openssl: security update to 1.0.2g
authorArne Fitzenreiter <arne_f@ipfire.org>
Tue, 3 May 2016 19:28:28 +0000 (21:28 +0200)
committerArne Fitzenreiter <arne_f@ipfire.org>
Tue, 3 May 2016 19:28:28 +0000 (21:28 +0200)
see https://www.openssl.org/news/secadv/20160503.txt for details

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
lfs/openssl
src/patches/openssl-1.0.1m-weak-ciphers.patch [deleted file]
src/patches/openssl-1.0.2h-weak-ciphers.patch [new file with mode: 0644]

index eb7352f8cb222fd8672156d68be8ed6bd05eb2a9..0a0b2cffdaa125c06e9b384efb79074dc89e9e55 100644 (file)
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.0.2g
+VER        = 1.0.2h
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -53,7 +53,7 @@ CONFIGURE_OPTIONS = \
        zlib-dynamic \
        enable-camellia \
        enable-md2 \
-       enable-ssl2 \
+       disable-ssl2 \
        enable-seed \
        enable-tlsext \
        enable-rfc3779 \
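Review bot: `disable-ssl2` compiles the SSLv2 code out of libssl, but nothing next to the option records why or what else it affects. As far as I know, a build without SSLv2 also omits the `SSLv2_*method` entry points, so packages linked against the previous library that reference them would need a rebuild; this page does not show whether that is handled. A comment above the option list would help the next maintainer, e.g. `# SSLv2 is compiled out; packages referencing SSLv2_*method must be rebuilt`. The `CONFIGURE_OPTIONS` assignment starts before and continues past this hunk.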
@@ -87,7 +87,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = f3c710c045cdee5fd114feb69feba7aa
+$(DL_FILE)_MD5 = 9392e65072ce4b614c1392eefc1f23d0
 
 install : $(TARGET)
 
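Review bot: The tarball of a security-critical library is pinned only by an MD5 digest in `$(DL_FILE)_MD5`, and MD5 is collision-broken, so it is a weak anchor for supply-chain integrity. If the lfs framework can carry a stronger digest (SHA-256 or better), record it alongside this one, and check the download against the upstream release signature before updating the value; whether the framework supports either is not visible on this page. Note also that this digest belongs to `openssl-1.0.2h.tar.gz` per the `VER` hunk, while the commit title still says 1.0.2g.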
@@ -119,7 +119,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1m-weak-ciphers.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2h-weak-ciphers.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
 
        # i586 specific patches
diff --git a/src/patches/openssl-1.0.1m-weak-ciphers.patch b/src/patches/openssl-1.0.1m-weak-ciphers.patch
deleted file mode 100644 (file)
index f57b978..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
---- openssl-1.0.1m/ssl/ssl.h.old       2015-03-19 15:25:20.646533583 +0100
-+++ openssl-1.0.1m/ssl/ssl.h   2015-03-19 15:25:31.229875691 +0100
-@@ -334,7 +334,7 @@
-  * The following cipher list is used by default. It also is substituted when
-  * an application-defined cipher list string starts with 'DEFAULT'.
-  */
--# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
-+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
- /*
-  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
-  * starts with a reasonable order, and all we have to do for DEFAULT is
diff --git a/src/patches/openssl-1.0.2h-weak-ciphers.patch b/src/patches/openssl-1.0.2h-weak-ciphers.patch
new file mode 100644 (file)
index 0000000..d1ec6a2
--- /dev/null
@@ -0,0 +1,12 @@
+diff -Naur openssl-1.0.2h.org/ssl/ssl.h openssl-1.0.2h/ssl/ssl.h
+--- openssl-1.0.2h.org/ssl/ssl.h       2016-05-03 15:44:42.000000000 +0200
++++ openssl-1.0.2h/ssl/ssl.h   2016-05-03 18:49:10.393302264 +0200
+@@ -338,7 +338,7 @@
+  * The following cipher list is used by default. It also is substituted when
+  * an application-defined cipher list string starts with 'DEFAULT'.
+  */
+-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
++# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
+ /*
+  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+  * starts with a reasonable order, and all we have to do for DEFAULT is
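Review bot: The new `SSL_DEFAULT_CIPHER_LIST` still admits RC4, because `ALL` in the 1.0.2 series includes the RC4 suites and none of the exclusions removes them. As far as I know, `!DES` covers single DES only, which `!LOW` already excludes, so 3DES stays in the default as well. If the aim of this patch is to keep weak ciphers out of the default, consider `"ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC2:!DES:!RC4"`, after checking that no shipped client still depends on RC4. Applications that set their own cipher string do not use this default, so their configurations need reviewing separately.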