OBSOLETE Patch-ID# 151913-21
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security openssl 1.0.2 1.0.2zd
Synopsis: Obsoleted by: 151913-22 SunOS 5.10_x86: OpenSSL 1.0.2 patch
Date: Oct/17/2022
Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10_x86
SunOS Release: 5.10_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 151912
Topic: SunOS 5.10_x86: OpenSSL 1.0.2 patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 34134301 34309592 34345360
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch: 148072-19 (or greater)
Obsoleted by:
Files included with this patch:
/etc/openssl/openssl.cnf
/usr/bin/CA.pl
/usr/bin/amd64/openssl
/usr/bin/openssl
/usr/include/openssl/aes.h
/usr/include/openssl/asn1.h
/usr/include/openssl/asn1_mac.h
/usr/include/openssl/asn1t.h
/usr/include/openssl/bio.h
/usr/include/openssl/blowfish.h
/usr/include/openssl/bn.h
/usr/include/openssl/buffer.h
/usr/include/openssl/camellia.h
/usr/include/openssl/cast.h
/usr/include/openssl/cmac.h
/usr/include/openssl/cms.h
/usr/include/openssl/comp.h
/usr/include/openssl/conf.h
/usr/include/openssl/conf_api.h
/usr/include/openssl/crypto.h
/usr/include/openssl/des.h
/usr/include/openssl/des_old.h
/usr/include/openssl/dh.h
/usr/include/openssl/dsa.h
/usr/include/openssl/dso.h
/usr/include/openssl/dtls1.h
/usr/include/openssl/e_os2.h
/usr/include/openssl/ebcdic.h
/usr/include/openssl/engine.h
/usr/include/openssl/err.h
/usr/include/openssl/evp.h
/usr/include/openssl/hmac.h
/usr/include/openssl/krb5_asn.h
/usr/include/openssl/kssl.h
/usr/include/openssl/lhash.h
/usr/include/openssl/md2.h
/usr/include/openssl/md4.h
/usr/include/openssl/md5.h
/usr/include/openssl/modes.h
/usr/include/openssl/obj_mac.h
/usr/include/openssl/objects.h
/usr/include/openssl/ocsp.h
/usr/include/openssl/opensslconf.h
/usr/include/openssl/opensslv.h
/usr/include/openssl/ossl_typ.h
/usr/include/openssl/pem.h
/usr/include/openssl/pem2.h
/usr/include/openssl/pkcs12.h
/usr/include/openssl/pkcs7.h
/usr/include/openssl/pqueue.h
/usr/include/openssl/rand.h
/usr/include/openssl/rc2.h
/usr/include/openssl/rc4.h
/usr/include/openssl/ripemd.h
/usr/include/openssl/rsa.h
/usr/include/openssl/safestack.h
/usr/include/openssl/sha.h
/usr/include/openssl/srp.h
/usr/include/openssl/srtp.h
/usr/include/openssl/ssl.h
/usr/include/openssl/ssl2.h
/usr/include/openssl/ssl23.h
/usr/include/openssl/ssl3.h
/usr/include/openssl/stack.h
/usr/include/openssl/symhacks.h
/usr/include/openssl/tls1.h
/usr/include/openssl/ts.h
/usr/include/openssl/txt_db.h
/usr/include/openssl/ui.h
/usr/include/openssl/ui_compat.h
/usr/include/openssl/x509.h
/usr/include/openssl/x509_vfy.h
/usr/include/openssl/x509v3.h
/usr/lib/amd64/libcrypto.so
/usr/lib/amd64/libcrypto.so.1.0.0
/usr/lib/amd64/libssl.so
/usr/lib/amd64/libssl.so.1.0.0
/usr/lib/amd64/llib-lcrypto.ln
/usr/lib/amd64/llib-lssl.ln
/usr/lib/amd64/pkgconfig/libcrypto.pc
/usr/lib/amd64/pkgconfig/libssl.pc
/usr/lib/amd64/pkgconfig/openssl.pc
/usr/lib/libcrypto.so
/usr/lib/libcrypto.so.1.0.0
/usr/lib/libssl.so
/usr/lib/libssl.so.1.0.0
/usr/lib/llib-lcrypto
/usr/lib/llib-lcrypto.ln
/usr/lib/llib-lssl
/usr/lib/llib-lssl.ln
/usr/lib/openssl/engines/64
/usr/lib/openssl/engines/amd64/libpk11.so
/usr/lib/openssl/engines/amd64/libpk11.so.1.0.0
/usr/lib/openssl/engines/libpk11.so
/usr/lib/openssl/engines/libpk11.so.1.0.0
/usr/lib/pkgconfig/libcrypto.pc
/usr/lib/pkgconfig/libssl.pc
/usr/lib/pkgconfig/openssl.pc
Problem Description:
34134301 Problem with library/openssl
34309592 Problem with library/openssl
34345360 Upgrade to OpenSSL-1.0.2zf
(from 151913-20)
33952256 Problem with library/openssl
33997427 update openssl 1.0.2 to version 1.0.2zd
(from 151913-19)
33275951 Problem with library/openssl
33280648 Upgrade to OpenSSL-1.0.2za
(from 151913-18)
32639120 OpenSSL not upgraded to 1.0.2x in 151913-17
(from 151913-17)
31899422 Problem with library/openssl
32247243 Upgrade OpenSSL version to 1.0.2x
32247269 Problem with library/openssl
(from 151913-16)
30340729 Problem with library/openssl
30349566 Problem with library/openssl
30349577 Problem with library/openssl
30693740 Problem with library/openssl
31029800 Upgrade OpenSSL version to 1.0.2u
(from 151913-15)
29410573 Upgrade OpenSSL version to 1.0.2r
29410641 Problem with library/openssl
(from 151913-14)
28923463 Problem with library/openssl
28950950 Upgrade OpenSSL version to 1.0.2q
28951089 Problem with library/openssl
(from 151913-13)
27875935 Problem with library/openssl
28215279 Problem with library/openssl
28504229 Upgrade OpenSSL version to 1.0.2p
(from 151913-12)
27768225 Upgrade OpenSSL version to 1.0.2o
27768256 Problem with library/openssl
(from 151913-11)
27050760 Upgrade OpenSSL version to 1.0.2m
27063835 Problem with library/openssl
27233764 Upgrade OpenSSL version to 1.0.2n
27233786 Problem with library/openssl
27233809 Problem with library/openssl
(from 151913-10)
26864639 Upgrade OpenSSL version to 1.0.2l
26905630 openssl prompts for additional input after patch 151912-09
27001429 Problem with library/openssl
(from 151913-09)
20358335 memory leak in libcrypto
21849701 openssl(1) usage is wrong when the 'no-ssl2' compile option is specified
22021385 openssl ts sub-command dumps core
22021787 openssl s_client sub-command dumps core
23230454 use DES3 for pkcs12 certificate encryption
23285559 ssh libcrypto`solaris_locking_setup() atfork handler calls malloc()
24377801 solaris_dynlock_create() should check for a ret val of 0 from pthread_mutex_init
24784774 upgrade 11.3-SRU to OpenSSL 1.0.2
24943813 problem with OpenSSL
25078626 problem with OpenSSL
25455809 problem with OpenSSL
25455821 problem with OpenSSL
(from 151913-08)
24703800 problem with OpenSSL
24703856 problem with OpenSSL
24703866 problem with OpenSSL
24703911 problem with OpenSSL
24703934 problem with OpenSSL
24703939 problem with OpenSSL
24710405 upgrade OpenSSL version to 1.0.1u
24828976 lint libraries should use the OpenSSL headers from proto area, not from the O/S
(from 151913-07)
24394794 CRL conversions from DER to PEM format fail for large CRL files
24513545 XMPP element quoting confusion
24528111 problem with OpenSSL
(from 151913-06)
23598249 problem with OpenSSL
23599994 problem with OpenSSL
(from 151913-05)
23206902 problem with OpenSSL
23221238 upgrade OpenSSL version to 1.0.1t
(from 151913-04)
22307591 problem with OpenSSL
22309690 upgrade OpenSSL version to 1.0.1q
22603686 upgrade OpenSSL version to 1.0.1r
22829389 problem with OpenSSL
22829403 problem with OpenSSL
22829425 problem with OpenSSL
22852190 upgrade OpenSSL version to 1.0.1s
(from 151913-03)
22121569 PKCS#11 engine library is missing a symlink to libpk11.so.1
22305087 lint library info is not generated and shipped for OpenSSL 1.0.1 in Solaris 10
(from 151913-02)
22278885 symlinks missing in OpenSSL 1.0.1 patches
(from 151913-01)
15569223 32-bit openssl x86 performance can be greatly improved by enabling hand-crafted asm
15711910 move OpenSSL from SFW to Userland gate
15780866 OpenSSL for wanboot should not be built in a separate directory
15824598 T4 AES should be embedded in the OpenSSL upstream source
15824599 T4 hash should be embedded in the OpenSSL upstream source
15824600 T4 montmul should be embedded in the OpenSSL upstream source
16921388 T4 DES should be embedded in the OpenSSL upstream source
16922032 need X509_V_FLAG_PARTIAL_CHAIN - ability to trust a leaf certificate
17193314 ssh dumps core when using aes128-cbc cipher on T4
17283726 memory leak with EVP_CipherInit_ex
17799549 libcrypto openssl incorrect size for libcrypto.so.1.0.0`_sparcv9_random
17822462 svc:/network/sendmail-client:default (sendmail SMTP client queue runner) dumped core
20231102 problem with OpenSSL
20826468 enable internal tests for OpenSSL in the Userland gate
20992215 warnings about sparcv8+ ABI violation found in OpenSSL build logs
21059433 Solaris 10 specific patches for integrating OpenSSL 1.0.1
21059453 OpenSSL consumers should be initially built with current OpenSSL version 0.9.7d
21149030 segfault when a cleanup callback is called before cipher initialization
21179246 passing incompatible argument in crypto/evp/e_aes.c:861
21416447 upgrade OpenSSL version to 1.0.1p
21492687 PIN caching policy "mlocked-memory" does not work in the PKCS#11 engine
21822200 warning about unused variables in ssl_asn1.c with "no-psk"
21829045 OpenSSL 1.0.1 integrated into Solaris 10 must support export source builds
22253902 OpenSSL engine needs to live under /usr directory hierarchy
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: Release Notes for Solaris 10 OpenSSL 1.0.1 on x86
OpenSSL.org has announced end of support for OpenSSL 0.9.8 at the
end of 2015. This will impact the ability to backport security
fixes into Solaris 10's 0.9.7d-based OpenSSL and, as a result,
OpenSSL version 1.0.1 is being provided for Solaris 10.
1. Deliverables
To get OpenSSL 1.0.1p for Solaris 10 (SPARC), please apply the
following patch:
151913-02 (or greater) OpenSSL 1.0.1 patch (this patch)
When this patch is installed on a Solaris 10 system, existing
SUNWopenssl* packages are enhanced with new OpenSSL deliverables
in the following locations:
- binaries in /usr/bin and /usr/bin/64
- libraries in /usr/lib and /usr/lib/64
- header files in /usr/include
- pkg-config(1) files in /usr/lib/pkgconfig and /usr/lib/64/pkgconfig
- configuration in /etc/openssl
2. Impact on existing old OpenSSL
The new OpenSSL 1.0.1 deliverables do not interfere with the
existing OpenSSL 0.9.7d (+ security fixes) already present on
your system. This means you can still use your existing commands
and applications built against the old OpenSSL 0.9.7d.
There is one exception here: pkg-config(1) files. pkg-config(1)
files relevant to the old OpenSSL 0.9.7d were moved:
- /usr/lib/pkgconfig/openssl.pc -> /usr/sfw/lib/pkgconfig/openssl.pc
- /usr/lib/64/pkgconfig/openssl.pc -> /usr/sfw/lib/64/pkgconfig/openssl.pc
3. Usage
How do you use the new OpenSSL 1.0.1 after patch installation? The
openssl binary in /usr/bin works just as you would expect.
When building an application against new OpenSSL libraries, it
should just work out-of-the-box because header files and libraries
are installed in standard default locations searched by compilers.
If the application has a dependency on a header file or library
residing in /usr/sfw then use:
-I/usr/include -I/usr/sfw/include for search path of header files
-L/usr/lib -L/usr/sfw/lib for search path of libraries for linking
There is also one exception here: if you are building with gcc 3.4.3
shipped with Solaris 10 (package SUNWgcc), then there is a problem
with search order of header files and libraries for linking. That
is, gcc 3.4.3 hardcodes /usr/sfw/include at the beginning of its
search list of system header files. Similarly, gcc 3.4.3 hardcodes
/usr/sfw/lib at the beginning of its search list of libraries for
linking. This means that header files and libraries for linking
from the old OpenSSL 0.9.7d would be picked by default.
Unfortunately there is no single workaround for this problem. Here
is a list of recipes which you can try to work around this problem:
Recipe 1
Use special flags when running the configure script to reorder the
list of include paths to shift /usr/sfw/include to the end, and
specify the libraries directly when the configure script has a
means to do that. E.g. for the wget program the configure command
would be:
openssl_includes=`cpp -Wp,-v </dev/null 2>&1 | awk 'BEGIN {hold=""} $0 !~ /^ / {next}; $0 ~ /^ \/usr\/sfw\/include$/ {hold="-I/usr/sfw/include"; next}; {printf "-I%s ", $0}; END {printf "%s\n", hold}'`
CFLAGS="-nostdinc $openssl_includes" OPENSSL_LIBS="/usr/lib/libssl.so.1.0.0 /usr/lib/libcrypto.so.1.0.0" ./configure --with-ssl=openssl
Recipe 2
Use special flags when running the configure script to reorder the
list of include paths to shift /usr/sfw/include to the end, and do
so similarly with the list of library paths and /usr/sfw/lib. E.g.
for the curl program the configure command would be:
openssl_includes=`cpp -Wp,-v </dev/null 2>&1 | awk 'BEGIN {hold=""} $0 !~ /^ / {next}; $0 ~ /^ \/usr\/sfw\/include$/ {hold="-I/usr/sfw/include"; next}; {printf "-I%s ", $0}; END {printf "%s\n", hold}'`
openssl_libs=`/usr/sfw/bin/gld --verbose | grep ^SEARCH_DIR | sed -e 's/SEARCH_DIR("//g' -e 's/");//g' | tr ' ' '\n' | awk 'BEGIN {hold=""} $0 !~ /^\// {next}; $0 ~ /^\/usr\/sfw\/lib$/ {hold="-L/usr/sfw/lib"; next}; {printf "-L%s ", $0}; END {printf "%s\n", hold}'`
CPPFLAGS="-nostdinc $openssl_includes" LDFLAGS="-nodefaultlibs $openssl_libs" LIBS="-lc" ./configure
Recipe 3
If none of the previous recipes work, you can install the following
patch which removes OpenSSL 0.9.7d header files and libraries for
linking from your system:
151915-07 (or greater) OpenSSL 0.9.7 patch
(Bug 22504845: OpenSSL 0.9.7 removal from Solaris 10 - phase 1)
In particular, after that patch is installed:
- The directory /usr/sfw/include/openssl is empty
- Symlinks for linking /usr/sfw/lib/lib{crypto,ssl}.so and
/usr/sfw/lib/64/lib{crypto,ssl}.so do not exist
This means the patch will prevent compiling against OpenSSL 0.9.7d.
Existing programs linked against that version will continue working.
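To confirm that a program built with one of the recipes above resolves the new
libraries and not the old tree under /usr/sfw/lib, its ldd output can be
checked. The following is an added example, not part of the Oracle README; the
function name check_openssl_links and the sample ldd lines are constructed for
illustration, and the 0.9.7 library file names in the sample are assumed.

```shell
#!/bin/sh
# Added example: classify where libssl/libcrypto resolve at run time.
# Input: ldd-style output on stdin, one "name => path" entry per line.
# Exit status:
#   0  every libssl/libcrypto entry resolves outside /usr/sfw/lib
#   1  at least one entry resolves under /usr/sfw/lib (old OpenSSL tree)
#   2  no libssl/libcrypto entry found, or one could not be resolved
check_openssl_links() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen++
            if ($3 ~ /^\/usr\/sfw\/lib\//) {
                old++
                print "OLD      " $1 " => " $3
            } else if ($3 ~ /^\//) {
                print "OK       " $1 " => " $3
            } else {
                # e.g. "(file not found)": the path field is not absolute
                missing++
                print "MISSING  " $1
            }
        }
        END {
            if (old > 0) exit 1
            if (seen == 0 || missing > 0) exit 2
            exit 0
        }'
}

# Constructed sample input. The /usr/lib paths come from the patch file list;
# the 0.9.7 file names are assumed for the sake of the example.
SAMPLE_NEW=' libssl.so.1.0.0 =>  /usr/lib/libssl.so.1.0.0
 libcrypto.so.1.0.0 =>  /usr/lib/libcrypto.so.1.0.0
 libc.so.1 =>  /lib/libc.so.1'
SAMPLE_OLD=' libssl.so.0.9.7 =>  /usr/sfw/lib/libssl.so.0.9.7
 libcrypto.so.0.9.7 =>  /usr/sfw/lib/libcrypto.so.0.9.7
 libc.so.1 =>  /lib/libc.so.1'

# Demonstration on the constructed "new" sample (exit status 0).
# On a real build: ldd ./path/to/binary | check_openssl_links
printf '%s\n' "$SAMPLE_NEW" | check_openssl_links
```

An exit status of 1 means the gcc 3.4.3 search-order problem described above
still applies to that build.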
README -- Last modified date: Thursday, April 13, 2023