openssl_3_5: 3.5.0 -> 3.5.1; openssl_3: 3.0.16 -> 3.0.17 (#421531)

authored by Martin Weinelt and committed by GitHub 36030ba7 5d646485

+4 -103
-61
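--- a/pkgs/development/libraries/openssl/3.5/CVE-2025-4575.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From e96d22446e633d117e6c9904cb15b4693e956eaa Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 20 May 2025 16:34:10 +0200
-Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
-of rejection
-
-Fixes CVE-2025-4575
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/27672)
-
-(cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac)
----
-apps/x509.c | 2 +-
-test/recipes/25-test_x509.t | 12 +++++++++++-
-2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/apps/x509.c b/apps/x509.c
-index fdae8f383a667..0c340c15b321a 100644
---- a/apps/x509.c
-+++ b/apps/x509.c
-@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
-prog, opt_arg());
-goto opthelp;
-}
-- if (!sk_ASN1_OBJECT_push(trust, objtmp))
-+ if (!sk_ASN1_OBJECT_push(reject, objtmp))
-goto end;
-trustout = 1;
-break;
-diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
-index 09b61708ff8a5..dfa0a428f5f0c 100644
---- a/test/recipes/25-test_x509.t
-+++ b/test/recipes/25-test_x509.t
-@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
-
-setup("test_x509");
-
--plan tests => 134;
-+plan tests => 138;
-
-# Prevent MSys2 filename munging for arguments that look like file paths but
-# aren't
-@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
-&& run(app(["openssl", "verify", "-no_check_time",
-"-trusted", $ca, "-partial_chain", $caout])));
-
-+# test trust decoration
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
-+ "-out", "ca-trusted.pem"])));
-+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
-+ 1, 'trusted use - E-mail Protection');
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
-+ "-out", "ca-rejected.pem"])));
-+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
-+ 1, 'rejected use - E-mail Protection');
-+
-subtest 'x509 -- x.509 v1 certificate' => sub {
-tconversion( -type => 'x509', -prefix => 'x509v1',
--in => srctop_file("test", "testx509.pem") );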
-32
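--- a/pkgs/development/libraries/openssl/3.5/quic_accept.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 38bf6f3036d1baddbe4618a219aaf17d460091d9 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Mon, 7 Apr 2025 09:58:30 +0100
-Subject: [PATCH] Fix SSL_accept()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If you have a QUIC server SSL connection object, you should be able to
-call SSL_accept() on it.
-
-Fixes #27282
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/27283)
----
-ssl/quic/quic_method.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/quic/quic_method.c b/ssl/quic/quic_method.c
-index 0de2bca47e6bb..8092855efc61a 100644
---- a/ssl/quic/quic_method.c
-+++ b/ssl/quic/quic_method.c
-@@ -23,5 +23,5 @@ IMPLEMENT_quic_meth_func(OSSL_QUIC_ANY_VERSION,
-
-IMPLEMENT_quic_meth_func(OSSL_QUIC_ANY_VERSION,
-OSSL_QUIC_server_method,
-- ssl_undefined_function,
-- ossl_quic_connect, ssl3_undef_enc_method)
-+ ossl_quic_accept,
-+ ssl_undefined_function, ssl3_undef_enc_method)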
+4 -10
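--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -365,8 +365,8 @@
 };
 
 openssl_3 = common {
-version = "3.0.16";
-hash = "sha256-V+A8UP6rXTGxUq8rdk8QN5rs2O6S8WyYWYPOSpn374Y=";
+version = "3.0.17";
+hash = "sha256-39135OobV/86bb3msL3D8x21rJnn/dTq+eH7tuwtuM4=";
 
 patches = [
 ./3.0/nix-ssl-cert-file.patch
@@ -388,8 +388,8 @@
 };
 
 openssl_3_5 = common {
-version = "3.5.0";
-hash = "sha256-NE0KefGpsIApsHROLMQBpD+ckKzRBE0JpTC0iFqOn8A=";
+version = "3.5.1";
+hash = "sha256-UpBDsVz/pfNgd6TQr4Pz3jmYBxgdYHRB1zQZbYibZB8=";
 
 patches = [
 ./3.0/nix-ssl-cert-file.patch
@@ -404,12 +404,6 @@
 else
 ./3.5/use-etc-ssl-certs.patch
 )
-
-# can be dropped again with 3.5.1, see: https://github.com/openssl/openssl/issues/27282
-./3.5/quic_accept.patch
-
-# can be dropped again with 3.5.1
-./3.5/CVE-2025-4575.patch
 ];
 
 withDocs = true;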