Hello community, here is the log from the commit of package libopenssl0_9_8 for openSUSE:11.4 checked in at Wed Sep 21 18:37:10 CEST 2011. -------- --- old-versions/11.4/all/libopenssl0_9_8/libopenssl0_9_8.changes 2010-04-12 10:19:19.000000000 +0200 +++ 11.4/libopenssl0_9_8/libopenssl0_9_8.changes 2011-09-20 11:19:59.000000000 +0200 @@ -1,0 +2,14 @@ +Tue Sep 20 09:18:23 UTC 2011 - gjhe@suse.com + +- fix bug[bnc#716144] - VUL-0: openssl ECDH crash. + CVE-2011-3210 + +------------------------------------------------------------------- +Thu Dec 9 04:59:29 UTC 2010 - gjhe@novell.com + +- fix bug [bnc#657663] + CVE-2010-4180 + for CVE-2010-4252,no patch is added(for the J-PAKE + implementaion is not compiled in by default). + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libopenssl0_9_8 Destination is old-versions/11.4/UPDATES/all/libopenssl0_9_8 calling whatdependson for 11.4-i586 New: ---- CVE-2010-4180.patch CVE-2011-3210.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libopenssl0_9_8.spec ++++++ --- /var/tmp/diff_new_pack.2gWZt8/_old 2011-09-21 18:36:59.000000000 +0200 +++ /var/tmp/diff_new_pack.2gWZt8/_new 2011-09-21 18:36:59.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libopenssl0_9_8 (Version 0.9.8m) +# spec file for package libopenssl0_9_8 # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,7 +26,7 @@ AutoReqProv: on # Version: 0.9.8m -Release: 2 +Release: 6.<RELEASE7> Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ Source: http://www.openssl.org/source/openssl-%{version}.tar.bz2 
@@ -34,6 +34,8 @@ Source10: README.SuSE Patch0: merge_from_0_9_8k.patch Patch1: openssl-CVE-2010-0740.patch +Patch2: CVE-2010-4180.patch +Patch3: CVE-2011-3210.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Recommends: openssl-certs @@ -57,6 +59,8 @@ %setup -q -n openssl-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 cp -p %{S:10} . echo "adding/overwriting some entries in the 'table' hash in Configure" # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++++++ CVE-2010-4180.patch ++++++ Index: openssl-0.9.8m/doc/ssl/SSL_CTX_set_options.pod =================================================================== --- openssl-0.9.8m.orig/doc/ssl/SSL_CTX_set_options.pod +++ openssl-0.9.8m/doc/ssl/SSL_CTX_set_options.pod @@ -78,18 +78,7 @@ this breaks this server so 16 bytes is t =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG -ssl3.netscape.com:443, first a connection is established with RC4-MD5. -If it is then resumed, we end up using DES-CBC3-SHA. It should be -RC4-MD5 according to 7.6.1.3, 'cipher_suite'. - -Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. -It only really shows up when connecting via SSLv2/v3 then reconnecting -via SSLv3. The cipher list changes.... - -NEW INFORMATION. Try connecting with a cipher list of just -DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses -RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when -doing a re-connect, always takes the first cipher in the cipher list. +As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG Index: openssl-0.9.8m/ssl/s3_clnt.c =================================================================== --- openssl-0.9.8m.orig/ssl/s3_clnt.c +++ openssl-0.9.8m/ssl/s3_clnt.c 
@@ -815,8 +815,11 @@ int ssl3_get_server_hello(SSL *s) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { +/* Workaround is now obsolete */ +#if 0 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) +#endif { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); Index: openssl-0.9.8m/ssl/s3_srvr.c =================================================================== --- openssl-0.9.8m.orig/ssl/s3_srvr.c +++ openssl-0.9.8m/ssl/s3_srvr.c @@ -927,6 +927,10 @@ int ssl3_get_client_hello(SSL *s) break; } } +/* Disabled because it can be used in a ciphersuite downgrade + * attack: CVE-2010-4180. + */ +#if 0 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may @@ -941,6 +945,7 @@ int ssl3_get_client_hello(SSL *s) j = 1; } } +#endif if (j == 0) { /* we need to have the cipher in the cipher ++++++ CVE-2011-3210.patch ++++++ Index: openssl-0.9.8h/ssl/s3_lib.c =================================================================== --- openssl-0.9.8h.orig/ssl/s3_lib.c +++ openssl-0.9.8h/ssl/s3_lib.c @@ -1722,11 +1722,17 @@ void ssl3_clear(SSL *s) } #ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) + { DH_free(s->s3->tmp.dh); + s->s3->tmp.dh = NULL; + } #endif #ifndef OPENSSL_NO_ECDH if (s->s3->tmp.ecdh != NULL) + { EC_KEY_free(s->s3->tmp.ecdh); + s->s3->tmp.ecdh = NULL; + } #endif rp = s->s3->rbuf.buf; Index: openssl-0.9.8h/ssl/s3_srvr.c =================================================================== --- openssl-0.9.8h.orig/ssl/s3_srvr.c +++ openssl-0.9.8h/ssl/s3_srvr.c @@ -712,6 +712,13 @@ int ssl3_check_client_hello(SSL *s) s->s3->tmp.dh = NULL; } #endif +#ifndef OPENSSL_NO_ECDH + if (s->s3->tmp.ecdh != NULL) + { + EC_KEY_free(s->s3->tmp.ecdh); + s->s3->tmp.ecdh = NULL; + } +#endif return 2; } return 1; 
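Review bot: The client-side comment `/* Workaround is now obsolete */` in ssl3_get_server_hello gives no reason, while the matching server-side block in ssl3_get_client_hello names CVE-2010-4180. I would make the client comment carry the same reference, e.g. `/* Workaround disabled: a resumed session must return the original cipher (CVE-2010-4180) */`. Both places (the s3_clnt.c hunk and the two s3_srvr.c hunks at 927 and 941) park the old code under `#if 0` instead of deleting it, which on the client leaves a dangling condition in front of a block that now always runs. Deleting the dead lines would read more clearly, though staying close to the upstream patch is a fair reason to keep them. Both function bodies continue outside the hunks.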
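Review bot: The headers of CVE-2011-3210.patch name `openssl-0.9.8h`, while the spec builds 0.9.8m and the other new patch is indexed against `openssl-0.9.8m`. With `%patch3 -p1` the directory prefix is stripped, so the patch will apply, but possibly with offsets or fuzz. For a security fix I would regenerate it against the 0.9.8m tree, or confirm in the build log that every hunk applies without fuzz, so that the frees and NULL assignments land in ssl3_clear and ssl3_check_client_hello as intended. The same applies to the remaining s3_srvr.c hunks of this patch.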
@@ -1316,7 +1323,6 @@ int ssl3_send_server_key_exchange(SSL *s if (s->s3->tmp.dh != NULL) { - DH_free(dh); SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } @@ -1377,7 +1383,6 @@ int ssl3_send_server_key_exchange(SSL *s if (s->s3->tmp.ecdh != NULL) { - EC_KEY_free(s->s3->tmp.ecdh); SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } @@ -1388,12 +1393,11 @@ int ssl3_send_server_key_exchange(SSL *s SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); goto err; } - if (!EC_KEY_up_ref(ecdhp)) + if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); goto err; } - ecdh = ecdhp; s->s3->tmp.ecdh=ecdh; if ((EC_KEY_get0_public_key(ecdh) == NULL) || @@ -2247,6 +2251,12 @@ int ssl3_get_client_key_exchange(SSL *s) /* Get encoded point length */ i = *p; p += 1; + if (n != 1 + i) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + ERR_R_EC_LIB); + goto err; + } if (EC_POINT_oct2point(group, clnt_ecpoint, p, i, bn_ctx) == 0) { ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
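Review bot: The two `!= NULL` guards in ssl3_send_server_key_exchange (hunks at 1316 and 1377) now raise ERR_R_INTERNAL_ERROR without freeing anything, so they rely on `s->s3->tmp.dh` and `s->s3->tmp.ecdh` being released and set to NULL elsewhere, which this patch does in ssl3_clear and ssl3_check_client_hello. A short comment at each guard would record that ownership, e.g. `/* tmp.ecdh is owned by s->s3 and released in ssl3_clear(); non-NULL here is a state error */`. In the hunk at 1388, `s->s3->tmp.ecdh=ecdh;` now stores a private copy from `EC_KEY_dup` where the old code stored `ecdhp` itself with an extra reference. A one-line comment saying the per-connection key must not alias `ecdhp` would keep a later cleanup from reverting to `EC_KEY_up_ref`. The function body lies mostly outside these hunks.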
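Review bot: The new check `if (n != 1 + i)` in ssl3_get_client_key_exchange (hunk at 2247) runs after `i = *p` has already been read, so it only protects the later `EC_POINT_oct2point` call and assumes `n` is at least 1 at this point. Any such guarantee is outside the hunk and should be confirmed. The failure is reported as `ERR_R_EC_LIB`, which looks like a library fault in logs although the cause is a malformed ClientKeyExchange from the peer. I would use `SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);` so that triage can tell a bad peer message from an internal EC error.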