Hello community,

here is the log from the commit of package openssl for openSUSE:11.4
checked in at Tue Sep 20 12:06:29 CEST 2011.



--------
--- old-versions/11.4/UPDATES/all/openssl/openssl.changes       2011-05-31 
09:28:35.000000000 +0200
+++ 11.4/openssl/openssl.changes        2011-09-20 10:48:32.000000000 +0200
@@ -1,0 +2,13 @@
+Tue Sep 20 08:47:15 UTC 2011 - [email protected]
+
+- fix bug[bnc#716144] - VUL-0: openssl ECDH crash.
+  CVE-2011-3210
+
+-------------------------------------------------------------------
+Tue Sep 13 03:05:41 UTC 2011 - [email protected]
+
+- Fix bug[bnc#716143].Fix bug where CRLs with nextUpdate 
+  in the past are sometimes accepted by initialising 
+  X509_STORE_CTX properly. (CVE-2011-3207)
+
+-------------------------------------------------------------------

calling whatdependson for 11.4-i586


New:
----
  CVE-2011-3207.patch
  CVE-2011-3210.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.f8BAhE/_old  2011-09-20 12:06:10.000000000 +0200
+++ /var/tmp/diff_new_pack.f8BAhE/_new  2011-09-20 12:06:10.000000000 +0200
@@ -30,10 +30,8 @@
 %ifarch ppc64
 Obsoletes:      openssl-64bit
 %endif
-#
-#Version:        1.0.0
 Version:        1.0.0c
-Release:        18.<RELEASE19>
+Release:        18.<RELEASE21>
 Summary:        Secure Sockets and Transport Layer Security
 Url:            http://www.openssl.org/
 Source:         http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -50,6 +48,8 @@
 #Patch6:         CVE-2010-3864.patch
 Patch7:         openssl-1.0.0b-aesni.patch
 Patch8:         ECDSA_signatures_timing_attack.patch
+Patch9:         CVE-2011-3207.patch
+Patch10:        CVE-2011-3210.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -185,6 +185,8 @@
 #%patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # 
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags

++++++ CVE-2011-3207.patch ++++++
Index: openssl-1.0.0c/crypto/x509/x509_vfy.c
===================================================================
--- openssl-1.0.0c.orig/crypto/x509/x509_vfy.c
+++ openssl-1.0.0c/crypto/x509/x509_vfy.c
@@ -703,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ct
        x = sk_X509_value(ctx->chain, cnum);
        ctx->current_cert = x;
        ctx->current_issuer = NULL;
+       ctx->current_crl_score = 0;
        ctx->current_reasons = 0;
        while (ctx->current_reasons != CRLDP_ALL_REASONS)
                {
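Review bot: The new `ctx->current_crl_score = 0;` in check_cert carries no comment, although it is the security-relevant line of this patch. The package changelog ties the fix to CRLs with a past nextUpdate sometimes being accepted, which suggests a score left over from earlier state was being trusted. A one-line comment such as `/* per-certificate CRL state: never reuse a score from a previous certificate or context */` would keep a later cleanup from dropping the reset. The same applies to the three assignments added to X509_STORE_CTX_init in the next hunk, where `current_crl`, `current_crl_score` and `current_reasons` were presumably left uninitialised before. Both function bodies extend beyond the hunks shown.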
@@ -2015,6 +2016,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *
        ctx->error_depth=0;
        ctx->current_cert=NULL;
        ctx->current_issuer=NULL;
+       ctx->current_crl=NULL;
+       ctx->current_crl_score=0;
+       ctx->current_reasons=0;
        ctx->tree = NULL;
        ctx->parent = NULL;
 
++++++ CVE-2011-3210.patch ++++++
Index: openssl-1.0.0c/ssl/d1_srvr.c
===================================================================
--- openssl-1.0.0c.orig/ssl/d1_srvr.c
+++ openssl-1.0.0c/ssl/d1_srvr.c
@@ -1017,12 +1017,11 @@ int dtls1_send_server_key_exchange(SSL *
                                
SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       if (!EC_KEY_up_ref(ecdhp))
+                       if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
                                {
                                
SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       ecdh = ecdhp;
 
                        s->s3->tmp.ecdh=ecdh;
                        if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
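Review bot: Only the `EC_KEY_up_ref` to `EC_KEY_dup` switch is applied to dtls1_send_server_key_exchange, while the ssl/s3_srvr.c hunks also drop the `EC_KEY_free(s->s3->tmp.ecdh);` that ran before `goto err` when the temporary key was already set. If the DTLS function has the same branch above this hunk (not visible here), it would free the key without clearing the pointer and leave it for ssl3_clear to free again, so it is worth checking and removing it there too. A short comment on the new line, e.g. `/* Duplicate the ECDH structure: each connection gets its own key object */`, would also record why a reference bump is not enough. The same comment fits the identical change in ssl3_send_server_key_exchange.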
Index: openssl-1.0.0c/ssl/s3_lib.c
===================================================================
--- openssl-1.0.0c.orig/ssl/s3_lib.c
+++ openssl-1.0.0c/ssl/s3_lib.c
@@ -2198,11 +2198,17 @@ void ssl3_clear(SSL *s)
                }
 #ifndef OPENSSL_NO_DH
        if (s->s3->tmp.dh != NULL)
+       {
                DH_free(s->s3->tmp.dh);
+               s->s3->tmp.dh = NULL;
+       }
 #endif
 #ifndef OPENSSL_NO_ECDH
        if (s->s3->tmp.ecdh != NULL)
+       {
                EC_KEY_free(s->s3->tmp.ecdh);
+               s->s3->tmp.ecdh = NULL;
+       }
 #endif
 
        rp = s->s3->rbuf.buf;
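Review bot: The braces added around the `DH_free` and `EC_KEY_free` calls in ssl3_clear sit at the column of the `if`, whereas the surrounding code indents braces with the block body (see the closing brace on the first context line of the hunk). Matching the file's style keeps the patch easy to rebase onto upstream. The same mismatch appears in the blocks added to ssl3_check_client_hello and ssl3_get_client_key_exchange in ssl/s3_srvr.c. Clearing the pointers after the free is the right pattern here, since these fields are tested against NULL elsewhere in the patch.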
Index: openssl-1.0.0c/ssl/s3_srvr.c
===================================================================
--- openssl-1.0.0c.orig/ssl/s3_srvr.c
+++ openssl-1.0.0c/ssl/s3_srvr.c
@@ -778,6 +778,13 @@ int ssl3_check_client_hello(SSL *s)
                        s->s3->tmp.dh = NULL;
                        }
 #endif
+#ifndef OPENSSL_NO_ECDH
+               if (s->s3->tmp.ecdh != NULL)
+               {
+                       EC_KEY_free(s->s3->tmp.ecdh);
+                       s->s3->tmp.ecdh = NULL;
+               }
+#endif
                return 2;
                }
        return 1;
@@ -1491,7 +1498,6 @@ int ssl3_send_server_key_exchange(SSL *s
 
                        if (s->s3->tmp.dh != NULL)
                                {
-                               DH_free(dh);
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 
ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
@@ -1552,7 +1558,6 @@ int ssl3_send_server_key_exchange(SSL *s
 
                        if (s->s3->tmp.ecdh != NULL)
                                {
-                               EC_KEY_free(s->s3->tmp.ecdh); 
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 
ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
@@ -1563,12 +1568,11 @@ int ssl3_send_server_key_exchange(SSL *s
                                
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       if (!EC_KEY_up_ref(ecdhp))
+                       if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
                                {
                                
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       ecdh = ecdhp;
 
                        s->s3->tmp.ecdh=ecdh;
                        if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
@@ -2440,6 +2444,12 @@ int ssl3_get_client_key_exchange(SSL *s)
                        /* Get encoded point length */
                        i = *p; 
                        p += 1;
+                       if (n != 1 + i)
+                       {
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                               ERR_R_EC_LIB);
+                               goto err;
+                       }
                        if (EC_POINT_oct2point(group, 
                            clnt_ecpoint, p, i, bn_ctx) == 0)
                                {
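Review bot: The new `n != 1 + i` test runs only after `i = *p` has already read the length byte, so it protects the `EC_POINT_oct2point` call but relies on `n >= 1` being established earlier in ssl3_get_client_key_exchange, outside this hunk. That precondition should be confirmed and stated next to the check, e.g. `/* n >= 1 here; the message must be exactly one length byte plus the encoded point */`. The failure path also reports `ERR_R_EC_LIB` via `goto err`, which reads as a library failure rather than a malformed peer message. Whether an alert should be sent instead depends on how the `err` label is handled further down.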

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
