package/libopenssl: security bump to version 1.0.2r

Fixes the following security issue:

0-byte record padding oracle (CVE-2019-1559)

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC.  If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data.

For more details, see the advisory:

https://mta.openssl.org/pipermail/openssl-announce/2019-February/000148.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard 6 years ago
parent
commit
71fec4456f
2 changed files with 5 additions and 5 deletions
  1. 4 4
      package/libopenssl/libopenssl.hash
  2. 1 1
      package/libopenssl/libopenssl.mk

+ 4 - 4
package/libopenssl/libopenssl.hash

@@ -1,7 +1,7 @@
-# From https://www.openssl.org/source/openssl-1.0.2q.tar.gz.sha256
-sha256	5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684	openssl-1.0.2q.tar.gz
-# From https://www.openssl.org/source/openssl-1.0.2q.tar.gz.sha1
-sha1	692f5f2f1b114f8adaadaa3e7be8cce1907f38c5				openssl-1.0.2q.tar.gz
+# From https://www.openssl.org/source/openssl-1.0.2r.tar.gz.sha256
+sha256	ae51d08bba8a83958e894946f15303ff894d75c2b8bbd44a852b64e3fe11d0d6	openssl-1.0.2r.tar.gz
+# From https://www.openssl.org/source/openssl-1.0.2r.tar.gz.sha1
+sha1	b9aec1fa5cedcfa433aed37c8fe06b0ab0ce748d				openssl-1.0.2r.tar.gz
 # Locally computed
 sha256	eddd8a5123748052c598214487ac178e4bfa4e31ba2ec520c70d59c8c5bfa2e9	openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
 sha256	147c3eeaad614c044749ea527cb433eae5e2d5cad34a78c6ba61cd967bfbe01f	openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
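Review bot: the new sha256 and sha1 entries for openssl-1.0.2r.tar.gz take their digests from the same origin that serves the tarball (https://www.openssl.org/source), so they catch corruption or a later swap on a mirror but not a tampered file at that origin. Consider checking the tarball against the release's detached PGP signature before recording the hash, and stating that in the comment line above it. The sha1 entry adds little next to the sha256 one for the same file and could be dropped.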

+ 1 - 1
package/libopenssl/libopenssl.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBOPENSSL_VERSION = 1.0.2q
+LIBOPENSSL_VERSION = 1.0.2r
 LIBOPENSSL_SITE = https://www.openssl.org/source
 LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
 LIBOPENSSL_LICENSE = OpenSSL or SSLeay
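Review bot: the commit message does not say whether the package was rebuilt after the LIBOPENSSL_VERSION = 1.0.2r change. libopenssl.hash still lists two externally fetched patches named for 1.0.2a (parallel-install-dirs and parallel-obj-headers), so it is worth confirming they still apply cleanly to 1.0.2r and adding a line to the message saying the build was tested. The derived name openssl-$(LIBOPENSSL_VERSION).tar.gz does match the filenames in the updated hash entries.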