Commit 94d062b

committed Aug 14, 2024
deps: upgrade openssl sources to quictls/openssl-3.0.14+quic1
PR-URL: #54336
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
1 parent 53c5322 commit 94d062b

158 files changed

+2303
-800
lines changed


deps/openssl/openssl/CHANGES.md

+70 -1
@@ -28,12 +28,78 @@ breaking changes, and mappings for the large list of deprecated functions.
2828

2929
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
3030

31-
### Changes between 3.0.13 and 3.0.13+quic [30 Jan 2024]
31+
### Changes between 3.0.14 and 3.0.14+quic [7 Jun 2024]
3232

3333
* Add QUIC API support from BoringSSL
3434

3535
*Todd Short*
3636

37+
### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
38+
39+
* Fixed potential use after free after SSL_free_buffers() is called.
40+
41+
The SSL_free_buffers function is used to free the internal OpenSSL
42+
buffer used when processing an incoming record from the network.
43+
The call is only expected to succeed if the buffer is not currently
44+
in use. However, two scenarios have been identified where the buffer
45+
is freed even when still in use.
46+
47+
The first scenario occurs where a record header has been received
48+
from the network and processed by OpenSSL, but the full record body
49+
has not yet arrived. In this case calling SSL_free_buffers will succeed
50+
even though a record has only been partially processed and the buffer
51+
is still in use.
52+
53+
The second scenario occurs where a full record containing application
54+
data has been received and processed by OpenSSL but the application has
55+
only read part of this data. Again a call to SSL_free_buffers will
56+
succeed even though the buffer is still in use.
57+
58+
([CVE-2024-4741])
59+
60+
*Matt Caswell*
61+
62+
* Fixed an issue where checking excessively long DSA keys or parameters may
63+
be very slow.
64+
65+
Applications that use the functions EVP_PKEY_param_check() or
66+
EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
67+
experience long delays. Where the key or parameters that are being checked
68+
have been obtained from an untrusted source this may lead to a Denial of
69+
Service.
70+
71+
To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
72+
will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
73+
reason.
74+
75+
([CVE-2024-4603])
76+
77+
*Tomáš Mráz*
78+
79+
* Fixed an issue where some non-default TLS server configurations can cause
80+
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
81+
exploit certain server configurations to trigger unbounded memory growth that
82+
would lead to a Denial of Service
83+
84+
This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
85+
is being used (but not if early_data is also configured and the default
86+
anti-replay protection is in use). In this case, under certain conditions,
87+
the session cache can get into an incorrect state and it will fail to flush
88+
properly as it fills. The session cache will continue to grow in an unbounded
89+
manner. A malicious client could deliberately create the scenario for this
90+
failure to force a Denial of Service. It may also happen by accident in
91+
normal operation.
92+
93+
([CVE-2024-2511])
94+
95+
*Matt Caswell*
96+
97+
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
98+
is registered when libcrypto is unloaded. This can be used on platforms
99+
where using atexit() from shared libraries causes crashes on exit.
100+
101+
*Randall S. Becker*
102+
37103
### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]
38104

39105
* A file in PKCS12 format can contain certificates and keys and may come from
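Review bot: the commit message for this dependency bump only says "upgrade openssl sources", yet the 3.0.14 entries added here record fixes for CVE-2024-4741 (use after free after SSL_free_buffers()), CVE-2024-4603 (very slow checks of excessively long DSA keys or parameters) and CVE-2024-2511 (unbounded session cache growth with SSL_OP_NO_TICKET in TLSv1.3); list those CVE ids in the commit message or PR description so downstream consumers of the bump can tell it is security relevant without reading the vendored changelog. Two smaller points in the same hunk: the first paragraph of the CVE-2024-2511 entry ends "would lead to a Denial of Service" without a terminating period, unlike the other entries, and the "New atexit configuration switch" entry never says how the switch is set or where it is documented, so a reader cannot act on it from the changelog alone.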
@@ -19830,6 +19896,9 @@ ndif
1983019896

1983119897
<!-- Links -->
1983219898

19899+
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
19900+
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
19901+
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
1983319902
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
1983419903
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
1983519904
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129

deps/openssl/openssl/CONTRIBUTING.md

+4 -2
@@ -9,7 +9,7 @@ Development is done on GitHub in the [openssl/openssl] repository.
99

1010
[openssl/openssl]: <https://github.com/openssl/openssl>
1111

12-
To request new a feature, ask a question, or report a bug,
12+
To request a new feature, ask a question, or report a bug,
1313
please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
1414

1515
To submit a patch or implement a new feature, please open a
@@ -67,7 +67,8 @@ guidelines:
6767
often. We do not accept merge commits, you will have to remove them
6868
(usually by rebasing) before it will be acceptable.
6969
70-
4. Code provided should follow our [coding style] and compile without warnings.
70+
4. Code provided should follow our [coding style] and [documentation policy]
71+
and compile without warnings.
7172
There is a [Perl tool](util/check-format.pl) that helps
7273
finding code formatting mistakes and other coding style nits.
7374
Where `gcc` or `clang` is available, you should use the
@@ -77,6 +78,7 @@ guidelines:
7778
whenever a PR is created or updated by committers.
7879
7980
[coding style]: https://www.openssl.org/policies/technical/coding-style.html
81+
[documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
8082
8183
5. When at all possible, code contributions should include tests. These can
8284
either be added to an existing test, or completely new. Please see
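Review bot: the new `[documentation policy]` link definition uses the bare host `https://openssl.org/policies/technical/documentation-policy.html`, while the `[coding style]` definition on the line directly above it uses `https://www.openssl.org/policies/technical/coding-style.html`; use the same host form for both policy links so they stay consistent (and so a later host-normalisation pass does not touch only one of them).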
