openssl: Update to 1.0.1m
Fixes various "Moderate" / "Low" CVEs: http://openssl.org/news/secadv_20150319.txt
This commit is contained in:
parent
e73933da9c
commit
2fe351c7e3
@ -1,6 +1,6 @@
|
||||
diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c
|
||||
--- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200
|
||||
+++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200
|
||||
diff -ru openssl-1.0.1m-orig/crypto/x509/x509_def.c openssl-1.0.1m/crypto/x509/x509_def.c
|
||||
--- openssl-1.0.1m-orig/crypto/x509/x509_def.c 2015-03-19 14:19:00.000000000 +0100
|
||||
+++ openssl-1.0.1m/crypto/x509/x509_def.c 2015-03-19 15:50:44.676683616 +0100
|
||||
@@ -57,6 +57,10 @@
|
||||
*/
|
||||
|
||||
@ -12,30 +12,28 @@ diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypt
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/x509.h>
|
||||
@@ -71,7 +75,25 @@
|
||||
{ return(X509_CERT_DIR); }
|
||||
@@ -78,7 +82,23 @@
|
||||
|
||||
const char *X509_get_default_cert_file(void)
|
||||
- { return(X509_CERT_FILE); }
|
||||
+ {
|
||||
+ static char buf[PATH_MAX] = X509_CERT_FILE;
|
||||
+ static int init = 0;
|
||||
+ if (!init) {
|
||||
+ init = 1;
|
||||
+ char * s = getenv("OPENSSL_X509_CERT_FILE");
|
||||
+ if (s) {
|
||||
{
|
||||
- return (X509_CERT_FILE);
|
||||
+ static char buf[PATH_MAX] = X509_CERT_FILE;
|
||||
+ static int init = 0;
|
||||
+ if (!init) {
|
||||
+ init = 1;
|
||||
+ char * s = getenv("OPENSSL_X509_CERT_FILE");
|
||||
+ if (s) {
|
||||
+#ifndef OPENSSL_SYS_WINDOWS
|
||||
+ if (getuid() == geteuid()) {
|
||||
+ if (getuid() == geteuid()) {
|
||||
+#endif
|
||||
+ strncpy(buf, s, sizeof(buf));
|
||||
+ buf[sizeof(buf) - 1] = 0;
|
||||
+ strncpy(buf, s, sizeof(buf));
|
||||
+ buf[sizeof(buf) - 1] = 0;
|
||||
+#ifndef OPENSSL_SYS_WINDOWS
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+ }
|
||||
+ return buf;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ return buf;
|
||||
}
|
||||
|
||||
const char *X509_get_default_cert_dir_env(void)
|
||||
{ return(X509_CERT_DIR_EVP); }
|
||||
|
@ -2,7 +2,7 @@
|
||||
, withCryptodev ? false, cryptodevHeaders }:
|
||||
|
||||
let
|
||||
name = "openssl-1.0.1l";
|
||||
name = "openssl-1.0.1m";
|
||||
|
||||
opensslCrossSystem = stdenv.lib.attrByPath [ "openssl" "system" ]
|
||||
(throw "openssl needs its platform name cross building" null)
|
||||
@ -18,6 +18,8 @@ let
|
||||
# hardcoding something like /etc/ssl/cert.pem is impure and
|
||||
# cannot be overriden per-process. For security, the
|
||||
# environment variable is ignored for setuid binaries.
|
||||
# FIXME: drop this patch; it really isn't necessary, because
|
||||
# OpenSSL already supports a ‘SSL_CERT_FILE’ variable.
|
||||
./cert-file.patch
|
||||
]
|
||||
|
||||
@ -43,7 +45,7 @@ stdenv.mkDerivation {
|
||||
"http://www.openssl.org/source/${name}.tar.gz"
|
||||
"http://openssl.linux-mirror.org/source/${name}.tar.gz"
|
||||
];
|
||||
sha256 = "1m6i80y9c9g7h4303bqbxnsk5wm6jd0n57hwqr0g4jaxzr44vkxj";
|
||||
sha256 = "0x7gvyybmqm4lv62mlhlm80f1rn7il2qh8224rahqv0i15xhnpq9";
|
||||
};
|
||||
|
||||
patches = patchesCross false;
|
||||
|
Loading…
Reference in New Issue
Block a user