From mail to openssl-announce: The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1g. This release will be made available on Tuesday 21st April 2020 between 1300-1700 UTC. OpenSSL 1.1.g is a security-fix release. The highest severity issue fixed in this release is HIGH: https://www.openssl.org/policies/secpolicy.html#high
Description: "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Reported by Bernd Edlinger." Patch: https://github.com/openssl/openssl/commit/eb563247aef3e83dda7679c43f9649270462e5b1 Affected: 1.1.1d - 1.1.1f @maintainer(s), please create an appropriate ebuild (1.1.1g, just released).
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43795668935812c25e76cc2bca2758347b6357a6 commit 43795668935812c25e76cc2bca2758347b6357a6 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2020-04-21 14:05:53 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-04-21 14:10:34 +0000 dev-libs/openssl: bump to v1.1.1g Bug: https://bugs.gentoo.org/717442 Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> dev-libs/openssl/Manifest | 1 + dev-libs/openssl/openssl-1.1.1g.ebuild | 324 +++++++++++++++++++++++++++++++++ 2 files changed, 325 insertions(+)
This affects TLS 1.3 only.
amd64 stable
sparc stable
arm64 stable
arm stable
s390 stable
x86 stable
This issue was resolved and addressed in GLSA 202004-10 at https://security.gentoo.org/glsa/202004-10 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
hppa stable, forgot to un-CC
@ppc, ppc64: ping
on both little-endian and big-endian ppc64 same test failure ../test/recipes/30-test_afalg.t .................... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests
ppc64 stable ppc stable arches done, security please proceed.
(In reply to Georgy Yakovlev from comment #15) > ppc64 stable > ppc stable > > arches done, security please proceed. Thanks. @maintainer(s), please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bce053e42181beb3ae28cc8585516202954a248 commit 9bce053e42181beb3ae28cc8585516202954a248 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2020-06-04 17:53:01 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-06-04 17:53:01 +0000 dev-libs/openssl: security cleanup Bug: https://bugs.gentoo.org/717442 Package-Manager: Portage-2.3.100, Repoman-2.3.22 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> dev-libs/openssl/Manifest | 3 - ...sl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch | 42 --- ...x-potential-memleaks-w-BN_to_ASN1_INTEGER.patch | 107 ------- .../openssl/files/openssl-1.1.1d-fix-zlib.patch | 52 ---- ...stitched-AES-CBC-HMAC-SHA-implementations.patch | 62 ---- dev-libs/openssl/openssl-1.1.1d-r3.ebuild | 328 --------------------- dev-libs/openssl/openssl-1.1.1f.ebuild | 324 -------------------- 7 files changed, 918 deletions(-)
All done.