[Pkg-openssl-changes] r660 - in openssl/branches/1.0.1/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Mon May 12 21:13:11 UTC 2014
Author: kroeckx
Date: 2014-05-12 21:13:11 +0000 (Mon, 12 May 2014)
New Revision: 660
Added:
openssl/branches/1.0.1/debian/patches/CVE-2010-5298.patch
openssl/branches/1.0.1/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch
Modified:
openssl/branches/1.0.1/debian/changelog
openssl/branches/1.0.1/debian/libssl1.0.0.postinst
openssl/branches/1.0.1/debian/patches/series
Log:
* Fix CVE-2010-5298: use-after-free race condition.
* Propose restarting prosody on upgrade (Closes: #744871).
* Add more services to be checked for restart.
* Fix a bug where the critical flag for TSA extended key usage is not
always detected, and two other similar cases.
* Add support for 'libraries/restart-without-asking', which allows
services to be restarted automatically without prompting, or
requiring a response instead.
Modified: openssl/branches/1.0.1/debian/changelog
===================================================================
--- openssl/branches/1.0.1/debian/changelog 2014-05-12 21:11:36 UTC (rev 659)
+++ openssl/branches/1.0.1/debian/changelog 2014-05-12 21:13:11 UTC (rev 660)
@@ -1,3 +1,16 @@
+openssl (1.0.1g-3) unstable; urgency=medium
+
+ * Fix CVE-2010-5298: use-after-free race condition.
+ * Propose restarting prosody on upgrade (Closes: #744871).
+ * Add more services to be checked for restart.
+ * Fix a bug where the critical flag for TSA extended key usage is not
+ always detected, and two other similar cases.
+ * Add support for 'libraries/restart-without-asking', which allows
+ services to be restarted automatically without prompting, or
+ requiring a response instead.
+
+ -- Kurt Roeckx <kurt at roeckx.be> Sat, 19 Apr 2014 18:38:32 +0200
+
openssl (1.0.1g-2) unstable; urgency=emergency
* Enable checking for services that may need to be restarted (Closes: #743889)
Modified: openssl/branches/1.0.1/debian/libssl1.0.0.postinst
===================================================================
--- openssl/branches/1.0.1/debian/libssl1.0.0.postinst 2014-05-12 21:11:36 UTC (rev 659)
+++ openssl/branches/1.0.1/debian/libssl1.0.0.postinst 2014-05-12 21:13:11 UTC (rev 660)
@@ -58,7 +58,6 @@
then
if [ ! -z "$2" ]; then
if dpkg --compare-versions "$2" lt 1.0.1g-2; then
- db_version 2.0
echo -n "Checking for services that may need to be restarted..."
check="amanda-server anon-proxy apache2 apache-ssl"
check="$check apf-firewall asterisk bacula-director-common"
@@ -102,7 +101,29 @@
s/nginx-common/nginx/g;
")
echo "done."
+ fi
+ if dpkg --compare-versions "$2" lt 1.0.1g-3; then
+ echo -n "Checking for services that may need to be restarted..."
+ check2="chef chef-expander chef-server-api"
+ check2="$check2 chef-solr pound postgresql-common"
+ check2="$check2 prosody puppet puppetmaster snmpd"
+ # Only get the ones that are installed, and configured
+ check2=$(dpkg -s $check2 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
+ # init script rewrites
+ check2=$(echo $check2 | sed -r "
+ s/chef\s/chef-client/g;
+ s/chef-server-api/chef-server/g;
+ s/postgresql-common/postgresql/g;
+ ")
+ echo "done."
+ if [ -n "$check2" ]; then
+ check="$check $check2"
+ fi
+ fi
+
+ if [ -n "$check" ]; then
+ db_version 2.0
echo "Checking init scripts..."
for service in $check; do
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
@@ -125,18 +146,23 @@
fi
done
if [ -n "$services" ]; then
- db_reset libssl1.0.0/restart-services
- db_set libssl1.0.0/restart-services "$services"
- db_input critical libssl1.0.0/restart-services || true
+ db_input critical libraries/restart-without-asking || true
db_go || true
- db_get libssl1.0.0/restart-services
-
- if [ "x$RET" != "x" ]
- then
- services=$RET
- answer=yes
- else
- answer=no
+ db_get libraries/restart-without-asking
+ if [ "x$RET" != xtrue ]; then
+ db_reset libssl1.0.0/restart-services
+ db_set libssl1.0.0/restart-services "$services"
+ db_input critical libssl1.0.0/restart-services || true
+ db_go || true
+ db_get libssl1.0.0/restart-services
+
+ if [ "x$RET" != "x" ]
+ then
+ services=$RET
+ answer=yes
+ else
+ answer=no
+ fi
fi
echo
if [ "$answer" = yes ] && [ "$services" != "" ]; then
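Review bot: The `s/chef\s/chef-client/g` rewrite at the top of the new sed script in the second hunk drops the whitespace it matched, so when chef and chef-expander are both installed the joined list becomes `chef-clientchef-expander`, and a trailing `chef` with no whitespace after it is not rewritten at all; `s/chef\s/chef-client /g; s/chef$/chef-client/;` keeps the separator and covers the last position (the later `s/chef-server-api/chef-server/g` is unaffected either way). Separately, in the third hunk the `libraries/restart-without-asking` branch leaves `answer` unassigned when `$RET` is `true`, yet the test on the last context line, `[ "$answer" = yes ]`, decides whether anything is restarted; unless `answer` is initialised to yes earlier in the script (outside the hunk) the unattended path restarts nothing, and an explicit `else answer=yes; fi` on the `xtrue` test would make the intent unambiguous. The enclosing `if` chain starts before the first hunk and continues past the last one.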
Added: openssl/branches/1.0.1/debian/patches/CVE-2010-5298.patch
===================================================================
--- openssl/branches/1.0.1/debian/patches/CVE-2010-5298.patch (rev 0)
+++ openssl/branches/1.0.1/debian/patches/CVE-2010-5298.patch 2014-05-12 21:13:11 UTC (rev 660)
@@ -0,0 +1,27 @@
+From db978be7388852059cf54e42539a363d549c5bfd Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt at roeckx.be>
+Date: Sun, 13 Apr 2014 15:05:30 +0200
+Subject: [PATCH] Don't release the buffer when there still is data in it
+
+RT: 2167, 3265
+---
+ ssl/s3_pkt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index b9e45c7..32e9207 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -1055,7 +1055,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+ {
+ s->rstate=SSL_ST_READ_HEADER;
+ rr->off=0;
+- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
++ if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
++ s->s3->rbuf.left == 0)
+ ssl3_release_read_buffer(s);
+ }
+ }
+--
+1.9.1
+
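Review bot: The new condition `s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0` relies on `&` binding tighter than `&&`; that is correct, but compilers flag it under -Wparentheses and a reader has to recall precedence, so `if ((s->mode & SSL_MODE_RELEASE_BUFFERS) && s->s3->rbuf.left == 0)` reads unambiguously. A one-line comment above it naming the reason would also help the next maintainer, e.g. `/* Do not free rbuf while unread record data remains in it (CVE-2010-5298). */`. ssl3_read_bytes begins and ends outside the hunk.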
Added: openssl/branches/1.0.1/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch
===================================================================
--- openssl/branches/1.0.1/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch (rev 0)
+++ openssl/branches/1.0.1/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch 2014-05-12 21:13:11 UTC (rev 660)
@@ -0,0 +1,40 @@
+From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Tue, 15 Apr 2014 18:48:54 +0100
+Subject: [PATCH] Extension checking fixes.
+
+When looking for an extension we need to set the last found
+position to -1 to properly search all extensions.
+
+PR#3309.
+---
+ crypto/x509v3/v3_purp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 6c40c7d..5f931db 100644
+--- a/crypto/x509v3/v3_purp.c
++++ b/crypto/x509v3/v3_purp.c
+@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
+ /* Handle proxy certificates */
+ if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+ if (x->ex_flags & EXFLAG_CA
+- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
++ || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
++ || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
+ x->ex_flags |= EXFLAG_INVALID;
+ }
+ if (pci->pcPathLengthConstraint) {
+@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
+ return 0;
+
+ /* Extended Key Usage MUST be critical */
+- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
++ i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
+ if (i_ext >= 0)
+ {
+ X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
+--
+1.9.1
+
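Review bot: The patch file is named with a placeholder identifier, `CVE-2014-XXXX-Extension-checking-fixes.patch`, and that name is also pinned in debian/patches/series, so it must be renamed in two places once an id is assigned, or stays misleading if none ever is; naming it after the upstream subject, e.g. `Extension-checking-fixes.patch`, avoids that. On the code itself, `X509_get_ext_by_NID` starts searching after the position passed as its last argument, so 0 silently skipped the first extension and -1 is the value that covers all of them, as the patch description says; a comment at the three changed call sites such as `/* lastpos -1: search from the first extension */` would keep the next person from "fixing" it back. Both x509v3_cache_extensions and check_purpose_timestamp_sign extend beyond their hunks.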
Modified: openssl/branches/1.0.1/debian/patches/series
===================================================================
--- openssl/branches/1.0.1/debian/patches/series 2014-05-12 21:11:36 UTC (rev 659)
+++ openssl/branches/1.0.1/debian/patches/series 2014-05-12 21:13:11 UTC (rev 660)
@@ -22,3 +22,5 @@
defaults.patch
openssl_fix_for_x32.patch
fix-pod-errors.patch
+CVE-2010-5298.patch
+CVE-2014-XXXX-Extension-checking-fixes.patch