- Fixed NULL pointer deref in the GENERAL_NAME_cmp function, CVE-2020-1971
- In 1.1.1h, an expired trusted (root) certificate was no longer rejected
when validating a certificate path.
On OpenBSD, setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, ...) only allows
setting to 1 (which is the default anyway). Setting to 0 results in EINVAL.
This doesn't fix everything, there are still some other problems with binds
to v6 addresses with OpenSSL 1.1 on OpenBSD.
Detection succeeds on sparc64 where clang uses gas, but then build fails
because of a mix of -Wa,foobar unused argument warning and -Werror.
Just drop the use of --noexecstack, the stack is always marked
non-executable on OpenBSD.
ok sthen@ (maintainer)
build system to assume gcc/binutils compatible linker. There is autodetection
in detect_gnu_ld() for partially unknown build targets but it's broken
(it tries to run $config{CC} -Wl,-V before it sets up $config{CC}, and even
if that did work, the regex matching output doesn't match LLD's string).
Initial research by naddy@. Much further headscratching and deciding on a
not-too-horrible way to work around the problem by me.
Unbreaks i386.
was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a
result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null
pointer exception."
(not moved to 1.1.0 yet, so today's critical fix for CVE-2016-6309
doesn't apply).
*) Prevent padding oracle in AES-NI CBC MAC check
*) Fix EVP_EncodeUpdate overflow
*) Fix EVP_EncryptUpdate overflow
*) Prevent ASN.1 BIO excessive memory allocation
*) EBCDIC overread
*) Modify behavior of ALPN to invoke callback after SNI/servername
callback, such that updates to the SSL_CTX affect ALPN.
*) Remove LOW from the DEFAULT cipher list, removing single DES
from the default.
*) Only remove the SSLv2 methods with the no-ssl2-method option.
When the methods are enabled and ssl2 is disabled the methods return
NULL. (i.e. restore ABI compat with pre-1.0.2g cf. SSLv2_*_method)