package/openssl: security bump to version 1.0.2m

Fixes the following CVEs:
bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

Release notes: https://www.openssl.org/news/secadv/20171102.txt

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 63023c407fe601d7c349fbff1ef1fbb246b1e288)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/package/openssl/openssl.hash b/package/openssl/openssl.hash
index da911c5ce95c54872a998408b13c6c4479a5e8b1..c6226c302fb1872c66196e87a79a311c3fa4b840 100644 (file)
--- a/package/openssl/openssl.hash
+++ b/package/openssl/openssl.hash
@@ -1,5 +1,5 @@
-# From https://www.openssl.org/source/openssl-1.0.2l.tar.gz.sha256
-sha256 ce07195b659e75f4e1db43552860070061f156a98bb37b672b101ba6e3ddf30c        openssl-1.0.2l.tar.gz
+# From https://www.openssl.org/source/openssl-1.0.2m.tar.gz.sha256
+sha256 8c6ff15ec6b319b50788f42c7abc2890c08ba5a1cdcd3810eb9092deada37b0f        openssl-1.0.2m.tar.gz
 # Locally computed
 sha256 eddd8a5123748052c598214487ac178e4bfa4e31ba2ec520c70d59c8c5bfa2e9        openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
 sha256 147c3eeaad614c044749ea527cb433eae5e2d5cad34a78c6ba61cd967bfbe01f        openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d

diff --git a/package/openssl/openssl.mk b/package/openssl/openssl.mk
index 5f56b445abaef03dccf11c1e8559de35ab9183e4..c7ff59f061dbf77390cc6c85c9d8d028aef2b05e 100644 (file)
--- a/package/openssl/openssl.mk
+++ b/package/openssl/openssl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-OPENSSL_VERSION = 1.0.2l
+OPENSSL_VERSION = 1.0.2m
 OPENSSL_SITE = http://www.openssl.org/source
 OPENSSL_LICENSE = OpenSSL or SSLeay
 OPENSSL_LICENSE_FILES = LICENSE