CVSROOT: /cvs
Module name: ports
Changes by: t...@cvs.openbsd.org 2023/05/30 08:03:22

Modified files:
    security/openssl/1.1: Makefile distinfo
Removed files:
    security/openssl/1.1/patches: patch-crypto_bn_build_info patch-crypto_rsa_rsa_ossl_c

Log message:
Update to OpenSSL 1.1.1u

This includes a fix for quadratic time OID pretty printing (CVE-2023-2650). Then there are two fixes for the policy madness in RFC 5280 which mitigate the exponential growth of the policy tree by imposing a compile-time limit of 1000 nodes (CVE-2023-0464) and a parsing issue with invalid certificate policies in leaf certificates (CVE-2023-0465). Moreover, there is a documentation change for X509_VERIFY_PARAM_add0_policy() explaining that it doesn't enable policy checking contrary to the set1 version (CVE-2023-0466).

Notably, this update reverts the "Montgomery fix" for the RSA padding oracle (CVE-2022-4304) and includes a different curly thing (where the actual fix is hoisting the blinding a couple of lines), but at least it no longer involves 700 lines of garbage code that does things already done elsewhere in the lib. This allows us to remove the patches that neutered this insanity. Of course, the reason for the revert was performance.

https://www.openssl.org/news/vulnerabilities.html