package/libressl: security bump to 3.2.5

It includes the following bug fix:

 * A TLS client using session resumption may cause a use-after-free.

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt

Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
---
 package/libressl/libressl.hash | 2 +-
 package/libressl/libressl.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Ismael, All,

On 2021-03-21 00:03 +0100, Ismael Luceno spake thusly:
> It includes the following bug fix:
> 
>  * A TLS client using session resumption may cause a use-after-free.
> 
> https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt
> 
> Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/libressl/libressl.hash | 2 +-
>  package/libressl/libressl.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/libressl/libressl.hash b/package/libressl/libressl.hash
> index 0dd0ffcaed03..9f216bf2f143 100644
> --- a/package/libressl/libressl.hash
> +++ b/package/libressl/libressl.hash
> @@ -1,4 +1,4 @@
>  # From https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/SHA256
> -sha256  412dc2baa739228c7779e93eb07cd645d5c964d2f2d837a9fd56db7498463d73  libressl-3.2.3.tar.gz
> +sha256  798a65fd61d385e09d559810cdfa46512f8def5919264cfef241a7b086ce7cfe  libressl-3.2.5.tar.gz
>  # Locally computed
>  sha256  5c63613f008f16a9c0025c096bbd736cecf720494d121b5c5203e0ec6e5955b1  COPYING
> diff --git a/package/libressl/libressl.mk b/package/libressl/libressl.mk
> index 654b8bda2622..ad345ba3f091 100644
> --- a/package/libressl/libressl.mk
> +++ b/package/libressl/libressl.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LIBRESSL_VERSION = 3.2.3
> +LIBRESSL_VERSION = 3.2.5
>  LIBRESSL_SITE = https://ftp.openbsd.org/pub/OpenBSD/LibreSSL
>  LIBRESSL_LICENSE = ISC (new additions), OpenSSL or SSLeay (original OpenSSL code)
>  LIBRESSL_LICENSE_FILES = COPYING
> -- 
> 2.31.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

>>>>> "Ismael" == Ismael Luceno <ismael@iodev.co.uk> writes:

 > It includes the following bug fix:
 >  * A TLS client using session resumption may cause a use-after-free.

 > https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt

 > Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>

Committed to 2020.11.x and 2021.02.x, thanks.

It it not really clear to me if this is only an issue in 3.2.x /
TLSv1.3?

On 26/Mar/2021 23:47, Peter Korsgaard wrote:
> >>>>> "Ismael" == Ismael Luceno <ismael@iodev.co.uk> writes:
> 
>  > It includes the following bug fix:
>  >  * A TLS client using session resumption may cause a use-after-free.
> 
>  > https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt
> 
>  > Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
> 
> Committed to 2020.11.x and 2021.02.x, thanks.
> 
> It it not really clear to me if this is only an issue in 3.2.x /
> TLSv1.3?

AFAICT, it's covered; 3.1 branch is unaffected, the field causing the issue
was introduced in the 3.2 branch. BTW, 3.3.1 also seems to be affected.

>>>>> "Ismael" == Ismael Luceno <ismael@iodev.co.uk> writes:

 > On 26/Mar/2021 23:47, Peter Korsgaard wrote:
 >> >>>>> "Ismael" == Ismael Luceno <ismael@iodev.co.uk> writes:
 >> 
 >> > It includes the following bug fix:
 >> >  * A TLS client using session resumption may cause a use-after-free.
 >> 
 >> > https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt
 >> 
 >> > Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
 >> 
 >> Committed to 2020.11.x and 2021.02.x, thanks.
 >> 
 >> It it not really clear to me if this is only an issue in 3.2.x /
 >> TLSv1.3?

 > AFAICT, it's covered; 3.1 branch is unaffected, the field causing the issue
 > was introduced in the 3.2 branch. BTW, 3.3.1 also seems to be affected.

Ok, thanks!