24528111 problem in LIBRARY/OPENSSL
24394794 CRL conversions from DER to PEM format fail for large CRL files.
24513545 XMPP element quoting confusion
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/common/patches/052-CVE-2016-6302.patch Mon Aug 29 13:44:04 2016 -0700
@@ -0,0 +1,30 @@
+# The patch is based on the following commit from the upstream:
+# https://github.com/openssl/openssl/commit/baaabfd8fdcec04a691695fad9a664bea43202b6
+# The fix is patched until the new version becomes available
+# from the upstream.
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -3401,9 +3401,7 @@
+ HMAC_CTX hctx;
+ EVP_CIPHER_CTX ctx;
+ SSL_CTX *tctx = s->initial_ctx;
+- /* Need at least keyname + iv + some encrypted data */
+- if (eticklen < 48)
+- return 2;
++
+ /* Initialize session ticket encryption and HMAC contexts */
+ HMAC_CTX_init(&hctx);
+ EVP_CIPHER_CTX_init(&ctx);
+@@ -3437,6 +3435,12 @@
+ if (mlen < 0) {
+ goto err;
+ }
++ /* Sanity check ticket length: must exceed keyname + IV + HMAC */
++ if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
++ HMAC_CTX_cleanup(&hctx);
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return 2;
++ }
+ eticklen -= mlen;
+ /* Check HMAC of encrypted ticket */
+ if (HMAC_Update(&hctx, etick, eticklen) <= 0
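Review bot: Removing the early `eticklen < 48` return in the first inner hunk leaves the ticket length unchecked until the new test in the second inner hunk, and the code between the two is not shown. If that stretch reads the key name or IV at the start of `etick` (upstream's version of this function compares the key name or passes `etick` and `etick + 16` to the ticket key callback there; confirm against this tree), a ticket shorter than 16 bytes plus the IV is read past its end before it is rejected. A minimal guard kept ahead of the context initialisation, such as `if (eticklen < 16 + EVP_MAX_IV_LENGTH) return 2;`, would close that window without bringing back the fixed 48. The new branch also cleans up both contexts by hand, whereas the `mlen < 0` case just above uses `goto err`. The `err` label is outside the hunk, so a one-line comment saying why the two exits differ would help the next reader.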
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/common/patches/053-large-crl.patch Mon Aug 29 13:44:04 2016 -0700
@@ -0,0 +1,19 @@
+# The patch is based on the following commit from the upstream:
+# https://github.com/openssl/openssl/commit/a1eef756cc1948e
+# The fix is patched until the new version becomes available
+# from the upstream.
+--- a/crypto/asn1/x_name.c
++++ b/crypto/asn1/x_name.c
+@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
+ int i, j, ret;
+ STACK_OF(X509_NAME_ENTRY) *entries;
+ X509_NAME_ENTRY *entry;
+- if (len > X509_NAME_MAX) {
+- ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+- return 0;
+- }
++ if (len > X509_NAME_MAX)
++ len = X509_NAME_MAX;
+ q = p;
+
+ /* Get internal representation of Name */
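Review bot: The clamp `len = X509_NAME_MAX` replaces a hard failure with a silent cap on the input length, and nothing in the hunk says why that is safe. Judging by the commit title, `len` is presumably the size of the remaining input (for example a whole CRL) rather than the length of this one name, so the old test rejected large enclosing structures. An oversized name should then still fail in the decoder below, though no longer with `ASN1_R_TOO_LONG`. A comment above the test would record this, e.g. `/* len may cover data after this name; cap it so X509_NAME_MAX still bounds the name itself */`. x509_name_ex_d2i continues past the end of the hunk, so the call that consumes the clamped `len` is not visible and should be checked to confirm it fails cleanly on a name that is cut short.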
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/common/patches/054-xmpp-detection.patch Mon Aug 29 13:44:04 2016 -0700
@@ -0,0 +1,17 @@
+# The patch is based on the following commit from the upstream:
+# https://github.com/openssl/openssl/commit/4e48c77572a9a96a301e362a3646cd3cc7eca0f9
+# The fix is patched until the new version becomes available
+# from the upstream.
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -1640,8 +1640,8 @@
+ "xmlns='jabber:client' to='%s' version='1.0'>", host);
+ seen = BIO_read(sbio, mbuf, BUFSIZZ);
+ mbuf[seen] = 0;
+- while (!strstr
+- (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
++ while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
++ !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) {
+ if (strstr(mbuf, "/stream:features>"))
+ goto shut;
+ seen = BIO_read(sbio, mbuf, BUFSIZZ);
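Review bot: Both `strstr` calls in the new loop condition depend on `mbuf[seen] = 0`, and `seen` is the unchecked return value of `BIO_read` on the line above and again inside the loop. A failed read returns a negative value, so the terminator is written before the start of the buffer. A full read of `BUFSIZZ` bytes puts it at `mbuf[BUFSIZZ]`, which is out of bounds unless `mbuf` has a spare byte (its declaration is outside the hunk). Adding `if (seen <= 0) goto shut;` after each `BIO_read`, and reading at most `BUFSIZZ - 1` bytes if the buffer is exactly `BUFSIZZ`, would cover both cases. The loop body continues past the last line shown.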