* [gentoo-commits] gentoo-x86 commit in dev-libs/openssl/files: openssl-0.9.8l-CVE-2009-2409.patch
@ 2009-11-27 22:00 Mike Frysinger (vapier)
0 siblings, 0 replies; only message in thread
From: Mike Frysinger (vapier) @ 2009-11-27 22:00 UTC (permalink / raw
To: gentoo-commits
vapier 09/11/27 22:00:12
Modified: openssl-0.9.8l-CVE-2009-2409.patch
Log:
Add other half of MD2 disable so that root certs arent checked #294615 by Alexander Danilov.
(Portage version: 2.2_rc51/cvs/Linux x86_64, RepoMan options: --force)
Revision Changes Path
1.2 dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch?r1=1.1&r2=1.2
Index: openssl-0.9.8l-CVE-2009-2409.patch
===================================================================
RCS file: /var/cvsroot/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- openssl-0.9.8l-CVE-2009-2409.patch 21 Nov 2009 03:09:54 -0000 1.1
+++ openssl-0.9.8l-CVE-2009-2409.patch 27 Nov 2009 22:00:12 -0000 1.2
@@ -2,11 +2,48 @@
fix from upstream
+http://cvs.openssl.org/chngview?cn=18260
+
+Index: openssl/crypto/x509/x509_vfy.c
+RCS File: /v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v
+rcsdiff -q -kk '-r1.77.2.8' '-r1.77.2.9' -u '/v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v' 2>/dev/null
+--- crypto/x509/x509_vfy.c 2008/07/13 14:33:15 1.77.2.8
++++ crypto/x509/x509_vfy.c 2009/06/15 14:52:38 1.77.2.9
+@@ -986,7 +986,11 @@
+ while (n >= 0)
+ {
+ ctx->error_depth=n;
+- if (!xs->valid)
++
++ /* Skip signature check for self signed certificates. It
++ * doesn't add any security and just wastes time.
++ */
++ if (!xs->valid && xs != xi)
+ {
+ if ((pkey=X509_get_pubkey(xi)) == NULL)
+ {
+@@ -996,13 +1000,6 @@
+ if (!ok) goto end;
+ }
+ else if (X509_verify(xs,pkey) <= 0)
+- /* XXX For the final trusted self-signed cert,
+- * this is a waste of time. That check should
+- * optional so that e.g. 'openssl x509' can be
+- * used to detect invalid self-signatures, but
+- * we don't verify again and again in SSL
+- * handshakes and the like once the cert has
+- * been declared trusted. */
+ {
+ ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
+ ctx->current_cert=xs;
+
+http://cvs.openssl.org/chngview?cn=18317
+
Index: openssl/crypto/evp/c_alld.c
RCS File: /v/openssl/cvs/openssl/crypto/evp/c_alld.c,v
rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.c,v' 2>/dev/null
---- c_alld.c 2005/04/30 21:51:40 1.7
-+++ c_alld.c 2009/07/08 08:33:26 1.7.2.1
+--- crypto/evp/c_alld.c 2005/04/30 21:51:40 1.7
++++ crypto/evp/c_alld.c 2009/07/08 08:33:26 1.7.2.1
@@ -64,9 +64,6 @@
void OpenSSL_add_all_digests(void)
@@ -20,8 +57,8 @@
Index: openssl/ssl/ssl_algs.c
RCS File: /v/openssl/cvs/openssl/ssl/ssl_algs.c,v
rcsdiff -q -kk '-r1.12.2.3' '-r1.12.2.4' -u '/v/openssl/cvs/openssl/ssl/ssl_algs.c,v' 2>/dev/null
---- ssl_algs.c 2007/04/23 23:50:21 1.12.2.3
-+++ ssl_algs.c 2009/07/08 08:33:27 1.12.2.4
+--- ssl/ssl_algs.c 2007/04/23 23:50:21 1.12.2.3
++++ ssl/ssl_algs.c 2009/07/08 08:33:27 1.12.2.4
@@ -92,9 +92,6 @@
EVP_add_cipher(EVP_seed_cbc());
#endif
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2009-11-27 22:00 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-11-27 22:00 [gentoo-commits] gentoo-x86 commit in dev-libs/openssl/files: openssl-0.9.8l-CVE-2009-2409.patch Mike Frysinger (vapier)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox