* [Buildroot] [PATCH 1/1] package/libopenssl: security bump to v1.1.1g
@ 2020-04-21 13:36 Titouan Christophe
2020-04-21 20:29 ` Thomas Petazzoni
2020-05-07 21:56 ` Peter Korsgaard
0 siblings, 2 replies; 5+ messages in thread
From: Titouan Christophe @ 2020-04-21 13:36 UTC (permalink / raw)
To: buildroot
This fixes CVE-2020-1967:
Server or client applications that call the SSL_check_chain() function during
or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
issue. This issue did not affect OpenSSL versions prior to 1.1.1d.
See https://www.openssl.org/news/secadv/20200421.txt
Also update the hash file to the new two spaces convention
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
---
package/libopenssl/libopenssl.hash | 6 +++---
package/libopenssl/libopenssl.mk | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index 3becd790ac..121e10c410 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@
-# From https://www.openssl.org/source/openssl-1.1.1d.tar.gz.sha256
-sha256 186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35 openssl-1.1.1f.tar.gz
+# From https://www.openssl.org/source/openssl-1.1.1g.tar.gz.sha256
+sha256 ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46 openssl-1.1.1g.tar.gz
# License files
-sha256 c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c LICENSE
+sha256 c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c LICENSE
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index 4639c63fac..a300458f85 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBOPENSSL_VERSION = 1.1.1f
+LIBOPENSSL_VERSION = 1.1.1g
LIBOPENSSL_SITE = https://www.openssl.org/source
LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
LIBOPENSSL_LICENSE = OpenSSL or SSLeay
--
2.24.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: security bump to v1.1.1g
2020-04-21 13:36 [Buildroot] [PATCH 1/1] package/libopenssl: security bump to v1.1.1g Titouan Christophe
@ 2020-04-21 20:29 ` Thomas Petazzoni
2020-05-06 14:33 ` Johan Derycke
2020-05-07 21:56 ` Peter Korsgaard
1 sibling, 1 reply; 5+ messages in thread
From: Thomas Petazzoni @ 2020-04-21 20:29 UTC (permalink / raw)
To: buildroot
On Tue, 21 Apr 2020 15:36:51 +0200
Titouan Christophe <titouan.christophe@railnova.eu> wrote:
> This fixes CVE-2020-1967:
> Server or client applications that call the SSL_check_chain() function during
> or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
> result of incorrect handling of the "signature_algorithms_cert" TLS extension.
> The crash occurs if an invalid or unrecognised signature algorithm is received
> from the peer. This could be exploited by a malicious peer in a Denial of
> Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
> issue. This issue did not affect OpenSSL versions prior to 1.1.1d.
>
> See https://www.openssl.org/news/secadv/20200421.txt
>
> Also update the hash file to the new two spaces convention
>
> Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
> ---
> package/libopenssl/libopenssl.hash | 6 +++---
> package/libopenssl/libopenssl.mk | 2 +-
> 2 files changed, 4 insertions(+), 4 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: security bump to v1.1.1g
2020-04-21 20:29 ` Thomas Petazzoni
@ 2020-05-06 14:33 ` Johan Derycke
2020-05-07 21:57 ` Peter Korsgaard
0 siblings, 1 reply; 5+ messages in thread
From: Johan Derycke @ 2020-05-06 14:33 UTC (permalink / raw)
To: buildroot
Hi,
Can this be applied to 2020.2.x, please?
Thanks,
Johan
Op di 21 apr. 2020 om 22:30 schreef Thomas Petazzoni
<thomas.petazzoni@bootlin.com>:
>
> On Tue, 21 Apr 2020 15:36:51 +0200
> Titouan Christophe <titouan.christophe@railnova.eu> wrote:
>
> > This fixes CVE-2020-1967:
> > Server or client applications that call the SSL_check_chain() function during
> > or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
> > result of incorrect handling of the "signature_algorithms_cert" TLS extension.
> > The crash occurs if an invalid or unrecognised signature algorithm is received
> > from the peer. This could be exploited by a malicious peer in a Denial of
> > Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
> > issue. This issue did not affect OpenSSL versions prior to 1.1.1d.
> >
> > See https://www.openssl.org/news/secadv/20200421.txt
> >
> > Also update the hash file to the new two spaces convention
> >
> > Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
> > ---
> > package/libopenssl/libopenssl.hash | 6 +++---
> > package/libopenssl/libopenssl.mk | 2 +-
> > 2 files changed, 4 insertions(+), 4 deletions(-)
>
> Applied to master, thanks.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: security bump to v1.1.1g
2020-04-21 13:36 [Buildroot] [PATCH 1/1] package/libopenssl: security bump to v1.1.1g Titouan Christophe
2020-04-21 20:29 ` Thomas Petazzoni
@ 2020-05-07 21:56 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2020-05-07 21:56 UTC (permalink / raw)
To: buildroot
>>>>> "Titouan" == Titouan Christophe <titouan.christophe@railnova.eu> writes:
> This fixes CVE-2020-1967:
> Server or client applications that call the SSL_check_chain() function during
> or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
> result of incorrect handling of the "signature_algorithms_cert" TLS extension.
> The crash occurs if an invalid or unrecognised signature algorithm is received
> from the peer. This could be exploited by a malicious peer in a Denial of
> Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
> issue. This issue did not affect OpenSSL versions prior to 1.1.1d.
> See https://www.openssl.org/news/secadv/20200421.txt
> Also update the hash file to the new two spaces convention
> Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Committed to 2020.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/libopenssl: security bump to v1.1.1g
2020-05-06 14:33 ` Johan Derycke
@ 2020-05-07 21:57 ` Peter Korsgaard
0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2020-05-07 21:57 UTC (permalink / raw)
To: buildroot
>>>>> "Johan" == Johan Derycke <johanderycke@gmail.com> writes:
> Hi,
> Can this be applied to 2020.2.x, please?
Sure, done.
I normally sync 2020.02.x with master every 1-2 weeks, but am running a
bit late right now.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-05-07 21:57 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-04-21 13:36 [Buildroot] [PATCH 1/1] package/libopenssl: security bump to v1.1.1g Titouan Christophe
2020-04-21 20:29 ` Thomas Petazzoni
2020-05-06 14:33 ` Johan Derycke
2020-05-07 21:57 ` Peter Korsgaard
2020-05-07 21:56 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox