Tried to accept via the GUI, not sure why the changelog didn't formulate. Guess I will use the command line from now on.
Here the changelog (rdiff Trunk:Testing/openssl Trunk/openssl) Index: openssl.changes =================================================================== --- openssl.changes (revision 4) +++ openssl.changes (revision 5) @@ -1,3 +1,7 @@ +* Mon Sep 20 2010 Passion Zhao <[email protected]> - 0.9.8m-3 +- Add openssl-0.9.8m-CVE-2010-2939.patch to fix BMC#5667 + Double free issue to cause openssl client to DoS via a crafted private key + * Wed Mar 10 2010 Passion Zhao <[email protected]> - 0.9.8m-2 - Add openssl_patchset_19374.diff to address CVE-2010-0433: where some kerberos enabled versions of OpenSSL could be crashed Index: openssl.spec =================================================================== --- openssl.spec (revision 4) +++ openssl.spec (revision 5) @@ -75,6 +75,7 @@ #openssl_patchset_19374.diff Patch63: openssl-0.9.8m-CVE-2010-0433.patch +Patch64: openssl-0.9.8m-CVE-2010-2939.patch License: OpenSSL Group: System/Libraries @@ -152,6 +153,7 @@ %patch62 -p0 -b .cve-2008-1671 %patch63 -p1 -b .CVE-2010-0433 +%patch64 -p1 -b .CVE-2010-2939 # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` Index: openssl-0.9.8m-CVE-2010-2939.patch =================================================================== --- openssl-0.9.8m-CVE-2010-2939.patch (revision 0) +++ openssl-0.9.8m-CVE-2010-2939.patch (revision 5) 
@@ -0,0 +1,12 @@ +Index: openssl-0.9.8o/ssl/s3_clnt.c +=================================================================== +--- openssl-0.9.8o.orig/ssl/s3_clnt.c 2010-01-26 19:40:36.000000000 +0000 ++++ openssl-0.9.8o/ssl/s3_clnt.c 2010-08-26 16:45:11.000000000 +0000 +@@ -1377,6 +1377,7 @@ + s->session->sess_cert->peer_ecdh_tmp=ecdh; + ecdh=NULL; + BN_CTX_free(bn_ctx); ++ bn_ctx = NULL; + EC_POINT_free(srvr_ecpoint); + srvr_ecpoint = NULL; + }

On 9/21/10 6:30 PM, "Rolla Selbak" <[email protected]> wrote:

Hi Passion Zhao,

The following change has been accepted. See the changelog below.

Comments: Reviewed ok

Thanks,
MeeGo Release Engineering Team

[This message was auto-generated]

---

Request #7619:

submit: home:qzhao9:branches:Trunk:Testing/openssl(r2)(cleanup) -> Trunk:Testing/openssl

Message:
Add openssl-0.9.8m-CVE-2010-2939.patch to fix BMC#5667: Double free issue to cause openssl client to DoS via a crafted private key

State: accepted 2010-09-21T18:30:36 rolla
Comment: Reviewed ok

History:
new 2010-09-20T02:46:57 qzhao9
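Review bot: In the openssl.changes hunk the new entry is versioned 0.9.8m-3, but neither openssl.spec hunk touches a Release line, so the package release and the changelog can disagree unless the build service sets the release itself; please confirm that or bump it in this request. The entry would also be easier to search if it named the identifier the way the 0.9.8m-2 entry does ("to address CVE-2010-0433"), since CVE-2010-2939 currently appears only inside the patch file name.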
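Review bot: In the openssl.spec %prep hunk, "%patch64 -p1" strips one path component, which matches the "openssl-0.9.8o/ssl/s3_clnt.c" paths inside the new patch, but those paths say 0.9.8o while the patch file name and the package say 0.9.8m. Please confirm the hunk at line 1377 applies to the 0.9.8m tree without fuzz or offset, and regenerate the patch against the packaged source so its header matches.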
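Review bot: The new openssl-0.9.8m-CVE-2010-2939.patch has no description header: nothing above "Index:" says where the fix came from or what it prevents. Add a short comment naming the source of the change and stating that "bn_ctx = NULL;" after "BN_CTX_free(bn_ctx);" keeps a later cleanup from freeing the same context again, the same pattern the context lines already use for srvr_ecpoint. The later free is outside the visible context, so the description should point to it.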
