From d012516c44dc6937e0b3eab5c3b6c5af6222da86 Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Tue, 20 Nov 2018 15:56:49 +0000 Subject: openssl_1_1: 1.1.1 -> 1.1.1a CVE-2018-0734: https://www.openssl.org/news/vulnerabilities.html#2018-0734 CVE-2018-0735: https://www.openssl.org/news/vulnerabilities.html#2018-0735 --- .../libraries/openssl/1.1/nix-ssl-cert-file.patch | 15 +++++++++++++++ pkgs/development/libraries/openssl/default.nix | 6 +++--- .../development/libraries/openssl/nix-ssl-cert-file.patch | 14 -------------- 3 files changed, 18 insertions(+), 17 deletions(-) create mode 100644 pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch delete mode 100644 pkgs/development/libraries/openssl/nix-ssl-cert-file.patch (limited to 'pkgs/development/libraries/openssl') diff --git a/pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch new file mode 100644 index 00000000000..9e871cfb1d3 --- /dev/null +++ b/pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch @@ -0,0 +1,15 @@ +diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c +index 244512c935..f0b70d7ea1 100644 +--- a/crypto/x509/by_file.c ++++ b/crypto/x509/by_file.c +@@ -46,7 +46,9 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, + switch (cmd) { + case X509_L_FILE_LOAD: + if (argl == X509_FILETYPE_DEFAULT) { +- file = ossl_safe_getenv(X509_get_default_cert_file_env()); ++ file = ossl_safe_getenv("NIX_SSL_CERT_FILE"); ++ if (!file) ++ file = ossl_safe_getenv(X509_get_default_cert_file_env()); + if (file) + ok = (X509_load_cert_crl_file(ctx, file, + X509_FILETYPE_PEM) != 0); diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 3e643807f1c..8efcbd58dd1 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -131,9 +131,9 @@ in { }; openssl_1_1 = common { - version = "1.1.1"; - sha256 = "0gbab2fjgms1kx5xjvqx8bxhr98k4r8l2fa8vw7kvh491xd8fdi8"; - patches = [ ./nix-ssl-cert-file.patch ]; + version = "1.1.1a"; + sha256 = "0hcz7znzznbibpy3iyyhvlqrq44y88plxwdj32wjzgbwic7i687w"; + patches = [ ./1.1/nix-ssl-cert-file.patch ]; }; } diff --git a/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch deleted file mode 100644 index 893fb3eb664..00000000000 --- a/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -ru -x '*~' openssl-1.0.2j-orig/crypto/x509/by_file.c openssl-1.0.2j/crypto/x509/by_file.c ---- openssl-1.0.2j-orig/crypto/x509/by_file.c 2016-09-26 11:49:07.000000000 +0200 -+++ openssl-1.0.2j/crypto/x509/by_file.c 2016-10-13 16:54:31.400288302 +0200 -@@ -97,7 +97,9 @@ - switch (cmd) { - case X509_L_FILE_LOAD: - if (argl == X509_FILETYPE_DEFAULT) { -- file = getenv(X509_get_default_cert_file_env()); -+ file = getenv("NIX_SSL_CERT_FILE"); -+ if (!file) -+ file = getenv(X509_get_default_cert_file_env()); - if (file) - ok = (X509_load_cert_crl_file(ctx, file, - X509_FILETYPE_PEM) != 0); -- cgit 1.4.1