On Sat, Dec 26, 2020 at 11:09:41PM +0100, Lucas Nussbaum wrote: > Source: serf > Version: 1.3.9-8 > [...] > > Trailer-Test: f > > ...........F...................................................... > > > > There was 1 failure: > > 1) test_ssl_handshake: test/test_util.c:456: expected <0> but was <120199>
It looks like the change from libssl1.1 version 1.1.1h to 1.1.1i regressed this test. The documented changes between these two releases are: Changes between 1.1.1h and 1.1.1i [8 Dec 2020] *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME. If an attacker can control both items being compared then this could lead to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) (CVE-2020-1971) [Matt Caswell] *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target. [Stuart Carnie] *) The security callback, which can be customised by application code, supports the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY in the "other" parameter. In most places this is what is passed. All these places occur server side. However there was one client side call of this security operation and it passed a DH object instead. This is incorrect according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other locations. Therefore this client side call has been changed to pass an EVP_PKEY instead. [Matt Caswell] *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected when validating a certificate path. This check is restored in 1.1.1i. [David von Oheimb] The full diff is at https://github.com/openssl/openssl/compare/OpenSSL_1_1_1h...OpenSSL_1_1_1i Cheers, -- James GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB