| Message ID | 1474933495-2967-1-git-send-email-gustavo@zacarias.com.ar |
|---|---|
| State | Accepted |
| Commit | 7ba5ed97bc1bf9b4f8aef2dec4a64520b444b677 |
| Headers | show |
Hi Gustavo, On Mon, Sep 26, 2016 at 08:44:55PM -0300, Gustavo Zacarias wrote: > Fixes: > CVE-2016-6309 - Fix Use After Free for large message sizes According to https://www.openssl.org/news/secadv/20160926.txt, CVE-2016-6309 only affects 1.1.0a. baruch > CVE-2016-7052 - Missing CRL sanity check > > Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> > --- > package/openssl/openssl.hash | 4 ++-- > package/openssl/openssl.mk | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/openssl/openssl.hash b/package/openssl/openssl.hash > index 50a0cc7..0dc5450 100644 > --- a/package/openssl/openssl.hash > +++ b/package/openssl/openssl.hash > @@ -1,5 +1,5 @@ > -# From https://www.openssl.org/source/openssl-1.0.2i.tar.gz.sha256 > -sha256 9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f openssl-1.0.2i.tar.gz > +# From https://www.openssl.org/source/openssl-1.0.2j.tar.gz.sha256 > +sha256 e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 openssl-1.0.2j.tar.gz > # Locally computed > sha256 eddd8a5123748052c598214487ac178e4bfa4e31ba2ec520c70d59c8c5bfa2e9 openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d > sha256 147c3eeaad614c044749ea527cb433eae5e2d5cad34a78c6ba61cd967bfbe01f openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d > diff --git a/package/openssl/openssl.mk b/package/openssl/openssl.mk > index 055ed79..6dc4b85 100644 > --- a/package/openssl/openssl.mk > +++ b/package/openssl/openssl.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -OPENSSL_VERSION = 1.0.2i > +OPENSSL_VERSION = 1.0.2j > OPENSSL_SITE = http://www.openssl.org/source > OPENSSL_LICENSE = OpenSSL or SSLeay > OPENSSL_LICENSE_FILES = LICENSE
>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes: > Fixes: > CVE-2016-6309 - Fix Use After Free for large message sizes > CVE-2016-7052 - Missing CRL sanity check Committed after removing the 6309 CVE reference as pointed out by Baruch, thanks.
diff --git a/package/openssl/openssl.hash b/package/openssl/openssl.hash index 50a0cc7..0dc5450 100644 --- a/package/openssl/openssl.hash +++ b/package/openssl/openssl.hash @@ -1,5 +1,5 @@ -# From https://www.openssl.org/source/openssl-1.0.2i.tar.gz.sha256 -sha256 9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f openssl-1.0.2i.tar.gz +# From https://www.openssl.org/source/openssl-1.0.2j.tar.gz.sha256 +sha256 e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 openssl-1.0.2j.tar.gz # Locally computed sha256 eddd8a5123748052c598214487ac178e4bfa4e31ba2ec520c70d59c8c5bfa2e9 openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d sha256 147c3eeaad614c044749ea527cb433eae5e2d5cad34a78c6ba61cd967bfbe01f openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d diff --git a/package/openssl/openssl.mk b/package/openssl/openssl.mk index 055ed79..6dc4b85 100644 --- a/package/openssl/openssl.mk +++ b/package/openssl/openssl.mk @@ -4,7 +4,7 @@ # ################################################################################ -OPENSSL_VERSION = 1.0.2i +OPENSSL_VERSION = 1.0.2j OPENSSL_SITE = http://www.openssl.org/source OPENSSL_LICENSE = OpenSSL or SSLeay OPENSSL_LICENSE_FILES = LICENSE
Fixes: CVE-2016-6309 - Fix Use After Free for large message sizes CVE-2016-7052 - Missing CRL sanity check Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> --- package/openssl/openssl.hash | 4 ++-- package/openssl/openssl.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)