4 files changed, 2 insertions(+), 74 deletions(-)
M gnu-system.am
M gnu/packages/openssl.scm
D gnu/packages/patches/openssl-CVE-2010-5298.patch
D gnu/packages/patches/openssl-extension-checking-fixes.patch
M gnu-system.am => gnu-system.am +0 -2
@@ 332,8 332,6 @@ dist_patch_DATA = \
gnu/packages/patches/mit-krb5-init-fix.patch \
gnu/packages/patches/mpc123-initialize-ao.patch \
gnu/packages/patches/module-init-tools-moduledir.patch \
- gnu/packages/patches/openssl-CVE-2010-5298.patch \
- gnu/packages/patches/openssl-extension-checking-fixes.patch \
gnu/packages/patches/patchelf-page-size.patch \
gnu/packages/patches/patchutils-xfail-gendiff-tests.patch \
gnu/packages/patches/perl-no-sys-dirs.patch \
M gnu/packages/openssl.scm => gnu/packages/openssl.scm +2 -5
@@ 28,17 28,14 @@
(define-public openssl
(package
(name "openssl")
- (version "1.0.1g")
+ (version "1.0.1h")
(source (origin
(method url-fetch)
(uri (string-append "ftp://ftp.openssl.org/source/openssl-" version
".tar.gz"))
(sha256
(base32
- "0a70qdqccg16nw4bbawa6pjvzn05vfp5wkwg6jl0grch7f683jsk"))
- (patches
- (list (search-patch "openssl-CVE-2010-5298.patch")
- (search-patch "openssl-extension-checking-fixes.patch")))))
+ "14yhsgag5as7nhxnw7f0vklwjwa3pmn1i15nmp3f4qxa6sc8l74x"))))
(build-system gnu-build-system)
(native-inputs `(("perl" ,perl)))
(arguments
D gnu/packages/patches/openssl-CVE-2010-5298.patch => gnu/packages/patches/openssl-CVE-2010-5298.patch +0 -27
@@ 1,27 0,0 @@
-From db978be7388852059cf54e42539a363d549c5bfd Mon Sep 17 00:00:00 2001
-From: Kurt Roeckx <kurt@roeckx.be>
-Date: Sun, 13 Apr 2014 15:05:30 +0200
-Subject: [PATCH] Don't release the buffer when there still is data in it
-
-RT: 2167, 3265
----
- ssl/s3_pkt.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index b9e45c7..32e9207 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -1055,7 +1055,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
- {
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
-- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-+ if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
-+ s->s3->rbuf.left == 0)
- ssl3_release_read_buffer(s);
- }
- }
---
-1.9.1
-
D gnu/packages/patches/openssl-extension-checking-fixes.patch => gnu/packages/patches/openssl-extension-checking-fixes.patch +0 -40
@@ 1,40 0,0 @@
-From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Tue, 15 Apr 2014 18:48:54 +0100
-Subject: [PATCH] Extension checking fixes.
-
-When looking for an extension we need to set the last found
-position to -1 to properly search all extensions.
-
-PR#3309.
----
- crypto/x509v3/v3_purp.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
-index 6c40c7d..5f931db 100644
---- a/crypto/x509v3/v3_purp.c
-+++ b/crypto/x509v3/v3_purp.c
-@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
- /* Handle proxy certificates */
- if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
- if (x->ex_flags & EXFLAG_CA
-- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
-- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
-+ || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
-+ || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
- x->ex_flags |= EXFLAG_INVALID;
- }
- if (pci->pcPathLengthConstraint) {
-@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
- return 0;
-
- /* Extended Key Usage MUST be critical */
-- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
-+ i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
- if (i_ext >= 0)
- {
- X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
---
-1.9.1
-