[Buildroot] [git commit branch/2021.11.x] package/libopenssl: security bump version to 1.1.1n

Peter Korsgaard peter at korsgaard.com
Sun Mar 20 21:37:09 UTC 2022 

commit: https://git.buildroot.net/buildroot/commit/?id=bf9a6bc55c04533849dc33ac625ada5965781e5a
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2021.11.x

Changes between 1.1.1m and 1.1.1n [15 Mar 2022]

  *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
     for non-prime moduli.

     Internally this function is used when parsing certificates that contain
     elliptic curve public keys in compressed form or explicit elliptic curve
     parameters with a base point encoded in compressed form.

     It is possible to trigger the infinite loop by crafting a certificate that
     has invalid explicit curve parameters.

     Since certificate parsing happens prior to verification of the certificate
     signature, any process that parses an externally supplied certificate may
     thus be subject to a denial of service attack. The infinite loop can also
     be reached when parsing crafted private keys as they can contain explicit
     elliptic curve parameters.

     Thus vulnerable situations include:

      - TLS clients consuming server certificates
      - TLS servers consuming client certificates
      - Hosting providers taking certificates or private keys from customers
      - Certificate authorities parsing certification requests from subscribers
      - Anything else which parses ASN.1 elliptic curve parameters

     Also any other applications that use the BN_mod_sqrt() where the attacker
     can control the parameter values are vulnerable to this DoS issue.
     (CVE-2022-0778)
     [Tomáš Mráz]

  *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
     to the list of ciphersuites providing Perfect Forward Secrecy as
     required by SECLEVEL >= 3.

     [Dmitry Belyavskiy, Nicola Tuveri]

Signed-off-by: Peter Seiderer <ps.report at gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
(cherry picked from commit 66868e9fab2806686fd08850a3e56185ef00b127)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/libopenssl/libopenssl.hash | 4 ++--
 package/libopenssl/libopenssl.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index a055cbc270..22bb365bcc 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@
-# From https://www.openssl.org/source/openssl-1.1.1m.tar.gz.sha256
-sha256  f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96  openssl-1.1.1m.tar.gz
+# From https://www.openssl.org/source/openssl-1.1.1n.tar.gz.sha256
+sha256  40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a  openssl-1.1.1n.tar.gz
 
 # License files
 sha256  c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c  LICENSE
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index bd8ef6141a..ae6658ed40 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBOPENSSL_VERSION = 1.1.1m
+LIBOPENSSL_VERSION = 1.1.1n
 LIBOPENSSL_SITE = https://www.openssl.org/source
 LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
 LIBOPENSSL_LICENSE = OpenSSL or SSLeay

More information about the buildroot mailing list