CVSROOT: /cvs
Module name: ports
Changes by: t...@cvs.openbsd.org 2023/05/30 08:03:22
Modified files:
security/openssl/1.1: Makefile distinfo
Removed files:
security/openssl/1.1/patches: patch-crypto_bn_build_info
patch-crypto_rsa_rsa_ossl_c
Log message:
Update to OpenSSL 1.1.1u
This includes a fix for quadratic time OID pretty printing (CVE-2023-2650).
Then there are two fixes for the policy madness in RFC 5280 which mitigate
the exponential growth of the policy tree by imposing a compile-time limit
of 1000 nodes (CVE-2023-0464) and a parsing issue with invalid certificate
policies in leaf certificates (CVE-2023-0465). Moreover, there is a
documentation change for X509_VERIFY_PARAM_add0_policy() explaining that it
doesn't enable policy checking contrary to the set1 version (CVE-2023-0466).
Notably, this update reverts the "mongomery fix" for the RSA padding oracle
(CVE-2022-4304) and includes a different curly thing (where the actual fix is
hoisting the blinding a couple of lines), but at least it no longer involves
700 lines of garbage code that does things already done elsewhere in the lib.
This allows us to remove the patches that neutered this insanity. Of course,
the reason for the revert was performance.
https://www.openssl.org/news/vulnerabilities.html
