diff --git a/openssl-CVE-2015-0209.patch b/openssl-CVE-2015-0209.patch new file mode 100644 index 0000000..df5e828 --- /dev/null +++ b/openssl-CVE-2015-0209.patch @@ -0,0 +1,40 @@ +commit 89117535f1bb3ea72a17933b703271587d7aaf0b +Author: Matt Caswell +Date: Mon Feb 9 11:38:41 2015 +0000 + + Fix a failure to NULL a pointer freed on error. + + Inspired by BoringSSL commit 517073cd4b by Eric Roman + + CVE-2015-0209 + + Reviewed-by: Emilia Käsper + +Index: openssl-1.0.1k/crypto/ec/ec_asn1.c +=================================================================== +--- openssl-1.0.1k.orig/crypto/ec/ec_asn1.c 2015-03-19 15:58:22.021039425 +0100 ++++ openssl-1.0.1k/crypto/ec/ec_asn1.c 2015-03-19 15:58:26.431103852 +0100 +@@ -1142,8 +1142,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con + ERR_R_MALLOC_FAILURE); + goto err; + } +- if (a) +- *a = ret; + } + else + ret = *a; +@@ -1225,11 +1223,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con + ret->enc_flag |= EC_PKEY_NO_PUBKEY; + } + ++ if (a) ++ *a = ret; + ok = 1; + err: + if (!ok) + { +- if (ret) ++ if (ret && (a == NULL || *a != ret)) + EC_KEY_free(ret); + ret = NULL; + } diff --git a/openssl-CVE-2015-0286.patch b/openssl-CVE-2015-0286.patch new file mode 100644 index 0000000..bf7f9e2 --- /dev/null +++ b/openssl-CVE-2015-0286.patch @@ -0,0 +1,28 @@ +commit ee5a1253285e5c9f406c8b57b0686319b70c07d8 +Author: Dr. Stephen Henson +Date: Mon Mar 9 23:11:45 2015 +0000 + + Fix ASN1_TYPE_cmp + + Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This + can be triggered during certificate verification so could be a DoS attack + against a client or a server enabling client authentication. + + CVE-2015-0286 + + Reviewed-by: Richard Levitte + +Index: openssl-1.0.1i/crypto/asn1/a_type.c +=================================================================== +--- openssl-1.0.1i.orig/crypto/asn1/a_type.c 2015-03-17 14:15:18.832332902 +0100 ++++ openssl-1.0.1i/crypto/asn1/a_type.c 2015-03-17 14:15:19.738346161 +0100 +@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co + case V_ASN1_OBJECT: + result = OBJ_cmp(a->value.object, b->value.object); + break; ++ case V_ASN1_BOOLEAN: ++ result = a->value.boolean - b->value.boolean; ++ break; + case V_ASN1_NULL: + result = 0; /* They do not have content. */ + break; diff --git a/openssl-CVE-2015-0287.patch b/openssl-CVE-2015-0287.patch new file mode 100644 index 0000000..3b4a371 --- /dev/null +++ b/openssl-CVE-2015-0287.patch @@ -0,0 +1,85 @@ +commit 1a87b757b9f755f687492f6b9f685be8e0cd82b0 +Author: Dr. Stephen Henson +Date: Mon Feb 23 12:57:50 2015 +0000 + + Free up passed ASN.1 structure if reused. + + Change the "reuse" behaviour in ASN1_item_d2i: if successful the old + structure is freed and a pointer to the new one used. If it is not + successful then the passed structure is untouched. + + Exception made for primitive types so ssl_asn1.c still works. + + Reviewed-by: Tim Hudson + Reviewed-by: Emilia Käsper + +commit a9f34a7aac5fd89f33a34fb71e954b85fbf35875 +Author: Dr. Stephen Henson +Date: Mon Feb 23 02:32:44 2015 +0000 + + Free up ADB and CHOICE if already initialised. + + CVE-2015-0287 + + Reviewed-by: Tim Hudson + Reviewed-by: Emilia Käsper + +Index: openssl-1.0.1i/crypto/asn1/tasn_dec.c +=================================================================== +--- openssl-1.0.1i.orig/crypto/asn1/tasn_dec.c 2015-03-17 13:18:26.732161376 +0100 ++++ openssl-1.0.1i/crypto/asn1/tasn_dec.c 2015-03-17 13:22:20.424576154 +0100 +@@ -311,9 +317,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + +- /* Allocate structure */ +- if (!*pval && !ASN1_item_ex_new(pval, it)) +- { ++ if (*pval) { ++ /* Free up and zero CHOICE value if initialised */ ++ i = asn1_get_choice_selector(pval, it); ++ if ((i >= 0) && (i < it->tcount)) { ++ tt = it->templates + i; ++ pchptr = asn1_get_field_ptr(pval, tt); ++ ASN1_template_free(pchptr, tt); ++ asn1_set_choice_selector(pval, -1, it); ++ } ++ } else if (!ASN1_item_ex_new(pval, it)) { + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, + ERR_R_NESTED_ASN1_ERROR); + goto err; +@@ -407,6 +420,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + ++ /* Free up and zero any ADB found */ ++ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { ++ if (tt->flags & ASN1_TFLG_ADB_MASK) { ++ const ASN1_TEMPLATE *seqtt; ++ ASN1_VALUE **pseqval; ++ seqtt = asn1_do_adb(pval, tt, 1); ++ pseqval = asn1_get_field_ptr(pval, seqtt); ++ ASN1_template_free(pseqval, seqtt); ++ } ++ } ++ + /* Get each field entry */ + for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) + { +Index: openssl-1.0.1i/doc/crypto/d2i_X509.pod +=================================================================== +--- openssl-1.0.1i.orig/doc/crypto/d2i_X509.pod 2015-03-17 13:18:26.731161362 +0100 ++++ openssl-1.0.1i/doc/crypto/d2i_X509.pod 2015-03-17 13:18:52.046531518 +0100 +@@ -199,6 +199,12 @@ B<*px> is valid is broken and some parts + persist if they are not present in the new one. As a result the use + of this "reuse" behaviour is strongly discouraged. + ++Current versions of OpenSSL will not modify B<*px> if an error occurs. ++If parsing succeeds then B<*px> is freed (if it is not NULL) and then ++set to the value of the newly decoded structure. As a result B<*px> ++B be allocated on the stack or an attempt will be made to ++free an invalid pointer. ++ + i2d_X509() will not return an error in many versions of OpenSSL, + if mandatory fields are not initialized due to a programming error + then the encoded structure may contain invalid data or omit the diff --git a/openssl-CVE-2015-0288.patch b/openssl-CVE-2015-0288.patch new file mode 100644 index 0000000..0988eba --- /dev/null +++ b/openssl-CVE-2015-0288.patch @@ -0,0 +1,25 @@ +commit 51527f1e3564f210e984fe5b654c45d34e4f03d7 +Author: Dr. Stephen Henson +Date: Wed Feb 18 00:34:59 2015 +0000 + + Check public key is not NULL. + + CVE-2015-0288 + PR#3708 + + Reviewed-by: Matt Caswell + (cherry picked from commit 28a00bcd8e318da18031b2ac8778c64147cd54f9) + +Index: openssl-1.0.1i/crypto/x509/x509_req.c +=================================================================== +--- openssl-1.0.1i.orig/crypto/x509/x509_req.c 2015-03-17 13:22:30.712726374 +0100 ++++ openssl-1.0.1i/crypto/x509/x509_req.c 2015-03-17 13:23:20.486453016 +0100 +@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_ + goto err; + + pktmp = X509_get_pubkey(x); ++ if (pktmp == NULL) ++ goto err; + i=X509_REQ_set_pubkey(ret,pktmp); + EVP_PKEY_free(pktmp); + if (!i) goto err; diff --git a/openssl-CVE-2015-0289.patch b/openssl-CVE-2015-0289.patch new file mode 100644 index 0000000..780b3a4 --- /dev/null +++ b/openssl-CVE-2015-0289.patch @@ -0,0 +1,191 @@ +commit d3d52c73544bba800c2a8f5ef3376358158cf2ca +Author: Emilia Kasper +Date: Fri Feb 27 16:52:23 2015 +0100 + + PKCS#7: avoid NULL pointer dereferences with missing content + + In PKCS#7, the ASN.1 content component is optional. + This typically applies to inner content (detached signatures), + however we must also handle unexpected missing outer content + correctly. + + This patch only addresses functions reachable from parsing, + decryption and verification, and functions otherwise associated + with reading potentially untrusted data. + + Correcting all low-level API calls requires further work. + + CVE-2015-0289 + + Thanks to Michal Zalewski (Google) for reporting this issue. + + Reviewed-by: Steve Henson + +Index: openssl-1.0.1i/crypto/pkcs7/pk7_doit.c +=================================================================== +--- openssl-1.0.1i.orig/crypto/pkcs7/pk7_doit.c 2015-03-17 13:23:33.961649688 +0100 ++++ openssl-1.0.1i/crypto/pkcs7/pk7_doit.c 2015-03-17 13:34:34.445347342 +0100 +@@ -272,6 +272,25 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) + PKCS7_RECIP_INFO *ri=NULL; + ASN1_OCTET_STRING *os=NULL; + ++ if (p7 == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER); ++ return NULL; ++ } ++ /* ++ * The content field in the PKCS7 ContentInfo is optional, but that really ++ * only applies to inner content (precisely, detached signatures). ++ * ++ * When reading content, missing outer content is therefore treated as an ++ * error. ++ * ++ * When creating content, PKCS7_content_new() must be called before ++ * calling this method, so a NULL p7->d is always an error. ++ */ ++ if (p7->d.ptr == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT); ++ return NULL; ++ } ++ + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; + +@@ -433,6 +452,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + unsigned char *ek = NULL, *tkey = NULL; + int eklen = 0, tkeylen = 0; + ++ if (p7 == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER); ++ return NULL; ++ } ++ ++ if (p7->d.ptr == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); ++ return NULL; ++ } ++ + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; + +@@ -752,6 +781,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; + ASN1_OCTET_STRING *os=NULL; + ++ if (p7 == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER); ++ return 0; ++ } ++ ++ if (p7->d.ptr == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT); ++ return 0; ++ } ++ + EVP_MD_CTX_init(&ctx_tmp); + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; +@@ -796,6 +835,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + /* If detached data then the content is excluded */ + if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { + M_ASN1_OCTET_STRING_free(os); ++ os = NULL; + p7->d.sign->contents->d.data = NULL; + } + break; +@@ -806,6 +846,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) + { + M_ASN1_OCTET_STRING_free(os); ++ os = NULL; + p7->d.digest->contents->d.data = NULL; + } + break; +@@ -878,24 +919,31 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); + } + +- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) +- { +- char *cont; +- long contlen; +- btmp=BIO_find_type(bio,BIO_TYPE_MEM); +- if (btmp == NULL) +- { +- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); +- goto err; +- } +- contlen = BIO_get_mem_data(btmp, &cont); +- /* Mark the BIO read only then we can use its copy of the data +- * instead of making an extra copy. +- */ +- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); +- BIO_set_mem_eof_return(btmp, 0); +- ASN1_STRING_set0(os, (unsigned char *)cont, contlen); +- } ++ if (!PKCS7_is_detached(p7)) { ++ /* ++ * NOTE(emilia): I think we only reach os == NULL here because detached ++ * digested data support is broken. ++ */ ++ if (os == NULL) ++ goto err; ++ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) { ++ char *cont; ++ long contlen; ++ btmp = BIO_find_type(bio, BIO_TYPE_MEM); ++ if (btmp == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO); ++ goto err; ++ } ++ contlen = BIO_get_mem_data(btmp, &cont); ++ /* ++ * Mark the BIO read only then we can use its copy of the data ++ * instead of making an extra copy. ++ */ ++ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); ++ BIO_set_mem_eof_return(btmp, 0); ++ ASN1_STRING_set0(os, (unsigned char *)cont, contlen); ++ } ++ } + ret=1; + err: + EVP_MD_CTX_cleanup(&ctx_tmp); +@@ -971,6 +1019,16 @@ int PKCS7_dataVerify(X509_STORE *cert_st + STACK_OF(X509) *cert; + X509 *x509; + ++ if (p7 == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER); ++ return 0; ++ } ++ ++ if (p7->d.ptr == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT); ++ return 0; ++ } ++ + if (PKCS7_type_is_signed(p7)) + { + cert=p7->d.sign->cert; +Index: openssl-1.0.1i/crypto/pkcs7/pk7_lib.c +=================================================================== +--- openssl-1.0.1i.orig/crypto/pkcs7/pk7_lib.c 2015-03-17 13:23:37.451700626 +0100 ++++ openssl-1.0.1i/crypto/pkcs7/pk7_lib.c 2015-03-17 13:36:01.708627632 +0100 +@@ -71,6 +71,7 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long + + switch (cmd) + { ++ /* NOTE(emilia): does not support detached digested data. */ + case PKCS7_OP_SET_DETACHED_SIGNATURE: + if (nid == NID_pkcs7_signed) + { +@@ -459,6 +460,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV + + STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7) + { ++ if (p7 == NULL || p7->d.ptr == NULL) ++ return NULL; + if (PKCS7_type_is_signed(p7)) + { + return(p7->d.sign->signer_info); diff --git a/openssl-CVE-2015-0293.patch b/openssl-CVE-2015-0293.patch new file mode 100644 index 0000000..467bf7c --- /dev/null +++ b/openssl-CVE-2015-0293.patch @@ -0,0 +1,124 @@ +commit a40c1bcb8c37fbad24d8f28f0fb0204d76f0fee2 +Author: Emilia Kasper +Date: Wed Mar 4 09:05:02 2015 -0800 + + Fix reachable assert in SSLv2 servers. + + This assert is reachable for servers that support SSLv2 and export ciphers. + Therefore, such servers can be DoSed by sending a specially crafted + SSLv2 CLIENT-MASTER-KEY. + + Also fix s2_srvr.c to error out early if the key lengths are malformed. + These lengths are sent unencrypted, so this does not introduce an oracle. + + CVE-2015-0293 + + This issue was discovered by Sean Burford (Google) and Emilia Käsper of + the OpenSSL development team. + + Reviewed-by: Richard Levitte + Reviewed-by: Tim Hudson + +Index: openssl-1.0.1i/ssl/s2_lib.c +=================================================================== +--- openssl-1.0.1i.orig/ssl/s2_lib.c 2015-03-17 14:05:13.745459798 +0100 ++++ openssl-1.0.1i/ssl/s2_lib.c 2015-03-17 14:05:14.763474757 +0100 +@@ -487,7 +487,7 @@ int ssl2_generate_key_material(SSL *s) + + OPENSSL_assert(s->session->master_key_length >= 0 + && s->session->master_key_length +- < (int)sizeof(s->session->master_key)); ++ <= (int)sizeof(s->session->master_key)); + EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length); + EVP_DigestUpdate(&ctx,&c,1); + c++; +Index: openssl-1.0.1i/ssl/s2_srvr.c +=================================================================== +--- openssl-1.0.1i.orig/ssl/s2_srvr.c 2015-03-17 14:05:13.721459445 +0100 ++++ openssl-1.0.1i/ssl/s2_srvr.c 2015-03-17 14:07:43.262655766 +0100 +@@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s) + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); + return(-1); + } +- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc, +- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]), +- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); + + is_export=SSL_C_IS_EXPORT(s->session->cipher); + +@@ -467,21 +464,59 @@ static int get_client_master_key(SSL *s) + else + ek=5; + ++ /* ++ * The format of the CLIENT-MASTER-KEY message is ++ * 1 byte message type ++ * 3 bytes cipher ++ * 2-byte clear key length (stored in s->s2->tmp.clear) ++ * 2-byte encrypted key length (stored in s->s2->tmp.enc) ++ * 2-byte key args length (IV etc) ++ * clear key ++ * encrypted key ++ * key args ++ * ++ * If the cipher is an export cipher, then the encrypted key bytes ++ * are a fixed portion of the total key (5 or 8 bytes). The size of ++ * this portion is in |ek|. If the cipher is not an export cipher, ++ * then the entire key material is encrypted (i.e., clear key length ++ * must be zero). ++ */ ++ if ((!is_export && s->s2->tmp.clear != 0) || ++ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) { ++ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); ++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); ++ return -1; ++ } ++ /* ++ * The encrypted blob must decrypt to the encrypted portion of the key. ++ * Decryption can't be expanding, so if we don't have enough encrypted ++ * bytes to fit the key in the buffer, stop now. ++ */ ++ if ((is_export && s->s2->tmp.enc < ek) || ++ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) { ++ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); ++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); ++ return -1; ++ } ++ ++ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, ++ &(p[s->s2->tmp.clear]), ++ &(p[s->s2->tmp.clear]), ++ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : ++ RSA_PKCS1_PADDING); ++ + /* bad decrypt */ + #if 1 + /* If a bad decrypt, continue with protocol but with a + * random master secret (Bleichenbacher attack) */ +- if ((i < 0) || +- ((!is_export && (i != EVP_CIPHER_key_length(c))) +- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i != +- (unsigned int)EVP_CIPHER_key_length(c)))))) +- { ++ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) ++ || (is_export && i != ek))) { + ERR_clear_error(); + if (is_export) + i=ek; + else + i=EVP_CIPHER_key_length(c); +- if (RAND_pseudo_bytes(p,i) <= 0) ++ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0) + return 0; + } + #else +@@ -505,7 +540,8 @@ static int get_client_master_key(SSL *s) + } + #endif + +- if (is_export) i+=s->s2->tmp.clear; ++ if (is_export) ++ i = EVP_CIPHER_key_length(c); + + if (i > SSL_MAX_MASTER_KEY_LENGTH) + { diff --git a/openssl.changes b/openssl.changes index 3072109..2fdc214 100644 --- a/openssl.changes +++ b/openssl.changes @@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Thu Mar 19 14:26:01 UTC 2015 - vcizek@suse.com + +- security update: + * CVE-2015-0209 (bnc#919648) + - Fix a failure to NULL a pointer freed on error + * CVE-2015-0286 (bnc#922496) + - Segmentation fault in ASN1_TYPE_cmp + * CVE-2015-0287 (bnc#922499) + - ASN.1 structure reuse memory corruption + * CVE-2015-0288 x509: (bnc#920236) + - added missing public key is not NULL check + * CVE-2015-0289 (bnc#922500) + - PKCS7 NULL pointer dereferences + * CVE-2015-0293 (bnc#922488) + - Fix reachable assert in SSLv2 servers + * added patches: + openssl-CVE-2015-0209.patch + openssl-CVE-2015-0286.patch + openssl-CVE-2015-0287.patch + openssl-CVE-2015-0288.patch + openssl-CVE-2015-0289.patch + openssl-CVE-2015-0293.patch + ------------------------------------------------------------------- Wed Feb 4 08:08:27 UTC 2015 - meissner@suse.com diff --git a/openssl.spec b/openssl.spec index bda31bc..71df433 100644 --- a/openssl.spec +++ b/openssl.spec @@ -75,6 +75,12 @@ Patch34: openssl-fips-hidden.patch Patch35: openssl-1.0.1e-add-suse-default-cipher.patch Patch36: openssl-1.0.1e-add-suse-default-cipher-header.patch Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch +Patch52: openssl-CVE-2015-0209.patch +Patch53: openssl-CVE-2015-0286.patch +Patch54: openssl-CVE-2015-0287.patch +Patch55: openssl-CVE-2015-0288.patch +Patch56: openssl-CVE-2015-0289.patch +Patch57: openssl-CVE-2015-0293.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -191,6 +197,12 @@ this package's base documentation. %patch35 -p1 %patch36 -p1 %patch37 -p1 +%patch52 -p1 +%patch53 -p1 +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 cp -p %{S:10} . cp -p %{S:11} . echo "adding/overwriting some entries in the 'table' hash in Configure"