git: 04ffe8fb6bec - main - security/openssl: Update to 1.1.1v

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Bernard Spil <brnrd_at_FreeBSD.org>
Date: Wed, 02 Aug 2023 19:28:21 UTC
The branch main has been updated by brnrd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=04ffe8fb6bec091ce3a5c20c7ab73bce30d2b333

commit 04ffe8fb6bec091ce3a5c20c7ab73bce30d2b333
Author:     Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2023-08-02 19:27:30 +0000
Commit:     Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2023-08-02 19:27:30 +0000

    security/openssl: Update to 1.1.1v
    
     * MFH this version as this is a roll-up of multiple vulnerability fixes
    
    MFH:            2023Q3
---
 security/openssl/Makefile                  |  3 +-
 security/openssl/distinfo                  |  6 ++--
 security/openssl/files/patch-CVE-2023-3817 | 55 ------------------------------
 3 files changed, 4 insertions(+), 60 deletions(-)

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index d0ffd1cac2a2..886026009708 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,6 +1,5 @@
 PORTNAME=	openssl
-PORTVERSION=	1.1.1u
-PORTREVISION=	1
+PORTVERSION=	1.1.1v
 PORTEPOCH=	1
 CATEGORIES=	security devel
 MASTER_SITES=	https://www.openssl.org/source/ \
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index a37ebb5597c4..f9b0843950cb 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1685529813
-SHA256 (openssl-1.1.1u.tar.gz) = e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6
-SIZE (openssl-1.1.1u.tar.gz) = 9892176
+TIMESTAMP = 1691003970
+SHA256 (openssl-1.1.1v.tar.gz) = d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0
+SIZE (openssl-1.1.1v.tar.gz) = 9893443
diff --git a/security/openssl/files/patch-CVE-2023-3817 b/security/openssl/files/patch-CVE-2023-3817
deleted file mode 100644
index 3f1d5193c73f..000000000000
--- a/security/openssl/files/patch-CVE-2023-3817
+++ /dev/null
@@ -1,55 +0,0 @@
-From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 21 Jul 2023 11:39:41 +0200
-Subject: [PATCH] DH_check(): Do not try checking q properties if it is
- obviously invalid
-
-If  |q| >= |p| then the q value is obviously wrong as q
-is supposed to be a prime divisor of p-1.
-
-We check if p is overly large so this added test implies that
-q is not large either when performing subsequent tests using that
-q value.
-
-Otherwise if it is too large these additional checks of the q value
-such as the primality test can then trigger DoS by doing overly long
-computations.
-
-Fixes CVE-2023-3817
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21551)
----
- crypto/dh/dh_check.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 2001d2e7cb19..9ae96991eb4a 100644
---- crypto/dh/dh_check.c.orig
-+++ crypto/dh/dh_check.c
-@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh)
- 
- int DH_check(const DH *dh, int *ret)
- {
--    int ok = 0, r;
-+    int ok = 0, r, q_good = 0;
-     BN_CTX *ctx = NULL;
-     BIGNUM *t1 = NULL, *t2 = NULL;
- 
-@@ -120,7 +120,14 @@ int DH_check(const DH *dh, int *ret)
-     if (t2 == NULL)
-         goto err;
- 
--    if (dh->q) {
-+    if (dh->q != NULL) {
-+        if (BN_ucmp(dh->p, dh->q) > 0)
-+            q_good = 1;
-+        else
-+            *ret |= DH_CHECK_INVALID_Q_VALUE;
-+    }
-+
-+    if (q_good) {
-         if (BN_cmp(dh->g, BN_value_one()) <= 0)
-             *ret |= DH_NOT_SUITABLE_GENERATOR;
-         else if (BN_cmp(dh->g, dh->p) >= 0)