From: Efraim Flashner <efraim@flashner.co.il>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: OpenSSL security updates
Date: Mon, 26 Sep 2016 21:31:51 +0300
Message-ID: <20160926183151.GH3742@macbook42.flashner.co.il>
In-Reply-To: <20160926170138.GA7875@jasmine>

On Mon, Sep 26, 2016 at 01:01:38PM -0400, Leo Famulari wrote:
> There is a new round of OpenSSL security updates [0]. Patches are
> attached to this message.
>
> [0] https://www.openssl.org/news/secadv/20160926.txt
>
> Quoted from the link above:
>
> OpenSSL Security Advisory [26 Sep 2016]
> ========================================
>
> This security update addresses issues that were caused by patches
> included in our previous security update, released on 22nd September
> 2016. Given the Critical severity of one of these flaws we have
> chosen to release this advisory immediately to prevent upgrades to the
> affected version, rather than delaying in order to provide our usual
> public pre-notification.
>
>
> Fix Use After Free for large message sizes (CVE-2016-6309)
> ==========================================================
>
> Severity: Critical
>
> This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.
>
> The patch applied to address CVE-2016-6307 resulted in an issue where if a
> message larger than approx 16k is received then the underlying buffer to store
> the incoming message is reallocated and moved. Unfortunately a dangling pointer
> to the old location is left which results in an attempt to write to the
> previously freed location. This is likely to result in a crash, however it
> could potentially lead to execution of arbitrary code.
>
> OpenSSL 1.1.0 users should upgrade to 1.1.0b
>
> This issue was reported to OpenSSL on 23rd September 2016 by Robert
> Święcki (Google Security Team), and was found using honggfuzz. The fix
> was developed by Matt Caswell of the OpenSSL development team.
>
> Missing CRL sanity check (CVE-2016-7052)
> ========================================
>
> Severity: Moderate
>
> This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
>
> A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
> but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
> CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
>
> OpenSSL 1.0.2i users should upgrade to 1.0.2j
>
> The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and
> Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL development
> team.
> From 0f38dcc4f37853c831d11c5291b1c099ba36ea99 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 26 Sep 2016 12:53:00 -0400
> Subject: [PATCH] gnu: openssl-next: Update to 1.1.0b [fixes CVE-2016-6309].
>
> * gnu/packages/tls.scm (openssl-next): Update to 1.1.0b.
> ---
> gnu/packages/tls.scm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 93c78ae..9d91f15 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -391,7 +391,7 @@ required structures.")
> (inherit openssl)
> (name "openssl")
> (replacement #f)
> - (version "1.1.0a")
> + (version "1.1.0b")
> (source (origin
> (method url-fetch)
> (uri (list (string-append "ftp://ftp.openssl.org/source/"
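
Review bot: the uri context line at the end of this hunk fetches from ftp://ftp.openssl.org/source/, an unauthenticated transport, so for the bumped version the sha256 in the next hunk is the only integrity check on the tarball. Please state in the commit message or the cover mail that the 1.1.0b tarball was checked against upstream's published signature before the hash was recorded.
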
> @@ -402,7 +402,7 @@ required structures.")
> (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
> (sha256
> (base32
> - "0as40a1lipl9qfax7495jc1xfb049ygavkaxxk4y5kcn8birdrn2"))))
> + "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4"))))
> (outputs '("out"
> "doc" ;1.3MiB of man3 pages
> "static")) ; 5.5MiB of .a files
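
Review bot: there is no confirmation that the carried patch still applies. The search-patches context line keeps openssl-1.1.0-c-rehash-in.patch unchanged while the source moves from 1.1.0a to 1.1.0b. A one-line note that the package builds with the new hash would settle it.
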
> --
> 2.10.0
>
> From 0006affb67ef6513e8b8923824ca0cee37ea839b Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 26 Sep 2016 12:51:39 -0400
> Subject: [PATCH] gnu: openssl: Update replacement to 1.0.2j [fixes
> CVE-2016-7052].
>
> * gnu/packages/tls.scm (openssl): Update replacement to 1.0.2j.
> (openssl-1.0.2i): Replace with...
> (openssl-1.0.2j): ... new variable.
> ---
> gnu/packages/tls.scm | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 15e3e43..93c78ae 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -229,7 +229,7 @@ required structures.")
> (define-public openssl
> (package
> (name "openssl")
> - (replacement openssl-1.0.2i)
> + (replacement openssl-1.0.2j)
> (version "1.0.2h")
> (source (origin
> (method url-fetch)
> @@ -368,11 +368,11 @@ required structures.")
> (license license:openssl)
> (home-page "http://www.openssl.org/")))
>
> -(define openssl-1.0.2i
> +(define openssl-1.0.2j
> (package (inherit openssl)
> (source
> (let ((name "openssl")
> - (version "1.0.2i"))
> + (version "1.0.2j"))
> (origin
> (method url-fetch)
> (uri (list (string-append "ftp://ftp.openssl.org/source/"
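
Review bot: the let-bound (version "1.0.2j") in this hunk only feeds the source uri. The definition is (package (inherit openssl) (source ...)) and overrides nothing else, so its version field stays the inherited "1.0.2h" shown in the previous hunk. If that mismatch is deliberate for the replacement, a short comment above the define would keep a later update from changing it by accident.
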
> @@ -382,7 +382,7 @@ required structures.")
> "/" name "-" version ".tar.gz")))
> (sha256
> (base32
> - "0vyy038676cv3m2523fi9ll9nkjxadqdnz18zdp5nm6925yli1wj"))
> + "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
> (patches (search-patches "openssl-runpath.patch"
> "openssl-c-rehash-in.patch")))))))
>
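
Review bot: the hash changes, but openssl-runpath.patch and openssl-c-rehash-in.patch in the context lines are carried over as-is; please confirm both still apply to 1.0.2j. Since the advisory quoted above says any CRL use crashes 1.0.2i, a CRL verification run against the replacement build would be a useful check to mention in the reply.
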
> --
> 2.10.0
>
This looks pretty straight-forward.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
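
The dangling-pointer pattern the quoted advisory describes for CVE-2016-6309 (a receive buffer that is reallocated and moved once a message exceeds roughly 16k), as an added C example that is not OpenSSL's code and not part of this thread. `struct msgbuf` and its functions are hypothetical names, and the cached address is kept as an integer so the stale value is only compared, never dereferenced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct msgbuf {           /* constructed model, not OpenSSL's structures */
    unsigned char *data;  /* live allocation */
    size_t cap, len;      /* allocated size, bytes used */
    uintptr_t body_addr;  /* bug pattern: absolute address cached once */
    size_t body_off;      /* fix: position kept relative to data */
};

int msgbuf_init(struct msgbuf *b, size_t cap, size_t hdr_len) {
    if (hdr_len > cap || (b->data = calloc(1, cap)) == NULL) return -1;
    b->cap = cap; b->len = b->body_off = hdr_len;
    b->body_addr = (uintptr_t)(b->data + hdr_len);
    return 0;
}

/* Integer comparison only; the old address is never dereferenced. */
int msgbuf_body_is_stale(const struct msgbuf *b) {
    uintptr_t base = (uintptr_t)b->data;
    return b->body_addr < base || b->body_addr >= base + b->cap;
}

/* Hardened append: write positions always come from data + offset. Growth is
   allocate-copy-free so the block always moves; body_addr is left dangling. */
int msgbuf_append(struct msgbuf *b, const unsigned char *src, size_t n) {
    if (n > SIZE_MAX - b->len) return -1;
    if (b->len + n > b->cap) {
        unsigned char *p = malloc(b->len + n);
        if (p == NULL) return -1;
        memcpy(p, b->data, b->len);
        free(b->data);
        b->data = p; b->cap = b->len + n;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

int demo(void) {  /* 1 = buffer moved, cached address stale, offset valid */
    static unsigned char big[20000];
    struct msgbuf b; int ok;
    memset(big, 'A', sizeof big);
    if (msgbuf_init(&b, 16384, 4) != 0) return -1;
    ok = msgbuf_append(&b, big, sizeof big) == 0 && msgbuf_body_is_stale(&b)
         && b.data[b.body_off] == 'A' && b.len == 20004;
    free(b.data);
    return ok;
}
```

Any code path that still wrote through the cached address after the growth step would be writing into freed memory, which is the failure the advisory describes.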