import CS git openssl-1.1.1k-17.el8_6
This commit is contained in:
parent
e924678fa0
commit
7caaa430c5
@ -1,11 +1,13 @@
|
||||
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
|
||||
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
|
||||
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
|
||||
@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
|
||||
@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
static int init_srp(SSL *s, unsigned int context);
|
||||
#endif
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
||||
+#endif
|
||||
static int init_etm(SSL *s, unsigned int context);
|
||||
static int init_ems(SSL *s, unsigned int context);
|
||||
static int final_ems(SSL *s, unsigned int context, int sent);
|
||||
@ -18,10 +20,11 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
|
||||
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
||||
final_ec_pt_formats
|
||||
},
|
||||
@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
|
||||
@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
||||
+{
|
||||
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
||||
@ -30,6 +33,7 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
static int init_etm(SSL *s, unsigned int context)
|
||||
{
|
||||
|
||||
81
SOURCES/openssl-1.1.1-cve-2026-28390.patch
Normal file
81
SOURCES/openssl-1.1.1-cve-2026-28390.patch
Normal file
@ -0,0 +1,81 @@
|
||||
From 2ff16c29c115c131fbcf196ab66ca0ef822c7ab0 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <pzacik@redhat.com>
|
||||
Date: Wed, 13 May 2026 16:22:35 +0200
|
||||
Subject: [PATCH] Fix CVE-2026-28390
|
||||
|
||||
Ensure that if we are missing parameters in
|
||||
RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
|
||||
we don't segfault when decrypting.
|
||||
---
|
||||
crypto/rsa/rsa_ameth.c | 30 ++++++++++++++++++++----------
|
||||
1 file changed, 20 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
|
||||
index fb04554..dfce3e2 100644
|
||||
--- a/crypto/rsa/rsa_ameth.c
|
||||
+++ b/crypto/rsa/rsa_ameth.c
|
||||
@@ -918,10 +918,13 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
|
||||
X509_ALGOR *cmsalg;
|
||||
int nid;
|
||||
int rv = -1;
|
||||
- unsigned char *label = NULL;
|
||||
+ const unsigned char *label = NULL;
|
||||
int labellen = 0;
|
||||
const EVP_MD *mgf1md = NULL, *md = NULL;
|
||||
RSA_OAEP_PARAMS *oaep;
|
||||
+ const ASN1_OBJECT *aoid;
|
||||
+ const void *parameter = NULL;
|
||||
+ int ptype = 0;
|
||||
|
||||
pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
|
||||
if (pkctx == NULL)
|
||||
@@ -951,21 +954,19 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
|
||||
goto err;
|
||||
|
||||
if (oaep->pSourceFunc != NULL) {
|
||||
- X509_ALGOR *plab = oaep->pSourceFunc;
|
||||
+ X509_ALGOR_get0(&aoid, &ptype, ¶meter, oaep->pSourceFunc);
|
||||
|
||||
- if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
|
||||
+ if (OBJ_obj2nid(aoid) != NID_pSpecified) {
|
||||
RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
|
||||
goto err;
|
||||
}
|
||||
- if (plab->parameter->type != V_ASN1_OCTET_STRING) {
|
||||
+ if (ptype != V_ASN1_OCTET_STRING) {
|
||||
RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
|
||||
goto err;
|
||||
}
|
||||
|
||||
- label = plab->parameter->value.octet_string->data;
|
||||
- /* Stop label being freed when OAEP parameters are freed */
|
||||
- plab->parameter->value.octet_string->data = NULL;
|
||||
- labellen = plab->parameter->value.octet_string->length;
|
||||
+ label = ASN1_STRING_get0_data(parameter);
|
||||
+ labellen = ASN1_STRING_length(parameter);
|
||||
}
|
||||
|
||||
if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
|
||||
@@ -974,8 +975,17 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
|
||||
goto err;
|
||||
if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
|
||||
goto err;
|
||||
- if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
|
||||
- goto err;
|
||||
+ if (label != NULL) {
|
||||
+ unsigned char *dup_label = OPENSSL_memdup(label, labellen);
|
||||
+
|
||||
+ if (dup_label == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) {
|
||||
+ OPENSSL_free(dup_label);
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
/* Carry on */
|
||||
rv = 1;
|
||||
|
||||
--
|
||||
2.53.0
|
||||
|
||||
@ -22,7 +22,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1k
|
||||
Release: 16%{?dist}
|
||||
Release: 17%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -99,17 +99,18 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch
|
||||
# Backport from OpenSSL 3.2/RHEL 9
|
||||
# Proper fix for CVE-2020-25659
|
||||
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
|
||||
# Backport from OpenSSL 3.2
|
||||
# Backport from OpenSSL 3.0
|
||||
# Fix for CVE-2024-5535
|
||||
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
|
||||
# Fix for CVE-2025-9230
|
||||
Patch110: openssl-1.1.1-cve-2025-9230.patch
|
||||
Patch111: openssl-1.1.1-ticket_lifetime_hint.patch
|
||||
# Fix for CVE-2025-69419 (next two)
|
||||
# Fix for CVE-2025-69419
|
||||
Patch112: openssl-1.1.1-hardening-from-openssl-3.0.1.patch
|
||||
Patch113: openssl-1.1.1-cve-2025-69419.patch
|
||||
Patch114: openssl-1.1.1-cve-2026-45447.patch
|
||||
Patch115: openssl-1.1.1-cve-2024-4741.patch
|
||||
# Fix for CVE-2026-28390
|
||||
Patch116: openssl-1.1.1-cve-2026-28390.patch
|
||||
|
||||
License: OpenSSL and ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -188,68 +189,69 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||
cp %{SOURCE12} crypto/ec/
|
||||
cp %{SOURCE13} test/
|
||||
|
||||
%patch -P1 -p1 -b .build %{?_rawbuild}
|
||||
%patch -P2 -p1 -b .defaults
|
||||
%patch -P3 -p1 -b .no-html %{?_rawbuild}
|
||||
%patch -P4 -p1 -b .man-rename
|
||||
%patch1 -p1 -b .build %{?_rawbuild}
|
||||
%patch2 -p1 -b .defaults
|
||||
%patch3 -p1 -b .no-html %{?_rawbuild}
|
||||
%patch4 -p1 -b .man-rename
|
||||
|
||||
%patch -P31 -p1 -b .conf-paths
|
||||
%patch -P32 -p1 -b .version-add-engines
|
||||
%patch -P33 -p1 -b .dgst
|
||||
%patch -P36 -p1 -b .no-brainpool
|
||||
%patch -P37 -p1 -b .curves
|
||||
%patch -P38 -p1 -b .no-weak-verify
|
||||
%patch -P40 -p1 -b .sslv3-abi
|
||||
%patch -P41 -p1 -b .system-cipherlist
|
||||
%patch -P42 -p1 -b .fips
|
||||
%patch -P44 -p1 -b .version-override
|
||||
%patch -P45 -p1 -b .weak-ciphers
|
||||
%patch -P46 -p1 -b .seclevel
|
||||
%patch -P47 -p1 -b .ts-sha256-default
|
||||
%patch -P48 -p1 -b .fips-post-rand
|
||||
%patch -P49 -p1 -b .evp-kdf
|
||||
%patch -P50 -p1 -b .ssh-kdf
|
||||
%patch -P51 -p1 -b .intel-cet
|
||||
%patch -P52 -p1 -b .s390x-update
|
||||
%patch -P53 -p1 -b .crng-test
|
||||
%patch -P55 -p1 -b .arm-update
|
||||
%patch -P56 -p1 -b .s390x-ecc
|
||||
%patch -P60 -p1 -b .krb5-kdf
|
||||
%patch -P61 -p1 -b .edk2-build
|
||||
%patch -P62 -p1 -b .fips-curves
|
||||
%patch -P65 -p1 -b .drbg-selftest
|
||||
%patch -P66 -p1 -b .fips-dh
|
||||
%patch -P67 -p1 -b .kdf-selftest
|
||||
%patch -P69 -p1 -b .alpn-cb
|
||||
%patch -P70 -p1 -b .rewire-fips-drbg
|
||||
%patch -P74 -p1 -b .addrconfig
|
||||
%patch -P75 -p1 -b .tls13-curves
|
||||
%patch -P76 -p1 -b .cleanup-reneg
|
||||
%patch -P77 -p1 -b .s390x-aes
|
||||
%patch -P78 -p1 -b .addr-ipv6
|
||||
%patch -P79 -p1 -b .servername-cb
|
||||
%patch -P80 -p1 -b .s390x-test-aes
|
||||
%patch -P81 -p1 -b .read-buff
|
||||
%patch -P82 -p1 -b .cve-2022-0778
|
||||
%patch -P83 -p1 -b .replace-expired-certs
|
||||
%patch -P84 -p1 -b .cve-2022-1292
|
||||
%patch -P85 -p1 -b .cve-2022-2068
|
||||
%patch -P86 -p1 -b .cve-2022-2097
|
||||
%patch -P101 -p1 -b .cve-2022-4304
|
||||
%patch -P102 -p1 -b .cve-2022-4450
|
||||
%patch -P103 -p1 -b .cve-2023-0215
|
||||
%patch -P104 -p1 -b .cve-2023-0286
|
||||
%patch -P105 -p1 -b .cve-2023-3446
|
||||
%patch -P106 -p1 -b .cve-2023-3817
|
||||
%patch -P107 -p1 -b .cve-2023-5678
|
||||
%patch -P108 -p1 -b .pkcs15imprejection
|
||||
%patch -P109 -p1 -b .cve-2024-5535
|
||||
%patch -P110 -p1 -b .cve-2025-9230
|
||||
%patch -P111 -p1 -b .ticket_lifetime_hint
|
||||
%patch -P112 -p1 -b .cve-2025-69419-1
|
||||
%patch -P113 -p1 -b .cve-2025-69419-2
|
||||
%patch -P114 -p1 -b .cve-2026-45447
|
||||
%patch -P115 -p1 -b .cve-2024-4741
|
||||
%patch31 -p1 -b .conf-paths
|
||||
%patch32 -p1 -b .version-add-engines
|
||||
%patch33 -p1 -b .dgst
|
||||
%patch36 -p1 -b .no-brainpool
|
||||
%patch37 -p1 -b .curves
|
||||
%patch38 -p1 -b .no-weak-verify
|
||||
%patch40 -p1 -b .sslv3-abi
|
||||
%patch41 -p1 -b .system-cipherlist
|
||||
%patch42 -p1 -b .fips
|
||||
%patch44 -p1 -b .version-override
|
||||
%patch45 -p1 -b .weak-ciphers
|
||||
%patch46 -p1 -b .seclevel
|
||||
%patch47 -p1 -b .ts-sha256-default
|
||||
%patch48 -p1 -b .fips-post-rand
|
||||
%patch49 -p1 -b .evp-kdf
|
||||
%patch50 -p1 -b .ssh-kdf
|
||||
%patch51 -p1 -b .intel-cet
|
||||
%patch52 -p1 -b .s390x-update
|
||||
%patch53 -p1 -b .crng-test
|
||||
%patch55 -p1 -b .arm-update
|
||||
%patch56 -p1 -b .s390x-ecc
|
||||
%patch60 -p1 -b .krb5-kdf
|
||||
%patch61 -p1 -b .edk2-build
|
||||
%patch62 -p1 -b .fips-curves
|
||||
%patch65 -p1 -b .drbg-selftest
|
||||
%patch66 -p1 -b .fips-dh
|
||||
%patch67 -p1 -b .kdf-selftest
|
||||
%patch69 -p1 -b .alpn-cb
|
||||
%patch70 -p1 -b .rewire-fips-drbg
|
||||
%patch74 -p1 -b .addrconfig
|
||||
%patch75 -p1 -b .tls13-curves
|
||||
%patch76 -p1 -b .cleanup-reneg
|
||||
%patch77 -p1 -b .s390x-aes
|
||||
%patch78 -p1 -b .addr-ipv6
|
||||
%patch79 -p1 -b .servername-cb
|
||||
%patch80 -p1 -b .s390x-test-aes
|
||||
%patch81 -p1 -b .read-buff
|
||||
%patch82 -p1 -b .cve-2022-0778
|
||||
%patch83 -p1 -b .replace-expired-certs
|
||||
%patch84 -p1 -b .cve-2022-1292
|
||||
%patch85 -p1 -b .cve-2022-2068
|
||||
%patch86 -p1 -b .cve-2022-2097
|
||||
%patch101 -p1 -b .cve-2022-4304
|
||||
%patch102 -p1 -b .cve-2022-4450
|
||||
%patch103 -p1 -b .cve-2023-0215
|
||||
%patch104 -p1 -b .cve-2023-0286
|
||||
%patch105 -p1 -b .cve-2023-3446
|
||||
%patch106 -p1 -b .cve-2023-3817
|
||||
%patch107 -p1 -b .cve-2023-5678
|
||||
%patch108 -p1 -b .pkcs15imprejection
|
||||
%patch109 -p1 -b .cve-2024-5535
|
||||
%patch110 -p1 -b .cve-2025-9230
|
||||
%patch111 -p1 -b .ticket_lifetime_hint
|
||||
%patch112 -p1 -b .cve-2025-69419-1
|
||||
%patch113 -p1 -b .cve-2025-69419-2
|
||||
%patch114 -p1 -b .cve-2026-45447
|
||||
%patch115 -p1 -b .cve-2024-4741
|
||||
%patch116 -p1 -b .cve-2026-28390
|
||||
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
@ -533,69 +535,75 @@ export LD_LIBRARY_PATH
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Jul 02 2026 Otmar Sabela <osabela@redhat.com> - 1:1.1.1k-17
|
||||
- Fixes CVE-2026-28390: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing
|
||||
Resolves: RHEL-165759
|
||||
|
||||
* Mon Jun 01 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-16
|
||||
- Fix CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify()
|
||||
Resolves: RHEL-180978
|
||||
Resolves: RHEL-179623
|
||||
- Fix CVE-2024-4741: Use After Free with SSL_free_buffers
|
||||
Resolves: RHEL-180983
|
||||
Resolves: RHEL-39119
|
||||
|
||||
* Thu Feb 12 2026 Antonio Vieiro <avieirov@redhat.com> - 1:1.1.1k-15
|
||||
- Fix CVE-2025-69419: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing
|
||||
ticket_lifetime_hint exceed 1 week in TLSv1.3 and breaks compliant clients
|
||||
Resolves: RHEL-149165
|
||||
Resolves: RHEL-142715
|
||||
Resolves: RHEL-142010
|
||||
|
||||
* Mon Dec 22 2025 Nikita Sanjay Patwa <npatwa@redhat.com> - 1:1.1.1k-14.1
|
||||
- Backport fix for openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap
|
||||
* Mon Dec 08 2025 Nikita Sanjay Patwa <npatwa@redhat.com> - 1:1.1.1k-14
|
||||
- Backport fix for Out-of-bounds read & write in RFC 3211 KEK Unwrap
|
||||
Fix CVE-2025-9230
|
||||
Resolves: RHEL-128615
|
||||
Resolves: RHEL-128613
|
||||
- Fix bug for ticket_lifetime_hint exceed issue
|
||||
Resolves: RHEL-119891
|
||||
|
||||
* Tue Sep 17 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-14
|
||||
- Backport fix SSL_select_next proto from OpenSSL 3.2
|
||||
* Mon Sep 16 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-13
|
||||
- Backport fix SSL_select_next proto from OpenSSL 3.2
|
||||
Fix CVE-2024-5535
|
||||
Resolves: RHEL-45654
|
||||
|
||||
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
|
||||
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
|
||||
(a proper fix for CVE-2020-25659)
|
||||
Resolves: RHEL-17694
|
||||
Resolves: RHEL-17696
|
||||
|
||||
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
|
||||
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
|
||||
excessively long X9.42 DH keys or parameters may be very slow
|
||||
Resolves: RHEL-16536
|
||||
Resolves: RHEL-16538
|
||||
|
||||
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
|
||||
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
|
||||
Resolves: RHEL-14243
|
||||
Resolves: RHEL-14245
|
||||
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
|
||||
Resolves: RHEL-14237
|
||||
Resolves: RHEL-14239
|
||||
|
||||
* Thu May 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
|
||||
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
|
||||
- Fixed Timing Oracle in RSA Decryption
|
||||
Resolves: CVE-2022-4304
|
||||
- Fixed Double free after calling PEM_read_bio_ex
|
||||
Resolves: CVE-2022-4450
|
||||
- Fixed Use-after-free following BIO_new_NDEF
|
||||
Resolves: CVE-2023-0215
|
||||
|
||||
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
|
||||
- Fixed X.400 address type confusion in X.509 GeneralName
|
||||
Resolves: CVE-2023-0286
|
||||
|
||||
* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
|
||||
- Fix no-ec build
|
||||
Resolves: rhbz#2071020
|
||||
|
||||
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
|
||||
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
|
||||
Resolves: CVE-2022-2097
|
||||
- Update expired certificates used in the testsuite
|
||||
Resolves: rhbz#2100554
|
||||
Resolves: rhbz#2092462
|
||||
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
|
||||
Resolves: rhbz#2090371
|
||||
Resolves: rhbz#2090372
|
||||
- Fix CVE-2022-2068: the c_rehash script allows command injection
|
||||
Resolves: rhbz#2098278
|
||||
Resolves: rhbz#2098279
|
||||
|
||||
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
||||
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
||||
- Resolves: rhbz#2067145
|
||||
- Resolves: rhbz#2067146
|
||||
|
||||
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
||||
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
||||
|
||||
Loading…
Reference in New Issue
Block a user