diff --git a/SOURCES/openssl-1.0.1e-cve-2015-7575.patch b/SOURCES/openssl-1.0.1e-cve-2015-7575.patch
new file mode 100644
index 0000000..dc86361
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2015-7575.patch
@@ -0,0 +1,38 @@
+diff -up openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls openssl-1.0.1e/ssl/t1_lib.c
+--- openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls 2015-12-04 09:51:39.000000000 +0100
++++ openssl-1.0.1e/ssl/t1_lib.c 2015-12-21 14:09:35.239084727 +0100
+@@ -390,19 +390,11 @@ static unsigned char tls12_sigalgs[] = {
+ #ifndef OPENSSL_NO_SHA
+ tlsext_sigalg(TLSEXT_hash_sha1)
+ #endif
+-#ifndef OPENSSL_NO_MD5
+- tlsext_sigalg_rsa(TLSEXT_hash_md5)
+-#endif
+ };
+
+ int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
+ {
+ size_t slen = sizeof(tls12_sigalgs);
+-#ifdef OPENSSL_FIPS
+- /* If FIPS mode don't include MD5 which is last */
+- if (FIPS_mode())
+- slen -= 2;
+-#endif
+ if (p)
+ memcpy(p, tls12_sigalgs, slen);
+ return (int)slen;
+@@ -2413,14 +2405,6 @@ const EVP_MD *tls12_get_hash(unsigned ch
+ {
+ switch(hash_alg)
+ {
+-#ifndef OPENSSL_NO_MD5
+- case TLSEXT_hash_md5:
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return NULL;
+-#endif
+- return EVP_md5();
+-#endif
+ #ifndef OPENSSL_NO_SHA
+ case TLSEXT_hash_sha1:
+ return EVP_sha1();
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 47dd240..3dbd5c5 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 51%{?dist}.1
+Release: 51%{?dist}.2
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
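Review bot: In the embedded t1_lib.c patch, the second inner hunk drops `case TLSEXT_hash_md5:` from `tls12_get_hash` and leaves no marker behind, so refusing a peer-offered MD5 signature algorithm now depends on the rest of the switch, which lies outside the hunk. A short comment at that spot, such as `/* MD5 deliberately not mapped: MD5-based TLS 1.2 signatures are refused (CVE-2015-7575) */`, would keep a later rebase from quietly restoring the case. It is also worth confirming that every caller of `tls12_get_hash` treats a NULL return as a fatal handshake error rather than continuing with a default digest; those call sites are not visible here. The first inner hunk deserves the same kind of note on `tls12_sigalgs`, since the removed FIPS `slen -= 2` adjustment only made sense while MD5 was the last entry of the table.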
@@ -143,6 +143,7 @@ Patch134: openssl-1.0.1e-cve-2015-1792.patch Patch135: openssl-1.0.1e-cve-2015-3194.patch Patch136: openssl-1.0.1e-cve-2015-3195.patch Patch137: openssl-1.0.1e-cve-2015-3196.patch +Patch138: openssl-1.0.1e-cve-2015-7575.patch License: OpenSSL Group: System Environment/Libraries @@ -316,6 +317,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch135 -p1 -b .pss-check %patch136 -p1 -b .combine-leak %patch137 -p1 -b .psk-identity +%patch138 -p1 -b .no-md5-tls sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -582,6 +584,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Mon Dec 21 2015 Tomáš Mráz 1.0.1e-51.2 +- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2 + * Fri Dec 4 2015 Tomáš Mráz 1.0.1e-51.1 - fix CVE-2015-3194 - certificate verify crash with missing PSS parameter - fix CVE-2015-3195 - X509_ATTRIBUTE memory leak