| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Merge OpenSSL 1.0.1m.
Relnotes: yes
|
| |
|
|
|
|
|
|
|
| |
- Revert a portion of ASN1 change per suggested by OpenBSD
and OpenSSL developers. The change was removed from the
formal OpenSSL release and does not solve security issue.
- Properly fix CVE-2015-0209 and CVE-2015-0288.
Pointy hat to: delphij
|
| |
|
|
|
|
|
|
|
|
| |
Security: FreeBSD-SA-15:06.openssl
Security: CVE-2015-0209
Security: CVE-2015-0286
Security: CVE-2015-0287
Security: CVE-2015-0288
Security: CVE-2015-0289
Security: CVE-2015-0293
|
| |
|
|
|
|
| |
Merge OpenSSL 1.0.1l.
Relnotes: yes
|
| |
|
|
| |
Merge OpenSSL 1.0.1k.
|
| |
|
|
|
|
| |
Merge OpenSSL 1.0.1j.
Relnotes: yes
|
| |
|
|
| |
Merge OpenSSL 1.0.1i.
|
| |
|
|
|
|
| |
Merge OpenSSL 1.0.1h.
Approved by: so (delphij)
|
| |
|
|
|
|
| |
Security: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224,
CVE-2014-3470
Security: SA-14:14.openssl
|
| |
|
|
|
|
| |
Obtained from: OpenBSD
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2014-0198
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fix OpenSSL use-after-free vulnerability.
Fix TCP reassembly vulnerability.
Security: FreeBSD-SA-14:07.devfs
Security: CVE-2014-3001
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2010-5298
|
| |
|
|
| |
Merge OpenSSL 1.0.1f and 1.0.1g.
|
| |
|
|
|
| |
Fix "Heartbleed" vulnerability and ECDSA Cache Side-channel
Attack in OpenSSL. [SA-14:06]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apply vendor commits:
197e0ea Fix for TLS record tampering bug. (CVE-2013-4353).
3462896 For DTLS we might need to retransmit messages from the
previous session so keep a copy of write context in DTLS
retransmission buffers instead of replacing it after
sending CCS. (CVE-2013-6450).
ca98926 When deciding whether to use TLS 1.2 PRF and record hash
algorithms use the version number in the corresponding
SSL_METHOD structure instead of the SSL structure. The
SSL structure version is sometimes inaccurate.
Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449).
Security: CVE-2013-4353
Security: CVE-2013-6449
Security: CVE-2013-6450
|
| |
|
|
|
|
|
|
|
|
|
| |
Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.
Requested by: zi
Approved by: benl
|
| |\
| |
| |
| | |
Approved by: secteam (simon), benl (silence)
|
| | |
| |
| |
| |
| |
| | |
r237658.
Approved by: benl (maintainer, implicit)
|
| | |
| |
| |
| |
| | |
Submitted by: Christoph Mallon
MFC after: 3 days
|
| | |
| |
| |
| | |
X-MFC after: with r244974
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Integrate OpenSSL changeset 22950 (appro):
bn_word.c: fix overflow bug in BN_add_word.
MFC after: 2 weeks
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
share/mk/sys.mk instead.
This is part of a medium term project to permit deterministic builds of
FreeBSD.
Submitted by: Erik Cederstrand <erik@cederstrand.dk>
Reviewed by: imp, toolchain@
Approved by: cperciva
MFC after: 2 weeks
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
some time ago to use sysctl instead of /dev/random to get random data,
so is now much better choice, especially for sandboxed processes that have
no direct access to /dev/random.
Approved by: benl
MFC after: 2 weeks
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Note: I timed out waiting for an exp-run for this change but I survived
having it locally for quite a long time.
MFC after: 1 month
X-MFC note: SHLIB_MAJOR is 6 in stable/8 and stable/9
|
| |\ \
| |/
| |
| | |
Approved by: benl (maintainer)
|
| | |
| |
| |
| |
| |
| |
| | |
and engine(3) are generated from these pod files during merge process and
we do not want to re-apply these changes over and over again.
Approved by: benl (maintainer, implicit)
|
| | |
| |
| |
| |
| |
| | |
Reviewed by: stas
Approved by: benl (maintainer)
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02]
Security: FreeBSD-SA-12:01.openssl (revised)
Security: FreeBSD-SA-12:02.crypt
Approved by: so (bz, simon)
|
| | |
| |
| |
| |
| |
| |
| | |
Security: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109
Security: CVE-2012-0884, CVE-2012-2110
Security: FreeBSD-SA-12:01.openssl
Approved by: so (bz,simon)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
multi-threaded use of ECDH.
Security: CVE-2011-3210
Reviewed by: stas
Obtained from: OpenSSL CVS
Approved by: re (kib)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
cause OpenSSL to parse past the end of the message.
Note: Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
Security: http://www.openssl.org/news/secadv_20110208.txt
Security: CVE-2011-0014
Obtained from: OpenSSL CVS
|
| |\ \
| |/
| |
| |
| |
| | |
Security: CVE-2010-4180
Security: http://www.openssl.org/news/secadv_20101202.txt
MFC after: 3 days
|
| | |
| |
| |
| |
| | |
Security: CVE-2010-3864
Security: http://www.openssl.org/news/secadv_20101116.txt
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
It has yet to be determined if this warrants a FreeBSD Security
Advisory, but we might as well get it fixed in the normal branches.
Obtained from: OpenSSL CVS
Security: CVE-2010-2939
X-MFC after: Not long...
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Make inline assembler clang-friendly [from HEAD].
openssl/crypto/md32_common.h 1.45.2.1 -> 1.45.2.2
openssl/crypto/rc5/rc5_locl.h 1.8 -> 1.8.8.1
Approved by: simon
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m)
but not -STABLE branches.
I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD.
This will be investigated further.
Security: CVE-2010-0433, CVE-2010-0740
Security: http://www.openssl.org/news/secadv_20100324.txt
|
| | |
| |
| |
| |
| |
| | |
mergemaster.
Suggested by: dougb
|
| |\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This also "reverts" some FreeBSD local changes so we should now
be back to using entirely stock OpenSSL. The local changes were
simple $FreeBSD$ lines additions, which were required in the CVS
days, and the patch for FreeBSD-SA-09:15.ssl which has been
superseded with OpenSSL 0.9.8m's RFC5746 'TLS renegotiation
extension' support.
MFC after: 3 weeks
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
protocol flaw. [09:15]
Correctly handle failures from unsetenv resulting from a corrupt
environment in rtld-elf. [09:16]
Fix permissions in freebsd-update in order to prevent leakage of
sensitive files. [09:17]
Approved by: so (cperciva)
Security: FreeBSD-SA-09:15.ssl
Security: FreeBSD-SA-09:16.rtld
Security: FreeBSD-SA-09:17.freebsd-udpate
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- Fix memory consumption bug with "future epoch" DTLS records.
- Fix fragment handling memory leak.
- Do not access freed data structure.
- Fix DTLS fragment bug - out-of-sequence message handling which could
result in NULL pointer dereference in
dtls1_process_out_of_seq_message().
Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.
MFC after: 1 week
Security: CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
for normal build, and doesn't export well to CVS.
If they are needed later a script will be added to recreate the symlinks
when needed at build time.
Approved by: re (rwatson)
|
| |\ \
| |/
| |
| | |
Approved by: re
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Sanity-check string lengths in order to stop OpenSSL crashing
when printing corrupt BMPString or UniversalString objects. [09:08]
Security: FreeBSD-SA-09:07.libc
Security: FreeBSD-SA-09:08.openssl
Security: CVE-2009-0590
Approved by: re (kensmith)
Approved by: so (cperciva)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
long commands into multiple requests. [09:01]
Fix incorrect OpenSSL checks for malformed signatures due to invalid
check of return value from EVP_VerifyFinal(), DSA_verify, and
DSA_do_verify. [09:02]
Security: FreeBSD-SA-09:01.lukemftpd
Security: FreeBSD-SA-09:02.openssl
Obtained from: NetBSD [SA-09:01]
Obtained from: OpenSSL Project [SA-09:02]
Approved by: so (simon)
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
with OpenSSL 0.9.8 import.
Note that this does not enable cryptodev by default, as it was the
case with OpenSSL 0.9.7 in FreeBSD base, but this change makes it
possible to enable cryptodev at all.
This has been submitted upstream as:
http://rt.openssl.org/Ticket/Display.html?id=1624
Submitted by: nork
|
| |\ \
| |/
| |
| | |
which included commits to RCS files with non-trunk default branches.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From the OpenSSL advisory:
Andy Polyakov discovered a flaw in OpenSSL's DTLS
implementation which could lead to the compromise of clients
and servers with DTLS enabled.
DTLS is a datagram variant of TLS specified in RFC 4347 first
supported in OpenSSL version 0.9.8. Note that the
vulnerabilities do not affect SSL and TLS so only clients and
servers explicitly using DTLS are affected.
We believe this flaw will permit remote code execution.
Security: CVE-2007-4995
Security: http://www.openssl.org/news/secadv_20071012.txt
|
| | |
| |
| |
| |
| | |
Security: FreeBSD-SA-07:08.openssl
Approved by: re (security blanket)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
casts a bit less evil.
This was e.g. seen when using portsnap as:
Fetching snapshot tag from portsnap3.FreeBSD.org... Illegal instruction
Note the patch is slightly different from kan's original patch to
match style in the OpenSSL source files a bit better.
Submitted by: kan
Tested by: many
|
