OBSOLETE Patch-ID# 151913-11


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security openssl 1.0.2
Synopsis: Obsoleted by: 151913-12 SunOS 5.10_x86: OpenSSL 1.0.2 patch
Date: Jan/16/2018


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 151912

Topic: SunOS 5.10_x86: OpenSSL 1.0.2 patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #   Bug #
6850713    15569223
7039910    15711910
7156086    15780866
7206150    15824598
7206151    15824599
7206152    15824600
16921388
16922032
17193314
17283726
17799549
17822462
20231102
20358335
20826468
20992215
21059433
21059453
21149030
21179246
21416447
21492687
21822200
21829045
21849701
22021385
22021787
22121569
22253902
22278885
22305087
22307591
22309690
22603686
22829389
22829403
22829425
22852190
23206902
23221238
23230454
23285559
23598249
23599994
24377801
24394794
24513545
24528111
24703800
24703856
24703866
24703911
24703934
24703939
24710405
24784774
24828976
24943813
25078626
25455809
25455821
26864639
26905630
27001429
27050760
27063835
27233764
27233786
27233809


Changes incorporated in this version: 27050760 27063835 27233764 27233786 27233809

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 148072-19 (or greater)

Obsoleted by:

Files included with this patch:

/etc/openssl/openssl.cnf
/usr/bin/CA.pl
/usr/bin/amd64/openssl
/usr/bin/openssl
/usr/include/openssl/aes.h
/usr/include/openssl/asn1.h
/usr/include/openssl/asn1_mac.h
/usr/include/openssl/asn1t.h
/usr/include/openssl/bio.h
/usr/include/openssl/blowfish.h
/usr/include/openssl/bn.h
/usr/include/openssl/buffer.h
/usr/include/openssl/camellia.h
/usr/include/openssl/cast.h
/usr/include/openssl/cmac.h
/usr/include/openssl/cms.h
/usr/include/openssl/comp.h
/usr/include/openssl/conf.h
/usr/include/openssl/conf_api.h
/usr/include/openssl/crypto.h
/usr/include/openssl/des.h
/usr/include/openssl/des_old.h
/usr/include/openssl/dh.h
/usr/include/openssl/dsa.h
/usr/include/openssl/dso.h
/usr/include/openssl/dtls1.h
/usr/include/openssl/e_os2.h
/usr/include/openssl/ebcdic.h
/usr/include/openssl/engine.h
/usr/include/openssl/err.h
/usr/include/openssl/evp.h
/usr/include/openssl/hmac.h
/usr/include/openssl/krb5_asn.h
/usr/include/openssl/kssl.h
/usr/include/openssl/lhash.h
/usr/include/openssl/md2.h
/usr/include/openssl/md4.h
/usr/include/openssl/md5.h
/usr/include/openssl/modes.h
/usr/include/openssl/obj_mac.h
/usr/include/openssl/objects.h
/usr/include/openssl/ocsp.h
/usr/include/openssl/opensslconf.h
/usr/include/openssl/opensslv.h
/usr/include/openssl/ossl_typ.h
/usr/include/openssl/pem.h
/usr/include/openssl/pem2.h
/usr/include/openssl/pkcs12.h
/usr/include/openssl/pkcs7.h
/usr/include/openssl/pqueue.h
/usr/include/openssl/rand.h
/usr/include/openssl/rc2.h
/usr/include/openssl/rc4.h
/usr/include/openssl/ripemd.h
/usr/include/openssl/rsa.h
/usr/include/openssl/safestack.h
/usr/include/openssl/sha.h
/usr/include/openssl/srp.h
/usr/include/openssl/srtp.h
/usr/include/openssl/ssl.h
/usr/include/openssl/ssl2.h
/usr/include/openssl/ssl23.h
/usr/include/openssl/ssl3.h
/usr/include/openssl/stack.h
/usr/include/openssl/symhacks.h
/usr/include/openssl/tls1.h
/usr/include/openssl/ts.h
/usr/include/openssl/txt_db.h
/usr/include/openssl/ui.h
/usr/include/openssl/ui_compat.h
/usr/include/openssl/x509.h
/usr/include/openssl/x509_vfy.h
/usr/include/openssl/x509v3.h
/usr/lib/amd64/libcrypto.so
/usr/lib/amd64/libcrypto.so.1.0.0
/usr/lib/amd64/libssl.so
/usr/lib/amd64/libssl.so.1.0.0
/usr/lib/amd64/llib-lcrypto.ln
/usr/lib/amd64/llib-lssl.ln
/usr/lib/amd64/pkgconfig/libcrypto.pc
/usr/lib/amd64/pkgconfig/libssl.pc
/usr/lib/amd64/pkgconfig/openssl.pc
/usr/lib/libcrypto.so
/usr/lib/libcrypto.so.1.0.0
/usr/lib/libssl.so
/usr/lib/libssl.so.1.0.0
/usr/lib/llib-lcrypto
/usr/lib/llib-lcrypto.ln
/usr/lib/llib-lssl
/usr/lib/llib-lssl.ln
/usr/lib/openssl/engines/64
/usr/lib/openssl/engines/amd64/libpk11.so
/usr/lib/openssl/engines/amd64/libpk11.so.1.0.0
/usr/lib/openssl/engines/libpk11.so
/usr/lib/openssl/engines/libpk11.so.1.0.0
/usr/lib/pkgconfig/libcrypto.pc
/usr/lib/pkgconfig/libssl.pc
/usr/lib/pkgconfig/openssl.pc

Problem Description:

27050760 Upgrade OpenSSL version to 1.0.2m
27063835 Problem with library/openssl
27233764 Upgrade OpenSSL version to 1.0.2n
27233786 Problem with library/openssl
27233809 Problem with library/openssl
 
(from 151913-10)
 
26864639 Upgrade OpenSSL version to 1.0.2l
26905630 openssl prompts for additional input after patch 151912-09
27001429 Problem with library/openssl
 
(from 151913-09)
 
20358335 memory leak in libcrypto
21849701 openssl(1) usage is wrong when the 'no-ssl2' compile option is specified
22021385 openssl ts sub-command dumps core
22021787 openssl s_client sub-command dumps core
23230454 use DES3 for pkcs12 certificate encryption
23285559 ssh libcrypto`solaris_locking_setup() atfork handler calls malloc()
24377801 solaris_dynlock_create() should check for a ret val of 0 from pthread_mutex_init
24784774 upgrade 11.3-SRU to OpenSSL 1.0.2
24943813 problem with OpenSSL
25078626 problem with OpenSSL
25455809 problem with OpenSSL
25455821 problem with OpenSSL
 
(from 151913-08)
 
24703800 problem with OpenSSL
24703856 problem with OpenSSL
24703866 problem with OpenSSL
24703911 problem with OpenSSL
24703934 problem with OpenSSL
24703939 problem with OpenSSL
24710405 upgrade OpenSSL version to 1.0.1u
24828976 lint libraries should use the OpenSSL headers from proto area, not from the O/S
 
(from 151913-07)
 
24394794 CRL conversions from DER to PEM format fail for large CRL files
24513545 XMPP element quoting confusion
24528111 problem with OpenSSL
 
(from 151913-06)
 
23598249 problem with OpenSSL
23599994 problem with OpenSSL
 
(from 151913-05)
 
23206902 problem with OpenSSL
23221238 upgrade OpenSSL version to 1.0.1t
 
(from 151913-04)
 
22307591 problem with OpenSSL
22309690 upgrade OpenSSL version to 1.0.1q
22603686 upgrade OpenSSL version to 1.0.1r
22829389 problem with OpenSSL
22829403 problem with OpenSSL
22829425 problem with OpenSSL
22852190 upgrade OpenSSL version to 1.0.1s
 
(from 151913-03)
 
22121569 PKCS#11 engine library is missing a symlink to libpk11.so.1
22305087 lint library info is not generated and shipped for OpenSSL 1.0.1 in Solaris 10
 
(from 151913-02)
 
22278885 symlinks missing in OpenSSL 1.0.1 patches
 
(from 151913-01)
 
15569223 32-bit openssl x86 performance can be greatly improved by enabling hand-crafted asm
15711910 move OpenSSL from SFW to Userland gate
15780866 OpenSSL for wanboot should not be built in a separate directory
15824598 T4 AES should be embedded in the OpenSSL upstream source
15824599 T4 hash should be embedded in the OpenSSL upstream source
15824600 T4 montmul should be embedded in the OpenSSL upstream source
16921388 T4 DES should be embedded in the OpenSSL upstream source
16922032 need X509_V_FLAG_PARTIAL_CHAIN - ability to trust a leaf certificate
17193314 ssh dumps core when using aes128-cbc cipher on T4
17283726 memory leak with EVP_CipherInit_ex
17799549 libcrypto openssl incorrect size for libcrypto.so.1.0.0`_sparcv9_random
17822462 svc:/network/sendmail-client:default (sendmail SMTP client queue runner) dumped core
20231102 problem with OpenSSL
20826468 enable internal tests for OpenSSL in the Userland gate
20992215 warnings about sparcv8+ ABI violation found in OpenSSL build logs
21059433 Solaris 10 specific patches for integrating OpenSSL 1.0.1
21059453 OpenSSL consumers should be initially built with current OpenSSL version 0.9.7d
21149030 segfault when a cleanup callback is called before cipher initialization
21179246 passing incompatible argument in crypto/evp/e_aes.c:861
21416447 upgrade OpenSSL version to 1.0.1p
21492687 PIN caching policy "mlocked-memory" does not work in the PKCS#11 engine
21822200 warning about unused variables in ssl_asn1.c with "no-psk"
21829045 OpenSSL 1.0.1 integrated into Solaris 10 must support export source builds
22253902 OpenSSL engine needs to live under /usr directory hierarchy


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  Release Notes for Solaris 10 OpenSSL 1.0.1 on x86
 
         OpenSSL.org has announced end of support for OpenSSL 0.9.8 at the
         end of 2015.  This will impact the ability to backport security
         fixes into Solaris 10's 0.9.7d-based OpenSSL and, as a result,
         OpenSSL version 1.0.1 is being provided for Solaris 10.
 
         1. Deliverables
 
         To get OpenSSL 1.0.1p for Solaris 10 (SPARC), please apply the
         following patch:
 
         151913-02 (or greater)  OpenSSL 1.0.1 patch  (this patch)
 
         When this patch is installed on a Solaris 10 system, existing
         SUNWopenssl* packages are enhanced with new OpenSSL deliverables
         in the following locations:
 
         - binaries in /usr/bin and /usr/bin/64
         - libraries in /usr/lib and /usr/lib/64
         - header files in /usr/include
         - pkg-config(1) files in /usr/lib/pkgconfig and /usr/lib/64/pkgconfig
         - configuration in /etc/openssl
 
         2. Impact on existing old OpenSSL
 
         The new OpenSSL 1.0.1 deliverables do not interfere with the
         existing OpenSSL 0.9.7d (+ security fixes) already present on
         your system. This means you can still use your existing commands
         and applications built against the old OpenSSL 0.9.7d.
 
         There is one exception here: pkg-config(1) files.  pkg-config(1)
         files relevant to the old OpenSSL 0.9.7d were moved:
 
         - /usr/lib/pkgconfig/openssl.pc -> /usr/sfw/lib/pkgconfig/openssl.pc
         - /usr/lib/64/pkgconfig/openssl.pc -> /usr/sfw/lib/64/pkgconfig/openssl.pc
 
         3. Usage
 
         How do you use the new OpenSSL 1.0.1 after patch installation?  The
         openssl binary in /usr/bin works just as you would expect.
 
         When building an application against new OpenSSL libraries, it
         should just work out-of-the-box because header files and libraries
         are installed in standard default locations searched by compilers.
 
         If the application has a dependency on a header file or library
         residing in /usr/sfw then use:
 
         -I/usr/include -I/usr/sfw/include for search path of header files
         -L/usr/lib -L/usr/sfw/lib for search path of libraries for linking
 
         There is also one exception here: if you are building with gcc 3.4.3
         shipped with Solaris 10 (package SUNWgcc), then there is a problem
         with search order of header files and libraries for linking.  That
         is, gcc 3.4.3 hardcodes /usr/sfw/include at the beginning of its
         search list of system header files.  Similarly, gcc 3.4.3 hardcodes
         /usr/sfw/lib at the beginning of its search list of libraries for
         linking. This means that header files and libraries for linking
         from the old OpenSSL 0.9.7d would be picked by default.
 
         Unfortunately there is no single workaround for this problem. Here
         is a list of recipes which you can try to work around this problem:
 
         Recipe 1
 
         Use special flags when running the configure script to reorder the
         list of include paths to shift /usr/sfw/include to the end, and
         specify the libraries directly when the configure script has a
         means to do that.  E.g. for the wget program the configure command
         would be:
 
         openssl_includes=`cpp -Wp,-v </dev/null 2>&1 | awk 'BEGIN {hold=""} $0 !~ /^ / {next}; $0 ~ /^ \/usr\/sfw\/include$/ {hold="-I/usr/sfw/include"; next}; {printf "-I%s ", $0}; END {printf "%s\n", hold}'`
 
         CFLAGS="-nostdinc $openssl_includes" OPENSSL_LIBS="/usr/lib/libssl.so.1.0.0 /usr/lib/libcrypto.so.1.0.0" ./configure --with-ssl=openssl
 
         Recipe 2
 
         Use special flags when running the configure script to reorder the
         list of include paths to shift /usr/sfw/include to the end, and do
         so similarly with the list of library paths and /usr/sfw/lib.  E.g.
         for the curl program the configure command would be:
 
         openssl_includes=`cpp -Wp,-v </dev/null 2>&1 | awk 'BEGIN {hold=""} $0 !~ /^ / {next}; $0 ~ /^ \/usr\/sfw\/include$/ {hold="-I/usr/sfw/include"; next}; {printf "-I%s ", $0}; END {printf "%s\n", hold}'`
 
         openssl_libs=`/usr/sfw/bin/gld --verbose | grep ^SEARCH_DIR | sed -e 's/SEARCH_DIR("//g' -e 's/");//g' | tr ' ' '\n' | awk 'BEGIN {hold=""} $0 !~ /^\// {next}; $0 ~ /^\/usr\/sfw\/lib$/ {hold="-L/usr/sfw/lib"; next}; {printf "-L%s ", $0}; END {printf "%s\n", hold}'`
 
         CPPFLAGS="-nostdinc $openssl_includes" LDFLAGS="-nodefaultlibs $openssl_libs" LIBS="-lc" ./configure
 
         Recipe 3
 
         If none of the previous recipes work, you can install the following
         patch which removes OpenSSL 0.9.7d header files and libraries for
         linking from your system:
 
         151915-07 (or greater)  OpenSSL 0.9.7 patch
 
         (Bug 22504845: OpenSSL 0.9.7 removal from Solaris 10 - phase 1)
 
         In particular, after that patch is installed:
 
         - The directory /usr/sfw/include/openssl is empty
         - Symlinks for linking /usr/sfw/lib/lib{crypto,ssl}.so and
           /usr/sfw/lib/64/lib{crypto,ssl}.so do not exist
 
         This means the patch will prevent compiling against OpenSSL 0.9.7d.
         Existing programs linked against that version will continue working.
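
A check to run after trying the recipes above, added here as an example and not part of the Oracle README: the two functions classify the include search order printed by `cpp -Wp,-v` and the OpenSSL libraries a binary resolves in `ldd` output. The function names and all sample inputs, including the 0.9.7 library file names, are constructed for illustration.

```shell
#!/bin/sh
# Added example; every sample input below is constructed, not captured output.

# include_order: reads `cpp -Wp,-v </dev/null 2>&1` output on stdin and prints
# "sfw-first" when /usr/sfw/include is searched before /usr/include, else "ok".
include_order() {
    awk '
        $0 !~ /^ / { next }                 # search-list entries start with a space
        { sub(/^ +/, "") }
        $0 == "/usr/sfw/include" && !std { sfw_first = 1 }
        $0 == "/usr/include" { std = 1 }
        END { print (sfw_first ? "sfw-first" : "ok") }'
}

# openssl_binding: reads `ldd <binary>` output on stdin and prints where
# libssl/libcrypto resolved: "old" (/usr/sfw/lib), "new" (/usr/lib .so.1.0.0),
# "mixed" (both), "other" (elsewhere) or "none" (not linked to OpenSSL).
openssl_binding() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/sfw\/lib\//) old = 1
            else if ($3 ~ /^\/usr\/lib\/(amd64\/|64\/)?lib(ssl|crypto)\.so\.1\.0\.0$/) cur = 1
            else other = 1
        }
        END {
            if (old && cur) print "mixed"
            else if (old) print "old"
            else if (cur) print "new"
            else if (other) print "other"
            else print "none"
        }'
}

CPP_GCC343=' /usr/sfw/include
 /usr/local/include
 /usr/include'
CPP_REORDERED=' /usr/local/include
 /usr/include
 /usr/sfw/include'
LDD_OLD='libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
libc.so.1 => /lib/libc.so.1'
LDD_NEW='libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0
libc.so.1 => /lib/libc.so.1'

printf 'default search order: %s\n' "$(printf '%s\n' "$CPP_GCC343" | include_order)"
printf 'binary linked before fix: %s\n' "$(printf '%s\n' "$LDD_OLD" | openssl_binding)"
```

On a real system, pipe `cpp -Wp,-v </dev/null 2>&1` into `include_order` and `ldd` of the built binary into `openssl_binding`; a result of "old" or "mixed" means the build still picked up the 0.9.7d libraries from /usr/sfw.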


README -- Last modified date: Thursday, July 12, 2018