src/crypto, branch releng/14.2

src/crypto, branch releng/14.2 FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.2 2025-09-30T15:31:54Z Fix multiple security issues in OpenSSL. 2025-09-30T15:31:54Z Gordon Tetlow gordon@FreeBSD.org 2025-09-30T15:27:08Z urn:sha1:6a0d914d9c3ebd8c150b7f90e79616d16efefee8 Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230) Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232) Obtained from: OpenSSL Approved by: so Security: FreeBSD-SA-25:08.openssl Security: CVE-2025-9230 Security: CVE-2025-9232 (cherry picked from commit 270158508d7c55a0737c2a9915cd4afc8fabdaf0) openssl: Import OpenSSL 3.0.16 2025-04-10T14:38:58Z Enji Cooper ngie@FreeBSD.org 2025-03-14T06:40:59Z urn:sha1:862cd6b8fa9df7057bad47d01ccaf36a959e9166 This release incorporates the following bug fixes and mitigations: - [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 - [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143) Release notes can be found at: https://openssl-library.org/news/openssl-3.0-notes/index.html Approved by: so Security: FreeBSD-EN-25:07.openssl Differential Revision: https://reviews.freebsd.org/D49296 Differential Revision: https://reviews.freebsd.org/D49297 (cherry picked from commit 0d0c8621fd181e507f0fb50ffcca606faf66a8c2) (cherry picked from commit cb29db243bd09d16604435639ae43ef7af0ea254) (cherry picked from commit d2a55e6a9348bb55038dbc6b727ab041085f22db) (cherry picked from commit 0d61082e3c64a43f52ec5f1bf3d85671d97d9514) ssh: Bump VersionAddendum for CVE fixes 2025-02-21T02:45:50Z Ed Maste emaste@FreeBSD.org 2025-02-19T14:00:42Z urn:sha1:4b8a2f716588e58ddb39ccdb60189e8c57239457 Security: FreeBSD-SA-25:05.openssh Approved by: so Sponsored by: The FreeBSD Foundation (cherry picked from commit 62df41ae0a71e77ccb1e8fae06d82eec5dff441a) (cherry picked from commit 24ce323f020fb1ee1b463e524a7a6c15f47ec2a4) ssh: Fix cases where error codes were not correctly set 2025-02-21T02:35:04Z Ed Maste emaste@FreeBSD.org 2025-02-19T03:03:26Z urn:sha1:1920babc310ab8ebaa76188decf1aa5ed88e9d84 Obtained from: OpenSSH 38df39ecf278 Security: CVE-2025-26465 Security: FreeBSD-SA-25:05.openssh Approved by: so Sponsored by: The FreeBSD Foundation (cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd) (cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404) ssh: Don't reply to PING in preauth phase or during KEX 2025-02-21T02:34:15Z Ed Maste emaste@FreeBSD.org 2025-02-19T03:00:45Z urn:sha1:3ae196925d2915e95e549dbc1687c75845ce87a9 Obtained from: OpenSSH 5e07dee272c3 Security: CVE-2025-26466 Security: FreeBSD-SA-25:05.openssh Approved by: so Sponsored by: The FreeBSD Foundation (cherry picked from commit 8a16d0831e70530b2fbd682e748bd051de35f192) (cherry picked from commit 34798cb576bbd2064ab8da372112482bf8e2a7e6) openssl: Import OpenSSL 3.0.15. 2024-09-28T03:50:47Z Enji Cooper ngie@FreeBSD.org 2024-09-08T04:30:17Z urn:sha1:cc43f991ab3e46ec16f3f1395160805f01bf932e This release incorporates the following bug fixes and mitigations: - Fixed possible denial of service in X.509 name checks ([CVE-2024-6119]) - Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535]) Release notes can be found at: https://openssl-library.org/news/openssl-3.0-notes/index.html Co-authored-by: gordon MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D46602 Merge commit '108164cf95d9594884c2dcccba2691335e6f221b' (cherry picked from commit a7148ab39c03abd4d1a84997c70bf96f15dd2a09) Update config/build info for OpenSSL 3.0.15 This is a companion commit to the OpenSSL 3.0.15 update. `opensslv.h` was regenerated via the following process: ``` cd crypto/openssl ./config git reset --hard gmake include/openssl/opensslv.h ``` `Makefile.inc` has been updated to match. MFC after: 1 week MFC with: a7148ab39c03abd4d1a84997c70bf96f15dd2a09 Differential Revision: https://reviews.freebsd.org/D46603 (cherry picked from commit cc717b574d7faa2e0b2de1a985076286cef74187) sys/crypto/openssl: update powerpc* ASM This change updates the crypto powerpc* ASM via the prescribed process documented in `crypto/openssl/FREEBSD-upgrade`. This change syncs the ASM with 3.0.15's generated ASM. MFC after: 1 week MFC with: a7148ab39c03abd4d1a84997c70bf96f15dd2a09 MFC with: cc717b574d7faa2e0b2de1a985076286cef74187 Differential Revision: https://reviews.freebsd.org/D46604 (cherry picked from commit 77864b545b0aaa91bc78b1156c477825007a6233) openssl: Avoid type errors in EAI-related name check logic. 2024-09-03T17:07:59Z Viktor Dukhovni viktor@openssl.org 2024-06-19T11:04:11Z urn:sha1:5946b0c6cbc77e6c5f62f5f7e635c6036e14f4d0 The incorrectly typed data is read only, used in a compare operation, so neither remote code execution, nor memory content disclosure were possible. However, applications performing certificate name checks were vulnerable to denial of service. The GENERAL_TYPE data type is a union, and we must take care to access the correct member, based on `gen->type`, not all the member fields have the same structure, and a segfault is possible if the wrong member field is read. The code in question was lightly refactored with the intent to make it more obviously correct. Security: CVE-2024-6119 Obtained from: OpenSSL Project (cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1) sshd: remove blacklist call from grace_alarm_timer 2024-08-06T19:39:40Z Ed Maste emaste@FreeBSD.org 2024-08-01T00:04:46Z urn:sha1:73466449a9bf1888147c53d622236cebc0aa591b Under certain circumstances it may call log(3), which is not async- signal-safe. For now just remove the blacklist integration from this path, which means that blacklistd will not detect and firewall hosts that establish a connection but do nothing further. Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46203 (cherry picked from commit 2739a6845031e69be7c03461a9335d8bbb9f59bd) (cherry picked from commit 3d3bae9b95388169d396adc8007585699c5a23e0) Approved by: so Fix enum warning in heimdal 2024-08-04T10:21:02Z Dimitry Andric dim@FreeBSD.org 2024-07-30T18:31:47Z urn:sha1:e656c69b8d50ab13a08d315d49f289287b97f83a This fixes a clang 19 warning: crypto/heimdal/lib/krb5/deprecated.c:75:17: error: comparison of different enumeration types ('krb5_keytype' (aka 'enum ENCTYPE') and 'enum krb5_keytype_old') [-Werror,-Wenum-compare] 75 | if (keytype != KEYTYPE_DES || context->etypes_des == NULL) | ~~~~~~~ ^ ~~~~~~~~~~~ In https://github.com/heimdal/heimdal/commit/3bebbe5323 this was solved by adding a cast. That commit is rather large, so I'm only applying the one-liner here. MFC after: 3 days (cherry picked from commit 6f25b46721a18cf4f036d041e7e5d275800a00b3) openssh: use '' instead of `' in config.h 2024-07-15T18:45:16Z Ed Maste emaste@FreeBSD.org 2024-07-01T14:45:43Z urn:sha1:60f78f8ed14d5e66ce689532e18282a09a1a4e72 Autoconf 2.72 uses '' rather tha `' in comments in config.h, from autoconf commit 64df9b4523fe ("Autoconf now quotes 'like this' instead of `like this'"). Switch quoting style now to minimize diffs on the next OpenSSH update and config.h regen. Reviewed by: gordon, philip Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45840 (cherry picked from commit 94416c6939f431b29286a71bb2797e749df9645c)