From: Arne Fitzenreiter Date: Tue, 3 May 2016 19:28:28 +0000 (+0200) Subject: openssl: security update to 1.0.2g X-Git-Tag: v2.19-core102~1 X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=d25d7bfccf37fd008af43021ec5a18f135894699 openssl: security update to 1.0.2g see https://www.openssl.org/news/secadv/20160503.txt for details Signed-off-by: Arne Fitzenreiter
---
diff --git a/lfs/openssl b/lfs/openssl
index eb7352f8cb..0a0b2cffda 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
 include Config
-VER = 1.0.2g
+VER = 1.0.2h
 THISAPP = openssl-$(VER)
 DL_FILE = $(THISAPP).tar.gz
@@ -53,7 +53,7 @@ CONFIGURE_OPTIONS = \
 zlib-dynamic \
 enable-camellia \
 enable-md2 \
- enable-ssl2 \
+ disable-ssl2 \
 enable-seed \
 enable-tlsext \
 enable-rfc3779 \
@@ -87,7 +87,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = f3c710c045cdee5fd114feb69feba7aa
+$(DL_FILE)_MD5 = 9392e65072ce4b614c1392eefc1f23d0
 install : $(TARGET)
@@ -119,7 +119,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1m-weak-ciphers.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2h-weak-ciphers.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
 # i586 specific patches
diff --git a/src/patches/openssl-1.0.1m-weak-ciphers.patch b/src/patches/openssl-1.0.1m-weak-ciphers.patch
deleted file mode 100644
index f57b97811d..0000000000
--- a/src/patches/openssl-1.0.1m-weak-ciphers.patch
+++ /dev/null
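Review bot: Changing `enable-ssl2` to `disable-ssl2` in the CONFIGURE_OPTIONS hunk compiles SSLv2 out of the library, so the SSLv2 method entry points are presumably no longer exported, and nothing in this commit shows that packages linked against libssl were checked or rebuilt. I would record that requirement next to the option list, for example a comment above the assignment such as `# SSLv2 is compiled out; packages that reference SSLv2 method symbols must be rebuilt against this libssl`. The same list still carries `enable-md2 \` as context; if no shipped package needs MD2, dropping it would fit the intent of this hardening. CONFIGURE_OPTIONS begins and ends outside the hunk, so the full option set is not visible here.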
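Review bot: The new tarball is pinned only by `$(DL_FILE)_MD5`, and MD5 is collision-broken, which makes it a weak sole integrity pin for a security-critical source archive. Whether the lfs framework can check a stronger digest is not visible in this diff; at minimum the update should state how the tarball was verified, for example a comment above the line such as `# tarball checked against upstream .sha256/.asc; the MD5 below is only a transfer check`. The digest belongs to the 1.0.2h tarball (`VER = 1.0.2h` in the first hunk), while the subject line still says 1.0.2g, which will mislead anyone matching commits to the referenced advisory.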
@@ -1,11 +0,0 @@
---- openssl-1.0.1m/ssl/ssl.h.old 2015-03-19 15:25:20.646533583 +0100
-+++ openssl-1.0.1m/ssl/ssl.h 2015-03-19 15:25:31.229875691 +0100
-@@ -334,7 +334,7 @@
- * The following cipher list is used by default. It also is substituted when
- * an application-defined cipher list string starts with 'DEFAULT'.
- */
--# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
-+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
- /*
- * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
- * starts with a reasonable order, and all we have to do for DEFAULT is
diff --git a/src/patches/openssl-1.0.2h-weak-ciphers.patch b/src/patches/openssl-1.0.2h-weak-ciphers.patch
new file mode 100644
index 0000000000..d1ec6a2afc
--- /dev/null
+++ b/src/patches/openssl-1.0.2h-weak-ciphers.patch
@@ -0,0 +1,12 @@
+diff -Naur openssl-1.0.2h.org/ssl/ssl.h openssl-1.0.2h/ssl/ssl.h
+--- openssl-1.0.2h.org/ssl/ssl.h 2016-05-03 15:44:42.000000000 +0200
++++ openssl-1.0.2h/ssl/ssl.h 2016-05-03 18:49:10.393302264 +0200
+@@ -338,7 +338,7 @@
+ * The following cipher list is used by default. It also is substituted when
+ * an application-defined cipher list string starts with 'DEFAULT'.
+ */
+-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
++# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
+ /*
+ * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
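Review bot: The patched `SSL_DEFAULT_CIPHER_LIST` still starts from `ALL` and subtracts only EXPORT, LOW, the NULL classes, SSLv2, RC2 and DES, so RC4 suites stay in the list applications get when they set no cipher string or one starting with `DEFAULT`. If the purpose of this patch is to keep weak ciphers out of the default, consider `# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC2:!DES:!RC4"`, after confirming that no shipped service or peer still depends on RC4. Since the upstream line being replaced already contains `!LOW`, the carried `!RC2:!DES` additions are probably largely redundant now. A short header comment in the patch stating which suites they are still meant to remove would make the next rebase easier to audit.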