mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
23e53133e2
- Update from 3.3.0 to 3.3.1
- Update of rootfile not required
- This version has 2 CVE fixes both of which are classified as Low Severity so looks like
they can wait for CU189
- Changelog
3.3.1
* Fixed potential use after free after SSL_free_buffers() is called.
The SSL_free_buffers function is used to free the internal OpenSSL
buffer used when processing an incoming record from the network.
The call is only expected to succeed if the buffer is not currently
in use. However, two scenarios have been identified where the buffer
is freed even when still in use.
The first scenario occurs where a record header has been received
from the network and processed by OpenSSL, but the full record body
has not yet arrived. In this case calling SSL_free_buffers will succeed
even though a record has only been partially processed and the buffer
is still in use.
The second scenario occurs where a full record containing application
data has been received and processed by OpenSSL but the application has
only read part of this data. Again a call to SSL_free_buffers will
succeed even though the buffer is still in use.
([CVE-2024-4741])
* Fixed an issue where checking excessively long DSA keys or parameters may
be very slow.
Applications that use the functions EVP_PKEY_param_check() or
EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
experience long delays. Where the key or parameters that are being checked
have been obtained from an untrusted source this may lead to a Denial of
Service.
To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
reason.
([CVE-2024-4603])
* Improved EC/DSA nonce generation routines to avoid bias and timing
side channel leaks.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
128 lines
4.1 KiB
Plaintext
128 lines
4.1 KiB
Plaintext
###############################################################################
|
|
# #
|
|
# IPFire.org - A linux based firewall #
|
|
# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
|
|
# #
|
|
# This program is free software: you can redistribute it and/or modify #
|
|
# it under the terms of the GNU General Public License as published by #
|
|
# the Free Software Foundation, either version 3 of the License, or #
|
|
# (at your option) any later version. #
|
|
# #
|
|
# This program is distributed in the hope that it will be useful, #
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
|
|
# GNU General Public License for more details. #
|
|
# #
|
|
# You should have received a copy of the GNU General Public License #
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
|
|
# #
|
|
###############################################################################
|
|
|
|
###############################################################################
|
|
# Definitions
|
|
###############################################################################
|
|
|
|
include Config
|
|
|
|
VER = 3.3.1
|
|
|
|
THISAPP = openssl-$(VER)
|
|
DL_FILE = $(THISAPP).tar.gz
|
|
DL_FROM = $(URL_IPFIRE)
|
|
DIR_APP = $(DIR_SRC)/$(THISAPP)
|
|
|
|
TARGET = $(DIR_INFO)/$(THISAPP)
|
|
|
|
CFLAGS += -DPURIFY -Wa,--noexecstack
|
|
|
|
export RPM_OPT_FLAGS = $(CFLAGS)
|
|
|
|
CONFIGURE_OPTIONS = \
|
|
--prefix=/usr \
|
|
--openssldir=/etc/ssl \
|
|
shared \
|
|
zlib-dynamic \
|
|
enable-camellia \
|
|
enable-seed \
|
|
enable-rfc3779 \
|
|
no-idea \
|
|
no-mdc2 \
|
|
no-rc5 \
|
|
no-srp \
|
|
no-aria \
|
|
$(OPENSSL_ARCH)
|
|
|
|
ifeq "$(BUILD_ARCH)" "aarch64"
|
|
OPENSSL_ARCH = linux-aarch64
|
|
endif
|
|
|
|
ifeq "$(BUILD_ARCH)" "riscv64"
|
|
OPENSSL_ARCH = linux64-riscv64
|
|
endif
|
|
|
|
ifeq "$(BUILD_ARCH)" "x86_64"
|
|
OPENSSL_ARCH = linux-x86_64
|
|
endif
|
|
|
|
###############################################################################
|
|
# Top-level Rules
|
|
###############################################################################
|
|
|
|
objects = $(DL_FILE)
|
|
|
|
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
|
|
|
|
$(DL_FILE)_BLAKE2 = b09bbe94f49c33015fbcee5f578a20c0da33c289791bf33292170d5d3de44ea2e22144ee11067947aef2733e979c0fded875a4ec92d81468285837053447e68e
|
|
|
|
install : $(TARGET)
|
|
|
|
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
|
|
|
|
download :$(patsubst %,$(DIR_DL)/%,$(objects))
|
|
|
|
b2 : $(subst %,%_BLAKE2,$(objects))
|
|
|
|
###############################################################################
|
|
# Downloading, checking, b2sum
|
|
###############################################################################
|
|
|
|
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
|
|
@$(CHECK)
|
|
|
|
$(patsubst %,$(DIR_DL)/%,$(objects)) :
|
|
@$(LOAD)
|
|
|
|
$(subst %,%_BLAKE2,$(objects)) :
|
|
@$(B2SUM)
|
|
|
|
###############################################################################
|
|
# Installation Details
|
|
###############################################################################
|
|
|
|
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
|
|
@$(PREBUILD)
|
|
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
|
|
|
|
# Apply our CFLAGS
|
|
cd $(DIR_APP) && sed -i Configure \
|
|
-e "s/-O3 -fomit-frame-pointer/$(CFLAGS)/g"
|
|
|
|
cd $(DIR_APP) && find crypto/ -name Makefile -exec \
|
|
sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
|
|
|
|
cd $(DIR_APP) && ./Configure $(CONFIGURE_OPTIONS) \
|
|
$(CFLAGS) $(LDFLAGS)
|
|
|
|
cd $(DIR_APP) && make depend
|
|
cd $(DIR_APP) && make $(MAKETUNING)
|
|
|
|
# Install everything
|
|
cd $(DIR_APP) && make install
|
|
install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl
|
|
|
|
# Install RFC 7919 defined standard group ffdhe4096
|
|
install -m 0644 $(DIR_SRC)/config/ssl/ffdhe4096.pem /etc/ssl
|
|
|
|
@rm -rf $(DIR_APP)
|
|
@$(POSTBUILD)
|