Mailinglist Archive: opensuse-commit (1670 mails)
commit openssl
- From: root@xxxxxxx (h_root)
- Date: Mon, 9 Oct 2006 19:30:12 +0200 (CEST)
- Message-id: <20061009173012.1E93419AA04@xxxxxxxxxxxxxxx>
Hello community,
here is the log from the commit of package openssl
checked in at Mon Oct 9 19:30:12 CEST 2006.
--------
--- openssl/openssl.changes 2006-09-29 18:38:43.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssl/openssl.changes 2006-10-04 15:08:55.000000000 +0200
@@ -1,0 +2,7 @@
+Wed Oct 4 15:07:55 CEST 2006 - poeml@xxxxxxx
+
+- add patch for the CVE-2006-2940 fix: the newly introduced limit
+ on DH modulus size could lead to a crash when exerted. [#208971]
+ Discovered and fixed after the 0.9.8d release.
+
+-------------------------------------------------------------------
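Review bot: the wording "when exerted" in the new changelog entry does not say what triggers the crash or where. State the condition under which the DH modulus size limit crashes, and name the file the patch touches (crypto/dh/dh_key.c), so the entry can be matched to openssl-CVE-2006-2940-fixup.patch without opening it.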
New:
----
openssl-CVE-2006-2940-fixup.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.O6yWaG/_old 2006-10-09 19:19:43.000000000 +0200
+++ /var/tmp/diff_new_pack.O6yWaG/_new 2006-10-09 19:19:43.000000000 +0200
@@ -24,7 +24,7 @@
Obsoletes: ssleay
Autoreqprov: on
Version: 0.9.8d
-Release: 1
+Release: 2
Summary: Secure Sockets and Transport Layer Security
URL: http://www.openssl.org/
Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -42,6 +42,7 @@
Patch11: openssl-s390-config.diff
Patch20: openssl-0.9.8a.ca-app-segfault.bug128655.dif
Patch21: bswap.diff
+Patch22: openssl-CVE-2006-2940-fixup.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
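Review bot: Patch22 is declared here, but nothing in this spec diff applies it. The next hunk starts at old line 334 and new line 335, an offset of one that the Patch22 line alone accounts for, so no %patch22 line was added anywhere before %changelog. Unless %prep applies patches by some other means not visible here, the fix ships in the source package without being compiled in. Add the matching %patch22 to %prep (the patch paths start at crypto/, so check the strip level) and confirm in the build log that it applies.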
@@ -334,6 +335,10 @@
%{_libdir}/engines
%changelog -n openssl
+* Wed Oct 04 2006 - poeml@xxxxxxx
+- add patch for the CVE-2006-2940 fix: the newly introduced limit
+ on DH modulus size could lead to a crash when exerted. [#208971]
+ Discovered and fixed after the 0.9.8d release.
* Fri Sep 29 2006 - poeml@xxxxxxx
- update to 0.9.8d
*) Introduce limits to prevent malicious keys being able to
++++++ openssl-CVE-2006-2940-fixup.patch ++++++
Fix for the CVE-2006-2940 fix
The newly introduced limit on DH modulus size could lead to a crash when
exerted.
This was fixed after the 0.9.8d release in the OpenSSL CVS:
http://cvs.openssl.org/chngview?cn=15607
--- crypto/dh/dh_key.c 2005-08-20 20:35:53.000000000 +0200
+++ crypto/dh/dh_key.c 2006-10-04 13:25:02.000000000 +0200
@@ -173,7 +173,7 @@
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
- BN_CTX *ctx;
+ BN_CTX *ctx=NULL;
BN_MONT_CTX *mont=NULL;
BIGNUM *tmp;
int ret= -1;
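Review bot: initialising ctx to NULL in compute_key() only helps if the cleanup code tests it before use, and this hunk shows the declaration alone. Confirm that the exit path taken when the modulus limit is hit checks ctx for NULL before calling BN_CTX_end() or BN_CTX_free(). The neighbouring declaration BIGNUM *tmp; is still uninitialised, so check that the same early exit never reads it. The patch header would also be clearer if it said that the crash comes from an uninitialised pointer, and whether any other function in dh_key.c that received the limit needs the same change.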
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...