From 1df4f5c919937b60bfb21ac2a60d8f0a6737c421 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Thu, 2 Nov 2017 22:11:25 +0100
Subject: gnu: openssl@1.0: Replace with 1.0.2m [fixes CVE-2017-3735,
 CVE-2017-2736].

* gnu/packages/tls.scm (openssl)[replacement]: New field.
(openssl-1.0.2m): New public variable.
---
 gnu/packages/tls.scm | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'gnu/packages/tls.scm')

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 075ea7a1c2..7611d4ec35 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -245,6 +245,7 @@ required structures.")
   (package
    (name "openssl")
    (version "1.0.2l")
+   (replacement openssl-1.0.2m)
    (source (origin
              (method url-fetch)
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
@@ -387,6 +388,25 @@ required structures.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
 
+;; Fixes CVE-2017-3735 and CVE-2017-3736.
+;; See <https://www.openssl.org/news/cl102.txt>.
+(define-public openssl-1.0.2m
+  (package
+    (inherit openssl)
+    (version "1.0.2m")
+    (source (origin
+              (inherit (package-source openssl))
+              (uri (list (string-append "https://www.openssl.org/source/openssl-"
+                                        version ".tar.gz")
+                         (string-append "ftp://ftp.openssl.org/source/openssl-"
+                                        version ".tar.gz")
+                         (string-append "ftp://ftp.openssl.org/source/old/"
+                                        (string-trim-right version char-set:letter)
+                                        "/openssl-" version ".tar.gz")))
+              (sha256
+               (base32
+                "03vvlfnxx4lhxc83ikfdl6jqph4h52y7lb7li03va6dkqrgg2vwc"))))))
+
 (define-public openssl-next
   (package
     (inherit openssl)
-- 
cgit v1.2.3


From 77576be41f3b94c0f47457d338ddbbc8bf870ba9 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Thu, 2 Nov 2017 22:14:06 +0100
Subject: gnu: openssl@1.1: Update to 1.1.0g [fixes CVE-2017-3735,
 CVE-2017-2736].

* gnu/packages/tls.scm (openssl-next): Update to 1.1.0g.
[source]: Add HTTPS mirror.
---
 gnu/packages/tls.scm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'gnu/packages/tls.scm')

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 7611d4ec35..840b0a7733 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -411,10 +411,12 @@ required structures.")
   (package
     (inherit openssl)
     (name "openssl")
-    (version "1.1.0f")
+    (version "1.1.0g")
     (source (origin
              (method url-fetch)
-             (uri (list (string-append "ftp://ftp.openssl.org/source/"
+             (uri (list (string-append "https://www.openssl.org/source/openssl-"
+                                       version ".tar.gz")
+                        (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
@@ -422,7 +424,7 @@ required structures.")
               (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
               (sha256
                (base32
-                "0r97n4n552ns571diz54qsgarihrxvbn7kvyv8wjyfs9ybrldxqj"))))
+                "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy"))))
     (outputs '("out"
                "doc"        ;1.3MiB of man3 pages
                "static"))   ; 5.5MiB of .a files
-- 
cgit v1.2.3