279264 |
25-Feb-2015 |
delphij |
Fix integer overflow in IGMP protocol. [SA-15:04]
Fix vt(4) crash with improper ioctl parameters. [EN-15:01]
Updated base system OpenSSL to 1.0.1l. [EN-15:02]
Fix freebsd-update libraries update ordering issue. [EN-15:03]
Approved by: so |
277195 |
14-Jan-2015 |
delphij |
Fix multiple vulnerabilities in OpenSSL. [SA-15:01]
Approved by: so |
271304 |
09-Sep-2014 |
delphij |
Fix multiple OpenSSL vulnerabilities:
The receipt of a specifically crafted DTLS handshake message may cause OpenSSL to consume large amounts of memory. [CVE-2014-3506]
The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak memory. [CVE-2014-3507]
A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. [CVE-2014-3508]
OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. [CVE-2014-3510]
If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory. [CVE-2014-3509]
A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. [CVE-2014-3511]
A malicious client or server can send invalid SRP parameters and overrun an internal buffer. [CVE-2014-3512]
A malicious server can crash the client with a NULL pointer dereference by specifying a SRP ciphersuite even though it was not properly negotiated with the client. [CVE-2014-5139]
Security: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510, CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139 Security: FreeBSD-SA-14:18.openssl Approved by: so |
264267 |
08-Apr-2014 |
delphij |
Fix NFS deadlock vulnerability. [SA-14:05]
Fix "Heartbleed" vulnerability and ECDSA Cache Side-channel Attack in OpenSSL. [SA-14:06]
Approved by: so |
259065 |
07-Dec-2013 |
gjb |
- Copy stable/10 (r259064) to releng/10.0 as part of the 10.0-RELEASE cycle. - Update __FreeBSD_version [1] - Set branch name to -RC1
[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so start releng/10.0 at '100' so the branch is started with a value ending in zero.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
256281 |
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
246772 |
13-Feb-2013 |
jkim |
Merge OpenSSL 1.0.1e.
Approved by: secteam (simon), benl (silence)
|
245952 |
26-Jan-2013 |
pfg |
Clean some 'svn:executable' properties in the tree.
Submitted by: Christoph Mallon MFC after: 3 days
|
244975 |
02-Jan-2013 |
delphij |
Indicate that we are using OpenSSL with some local modifications.
X-MFC after: with r244974
|
244974 |
02-Jan-2013 |
delphij |
MFV r244973:
Integrate OpenSSL changeset 22950 (appro):
bn_word.c: fix overflow bug in BN_add_word.
MFC after: 2 weeks
|
243933 |
06-Dec-2012 |
eadler |
Clean up hardcoded ar(1) flags in the tree to use the global ARFLAGS in share/mk/sys.mk instead.
This is part of a medium term project to permit deterministic builds of FreeBSD.
Submitted by: Erik Cederstrand <erik@cederstrand.dk> Reviewed by: imp, toolchain@ Approved by: cperciva MFC after: 2 weeks
|
243715 |
30-Nov-2012 |
pjd |
Allow OpenSSL to use arc4random(3) on FreeBSD. arc4random(3) was modified some time ago to use sysctl instead of /dev/random to get random data, so is now much better choice, especially for sandboxed processes that have no direct access to /dev/random.
Approved by: benl MFC after: 2 weeks
|
240339 |
11-Sep-2012 |
avg |
openssl: change SHLIB_VERSION_NUMBER to reflect the reality
Note: I timed out waiting for an exp-run for this change but I survived having it locally for quite a long time.
MFC after: 1 month X-MFC note: SHLIB_MAJOR is 6 in stable/8 and stable/9
|
238405 |
12-Jul-2012 |
jkim |
Merge OpenSSL 1.0.1c.
Approved by: benl (maintainer)
|
237657 |
27-Jun-2012 |
jkim |
Merge OpenSSL 0.9.8x.
Reviewed by: stas Approved by: benl (maintainer) MFC after: 3 days
|
236304 |
30-May-2012 |
bz |
Update the previous openssl fix. [12:01]
Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02]
Security: FreeBSD-SA-12:01.openssl (revised) Security: FreeBSD-SA-12:02.crypt Approved by: so (bz, simon)
|
234954 |
03-May-2012 |
bz |
Fix multiple OpenSSL vulnerabilities.
Security: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109 Security: CVE-2012-0884, CVE-2012-2110 Security: FreeBSD-SA-12:01.openssl Approved by: so (bz,simon)
|
216166 |
03-Dec-2010 |
simon |
Merge OpenSSL 0.9.8q into head.
Security: CVE-2010-4180 Security: http://www.openssl.org/news/secadv_20101202.txt MFC after: 3 days
|
215697 |
22-Nov-2010 |
simon |
Merge OpenSSL 0.9.8p into head.
Security: CVE-2010-3864 Security: http://www.openssl.org/news/secadv_20101116.txt
|
212961 |
21-Sep-2010 |
rpaulo |
Bring in OpenSSL checkin 19821:
Make inline assembler clang-friendly [from HEAD].
openssl/crypto/md32_common.h 1.45.2.1 -> 1.45.2.2 openssl/crypto/rc5/rc5_locl.h 1.8 -> 1.8.8.1
Approved by: simon
|
206046 |
01-Apr-2010 |
simon |
Merge OpenSSL 0.9.8n into head.
This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m) but not -STABLE branches.
I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD. This will be investigated further.
Security: CVE-2010-0433, CVE-2010-0740 Security: http://www.openssl.org/news/secadv_20100324.txt
|
205601 |
24-Mar-2010 |
ed |
Prune empty directories.
|
205128 |
13-Mar-2010 |
simon |
Merge OpenSSL 0.9.8m into head.
This also "reverts" some FreeBSD local changes so we should now be back to using entirely stock OpenSSL. The local changes were simple $FreeBSD$ lines additions, which were required in the CVS days, and the patch for FreeBSD-SA-09:15.ssl which has been superseded with OpenSSL 0.9.8m's RFC5746 'TLS renegotiation extension' support.
MFC after: 3 weeks
|
196474 |
23-Aug-2009 |
simon |
Merge DTLS fixes from vendor-crypto/openssl/dist:
- Fix memory consumption bug with "future epoch" DTLS records. - Fix fragment handling memory leak. - Do not access freed data structure. - Fix DTLS fragment bug - out-of-sequence message handling which could result in NULL pointer dereference in dtls1_process_out_of_seq_message().
Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL.
MFC after: 1 week Security: CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387
|
194206 |
14-Jun-2009 |
simon |
Merge OpenSSL 0.9.8k into head.
Approved by: re
|
191381 |
22-Apr-2009 |
cperciva |
Don't leak information via uninitialized space in db(3) records. [09:07]
Sanity-check string lengths in order to stop OpenSSL crashing when printing corrupt BMPString or UniversalString objects. [09:08]
Security: FreeBSD-SA-09:07.libc Security: FreeBSD-SA-09:08.openssl Security: CVE-2009-0590 Approved by: re (kensmith) Approved by: so (cperciva)
|
175292 |
13-Jan-2008 |
simon |
Unbreak detection of cryptodev support for FreeBSD which was broken with OpenSSL 0.9.8 import.
Note that this does not enable cryptodev by default, as it was the case with OpenSSL 0.9.7 in FreeBSD base, but this change makes it possible to enable cryptodev at all.
This has been submitted upstream as: http://rt.openssl.org/Ticket/Display.html?id=1624
Submitted by: nork
|
169883 |
22-May-2007 |
simon |
Fix runtime crash in OpenSSL with "Illegal instruction" by making some casts a bit less evil.
This was e.g. seen when using portsnap as:
Fetching snapshot tag from portsnap3.FreeBSD.org... Illegal instruction
Note the patch is slightly different from kan's original patch to match style in the OpenSSL source files a bit better.
Submitted by: kan Tested by: many
|
167618 |
15-Mar-2007 |
simon |
This commit was generated by cvs2svn to compensate for changes in r167617, which included commits to RCS files with non-trunk default branches.
|
167615 |
15-Mar-2007 |
simon |
Resolve conflicts after import of OpenSSL 0.9.8e.
|
167613 |
15-Mar-2007 |
simon |
This commit was generated by cvs2svn to compensate for changes in r167612, which included commits to RCS files with non-trunk default branches.
|
162917 |
01-Oct-2006 |
simon |
This commit was generated by cvs2svn to compensate for changes in r162916, which included commits to RCS files with non-trunk default branches.
|
162914 |
01-Oct-2006 |
simon |
Resolve conflicts after import of OpenSSL 0.9.8d.
|
162912 |
01-Oct-2006 |
simon |
This commit was generated by cvs2svn to compensate for changes in r162911, which included commits to RCS files with non-trunk default branches.
|
162207 |
10-Sep-2006 |
simon |
Correct incorrect PKCS#1 v1.5 padding validation in crypto(3).
Obtained from: OpenSSL project Security: FreeBSD-SA-06:19.openssl
|
160837 |
30-Jul-2006 |
simon |
Resolve conflicts after import of OpenSSL 0.9.8b.
This was missed the first time around since eng_padlock.c was not part of OpenSSL 0.9.7e and therefor did not have the v0_9_7e CVS tag used during original resolve of conflicts.
Noticed by: Antoine Brodin <antoine.brodin@laposte.net>
|
160817 |
29-Jul-2006 |
simon |
Resolve conflicts after import of OpenSSL 0.9.8b.
|
160815 |
29-Jul-2006 |
simon |
This commit was generated by cvs2svn to compensate for changes in r160814, which included commits to RCS files with non-trunk default branches.
|
142432 |
25-Feb-2005 |
nectar |
File removed in update from OpenSSL 0.9.7d -> 0.9.7e.
|
142431 |
25-Feb-2005 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r142430, which included commits to RCS files with non-trunk default branches.
|
142428 |
25-Feb-2005 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.7e.
|
142426 |
25-Feb-2005 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r142425, which included commits to RCS files with non-trunk default branches.
|
133718 |
14-Aug-2004 |
markm |
Add support for C3 Nehemiah ACE ("Padlock") AES crypto. This comes from OpenSSL 0.9.5 (yet to be released), and is pretty complete.
|
133666 |
13-Aug-2004 |
markm |
This commit was generated by cvs2svn to compensate for changes in r133665, which included commits to RCS files with non-trunk default branches.
|
127905 |
05-Apr-2004 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r127904, which included commits to RCS files with non-trunk default branches.
|
127134 |
17-Mar-2004 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.7d.
|
127129 |
17-Mar-2004 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r127128, which included commits to RCS files with non-trunk default branches.
|
120636 |
01-Oct-2003 |
nectar |
Remove files no longer included with OpenSSL as of version 0.9.7c.
|
120635 |
01-Oct-2003 |
nectar |
Merge conflicts after import of OpenSSL 0.9.7c.
|
120632 |
01-Oct-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r120631, which included commits to RCS files with non-trunk default branches.
|
112446 |
20-Mar-2003 |
jedgar |
Merge conflicts
|
111150 |
19-Feb-2003 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.7a.
|
111148 |
19-Feb-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r111147, which included commits to RCS files with non-trunk default branches.
|
110049 |
29-Jan-2003 |
nectar |
Background: When libdes was replaced with OpenSSL's libcrypto, there were a few interfaces that the former implemented but the latter did not. Because some software in the base system still depended upon these interfaces, we simply included them in our libcrypto (rnd_keys.c).
Now, finally get around to removing the dependencies on these interfaces. There were basically two cases:
des_new_random_key -- This is just a wrapper for des_random_key, and these calls were replaced.
des_init_random_number_generator et. al. -- A few functions were used by the application to seed libdes's PRNG. These are not necessary when using libcrypto, as OpenSSL internally seeds the PRNG from /dev/random. These calls were simply removed.
Again, some of the Kerberos 4 files have been taken off the vendor branch. I do not expect there to be future imports of KTH Kerberos 4.
|
110019 |
29-Jan-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r110018, which included commits to RCS files with non-trunk default branches.
|
110007 |
28-Jan-2003 |
markm |
Merge conflicts. This is cunning doublespeak for "use vendor code".
|
110006 |
28-Jan-2003 |
markm |
Remove files no longer on OpenSSL 0.9.7. crypto/des/rnd_keys.c is retained as it is still used.
|
109999 |
28-Jan-2003 |
markm |
This commit was generated by cvs2svn to compensate for changes in r109998, which included commits to RCS files with non-trunk default branches.
|
101619 |
10-Aug-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r101618, which included commits to RCS files with non-trunk default branches.
|
101614 |
10-Aug-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r101613, which included commits to RCS files with non-trunk default branches.
|
101387 |
05-Aug-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r101386, which included commits to RCS files with non-trunk default branches.
|
100943 |
30-Jul-2002 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.6e.
|
100937 |
30-Jul-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r100936, which included commits to RCS files with non-trunk default branches.
|
100934 |
30-Jul-2002 |
nectar |
This man page has not been referenced by anything for a while, and is not part of the OpenSSL distribution. Remove it.
|
100932 |
30-Jul-2002 |
nectar |
Remove many obsolete files. The majority of these are simply no longer included as part of the OpenSSL distribution. However, a few we just don't need and are explicitly excluded in FREEBSD-Xlist.
|
100931 |
30-Jul-2002 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.6d.
|
100929 |
30-Jul-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r100928, which included commits to RCS files with non-trunk default branches.
|
89840 |
27-Jan-2002 |
kris |
Resolve conflicts.
|
89838 |
27-Jan-2002 |
kris |
This commit was generated by cvs2svn to compensate for changes in r89837, which included commits to RCS files with non-trunk default branches.
|
87174 |
01-Dec-2001 |
markm |
Protect names that are used elsewhere. This fixes WARNS=2 breakage in crypto telnet.
|
80001 |
19-Jul-2001 |
kris |
Resolve conflicts
|
79999 |
19-Jul-2001 |
kris |
This commit was generated by cvs2svn to compensate for changes in r79998, which included commits to RCS files with non-trunk default branches.
|
76870 |
20-May-2001 |
kris |
Resolve conflicts
|
76867 |
20-May-2001 |
kris |
This commit was generated by cvs2svn to compensate for changes in r76866, which included commits to RCS files with non-trunk default branches.
|
72616 |
18-Feb-2001 |
kris |
Resolve conflicts
|
72614 |
18-Feb-2001 |
kris |
This commit was generated by cvs2svn to compensate for changes in r72613, which included commits to RCS files with non-trunk default branches.
|
68654 |
13-Nov-2000 |
kris |
Resolve conflicts, and garbage collect some local changes that are no longer required
|
68652 |
13-Nov-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r68651, which included commits to RCS files with non-trunk default branches.
|
65653 |
10-Sep-2000 |
kris |
Nuke RSAREF support from orbit.
It's the only way to be sure.
|
62030 |
24-Jun-2000 |
markm |
MFI. This is a documentation-only, diffreducing patch, that if invoked will cause breakage. US Users - DO NOT try to turn on IDEA - the sources are not included.
|
61828 |
19-Jun-2000 |
markm |
Grrr. I hate CVS. These were supposed to be committed when I did the IDEA fix earlier today.
Bring back IDEA from the dead (but not compiled by default).
|
61821 |
19-Jun-2000 |
markm |
Re-add IDEA. This is not actually built unless asked for by the user. (To avoid patent hassles).
|
59402 |
19-Apr-2000 |
markm |
MFF: catch up with FreeFall
|
59354 |
18-Apr-2000 |
kris |
If stderr is closed, report the error message about missing libraries via syslog instead.
Reviewed by: jkh
|
59282 |
16-Apr-2000 |
markm |
This commit was generated by cvs2svn to compensate for changes in r59281, which included commits to RCS files with non-trunk default branches.
|
59194 |
13-Apr-2000 |
kris |
Resolve conflicts.
|
59192 |
13-Apr-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r59191, which included commits to RCS files with non-trunk default branches.
|
59027 |
05-Apr-2000 |
kris |
Correct a typo and interchanged library names
Submitted by: Ben Rosengart <ben@narcissus.net> Matthew D. Fuller <fullermd@futuresouth.com>
|
58549 |
25-Mar-2000 |
kris |
Don't refer to the openssl handbook chapter by name - the doc guys keep jamming new chapters in front of it :)
|
57971 |
13-Mar-2000 |
kris |
Add a new function stub to libcrypto() which resolves to a symbol in the librsa* library and reports which version of the library (OpenSSL/RSAREF) is being used.
This is then used in openssh to detect the failure case of RSAREF and a RSA key >1024 bits, to print a more helpful error message than 'rsa_public_encrypt() fai led.'
This is a 4.0-RELEASE candidate.
|
57683 |
02-Mar-2000 |
kris |
Update the wording on the error message when libcrypto.so can't find an RSA library.
Reviewed by: peter, jkh
|
57518 |
26-Feb-2000 |
peter |
Sync with internat.freebsd.org; weak symbols vs static libs == trouble
|
57514 |
26-Feb-2000 |
peter |
Merge from internat.freebsd.org; move VERBOSE_STUBS to a better spot.
|
57513 |
26-Feb-2000 |
peter |
Merge from internat.freebsd.org repo, minus change to rsa_eay.c (missing)
Reorganize and unify libcrypto's interface so that the RSA implementation is chosen at runtime via dlopen().
This is a checkpoint and may require more tweaks still.
|
57511 |
26-Feb-2000 |
peter |
Merge from internat.freebsd.org repo, minus change to rsa_eay.c (missing)
Reorganize and unify libcrypto's interface so that the RSA implementation is chosen at runtime via dlopen().
This is a checkpoint and may require more tweaks still.
|
57510 |
26-Feb-2000 |
peter |
At great personal risk (to my already fragile sanity), reorganize the rsa stubs for libcrypto. libcrypto.so now uses dlopen() to implement the backends for either the native or rsaref implemented RSA code. This involves: - unifying the libcrypto and openssl(1) source so there is no #ifdef RSAref variations. - using weak symbols and dlopen()/dlsym() routines to access the rsa method vectors.
Releases will enable the user to choose International, US (rsaref) or no RSA code at install time. 'make world' will DTRT depending on whether you have the international or US source. For US users, you must either install rsaref (the port or package) or (if you don't fear RSA Inc) use the (superior) International rsa_eay.c code.
This has been discussed at great length by the affected folks and even we have a great deal of confusion. This is a checkpoint so we can tune the results. This works for me in all permutations I can think of and should result in a CD/ftp 'release' just about doing the right thing now.
|
57427 |
24-Feb-2000 |
markm |
Oops; forgot to add this.
|
57426 |
24-Feb-2000 |
markm |
Get this to the same level of functionality as old libdes.
|
56084 |
16-Jan-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r56083, which included commits to RCS files with non-trunk default branches.
|
55719 |
10-Jan-2000 |
kris |
Zap NO_IDEA
|
55715 |
10-Jan-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r55714, which included commits to RCS files with non-trunk default branches.
|
55709 |
10-Jan-2000 |
kris |
Zap the IDEA stuff - it's patented internationally (at least in some places), and we don't want people to get in trouble just for having it.
|
55100 |
25-Dec-1999 |
kris |
This commit was generated by cvs2svn to compensate for changes in r55099, which included commits to RCS files with non-trunk default branches.
|