author | 2019-03-21 22:07:25 +0100 | |
---|---|---|
committer | 2019-03-24 09:29:12 +0100 | |
commit | 71fec4456f0e45d59da6ee5731d60789e0a607ee (patch) | |
tree | f4bc87416bb794901b3ad60253a1cff5bcd6d41c | |
parent | 3e37abb31199c89649e09978262aac468a845f60 (diff) | |
download | buildroot-71fec4456f0e45d59da6ee5731d60789e0a607ee.tar.gz buildroot-71fec4456f0e45d59da6ee5731d60789e0a607ee.tar.bz2 |
package/libopenssl: security bump to version 1.0.2r

Fixes the following security issue:

0-byte record padding oracle (CVE-2019-1559)

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data.

For more details, see the advisory:
https://mta.openssl.org/pipermail/openssl-announce/2019-February/000148.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

-rw-r--r-- | package/libopenssl/libopenssl.hash | 8 | ||||
-rw-r--r-- | package/libopenssl/libopenssl.mk | 2 |
2 files changed, 5 insertions, 5 deletions
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash index 83fb8bd513..7e6e6057ee 100644 --- a/package/libopenssl/libopenssl.hash +++ b/package/libopenssl/libopenssl.hash @@ -1,7 +1,7 @@ -# From https://www.openssl.org/source/openssl-1.0.2q.tar.gz.sha256 -sha256 5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684 openssl-1.0.2q.tar.gz -# From https://www.openssl.org/source/openssl-1.0.2q.tar.gz.sha1 -sha1 692f5f2f1b114f8adaadaa3e7be8cce1907f38c5 openssl-1.0.2q.tar.gz +# From https://www.openssl.org/source/openssl-1.0.2r.tar.gz.sha256 +sha256 ae51d08bba8a83958e894946f15303ff894d75c2b8bbd44a852b64e3fe11d0d6 openssl-1.0.2r.tar.gz +# From https://www.openssl.org/source/openssl-1.0.2r.tar.gz.sha1 +sha1 b9aec1fa5cedcfa433aed37c8fe06b0ab0ce748d openssl-1.0.2r.tar.gz # Locally computed sha256 eddd8a5123748052c598214487ac178e4bfa4e31ba2ec520c70d59c8c5bfa2e9 openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d sha256 147c3eeaad614c044749ea527cb433eae5e2d5cad34a78c6ba61cd967bfbe01f openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk index dc15abf66a..a53e78c07e 100644 --- a/package/libopenssl/libopenssl.mk +++ b/package/libopenssl/libopenssl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBOPENSSL_VERSION = 1.0.2q +LIBOPENSSL_VERSION = 1.0.2r LIBOPENSSL_SITE = https://www.openssl.org/source LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz LIBOPENSSL_LICENSE = OpenSSL or SSLeay |
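Review bot: in the libopenssl.hash hunk, both new tarball hashes are copied from files under https://www.openssl.org/source, the same origin that LIBOPENSSL_SITE fetches the tarball from, so they detect a corrupted download but not a replaced release on that site. If the tarball was also checked against the upstream release signature, record that in the comment above the hashes so the provenance of the values is clear to the next person bumping the version.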
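Review bot: in the libopenssl.mk hunk, the LIBOPENSSL_VERSION line is the only change, and the commit message does not say whether the two openssl-1.0.2a-parallel-* patches still listed in libopenssl.hash were confirmed to apply to 1.0.2r. A one-line note in the commit message that the package was build-tested after the bump would settle this.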