OBSOLETE Patch-ID# 151913-04


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security openssl 1.0.1
Synopsis: Obsoleted by: 151913-05 SunOS 5.10_x86: OpenSSL 1.0.1 patch
Date: Apr/18/2016


Install Requirements: NA

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 151912

Topic: SunOS 5.10_x86: OpenSSL 1.0.1 patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #   Bug #
6850713    15569223
7039910    15711910
7156086    15780866
7206150    15824598
7206151    15824599
7206152    15824600
           16921388
           16922032
           17193314
           17283726
           17799549
           17822462
           20231102
           20826468
           20992215
           21059433
           21059453
           21149030
           21179246
           21416447
           21492687
           21822200
           21829045
           22121569
           22253902
           22278885
           22305087
           22307591
           22309690
           22603686
           22829389
           22829403
           22829425
           22852190


Changes incorporated in this version: 22307591 22309690 22603686 22829389 22829403 22829425 22852190

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 148072-19 (or greater)

Obsoleted by:

Files included with this patch:

/etc/openssl/openssl.cnf
/usr/bin/CA.pl
/usr/bin/amd64/openssl
/usr/bin/openssl
/usr/include/openssl/aes.h
/usr/include/openssl/asn1.h
/usr/include/openssl/asn1_mac.h
/usr/include/openssl/asn1t.h
/usr/include/openssl/bio.h
/usr/include/openssl/blowfish.h
/usr/include/openssl/bn.h
/usr/include/openssl/buffer.h
/usr/include/openssl/camellia.h
/usr/include/openssl/cast.h
/usr/include/openssl/cmac.h
/usr/include/openssl/cms.h
/usr/include/openssl/comp.h
/usr/include/openssl/conf.h
/usr/include/openssl/conf_api.h
/usr/include/openssl/crypto.h
/usr/include/openssl/des.h
/usr/include/openssl/des_old.h
/usr/include/openssl/dh.h
/usr/include/openssl/dsa.h
/usr/include/openssl/dso.h
/usr/include/openssl/dtls1.h
/usr/include/openssl/e_os2.h
/usr/include/openssl/ebcdic.h
/usr/include/openssl/engine.h
/usr/include/openssl/err.h
/usr/include/openssl/evp.h
/usr/include/openssl/hmac.h
/usr/include/openssl/krb5_asn.h
/usr/include/openssl/kssl.h
/usr/include/openssl/lhash.h
/usr/include/openssl/md2.h
/usr/include/openssl/md4.h
/usr/include/openssl/md5.h
/usr/include/openssl/modes.h
/usr/include/openssl/obj_mac.h
/usr/include/openssl/objects.h
/usr/include/openssl/ocsp.h
/usr/include/openssl/opensslconf.h
/usr/include/openssl/opensslv.h
/usr/include/openssl/ossl_typ.h
/usr/include/openssl/pem.h
/usr/include/openssl/pem2.h
/usr/include/openssl/pkcs12.h
/usr/include/openssl/pkcs7.h
/usr/include/openssl/pqueue.h
/usr/include/openssl/rand.h
/usr/include/openssl/rc2.h
/usr/include/openssl/rc4.h
/usr/include/openssl/ripemd.h
/usr/include/openssl/rsa.h
/usr/include/openssl/safestack.h
/usr/include/openssl/sha.h
/usr/include/openssl/srp.h
/usr/include/openssl/srtp.h
/usr/include/openssl/ssl.h
/usr/include/openssl/ssl2.h
/usr/include/openssl/ssl23.h
/usr/include/openssl/ssl3.h
/usr/include/openssl/stack.h
/usr/include/openssl/symhacks.h
/usr/include/openssl/tls1.h
/usr/include/openssl/ts.h
/usr/include/openssl/txt_db.h
/usr/include/openssl/ui.h
/usr/include/openssl/ui_compat.h
/usr/include/openssl/x509.h
/usr/include/openssl/x509_vfy.h
/usr/include/openssl/x509v3.h
/usr/lib/amd64/libcrypto.so
/usr/lib/amd64/libcrypto.so.1.0.0
/usr/lib/amd64/libssl.so
/usr/lib/amd64/libssl.so.1.0.0
/usr/lib/amd64/llib-lcrypto.ln
/usr/lib/amd64/llib-lssl.ln
/usr/lib/amd64/pkgconfig/libcrypto.pc
/usr/lib/amd64/pkgconfig/libssl.pc
/usr/lib/amd64/pkgconfig/openssl.pc
/usr/lib/libcrypto.so
/usr/lib/libcrypto.so.1.0.0
/usr/lib/libssl.so
/usr/lib/libssl.so.1.0.0
/usr/lib/llib-lcrypto
/usr/lib/llib-lcrypto.ln
/usr/lib/llib-lssl
/usr/lib/llib-lssl.ln
/usr/lib/openssl/engines/64
/usr/lib/openssl/engines/amd64/libpk11.so
/usr/lib/openssl/engines/amd64/libpk11.so.1.0.0
/usr/lib/openssl/engines/libpk11.so
/usr/lib/openssl/engines/libpk11.so.1.0.0
/usr/lib/pkgconfig/libcrypto.pc
/usr/lib/pkgconfig/libssl.pc
/usr/lib/pkgconfig/openssl.pc

Problem Description:

22307591 problem with OpenSSL
22309690 upgrade OpenSSL version to 1.0.1q
22603686 upgrade OpenSSL version to 1.0.1r
22829389 problem with OpenSSL
22829403 problem with OpenSSL
22829425 problem with OpenSSL
22852190 upgrade OpenSSL version to 1.0.1s
 
(from 151913-03)
 
22121569 PKCS#11 engine library is missing a symlink to libpk11.so.1
22305087 lint library info is not generated and shipped for OpenSSL 1.0.1 in Solaris 10
 
(from 151913-02)
 
22278885 symlinks missing in OpenSSL 1.0.1 patches
 
(from 151913-01)
 
15569223 32-bit openssl x86 performance can be greatly improved by enabling hand-crafted asm
15711910 move OpenSSL from SFW to Userland gate
15780866 OpenSSL for wanboot should not be built in a separate directory
15824598 T4 AES should be embedded in the OpenSSL upstream source
15824599 T4 hash should be embedded in the OpenSSL upstream source
15824600 T4 montmul should be embedded in the OpenSSL upstream source
16921388 T4 DES should be embedded in the OpenSSL upstream source
16922032 need X509_V_FLAG_PARTIAL_CHAIN - ability to trust a leaf certificate
17193314 ssh dumps core when using aes128-cbc cipher on T4
17283726 memory leak with EVP_CipherInit_ex
17799549 libcrypto openssl incorrect size for libcrypto.so.1.0.0`_sparcv9_random
17822462 svc:/network/sendmail-client:default (sendmail SMTP client queue runner) dumped core
20231102 problem with OpenSSL
20826468 enable internal tests for OpenSSL in the Userland gate
20992215 warnings about sparcv8+ ABI violation found in OpenSSL build logs
21059433 Solaris 10 specific patches for integrating OpenSSL 1.0.1
21059453 OpenSSL consumers should be initially built with current OpenSSL version 0.9.7d
21149030 segfault when a cleanup callback is called before cipher initialization
21179246 passing incompatible argument in crypto/evp/e_aes.c:861
21416447 upgrade OpenSSL version to 1.0.1p
21492687 PIN caching policy "mlocked-memory" does not work in the PKCS#11 engine
21822200 warning about unused variables in ssl_asn1.c with "no-psk"
21829045 OpenSSL 1.0.1 integrated into Solaris 10 must support export source builds
22253902 OpenSSL engine needs to live under /usr directory hierarchy


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  Release Notes for Solaris 10 OpenSSL 1.0.1 on x86
 
         OpenSSL.org has announced end of support for OpenSSL 0.9.8 at the
         end of 2015.  This will impact the ability to backport security
         fixes into Solaris 10's 0.9.7d-based OpenSSL and, as a result,
         OpenSSL version 1.0.1 is being provided for Solaris 10.
 
         1. Deliverables
 
         To get OpenSSL 1.0.1p for Solaris 10 (SPARC), please apply the
         following patch:
 
         151913-02 (or greater)  OpenSSL 1.0.1 patch  (this patch)
 
         When this patch is installed on a Solaris 10 system, existing
         SUNWopenssl* packages are enhanced with new OpenSSL deliverables
         in the following locations:
 
         - binaries in /usr/bin and /usr/bin/64
         - libraries in /usr/lib and /usr/lib/64
         - header files in /usr/include
         - pkg-config(1) files in /usr/lib/pkgconfig and /usr/lib/64/pkgconfig
         - configuration in /etc/openssl
 
         2. Impact on existing old OpenSSL
 
         The new OpenSSL 1.0.1 deliverables do not interfere with the
         existing OpenSSL 0.9.7d (+ security fixes) already present on
         your system. This means you can still use your existing commands
         and applications built against the old OpenSSL 0.9.7d.
 
         There is one exception here: pkg-config(1) files.  pkg-config(1)
         files relevant to the old OpenSSL 0.9.7d were moved:
 
         - /usr/lib/pkgconfig/openssl.pc -> /usr/sfw/lib/pkgconfig/openssl.pc
         - /usr/lib/64/pkgconfig/openssl.pc -> /usr/sfw/lib/64/pkgconfig/openssl.pc
 
         3. Usage
 
         After patch installation, the openssl binary in /usr/bin works
         just as you would expect.
 
         When building an application against new OpenSSL libraries, it
         should just work out-of-the-box because header files and libraries
         are installed in standard default locations searched by compilers.
 
         If the application has a dependency on a header file or library
         residing in /usr/sfw then use:
 
         -I/usr/include -I/usr/sfw/include for search path of header files
         -L/usr/lib -L/usr/sfw/lib for search path of libraries for linking
 
         There is also one exception here: if you are building with gcc 3.4.3
         shipped with Solaris 10 (package SUNWgcc), then there is a problem
         with search order of header files and libraries for linking.  That
         is, gcc 3.4.3 hardcodes /usr/sfw/include at the beginning of its
         search list of system header files.  Similarly, gcc 3.4.3 hardcodes
         /usr/sfw/lib at the beginning of its search list of libraries for
         linking. This means that header files and libraries for linking
         from the old OpenSSL 0.9.7d would be picked by default.
 
         Unfortunately there is no single workaround for this problem. Here
         is a list of recipes which you can try to work around this problem:
 
         Recipe 1
 
         Use special flags when running the configure script to reorder the
         list of include paths to shift /usr/sfw/include to the end, and
         specify the libraries directly when the configure script has a
         means to do that.  E.g. for the wget program the configure command
         would be:
 
         openssl_includes=`cpp -Wp,-v </dev/null 2>&1 | awk 'BEGIN {hold=""} $0 !~ /^ / {next}; $0 ~ /^ \/usr\/sfw\/include$/ {hold="-I/usr/sfw/include"; next}; {printf "-I%s ", $0}; END {printf "%s\n", hold}'`
 
         CFLAGS="-nostdinc $openssl_includes" OPENSSL_LIBS="/usr/lib/libssl.so.1.0.0 /usr/lib/libcrypto.so.1.0.0" ./configure --with-ssl=openssl
 
         Recipe 2
 
         Use special flags when running the configure script to reorder the
         list of include paths to shift /usr/sfw/include to the end, and do
         so similarly with the list of library paths and /usr/sfw/lib.  E.g.
         for the curl program the configure command would be:
 
         openssl_includes=`cpp -Wp,-v </dev/null 2>&1 | awk 'BEGIN {hold=""} $0 !~ /^ / {next}; $0 ~ /^ \/usr\/sfw\/include$/ {hold="-I/usr/sfw/include"; next}; {printf "-I%s ", $0}; END {printf "%s\n", hold}'`
 
         openssl_libs=`/usr/sfw/bin/gld --verbose | grep ^SEARCH_DIR | sed -e 's/SEARCH_DIR("//g' -e 's/");//g' | tr ' ' '\n' | awk 'BEGIN {hold=""} $0 !~ /^\// {next}; $0 ~ /^\/usr\/sfw\/lib$/ {hold="-L/usr/sfw/lib"; next}; {printf "-L%s ", $0}; END {printf "%s\n", hold}'`
 
         CPPFLAGS="-nostdinc $openssl_includes" LDFLAGS="-nodefaultlibs $openssl_libs" LIBS="-lc" ./configure
 
         Recipe 3
 
         If none of the previous recipes work, you can install the following
         supplementary IDR for SPARC which removes OpenSSL 0.9.7d header files
         and libraries for linking from your system:
 
         IDR152033-03  Upgrade OpenSSL version to 1.0.1m
 
         In particular, after this supplementary IDR is installed:
 
         - The directory /usr/sfw/include/openssl is empty
         - Symlinks for linking /usr/sfw/lib/lib{crypto,ssl}.so and
           /usr/sfw/lib/64/lib{crypto,ssl}.so do not exist
 
         This means the supplementary IDR will prevent compiling against
         OpenSSL 0.9.7d.  Existing programs linked against this version
         will continue working.
 
         When the IDR is backed out, the previous state is restored.  It
         is possible to install the supplementary IDR on top of the main
         patch, but not vice versa.
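
         An added check, not part of the Oracle README: after building with
         one of the recipes above, confirm from ldd output that the binary
         resolves libssl and libcrypto from /usr/lib and not from the old
         OpenSSL 0.9.7d tree in /usr/sfw/lib.  The function name, exit codes
         and sample ldd lines are constructed for illustration; the 0.9.7
         file names under /usr/sfw/lib are an assumption.

```shell
#!/bin/sh
# Added example, not part of the Oracle README. Function name, exit codes and
# sample data are constructed for illustration.
#
# check_openssl_link reads `ldd <binary>` output on stdin and reports where
# libssl/libcrypto were resolved from:
#   0  every OpenSSL library resolved outside /usr/sfw (the 1.0.1 tree)
#   1  at least one resolved from /usr/sfw/lib (the old 0.9.7d tree)
#   2  no libssl/libcrypto dependency listed
#   3  an OpenSSL library was listed but not found by the runtime linker
check_openssl_link() {
    awk '
        # ldd lines have the form: <soname> => <resolved path>
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen = 1
            if ($3 ~ /^\/usr\/sfw\/lib\//) {
                old = 1;     printf "OLD      %s -> %s\n", $1, $3
            } else if ($3 !~ /^\//) {
                missing = 1; printf "MISSING  %s\n", $1
            } else {
                printf "OK       %s -> %s\n", $1, $3
            }
        }
        END {
            if (!seen)   exit 2
            if (old)     exit 1
            if (missing) exit 3
            exit 0
        }'
}

# Constructed ldd output: a build that picked up the new libraries ...
SAMPLE_NEW='        libssl.so.1.0.0 =>       /usr/lib/libssl.so.1.0.0
        libcrypto.so.1.0.0 =>    /usr/lib/libcrypto.so.1.0.0
        libc.so.1 =>     /lib/libc.so.1'

# ... and one where the gcc 3.4.3 search order linked the old tree. The 0.9.7
# file names under /usr/sfw/lib are assumed for the sample.
SAMPLE_OLD='        libssl.so.0.9.7 =>       /usr/sfw/lib/libssl.so.0.9.7
        libcrypto.so.0.9.7 =>    /usr/sfw/lib/libcrypto.so.0.9.7
        libc.so.1 =>     /lib/libc.so.1'

# Real use: ldd ./src/wget | check_openssl_link
printf '%s\n' "$SAMPLE_OLD" | check_openssl_link ||
    echo "status $?: binary does not use the patched OpenSSL 1.0.1 libraries"
```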


README -- Last modified date: Tuesday, May 31, 2016