CVSROOT:        /cvs
Module name:    ports
Changes by:     [email protected]    2022/11/01 10:00:10

Modified files:
        security/openssl/3.0: Makefile distinfo 
        security/openssl/3.0/pkg: PLIST 

Log message:
Update to OpenSSL 3.0.7

Fixes X.509 Email Address Buffer Overflows (CVE-2022-3602, CVE-2022-3786).

In good OpenSSL tradition, they ship ~250 commits since OpenSSL 3.0.5, the
last non-retracted release.

One might wonder how a punycode decoder that overflows on an example string
from the RFC makes it into a cryptographic library released in '21. Compare
test_puny_overrun() with RFC 3492 7.1 (L)... In PR 9654 someone asked about
tests early on - this was dismissed since a handful of cert chains suffices
to exercise a tricky decoder. The review could then focus on more important
things like file placement, license comments, comment formatting and style.
Ignoring a request for turning a magic number into a constant, not even one
of the 127 items on the PR is on the scary code itself.

It is also questionable whether it was really necessary to classify this as
CRITICAL and generate that much panic. It's bad, but not eye-wateringly bad
(disregarding the development process that led to this fiasco.)

Good thing this was at least downgraded to HIGH in the final announcement.
No one will be surprised that there is more than one issue in this code, so
instead of one CRITICAL issue, we get two HIGH ones. Sounds fair.

https://www.openssl.org/news/secadv/20221101.txt
https://www.openssl.org/news/secadv/20221101b.txt
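For readers who want to see what "RFC 3492 7.1 (L)" refers to, here is an added example (written for this page, not code from OpenSSL or OpenBSD): a Punycode decoder that follows the RFC 3492 decoding procedure into a fixed-size caller buffer of code points, with the capacity check applied before every insertion. It decodes sample (L) from RFC 3492 section 7.1 into an 8-slot buffer, and shows the decode being refused, with a constructed canary untouched, when the buffer has only 7 slots. The function and constant names are this example's own.

```c
/* Added example: bounds-checked RFC 3492 Punycode decoder (not OpenSSL's code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700,
       INITIAL_BIAS = 72, INITIAL_N = 128 };

/* a-z / A-Z -> 0..25, 0-9 -> 26..35, anything else is not a digit. */
static int digit_value(int c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= '0' && c <= '9') return c - '0' + 26;
    return -1;
}

/* Bias adaptation, RFC 3492 section 6.1. */
static uint32_t adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
    uint32_t k = 0;
    delta = firsttime ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((BASE - TMIN) * TMAX) / 2) {
        delta /= BASE - TMIN;
        k += BASE;
    }
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}

/*
 * Decode the ASCII Punycode label in[0..len) (no "xn--" prefix) into out,
 * which holds at most max_out code points. Returns the number of code points
 * written, or -1 if the input is malformed or the result would not fit.
 */
int punycode_decode(const char *in, size_t len, uint32_t *out, size_t max_out)
{
    size_t out_len = 0, basic_len = 0, pos = 0, j;
    uint32_t n = INITIAL_N, i = 0, bias = INITIAL_BIAS;

    /* Everything before the last '-' is copied literally. */
    for (j = 0; j < len; j++)
        if (in[j] == '-') { basic_len = j; pos = j + 1; }
    if (basic_len > max_out) return -1;
    for (j = 0; j < basic_len; j++) {
        if ((unsigned char)in[j] >= 0x80) return -1;
        out[out_len++] = (unsigned char)in[j];
    }

    while (pos < len) {
        uint32_t oldi = i, w = 1, k, q;
        for (k = BASE; ; k += BASE) {
            int digit;
            uint32_t t;
            if (pos >= len) return -1;                      /* truncated delta */
            digit = digit_value((unsigned char)in[pos++]);
            if (digit < 0) return -1;
            if ((uint32_t)digit > (UINT32_MAX - i) / w) return -1;  /* i overflow */
            i += (uint32_t)digit * w;
            t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
            if ((uint32_t)digit < t) break;
            if (w > UINT32_MAX / (BASE - t)) return -1;     /* w overflow */
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (uint32_t)out_len + 1, oldi == 0);
        q = i / (uint32_t)(out_len + 1);
        if (q > UINT32_MAX - n) return -1;                  /* n overflow */
        n += q;
        i %= (uint32_t)(out_len + 1);
        if (n > 0x10FFFF) return -1;                        /* not a code point */
        /* The check that matters: an insertion needs one free slot. */
        if (out_len >= max_out) return -1;
        memmove(out + i + 1, out + i, (out_len - i) * sizeof *out);
        out[i] = n;
        out_len++;
        i++;
    }
    return (int)out_len;
}

/* RFC 3492 section 7.1 sample (L): "3<nen>B<gumi><kinpachi><sensei>". */
static const char SAMPLE_L[] = "3B-ww4c5e180e575a65lsy2b";
static const uint32_t SAMPLE_L_EXPECTED[8] = {
    0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F };

/* 1 if sample (L) decodes to the RFC's 8 code points in an 8-slot buffer. */
int check_sample_l(void)
{
    uint32_t buf[8];
    int r = punycode_decode(SAMPLE_L, strlen(SAMPLE_L), buf, 8);
    return r == 8 && memcmp(buf, SAMPLE_L_EXPECTED, sizeof SAMPLE_L_EXPECTED) == 0;
}

/* 1 if a 7-slot buffer is refused and the constructed canary past it survives. */
int check_short_buffer_refused(void)
{
    uint32_t buf[8] = {0};
    buf[7] = 0xDEADBEEFu;                       /* canary: must never be written */
    int r = punycode_decode(SAMPLE_L, strlen(SAMPLE_L), buf, 7);
    return r == -1 && buf[7] == 0xDEADBEEFu;
}

int main(void)
{
    uint32_t buf[8];
    int r = punycode_decode(SAMPLE_L, strlen(SAMPLE_L), buf, 8), k;
    for (k = 0; k < r; k++) printf("U+%04X ", buf[k]);
    printf("\nshort buffer refused: %s\n", check_short_buffer_refused() ? "yes" : "no");
    return 0;
}
```

The insertion guard is the whole point: `out_len` is the number of slots already used, so a write is only safe while `out_len < max_out`, and the comparison must be written that way (or as `>=` on the refusal branch) rather than one off. The arithmetic overflow checks on `i`, `w` and `n` are the other places a decoder of this shape needs a test that exercises them.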
