:
	pkgsrc/security/openssl: Makefile

Log Message:
Set correct architecture on Darwin


To generate a diff of this commit:
cvs rdiff -u -r1.147 -r1.148 pkgsrc/security/openssl/Makefile

-------------------------------------------------------------------------
Module Name:	pkgsrc
Committed By:	taca
Date:		Wed Jun 2 13:30:11 UTC 2010

Modified Files:
	pkgsrc/security/openssl: Makefile distinfo

Log Message:
Update security/openssl package to 0.9.8o.

OpenSSL CHANGES
_______________

Changes between 0.9.8n and 0.9.8o [01 Jun 2010]

  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
     access or freeing data twice (CVE-2010-0742)
     [Steve Henson, Ronald Moesbergen ]

  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
     common in certificates and some applications which only call
     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
     [Steve Henson]

  *) VMS fixes:
     Reduce copying into .apps and .test in makevms.com
     Don't try to use blank CA certificate in CA.com
     Allow use of C files from original directories in maketests.com
     [Steven M.
     Schweda" ]


To generate a diff of this commit:
cvs rdiff -u -r1.148 -r1.149 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.74 -r1.75 pkgsrc/security/openssl/distinfo
@
text
@d1 1
a1 1
$NetBSD: patch-bc,v 1.1 2010/03/26 00:20:49 taca Exp $
@


1.1.2.1
log
@file patch-bc was added on branch pkgsrc-2009Q4 on 2010-03-27 14:44:42 +0000
@
text
@d1 19
@


1.1.2.2
log
@Pullup ticket #3065 - requested by taca
openssl: security update

Revisions pulled up:
- security/openssl/Makefile			1.144-1.1.146
- security/openssl/PLIST.common			1.17
- security/openssl/distinfo			1.72-1.73
- security/openssl/patches/patch-aa		1.23
- security/openssl/patches/patch-ac		1.38
- security/openssl/patches/patch-af		1.24
- security/openssl/patches/patch-ax		delete
- security/openssl/patches/patch-ay		delete
- security/openssl/patches/patch-az		delete
- security/openssl/patches/patch-ba		delete
- security/openssl/patches/patch-bb		delete
- security/openssl/patches/patch-bc		1.1
---
Module Name:	pkgsrc
Committed By:	taca
Date:		Fri Feb 26 03:15:14 UTC 2010

Modified Files:
	pkgsrc/security/openssl: Makefile distinfo
	pkgsrc/security/openssl/patches: patch-aa patch-ac patch-af
Removed Files:
	pkgsrc/security/openssl/patches: patch-ax patch-ay patch-az patch-ba
	    patch-bb

Log Message:
Update openssl to 0.9.8m.

The OpenSSL project team is pleased to announce the release of
version 0.9.8m of our open source toolkit for SSL/TLS. This new
OpenSSL version is a security and bugfix release which implements
RFC5746 to address renegotiation vulnerabilities mentioned in
CVE-2009-3555. For a complete list of changes, please see
http://www.openssl.org/source/exp/CHANGES.
---
Module Name:	pkgsrc
Committed By:	taca
Date:		Mon Mar 1 08:15:40 UTC 2010

Modified Files:
	pkgsrc/security/openssl: Makefile PLIST.common

Log Message:
Fix broken PLIST.
(I wonder why "make print-PLIST" generated wrong result before...")

Bump PKGREVISION.
---
Module Name:	pkgsrc
Committed By:	taca
Date:		Fri Mar 26 00:20:49 UTC 2010

Modified Files:
	pkgsrc/security/openssl: Makefile distinfo
Added Files:
	pkgsrc/security/openssl/patches: patch-bc

Log Message:
Add a patch for Fix for CVE-2010-0740, DoS problem.

http://www.openssl.org/news/secadv_20100324.txt

Bump PKGREVISION.
@
text
@a0 19
$NetBSD: patch-bc,v 1.1 2010/03/26 00:20:49 taca Exp $

Fix for CVE-2010-0740: http://www.openssl.org/news/secadv_20100324.txt

--- ssl/s3_pkt.c.orig	2010-01-24 13:52:38.000000000 +0000
+++ ssl/s3_pkt.c
@@@@ -291,9 +291,9 @@@@ again: if (version != s->version) { SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); - /* Send back error using their - * version number :-) */ - s->version=version; + if ((s->version & 0xFF00) == (version & 0xFF00)) + /* Send back error using their minor version number :-) */ + s->version = (unsigned short)version; al=SSL_AD_PROTOCOL_VERSION; goto f_err; }
@
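Review bot: In the s3_pkt.c hunk at -291,9 +291,9 (the same hunk is stored under revision 1.2 and under the 1.1.2.2 delta; the `@@@@` is RCS doubling every `@` inside a text block, so the patch on disk reads `@@ -291,9 +291,9 @@`) the new guard `if ((s->version & 0xFF00) == (version & 0xFF00))` has no braces and a comment sits between the condition and its only statement `s->version = (unsigned short)version;`; put braces around that body so the guard visibly covers exactly the assignment and a later edit cannot fall outside it. The comparison itself is the fix: the peer's record version is copied into s->version (for the "send back error using their version" behaviour the old comment describes) only when its major byte already matches, so a record carrying a different major version no longer alters s->version before the SSL_AD_PROTOCOL_VERSION alert is raised, which is what the 0.9.8n log text in this file ties to the NULL read of CVE-2010-0740. That log text says `s->server`; the field the hunk changes is `s->version`.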