
package/libopenssl: security bump to version 3.2.1

Message ID 20240208111214.679980-1-peter@korsgaard.com
State Accepted

Commit Message

Peter Korsgaard Feb. 8, 2024, 11:12 a.m. UTC
Also drop the patches that have since been merged upstream.

Fixes the following (low severity) issues:

- CVE-2023-6129 POLY1305 MAC implementation corrupts vector registers on
  PowerPC
  https://www.openssl.org/news/secadv/20240109.txt

- CVE-2023-6237 Excessive time spent checking invalid RSA public keys
  https://www.openssl.org/news/secadv/20240115.txt

- CVE-2024-0727 PKCS12 Decoding crashes
  https://www.openssl.org/news/secadv/20240125.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...x-mispelling-of-extension-test-macro.patch |  30 -----
 ...x-genstr-genconf-option-in-asn1parse.patch |  42 ------
 ...en-asn1-oid-loader-to-invalid-inputs.patch | 122 ------------------
 package/libopenssl/libopenssl.hash            |   4 +-
 package/libopenssl/libopenssl.mk              |   2 +-
 5 files changed, 3 insertions(+), 197 deletions(-)
 delete mode 100644 package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
 delete mode 100644 package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
 delete mode 100644 package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch

Comments

Yann E. MORIN Feb. 11, 2024, 9:44 p.m. UTC | #1
Peter, all,

On 2024-02-08 12:12 +0100, Peter Korsgaard spake thusly:
> And drop the now upstreamed patches.
> 
> Fixes the following (low severity) issues:
> 
> - CVE-2023-6129 POLY1305 MAC implementation corrupts vector registers on
>   PowerPC
>   https://www.openssl.org/news/secadv/20240109.txt
> 
> - CVE-2023-6237 Excessive time spent checking invalid RSA public keys
>   https://www.openssl.org/news/secadv/20240115.txt
> 
> - CVE-2024-0727 PKCS12 Decoding crashes
>   https://www.openssl.org/news/secadv/20240125.txt
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...x-mispelling-of-extension-test-macro.patch |  30 -----
>  ...x-genstr-genconf-option-in-asn1parse.patch |  42 ------
>  ...en-asn1-oid-loader-to-invalid-inputs.patch | 122 ------------------
>  package/libopenssl/libopenssl.hash            |   4 +-
>  package/libopenssl/libopenssl.mk              |   2 +-
>  5 files changed, 3 insertions(+), 197 deletions(-)
>  delete mode 100644 package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
>  delete mode 100644 package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
>  delete mode 100644 package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
> 
> diff --git a/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch b/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
> deleted file mode 100644
> index 93b191a61c..0000000000
> --- a/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
> +++ /dev/null
> @@ -1,30 +0,0 @@
> -From 68c549df05892c16b99603b9a831c79c540f268c Mon Sep 17 00:00:00 2001
> -From: Grant Nichol <me@grantnichol.com>
> -Date: Fri, 22 Dec 2023 23:46:39 -0600
> -Subject: [PATCH] riscv: Fix mispelling of extension test macro
> -
> -When refactoring the riscv extension test macros,
> -RISCV_HAS_ZKND_AND_ZKNE was mispelled.
> -
> -Upstream: https://github.com/openssl/openssl/pull/23139
> -Signed-off-by: Grant Nichol <me@grantnichol.com>
> ----
> - providers/implementations/ciphers/cipher_aes_xts_hw.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c
> -index b35b71020e..65adc47d1f 100644
> ---- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
> -+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
> -@@ -285,7 +285,7 @@ static const PROV_CIPHER_HW aes_xts_rv32i_zbkb_zknd_zkne = {                   \
> - # define PROV_CIPHER_HW_select_xts()                                           \
> - if (RISCV_HAS_ZBKB_AND_ZKND_AND_ZKNE())                                        \
> -     return &aes_xts_rv32i_zbkb_zknd_zkne;                                      \
> --if (RISCV_HAS_ZKND_ZKNE())                                                     \
> -+if (RISCV_HAS_ZKND_AND_ZKNE())                                                     \
> -     return &aes_xts_rv32i_zknd_zkne;
> - # else
> - /* The generic case */
> ---
> -2.43.0
> -
> diff --git a/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch b/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
> deleted file mode 100644
> index 9fa36d83be..0000000000
> --- a/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -From 749fcc0e3ce796474a15d6fac221e57daeacff1e Mon Sep 17 00:00:00 2001
> -From: Neil Horman <nhorman@openssl.org>
> -Date: Tue, 5 Dec 2023 14:50:01 -0500
> -Subject: [PATCH] Fix genstr/genconf option in asn1parse
> -
> -At some point the asn1parse applet was changed to default the inform to
> -PEM, and defalt input file to stdin.  Doing so broke the -genstr|conf options,
> -in that, before we attempt to generate an ASN1 block from the provided
> -genstr string, we attempt to read a PEM input from stdin.  As a result,
> -this command:
> -openssl asn1parse -genstr OID:1.2.3.4
> -hangs because we are attempting a blocking read on stdin, waiting for
> -data that never arrives
> -
> -Fix it by giving priority to genstr|genconf, such that, if set, will just run
> -do_generate on that string and exit
> -
> -Reviewed-by: Hugo Landau <hlandau@openssl.org>
> -Reviewed-by: Tomas Mraz <tomas@openssl.org>
> -(Merged from https://github.com/openssl/openssl/pull/22957)
> -Upstream: https://github.com/openssl/openssl/commit/749fcc0e3ce796474a15d6fac221e57daeacff1e
> -Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
> ----
> - apps/asn1parse.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/apps/asn1parse.c b/apps/asn1parse.c
> -index 097b0cc1ed..6597a6180b 100644
> ---- a/apps/asn1parse.c
> -+++ b/apps/asn1parse.c
> -@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv)
> - 
> -     if ((buf = BUF_MEM_new()) == NULL)
> -         goto end;
> --    if (informat == FORMAT_PEM) {
> -+    if (genstr == NULL && informat == FORMAT_PEM) {
> -         if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
> -             BIO_printf(bio_err, "Error reading PEM file\n");
> -             ERR_print_errors(bio_err);
> --- 
> -2.40.0
> -
> diff --git a/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch b/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
> deleted file mode 100644
> index 299ecbc2ed..0000000000
> --- a/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
> +++ /dev/null
> @@ -1,122 +0,0 @@
> -From a552c23c6502592c1b3c67d93dd7e5ffbe958aa4 Mon Sep 17 00:00:00 2001
> -From: Neil Horman <nhorman@openssl.org>
> -Date: Tue, 5 Dec 2023 15:24:20 -0500
> -Subject: [PATCH] Harden asn1 oid loader to invalid inputs
> -
> -In the event that a config file contains this sequence:
> -=======
> -openssl_conf = openssl_init
> -
> -config_diagnostics = 1
> -
> -[openssl_init]
> -oid_section = oids
> -
> -[oids]
> -testoid1 = 1.2.3.4.1
> -testoid2 = A Very Long OID Name, 1.2.3.4.2
> -testoid3 = ,1.2.3.4.3
> -======
> -
> -The leading comma in testoid3 can cause a heap buffer overflow, as the
> -parsing code will move the string pointer back 1 character, thereby
> -pointing to an invalid memory space
> -
> -correct the parser to detect this condition and handle it by treating it
> -as if the comma doesn't exist (i.e. an empty long oid name)
> -
> -Reviewed-by: Hugo Landau <hlandau@openssl.org>
> -Reviewed-by: Tomas Mraz <tomas@openssl.org>
> -(Merged from https://github.com/openssl/openssl/pull/22957)
> -Upstream: https://github.com/openssl/openssl/commit/a552c23c6502592c1b3c67d93dd7e5ffbe958aa4
> -Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
> ----
> - apps/asn1parse.c                  |  2 +-
> - crypto/asn1/asn_moid.c            |  4 ++++
> - test/recipes/04-test_asn1_parse.t | 26 ++++++++++++++++++++++++++
> - test/test_asn1_parse.cnf          | 12 ++++++++++++
> - 4 files changed, 43 insertions(+), 1 deletion(-)
> - create mode 100644 test/recipes/04-test_asn1_parse.t
> - create mode 100644 test/test_asn1_parse.cnf
> -
> -diff --git a/apps/asn1parse.c b/apps/asn1parse.c
> -index 6597a6180b..bf62f85947 100644
> ---- a/apps/asn1parse.c
> -+++ b/apps/asn1parse.c
> -@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv)
> - 
> -     if ((buf = BUF_MEM_new()) == NULL)
> -         goto end;
> --    if (genstr == NULL && informat == FORMAT_PEM) {
> -+    if (genconf == NULL && genstr == NULL && informat == FORMAT_PEM) {
> -         if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
> -             BIO_printf(bio_err, "Error reading PEM file\n");
> -             ERR_print_errors(bio_err);
> -diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c
> -index 6f816307af..1e183f4f18 100644
> ---- a/crypto/asn1/asn_moid.c
> -+++ b/crypto/asn1/asn_moid.c
> -@@ -67,6 +67,10 @@ static int do_create(const char *value, const char *name)
> -     if (p == NULL) {
> -         ln = name;
> -         ostr = value;
> -+    } else if (p == value) {
> -+        /* we started with a leading comma */
> -+        ln = name;
> -+        ostr = p + 1;
> -     } else {
> -         ln = value;
> -         ostr = p + 1;
> -diff --git a/test/recipes/04-test_asn1_parse.t b/test/recipes/04-test_asn1_parse.t
> -new file mode 100644
> -index 0000000000..f3af436592
> ---- /dev/null
> -+++ b/test/recipes/04-test_asn1_parse.t
> -@@ -0,0 +1,26 @@
> -+#! /usr/bin/env perl
> -+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
> -+#
> -+# Licensed under the Apache License 2.0 (the "License").  You may not use
> -+# this file except in compliance with the License.  You can obtain a copy
> -+# in the file LICENSE in the source distribution or at
> -+# https://www.openssl.org/source/license.html
> -+
> -+use strict;
> -+use OpenSSL::Test qw(:DEFAULT srctop_file);
> -+use OpenSSL::Test::Utils;
> -+
> -+setup("test_asn1_parse");
> -+
> -+plan tests => 3;
> -+
> -+$ENV{OPENSSL_CONF} = srctop_file("test", "test_asn1_parse.cnf");
> -+
> -+ok(run(app(([ 'openssl', 'asn1parse',
> -+              '-genstr', 'OID:1.2.3.4.1']))));
> -+
> -+ok(run(app(([ 'openssl', 'asn1parse',
> -+              '-genstr', 'OID:1.2.3.4.2']))));
> -+
> -+ok(run(app(([ 'openssl', 'asn1parse',
> -+              '-genstr', 'OID:1.2.3.4.3']))));
> -diff --git a/test/test_asn1_parse.cnf b/test/test_asn1_parse.cnf
> -new file mode 100644
> -index 0000000000..5f0305657e
> ---- /dev/null
> -+++ b/test/test_asn1_parse.cnf
> -@@ -0,0 +1,12 @@
> -+openssl_conf = openssl_init
> -+
> -+# Comment out the next line to ignore configuration errors
> -+config_diagnostics = 1
> -+
> -+[openssl_init]
> -+oid_section = oids
> -+
> -+[oids]
> -+testoid1 = 1.2.3.4.1
> -+testoid2 = A Very Long OID Name, 1.2.3.4.2
> -+testoid3 = ,1.2.3.4.3
> --- 
> -2.40.0
> -
> diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
> index 9e09e12461..841d4b4cfd 100644
> --- a/package/libopenssl/libopenssl.hash
> +++ b/package/libopenssl/libopenssl.hash
> @@ -1,5 +1,5 @@
> -# From https://www.openssl.org/source/openssl-3.2.0.tar.gz.sha256
> -sha256  14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e  openssl-3.2.0.tar.gz
> +# From https://www.openssl.org/source/openssl-3.2.1.tar.gz.sha256
> +sha256  83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39  openssl-3.2.1.tar.gz
>  
>  # License files
>  sha256  7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a  LICENSE.txt
> diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
> index 7dc6d93256..feb5026c02 100644
> --- a/package/libopenssl/libopenssl.mk
> +++ b/package/libopenssl/libopenssl.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LIBOPENSSL_VERSION = 3.2.0
> +LIBOPENSSL_VERSION = 3.2.1
>  LIBOPENSSL_SITE = https://www.openssl.org/source
>  LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
>  LIBOPENSSL_LICENSE = Apache-2.0
> -- 
> 2.39.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

Patch

diff --git a/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch b/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
deleted file mode 100644
index 93b191a61c..0000000000
--- a/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
+++ /dev/null
@@ -1,30 +0,0 @@ 
-From 68c549df05892c16b99603b9a831c79c540f268c Mon Sep 17 00:00:00 2001
-From: Grant Nichol <me@grantnichol.com>
-Date: Fri, 22 Dec 2023 23:46:39 -0600
-Subject: [PATCH] riscv: Fix mispelling of extension test macro
-
-When refactoring the riscv extension test macros,
-RISCV_HAS_ZKND_AND_ZKNE was mispelled.
-
-Upstream: https://github.com/openssl/openssl/pull/23139
-Signed-off-by: Grant Nichol <me@grantnichol.com>
----
- providers/implementations/ciphers/cipher_aes_xts_hw.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-index b35b71020e..65adc47d1f 100644
---- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-@@ -285,7 +285,7 @@ static const PROV_CIPHER_HW aes_xts_rv32i_zbkb_zknd_zkne = {                   \
- # define PROV_CIPHER_HW_select_xts()                                           \
- if (RISCV_HAS_ZBKB_AND_ZKND_AND_ZKNE())                                        \
-     return &aes_xts_rv32i_zbkb_zknd_zkne;                                      \
--if (RISCV_HAS_ZKND_ZKNE())                                                     \
-+if (RISCV_HAS_ZKND_AND_ZKNE())                                                     \
-     return &aes_xts_rv32i_zknd_zkne;
- # else
- /* The generic case */
---
-2.43.0
-
diff --git a/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch b/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
deleted file mode 100644
index 9fa36d83be..0000000000
--- a/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
+++ /dev/null
@@ -1,42 +0,0 @@ 
-From 749fcc0e3ce796474a15d6fac221e57daeacff1e Mon Sep 17 00:00:00 2001
-From: Neil Horman <nhorman@openssl.org>
-Date: Tue, 5 Dec 2023 14:50:01 -0500
-Subject: [PATCH] Fix genstr/genconf option in asn1parse
-
-At some point the asn1parse applet was changed to default the inform to
-PEM, and defalt input file to stdin.  Doing so broke the -genstr|conf options,
-in that, before we attempt to generate an ASN1 block from the provided
-genstr string, we attempt to read a PEM input from stdin.  As a result,
-this command:
-openssl asn1parse -genstr OID:1.2.3.4
-hangs because we are attempting a blocking read on stdin, waiting for
-data that never arrives
-
-Fix it by giving priority to genstr|genconf, such that, if set, will just run
-do_generate on that string and exit
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/22957)
-Upstream: https://github.com/openssl/openssl/commit/749fcc0e3ce796474a15d6fac221e57daeacff1e
-Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
----
- apps/asn1parse.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/apps/asn1parse.c b/apps/asn1parse.c
-index 097b0cc1ed..6597a6180b 100644
---- a/apps/asn1parse.c
-+++ b/apps/asn1parse.c
-@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv)
- 
-     if ((buf = BUF_MEM_new()) == NULL)
-         goto end;
--    if (informat == FORMAT_PEM) {
-+    if (genstr == NULL && informat == FORMAT_PEM) {
-         if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
-             BIO_printf(bio_err, "Error reading PEM file\n");
-             ERR_print_errors(bio_err);
--- 
-2.40.0
-
diff --git a/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch b/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
deleted file mode 100644
index 299ecbc2ed..0000000000
--- a/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
+++ /dev/null
@@ -1,122 +0,0 @@ 
-From a552c23c6502592c1b3c67d93dd7e5ffbe958aa4 Mon Sep 17 00:00:00 2001
-From: Neil Horman <nhorman@openssl.org>
-Date: Tue, 5 Dec 2023 15:24:20 -0500
-Subject: [PATCH] Harden asn1 oid loader to invalid inputs
-
-In the event that a config file contains this sequence:
-=======
-openssl_conf = openssl_init
-
-config_diagnostics = 1
-
-[openssl_init]
-oid_section = oids
-
-[oids]
-testoid1 = 1.2.3.4.1
-testoid2 = A Very Long OID Name, 1.2.3.4.2
-testoid3 = ,1.2.3.4.3
-======
-
-The leading comma in testoid3 can cause a heap buffer overflow, as the
-parsing code will move the string pointer back 1 character, thereby
-pointing to an invalid memory space
-
-correct the parser to detect this condition and handle it by treating it
-as if the comma doesn't exist (i.e. an empty long oid name)
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/22957)
-Upstream: https://github.com/openssl/openssl/commit/a552c23c6502592c1b3c67d93dd7e5ffbe958aa4
-Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
----
- apps/asn1parse.c                  |  2 +-
- crypto/asn1/asn_moid.c            |  4 ++++
- test/recipes/04-test_asn1_parse.t | 26 ++++++++++++++++++++++++++
- test/test_asn1_parse.cnf          | 12 ++++++++++++
- 4 files changed, 43 insertions(+), 1 deletion(-)
- create mode 100644 test/recipes/04-test_asn1_parse.t
- create mode 100644 test/test_asn1_parse.cnf
-
-diff --git a/apps/asn1parse.c b/apps/asn1parse.c
-index 6597a6180b..bf62f85947 100644
---- a/apps/asn1parse.c
-+++ b/apps/asn1parse.c
-@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv)
- 
-     if ((buf = BUF_MEM_new()) == NULL)
-         goto end;
--    if (genstr == NULL && informat == FORMAT_PEM) {
-+    if (genconf == NULL && genstr == NULL && informat == FORMAT_PEM) {
-         if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
-             BIO_printf(bio_err, "Error reading PEM file\n");
-             ERR_print_errors(bio_err);
-diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c
-index 6f816307af..1e183f4f18 100644
---- a/crypto/asn1/asn_moid.c
-+++ b/crypto/asn1/asn_moid.c
-@@ -67,6 +67,10 @@ static int do_create(const char *value, const char *name)
-     if (p == NULL) {
-         ln = name;
-         ostr = value;
-+    } else if (p == value) {
-+        /* we started with a leading comma */
-+        ln = name;
-+        ostr = p + 1;
-     } else {
-         ln = value;
-         ostr = p + 1;
-diff --git a/test/recipes/04-test_asn1_parse.t b/test/recipes/04-test_asn1_parse.t
-new file mode 100644
-index 0000000000..f3af436592
---- /dev/null
-+++ b/test/recipes/04-test_asn1_parse.t
-@@ -0,0 +1,26 @@
-+#! /usr/bin/env perl
-+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use OpenSSL::Test qw(:DEFAULT srctop_file);
-+use OpenSSL::Test::Utils;
-+
-+setup("test_asn1_parse");
-+
-+plan tests => 3;
-+
-+$ENV{OPENSSL_CONF} = srctop_file("test", "test_asn1_parse.cnf");
-+
-+ok(run(app(([ 'openssl', 'asn1parse',
-+              '-genstr', 'OID:1.2.3.4.1']))));
-+
-+ok(run(app(([ 'openssl', 'asn1parse',
-+              '-genstr', 'OID:1.2.3.4.2']))));
-+
-+ok(run(app(([ 'openssl', 'asn1parse',
-+              '-genstr', 'OID:1.2.3.4.3']))));
-diff --git a/test/test_asn1_parse.cnf b/test/test_asn1_parse.cnf
-new file mode 100644
-index 0000000000..5f0305657e
---- /dev/null
-+++ b/test/test_asn1_parse.cnf
-@@ -0,0 +1,12 @@
-+openssl_conf = openssl_init
-+
-+# Comment out the next line to ignore configuration errors
-+config_diagnostics = 1
-+
-+[openssl_init]
-+oid_section = oids
-+
-+[oids]
-+testoid1 = 1.2.3.4.1
-+testoid2 = A Very Long OID Name, 1.2.3.4.2
-+testoid3 = ,1.2.3.4.3
--- 
-2.40.0
-
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index 9e09e12461..841d4b4cfd 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@ 
-# From https://www.openssl.org/source/openssl-3.2.0.tar.gz.sha256
-sha256  14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e  openssl-3.2.0.tar.gz
+# From https://www.openssl.org/source/openssl-3.2.1.tar.gz.sha256
+sha256  83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39  openssl-3.2.1.tar.gz
 
 # License files
 sha256  7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a  LICENSE.txt
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index 7dc6d93256..feb5026c02 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBOPENSSL_VERSION = 3.2.0
+LIBOPENSSL_VERSION = 3.2.1
 LIBOPENSSL_SITE = https://www.openssl.org/source
 LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
 LIBOPENSSL_LICENSE = Apache-2.0