| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
Merge OpenSSL 1.0.1j.
This is part of an upcoming FreeBSD security advisory.
Approved by: re (so@ blanket)
Notes:
svn path=/releng/10.1/; revision=273399
|
| |
|
|
|
|
|
|
|
|
|
| |
Include the gssapi_krb5 library in KRB5_LDFLAGS.
PR: 156245
Approved by: re (marius)
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/stable/10/; revision=271473
|
| |
|
|
|
|
|
| |
Merge OpenSSL 1.0.1i.
Notes:
svn path=/stable/10/; revision=269686
|
| |
|
|
|
|
|
|
|
| |
Merge OpenSSL 1.0.1h.
Approved by: so (delphij)
Notes:
svn path=/stable/10/; revision=267258
|
| |
|
|
|
|
|
|
|
| |
Security: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224,
CVE-2014-3470
Security: SA-14:14.openssl
Notes:
svn path=/stable/10/; revision=267103
|
| |
|
|
|
|
|
|
|
| |
Obtained from: OpenBSD
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2014-0198
Notes:
svn path=/stable/10/; revision=265986
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix OpenSSL use-after-free vulnerability.
Fix TCP reassembly vulnerability.
Security: FreeBSD-SA-14:07.devfs
Security: CVE-2014-3001
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2010-5298
Notes:
svn path=/stable/10/; revision=265122
|
| |
|
|
| |
Notes:
svn path=/stable/10/; revision=264692
|
| |
|
|
|
|
|
| |
MFH (r264308): restore p level in debugging output
Notes:
svn path=/stable/10/; revision=264377
|
| |
|
|
|
|
|
| |
Merge OpenSSL 1.0.1f and 1.0.1g.
Notes:
svn path=/stable/10/; revision=264331
|
| |
|
|
|
|
|
|
| |
Fix "Heartbleed" vulnerability and ECDSA Cache Side-channel
Attack in OpenSSL. [SA-14:06]
Notes:
svn path=/stable/10/; revision=264266
|
| |
|
|
|
|
|
| |
Fix installations that use kernels without CAPABILITIES support.
Notes:
svn path=/stable/10/; revision=262718
|
| |
|
|
|
|
|
| |
MFH (r261340): enable sandboxing by default
Notes:
svn path=/stable/10/; revision=262566
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apply vendor commits:
197e0ea Fix for TLS record tampering bug. (CVE-2013-4353).
3462896 For DTLS we might need to retransmit messages from the
previous session so keep a copy of write context in DTLS
retransmission buffers instead of replacing it after
sending CCS. (CVE-2013-6450).
ca98926 When deciding whether to use TLS 1.2 PRF and record hash
algorithms use the version number in the corresponding
SSL_METHOD structure instead of the SSL structure. The
SSL structure version is sometimes inaccurate.
Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449).
Security: CVE-2013-4353
Security: CVE-2013-6449
Security: CVE-2013-6450
Notes:
svn path=/stable/10/; revision=260404
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apply patch from upstream Heimdal for encoding fix
RFC 4402 specifies the implementation of the gss_pseudo_random()
function for the krb5 mechanism (and the C bindings therein).
The implementation uses a PRF+ function that concatenates the output
of individual krb5 pseudo-random operations produced with a counter
and seed. The original implementation of this function in Heimdal
incorrectly encoded the counter as a little-endian integer, but the
RFC specifies the counter encoding as big-endian. The implementation
initializes the counter to zero, so the first block of output (16 octets,
for the modern AES enctypes 17 and 18) is unchanged. (RFC 4402 specifies
that the counter should begin at 1, but both existing implementations
begin with zero and it looks like the standard will be re-issued, with
test vectors, to begin at zero.)
This is upstream's commit f85652af868e64811f2b32b815d4198e7f9017f6,
from 13 October, 2013:
% Fix krb5's gss_pseudo_random() (n is big-endian)
%
% The first enctype RFC3961 prf output length's bytes are correct because
% the little- and big-endian representations of unsigned zero are the
% same. The second block of output was wrong because the counter was not
% being encoded as big-endian.
%
% This change could break applications. But those applications would not
% have been interoperating with other implementations anyways (in
% particular: MIT's).
Bump __FreeBSD_version accordingly and add a note in UPDATING.
Approved by: hrs (mentor, src committer)
Notes:
svn path=/stable/10/; revision=259447
|
| |
|
|
|
|
|
| |
Approved by: re (kib)
Notes:
svn path=/stable/10/; revision=258343
|
| |
|
|
|
|
|
|
|
| |
Security: CVE-2013-4548
Security: FreeBSD-SA-13:14.openssh
Approved by: re (implicit)
Notes:
svn path=/stable/10/; revision=258335
|
| |
|
|
|
|
|
|
|
|
|
|
| |
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.
Approved by: re (marius)
Notes:
svn path=/head/; revision=255829
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
didn't use them. This will make future merges from the vendor tree much
easier.
Approved by: re (gjb)
Notes:
svn path=/head/; revision=255774
|
| |\|
| |
| |
| |
| |
| |
| | |
Approved by: re (gjb)
Notes:
svn path=/head/; revision=255767
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
LDNS. With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records. If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.
Approved by: re (blanket)
Notes:
svn path=/head/; revision=255461
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
branch but never merged to head. They were inadvertantly left out when
6.1p1 was merged to head. It didn't make any difference at the time,
because they were unused, but one of them is required for DNS-based host
key verification.
Approved by: re (blanket)
Notes:
svn path=/head/; revision=255422
|
| |\|
| |
| |
| |
| |
| |
| | |
MFC after: 3 days
Notes:
svn path=/head/; revision=254278
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.
Requested by: zi
Approved by: benl
Notes:
svn path=/head/; revision=254107
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Reviewed by: dfr
Notes:
svn path=/head/; revision=252409
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
"sandbox" to "yes", but did not update the documentation to match.
Notes:
svn path=/head/; revision=252338
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
"sandbox" instead of "yes". In sandbox mode, the privsep child is unable
to load additional libraries and will therefore crash when trying to take
advantage of crypto offloading on CPUs that support it.
Notes:
svn path=/head/; revision=251088
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
socket to allow propagation of changes to a Heimdal Kerberos database
from the KDC master to the slave(s) work on IPv6 as well.
Update the stats logging to also handle IPv6 addresses.
Reported by: peter (found on FreeBSD cluster)
X-to-be-tested-by: peter
MFC after: 3 weeks
Notes:
svn path=/head/; revision=250782
|
| |\ \ \
| | |/
| |/|
| | |
| | |
| | |
| | | |
the issues that affected us.
Notes:
svn path=/head/; revision=250739
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
and the update to 6.1 added SSH_BUG_DYNAMIC_RPORT with the
same value.
Fix the HPN SSH_BUG_LARGEWINDOW bit so it is unique.
Approved by: des
MFC after: 2 weeks
Notes:
svn path=/head/; revision=250595
|
| |\| |
| | |
| | |
| | |
| | |
| | |
| | | |
PR: bin/178060
Notes:
svn path=/head/; revision=249839
|
| |\| |
| | |
| | |
| | | |
Notes:
svn path=/head/; revision=249475
|
| |\| |
| | |
| | |
| | | |
Notes:
svn path=/head/; revision=249016
|
| | | |
| | |
| | |
| | | |
Notes:
svn path=/head/; revision=249015
|
| | | |
| | |
| | |
| | | |
Notes:
svn path=/head/; revision=248975
|
| | | |
| | |
| | |
| | | |
Notes:
svn path=/head/; revision=248648
|
| |\| |
| | |
| | |
| | |
| | |
| | |
| | | |
for a key revocation list and more fine-grained authentication control.
Notes:
svn path=/head/; revision=248619
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
has been deprecated for a while, some people still use it and were
unpleasantly surprised by this change.
I may revert this commit at a later date if I can come up with a way
to give users who still have authorized_keys2 files sufficient advance
warning.
MFC after: ASAP
Notes:
svn path=/head/; revision=248465
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
own umask setting (from ~/.login.conf) unless running with the user's UID.
Therefore, we need to call it again with LOGIN_SETUMASK after changing UID.
PR: bin/176740
Submitted by: John Marshall <john.marshall@riverwillow.com.au>
MFC after: 1 week
Notes:
svn path=/head/; revision=248231
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
behave the way OpenSSH expects.
Notes:
svn path=/head/; revision=247916
|
| | | |
| | |
| | |
| | | |
Notes:
svn path=/head/; revision=247904
|
| | | |
| | |
| | |
| | | |
Notes:
svn path=/head/; revision=247892
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
heimdal:
fix sizeof(uuid)
Found by: clang ToT
Reviewed by: stas
Notes:
svn path=/head/; revision=247002
|
| |\ \ \
| | |/
| |/|
| | |
| | |
| | |
| | | |
Approved by: secteam (simon), benl (silence)
Notes:
svn path=/head/; revision=246772
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Approved by: secteam (delphij, simon), benl (silence)
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=246769
svn path=/vendor-crypto/openssl/1.0.1e/; revision=246770; tag=vendor/openssl/1.0.1e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
r237658.
Approved by: benl (maintainer, implicit)
Notes:
svn path=/head/; revision=246771
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Submitted by: Christoph Mallon
MFC after: 3 days
Notes:
svn path=/head/; revision=245952
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
X-MFC after: with r244974
Notes:
svn path=/head/; revision=244975
|
| |\| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Integrate OpenSSL changeset 22950 (appro):
bn_word.c: fix overflow bug in BN_add_word.
MFC after: 2 weeks
Notes:
svn path=/head/; revision=244974
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
bn_word.c: fix overflow bug in BN_add_word.
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=244973
|
