From patchwork Tue Apr 21 13:36:51 2020
X-Patchwork-Submitter: Titouan Christophe
X-Patchwork-Id: 1274269
From: Titouan Christophe
To: buildroot@buildroot.org
Cc: Matt Weber, Titouan Christophe
Date: Tue, 21 Apr 2020 15:36:51 +0200
Message-Id: <20200421133651.6921-1-titouan.christophe@railnova.eu>
Subject: [Buildroot] [PATCH 1/1] package/libopenssl: security bump to v1.1.1g

This fixes CVE-2020-1967:
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d.

See https://www.openssl.org/news/secadv/20200421.txt

Also update the hash file to the new two spaces convention

Signed-off-by: Titouan Christophe
---
 package/libopenssl/libopenssl.hash | 6 +++---
 package/libopenssl/libopenssl.mk | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash index 3becd790ac..121e10c410 100644
--- a/package/libopenssl/libopenssl.hash +++ b/package/libopenssl/libopenssl.hash @@ -1,5 +1,5 @@ -# From https://www.openssl.org/source/openssl-1.1.1d.tar.gz.sha256 -sha256 186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35 openssl-1.1.1f.tar.gz +# From https://www.openssl.org/source/openssl-1.1.1g.tar.gz.sha256 +sha256 ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46 openssl-1.1.1g.tar.gz # License files -sha256 c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c LICENSE +sha256 c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c LICENSE diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk index 4639c63fac..a300458f85 100644 --- a/package/libopenssl/libopenssl.mk +++ b/package/libopenssl/libopenssl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBOPENSSL_VERSION = 1.1.1f +LIBOPENSSL_VERSION = 1.1.1g LIBOPENSSL_SITE = https://www.openssl.org/source LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz LIBOPENSSL_LICENSE = OpenSSL or SSLeay
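
Review bot: In the libopenssl.hash hunk, the new tarball checksum is taken from https://www.openssl.org/source/openssl-1.1.1g.tar.gz.sha256, which is the same site LIBOPENSSL_SITE downloads the tarball from, so it detects a corrupted download but not a tampered upstream file. For a security bump, verify the release tarball's PGP signature before recording the hash and say so in the comment line above it. The LICENSE line carries the same digest on its - and + sides, which matches the whitespace-only switch to the two spaces convention mentioned in the commit message; sending that as a separate patch would keep the CVE-2020-1967 fix minimal and easier to backport to branches still on 1.1.1d, 1.1.1e or 1.1.1f.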