openssl updates
Michal Jaegermann
michal at harddata.com
Sat Sep 30 19:13:41 UTC 2006
On Sat, Sep 30, 2006 at 10:47:34AM -0700, Florin Andrei wrote:
> On Fri, 2006-09-29 at 15:08 -0400, Matthew Miller wrote:
> > Anything?
>
> From Thomas Mraz (quoted without asking for permission but hopefully
> that's ok):
>
> > I'd like to generate updated OpenSSL RPM packages for Fedora 4 and
> > hopefully post it to Fedora Legacy
At least for openssl-0.9.7f this is already done and I posted
where to find it (ftp://ftp.harddata.com/pub/Legacy_srpms/).
> The correct way to patch
> the recent openssl CVEs is to add the patches from RHEL4 srpm
That source rpm available above was done by adding to
openssl-0.9.7f-7.10.src.rpm later patches from RHEL4.
FC4 also supplied openssl097a-0.9.7a-3.1.src.rpm, for
back compatibility, but none of the installations I have handy
was using that so I did not bother. Likely the same work
is needed for openssl097a too. It should be "automatic"
or nearly so.
> (however the current CVE-2006-2940 patch is broken because the
> 'goto err;' in dh_key patch must be replaced with 'return -1;').
You mean on line 185 in a patched crypto/dh/dh_key.c? Looking at
this code you are definitely right. The other way to fix it would
be to explicitly initialize ctx to NULL due to a way in which
BN_CTX_end() and BN_CTX_free() operate. But in such a case probably
all released updates for RHEL and FC5 and rawhide are affected too
even if compiled binaries do pass through a series of checks. Is
there any bugzilla report for that?
In any case fixing that seems quite trivial.
Michal
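The cleanup-path hazard Florin and Michal describe, as an added example that is not OpenSSL's code or anything posted in this thread: a small C model of both fixes (returning before the context exists, and initializing the context to NULL so the shared err: path is safe). CTX, ctx_new(), ctx_end(), ctx_free(), compute_key_early_return(), compute_key_null_init() and MAX_MODULUS_BITS are hypothetical stand-ins for BN_CTX, the BN_CTX_* calls and the dh_key.c code; the model assumes the cleanup calls tolerate a NULL pointer, which is the assumption behind the NULL-initialization fix.

```c
/* Added example, not OpenSSL's code: a model of the err-path hazard in the
 * CVE-2006-2940 backport discussed above. CTX, ctx_new()/ctx_end()/ctx_free()
 * and MAX_MODULUS_BITS are hypothetical stand-ins for BN_CTX/BN_CTX_* and dh_key.c. */
#include <stdlib.h>

#define MAX_MODULUS_BITS 10000   /* stand-in for the modulus limit the patch adds */
typedef struct { int ended; } CTX;
static int live_ctx = 0;         /* news minus frees: catches leaks and double frees */
static CTX *ctx_new(void) { CTX *c = calloc(1, sizeof *c); if (c) live_ctx++; return c; }
/* Modelled as NULL-tolerant (the assumption behind fix 2); calling them on an
 * uninitialized pointer, as the broken 'goto err;' did, is undefined behaviour. */
static void ctx_end(CTX *c) { if (c) c->ended = 1; }
static void ctx_free(CTX *c) { if (c) { live_ctx--; free(c); } }

/* Fix 1 (the one recommended in the thread): reject before ctx exists, so the
 * err: label is never reached with ctx uninitialized. */
int compute_key_early_return(int modulus_bits)
{
    CTX *ctx;
    int ret = -1;
    if (modulus_bits > MAX_MODULUS_BITS)
        return -1;               /* was 'goto err;' in the broken backport */
    ctx = ctx_new();
    if (ctx == NULL)
        goto err;
    ret = 0;                     /* the real code computes the shared secret here */
err:
    ctx_end(ctx);
    ctx_free(ctx);
    return ret;
}

/* Fix 2 (Michal's alternative): initialize ctx to NULL so the single cleanup
 * path is safe wherever the error happens. */
int compute_key_null_init(int modulus_bits)
{
    CTX *ctx = NULL;
    int ret = -1;
    if (modulus_bits > MAX_MODULUS_BITS)
        goto err;                /* safe now: ctx is NULL, not stack garbage */
    ctx = ctx_new();
    if (ctx == NULL)
        goto err;
    ret = 0;
err:
    ctx_end(ctx);
    ctx_free(ctx);
    return ret;
}

int live_ctx_count(void) { return live_ctx; }   /* 0 after any sequence of calls */
```

Either variant keeps the oversized-modulus rejection (return -1) while guaranteeing the cleanup code only ever sees a pointer it can legally touch.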