Started by timer533504ac3e867db3637a6dd386947ebd31b217036bc704ac3e867db3637a6dd386947ebd31b217036bc7refs/remotes/origin/oi/hipster04ac3e867db3637a6dd386947ebd31b217036bc704ac3e867db3637a6dd386947ebd31b217036bc7refs/remotes/origin/oi/hipster38975751b2ff5ccd4825400f4a37a10c38da4a0f23f35751b2ff5ccd4825400f4a37a10c38da4a0f23f3origin/oi/hipster5751b2ff5ccd4825400f4a37a10c38da4a0f23f35751b2ff5ccd4825400f4a37a10c38da4a0f23f3origin/oi/hipster04ac3e867db3637a6dd386947ebd31b217036bc704ac3e867db3637a6dd386947ebd31b217036bc7refs/remotes/origin/oi/hipstergit://github.com/OpenIndiana/oi-userland.gitfalse#53357051502642343illumos-gate #53355335falsefalse53352315SUCCESS1535328300330https://hipster.openindiana.org/jenkins/job/illumos-gate/5335/components/library/openssl/openssl-1.0.2/Makefilecomponents/library/openssl/openssl-1.0.2/manifests/sample-manifest.p5mcomponents/library/openssl/openssl-1.0.2/patches/CVE-2018-0732.patchcomponents/library/openssl/openssl-1.0.2/openssl-1.0.2.p5mcomponents/library/openssl/openssl-1.0.2/patches/CVE-2018-0737.patch211606ddc8f2c04cb15f6567345ccfea77fcec9d1535273146000https://hipster.openindiana.org/jenkins/user/wackiAndreas WacknitzA.Wacknitz@gmx.deOpenSSL 1.0.2p Notes: https://www.openssl.org/news/openssl-1.0.2-notes.html Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p: * Client DoS due to large DH parameter (CVE-2018-0732) * Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) ABI compatible: https://abi-laboratory.pro/index.php?view=objects_report&l=openssl&v1=1.0.2o&v2=1.0.2p Test suite runs looked good. 2018-08-26 10:45:46 +0200211606ddc8f2c04cb15f6567345ccfea77fcec9dOpenSSL 1.0.2pdeletecomponents/library/openssl/openssl-1.0.2/patches/CVE-2018-0737.patcheditcomponents/library/openssl/openssl-1.0.2/Makefiledeletecomponents/library/openssl/openssl-1.0.2/patches/CVE-2018-0732.patcheditcomponents/library/openssl/openssl-1.0.2/manifests/sample-manifest.p5meditcomponents/library/openssl/openssl-1.0.2/openssl-1.0.2.p5mcomponents/network/openssh/Makefilecomponents/network/openssh/patches/CVE-2018-15473.patch43616c8731a48eff82ca79506d41e2b1e3f90baf1535276343000https://hipster.openindiana.org/jenkins/user/wackiAndreas WacknitzA.Wacknitz@gmx.deOpenSSH: fix CVE-2018-15473 (username enumeration) Fix from OpenSSH 7.8p1 (https://www.openssh.com/releasenotes.html): ``` * sshd(8): add some countermeasures against timing attacks used for account validation/enumeration. sshd will enforce a minimum time or each failed authentication attempt consisting of a global 5ms minimum plus an additional per-user 0-4ms delay derived from a host secret. ``` Debian patch: https://sources.debian.org/patches/openssh/1:7.4p1-10+deb9u4/upstream-delay-bailout-for-invalid-authenticating-user.patch/ **Testing (exploit: https://www.exploit-db.com/exploits/45210/)** Affected: ``` $ python 45210.py 192.168.1.12 root [+] Valid username $ python 45210.py 192.168.1.12 thisisinvalid [*] Invalid username ``` Fixed: ``` $ python 45210.py 192.168.1.181 root [+] Valid username $ python 45210.py 192.168.1.181 thisisinvalid [+] Valid username ``` 2018-08-26 11:39:03 +020043616c8731a48eff82ca79506d41e2b1e3f90bafOpenSSH: fix CVE-2018-15473 (username enumeration)addcomponents/network/openssh/patches/CVE-2018-15473.patcheditcomponents/network/openssh/Makefilecomponents/library/libexpat/expat.p5mcomponents/library/libexpat/manifests/sample-manifest.p5mcomponents/library/libexpat/Makefilecomponents/library/libexpat/test/results-all.master04ac3e867db3637a6dd386947ebd31b217036bc71535295895000https://hipster.openindiana.org/jenkins/user/wackiAndreas WacknitzA.Wacknitz@gmx.deexpat 2.2.6 Changes: https://github.com/libexpat/libexpat/blob/R_2_2_6/expat/Changes Notably, fixes UTF-8 bug required for Python 2.7.15 test suite to pass. Test suite now seems to have a different output. 2018-08-26 17:04:55 +020004ac3e867db3637a6dd386947ebd31b217036bc7expat 2.2.6editcomponents/library/libexpat/expat.p5meditcomponents/library/libexpat/manifests/sample-manifest.p5meditcomponents/library/libexpat/Makefileeditcomponents/library/libexpat/test/results-all.mastergithttps://hipster.openindiana.org/jenkins/user/a.wacknitzA.Wacknitz