Bug 198718

Summary:

[PATCH] security/libressl: update to 2.1.6, fix vulns and default libtls

Product:

Ports & Packages

Reporter:

Bernard Spil <brnrd>

Component:

Individual Port(s)

Assignee:

Vsevolod Stakhov <vsevolod>

Status:

Closed FIXED

Severity:

Affects Some People

CC:

delphij, xmj

Priority:

---

Keywords:

patch

Version:

Latest

Flags:

bugzilla: maintainer-feedback? (vsevolod)

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
svn diff for security/libressl	none
Poudriere build log of security/libressl	none
vuxml entry	none
vuxml entry, fixed	none
vuln.xml entry	none
vuxml entry	none

Description Bernard Spil freebsd_committer

2015-03-19 19:47:53 UTC

Created attachment 154535 [details]
svn diff for security/libressl

LibreSSL has released a next version with fixes for 
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences

Furthermore, the libtls ABI is declared stable and enabled by default. This is now fixed.

Comment 1 Bernard Spil freebsd_committer

2015-03-19 19:48:15 UTC

Created attachment 154536 [details]
Poudriere build log of security/libressl

Comment 2 Bernard Spil freebsd_committer

2015-03-19 20:31:53 UTC

Created attachment 154537 [details]
vuxml entry

Comment 3 Johannes Jost Meixner freebsd_committer

2015-03-19 20:41:25 UTC

Created attachment 154538 [details]
vuxml entry, fixed

Previous vuxml entry had all <cvename> tags with -0207. Fixed in patch attached.

Comment 4 Bernard Spil freebsd_committer

2015-03-19 20:43:22 UTC

Created attachment 154539 [details]
vuln.xml entry

Fixes the references entries

Comment 5 Bernard Spil freebsd_committer

2015-03-19 20:47:52 UTC

Created attachment 154540 [details]
vuxml entry

Now using the raw payload from GitHub...

Comment 6 Vsevolod Stakhov freebsd_committer

2015-03-19 21:25:01 UTC

I'd suggest to use normal HTML <ul>...</ul> for list and not just <p> in description of vulnxml entry.

Comment 7 commit-hook freebsd_committer

2015-03-19 22:54:39 UTC

A commit references this bug:

Author: delphij
Date: Thu Mar 19 22:54:15 UTC 2015
New revision: 381700
URL: https://svnweb.freebsd.org/changeset/ports/381700

Log:
  Mention LibreSSL too.  Use <ul>'s per suggestion from vsevolod [1].

  PR:		198718 [1]

Changes:
  head/security/vuxml/vuln.xml

Comment 8 Xin LI freebsd_committer

2015-03-19 22:55:07 UTC

I've merged the vuxml entries with the OpenSSL one.  Vsevolod would you please merge the port change?

Comment 9 commit-hook freebsd_committer

2015-03-19 23:12:43 UTC

A commit references this bug:

Author: vsevolod
Date: Thu Mar 19 23:11:51 UTC 2015
New revision: 381701
URL: https://svnweb.freebsd.org/changeset/ports/381701

Log:
  - Update to 2.1.6
  - Remove incorrectly added patch files

  PR:		198718
  Submitted by:	Bernard Spil <spil.oss at gmail.com>
  Security:	CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289

Changes:
  head/security/libressl/Makefile
  head/security/libressl/distinfo
  head/security/libressl/files/patch-include-openssl-opensslv.h
  head/security/libressl/pkg-plist
  head/security/libressl/security/

Comment 10 Vsevolod Stakhov freebsd_committer

2015-03-19 23:13:59 UTC

Committed, thank you!