[mingw32-openssl/f13/master] CVE-2011-0014 openssl: OCSP stapling vulnerability fix for https://bugzilla.redhat.com/show_bug.cgi?
Kalev Lember
kalev at fedoraproject.org
Sat Apr 23 12:28:07 UTC 2011
commit aea5fb20d11e2c9eb52c3743ebdfb36e3bec9652
Author: Kai Tietz <ktietz at redhat.com>
Date: Fri Mar 4 11:03:42 2011 +0100
CVE-2011-0014 openssl: OCSP stapling vulnerability fix for
https://bugzilla.redhat.com/show_bug.cgi?id=676070
mingw32-openssl.spec | 7 ++++++-
openssl-1.0.0a-sslt1lib.patch | 28 ++++++++++++++++++++++++++++
2 files changed, 34 insertions(+), 1 deletions(-)
---
diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec
index a956103..8e136bd 100644
--- a/mingw32-openssl.spec
+++ b/mingw32-openssl.spec
@@ -31,7 +31,7 @@
Name: mingw32-openssl
Version: 1.0.0
-Release: 0.6.%{beta}%{?dist}
+Release: 0.7.%{beta}%{?dist}
Summary: MinGW port of the OpenSSL toolkit
License: OpenSSL
@@ -59,6 +59,7 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch
# Bug fixes
Patch23: openssl-1.0.0-beta4-default-paths.patch
Patch24: openssl-1.0.0-beta4-binutils.patch
+Patch25: openssl-1.0.0a-sslt1lib.patch
# Functionality changes
Patch32: openssl-0.9.8g-ia64.patch
Patch33: openssl-1.0.0-beta4-ca-dir.patch
@@ -166,6 +167,7 @@ Static version of the MinGW port of the OpenSSL toolkit.
%patch23 -p1 -b .default-paths
%patch24 -p1 -b .binutils
+%patch25 -p1 -b .sslt1lib
%patch32 -p1 -b .ia64
#patch33 is applied after make test
@@ -352,6 +354,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Mar 04 2011 Kai Tietz <ktietz at redhat.com> - 1.0.0-0.7.beta4
+- Fixes for CVE-2011-0014 openssl: OCSP stapling vulnerability
+
* Thu Nov 26 2009 Kalev Lember <kalev at smartlink.ee> - 1.0.0-0.6.beta4
- Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4)
- Dropped the patch to fix non-fips mingw build,
diff --git a/openssl-1.0.0a-sslt1lib.patch b/openssl-1.0.0a-sslt1lib.patch
new file mode 100644
index 0000000..2e7d2ff
--- /dev/null
+++ b/openssl-1.0.0a-sslt1lib.patch
@@ -0,0 +1,28 @@
+--- openssl-1.0.0a/ssl/t1_lib.c 25 Nov 2010 12:28:28 -0000 1.64.2.17
++++ openssl-1.0.0a/ssl/t1_lib.c 8 Feb 2011 00:00:00 -0000
+@@ -917,6 +917,7 @@
+ }
+ n2s(data, idsize);
+ dsize -= 2 + idsize;
++ size -= 2 + idsize;
+ if (dsize < 0)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+@@ -955,9 +956,14 @@
+ }
+
+ /* Read in request_extensions */
++ if (size < 2)
++ {
++ *al = SSL_AD_DECODE_ERROR;
++ return 0;
++ }
+ n2s(data,dsize);
+ size -= 2;
+- if (dsize > size)
++ if (dsize != size)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+
+
More information about the scm-commits
mailing list