mirror of
git://slackware.nl/current.git
synced 2024-12-27 09:59:16 +01:00
4967f0e2be
a/elilo-3.16-x86_64-18.txz: Rebuilt.
eliloconfig: if we don't find initrd-generic.img, try to fall back on
/boot/initrd.gz. Thanks to rworkman.
a/kernel-firmware-20241022_e1d9577-noarch-1.txz: Upgraded.
a/kernel-generic-6.11.5-x86_64-1.txz: Upgraded.
a/less-668-x86_64-1.txz: Upgraded.
a/openssl11-solibs-1.1.1zb-x86_64-1.txz: Upgraded.
a/sysvinit-3.11-x86_64-1.txz: Upgraded.
a/usbutils-018-x86_64-1.txz: Upgraded.
d/kernel-headers-6.11.5-x86-1.txz: Upgraded.
d/parallel-20241022-noarch-1.txz: Upgraded.
d/swig-4.3.0-x86_64-1.txz: Upgraded.
k/kernel-source-6.11.5-noarch-1.txz: Upgraded.
l/libvisio-0.1.8-x86_64-1.txz: Upgraded.
l/python-trove-classifiers-2024.10.21.16-x86_64-1.txz: Upgraded.
n/openssl11-1.1.1zb-x86_64-1.txz: Upgraded.
Apply patch to fix a security issue:
Harden BN_GF2m_poly2arr against misuse.
This CVE was fixed by the 1.1.1zb release that is only available to
subscribers to OpenSSL's premium extended support. The patch was prepared
by backporting from the OpenSSL-3.0 repo. The reported version number has
been updated so that vulnerability scanners calm down.
Thanks to Ken Zalewski for the patch!
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-9143
(* Security fix *)
xap/gucharmap-16.0.2-x86_64-1.txz: Upgraded.
xap/mozilla-thunderbird-128.3.3esr-x86_64-1.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/128.3.3esr/releasenotes/
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
249 lines
9.2 KiB
Bash
Executable file
249 lines
9.2 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Copyright 2000 BSDi, Inc. Concord, CA, USA
|
|
# Copyright 2001, 2002 Slackware Linux, Inc. Concord, CA, USA
|
|
# Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2018, 2023, 2024 Patrick J. Volkerding, Sebeka, MN, USA
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use of this script, with or without modification, is
|
|
# permitted provided that the following conditions are met:
|
|
#
|
|
# 1. Redistributions of this script must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
|
|
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
# Set initial variables:
|
|
cd $(dirname $0) ; CWD=$(pwd)
|
|
TMP=${TMP:-/tmp}
|
|
|
|
PKGNAM=openssl11
|
|
VERSION=${VERSION:-$(echo openssl-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
|
|
# Get the new version number from the latest patch:
|
|
PKGVER=$(grep "^+" $(/bin/ls -t 00*patch | head -n 1) | grep OPENSSL_VERSION_TEXT | cut -f 2 -d \" | cut -f 2 -d ' ')
|
|
BUILD=${BUILD:-1}
|
|
|
|
# Automatically determine the architecture we're building on:
|
|
if [ -z "$ARCH" ]; then
|
|
case "$( uname -m )" in
|
|
i?86) export ARCH=i686 ;;
|
|
arm*) export ARCH=arm ;;
|
|
# Unless $ARCH is already set, use uname -m for all other archs:
|
|
*) export ARCH=$( uname -m ) ;;
|
|
esac
|
|
fi
|
|
|
|
PKG1=$TMP/package-openssl11
|
|
PKG2=$TMP/package-ossllibs11
|
|
NAME1=openssl11-$PKGVER-$ARCH-$BUILD
|
|
NAME2=openssl11-solibs-$PKGVER-$ARCH-$BUILD
|
|
|
|
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
|
|
# the name of the created package would be, and then exit. This information
|
|
# could be useful to other scripts.
|
|
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
|
|
echo "${NAME1}.txz"
|
|
echo "${NAME2}.txz"
|
|
exit 0
|
|
fi
|
|
|
|
# Parallel build doesn't link properly.
|
|
#NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
|
|
|
|
# So that ls has the right field counts for parsing...
|
|
export LC_ALL=C
|
|
|
|
cd $TMP
|
|
rm -rf $PKG1 $PKG2 openssl-$VERSION
|
|
|
|
tar xvf $CWD/openssl-$VERSION.tar.gz || exit 1
|
|
cd openssl-$VERSION
|
|
|
|
# Fix pod syntax errors which are fatal wih a newer perl:
|
|
find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g" {} \;
|
|
|
|
# Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that
|
|
# were only available to subscribers to OpenSSL's premium extended support.
|
|
# These patches were prepared by backporting commits from the OpenSSL-3.0 repo.
|
|
# Thanks to Ken Zalewski!
|
|
cat $CWD/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch | patch -p1 --verbose || exit 1
|
|
cat $CWD/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch | patch -p1 --verbose || exit 1
|
|
cat $CWD/0003-openssl-1.1.1za_CVE-2024-5535.patch | patch -p1 --verbose || exit 1
|
|
cat $CWD/0004-openssl-1.1.1zb_CVE_2024_9143.patch | patch -p1 --verbose || exit 1
|
|
|
|
## For openssl-1.1.x, don't try to change the soname.
|
|
## Use .so.1, not .so.1.0.0:
|
|
#sed -i "s/soname=\$\$SHLIB\$\$SHLIB_SOVER\$\$SHLIB_SUFFIX/soname=\$\$SHLIB.1/g" Makefile.shared
|
|
|
|
if [ "$ARCH" = "i586" ]; then
|
|
# Build with -march=i586 -mtune=i686:
|
|
sed -i "/linux-elf/s/fomit-frame-pointer/fomit-frame-pointer -march=i586 -mtune=i686/g" Configure
|
|
LIBDIRSUFFIX=""
|
|
elif [ "$ARCH" = "i686" ]; then
|
|
# Build with -march=pentium4 -mtune=generic:
|
|
sed -i "/linux-elf/s/fomit-frame-pointer/fomit-frame-pointer -march=pentium4 -mtune=generic/g" Configure
|
|
LIBDIRSUFFIX=""
|
|
elif [ "$ARCH" = "x86_64" ]; then
|
|
LIBDIRSUFFIX="64"
|
|
fi
|
|
|
|
# OpenSSL has a (nasty?) habit of bumping the internal version number with
|
|
# every release. This wouldn't be so bad, but some applications are so
|
|
# paranoid that they won't run against a different OpenSSL version than
|
|
# what they were compiled against, whether or not the ABI has changed.
|
|
#
|
|
# So, we will use the OPENSSL_VERSION_NUMBER from openssl-1.1.1 unless ABI
|
|
# breakage forces it to change. Yes, we're finally using this old trick. :)
|
|
sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x1010100fL (1.1.1) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x1010100fL/g" include/openssl/opensslv.h || exit 1
|
|
|
|
chown -R root:root .
|
|
mkdir -p $PKG1/usr/doc/openssl-$PKGVER
|
|
cp -a ACKNOWLEDGEMENTS AUTHORS CHANGES* CONTRIBUTING FAQ INSTALL* \
|
|
LICENSE* NEWS NOTES* README* doc \
|
|
$PKG1/usr/doc/openssl-$PKGVER
|
|
# For this backported package, let's put the patches in the documentation since
|
|
# the CHANGES and other files are not up-to-date with the reported version.
|
|
# This'll make it more clear exactly what this package is.
|
|
cp -a $CWD/00* $PKG1/usr/doc/openssl-$PKGVER
|
|
chown root:root $PKG1/usr/doc/openssl-$PKGVER/00*
|
|
find $PKG1/usr/doc/openssl-$PKGVER -type d -exec chmod 755 {} \+
|
|
find $PKG1/usr/doc/openssl-$PKGVER -type f -exec chmod 644 {} \+
|
|
|
|
# If there's a CHANGES file, installing at least part of the recent history
|
|
# is useful, but don't let it get totally out of control:
|
|
if [ -r CHANGES ]; then
|
|
DOCSDIR=$(echo $PKG1/usr/doc/*-$PKGVER)
|
|
cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES
|
|
touch -r CHANGES $DOCSDIR/CHANGES
|
|
fi
|
|
|
|
# These are the known patent issues with OpenSSL:
|
|
# name # expires
|
|
# MDC-2: 4,908,861 2007-03-13, not included.
|
|
# IDEA: 5,214,703 2010-05-25, not included.
|
|
#
|
|
# Although all of the above are expired, it's still probably
|
|
# not a good idea to include them as there are better
|
|
# algorithms to use.
|
|
|
|
./config \
|
|
--prefix=/usr \
|
|
--openssldir=/etc/ssl \
|
|
--libdir=lib${LIBDIRSUFFIX}/openssl-1.1 \
|
|
zlib \
|
|
enable-camellia \
|
|
enable-seed \
|
|
enable-rfc3779 \
|
|
enable-cms \
|
|
enable-md2 \
|
|
enable-rc5 \
|
|
enable-ssl3 \
|
|
enable-ssl3-method \
|
|
no-weak-ssl-ciphers \
|
|
no-mdc2 \
|
|
no-ec2m \
|
|
no-idea \
|
|
no-sse2 \
|
|
shared
|
|
|
|
make $NUMJOBS depend || make depend || exit 1
|
|
|
|
make $NUMJOBS || make || exit 1
|
|
|
|
make install DESTDIR=$PKG1 || exit 1
|
|
|
|
# No thanks on static libraries:
|
|
rm -f $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1/*.a
|
|
|
|
# Also no thanks on .pod versions of the already shipped manpages:
|
|
rm -rf $PKG1/usr/doc/openssl-*/doc/man*
|
|
|
|
# Move libraries, as they might be needed by programs that bring a network
|
|
# mounted /usr online:
|
|
|
|
mkdir $PKG1/lib${LIBDIRSUFFIX}
|
|
( cd $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1
|
|
for file in lib*.so.?.* ; do
|
|
mv $file ../../../lib${LIBDIRSUFFIX}
|
|
ln -sf ../../../lib${LIBDIRSUFFIX}/$file .
|
|
done
|
|
)
|
|
|
|
# Move include files:
|
|
mkdir -p $PKG1/usr/include/openssl-1.1
|
|
mv $PKG1/usr/include/openssl $PKG1/usr/include/openssl-1.1/openssl
|
|
|
|
# Edit .pc files to correct the includedir:
|
|
sed -e "s|/include$|/include/openssl-1.1|" -i $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1/pkgconfig/*.pc
|
|
|
|
# Rename openssl binary:
|
|
mv $PKG1/usr/bin/openssl $PKG1/usr/bin/openssl-1.1
|
|
|
|
# Don't package these things:
|
|
rm -rf $PKG1/etc $PKG1/usr/bin/c_rehash
|
|
|
|
# Not needed in openssl11 compat package.
|
|
#
|
|
## Add a cron script to warn root if a certificate is going to expire soon:
|
|
#mkdir -p $PKG1/etc/cron.daily
|
|
#zcat $CWD/certwatch.gz > $PKG1/etc/cron.daily/certwatch.new
|
|
#chmod 755 $PKG1/etc/cron.daily/certwatch.new
|
|
|
|
#mv $PKG1/etc/ssl/openssl.cnf $PKG1/etc/ssl/openssl.cnf.new
|
|
|
|
( cd $PKG1
|
|
find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
|
|
find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
|
|
)
|
|
|
|
# Remove the man pages and installed docs:
|
|
rm -r $PKG1/usr/share/{doc,man}
|
|
rmdir $PKG1/usr/share
|
|
|
|
cd $PKG1
|
|
#chmod 755 usr/lib${LIBDIRSUFFIX}/pkgconfig
|
|
#sed -i -e "s#lib\$#lib${LIBDIRSUFFIX}#" usr/lib${LIBDIRSUFFIX}/pkgconfig/*.pc
|
|
mkdir -p install
|
|
cat $CWD/slack-desc.openssl11 > install/slack-desc
|
|
/sbin/makepkg -l y -c n $TMP/${NAME1}.txz
|
|
|
|
# Make runtime package:
|
|
mkdir -p $PKG2/lib${LIBDIRSUFFIX}
|
|
( cd lib${LIBDIRSUFFIX} ; cp -a lib*.so.* $PKG2/lib${LIBDIRSUFFIX} )
|
|
mkdir -p $PKG2/usr/lib${LIBDIRSUFFIX}/openssl-1.1
|
|
cp -a $PKG1//usr/lib${LIBDIRSUFFIX}/openssl-1.1/engines-1.1 $PKG2/usr/lib${LIBDIRSUFFIX}/openssl-1.1
|
|
( cd $PKG2/lib${LIBDIRSUFFIX}
|
|
for file in lib*.so.?.? ; do
|
|
( cd $PKG2/usr/lib${LIBDIRSUFFIX}/openssl-1.1 ; ln -sf ../../../lib${LIBDIRSUFFIX}/$file . )
|
|
done
|
|
)
|
|
#mkdir -p $PKG2/etc
|
|
#( cd $PKG2/etc ; cp -a $PKG1/etc/ssl . )
|
|
mkdir -p $PKG2/usr/doc/openssl-$PKGVER
|
|
( cd $TMP/openssl-$VERSION
|
|
cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \
|
|
LICENSE NEWS README README.ENGINE $PKG2/usr/doc/openssl-$PKGVER
|
|
# If there's a CHANGES file, installing at least part of the recent history
|
|
# is useful, but don't let it get totally out of control:
|
|
if [ -r CHANGES ]; then
|
|
DOCSDIR=$(echo $PKG2/usr/doc/*-$PKGVER)
|
|
cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES
|
|
touch -r CHANGES $DOCSDIR/CHANGES
|
|
fi
|
|
)
|
|
|
|
find $PKG2/usr/doc/openssl-$PKGVER -type d -exec chmod 755 {} \+
|
|
find $PKG2/usr/doc/openssl-$PKGVER -type f -exec chmod 644 {} \+
|
|
cd $PKG2
|
|
mkdir -p install
|
|
cat $CWD/slack-desc.openssl11-solibs > install/slack-desc
|
|
/sbin/makepkg -l y -c n $TMP/${NAME2}.txz
|