From 712cc1be28600a839f3531326752e629a4db9eec0557c96a65ae4f91186dccdf Mon Sep 17 00:00:00 2001 From: Sascha Peilicke Date: Fri, 9 Sep 2011 09:49:14 +0000 Subject: [PATCH] Accepting request 81348 from Base:System - Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210 see http://openssl.org/news/secadv_20110906.txt for details. (forwarded request 81347 from elvigia) OBS-URL: https://build.opensuse.org/request/show/81348 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=67 --- ECDSA_signatures_timing_attack.patch | 43 ---------------------------- openssl-1.0.0d.tar.bz2 | 3 -- openssl-1.0.0e.tar.bz2 | 3 ++ openssl.changes | 6 ++++ openssl.spec | 4 +-- 5 files changed, 10 insertions(+), 49 deletions(-) delete mode 100644 ECDSA_signatures_timing_attack.patch delete mode 100644 openssl-1.0.0d.tar.bz2 create mode 100644 openssl-1.0.0e.tar.bz2 diff --git a/ECDSA_signatures_timing_attack.patch b/ECDSA_signatures_timing_attack.patch deleted file mode 100644 index 4dc55b4..0000000 --- a/ECDSA_signatures_timing_attack.patch +++ /dev/null @@ -1,43 +0,0 @@ -Index: openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c -=================================================================== ---- openssl-1.0.0c.orig/crypto/ecdsa/ecs_ossl.c -+++ openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c -@@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *ecke - } - while (BN_is_zero(k)); - -+#ifdef ECDSA_POINT_MUL_NO_CONSTTIME -+ /* We do not want timing information to leak the length of k, -+ * so we compute G*k using an equivalent scalar of fixed -+ * bit-length. */ -+ -+ if (!BN_add(k, k, order)) goto err; -+ if (BN_num_bits(k) <= BN_num_bits(order)) -+ if (!BN_add(k, k, order)) goto err; -+#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */ -+ - /* compute r the x-coordinate of generator * k */ - if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) - { -Index: openssl-1.0.0c/crypto/ocsp/ocsp_lib.c -=================================================================== ---- openssl-1.0.0c.orig/crypto/ocsp/ocsp_lib.c -+++ openssl-1.0.0c/crypto/ocsp/ocsp_lib.c -@@ -170,13 +170,14 @@ int OCSP_parse_url(char *url, char **pho - - char *host, *port; - -+ *phost = NULL; -+ *pport = NULL; -+ *ppath = NULL; -+ - /* dup the buffer since we are going to mess with it */ - buf = BUF_strdup(url); - if (!buf) goto mem_err; - -- *phost = NULL; -- *pport = NULL; -- *ppath = NULL; - - /* Check for initial colon */ - p = strchr(buf, ':'); diff --git a/openssl-1.0.0d.tar.bz2 b/openssl-1.0.0d.tar.bz2 deleted file mode 100644 index a0885fb..0000000 --- a/openssl-1.0.0d.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1544c7464c7b6cd40bed63cf9e7e27a913d1af881f14d9afd15e61f401056eda -size 3223694 diff --git a/openssl-1.0.0e.tar.bz2 b/openssl-1.0.0e.tar.bz2 new file mode 100644 index 0000000..6d130d7 --- /dev/null +++ b/openssl-1.0.0e.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d4cecef7f43d8adc75d7eb6aa9b96cbd8048d919fae6a9d4e89acedac3eabc33 +size 3222400 diff --git a/openssl.changes b/openssl.changes index 063411c..edd4a0b 100644 --- a/openssl.changes +++ b/openssl.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Sep 7 14:29:41 UTC 2011 - crrodriguez@opensuse.org + +- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210 + see http://openssl.org/news/secadv_20110906.txt for details. + ------------------------------------------------------------------- Sat Aug 6 00:33:47 UTC 2011 - crrodriguez@opensuse.org diff --git a/openssl.spec b/openssl.spec index 89d4ac2..a22b4d7 100644 --- a/openssl.spec +++ b/openssl.spec @@ -32,7 +32,7 @@ Obsoletes: openssl-64bit %endif # #Version: 1.0.0 -Version: 1.0.0d +Version: 1.0.0e Release: 31 Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ @@ -50,7 +50,6 @@ Patch2: bug610223.patch #Patch6: CVE-2010-3864.patch Patch7: openssl-1.0.0b-aesni.patch #Patch8: CVE-2011-0014.patch -Patch9: ECDSA_signatures_timing_attack.patch Patch10: openssl-call-engine-reg-comp.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -188,7 +187,6 @@ Authors: #%patch6 -p1 %patch7 -p1 #%patch8 -p1 -%patch9 -p1 %patch10 cp -p %{S:10} . echo "adding/overwriting some entries in the 'table' hash in Configure"