
Re: OpenSSL security updates


From: Efraim Flashner
Subject: Re: OpenSSL security updates
Date: Mon, 26 Sep 2016 21:31:51 +0300
User-agent: Mutt/1.7.0 (2016-08-17)

On Mon, Sep 26, 2016 at 01:01:38PM -0400, Leo Famulari wrote:
> There is a new round of OpenSSL security updates [0]. Patches are
> attached to this message.
> 
> [0]
> https://www.openssl.org/news/secadv/20160926.txt
> 
> Quoted from the link above:
> 
> OpenSSL Security Advisory [26 Sep 2016]
> ========================================
> 
> This security update addresses issues that were caused by patches
> included in our previous security update, released on 22nd September
> 2016.  Given the Critical severity of one of these flaws we have
> chosen to release this advisory immediately to prevent upgrades to the
> affected version, rather than delaying in order to provide our usual
> public pre-notification.
> 
> 
> Fix Use After Free for large message sizes (CVE-2016-6309)
> ==========================================================
> 
> Severity: Critical
> 
> This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.
> 
> The patch applied to address CVE-2016-6307 resulted in an issue where if a
> message larger than approx 16k is received then the underlying buffer to store
> the incoming message is reallocated and moved. Unfortunately a dangling pointer
> to the old location is left which results in an attempt to write to the
> previously freed location. This is likely to result in a crash, however it
> could potentially lead to execution of arbitrary code.
> 
> OpenSSL 1.1.0 users should upgrade to 1.1.0b
> 
> This issue was reported to OpenSSL on 23rd September 2016 by Robert
> Święcki (Google Security Team), and was found using honggfuzz. The fix
> was developed by Matt Caswell of the OpenSSL development team.
> 
> Missing CRL sanity check (CVE-2016-7052)
> ========================================
> 
> Severity: Moderate
> 
> This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
> 
> A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
> but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
> CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
> 
> OpenSSL 1.0.2i users should upgrade to 1.0.2j
> 
> The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and
> Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL development
> team.

> From 0f38dcc4f37853c831d11c5291b1c099ba36ea99 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Mon, 26 Sep 2016 12:53:00 -0400
> Subject: [PATCH] gnu: openssl-next: Update to 1.1.0b [fixes CVE-2016-6309].
> 
> * gnu/packages/tls.scm (openssl-next): Update to 1.1.0b.
> ---
>  gnu/packages/tls.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 93c78ae..9d91f15 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -391,7 +391,7 @@ required structures.")
>      (inherit openssl)
>      (name "openssl")
>      (replacement #f)
> -    (version "1.1.0a")
> +    (version "1.1.0b")
>      (source (origin
>               (method url-fetch)
>               (uri (list (string-append "ftp://ftp.openssl.org/source/";
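Review bot: the `uri` context at the end of this hunk fetches the tarball over plain ftp://, so the `sha256` changed in the next hunk is the only thing authenticating the 1.1.0b source. Please state in the commit message or cover mail how that hash was obtained, for example from a tarball checked against the upstream release signature.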
> @@ -402,7 +402,7 @@ required structures.")
>                (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
>                (sha256
>                 (base32
> -                "0as40a1lipl9qfax7495jc1xfb049ygavkaxxk4y5kcn8birdrn2"))))
> +                "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4"))))
>      (outputs '("out"
>                 "doc"        ;1.3MiB of man3 pages
>                 "static"))   ; 5.5MiB of .a files
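Review bot: `(patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))` is carried over unchanged while the hash moves to the 1.1.0b tarball. Confirm the patch still applies cleanly to the new source and that the package builds; the message does not say either was checked.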
> -- 
> 2.10.0
> 

> From 0006affb67ef6513e8b8923824ca0cee37ea839b Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Mon, 26 Sep 2016 12:51:39 -0400
> Subject: [PATCH] gnu: openssl: Update replacement to 1.0.2j [fixes
>  CVE-2016-7052].
> 
> * gnu/packages/tls.scm (openssl): Update replacement to 1.0.2j.
> (openssl-1.0.2i): Replace with...
> (openssl-1.0.2j): ... new variable.
> ---
>  gnu/packages/tls.scm | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 15e3e43..93c78ae 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -229,7 +229,7 @@ required structures.")
>  (define-public openssl
>    (package
>     (name "openssl")
> -   (replacement openssl-1.0.2i)
> +   (replacement openssl-1.0.2j)
>     (version "1.0.2h")
>     (source (origin
>               (method url-fetch)
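Review bot: the base package keeps `(version "1.0.2h")` while only `replacement` moves to `openssl-1.0.2j`, so the version string and the code that is actually grafted in differ. A one-line comment beside `replacement` saying that it tracks upstream security releases would explain the mismatch to the next reader of this definition.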
> @@ -368,11 +368,11 @@ required structures.")
>     (license license:openssl)
>     (home-page "http://www.openssl.org/";)))
>  
> -(define openssl-1.0.2i
> +(define openssl-1.0.2j
>    (package (inherit openssl)
>      (source
>        (let ((name "openssl")
> -            (version "1.0.2i"))
> +            (version "1.0.2j"))
>          (origin
>            (method url-fetch)
>            (uri (list (string-append "ftp://ftp.openssl.org/source/";
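Review bot: the rename of `openssl-1.0.2i` to `openssl-1.0.2j` uses a plain `define`, not `define-public`, so any remaining reference to the old name has to be inside gnu/packages/tls.scm and would fail as an unbound variable. The diff only touches the `replacement` field and the definition itself; please grep the file for `openssl-1.0.2i` before pushing to confirm nothing else names it.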
> @@ -382,7 +382,7 @@ required structures.")
>                                      "/" name "-" version ".tar.gz")))
>            (sha256
>             (base32
> -            "0vyy038676cv3m2523fi9ll9nkjxadqdnz18zdp5nm6925yli1wj"))
> +            "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
>            (patches (search-patches "openssl-runpath.patch"
>                                     "openssl-c-rehash-in.patch")))))))
>  
> -- 
> 2.10.0
> 

This looks pretty straight-forward.


-- 
Efraim Flashner   <address@hidden>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
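
The dangling-pointer pattern that the quoted advisory describes for CVE-2016-6309, shown next to its usual fix. This is an added illustration, not part of the original message and not OpenSSL's code: `struct msgbuf`, `HDR_LEN`, the function names and the 16384/20000-byte sizes are all constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 4                      /* constructed header size */
struct msgbuf { unsigned char *data; size_t cap; };

/* Grow by allocate-copy-free, so the block always moves (realloc may move). */
static int grow(struct msgbuf *b, size_t need) {
    if (need <= b->cap) return 0;
    unsigned char *n = malloc(need);
    if (!n) return -1;
    memcpy(n, b->data, b->cap);
    free(b->data);
    b->data = n;
    b->cap = need;
    return 0;
}

/* BUG pattern: the body pointer is taken before the buffer grows and is
   written through afterwards, when the old block may already be freed. */
int recv_body_stale(struct msgbuf *b, const unsigned char *src, size_t len) {
    unsigned char *body = b->data + HDR_LEN;    /* cached pointer */
    if (grow(b, HDR_LEN + len) != 0) return -1;
    memcpy(body, src, len);                     /* use after free if moved */
    return 0;
}

/* FIX: keep only an offset and derive the pointer after the grow. */
int recv_body_safe(struct msgbuf *b, const unsigned char *src, size_t len) {
    if (len > SIZE_MAX - HDR_LEN) return -1;    /* size overflow guard */
    if (grow(b, HDR_LEN + len) != 0) return -1;
    memcpy(b->data + HDR_LEN, src, len);
    return 0;
}

/* Self-check: a 20000-byte body into a 16384-byte buffer; 0 on success. */
int demo(void) {
    static unsigned char body[20000];
    struct msgbuf b = { malloc(16384), 16384 };
    if (!b.data) return -1;
    memset(b.data, 0, b.cap);
    memset(body, 0xAB, sizeof body);
    uintptr_t old = (uintptr_t)b.data;          /* address before growth */
    int rc = recv_body_safe(&b, body, sizeof body);
    int moved = (uintptr_t)b.data != old;       /* old address is now stale */
    int ok = rc == 0 && moved && b.cap == HDR_LEN + sizeof body
             && memcmp(b.data + HDR_LEN, body, sizeof body) == 0;
    free(b.data);
    return ok ? 0 : 1;
}
```

Building `recv_body_stale` with AddressSanitizer and calling it with a body larger than the buffer reports the write as a heap use-after-free, which is the class of finding a fuzzer surfaces for this kind of bug.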
