src/secure, branch releng/12.3

src/secure, branch releng/12.3 FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F12.3 2023-02-16T18:00:54Z Fix multiple OpenSSL vulnerabilities. 2023-02-16T18:00:54Z Gordon Tetlow gordon@FreeBSD.org 2023-02-16T17:25:39Z urn:sha1:afb60ed7d8a1e91163200fbf0d85b27a1237ea48 Approved by: so Security: FreeBSD-SA-23:03.openssl Security: CVE-2023-0286 Security: CVE-2023-0215 Security: CVE-2022-4450 Security: CVE-2022-4304 caroot: cumulative cert update 2021-09-04T07:39:03Z Kyle Evans kevans@FreeBSD.org 2021-03-30T02:56:40Z urn:sha1:534d1019aa53e2ee3ce673d58cabe4a8ca85ee35 This adds a note in all existing certs that they are explicitly trusted for server auth, and also: - Seven (7) added - Nineteen (19) removed (cherry picked from commit 446169e0b6f04b96960540784539c218f5a14c86) (cherry picked from commit 3016c5c2bf68d8c6ebf303939f20092478e7a4ca) (cherry picked from commit fac832b27105d926d9f8728d7147adb547b937d8) (cherry picked from commit 76461921dac18b300489e326ba3df61d2809f364) caroot: update CA bundle processor 2021-09-04T07:39:00Z Kyle Evans kevans@FreeBSD.org 2021-03-30T03:05:38Z urn:sha1:0ef0442fcf63392502e4d2a645807a723562de0f Our current processor was identified as trusting cert not explicitly marked for SERVER_AUTH, as well as certs that were tagged with DISTRUST_AFTER. Update the script to handle both scenarios. This patch was originally authored by mandree@ for ports, and it was subsequently ported to base caroot. (cherry picked from commit c3510c941c0dddd09389915a9395e6f059088bab) OpenSSL: Reduce diff with the upstream 2021-09-03T18:14:57Z Jung-uk Kim jkim@FreeBSD.org 2021-09-01T04:10:59Z urn:sha1:06eebd2278649ec12fdf0f56f5afbb6c8c2cfbab (cherry picked from commit 649ccdd753790069623e192185d133fd26a03bf9) OpenSSL: Regen manual pages for 1.1.1l 2021-09-03T18:12:06Z Jung-uk Kim jkim@FreeBSD.org 2021-09-03T18:12:06Z urn:sha1:8440bc1742ffe92c1aedd52bcaf4f2f863e24603 libcrypto: Add symbol versions for symbols added since 1.1.1d. 2021-06-09T21:54:13Z John Baldwin jhb@FreeBSD.org 2021-05-28T22:18:15Z urn:sha1:f29f5cc6f2d390b1ae4a6c526271e37233aafc70 While here, trim a spurious local: I missed when added SSL_sendfile. PR: 255277 Reported by: yuri Reviewed by: jkim Differential Revision: https://reviews.freebsd.org/D30483 (cherry picked from commit 7ad70d22c667173586c04fc13dd315995d78fbbf) OpenSSL: Regen manual pages for 1.1.1k 2021-03-25T17:13:25Z Jung-uk Kim jkim@FreeBSD.org 2021-03-25T16:17:52Z urn:sha1:2225c9780afa0f02f02a69b78f9e9bc2f0ac18bc (cherry picked from commit 7595394130a163b7ff53d9ef3f28fcb87f629d17) OpenSSL: Regen assembly files and manual pages for OpenSSL 1.1.1j 2021-02-17T05:07:24Z Jung-uk Kim jkim@FreeBSD.org 2021-02-17T05:07:24Z urn:sha1:bc702228ee23e93eea1b0651436a54586e33275a caroot: drop $FreeBSD$ expansion from root bundle 2021-01-02T05:40:03Z Kyle Evans kevans@FreeBSD.org 2020-12-28T03:47:41Z urn:sha1:f182d0c7e87a5164c3b4f4940c0882dc58481de5 This debatably could have waited until the next update would have taken place, but it's easier to see what changes if we get it out of the way now. (cherry picked from commit f20c0e3319524d51ab474608851bc705d57a7482) MFC r368555: caroot: update bundle 2020-12-15T21:50:05Z Kyle Evans kevans@FreeBSD.org 2020-12-15T21:50:05Z urn:sha1:e4e8ecaf63ba6f2767680a7b4666461243d88749 Summary: - One (1) added - Ten (10) removed