[Pkg-openssl-changes] r709 - openssl/branches/wheezy/debian/patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Thu Jan 8 20:42:38 UTC 2015
Author: kroeckx
Date: 2015-01-08 20:42:37 +0000 (Thu, 08 Jan 2015)
New Revision: 709
Modified:
openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch
openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch
openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
Log:
Remove CHANGES from the commits so they apply.
Modified: openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch 2015-01-08 20:36:40 UTC (rev 708)
+++ openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch 2015-01-08 20:42:37 UTC (rev 709)
@@ -38,61 +38,12 @@
(cherry picked from commit 684400ce192dac51df3d3e92b61830a6ef90be3e)
---
- CHANGES | 37 +++++++++++++++++++++++++++++++++++++
crypto/asn1/a_verify.c | 12 ++++++++++++
crypto/dsa/dsa_asn1.c | 14 +++++++++++++-
crypto/ecdsa/ecs_vrf.c | 15 ++++++++++++++-
crypto/x509/x_all.c | 2 ++
5 files changed, 78 insertions(+), 2 deletions(-)
-diff --git a/CHANGES b/CHANGES
-index c3bb940..c91552c 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -4,6 +4,43 @@
-
- Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
-
-+ *) Fix various certificate fingerprint issues.
-+
-+ By using non-DER or invalid encodings outside the signed portion of a
-+ certificate the fingerprint can be changed without breaking the signature.
-+ Although no details of the signed portion of the certificate can be changed
-+ this can cause problems with some applications: e.g. those using the
-+ certificate fingerprint for blacklists.
-+
-+ 1. Reject signatures with non zero unused bits.
-+
-+ If the BIT STRING containing the signature has non zero unused bits reject
-+ the signature. All current signature algorithms require zero unused bits.
-+
-+ 2. Check certificate algorithm consistency.
-+
-+ Check the AlgorithmIdentifier inside TBS matches the one in the
-+ certificate signature. NB: this will result in signature failure
-+ errors for some broken certificates.
-+
-+ Thanks to Konrad Kraszewski from Google for reporting this issue.
-+
-+ 3. Check DSA/ECDSA signatures use DER.
-+
-+ Reencode DSA/ECDSA signatures and compare with the original received
-+ signature. Return an error if there is a mismatch.
-+
-+ This will reject various cases including garbage after signature
-+ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
-+ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
-+ (negative or with leading zeroes).
-+
-+ Further analysis was conducted and fixes were developed by Stephen Henson
-+ of the OpenSSL core team.
-+
-+ (CVE-2014-8275)
-+ [Steve Henson]
-+
- *) Do not resume sessions on the server if the negotiated protocol
- version does not match the session's version. Resuming with a different
- version, while not strictly forbidden by the RFC, is of questionable
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index fc84cd3..a571009 100644
--- a/crypto/asn1/a_verify.c
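Review bot: The summary line kept as context, "5 files changed, 78 insertions(+), 2 deletions(-)", is stale once the CHANGES row (37 insertions) is dropped; it should read 4 files changed, 41 insertions(+), 2 deletions(-). The tooling ignores the diffstat, but a later reader auditing the patch will not. The removed CHANGES text was also the visible place that tied this patch to CVE-2014-8275 and warned that the AlgorithmIdentifier consistency check "will result in signature failure errors for some broken certificates". Confirm the patch header or debian/changelog still carries the CVE id and that behaviour note, since neither is recoverable from the remaining code hunks alone.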
Modified: openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch 2015-01-08 20:36:40 UTC (rev 708)
+++ openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch 2015-01-08 20:42:37 UTC (rev 709)
@@ -13,28 +13,9 @@
(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
---
- CHANGES | 7 +++++++
ssl/s3_clnt.c | 18 +++++++++++++++---
2 files changed, 22 insertions(+), 3 deletions(-)
-diff --git a/CHANGES b/CHANGES
-index bfb75be..8d3e6ff 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -4,6 +4,13 @@
-
- Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
-
-+ *) Abort handshake if server key exchange message is omitted for ephemeral
-+ ECDH ciphersuites.
-+
-+ Thanks to Karthikeyan Bhargavan for reporting this issue.
-+ (CVE-2014-3572)
-+ [Steve Henson]
-+
- *) Ensure that the session ID context of an SSL is updated when its
- SSL_CTX is updated via SSL_set_SSL_CTX.
-
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 7a95d5a..43ffc77 100644
--- a/ssl/s3_clnt.c
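Review bot: The retained summary "2 files changed, 22 insertions(+), 3 deletions(-)" no longer matches the patch body after the CHANGES row (7 insertions) is removed; it should be 1 file changed, 15 insertions(+), 3 deletions(-), matching the remaining ssl/s3_clnt.c row. The dropped entry carried the CVE-2014-3572 reference and the one-line statement of the fix (abort the handshake if the server key exchange message is omitted for ephemeral ECDH ciphersuites). Keep that identifier in the patch description or debian/changelog so security tracking can still map this file to the CVE.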
Modified: openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch 2015-01-08 20:36:40 UTC (rev 708)
+++ openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch 2015-01-08 20:42:37 UTC (rev 709)
@@ -18,7 +18,6 @@
Conflicts:
doc/ssl/SSL_CTX_set_options.pod
---
- CHANGES | 8 ++++++++
doc/ssl/SSL_CTX_set_options.pod | 10 +---------
doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 23 ++++++++---------------
ssl/d1_srvr.c | 21 ++++++---------------
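Review bot: The header kept above the diffstat still says "Conflicts: doc/ssl/SSL_CTX_set_options.pod", and that file remains in the patch. Since the CHANGES hunk had to be removed because it did not apply, check that the doc/ssl/SSL_CTX_set_options.pod hunk applies cleanly to this branch as well, rather than only removing the hunk that failed first.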
@@ -27,25 +26,6 @@
ssl/ssl.h | 5 ++---
7 files changed, 38 insertions(+), 57 deletions(-)
-diff --git a/CHANGES b/CHANGES
-index 8d3e6ff..594d7c5 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -11,6 +11,14 @@
- (CVE-2014-3572)
- [Steve Henson]
-
-+ *) Remove non-export ephemeral RSA code on client and server. This code
-+ violated the TLS standard by allowing the use of temporary RSA keys in
-+ non-export ciphersuites and could be used by a server to effectively
-+ downgrade the RSA key length used to a value smaller than the server
-+ certificate. Thanks for Karthikeyan Bhargavan for reporting this issue.
-+ (CVE-2015-0204)
-+ [Steve Henson]
-+
- *) Ensure that the session ID context of an SSL is updated when its
- SSL_CTX is updated via SSL_set_SSL_CTX.
-
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 6e6b5e6..e80a72c 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
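Review bot: The context line "7 files changed, 38 insertions(+), 57 deletions(-)" is left stale by this hunk; without the CHANGES row (8 insertions) it should read 6 files changed, 30 insertions(+), 57 deletions(-). Note also that the removed CHANGES hunk used the "(CVE-2014-3572)" entry as context, so it could only ever apply after the CHANGES hunk of 0098; dropping both removes that ordering dependency, which is consistent with the log message. The CVE-2015-0204 reference and the description of the downgrade (temporary RSA keys accepted in non-export ciphersuites) now need to live in the patch header or debian/changelog instead.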