Colin Percival reported a cache timing attack that could allow a malicious local user to gain portions of cryptographic keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-0109 to the issue. The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private-key operations. This patch is designed to mitigate cache timing and potentially related attacks.

A flaw was found in the way the der_chop script creates temporary files. It is possible that a malicious local user could cause der_chop to overwrite files (CAN-2004-0975).

2005-0109 affects all legacy distributions; the second issue I believe is in all of them, but may not affect fc2. See https://rhn.redhat.com/errata/RHSA-2005-476.html
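The fixed-window change described in the comment above, as an added illustration written for this page (Python; it is not code from the bug thread, from Red Hat's patch, or from OpenSSL). It contrasts a windowed modular exponentiation that skips the multiply for zero digits and indexes its precomputed table with secret exponent bits (so the set of table entries, and hence cache lines, touched depends on the key) with a fixed-window variant that does the same work for every digit and reads every table entry in a fixed order, selecting the wanted one with a mask. The modulus, base and exponents are constructed toy values, and Python offers no real constant-time guarantee; what the example demonstrates is the access trace an adversary sharing the cache could observe, which is the principle behind the mitigation, not OpenSSL's actual implementation.

```python
# Added illustration of variable-window vs fixed-window exponentiation.
# Not code from the bug thread or from OpenSSL; toy integers, constructed.
from typing import Callable, Iterable, List, Tuple

def precompute(base: int, mod: int, w: int) -> List[int]:
    """table[i] = base**i mod mod for every possible w-bit digit value i."""
    table = [1]
    for _ in range((1 << w) - 1):
        table.append(table[-1] * base % mod)
    return table

def _digits(exp: int, nbits: int, w: int) -> List[int]:
    """Split an nbits-bit exponent into w-bit digits, most significant first."""
    ndig = (nbits + w - 1) // w
    return [(exp >> (w * i)) & ((1 << w) - 1) for i in reversed(range(ndig))]

def modexp_variable(base: int, exp: int, mod: int, nbits: int, w: int = 4) -> Tuple[int, List[int]]:
    """Windowed exponentiation with the usual shortcut of skipping the multiply
    for a zero digit. Returns (result, trace); the trace of table indices read
    is a function of the secret exponent, so an observer who shares the cache
    learns which digits were zero and which table lines were hot."""
    table = precompute(base, mod, w)
    acc, trace = 1, []
    for d in _digits(exp, nbits, w):
        for _ in range(w):
            acc = acc * acc % mod
        if d:                       # secret-dependent branch ...
            trace.append(d)         # ... and secret-dependent table index
            acc = acc * table[d] % mod
    return acc, trace

def modexp_fixed_window(base: int, exp: int, mod: int, nbits: int, w: int = 4) -> Tuple[int, List[int]]:
    """Fixed-window exponentiation: every digit costs w squarings plus one
    multiply, and the wanted table entry is chosen by reading all entries in
    a fixed order and masking, so the trace is identical for every exponent
    of the same length."""
    table = precompute(base, mod, w)
    acc, trace = 1, []
    for d in _digits(exp, nbits, w):
        for _ in range(w):
            acc = acc * acc % mod
        sel = 0
        for i, entry in enumerate(table):
            trace.append(i)         # fixed order, independent of d
            mask = -int(i == d)     # -1 (all ones) when i == d, else 0
            sel |= entry & mask
        acc = acc * sel % mod       # always multiply, even when d == 0
    return acc, trace

def trace_leaks_exponent(fn: Callable, base: int, mod: int, nbits: int,
                         exps: Iterable[int], w: int = 4) -> bool:
    """True when exponents of the same length produce different access traces."""
    traces = {tuple(fn(base, e, mod, nbits, w)[1]) for e in exps}
    return len(traces) > 1

if __name__ == "__main__":
    M = (1 << 61) - 1                 # constructed toy modulus (a Mersenne prime)
    e1, e2 = 0xF0F0, 0x1111           # two constructed 16-bit "private exponents"
    for e in (e1, e2):
        assert modexp_variable(3, e, M, 16)[0] == pow(3, e, M)
        assert modexp_fixed_window(3, e, M, 16)[0] == pow(3, e, M)
    print("variable-window trace leaks exponent:", trace_leaks_exponent(modexp_variable, 3, M, 16, (e1, e2)))
    print("fixed-window trace leaks exponent:   ", trace_leaks_exponent(modexp_fixed_window, 3, M, 16, (e1, e2)))
```

With a 4-bit window, 0xF0F0 and 0x1111 give the variable-window routine two very different traces ([15, 15] versus [1, 1, 1, 1]) while the fixed-window routine reads all sixteen entries for each of the four digits regardless of the exponent. A real implementation also has to keep the multiply itself free of key-dependent early exits, which this toy does not attempt to model.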
Removing CAN-2004-0975, as this was already fixed in our update back in March 2005.
Pekka, thanks, I missed that update. I'm working on packages for CAN-2005-0109 now.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created updated packages for fc2. I'll try to get the rest done tomorrow. I included the patch for CAN-2004-0975 in the fc2 openssl-0.9.7a package since I didn't see a legacy release for FC2. Also, I added zlib-devel as a buildreq for the 0.9.6b package.

1691e826aaef08cc7de8941816251dfd434b034a  openssl096b-0.9.6b-20.1.legacy.src.rpm
5d3d66198319e105a8a1b58158599e0fb2e5a889  openssl-0.9.7a-35.1.legacy.src.rpm

http://www.cs.ucsb.edu/~jeff/legacy/openssl/fc2/openssl096b-0.9.6b-20.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/openssl/fc2/openssl-0.9.7a-35.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDEgXZKe7MLJjUbNMRApJ3AKCue6GBpB7zfvbiVB10PH7wxtgpxgCfacvT
zDvqHhYAENGGjic7bJlVysU=
=CayB
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The rest of the packages can be found here: http://www.cs.ucsb.edu/~jeff/legacy/openssl/

e4e22e5c40cdfef577120f280a433f52afb88bb0  rh73/openssl095a-0.9.5a-24.7.4.legacy.src.rpm
2b69cfe7bd67bb6d05e0131e4a0968bca5efabff  rh73/openssl096-0.9.6-25.8.legacy.src.rpm
c5a724dcb9498d2f8f714be2d49cc2228dd6cee2  rh73/openssl-0.9.6b-39.8.legacy.src.rpm
70e2c532c3fa1c7931320de9adb07ec9e2aca5d5  rh9/openssl096-0.9.6-25.10.legacy.src.rpm
fc4926cdb258e906e853cdb506464d857c647fc1  rh9/openssl096b-0.9.6b-15.1.legacy.src.rpm
5a58272c283908ec8bfa22585de4a50ac8ae1466  rh9/openssl-0.9.7a-20.5.legacy.src.rpm
09265056469ef25ef5e5474dd91e9b237fed06d2  fc1/openssl096-0.9.6-26.1.legacy.src.rpm
8d08166d9e724bf5521be1eb0bb172bfbc4fe74c  fc1/openssl096b-0.9.6b-18.1.legacy.src.rpm
c67d07931d188adebad6e5a4c788fee04370e2f0  fc1/openssl-0.9.7a-33.12.legacy.src.rpm

They're all patched for CAN-2005-0109, and a few of them also were missing the zlib-devel build requirement.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDE2pIKe7MLJjUbNMRAuP3AKCF7AjMx4jmNaL9Wmu2sMlYkAqs2gCfTiXV
pSnpZWii+rNu5pfv2KEAQBs=
=b8WU
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
- spec file changes minimal
- source integrity verified
- all the patches verified to be identical to RHEL.

+PUBLISH RHL73, RHL9, FC1, FC2

e4e22e5c40cdfef577120f280a433f52afb88bb0  openssl095a-0.9.5a-24.7.4.legacy.src.rpm
70e2c532c3fa1c7931320de9adb07ec9e2aca5d5  openssl096-0.9.6-25.10.legacy.src.rpm
2b69cfe7bd67bb6d05e0131e4a0968bca5efabff  openssl096-0.9.6-25.8.legacy.src.rpm
09265056469ef25ef5e5474dd91e9b237fed06d2  openssl096-0.9.6-26.1.legacy.src.rpm
fc4926cdb258e906e853cdb506464d857c647fc1  openssl096b-0.9.6b-15.1.legacy.src.rpm
8d08166d9e724bf5521be1eb0bb172bfbc4fe74c  openssl096b-0.9.6b-18.1.legacy.src.rpm
1691e826aaef08cc7de8941816251dfd434b034a  openssl096b-0.9.6b-20.1.legacy.src.rpm
c5a724dcb9498d2f8f714be2d49cc2228dd6cee2  openssl-0.9.6b-39.8.legacy.src.rpm
5a58272c283908ec8bfa22585de4a50ac8ae1466  openssl-0.9.7a-20.5.legacy.src.rpm
c67d07931d188adebad6e5a4c788fee04370e2f0  openssl-0.9.7a-33.12.legacy.src.rpm
5d3d66198319e105a8a1b58158599e0fb2e5a889  openssl-0.9.7a-35.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDE+4eGHbTkzxSL7QRAuPHAJ4n1GXeJDnDzgUuIXGuF7bybaJZCACgp1yx
NKFuXbz+tLgQFjqe1BHzikY=
=tZ9G
-----END PGP SIGNATURE-----
We need to start these ones over. The CAN-2005-0109 patch we used from RHEL is broken. Red Hat have released a fixed patch in advisory https://rhn.redhat.com/errata/RHSA-2005-800.html. We must also fix CAN-2005-2969.
Hi Marc, I'll put together updated packages to fix CAN-2005-2969, but I don't see any difference in the patch for CAN-2005-0109 from what was released previously. What has changed in that patch?
Of course I will realize the difference right after I post :) Looks like a dsa-consttime.patch has been added. I'll incorporate that into the new packages.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, let's give these a try: http://www.cs.ucsb.edu/~jeff/legacy/openssl/

rh73:
d1e76bfc67af1b0ae1b0149f08ff7d4265f3d62e  openssl095a-0.9.5a-24.7.5.legacy.src.rpm
65756a2c9a8de124d8d70045aa999b6fa770cdcb  openssl096-0.9.6-25.9.legacy.src.rpm
0b96c2812f483e0c600942a1e07253381b1e832d  openssl-0.9.6b-39.9.legacy.src.rpm

rh9:
4fe95f01576af9f3a89c233c01f876500e417e42  openssl096-0.9.6-25.11.legacy.src.rpm
f8c301ebc2bf4306f9c1e9bed75eafb60d4ae756  openssl096b-0.9.6b-15.2.legacy.src.rpm
6a6d3c0f0388875d39cbee2e000b117f3702ea6e  openssl-0.9.7a-20.6.legacy.src.rpm

fc1:
33b780ffe851ad8cbc17e72dccf82d568fc19dce  openssl096-0.9.6-26.2.legacy.src.rpm
f085cdf15a7b6aee72f225f4344767ee530d6286  openssl096b-0.9.6b-18.2.legacy.src.rpm
26d97acb02c8f38ceced2799d7ca9eb74c9fb661  openssl-0.9.7a-33.13.legacy.src.rpm

fc2:
ab8e656a7c59e4dddbe9aa2f2c013e71aa603260  openssl096b-0.9.6b-20.2.legacy.src.rpm
b8b7e3eb4cd7a52597fc71c581cdd2165bff1d19  openssl-0.9.7a-35.2.legacy.src.rpm

Added the extra patch for CAN-2005-0109 and patch for CAN-2005-2969.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDWnXAKe7MLJjUbNMRAg0eAJ0QSXFxxuLmS8ITxwbruYjKRbFT4gCgzAPj
eNVUWiKZZaLELOs6CZow6Fw=
=lo4X
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
- source integrity OK
- spec file changes minimal
- patches verified to come from various RHEL packages

+PUBLISH RHL73, RHL9, FC1, FC2

d1e76bfc67af1b0ae1b0149f08ff7d4265f3d62e  openssl095a-0.9.5a-24.7.5.legacy.src.rpm
4fe95f01576af9f3a89c233c01f876500e417e42  openssl096-0.9.6-25.11.legacy.src.rpm
65756a2c9a8de124d8d70045aa999b6fa770cdcb  openssl096-0.9.6-25.9.legacy.src.rpm
33b780ffe851ad8cbc17e72dccf82d568fc19dce  openssl096-0.9.6-26.2.legacy.src.rpm
f8c301ebc2bf4306f9c1e9bed75eafb60d4ae756  openssl096b-0.9.6b-15.2.legacy.src.rpm
f085cdf15a7b6aee72f225f4344767ee530d6286  openssl096b-0.9.6b-18.2.legacy.src.rpm
ab8e656a7c59e4dddbe9aa2f2c013e71aa603260  openssl096b-0.9.6b-20.2.legacy.src.rpm
0b96c2812f483e0c600942a1e07253381b1e832d  openssl-0.9.6b-39.9.legacy.src.rpm
6a6d3c0f0388875d39cbee2e000b117f3702ea6e  openssl-0.9.7a-20.6.legacy.src.rpm
26d97acb02c8f38ceced2799d7ca9eb74c9fb661  openssl-0.9.7a-33.13.legacy.src.rpm
b8b7e3eb4cd7a52597fc71c581cdd2165bff1d19  openssl-0.9.7a-35.2.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDXLAmGHbTkzxSL7QRAjaWAKCJ93UO5aDwKzOZyLOqMwm2af8NTwCcCHrK
xESMMrW8233la2oEtTiGsUw=
=BHcS
-----END PGP SIGNATURE-----
Whoops, wrong flags :)
RHEL and other distributions simply dropped a long obsolete 'der_chop' perl program, which is no longer available in openssl CVS either. Instead of that we are adding, at least to openssl-0.9.6b-39.9.legacy.src.rpm, a patch openssl-0.9.7c-tempfile.patch to cover CAN-2004-0975 (bug #136302). Maybe it is a good time to follow the example of others and also drop 'der_chop'? If some other problems show up in it they are not likely to be reported. OTOH, the chances that somebody is really using that script seem to be extremely remote.
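The temporary-file bug class behind CAN-2004-0975, as an added illustration written for this page (Python; not der_chop's code and not the tempfile patch discussed above, and the page does not show how der_chop actually named its files, so the pid-style name below is a constructed stand-in). A local attacker who can guess the name plants a symlink in the shared directory; a plain create-or-truncate open follows the link and clobbers the target. The safe variant uses an unpredictable name created with O_CREAT|O_EXCL (tempfile.mkstemp), and the last helper shows that O_EXCL|O_NOFOLLOW refuses a pre-planted entry even for an attacker-chosen name.

```python
# Added illustration of the predictable-temp-file / symlink-clobber bug class.
# Not code from der_chop or from the bug thread; paths are constructed and
# everything happens inside a throwaway directory.
import os
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)   # assumed present (Linux); 0 elsewhere

def unsafe_write(path: str, data: str) -> None:
    """Create-or-truncate 'path'. open() follows symlinks, so whoever
    pre-created 'path' as a link decides which file gets truncated."""
    with open(path, "w") as f:
        f.write(data)

def safe_write(dirpath: str, data: str) -> str:
    """Unpredictable name, created with O_CREAT|O_EXCL and mode 0600 by
    mkstemp; a pre-planted entry makes creation fail instead of being followed."""
    fd, path = tempfile.mkstemp(dir=dirpath, prefix="der_chop.")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def exclusive_create_refuses(path: str) -> bool:
    """True when O_CREAT|O_EXCL|O_NOFOLLOW refuses an existing entry at 'path'
    (symlink or regular file) rather than opening through it."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False

def demo() -> tuple:
    """Run the attack against both writers in a scratch directory. Returns
    (victim contents after the unsafe write, safe writer avoided the planted
    entry, exclusive create refused the planted entry)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w") as f:
            f.write("original")
        planted = os.path.join(d, "der_chop.4242")  # constructed guessable name
        os.symlink(victim, planted)                   # "attacker" plants the link
        unsafe_write(planted, "clobbered")            # follows the link
        with open(victim) as f:
            after_unsafe = f.read()
        safe_path = safe_write(d, "payload")
        safe_ok = safe_path != planted and not os.path.islink(safe_path)
        refused = exclusive_create_refuses(planted)
        return after_unsafe, safe_ok, refused

if __name__ == "__main__":
    print(demo())   # expected ('clobbered', True, True)
```

The unsafe writer leaves the victim file reading "clobbered"; the mkstemp path is a fresh file the attacker could not have pre-created, and the exclusive open fails with EEXIST on the planted link. Dropping the script altogether, as the comment above proposes, removes the problem entirely.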
I don't see any reason not to drop der_chop, but I wouldn't want to respin the packages now to do that.
Packages were moved to updates-testing.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

e97a1fb8963711a2c97e298173d30fe64abd7a3f  openssl-0.9.7a-20.6.legacy.i686.rpm
dca80e912b43137b71e966cdc956b50324fd59fc  openssl-devel-0.9.7a-20.6.legacy.i386.rpm

installed fine. openssl still works at CLI (openssl s_client -connect www.teaparty.net:443), apache stops and starts fine (is dependent on libssl).

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDZewnePtvKV31zw4RAq/hAKCiBwCV/U4pdOfKHJMjmQqte/UUsACeJUaL
eewN7ac/VpxuTeWYHf6TucU=
=06lo
-----END PGP SIGNATURE-----
Marc, when these get pushed to updates, I think we need something like the following in the announcement: "Please note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system."
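A check that backs up the restart advice in the comment above, as an added example written for this page (Python; not a Fedora Legacy tool and not part of the thread). On Linux, a process that still maps a shared object whose on-disk file has been replaced by a package upgrade shows that mapping in /proc/PID/maps with a "(deleted)" suffix, so scanning the maps files finds the services that are still running the old libssl/libcrypto code. The parser is exercised on a constructed maps excerpt; the live scan assumes a Linux /proc with that suffix and simply skips processes it is not allowed to read.

```python
# Added example: find processes still running a replaced libssl/libcrypto.
# Not code from the bug thread; SAMPLE_MAPS is a constructed excerpt.
import os
import re
from typing import Dict, List

DELETED = " (deleted)"

def stale_libs_in_maps(maps_text: str, pattern: str = r"lib(ssl|crypto)\.so") -> List[str]:
    """Return the distinct mapped paths matching 'pattern' that the kernel
    marks '(deleted)', i.e. the file was replaced or removed on disk while
    the old copy is still mapped into the process."""
    found: List[str] = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue                          # anonymous mapping, no path
        path = parts[5].strip()
        if path.endswith(DELETED) and re.search(pattern, path):
            path = path[: -len(DELETED)]
            if path not in found:
                found.append(path)
    return found

def scan_running_processes(proc: str = "/proc",
                           pattern: str = r"lib(ssl|crypto)\.so") -> Dict[int, List[str]]:
    """Map PID -> stale libraries for every readable process. Processes that
    vanish or that we may not inspect are skipped rather than reported."""
    result: Dict[int, List[str]] = {}
    if not os.path.isdir(proc):
        return result                         # not a Linux-style /proc
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "maps")) as f:
                libs = stale_libs_in_maps(f.read(), pattern)
        except (PermissionError, FileNotFoundError, ProcessLookupError, OSError):
            continue
        if libs:
            result[int(name)] = libs
    return result

# Constructed excerpt of a /proc/PID/maps file after an openssl upgrade:
# the text and data segments of the old libssl are still mapped but the
# file has been replaced; libcrypto here was not replaced; libz is stale
# but outside the default pattern.
SAMPLE_MAPS = """\
b7e12000-b7e4c000 r-xp 00000000 03:05 12345      /lib/libssl.so.0.9.7a (deleted)
b7e4c000-b7e50000 rw-p 00039000 03:05 12345      /lib/libssl.so.0.9.7a (deleted)
b7d00000-b7e00000 r-xp 00000000 03:05 12346      /lib/libcrypto.so.0.9.7a
b7c00000-b7c10000 r-xp 00000000 03:05 99         /lib/libz.so.1 (deleted)
bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    print("constructed sample:", stale_libs_in_maps(SAMPLE_MAPS))
    for pid, libs in sorted(scan_running_processes().items()):
        print(pid, libs)          # restart these services (or reboot)
```

Run it as root after the update; any PID it prints is a daemon that still has the vulnerable library mapped and needs a restart, which is exactly the situation the proposed announcement text warns about.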
Does this CVE-2004-0079 issue affect us as well on the (OpenSSL 0.9.6b) we're updating here? Red Hat today issued

* RHSA-2005:829-00 <http://rhn.redhat.com/errata/RHSA-2005-829.html>
* RHSA-2005:830-00 <http://rhn.redhat.com/errata/RHSA-2005-830.html>

to fix CVE-2004-0079 for OpenSSL 0.9.6b for RHEL 2.1 and RHEL 3 & 4:

"The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3), Transport Layer Security (TLS v1) protocols, and serves as a full-strength general purpose cryptography library. (OpenSSL 0.9.6b libraries are provided for Red Hat Enterprise Linux 3 and 4 to allow compatibility with legacy applications.)

"Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the server this could lead to a denial of service. (CVE-2004-0079)

"This issue was reported as not affecting OpenSSL versions prior to 0.9.6c, and testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b as shipped as a compatibility library with Red Hat Enterprise Linux 3 and 4 did not crash. However, an alternative reproducer has been written which shows that this issue does affect versions of OpenSSL prior to 0.9.6c."

Only in RHSA-2005:829:

"Users of OpenSSL are advised to upgrade to these updated packages, which contain a patch provided by the OpenSSL group that protects against this issue.

"NOTE: Because server applications are affected by this issue, users are advised to either restart all services that use OpenSSL functionality or restart their systems after installing these updates."

Only in RHSA-2005:830:

"Note that Red Hat does not ship any applications with Red Hat Enterprise Linux 3 or 4 that use these compatibility libraries."
Yep, it affects us. We need updated packages. :(
The openssl-0.9.7a packages don't need the fix for CVE-2004-0079. That issue has been fixed for these packages.**

Since we appear to have two different families of OpenSSL packages, the 1) openssl(xxx)-0.9.6...legacy.rpm's, which are vulnerable to this CVE, and 2) openssl-0.9.7a...legacy.rpm's, which aren't -- why don't we split off this newly-discovered CVE-2004-0079 issue into a new bug ticket that just fixes the older 0.9.6{,a,b} packages?

If we do that, all that will remain to do in this ticket will be VERIFY QA's for:

* RH 9: only openssl-0.9.7a-20.6.legacy binaries (which don't need this fix, and we already have one VERIFY QA for these);
* FC1: only openssl-0.9.7a-33.13.legacy binaries (which don't need this fix);
* FC2: only openssl-0.9.7a-35.2.legacy binaries (which don't need this fix).

and we will have to work with in the new ticket:

* For RH 7.3:
  - (potentially) openssl095a-0.9.5a-24.7.5.legacy.src.rpm
  - openssl096-0.9.6-25.10.legacy.src.rpm
  - openssl-0.9.6b-39.9.legacy.src.rpm
* For RH 9:
  - openssl096-0.9.6-25.11.legacy.src.rpm
  - openssl096b-0.9.6b-15.2.legacy.src.rpm
* For FC1:
  - openssl096-0.9.6-26.2.legacy.src.rpm
  - openssl096b-0.9.6b-18.2.legacy.src.rpm
* and for FC2:
  - openssl096b-0.9.6b-20.2.legacy.src.rpm

That way we can continue the VERIFY testing for RH9 (already verified), FC1 and FC2 for their newer openssl's (which are what those distros' other packages use by default anyway) and close this bug sooner.

I'll be happy to open a new bug report for just the 0.9.6's and CVE-2004-0079. Let me know?

-----
** For openssl-0.9.7a packages for CVE-2004-0079:
* RH7.3 doesn't have 0.9.7a packages;
* RH9 was fixed by RHSA-2004:121-01: <http://www.redhat.com/archives/redhat-watch-list/2004-March/msg00005.html>;
* FC1 had a fix issued in Update Notification FEDORA-2004-095: <http://www.redhat.com/archives/fedora-announce-list/2004-March/msg00020.html>;
* FC2 should have been issued with this patch in place.
Let's just keep it simple and keep it all here. If you can make new 0.9.6 packages, I'll check them out myself and push them to updates-testing ASAP.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VERIFY QA for openssl for FC1 in updates-testing:

620c574712782b4e349ed1392d1d674507a146cc  openssl-0.9.7a-33.13.legacy.i386.rpm
5ce78af8e1d18ec2deb174ac6fdce6e84c68e46a  openssl-devel-0.9.7a-33.13.legacy.i386.rpm

* Packages installed fine.
* Packages work well with all openssl-linked applications
* Like Tom Yates, can run openssl fine from the command-line.
* Am using openssl-devel in compiling ethereal. No problems encountered.

VERIFY++ FC1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDcXQyxou1V/j9XZwRAjFzAKCeneIQuovPm8wYAfe82CmAsAZZbACguvMU
OnQtZQi+d/ITLy/kqBO7Q5w=
=5GZD
-----END PGP SIGNATURE-----
Re: comment 20 After talking on IRC, I agree, it would be simpler to keep it all in this bug report. It was a bad idea to split it up. Am in the process of downloading the source rpm's for the vulnerable versions of openssl (0.9.5, 0.9.6, 0.9.6b) to apply appropriate patches & submit updated .src.rpm's.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are source packages for RH7.3 to review for the newly-discovered CVE-2004-0079 issue in openssl-0.9.6b and earlier versions of openssl. (Am continuing to work on producing such packages for our other 3 distros and will submit them in a separate comment.)

SHA1SUM                                   RPM
ccfd84dbf258db5a2999552d5bb9591150810caf  openssl095a-0.9.5a-24.7.6.legacy.src.rpm
a8d4c4da25012293e70079e464820f2c19b3a46b  openssl096-0.9.6-25.11.legacy.src.rpm
fe65e479e1a578f0f766de98259df40feb982f94  openssl-0.9.6b-39.10.legacy.src.rpm

RH7.3 Changelogs: (n.b.: I've munged email addresses here; they're fine in the rpms.)

openssl095a-0.9.5a-24.7.6.legacy
================================
* Mon Nov 14 2005 David Eisenstein <deisenst@...> 0.9.5a-24.7.6.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable build time (a la RHEL).
* Sat Oct 22 2005 Jeff Sheltren <sheltren@...> 0.9.5a-24.7.5.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren <sheltren@...> 0.9.5a-24.7.4.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

openssl096-0.9.6-25.11.legacy
=============================
* Mon Nov 14 2005 David Eisenstein <deisenst@...> 0.9.6-25.11.legacy
- - Add RPM_OPT_FLAGS to the compile of openssl-thread-test, as RHEL21 has.
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable build time (a la RHEL).
* Wed Oct 26 2005 Marc Deslauriers <marcdeslauriers@...> 0.9.6-25.10.legacy
- - Added missing zlib-devel BuildPrereq
* Sat Oct 22 2005 Jeff Sheltren <sheltren@...> 0.9.6-25.9.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren <sheltren@...> 0.9.6-25.8.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)

openssl-0.9.6b-39.10.legacy
===========================
* Tue Nov 15 2005 David Eisenstein <deisenst@...> 0.9.6b-39.10.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable build time (a la RHEL).
- - remove deprecated der_chop, as upstream cvs has done (CAN-2004-0975, #136302), per Michal Jaegermann in #166939 comment 12 and Nalin Dahyabhai in RHEL2.1's 0.9.6b-37. Replaces patch34 (openssl-0.9.7c-tempfile.patch) with a new patch34 (openssl-0.9.7a-no-der_chop.patch).
- - replaced add-luna patch with new one with right license, per Tomas Mraz in RHEL 2.1's 0.9.6b-39 (#158061).
* Sat Oct 22 2005 Jeff Sheltren <sheltren@...> 0.9.6b-39.9.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren <sheltren@...> 0.9.6b-39.8.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDerbzxou1V/j9XZwRAnJsAJwP/a2yz+rVz7q3sM45yNiHM+mMkgCeP98X
4Z+WoVwCQaEjqKUn7Z6R4UE=
=K3CP
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, I suppose it would help to indicate, for comment #23, where one can download those RH7.3 packages for testing.

http://fedoralegacy.org/contrib/openssl/openssl095a-0.9.5a-24.7.6.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl096-0.9.6-25.11.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl-0.9.6b-39.10.legacy.src.rpm

Been a long day. :^)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDerwUxou1V/j9XZwRAnt/AKDGAMF2HaVYmjnV+jvscAiv6nokZQCeIHUm
D6ejS+XVMHhjnFNRZqhxFCk=
=KkZd
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are source packages for RH9. Please review and comment.

SHA1SUM                                   RPM
b4d1011200561a6b1714a6a6435fad4956b64c7a  openssl096-0.9.6-25.12.legacy.src.rpm
67249e038c2853d011c1075983c335eec9df7bac  openssl096b-0.9.6b-15.3.legacy.src.rpm

http://fedoralegacy.org/contrib/openssl/openssl096-0.9.6-25.12.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl096b-0.9.6b-15.3.legacy.src.rpm

RH 9 Changelogs:

openssl096-0.9.6-25.12.legacy
=============================
* Tue Nov 15 2005 David Eisenstein <deisenst@...> 0.9.6-25.12.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable build time (a la RHEL).
* Sat Oct 22 2005 Jeff Sheltren <sheltren@...> 0.9.6-25.11.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren <sheltren@...> 0.9.6-25.10.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

openssl096b-0.9.6b-15.3.legacy
==============================
* Fri Nov 18 2005 David Eisenstein <deisenst> 0.9.6b-15.3.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939)
- - As per RHEL3, add security fix for CVE-2003-0851 (deep recursion patch) to sync with RHEL 2.1AS (or RH7.3, in our case).
- - Change spec define thread_test_threads from 100 to 10 for a reasonable build time (a la RHEL).
- - Replaced add-luna patch with new one with right license, per Tomas Mraz in RHEL 3's 0.9.6b-16.22.3 (#158061).
* Sat Oct 22 2005 Jeff Sheltren <sheltren.edu> 0.9.6b-15.2.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren <sheltren.edu> 0.9.6b-15.1.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDgEx1xou1V/j9XZwRArDHAKD+uOvBjJhmCYz7MaPKnYtKfXgIBACgjDmA
ldMdqJOczrf22QKdvliXpDM=
=SAb4
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are source packages for FC1. Please review and comment.

SHA1SUM                                   RPM
2d520186611573b11141733314a812fb709df1e9  openssl096-0.9.6-26.3.legacy.src.rpm
7a909692a98cffe23bb07042a589922af56ed157  openssl096-0.9.6-26.3.legacy.i386.rpm
5d0d6eb6153468239b95b7d5f370704927be2630  openssl096b-0.9.6b-18.3.legacy.src.rpm
f781bffc92535095778a4767d91f8fc2a217b118  openssl096b-0.9.6b-18.3.legacy.i386.rpm

http://fedoralegacy.org/contrib/openssl/openssl096-0.9.6-26.3.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl096-0.9.6-26.3.legacy.i386.rpm
http://fedoralegacy.org/contrib/openssl/openssl096b-0.9.6b-18.3.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl096b-0.9.6b-18.3.legacy.i386.rpm

FC1 Changelogs:

openssl096-0.9.6-26.3.legacy
============================
* Mon Nov 14 2005 David Eisenstein <deisenst> 0.9.6-26.3.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable build time (a la RHEL).
* Sat Oct 22 2005 Jeff Sheltren <sheltren.edu> 0.9.6-26.2.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren <sheltren.edu> 0.9.6-26.1.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

openssl096b-0.9.6b-18.3.legacy
==============================
* Sat Nov 19 2005 David Eisenstein <deisenst> 0.9.6b-18.3.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939)
- - As per RHEL3, add security fix for CVE-2003-0851 (deep recursion patch) to sync with RHEL 2.1AS (or RH7.3, in our case).
- - Change spec define thread_test_threads from 100 to 10 for a reasonable build time (a la RHEL).
- - Replaced add-luna patch with new one with right license, per Tomas Mraz in RHEL 3's 0.9.6b-16.22.3 (#158061).
* Sat Oct 22 2005 Jeff Sheltren <sheltren.edu> 0.9.6b-18.2.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren <sheltren.edu> 0.9.6b-18.1.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDgFP1xou1V/j9XZwRApMRAJ9vIcUsK/cETN0LXLyzRJCP0tzujQCeOMEy
aDSkDTm7ob1qDRKCNAwj3PM=
=nPgd
-----END PGP SIGNATURE-----
Only FC2 missing and we're done at last.. :)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And finally, here is the source package for FC2. Please review and comment.

SHA1SUM                                   RPM
2055d5a4a2743b2a031f704ca5b79819b5be89fc  openssl096b-0.9.6b-20.3.legacy.src.rpm

http://fedoralegacy.org/contrib/openssl/openssl096b-0.9.6b-20.3.legacy.src.rpm

FC2 Changelogs:

* Sat Nov 19 2005 David Eisenstein <deisenst> 0.9.6b-20.3.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939)
- - As per RHEL3, add security fix for CVE-2003-0851 (deep recursion patch) to sync with RHEL 2.1AS (or RH7.3, in our case).
- - Change spec define thread_test_threads from 100 to 10 for a reasonable build time (a la RHEL).
- - Replaced add-luna patch with new one with right license, per Tomas Mraz in RHEL 3's 0.9.6b-16.22.3 (#158061).
* Sat Oct 22 2005 Jeff Sheltren <sheltren.edu> 0.9.6b-20.2.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Sun Aug 28 2005 Jeff Sheltren <sheltren.edu> 0.9.6b-20.1.legacy
- - Patch for cache timing, CAN-2005-0109 (#166939)
- - Add missing buildreq: zlib-devel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDgP7Axou1V/j9XZwRAsMkAKCZ1bTNgM66JRoFGMcLJUBiX1O8kwCfUn3E
TC18PZw+2T65cHoO9wsP6Qc=
=Bsj5
-----END PGP SIGNATURE-----
Created attachment 121284: Original comment 25. Due to limitations in Bugzilla's web interface, comment 25 was corrupted in transmission and does not properly verify. Attached is the original comment 25 (submission of RH9 source packages for openssl096 and openssl096b).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- recursion and 0079 patches identical to RHEL, and exist in all versions; other patches just cleanups.

+PUBLISH RHL73, RHL9, FC1, FC2

fe65e479e1a578f0f766de98259df40feb982f94  openssl-0.9.6b-39.10.legacy.src.rpm
ccfd84dbf258db5a2999552d5bb9591150810caf  openssl095a-0.9.5a-24.7.6.legacy.src.rpm
a8d4c4da25012293e70079e464820f2c19b3a46b  openssl096-0.9.6-25.11.legacy.src.rpm
b4d1011200561a6b1714a6a6435fad4956b64c7a  openssl096-0.9.6-25.12.legacy.src.rpm
67249e038c2853d011c1075983c335eec9df7bac  openssl096b-0.9.6b-15.3.legacy.src.rpm
2d520186611573b11141733314a812fb709df1e9  openssl096-0.9.6-26.3.legacy.src.rpm
5d0d6eb6153468239b95b7d5f370704927be2630  openssl096b-0.9.6b-18.3.legacy.src.rpm
2055d5a4a2743b2a031f704ca5b79819b5be89fc  openssl096b-0.9.6b-20.3.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDgcmrGHbTkzxSL7QRAt5QAJ41AS7ILauwgRxrLSpYPrkB6JU/vACg1kMr
vMCYJVFUSCOA5eB+uyg/FCg=
=GfZ8
-----END PGP SIGNATURE-----
Updated packages were pushed to updates-testing.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73 and RHL9:
- signatures OK
- upgrades went fine
- restarted a couple of daemons using openssl (new and old libs), continued to work fine.

+VERIFY RHL73,RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDi0qvGHbTkzxSL7QRAgRwAJ9ReybKzHopJTXuE7kM2Wqgax7qKACeOOcr
YJeQ0RxyNmVs7bWhBROAWhI=
=yq7x
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFIED RH73

Works well in production systems using https and sshd.

1c00535c2fd6314aba666132c49b62850387fa2e  openssl-0.9.6b-39.10.legacy.i386.rpm

- -Jim P.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDk63oCgSTzgd8+fwRAmbYAJsH+LsbvpKbBeg+WhwvbFOmvHuBeACgsjLf
CwT6pYMtF4Ugk0f9kaKrsww=
=gb4x
-----END PGP SIGNATURE-----
Timeout over.
Packages were released.