On Mon, Sep 26, 2016 at 01:01:38PM -0400, Leo Famulari wrote:
> There is a new round of OpenSSL security updates [0]. Patches are
> attached to this message.
>
> [0]
> https://www.openssl.org/news/secadv/20160926.txt
>
> Quoted from the link above:
>
> OpenSSL Security Advisory [26 Sep 2016]
> ========================================
>
> This security update addresses issues that were caused by patches
> included in our previous security update, released on 22nd September
> 2016. Given the Critical severity of one of these flaws we have
> chosen to release this advisory immediately to prevent upgrades to the
> affected version, rather than delaying in order to provide our usual
> public pre-notification.
>
>
> Fix Use After Free for large message sizes (CVE-2016-6309)
> ==========================================================
>
> Severity: Critical
>
> This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.
>
> The patch applied to address CVE-2016-6307 resulted in an issue where if a
> message larger than approx 16k is received then the underlying buffer to store
> the incoming message is reallocated and moved. Unfortunately a dangling pointer
> to the old location is left which results in an attempt to write to the
> previously freed location. This is likely to result in a crash, however it
> could potentially lead to execution of arbitrary code.
>
> OpenSSL 1.1.0 users should upgrade to 1.1.0b
>
> This issue was reported to OpenSSL on 23rd September 2016 by Robert
> Święcki (Google Security Team), and was found using honggfuzz. The fix
> was developed by Matt Caswell of the OpenSSL development team.
>
> Missing CRL sanity check (CVE-2016-7052)
> ========================================
>
> Severity: Moderate
>
> This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
>
> A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
> but was omitted from OpenSSL 1.0.2i.
> As a result any attempt to use
> CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
>
> OpenSSL 1.0.2i users should upgrade to 1.0.2j
>
> The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and
> Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL development
> team.
> From 0f38dcc4f37853c831d11c5291b1c099ba36ea99 Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Mon, 26 Sep 2016 12:53:00 -0400
> Subject: [PATCH] gnu: openssl-next: Update to 1.1.0b [fixes CVE-2016-6309].
>
> * gnu/packages/tls.scm (openssl-next): Update to 1.1.0b.
> ---
> gnu/packages/tls.scm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 93c78ae..9d91f15 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -391,7 +391,7 @@ required structures.")
> (inherit openssl)
> (name "openssl")
> (replacement #f)
> - (version "1.1.0a")
> + (version "1.1.0b")
> (source (origin
> (method url-fetch)
> (uri (list (string-append "ftp://ftp.openssl.org/source/"
> @@ -402,7 +402,7 @@ required structures.")
> (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
> (sha256
> (base32
> - "0as40a1lipl9qfax7495jc1xfb049ygavkaxxk4y5kcn8birdrn2"))))
> + "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4"))))
> (outputs '("out"
> "doc" ;1.3MiB of man3 pages
> "static")) ; 5.5MiB of .a files
> --
> 2.10.0
>
> From 0006affb67ef6513e8b8923824ca0cee37ea839b Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Mon, 26 Sep 2016 12:51:39 -0400
> Subject: [PATCH] gnu: openssl: Update replacement to 1.0.2j [fixes
> CVE-2016-7052].
>
> * gnu/packages/tls.scm (openssl): Update replacement to 1.0.2j.
> (openssl-1.0.2i): Replace with...
> (openssl-1.0.2j): ... new variable.
> ---
> gnu/packages/tls.scm | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 15e3e43..93c78ae 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -229,7 +229,7 @@ required structures.")
> (define-public openssl
> (package
> (name "openssl")
> - (replacement openssl-1.0.2i)
> + (replacement openssl-1.0.2j)
> (version "1.0.2h")
> (source (origin
> (method url-fetch)
> @@ -368,11 +368,11 @@ required structures.")
> (license license:openssl)
> (home-page "http://www.openssl.org/")))
>
> -(define openssl-1.0.2i
> +(define openssl-1.0.2j
> (package (inherit openssl)
> (source
> (let ((name "openssl")
> - (version "1.0.2i"))
> + (version "1.0.2j"))
> (origin
> (method url-fetch)
> (uri (list (string-append "ftp://ftp.openssl.org/source/"
> @@ -382,7 +382,7 @@ required structures.")
> "/" name "-" version ".tar.gz")))
> (sha256
> (base32
> - "0vyy038676cv3m2523fi9ll9nkjxadqdnz18zdp5nm6925yli1wj"))
> + "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
> (patches (search-patches "openssl-runpath.patch"
> "openssl-c-rehash-in.patch")))))))
>
> --
> 2.10.0
>

This looks pretty straight-forward.

--
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
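Review bot: In the first patch (openssl-next), the new hash on the line `+ "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4"))))` in the @@ -402,7 hunk is the only integrity check the recipe has, since the unchanged context line `(uri (list (string-append "ftp://ftp.openssl.org/source/"` fetches over plain FTP; please confirm before pushing that the hash was taken from a tarball whose upstream signature verified (`gpg --verify openssl-1.1.0b.tar.gz.asc openssl-1.1.0b.tar.gz`, then `guix hash openssl-1.1.0b.tar.gz`). The `(version "1.1.0b")` bump in the @@ -391,7 hunk and the subject's "[fixes CVE-2016-6309]" are consistent with the quoted advisory, which lists only that CVE for 1.1.0a.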
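Review bot: In the second patch (openssl replacement), the @@ -382,7 hunk carries `(patches (search-patches "openssl-runpath.patch"` and `"openssl-c-rehash-in.patch")))))))` over unchanged onto the 1.0.2j tarball and nothing in the message says the grafted build was exercised; please confirm both patches still apply and that `guix build openssl` completes with the graft before pushing, and check the new `+ "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))` hash against a signature-verified openssl-1.0.2j.tar.gz as for the 1.1.0b patch. For anyone verifying the fix later: the @@ -229,7 hunk leaves `(version "1.0.2h")` on the base package and only swaps `(replacement openssl-1.0.2i)` for `(replacement openssl-1.0.2j)`, so `guix package -A openssl` keeps reporting 1.0.2h and the 1.0.2j replacement is applied as a graft when the package is built.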
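The use-after-free the quoted advisory describes under CVE-2016-6309 is the classic "realloc moved the buffer" bug: a pointer derived from the old block survives the reallocation and the next write lands in freed memory. The C program below is an added illustration of that bug class beside its fix; it is not OpenSSL's code and does not reproduce OpenSSL's data structures. The `msgbuf` type, the 16 KiB initial capacity, the record size and the message bytes are all assumptions made for the demonstration.

```c
/* Added example, not OpenSSL code: a minimal model of the CVE-2016-6309 bug
 * class (a pointer into a buffer kept across the realloc that moved it) next
 * to the fixed pattern (keep an offset, re-derive the pointer after growing).
 * The buffer type, 16 KiB initial capacity, record size and message bytes are
 * assumptions made for this demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_CAP 16384u   /* assumption: first allocation is "approx 16k" */
#define RECORD_MAX  16384u   /* assumption: data arrives in 16 KiB records */

struct msgbuf {
    unsigned char *base;     /* current heap block; changes when it grows */
    size_t cap, len;
};

static int msgbuf_init(struct msgbuf *m)
{
    m->base = malloc(INITIAL_CAP);
    m->cap = INITIAL_CAP;
    m->len = 0;
    return m->base ? 0 : -1;
}

/* Ensure room for `need` bytes, doubling as required. realloc may move the
 * block; the old address is then freed and must never be touched again. */
static int msgbuf_reserve(struct msgbuf *m, size_t need)
{
    size_t ncap = m->cap;
    unsigned char *nb;
    if (need <= m->cap) return 0;
    while (ncap < need) {
        if (ncap > SIZE_MAX / 2) return -1;
        ncap *= 2;
    }
    if ((nb = realloc(m->base, ncap)) == NULL) return -1;
    m->base = nb;
    m->cap = ncap;
    return 0;
}

/* VULNERABLE: the write cursor is taken from the old base before the buffer
 * grows; after a moving realloc it points into freed memory. */
static int append_vulnerable(struct msgbuf *m, const unsigned char *rec, size_t n)
{
    unsigned char *cursor = m->base + m->len;      /* stale once realloc moves */
    if (msgbuf_reserve(m, m->len + n) != 0) return -1;
    memcpy(cursor, rec, n);                         /* heap use-after-free */
    m->len += n;
    return 0;
}

/* FIXED: carry an offset across the growth and re-derive the pointer from
 * whatever base the buffer has afterwards. */
static int append_fixed(struct msgbuf *m, const unsigned char *rec, size_t n)
{
    size_t off = m->len;
    if (msgbuf_reserve(m, off + n) != 0) return -1;
    memcpy(m->base + off, rec, n);                  /* recomputed from new base */
    m->len = off + n;
    return 0;
}

/* Deliver a constructed `total`-byte message in RECORD_MAX-sized records via
 * the chosen append routine; return 1 if every byte landed intact, else 0. */
static int feed_message(size_t total, int use_fixed)
{
    struct msgbuf m;
    unsigned char rec[RECORD_MAX];
    size_t sent = 0, i;
    int ok = 1;
    if (msgbuf_init(&m) != 0) return 0;
    while (ok && sent < total) {
        size_t n = total - sent < RECORD_MAX ? total - sent : RECORD_MAX;
        for (i = 0; i < n; i++)
            rec[i] = (unsigned char)((sent + i) % 251);   /* constructed payload */
        ok = (use_fixed ? append_fixed(&m, rec, n)
                        : append_vulnerable(&m, rec, n)) == 0;
        sent += n;
    }
    if (m.len != total) ok = 0;
    for (i = 0; ok && i < total; i++)
        if (m.base[i] != (unsigned char)(i % 251)) ok = 0;
    free(m.base);
    return ok;
}

int main(int argc, char **argv)
{
    /* "vuln" selects the buggy routine; compile with -fsanitize=address to get
     * the heap-use-after-free report on the first record that forces growth. */
    int use_fixed = !(argc > 1 && strcmp(argv[1], "vuln") == 0);
    int ok = feed_message(40000, use_fixed);        /* > 16k, so it must grow */
    printf("%s path: %s\n", use_fixed ? "fixed" : "vulnerable",
           ok ? "message reassembled intact" : "corrupt or failed");
    return ok ? 0 : 1;
}
```

Compiled normally, the program runs the fixed path and reassembles the 40000-byte message. Compiled with `cc -fsanitize=address -g` and run as `./a.out vuln`, the write in `append_vulnerable` is reported as a heap-use-after-free as soon as `realloc` moves the block (ASan's allocator always does), which is the same shape of failure the advisory describes: likely a crash, and a write into freed memory that an attacker controlling the message contents may be able to turn into something worse.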