Bug 198718 - [PATCH] security/libressl: update to 2.1.6, fix vulns and default libtls
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Vsevolod Stakhov
Keywords: patch
Reported: 2015-03-19 19:47 UTC by Bernard Spil
Modified: 2015-03-19 23:13 UTC
bugzilla: maintainer-feedback? (vsevolod)

Attachments:
svn diff for security/libressl (20.61 KB, patch)
2015-03-19 19:47 UTC, Bernard Spil
Poudriere build log of security/libressl (267.22 KB, text/plain)
2015-03-19 19:48 UTC, Bernard Spil
vuxml entry (1.85 KB, patch)
2015-03-19 20:31 UTC, Bernard Spil
vuxml entry, fixed (1.81 KB, patch)
2015-03-19 20:41 UTC, Johannes Jost Meixner
vuln.xml entry (46.68 KB, patch)
2015-03-19 20:43 UTC, Bernard Spil
vuxml entry (1.85 KB, patch)
2015-03-19 20:47 UTC, Bernard Spil

Description Bernard Spil freebsd_committer 2015-03-19 19:47:53 UTC
Created attachment 154535
svn diff for security/libressl

LibreSSL has released a new version with fixes for:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences

Furthermore, the libtls ABI is declared stable and enabled by default. This is now fixed.
Comment 1 Bernard Spil freebsd_committer 2015-03-19 19:48:15 UTC
Created attachment 154536
Poudriere build log of security/libressl
Comment 2 Bernard Spil freebsd_committer 2015-03-19 20:31:53 UTC
Created attachment 154537
vuxml entry
Comment 3 Johannes Jost Meixner freebsd_committer 2015-03-19 20:41:25 UTC
Created attachment 154538
vuxml entry, fixed

Previous vuxml entry had all <cvename> tags with -0207. Fixed in patch attached.
Comment 4 Bernard Spil freebsd_committer 2015-03-19 20:43:22 UTC
Created attachment 154539
vuln.xml entry

Fixes the references entries
Comment 5 Bernard Spil freebsd_committer 2015-03-19 20:47:52 UTC
Created attachment 154540
vuxml entry

Now using the raw payload from GitHub...
Comment 6 Vsevolod Stakhov freebsd_committer 2015-03-19 21:25:01 UTC
I'd suggest using normal HTML <ul>...</ul> for the list and not just <p> in the description of the vulnxml entry.
Comment 7 commit-hook freebsd_committer 2015-03-19 22:54:39 UTC
A commit references this bug:

Author: delphij
Date: Thu Mar 19 22:54:15 UTC 2015
New revision: 381700
URL: https://svnweb.freebsd.org/changeset/ports/381700

  Mention LibreSSL too.  Use <ul>'s per suggestion from vsevolod [1].

  PR:		198718 [1]

Comment 8 Xin LI freebsd_committer 2015-03-19 22:55:07 UTC
I've merged the vuxml entries with the OpenSSL one. Vsevolod, would you please merge the port change?
Comment 9 commit-hook freebsd_committer 2015-03-19 23:12:43 UTC
A commit references this bug:

Author: vsevolod
Date: Thu Mar 19 23:11:51 UTC 2015
New revision: 381701
URL: https://svnweb.freebsd.org/changeset/ports/381701

  - Update to 2.1.6
  - Remove incorrectly added patch files

  PR:		198718
  Submitted by:	Bernard Spil <spil.oss at gmail.com>
  Security:	CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289

Comment 10 Vsevolod Stakhov freebsd_committer 2015-03-19 23:13:59 UTC
Committed, thank you!