build - Remove openssl from base (is now permanently replaced by ressl) * Remove openssl and related code that previous commits by John Marino replaced with libressl. Remove build hooks, base now only uses libressl. * Remove crypto/openssl. This has been replaced by the openssl implementation from ressl. * Remove lib/libcrypto. This has been replaced by lib/librecrypto which generates a private_crypo library only used by base. * Remove lib/libssl. This has been replaced by lib/libressl which generates a private_ssl library only used by base. * NOTE: In addition, John has been working on updating dports to ensure that only the ports-based libssl and libcrypto (both nominally implemented via ressl and not openssl), and that dports packages no longer have any chance of using the private versions of these libraries from base.
Import OpenSSL-1.0.2h.
Import OpenSSL 1.0.1t. * Fix CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176, CVE-2016-0702 For a more detailed list of changes, see crypto/openssl/CHANGES.
Import OpenSSL 1.0.1s. * Fix CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. For a more detailed list of changes, see crypto/openssl/CHANGES.
Import OpenSSL 1.0.1r. * Protection for DH small subgroup attacks * Fix CVE-2015-3197 (SSLv2 doesn't block disabled ciphers) * Reject DH handshakes with parameters shorter than 1024 bits
Import OpenSSL 1.0.1q. * Certificate verify crash with missing PSS parameter (CVE-2015-3194) * X509_ATTRIBUTE memory leak (CVE-2015-3195) * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs * In DSA_generate_parameters_ex, if the provided seed is too short, return an error
Import OpenSSL 1.0.1n. Fixes CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, and CVE-2015-1792. Rejects DH handshakes with parameters shorter than 768 bits.
Import OpenSSL 1.0.1m. Fixes CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, and CVE-2015-0288.
Import OpenSSL-1.0.1l. * Fixes for CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275 and CVE-2014-3570. * Ensure that the session ID context of an SSL is updated when its SSL_CTX is updated via SSL_set_SSL_CTX. * Do not resume sessions on the server if the negotiated protocol version does not match the session's version. * Tighten handling of the ChangeCipherSpec (CCS) message. * Tighten client-side session ticket handling during renegotiation. Also, while here, remove the doc/ subdirectory on the vendor branch. We don't need to distribute it in contrib/.
Import OpenSSL-1.0.1j. * Fixes for CVE-2014-3513, CVE-2014-3566, CVE-2014-3567 and CVE-2014-3568. * Additional DigestInfo checks.
Import OpenSSL-1.0.1i.
Import OpenSSL-1.0.1h. * Fixes for CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-3470 * Harmonize version and its documentation * Fix eckey_priv_encode so it immediately returns an error upon a failure in i2d_ECPrivateKey * Fix some double frees. These are not thought to be exploitable. See also http://www.openssl.org/news/secadv_20140605.txt Submitted-by: Robin Hahling <robin.hahling@gw-computing.net>
Import OpenSSL-1.0.1g. o Fix for CVE-2014-0160 o Add TLS padding extension workaround for broken servers. o Fix for CVE-2014-0076 o Don't include gmt_unix_time in TLS server and client random values o Fix for TLS record tampering bug CVE-2013-4353 o Fix for TLS version checking bug CVE-2013-6449 o Fix for DTLS retransmission bug CVE-2013-6450
Import OpenSSL-1.0.1e. o Corrected fix for CVE-2013-0169.
Import OpenSSL-1.0.1d. o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version. o Fix OCSP bad key DoS attack CVE-2013-0166 o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 o Fix for TLS AESNI record handling flaw CVE-2012-2686