Mon Oct 21 21:23:46 UTC 2024

patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz: Upgraded. Apply patch to fix a security issue: Harden BN_GF2m_poly2arr against misuse. This CVE was fixed by the 1.1.1zb release that is only available to subscribers to OpenSSL's premium extended support. The patch was prepared by backporting from the OpenSSL-3.0 repo. The reported version number has been updated so that vulnerability scanners calm down. Thanks to Ken Zalewski for the patch! For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-9143 (* Security fix *) patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz: Upgraded.
2024-12-26 09:58:59 +01:00 · 2024-10-21 21:23:46 +00:00 · 2024-10-21 21:23:46 +00:00 · af81c69cb8
commit af81c69cb8
parent 72f412a04a
7 changed files with 414 additions and 31 deletions
--- a/ChangeLog.rss
+++ b/ChangeLog.rss
@ -11,9 +11,31 @@
      <description>Tracking Slackware development in git.</description>
      <language>en-us</language>
      <id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id>
-      <pubDate>Sun, 20 Oct 2024 23:42:23 GMT</pubDate>
-      <lastBuildDate>Mon, 21 Oct 2024 11:30:25 GMT</lastBuildDate>
+      <pubDate>Mon, 21 Oct 2024 21:23:46 GMT</pubDate>
+      <lastBuildDate>Tue, 22 Oct 2024 11:30:25 GMT</lastBuildDate>
      <generator>maintain_current_git.sh v 1.17</generator>
+      <item>
+         <title>Mon, 21 Oct 2024 21:23:46 GMT</title>
+         <pubDate>Mon, 21 Oct 2024 21:23:46 GMT</pubDate>
+         <link>https://git.slackware.nl/current/tag/?h=20241021212346</link>
+         <guid isPermaLink="false">20241021212346</guid>
+         <description>
+           <![CDATA[<pre>
+patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
+  Apply patch to fix a security issue:
+  Harden BN_GF2m_poly2arr against misuse.
+  This CVE was fixed by the 1.1.1zb release that is only available to
+  subscribers to OpenSSL's premium extended support. The patch was prepared
+  by backporting from the OpenSSL-3.0 repo. The reported version number has
+  been updated so that vulnerability scanners calm down.
+  Thanks to Ken Zalewski for the patch!
+  For more information, see:
+    https://www.cve.org/CVERecord?id=CVE-2024-9143
+  (* Security fix *)
+patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
+           </pre>]]>
+         </description>
+      </item>
      <item>
         <title>Sun, 20 Oct 2024 23:42:23 GMT</title>
         <pubDate>Sun, 20 Oct 2024 23:42:23 GMT</pubDate>
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -1,3 +1,17 @@
+Mon Oct 21 21:23:46 UTC 2024
+patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
+  Apply patch to fix a security issue:
+  Harden BN_GF2m_poly2arr against misuse.
+  This CVE was fixed by the 1.1.1zb release that is only available to
+  subscribers to OpenSSL's premium extended support. The patch was prepared
+  by backporting from the OpenSSL-3.0 repo. The reported version number has
+  been updated so that vulnerability scanners calm down.
+  Thanks to Ken Zalewski for the patch!
+  For more information, see:
+    https://www.cve.org/CVERecord?id=CVE-2024-9143
+  (* Security fix *)
+patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
+--------------------------+
 Sun Oct 20 23:42:23 UTC 2024
 testing/packages/rust-1.82.0-x86_64-1_slack15.0.txz:  Upgraded.
 +--------------------------+
--- a/FILELIST.TXT
+++ b/FILELIST.TXT
@ -1,20 +1,20 @@
-Sun Oct 20 23:44:19 UTC 2024
+Mon Oct 21 21:24:52 UTC 2024

 Here is the file list for this directory.  If you are using a 
 mirror site and find missing or extra files in the disk 
 subdirectories, please have the archive administrator refresh
 the mirror.

-drwxr-xr-x  12 root root      4096 2024-10-20 23:42 .
+drwxr-xr-x  12 root root      4096 2024-10-21 21:23 .
 -rw-r--r--   1 root root      5767 2022-02-02 22:44 ./ANNOUNCE.15.0
 -rw-r--r--   1 root root     16609 2022-03-30 19:03 ./CHANGES_AND_HINTS.TXT
-rw-r--r--   1 root root   1268302 2024-10-18 22:54 ./CHECKSUMS.md5
-rw-r--r--   1 root root       195 2024-10-18 22:54 ./CHECKSUMS.md5.asc
+-rw-r--r--   1 root root   1268302 2024-10-20 23:44 ./CHECKSUMS.md5
+-rw-r--r--   1 root root       195 2024-10-20 23:44 ./CHECKSUMS.md5.asc
 -rw-r--r--   1 root root     17976 1994-06-10 02:28 ./COPYING
 -rw-r--r--   1 root root     35147 2007-06-30 04:21 ./COPYING3
 -rw-r--r--   1 root root     19573 2016-06-23 20:08 ./COPYRIGHT.TXT
 -rw-r--r--   1 root root       616 2006-10-02 04:37 ./CRYPTO_NOTICE.TXT
-rw-r--r--   1 root root   2167435 2024-10-20 23:42 ./ChangeLog.txt
+-rw-r--r--   1 root root   2168137 2024-10-21 21:23 ./ChangeLog.txt
 drwxr-xr-x   3 root root      4096 2013-03-20 22:17 ./EFI
 drwxr-xr-x   2 root root      4096 2022-02-02 08:21 ./EFI/BOOT
 -rw-r--r--   1 root root   1187840 2021-06-15 19:16 ./EFI/BOOT/bootx64.efi
@ -25,7 +25,7 @@ drwxr-xr-x   2 root root      4096 2022-02-02 08:21 ./EFI/BOOT
 -rwxr-xr-x   1 root root      2504 2019-07-05 18:54 ./EFI/BOOT/make-grub.sh
 -rw-r--r--   1 root root     10722 2013-09-21 19:02 ./EFI/BOOT/osdetect.cfg
 -rw-r--r--   1 root root      1273 2013-08-12 21:08 ./EFI/BOOT/tools.cfg
-rw-r--r--   1 root root   1662688 2024-10-18 22:54 ./FILELIST.TXT
+-rw-r--r--   1 root root   1662688 2024-10-20 23:44 ./FILELIST.TXT
 -rw-r--r--   1 root root      1572 2012-08-29 18:27 ./GPG-KEY
 -rw-r--r--   1 root root    864745 2022-02-02 08:25 ./PACKAGES.TXT
 -rw-r--r--   1 root root      8034 2022-02-02 03:36 ./README.TXT
@ -832,13 +832,13 @@ drwxr-xr-x   2 root root      4096 2022-12-17 19:52 ./pasture/source/samba
 -rw-r--r--   1 root root      7921 2018-04-29 17:31 ./pasture/source/samba/smb.conf.default
 -rw-r--r--   1 root root      7933 2018-01-14 20:41 ./pasture/source/samba/smb.conf.default.orig
 -rw-r--r--   1 root root       536 2017-03-23 19:18 ./pasture/source/samba/smb.conf.diff.gz
-drwxr-xr-x   4 root root      4096 2024-10-16 19:15 ./patches
-rw-r--r--   1 root root    141120 2024-10-16 19:15 ./patches/CHECKSUMS.md5
-rw-r--r--   1 root root       195 2024-10-16 19:15 ./patches/CHECKSUMS.md5.asc
-rw-r--r--   1 root root    194584 2024-10-16 19:15 ./patches/FILE_LIST
-rw-r--r--   1 root root  18279603 2024-10-16 19:15 ./patches/MANIFEST.bz2
-rw-r--r--   1 root root     99128 2024-10-16 19:15 ./patches/PACKAGES.TXT
-drwxr-xr-x   7 root root     32768 2024-10-16 19:15 ./patches/packages
+drwxr-xr-x   4 root root      4096 2024-10-21 21:24 ./patches
+-rw-r--r--   1 root root    141212 2024-10-21 21:24 ./patches/CHECKSUMS.md5
+-rw-r--r--   1 root root       195 2024-10-21 21:24 ./patches/CHECKSUMS.md5.asc
+-rw-r--r--   1 root root    194694 2024-10-21 21:24 ./patches/FILE_LIST
+-rw-r--r--   1 root root  18272184 2024-10-21 21:24 ./patches/MANIFEST.bz2
+-rw-r--r--   1 root root     99128 2024-10-21 21:24 ./patches/PACKAGES.TXT
+drwxr-xr-x   7 root root     32768 2024-10-21 21:24 ./patches/packages
 -rw-r--r--   1 root root       360 2023-09-26 19:28 ./patches/packages/Cython-0.29.36-x86_64-1_slack15.0.txt
 -rw-r--r--   1 root root   2389564 2023-09-26 19:28 ./patches/packages/Cython-0.29.36-x86_64-1_slack15.0.txz
 -rw-r--r--   1 root root       163 2023-09-26 19:28 ./patches/packages/Cython-0.29.36-x86_64-1_slack15.0.txz.asc
@ -1174,12 +1174,12 @@ drwxr-xr-x   2 root root      4096 2024-06-08 19:45 ./patches/packages/old-linux
 -rw-r--r--   1 root root       672 2024-10-13 19:31 ./patches/packages/openssh-9.9p1-x86_64-1_slack15.0.txt
 -rw-r--r--   1 root root   1133060 2024-10-13 19:31 ./patches/packages/openssh-9.9p1-x86_64-1_slack15.0.txz
 -rw-r--r--   1 root root       195 2024-10-13 19:31 ./patches/packages/openssh-9.9p1-x86_64-1_slack15.0.txz.asc
-rw-r--r--   1 root root       559 2024-07-17 19:13 ./patches/packages/openssl-1.1.1za-x86_64-1_slack15.0.txt
-rw-r--r--   1 root root   3614628 2024-07-17 19:13 ./patches/packages/openssl-1.1.1za-x86_64-1_slack15.0.txz
-rw-r--r--   1 root root       195 2024-07-17 19:13 ./patches/packages/openssl-1.1.1za-x86_64-1_slack15.0.txz.asc
-rw-r--r--   1 root root       623 2024-07-17 19:13 ./patches/packages/openssl-solibs-1.1.1za-x86_64-1_slack15.0.txt
-rw-r--r--   1 root root   1370412 2024-07-17 19:13 ./patches/packages/openssl-solibs-1.1.1za-x86_64-1_slack15.0.txz
-rw-r--r--   1 root root       195 2024-07-17 19:13 ./patches/packages/openssl-solibs-1.1.1za-x86_64-1_slack15.0.txz.asc
+-rw-r--r--   1 root root       559 2024-10-21 21:10 ./patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txt
+-rw-r--r--   1 root root   3612768 2024-10-21 21:10 ./patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz
+-rw-r--r--   1 root root       195 2024-10-21 21:10 ./patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz.asc
+-rw-r--r--   1 root root       623 2024-10-21 21:10 ./patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txt
+-rw-r--r--   1 root root   1371192 2024-10-21 21:10 ./patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz
+-rw-r--r--   1 root root       195 2024-10-21 21:10 ./patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz.asc
 -rw-r--r--   1 root root       422 2024-01-26 20:40 ./patches/packages/pam-1.6.0-x86_64-1_slack15.0.txt
 -rw-r--r--   1 root root    448944 2024-01-26 20:40 ./patches/packages/pam-1.6.0-x86_64-1_slack15.0.txz
 -rw-r--r--   1 root root       163 2024-01-26 20:40 ./patches/packages/pam-1.6.0-x86_64-1_slack15.0.txz.asc
@ -1324,7 +1324,7 @@ drwxr-xr-x   2 root root      4096 2024-06-08 19:45 ./patches/packages/old-linux
 -rw-r--r--   1 root root       463 2023-04-05 18:16 ./patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txt
 -rw-r--r--   1 root root    459652 2023-04-05 18:16 ./patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txz
 -rw-r--r--   1 root root       163 2023-04-05 18:16 ./patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txz.asc
-drwxr-xr-x 134 root root      4096 2024-10-16 18:35 ./patches/source
+drwxr-xr-x 134 root root      4096 2024-10-21 21:18 ./patches/source
 drwxr-xr-x   2 root root      4096 2023-09-26 19:22 ./patches/source/Cython
 -rw-r--r--   1 root root   1623580 2023-07-04 19:24 ./patches/source/Cython/Cython-0.29.36.tar.lz
 -rwxr-xr-x   1 root root      3041 2023-09-26 19:23 ./patches/source/Cython/Cython.SlackBuild
@ -2234,17 +2234,18 @@ drwxr-xr-x   2 root root      4096 2024-10-13 19:28 ./patches/source/openssh
 -rw-r--r--   1 root root       482 2024-07-07 17:43 ./patches/source/openssh/sshd.default
 -rw-r--r--   1 root root      1228 2021-09-29 19:00 ./patches/source/openssh/sshd.pam
 -rw-r--r--   1 root root       271 2021-08-21 03:23 ./patches/source/openssh/sshd_config-pam.diff.gz
-drwxr-xr-x   2 root root      4096 2024-07-17 17:54 ./patches/source/openssl
+drwxr-xr-x   2 root root      4096 2024-10-21 21:02 ./patches/source/openssl
 -rw-rw-r--   1 root root     10175 2024-06-04 14:27 ./patches/source/openssl/0000-patch-license.txt
 -rw-r--r--   1 root root     11910 2024-07-16 21:01 ./patches/source/openssl/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch
 -rw-r--r--   1 root root      6816 2024-07-16 21:02 ./patches/source/openssl/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch
 -rw-r--r--   1 root root      4085 2024-07-16 21:03 ./patches/source/openssl/0003-openssl-1.1.1za_CVE-2024-5535.patch
+-rw-r--r--   1 root root     12842 2024-10-21 21:00 ./patches/source/openssl/0004-openssl-1.1.1zb_CVE_2024_9143.patch
 -rw-r--r--   1 root root      1791 2023-08-12 19:52 ./patches/source/openssl/certwatch.gz
 -rw-r--r--   1 root root       281 2007-06-13 17:20 ./patches/source/openssl/doinst.sh-openssl-solibs.gz
 -rw-r--r--   1 root root       501 2012-07-12 16:21 ./patches/source/openssl/doinst.sh-openssl.gz
 -rw-r--r--   1 root root   9893384 2023-09-11 14:46 ./patches/source/openssl/openssl-1.1.1w.tar.gz
 -rw-r--r--   1 root root       833 2023-09-11 14:46 ./patches/source/openssl/openssl-1.1.1w.tar.gz.asc
-rwxr-xr-x   1 root root     10277 2024-07-17 19:10 ./patches/source/openssl/openssl.SlackBuild
+-rwxr-xr-x   1 root root     10359 2024-10-21 21:02 ./patches/source/openssl/openssl.SlackBuild
 -rw-r--r--   1 root root      1014 2018-02-27 06:13 ./patches/source/openssl/slack-desc.openssl
 -rw-r--r--   1 root root      1085 2018-02-27 06:13 ./patches/source/openssl/slack-desc.openssl-solibs
 drwxr-xr-x   4 root root      4096 2024-01-26 20:39 ./patches/source/pam
@ -2597,7 +2598,7 @@ drwxr-xr-x   2 root root      4096 2023-03-22 07:06 ./patches/source/texlive/pre
 drwxr-xr-x   4 root root      4096 2024-03-28 19:00 ./patches/source/util-linux
 -rw-rw-r--   1 root root      2652 2024-03-22 12:24 ./patches/source/util-linux/CVE-2024-28085-pre1.patch.gz
 -rw-rw-r--   1 root root      1948 2024-03-22 12:24 ./patches/source/util-linux/CVE-2024-28085-pre2.patch.gz
-rw-rw-r--   1 root root      2908 2024-03-22 12:24 ./patches/source/util-linux/CVE-2024-28085-pre3.patch.gz
+-rw-rw-r--  1 root root      2908 2024-03-22 12:24 ./patches/source/util-linux/CVE-2024-28085-pre3.patch.gz
 -rw-rw-r--  1 root root       464 2024-03-22 12:24 ./patches/source/util-linux/CVE-2024-28085.patch.gz
 -rw-r--r--  1 root root     53236 2011-07-12 20:47 ./patches/source/util-linux/adjtimex_1.29-2.2.diff.gz
 -rw-r--r--  1 root root     85551 2010-04-17 03:32 ./patches/source/util-linux/adjtimex_1.29.orig.tar.gz
@ -5326,8 +5327,8 @@ drwxr-xr-x  2 root root     69632 2022-02-02 04:20 ./slackware64/l
 -rw-r--r--  1 root root     73516 2021-11-03 00:56 ./slackware64/l/libcap-ng-0.8.2-x86_64-5.txz
 -rw-r--r--  1 root root       163 2021-11-03 00:56 ./slackware64/l/libcap-ng-0.8.2-x86_64-5.txz.asc
 -rw-r--r--  1 root root       327 2021-02-13 06:58 ./slackware64/l/libcddb-1.3.2-x86_64-8.txt
-rw-r--r--  1 root root     70308 2021-02-13 06:58 ./slackware64/l/libcddb-1.3.2-x86_64-8.txz
-rw-r--r--  1 root root       163 2021-02-13 06:58 ./slackware64/l/libcddb-1.3.2-x86_64-8.txz.asc
+-rw-r--r--   1 root root    70308 2021-02-13 06:58 ./slackware64/l/libcddb-1.3.2-x86_64-8.txz
+-rw-r--r--   1 root root      163 2021-02-13 06:58 ./slackware64/l/libcddb-1.3.2-x86_64-8.txz.asc
 -rw-r--r--   1 root root      552 2021-02-13 06:58 ./slackware64/l/libcdio-2.1.0-x86_64-3.txt
 -rw-r--r--   1 root root   281960 2021-02-13 06:58 ./slackware64/l/libcdio-2.1.0-x86_64-3.txz
 -rw-r--r--   1 root root      163 2021-02-13 06:58 ./slackware64/l/libcdio-2.1.0-x86_64-3.txz.asc
@ -8178,7 +8179,7 @@ drwxr-xr-x   2 root root     4096 2019-03-01 19:26 ./source/a/infozip/unzip-patc
 -rw-r--r--   1 root root     1649 2019-02-03 10:53 ./source/a/infozip/unzip-patches/unzip-6.0-caseinsensitive.patch.gz
 -rw-r--r--   1 root root     1934 2019-02-03 10:53 ./source/a/infozip/unzip-patches/unzip-6.0-close.patch.gz
 -rw-r--r--   1 root root      245 2019-02-03 10:53 ./source/a/infozip/unzip-patches/unzip-6.0-configure.patch.gz
-rw-r--r--   1 root root     1339 2019-02-03 10:53 ./source/a/infozip/unzip-patches/unzip-6.0-cve-2014-8139.patch.gz
+-rw-r--r--  1 root root      1339 2019-02-03 10:53 ./source/a/infozip/unzip-patches/unzip-6.0-cve-2014-8139.patch.gz
 -rw-r--r--  1 root root       614 2019-02-03 10:53 ./source/a/infozip/unzip-patches/unzip-6.0-cve-2014-8140.patch.gz
 -rw-r--r--  1 root root      1737 2019-02-03 10:53 ./source/a/infozip/unzip-patches/unzip-6.0-cve-2014-8141.patch.gz
 -rw-r--r--  1 root root       694 2019-02-03 10:53 ./source/a/infozip/unzip-patches/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch.gz
@ -11408,7 +11409,7 @@ drwxr-xr-x  2 root root      4096 2022-01-31 20:02 ./source/kde/kde/src/applicat
 -rw-r--r--  1 root root       833 2022-01-04 09:53 ./source/kde/kde/src/applications/ksirk-21.12.1.tar.xz.sig
 -rw-r--r--  1 root root     47776 2022-01-04 09:53 ./source/kde/kde/src/applications/ksmtp-21.12.1.tar.xz
 -rw-r--r--  1 root root       833 2022-01-04 09:53 ./source/kde/kde/src/applications/ksmtp-21.12.1.tar.xz.sig
-rw-r--r--  1 root root    603564 2022-01-04 09:53 ./source/kde/kde/src/applications/ksnakeduel-21.12.1.tar.xz
+-rw-r--r--   1 root root    603564 2022-01-04 09:53 ./source/kde/kde/src/applications/ksnakeduel-21.12.1.tar.xz
 -rw-r--r--   1 root root       833 2022-01-04 09:53 ./source/kde/kde/src/applications/ksnakeduel-21.12.1.tar.xz.sig
 -rw-r--r--   1 root root    649048 2022-01-04 09:53 ./source/kde/kde/src/applications/kspaceduel-21.12.1.tar.xz
 -rw-r--r--   1 root root       833 2022-01-04 09:53 ./source/kde/kde/src/applications/kspaceduel-21.12.1.tar.xz.sig
@ -14627,8 +14628,8 @@ drwxr-xr-x   2 root root      4096 2021-02-13 05:32 ./source/n/newspost
 -rwxr-xr-x   1 root root      2834 2021-02-13 05:32 ./source/n/newspost/newspost.SlackBuild
 -rw-r--r--   1 root root       641 2018-02-02 22:17 ./source/n/newspost/newspost.getline.diff.gz
 -rw-r--r--   1 root root       964 2018-02-27 06:13 ./source/n/newspost/slack-desc
-drwxr-xr-x   2 root root      4096 2021-02-13 05:32 ./source/n/nfacct
-rw-r--r--   1 root root    217604 2016-08-22 11:40 ./source/n/nfacct/nfacct-1.0.2.tar.xz
+drwxr-xr-x  2 root root      4096 2021-02-13 05:32 ./source/n/nfacct
+-rw-r--r--  1 root root    217604 2016-08-22 11:40 ./source/n/nfacct/nfacct-1.0.2.tar.xz
 -rwxr-xr-x  1 root root      3405 2021-02-13 05:32 ./source/n/nfacct/nfacct.SlackBuild
 -rw-r--r--  1 root root       942 2018-02-27 06:13 ./source/n/nfacct/slack-desc
 drwxr-xr-x  2 root root      4096 2021-06-15 18:36 ./source/n/nfs-utils
--- a/patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txt
+++ b/patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txt
--- a/patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txt
+++ b/patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txt
--- a/patches/source/openssl/0004-openssl-1.1.1zb_CVE_2024_9143.patch
+++ b/patches/source/openssl/0004-openssl-1.1.1zb_CVE_2024_9143.patch
@ -0,0 +1,345 @@
+From 9ad69b994ae7c73ba06d9f75efd2625102de814c Mon Sep 17 00:00:00 2001
+From: Ken Zalewski <ken.zalewski@gmail.com>
+Date: Mon, 21 Oct 2024 16:24:47 -0400
+Subject: [PATCH] Patch to openssl-1.1.1zb.  This version addresses one
+ vulnerability:  CVE-2024-9143
+
+---
+ CHANGES                    | 134 +++++++++++++++++++++++++++++++++++++
+ NEWS                       |  18 +++++
+ README                     |   2 +-
+ crypto/bn/bn_gf2m.c        |  28 +++++---
+ include/openssl/opensslv.h |   4 +-
+ test/ec_internal_test.c    |  51 ++++++++++++++
+ 6 files changed, 226 insertions(+), 11 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index c440948..7d82f7a 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -7,6 +7,140 @@
+  https://github.com/openssl/openssl/commits/ and pick the appropriate
+  release branch.
+ 
+ Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]
+
+ *) Harden BN_GF2m_poly2arr against misuse
+
+    The BN_GF2m_poly2arr() function converts characteristic-2 field
+    (GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+    to a compact array with just the exponents of the non-zero terms.
+
+    These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+    reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+    polynomial must have a non-zero constant term (i.e. the array has `0` as
+    its final element).
+
+    Internally, callers of BN_GF2m_poly2arr() did not verify that
+    precondition, and binary EC curve parameters with an invalid polynomial
+    could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+    The precondition is always true for polynomials that arise from the
+    standard form of EC parameters for characteristic-two fields (X9.62).
+    See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+    The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+    basis X9.62 forms.
+
+    This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+    the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+    Additionally, the return value is made unambiguous when there is not
+    enough space to also pad the array with a final `-1` sentinel value.
+    The return value is now always the number of elements (including the
+    final `-1`) that would be filled when the output array is sufficiently
+    large.  Previously the same count was returned both when the array has
+    just enough room for the final `-1` and when it had only enough space
+    for non-sentinel values.
+
+    Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+    degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+    CPU exhausition attacks via excessively large inputs.
+
+    The above issues do not arise in processing X.509 certificates.  These
+    generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+    disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+    constraint only after the certificate is decoded, but, even if explicit
+    parameters are specified, they are in X9.62 form, which cannot represent
+    problem values as noted above.
+
+    (CVE-2024-9143)
+    [Viktor Dukhovni]
+
+
+ Changes between 1.1.1y and 1.1.1za [26 Jun 2024]
+
+ *) Fix SSL_select_next_proto
+
+    Ensure that the provided client list is non-NULL and starts with a valid
+    entry. When called from the ALPN callback the client list should already
+    have been validated by OpenSSL so this should not cause a problem. When
+    called from the NPN callback the client list is locally configured and
+    will not have already been validated. Therefore SSL_select_next_proto
+    should not assume that it is correctly formatted.
+
+    We implement stricter checking of the client protocol list. We also do the
+    same for the server list while we are about it.
+
+    (CVE-2024-5535)
+    [Matt Caswell]
+
+
+ Changes between 1.1.1x and 1.1.1y [27 May 2024]
+
+ *) Only free the read buffers if we're not using them
+
+    If we're part way through processing a record, or the application has
+    not released all the records then we should not free our buffer because
+    they are still needed.
+
+    (CVE-2024-4741)
+    [Matt Caswell]
+    [Watson Ladd]
+
+ *) Fix unconstrained session cache growth in TLSv1.3
+
+    In TLSv1.3 we create a new session object for each ticket that we send.
+    We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+    use then the new session will be added to the session cache. However, if
+    early data is not in use (and therefore anti-replay protection is being
+    used), then multiple threads could be resuming from the same session
+    simultaneously. If this happens and a problem occurs on one of the threads,
+    then the original session object could be marked as not_resumable. When we
+    duplicate the session object this not_resumable status gets copied into the
+    new session object. The new session object is then added to the session
+    cache even though it is not_resumable.
+
+    Subsequently, another bug means that the session_id_length is set to 0 for
+    sessions that are marked as not_resumable - even though that session is
+    still in the cache. Once this happens the session can never be removed from
+    the cache. When that object gets to be the session cache tail object the
+    cache never shrinks again and grows indefinitely.
+
+    (CVE-2024-2511)
+    [Matt Caswell]
+
+
+ Changes between 1.1.1w and 1.1.1x [25 Jan 2024]
+
+ *) Add NULL checks where ContentInfo data can be NULL
+
+    PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+    optional and can be NULL even if the "type" is a valid value. OpenSSL
+    was not properly accounting for this and a NULL dereference can occur
+    causing a crash.
+
+    (CVE-2024-0727)
+    [Matt Caswell]
+
+ *) Make DH_check_pub_key() and DH_generate_key() safer yet
+
+    We already check for an excessively large P in DH_generate_key(), but not in
+    DH_check_pub_key(), and none of them check for an excessively large Q.
+
+    This change adds all the missing excessive size checks of P and Q.
+
+    It's to be noted that behaviours surrounding excessively sized P and Q
+    differ.  DH_check() raises an error on the excessively sized P, but only
+    sets a flag for the excessively sized Q.  This behaviour is mimicked in
+    DH_check_pub_key().
+
+    (CVE-2024-5678)
+    [Richard Levitte]
+    [Hugo Landau]
+
+
+  Changes between 1.1.1v and 1.1.1w [11 Sep 2023]
+ 
+  *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
+diff --git a/NEWS b/NEWS
+index 1b849cd..7810ece 100644
+--- a/NEWS
+++ b/NEWS
+@@ -5,6 +5,24 @@
+   This file gives a brief overview of the major changes between each OpenSSL
+   release. For more details please read the CHANGES file.
+ 
+  Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024]
+
+      o Harden BN_GF2m_poly2arr against misuse
+
+  Major changes between OpenSSL 1.1.1y and OpenSSL 1.1.1za [26 Jun 2024]
+
+      o Fix SSL_select_next_proto
+
+  Major changes between OpenSSL 1.1.1x and OpenSSL 1.1.1y [27 May 2024]
+
+      o Only free the read buffers if we're not using them
+      o Fix unconstrained session cache growth in TLSv1.3
+
+  Major changes between OpenSSL 1.1.1w and OpenSSL 1.1.1x [25 Jan 2024]
+
+      o Add NULL checks where ContentInfo data can be NULL
+      o Make DH_check_pub_key() and DH_generate_key() safer yet
+
+   Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023]
+ 
+       o Fix POLY1305 MAC implementation corrupting XMM registers on Windows
+diff --git a/README b/README
+index e924e15..6612eb0 100644
+--- a/README
+++ b/README
+@@ -1,5 +1,5 @@
+ 
+- OpenSSL 1.1.1w 11 Sep 2023
+ OpenSSL 1.1.1zb 16 Oct 2024
+ 
+  Copyright (c) 1998-2023 The OpenSSL Project
+  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
+index a2ea867..6709471 100644
+--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
+#include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1109,16 +1110,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
+ * coefficient.  The array is intended to be suitable for use with
+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
+ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
+ *
+ * Given sufficient room, the array is terminated with -1.  Up to max elements
+ * of the array will be filled.
+ *
+ * The return value is total number of array elements that would be filled if
+ * array was large enough, including the terminating `-1`.  It is `0` when `a`
+ * is not odd or the constant term is zero contrary to requirement.
+ *
+ * The return value is also `0` when the leading exponent exceeds
+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
+    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1136,12 +1147,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
+    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
+        return 0;
+
+    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
+    return k + 1;
+ }
+ 
+ /*
+diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
+index a1a5d07..ddf42b6 100644
+--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
+@@ -39,8 +39,8 @@ extern "C" {
+  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+  *  major minor fix final patch/beta)
+  */
+-# define OPENSSL_VERSION_NUMBER  0x101011afL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1za  26 Jun 2024"
+# define OPENSSL_VERSION_NUMBER  0x101011bfL
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1zb  16 Oct 2024"
+ 
+ /*-
+  * The macros below are to be used for shared library (.so, .dll, ...)
+diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
+index 390f41f..1590a18 100644
+--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
+@@ -150,6 +150,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
+/* Test that decoding of invalid GF2m field parameters fails. */
+static int ec2m_field_sanity(void)
+{
+    int ret = 0;
+    BN_CTX *ctx = BN_CTX_new();
+    BIGNUM *p, *a, *b;
+    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
+
+    TEST_info("Testing GF2m hardening\n");
+
+    BN_CTX_start(ctx);
+    p = BN_CTX_get(ctx);
+    a = BN_CTX_get(ctx);
+    if (!TEST_ptr(b = BN_CTX_get(ctx))
+        || !TEST_true(BN_one(a))
+        || !TEST_true(BN_one(b)))
+        goto out;
+
+    /* Even pentanomial value should be rejected */
+    if (!TEST_true(BN_set_word(p, 0xf2)))
+        goto out;
+    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("Zero constant term accepted in GF2m polynomial");
+
+    /* Odd hexanomial should also be rejected */
+    if (!TEST_true(BN_set_word(p, 0xf3)))
+        goto out;
+    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("Hexanomial accepted as GF2m polynomial");
+
+    /* Excessive polynomial degree should also be rejected */
+    if (!TEST_true(BN_set_word(p, 0x71))
+        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
+        goto out;
+    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("GF2m polynomial degree > %d accepted",
+                   OPENSSL_ECC_MAX_FIELD_BITS);
+
+    ret = group1 == NULL && group2 == NULL && group3 == NULL;
+
+ out:
+    EC_GROUP_free(group1);
+    EC_GROUP_free(group2);
+    EC_GROUP_free(group3);
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+
+    return ret;
+}
+
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -367,6 +417,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
+    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
--- a/patches/source/openssl/openssl.SlackBuild
+++ b/patches/source/openssl/openssl.SlackBuild
@ -78,6 +78,7 @@ find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g"
 cat $CWD/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch | patch -p1 --verbose || exit 1
 cat $CWD/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch | patch -p1 --verbose || exit 1
 cat $CWD/0003-openssl-1.1.1za_CVE-2024-5535.patch | patch -p1 --verbose || exit 1
+cat $CWD/0004-openssl-1.1.1zb_CVE_2024_9143.patch | patch -p1 --verbose || exit 1

 ## For openssl-1.1.x, don't try to change the soname.
 ## Use .so.1, not .so.1.0.0: