From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: OpenSSL security updates Date: Mon, 26 Sep 2016 13:01:38 -0400 Message-ID: <20160926170138.GA7875@jasmine> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="7ZAtKRhVyVSsbBD2" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:42222) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1boZHz-0004xS-C1 for guix-devel@gnu.org; Mon, 26 Sep 2016 13:02:00 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1boZHv-0001XQ-NU for guix-devel@gnu.org; Mon, 26 Sep 2016 13:01:59 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:48632) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1boZHq-0001QS-AL for guix-devel@gnu.org; Mon, 26 Sep 2016 13:01:55 -0400 Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148]) by mail.messagingengine.com (Postfix) with ESMTPA id A1EFFCCEA8 for ; Mon, 26 Sep 2016 13:01:40 -0400 (EDT) Content-Disposition: inline List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org --7ZAtKRhVyVSsbBD2 Content-Type: multipart/mixed; boundary="mYCpIKhGyMATD0i+" Content-Disposition: inline --mYCpIKhGyMATD0i+ Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable There is a new round of OpenSSL security updates [0]. Patches are attached to this message. [0] https://www.openssl.org/news/secadv/20160926.txt Quoted from the link above: OpenSSL Security Advisory [26 Sep 2016] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification. Fix Use After Free for large message sizes (CVE-2016-6309) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D Severity: Critical This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to st= ore the incoming message is reallocated and moved. Unfortunately a dangling poi= nter to the old location is left which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code. OpenSSL 1.1.0 users should upgrade to 1.1.0b This issue was reported to OpenSSL on 23rd September 2016 by Robert =C5=9Awi=C4=99cki (Google Security Team), and was found using honggfuzz. Th= e fix was developed by Matt Caswell of the OpenSSL development team. Missing CRL sanity check (CVE-2016-7052) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Severity: Moderate This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016. A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. OpenSSL 1.0.2i users should upgrade to 1.0.2j The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens = and Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL develop= ment team. --mYCpIKhGyMATD0i+ Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0001-gnu-openssl-next-Update-to-1.1.0b-fixes-CVE-2016-630.patch" Content-Transfer-Encoding: quoted-printable =46rom 0f38dcc4f37853c831d11c5291b1c099ba36ea99 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Mon, 26 Sep 2016 12:53:00 -0400 Subject: [PATCH] gnu: openssl-next: Update to 1.1.0b [fixes CVE-2016-6309]. * gnu/packages/tls.scm (openssl-next): Update to 1.1.0b. --- gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 93c78ae..9d91f15 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -391,7 +391,7 @@ required structures.") (inherit openssl) (name "openssl") (replacement #f) - (version "1.1.0a") + (version "1.1.0b") (source (origin (method url-fetch) (uri (list (string-append "ftp://ftp.openssl.org/source/" @@ -402,7 +402,7 @@ required structures.") (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) (sha256 (base32 - "0as40a1lipl9qfax7495jc1xfb049ygavkaxxk4y5kcn8birdrn2")))) + "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4")))) (outputs '("out" "doc" ;1.3MiB of man3 pages "static")) ; 5.5MiB of .a files --=20 2.10.0 --mYCpIKhGyMATD0i+ Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0001-gnu-openssl-Update-replacement-to-1.0.2j-fixes-CVE-2.patch" Content-Transfer-Encoding: quoted-printable =46rom 0006affb67ef6513e8b8923824ca0cee37ea839b Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Mon, 26 Sep 2016 12:51:39 -0400 Subject: [PATCH] gnu: openssl: Update replacement to 1.0.2j [fixes CVE-2016-7052]. * gnu/packages/tls.scm (openssl): Update replacement to 1.0.2j. (openssl-1.0.2i): Replace with... (openssl-1.0.2j): ... new variable. --- gnu/packages/tls.scm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 15e3e43..93c78ae 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -229,7 +229,7 @@ required structures.") (define-public openssl (package (name "openssl") - (replacement openssl-1.0.2i) + (replacement openssl-1.0.2j) (version "1.0.2h") (source (origin (method url-fetch) @@ -368,11 +368,11 @@ required structures.") (license license:openssl) (home-page "http://www.openssl.org/"))) =20 -(define openssl-1.0.2i +(define openssl-1.0.2j (package (inherit openssl) (source (let ((name "openssl") - (version "1.0.2i")) + (version "1.0.2j")) (origin (method url-fetch) (uri (list (string-append "ftp://ftp.openssl.org/source/" @@ -382,7 +382,7 @@ required structures.") "/" name "-" version ".tar.gz"))) (sha256 (base32 - "0vyy038676cv3m2523fi9ll9nkjxadqdnz18zdp5nm6925yli1wj")) + "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7")) (patches (search-patches "openssl-runpath.patch" "openssl-c-rehash-in.patch"))))))) =20 --=20 2.10.0 --mYCpIKhGyMATD0i+-- --7ZAtKRhVyVSsbBD2 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJX6VRuAAoJECZG+jC6yn8I2s4QAMlM2p4qWjt2geDrwQGnUm+T yNEJRy3JOpH4tXQLrwHiMcpTIhrdWi0BF0cqLg9HlNW8mGBaif2GbKm//TmymqMd 5hqJ++nS1YS4BsBLkH0E20OXYd+54ZCylualI32/rBJWlifoUE4HeCgYvUUyYWPO wYCTiyPucnGutb4N6zHI2SCuic90OXm0eUSqTk08vg8iZXqU5WCAHwLuU1QiWXKP K9PL7S3f1g/VcHocRww3SouRgRgEMjhWMYUkS637HqY4YcWN0w28SYG/VnaxEnfP cktQT224vHS0TK+Uf7fCThm/9h5Z+1gw+Di68o5GjyZBDhjd4x9ns3+/mX3g9iep Kbxg+ELqlqpq/jug2UQEYjD2c881/I6CguuVwrj+vHTPTbyxPUmo39/nkCXg1qlf 6KNJCZTXJ8YevjTyGmpR//ZPJAiEB26cPifkHApnmsVjS8Apt+hxBv5cZuwBKkHW znLzGPe1Nb5lVHaeRfmkri3cADCKfNvfAUr0O4PeICg1X/sI/sJb0cBCoC6A36tW wTiBAryUBPy8VRItBL56oD8BMmJa5HGHuwbPtfjxLFdwztKG81Ai9ZO4B21muoX1 ta3zkAaydhgwFygKluzZQUDaft95vZafz6AYzYmZRUZSnczqDHSJ2p5tGaTVTgh/ HOZYV29/4+axfAXYV4Pq =NozD -----END PGP SIGNATURE----- --7ZAtKRhVyVSsbBD2--