From 12433a216c0d56f492086df5d54763dfa5782689 Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Sun, 14 Aug 2016 15:31:54 -0400 Subject: gnu: libtasn1: Update to 4.9. * gnu/packages/tls.scm (libtasn1): Update to 4.9. --- gnu/packages/tls.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 4b87150615..a10299672a 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -4,7 +4,7 @@ ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net> ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2015 David Thompson <davet@gnu.org> -;;; Copyright © 2015 Leo Famulari <leo@famulari.name> +;;; Copyright © 2015, 2016 Leo Famulari <leo@famulari.name> ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is> ;;; @@ -48,7 +48,7 @@ (define-public libtasn1 (package (name "libtasn1") - (version "4.8") + (version "4.9") (source (origin (method url-fetch) @@ -56,7 +56,7 @@ version ".tar.gz")) (sha256 (base32 - "04y5m29pqmvkfdbppmsdifyx89v8xclxzklpfc7a1fkr9p4jz07s")))) + "0869cp6jx7cajgv6cnddsh3vc7bimmdkdjn80y1jpb4iss7plvsg")))) (build-system gnu-build-system) (native-inputs `(("perl" ,perl))) (home-page "http://www.gnu.org/software/libtasn1/") -- cgit 1.4.1 From 2b11b9ab428cd8c1a20c53841761a33d74226014 Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Sun, 14 Aug 2016 15:35:52 -0400 Subject: gnu: p11-kit: Update to 0.23.2. * gnu/packages/tls.scm (p11-kit): Update to 0.23.2. --- gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index a10299672a..b6d8e4e823 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -71,7 +71,7 @@ specifications.") (define-public p11-kit (package (name "p11-kit") - (version "0.23.1") + (version "0.23.2") (source (origin (method url-fetch) @@ -79,7 +79,7 @@ specifications.") version ".tar.gz")) (sha256 (base32 - "1i3a1wdpagm0p3y1bwaz5x5rjhcpqbcrnhkcp10p259vkxk72wz5")) + "1w7szm190phlkg7qx05ychlj2dbvkgkhx9gw6dx4d5rw62l6wwms")) (modules '((guix build utils))) ; for substitute* (snippet '(begin -- cgit 1.4.1 From 9715953080d3d9144cb7e27c6bcde3077b6f4645 Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Sun, 14 Aug 2016 15:39:10 -0400 Subject: gnu: gnutls: Update to 3.5.3. * gnu/packages/tls.scm (gnutls): Update to 3.5.3. --- gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index b6d8e4e823..5409214f2c 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -109,7 +109,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls") - (version "3.5.2") + (version "3.5.3") (source (origin (method url-fetch) (uri @@ -120,7 +120,7 @@ living in the same process.") "/gnutls-" version ".tar.xz")) (sha256 (base32 - "10l5pv7qc5c850aamih3pdkbqpc4v2a6g164dzd7c7fjpxffji9b")))) + "1vqzvcdqhx5fbrds6myrk259vw9khgmaxvzbk59bk88hkacvri4j")))) (build-system gnu-build-system) (arguments '(#:configure-flags -- cgit 1.4.1 From 5c838ec9cd121e7e80587648e3d76347932436c0 Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Tue, 6 Sep 2016 13:37:23 -0400 Subject: gnu: openssl: Delete leftover man3 directory. * gnu/packages/tls.scm (openssl)[arguments]: Delete empty directory in 'move-man3-pages' phase. --- gnu/packages/tls.scm | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 5409214f2c..dcc4c4854a 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -286,6 +286,7 @@ required structures.") (string-append target "/" (basename file)))) (find-files man3)) + (delete-file-recursively man3) #t))) (add-before 'patch-source-shebangs 'patch-tests -- cgit 1.4.1 From ce0b822e05d1a4fadf1f00411deab2a5d7842df8 Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Sat, 10 Sep 2016 15:53:49 -0400 Subject: gnu: gnutls: Update to 3.5.4. * gnu/packages/tls.scm (gnutls): Update to 3.5.4. --- gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index dcc4c4854a..5578e489b3 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -109,7 +109,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls") - (version "3.5.3") + (version "3.5.4") (source (origin (method url-fetch) (uri @@ -120,7 +120,7 @@ living in the same process.") "/gnutls-" version ".tar.xz")) (sha256 (base32 - "1vqzvcdqhx5fbrds6myrk259vw9khgmaxvzbk59bk88hkacvri4j")))) + "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f")))) (build-system gnu-build-system) (arguments '(#:configure-flags -- cgit 1.4.1 From 1d8de185b80958cbb0c10621e1dd790aa327064b Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Mon, 3 Oct 2016 17:00:06 -0400 Subject: gnu: openssl: Update to 1.0.2j. * gnu/packages/tls.scm (openssl): Update to 1.0.2j. [replacement]: Remove field [source]: Remove 'openssl-CVE-2016-2177.patch' and 'openssl-CVE-2016-2178.patch'. (openssl-1.0.2j): Remove variable. (openssl-next)[replacement]: Remove field. * gnu/packages/patches/openssl-CVE-2016-2177.patch, gnu/packages/patches/openssl-CVE-2016-2178.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 2 - gnu/packages/patches/openssl-CVE-2016-2177.patch | 286 ----------------------- gnu/packages/patches/openssl-CVE-2016-2178.patch | 112 --------- gnu/packages/tls.scm | 28 +-- 4 files changed, 3 insertions(+), 425 deletions(-) delete mode 100644 gnu/packages/patches/openssl-CVE-2016-2177.patch delete mode 100644 gnu/packages/patches/openssl-CVE-2016-2178.patch (limited to 'gnu/packages/tls.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 4a1a0ec382..6b509637e6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -725,8 +725,6 @@ dist_patch_DATA = \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ - %D%/packages/patches/openssl-CVE-2016-2177.patch \ - %D%/packages/patches/openssl-CVE-2016-2178.patch \ %D%/packages/patches/orpheus-cast-errors-and-includes.patch \ %D%/packages/patches/ots-no-include-missing-file.patch \ %D%/packages/patches/p7zip-remove-unused-code.patch \ diff --git a/gnu/packages/patches/openssl-CVE-2016-2177.patch b/gnu/packages/patches/openssl-CVE-2016-2177.patch deleted file mode 100644 index f6465aeaa7..0000000000 --- a/gnu/packages/patches/openssl-CVE-2016-2177.patch +++ /dev/null @@ -1,286 +0,0 @@ -Fix CVE-2016-2177. - -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177> - -Source: -<https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7> - -From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Thu, 5 May 2016 11:10:26 +0100 -Subject: [PATCH] Avoid some undefined pointer arithmetic - -A common idiom in the codebase is: - -if (p + len > limit) -{ - return; /* Too long */ -} - -Where "p" points to some malloc'd data of SIZE bytes and -limit == p + SIZE - -"len" here could be from some externally supplied data (e.g. from a TLS -message). - -The rules of C pointer arithmetic are such that "p + len" is only well -defined where len <= SIZE. Therefore the above idiom is actually -undefined behaviour. - -For example this could cause problems if some malloc implementation -provides an address for "p" such that "p + len" actually overflows for -values of len that are too big and therefore p + len < limit! - -Issue reported by Guido Vranken. - -CVE-2016-2177 - -Reviewed-by: Rich Salz <rsalz@openssl.org> ---- - ssl/s3_srvr.c | 14 +++++++------- - ssl/ssl_sess.c | 2 +- - ssl/t1_lib.c | 56 ++++++++++++++++++++++++++++++-------------------------- - 3 files changed, 38 insertions(+), 34 deletions(-) - -diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c -index ab28702..ab7f690 100644 ---- a/ssl/s3_srvr.c -+++ b/ssl/s3_srvr.c -@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s) - - session_length = *(p + SSL3_RANDOM_SIZE); - -- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { -+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s) - /* get the session-id */ - j = *(p++); - -- if (p + j > d + n) { -+ if ((d + n) - p < j) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s) - - if (SSL_IS_DTLS(s)) { - /* cookie stuff */ -- if (p + 1 > d + n) { -+ if ((d + n) - p < 1) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - cookie_len = *(p++); - -- if (p + cookie_len > d + n) { -+ if ((d + n ) - p < cookie_len) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s) - } - } - -- if (p + 2 > d + n) { -+ if ((d + n ) - p < 2) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s) - } - - /* i bytes of cipher data + 1 byte for compression length later */ -- if ((p + i + 1) > (d + n)) { -+ if ((d + n) - p < i + 1) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s) - - /* compression */ - i = *(p++); -- if ((p + i) > (d + n)) { -+ if ((d + n) - p < i) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index b182998..54ee783 100644 ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, - int r; - #endif - -- if (session_id + len > limit) { -+ if (limit - session_id < len) { - fatal = 1; - goto err; - } -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fb64607..cdac011 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - 0x02, 0x03, /* SHA-1/ECDSA */ - }; - -- if (data >= (limit - 2)) -+ if (limit - data <= 2) - return; - data += 2; - -- if (data > (limit - 4)) -+ if (limit - data < 4) - return; - n2s(data, type); - n2s(data, size); -@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - if (type != TLSEXT_TYPE_server_name) - return; - -- if (data + size > limit) -+ if (limit - data < size) - return; - data += size; - -@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - const size_t len1 = sizeof(kSafariExtensionsBlock); - const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); - -- if (data + len1 + len2 != limit) -+ if (limit - data != (int)(len1 + len2)) - return; - if (memcmp(data, kSafariExtensionsBlock, len1) != 0) - return; -@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - } else { - const size_t len = sizeof(kSafariExtensionsBlock); - -- if (data + len != limit) -+ if (limit - data != (int)(len)) - return; - if (memcmp(data, kSafariExtensionsBlock, len) != 0) - return; -@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, - if (data == limit) - goto ri_check; - -- if (data > (limit - 2)) -+ if (limit - data < 2) - goto err; - - n2s(data, len); - -- if (data + len != limit) -+ if (limit - data != len) - goto err; - -- while (data <= (limit - 4)) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (limit)) -+ if (limit - data < size) - goto err; - # if 0 - fprintf(stderr, "Received extension type %d size %d\n", type, size); -@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s, - if (s->hit || s->cert->srv_ext.meths_count == 0) - return 1; - -- if (data >= limit - 2) -+ if (limit - data <= 2) - return 1; - n2s(data, len); - -- if (data > limit - len) -+ if (limit - data < len) - return 1; - -- while (data <= limit - 4) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > limit) -+ if (limit - data < size) - return 1; - if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) - return 0; -@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); - # endif - -- if (data >= (d + n - 2)) -+ if ((d + n) - data <= 2) - goto ri_check; - - n2s(data, length); -- if (data + length != d + n) { -+ if ((d + n) - data != length) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - -- while (data <= (d + n - 4)) { -+ while ((d + n) - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (d + n)) -+ if ((d + n) - data < size) - goto ri_check; - - if (s->tlsext_debug_cb) -@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, - /* Skip past DTLS cookie */ - if (SSL_IS_DTLS(s)) { - i = *(p++); -- p += i; -- if (p >= limit) -+ -+ if (limit - p <= i) - return -1; -+ -+ p += i; - } - /* Skip past cipher list */ - n2s(p, i); -- p += i; -- if (p >= limit) -+ if (limit - p <= i) - return -1; -+ p += i; -+ - /* Skip past compression algorithm list */ - i = *(p++); -- p += i; -- if (p > limit) -+ if (limit - p < i) - return -1; -+ p += i; -+ - /* Now at start of extensions */ -- if ((p + 2) >= limit) -+ if (limit - p <= 2) - return 0; - n2s(p, i); -- while ((p + 4) <= limit) { -+ while (limit - p >= 4) { - unsigned short type, size; - n2s(p, type); - n2s(p, size); -- if (p + size > limit) -+ if (limit - p < size) - return 0; - if (type == TLSEXT_TYPE_session_ticket) { - int r; --- -2.8.4 - diff --git a/gnu/packages/patches/openssl-CVE-2016-2178.patch b/gnu/packages/patches/openssl-CVE-2016-2178.patch deleted file mode 100644 index 37cf2763af..0000000000 --- a/gnu/packages/patches/openssl-CVE-2016-2178.patch +++ /dev/null @@ -1,112 +0,0 @@ -Fix CVE-2016-2178. - -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178> - -Source: -<https://git.openssl.org/?p=openssl.git;a=commit;h=621eaf49a289bfac26d4cbcdb7396e796784c534> -<https://git.openssl.org/?p=openssl.git;a=commit;h=b7d0f2834e139a20560d64c73e2565e93715ce2b> - -From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001 -From: Cesar Pereida <cesar.pereida@aalto.fi> -Date: Mon, 23 May 2016 12:45:25 +0300 -Subject: [PATCH 1/2] Fix DSA, preserve BN_FLG_CONSTTIME - -Operations in the DSA signing algorithm should run in constant time in -order to avoid side channel attacks. A flaw in the OpenSSL DSA -implementation means that a non-constant time codepath is followed for -certain operations. This has been demonstrated through a cache-timing -attack to be sufficient for an attacker to recover the private DSA key. - -CVE-2016-2178 - -Reviewed-by: Richard Levitte <levitte@openssl.org> -Reviewed-by: Matt Caswell <matt@openssl.org> ---- - crypto/dsa/dsa_ossl.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c -index efc4f1b..b29eb4b 100644 ---- a/crypto/dsa/dsa_ossl.c -+++ b/crypto/dsa/dsa_ossl.c -@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - if (!BN_rand_range(&k, dsa->q)) - goto err; - while (BN_is_zero(&k)) ; -- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -- BN_set_flags(&k, BN_FLG_CONSTTIME); -- } - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, -@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - } - - K = &kq; -+ -+ BN_set_flags(K, BN_FLG_CONSTTIME); - } else { - K = &k; - } -+ - DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, - dsa->method_mont_p); - if (!BN_mod(r, r, dsa->q, ctx)) --- -2.8.4 - -From b7d0f2834e139a20560d64c73e2565e93715ce2b Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Tue, 7 Jun 2016 09:12:51 +0100 -Subject: [PATCH 2/2] More fix DSA, preserve BN_FLG_CONSTTIME - -The previous "fix" still left "k" exposed to constant time problems in -the later BN_mod_inverse() call. Ensure both k and kq have the -BN_FLG_CONSTTIME flag set at the earliest opportunity after creation. - -CVE-2016-2178 - -Reviewed-by: Rich Salz <rsalz@openssl.org> ---- - crypto/dsa/dsa_ossl.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c -index b29eb4b..58013a4 100644 ---- a/crypto/dsa/dsa_ossl.c -+++ b/crypto/dsa/dsa_ossl.c -@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - do - if (!BN_rand_range(&k, dsa->q)) - goto err; -- while (BN_is_zero(&k)) ; -+ while (BN_is_zero(&k)); -+ -+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -+ BN_set_flags(&k, BN_FLG_CONSTTIME); -+ } -+ - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, -@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - if (!BN_copy(&kq, &k)) - goto err; - -+ BN_set_flags(&kq, BN_FLG_CONSTTIME); -+ - /* - * We do not want timing information to leak the length of k, so we - * compute g^k using an equivalent exponent of fixed length. (This -@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - } - - K = &kq; -- -- BN_set_flags(K, BN_FLG_CONSTTIME); - } else { - K = &k; - } --- -2.8.4 - diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 8e9c9287fa..2e3a11b51b 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -214,8 +214,7 @@ required structures.") (define-public openssl (package (name "openssl") - (replacement openssl-1.0.2j) - (version "1.0.2h") + (version "1.0.2j") (source (origin (method url-fetch) (uri (list (string-append "ftp://ftp.openssl.org/source/" @@ -225,11 +224,9 @@ required structures.") "/" name "-" version ".tar.gz"))) (sha256 (base32 - "06996ds1rk8xhnyb5y273a7xkcxhggp4bq1g02rab55d7bjhfh0x")) + "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7")) (patches (search-patches "openssl-runpath.patch" - "openssl-c-rehash-in.patch" - "openssl-CVE-2016-2177.patch" - "openssl-CVE-2016-2178.patch")))) + "openssl-c-rehash-in.patch")))) (build-system gnu-build-system) (outputs '("out" "doc" ;1.5MiB of man3 pages @@ -354,29 +351,10 @@ required structures.") (license license:openssl) (home-page "http://www.openssl.org/"))) -(define openssl-1.0.2j - (package - (inherit openssl) - (name "openssl") - (version "1.0.2j") - (source (origin - (method url-fetch) - (uri (list (string-append "ftp://ftp.openssl.org/source/" - name "-" version ".tar.gz") - (string-append "ftp://ftp.openssl.org/source/old/" - (string-trim-right version char-set:letter) - "/" name "-" version ".tar.gz"))) - (sha256 - (base32 - "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7")) - (patches (search-patches "openssl-runpath.patch" - "openssl-c-rehash-in.patch")))))) - (define-public openssl-next (package (inherit openssl) (name "openssl") - (replacement #f) (version "1.1.0b") (source (origin (method url-fetch) -- cgit 1.4.1