* [Buildroot] [git commit branch/2022.02.x] package/libopenssl: security bump version to 1.1.1n
@ 2022-03-20 21:36 Peter Korsgaard
0 siblings, 0 replies; only message in thread
From: Peter Korsgaard @ 2022-03-20 21:36 UTC (permalink / raw)
To: buildroot
[-- Attachment #1: Type: text/plain, Size: 3329 bytes --]
commit: https://git.buildroot.net/buildroot/commit/?id=e1fe19616196930cb803f52760c55340607c894e
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x
Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
for non-prime moduli.
Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.
It is possible to trigger the infinite loop by crafting a certificate that
has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the certificate
signature, any process that parses an externally supplied certificate may
thus be subject to a denial of service attack. The infinite loop can also
be reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.
Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the attacker
can control the parameter values are vulnerable to this DoS issue.
(CVE-2022-0778)
[Tomáš Mráz]
*) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
to the list of ciphersuites providing Perfect Forward Secrecy as
required by SECLEVEL >= 3.
[Dmitry Belyavskiy, Nicola Tuveri]
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 66868e9fab2806686fd08850a3e56185ef00b127)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libopenssl/libopenssl.hash | 4 ++--
package/libopenssl/libopenssl.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index a055cbc270..22bb365bcc 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@
-# From https://www.openssl.org/source/openssl-1.1.1m.tar.gz.sha256
-sha256 f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96 openssl-1.1.1m.tar.gz
+# From https://www.openssl.org/source/openssl-1.1.1n.tar.gz.sha256
+sha256 40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a openssl-1.1.1n.tar.gz
# License files
sha256 c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c LICENSE
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index bd8ef6141a..ae6658ed40 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBOPENSSL_VERSION = 1.1.1m
+LIBOPENSSL_VERSION = 1.1.1n
LIBOPENSSL_SITE = https://www.openssl.org/source
LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
LIBOPENSSL_LICENSE = OpenSSL or SSLeay
[-- Attachment #2: Type: text/plain, Size: 150 bytes --]
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-03-20 21:38 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-20 21:36 [Buildroot] [git commit branch/2022.02.x] package/libopenssl: security bump version to 1.1.1n Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.