
[1/1] package/libopenssl: security bump to v1.1.1g

Message ID 20200421133651.6921-1-titouan.christophe@railnova.eu
State Accepted
Series [1/1] package/libopenssl: security bump to v1.1.1g

Commit Message

Titouan Christophe April 21, 2020, 1:36 p.m. UTC
This fixes CVE-2020-1967:
Server or client applications that call the SSL_check_chain() function during
or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
issue. This issue did not affect OpenSSL versions prior to 1.1.1d.

See https://www.openssl.org/news/secadv/20200421.txt

Also update the hash file to the new two spaces convention

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
---
 package/libopenssl/libopenssl.hash | 6 +++---
 package/libopenssl/libopenssl.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
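
The commit message above describes the fix as a tarball version bump plus a hash-file update to the two-space convention. As an added example, not code from Buildroot or from this patch, here is a small Python verifier for that hash-file format: it parses `<algo>  <hexdigest>  <filename>` entries (accepting both the older tab separator and the new two-space one), skips comments and blank lines, fails closed on anything else, and checks each named file against its digest. The fixture files, their contents, and the extra `NOTICE` entry are constructed for the demo and are not real release artifacts.

```python
"""Parse and verify a Buildroot-style .hash file (constructed example, not
Buildroot's own implementation).  Each entry line has the form

    <algo><sep><hexdigest><sep><filename>

where <sep> is the two-space convention this patch switches to, or the
older tab.  Blank lines and '#' comments are ignored; anything else is
rejected so a malformed entry can never silently skip verification."""
import hashlib
import os
import re
import tempfile

# Either separator is accepted so files written under both conventions verify.
_LINE_RE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+)(?:\t| {2})(?P<digest>[0-9A-Fa-f]+)(?:\t| {2})(?P<name>\S+)\s*$"
)
SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_hash_file(text):
    """Return (entries, rejected): entries are (algo, digest, filename) tuples,
    rejected are (lineno, line) pairs for lines that are neither comments nor
    well-formed entries (a digest of the wrong length for its algorithm also
    counts as malformed)."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            rejected.append((lineno, line))
            continue
        algo = m.group("algo").lower()
        digest = m.group("digest").lower()
        name = m.group("name")
        if algo in SUPPORTED and len(digest) != SUPPORTED[algo]().digest_size * 2:
            rejected.append((lineno, line))
            continue
        entries.append((algo, digest, name))
    return entries, rejected


def file_digest(path, algo):
    """Stream the file through the named hash and return its hex digest."""
    h = SUPPORTED[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(hash_text, directory):
    """Check every entry against the file of that name in `directory`.
    Returns {filename: "ok" | "mismatch" | "missing" | "unsupported"}.
    Raises ValueError if any line is unparsable, so a typo in the hash file
    rejects the build instead of leaving a download unverified."""
    entries, rejected = parse_hash_file(hash_text)
    if rejected:
        raise ValueError("malformed hash entries: %r" % rejected)
    results = {}
    for algo, digest, name in entries:
        path = os.path.join(directory, name)
        if algo not in SUPPORTED:
            results[name] = "unsupported"
        elif not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Build a constructed fixture in a temporary directory and verify it.
    The tarball bytes and digests below are made up for this example."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "openssl-1.1.1g.tar.gz")
        with open(tarball, "wb") as f:
            f.write(b"constructed tarball contents, not a real OpenSSL release\n")
        good = file_digest(tarball, "sha256")
        with open(os.path.join(d, "LICENSE"), "wb") as f:
            f.write(b"constructed license text\n")
        hash_text = (
            "# From https://www.openssl.org/source/openssl-1.1.1g.tar.gz.sha256 (constructed)\n"
            "sha256  " + good + "  openssl-1.1.1g.tar.gz\n"   # new two-space form
            "\n"
            "# License files\n"
            "sha256\t" + "0" * 64 + "\tLICENSE\n"             # old tab form, wrong digest
            "sha256  " + "1" * 64 + "  NOTICE\n"              # entry with no file present
        )
        return verify(hash_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

The digest in the `.hash` file is what pins the integrity of what the build downloads, so the parser treats a line it cannot read as an error rather than skipping it. Because the upstream `.sha256` file is fetched from the same site as the tarball, a value copied from it proves only that the download matches what that server offers; comparing it against the project's signed release announcement as well is the stronger check before committing a bump.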

Comments

Thomas Petazzoni April 21, 2020, 8:29 p.m. UTC | #1
On Tue, 21 Apr 2020 15:36:51 +0200
Titouan Christophe <titouan.christophe@railnova.eu> wrote:

> This fixes CVE-2020-1967:
> Server or client applications that call the SSL_check_chain() function during
> or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
> result of incorrect handling of the "signature_algorithms_cert" TLS extension.
> The crash occurs if an invalid or unrecognised signature algorithm is received
> from the peer. This could be exploited by a malicious peer in a Denial of
> Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
> issue. This issue did not affect OpenSSL versions prior to 1.1.1d.
> 
> See https://www.openssl.org/news/secadv/20200421.txt
> 
> Also update the hash file to the new two spaces convention
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
> ---
>  package/libopenssl/libopenssl.hash | 6 +++---
>  package/libopenssl/libopenssl.mk   | 2 +-
>  2 files changed, 4 insertions(+), 4 deletions(-)

Applied to master, thanks.

Thomas
Johan Derycke May 6, 2020, 2:33 p.m. UTC | #2
Hi,

Can this be applied to 2020.2.x, please?

Thanks,

Johan

On Tue, 21 Apr 2020 at 22:30, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Tue, 21 Apr 2020 15:36:51 +0200
> Titouan Christophe <titouan.christophe@railnova.eu> wrote:
>
> > This fixes CVE-2020-1967:
> > Server or client applications that call the SSL_check_chain() function during
> > or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
> > result of incorrect handling of the "signature_algorithms_cert" TLS extension.
> > The crash occurs if an invalid or unrecognised signature algorithm is received
> > from the peer. This could be exploited by a malicious peer in a Denial of
> > Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
> > issue. This issue did not affect OpenSSL versions prior to 1.1.1d.
> >
> > See https://www.openssl.org/news/secadv/20200421.txt
> >
> > Also update the hash file to the new two spaces convention
> >
> > Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
> > ---
> >  package/libopenssl/libopenssl.hash | 6 +++---
> >  package/libopenssl/libopenssl.mk   | 2 +-
> >  2 files changed, 4 insertions(+), 4 deletions(-)
>
> Applied to master, thanks.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
Peter Korsgaard May 7, 2020, 9:56 p.m. UTC | #3
>>>>> "Titouan" == Titouan Christophe <titouan.christophe@railnova.eu> writes:

 > This fixes CVE-2020-1967:
 > Server or client applications that call the SSL_check_chain() function during
 > or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
 > result of incorrect handling of the "signature_algorithms_cert" TLS extension.
 > The crash occurs if an invalid or unrecognised signature algorithm is received
 > from the peer. This could be exploited by a malicious peer in a Denial of
 > Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
 > issue. This issue did not affect OpenSSL versions prior to 1.1.1d.

 > See https://www.openssl.org/news/secadv/20200421.txt

 > Also update the hash file to the new two spaces convention

 > Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>

Committed to 2020.02.x, thanks.
Peter Korsgaard May 7, 2020, 9:57 p.m. UTC | #4
>>>>> "Johan" == Johan Derycke <johanderycke@gmail.com> writes:

 > Hi,
 > Can this be applied to 2020.2.x, please?

Sure, done.

I normally sync 2020.02.x with master every 1-2 weeks, but am running a
bit late right now.

Patch

diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index 3becd790ac..121e10c410 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@ 
-# From https://www.openssl.org/source/openssl-1.1.1d.tar.gz.sha256
-sha256	186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35	openssl-1.1.1f.tar.gz
+# From https://www.openssl.org/source/openssl-1.1.1g.tar.gz.sha256
+sha256  ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46  openssl-1.1.1g.tar.gz
 
 # License files
-sha256	c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c	LICENSE
+sha256  c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c  LICENSE
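Review bot: the removed comment line pointed at openssl-1.1.1d.tar.gz.sha256 while the digest beneath it was recorded for openssl-1.1.1f.tar.gz, so the reference URL had drifted in an earlier bump; the new pair is consistent (comment and filename both name 1.1.1g), which is the right fix. Since that .sha256 file is served from the same site the tarball is fetched from, it only shows the download matches what the server offers; confirming the value against the upstream release signature before committing is the stronger check. The LICENSE line changes whitespace only (tab to two spaces) with the digest unchanged, matching the commit message's note about the new convention.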
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index 4639c63fac..a300458f85 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBOPENSSL_VERSION = 1.1.1f
+LIBOPENSSL_VERSION = 1.1.1g
 LIBOPENSSL_SITE = https://www.openssl.org/source
 LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
 LIBOPENSSL_LICENSE = OpenSSL or SSLeay
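Review bot: LIBOPENSSL_VERSION is the only change here and it agrees with the openssl-1.1.1g.tar.gz filename in the hash file through LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz, so the two files stay in sync; LIBOPENSSL_SITE and the license fields are untouched, as expected for a point release. If the package directory carries local patches, a line in the commit message confirming they still apply cleanly to 1.1.1g would complete the record.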