Hello community, here is the log from the commit of package xmltooling for openSUSE:Factory checked in at 2015-09-08 17:45:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xmltooling (Old) and /work/SRC/openSUSE:Factory/.xmltooling.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xmltooling" Changes: -------- --- /work/SRC/openSUSE:Factory/xmltooling/xmltooling.changes 2015-08-29 20:04:22.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.xmltooling.new/xmltooling.changes 2015-09-08 18:06:50.000000000 +0200 @@ -1,0 +2,13 @@ +Mon Sep 7 14:39:36 UTC 2015 - [email protected] + +- update to xmltooling 1.5.6 + * [CPPXT-105] - PKIX revocation checking calls OpenSSL's + X509_verify_cert in an unsupported way (breaks with OpenSSL + 1.0.1p/1.0.2d and later) + +------------------------------------------------------------------- +Wed Aug 5 18:04:11 UTC 2015 - [email protected] + +- Add gpg signature + +------------------------------------------------------------------- Old: ---- xmltooling-1.5.5.tar.bz2 New: ---- xmltooling-1.5.6.tar.bz2 xmltooling-1.5.6.tar.bz2.asc xmltooling.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xmltooling.spec ++++++ --- /var/tmp/diff_new_pack.HpoNH6/_old 2015-09-08 18:06:52.000000000 +0200 +++ /var/tmp/diff_new_pack.HpoNH6/_new 2015-09-08 18:06:52.000000000 +0200 
@@ -18,13 +18,15 @@ %define pkgdocdir %{_docdir}/%{name} Name: xmltooling -Version: 1.5.5 +Version: 1.5.6 Release: 0 Summary: OpenSAML XML library License: Apache-2.0 Group: Development/Libraries/C and C++ Url: https://wiki.shibboleth.net/confluence/display/OpenSAML/XMLTooling-C -Source: http://shibboleth.net/downloads/c++-opensaml/2.5.5/%{name}-%{version}.tar.bz2 +Source0: http://shibboleth.net/downloads/c++-opensaml/2.5.5/%{name}-%{version}.tar.bz2 +Source1: http://shibboleth.net/downloads/c++-opensaml/2.5.5/%{name}-%{version}.tar.bz2.asc +Source2: %{name}.keyring Patch0: xmltooling-1.5.5-doxygen_timestamp.patch BuildRequires: boost-devel >= 1.32.0 BuildRequires: curl-devel >= 7.10.6 ++++++ xmltooling-1.5.5.tar.bz2 -> xmltooling-1.5.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.5.5/config_win32.h new/xmltooling-1.5.6/config_win32.h --- old/xmltooling-1.5.5/config_win32.h 2015-07-09 17:16:13.000000000 +0200 +++ new/xmltooling-1.5.6/config_win32.h 2015-08-04 15:46:59.000000000 +0200 @@ -114,13 +114,13 @@ #define PACKAGE_NAME "xmltooling" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "xmltooling 1.5.5" +#define PACKAGE_STRING "xmltooling 1.5.6" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "xmltooling" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.5.5" +#define PACKAGE_VERSION "1.5.6" /* Define to the necessary symbol if this constant uses a non-standard name on your system. */ 
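Review bot: `Source0` and the new `Source1` signature are both fetched over plain `http://` from the same host, so the detached signature adds assurance only if `xmltooling.keyring` (`Source2`) was obtained and its fingerprint checked independently of that download. If the upstream host serves the files over TLS, the lines could read `Source0: https://shibboleth.net/downloads/c++-opensaml/2.5.5/%{name}-%{version}.tar.bz2` and likewise for `Source1`. The hunk shows no step that consumes the signature, so it is worth confirming that the build service actually verifies `Source1` against `Source2` rather than just shipping them. The URL also keeps the hard-coded `2.5.5` directory, which is presumably the upstream release directory for this version but should be confirmed.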
@@ -133,7 +133,7 @@ /* #undef TM_IN_SYS_TIME */ /* Version number of package */ -#define VERSION "1.5.5" +#define VERSION "1.5.6" /* Define if you wish to disable XML-Security-dependent features. */ /* #undef XMLTOOLING_NO_XMLSEC */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.5.5/configure new/xmltooling-1.5.6/configure --- old/xmltooling-1.5.5/configure 2015-07-09 17:28:23.000000000 +0200 +++ new/xmltooling-1.5.6/configure 2015-08-04 15:47:20.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for xmltooling 1.5.5. +# Generated by GNU Autoconf 2.69 for xmltooling 1.5.6. # # Report bugs to <https://issues.shibboleth.net/>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='xmltooling' PACKAGE_TARNAME='xmltooling' -PACKAGE_VERSION='1.5.5' -PACKAGE_STRING='xmltooling 1.5.5' +PACKAGE_VERSION='1.5.6' +PACKAGE_STRING='xmltooling 1.5.6' PACKAGE_BUGREPORT='https://issues.shibboleth.net/' PACKAGE_URL='' @@ -1413,7 +1413,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures xmltooling 1.5.5 to adapt to many kinds of systems. +\`configure' configures xmltooling 1.5.6 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1483,7 +1483,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of xmltooling 1.5.5:";; + short | recursive ) echo "Configuration of xmltooling 1.5.6:";; esac cat <<\_ACEOF @@ -1619,7 +1619,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -xmltooling configure 1.5.5 +xmltooling configure 1.5.6 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2354,7 +2354,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by xmltooling $as_me 1.5.5, which was +It was created by xmltooling $as_me 1.5.6, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3219,7 +3219,7 @@ # Define the identity of the package. PACKAGE='xmltooling' - VERSION='1.5.5' + VERSION='1.5.6' cat >>confdefs.h <<_ACEOF @@ -21680,7 +21680,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by xmltooling $as_me 1.5.5, which was +This file was extended by xmltooling $as_me 1.5.6, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21746,7 +21746,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -xmltooling config.status 1.5.5 +xmltooling config.status 1.5.6 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.5.5/configure.ac new/xmltooling-1.5.6/configure.ac --- old/xmltooling-1.5.5/configure.ac 2015-07-09 17:16:13.000000000 +0200 +++ new/xmltooling-1.5.6/configure.ac 2015-08-04 15:46:59.000000000 +0200 
@@ -1,6 +1,6 @@ # Process this file with autoreconf AC_PREREQ([2.50]) -AC_INIT([xmltooling],[1.5.5],[https://issues.shibboleth.net/],[xmltooling]) +AC_INIT([xmltooling],[1.5.6],[https://issues.shibboleth.net/],[xmltooling]) AC_CONFIG_SRCDIR(xmltooling) AC_CONFIG_AUX_DIR(build-aux) AC_CONFIG_MACRO_DIR(m4) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.5.5/xmltooling/Makefile.am new/xmltooling-1.5.6/xmltooling/Makefile.am --- old/xmltooling-1.5.5/xmltooling/Makefile.am 2015-07-09 17:16:13.000000000 +0200 +++ new/xmltooling-1.5.6/xmltooling/Makefile.am 2015-08-04 15:46:59.000000000 +0200 @@ -204,13 +204,13 @@ libxmltooling_lite_la_SOURCES = \ ${common_sources} libxmltooling_lite_la_CPPFLAGS = -DXMLTOOLING_LITE -libxmltooling_lite_la_LDFLAGS = -version-info 6:5:0 +libxmltooling_lite_la_LDFLAGS = -version-info 6:6:0 if BUILD_XMLSEC libxmltooling_la_SOURCES = \ ${common_sources} \ ${xmlsec_sources} -libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 6:5:0 +libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 6:6:0 endif install-exec-hook: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.5.5/xmltooling/Makefile.in new/xmltooling-1.5.6/xmltooling/Makefile.in --- old/xmltooling-1.5.5/xmltooling/Makefile.in 2015-07-09 17:16:42.000000000 +0200 +++ new/xmltooling-1.5.6/xmltooling/Makefile.in 2015-08-04 15:47:21.000000000 +0200 
@@ -704,12 +704,12 @@ ${common_sources} libxmltooling_lite_la_CPPFLAGS = -DXMLTOOLING_LITE -libxmltooling_lite_la_LDFLAGS = -version-info 6:5:0 +libxmltooling_lite_la_LDFLAGS = -version-info 6:6:0 @BUILD_XMLSEC_TRUE@libxmltooling_la_SOURCES = \ @BUILD_XMLSEC_TRUE@ ${common_sources} \ @BUILD_XMLSEC_TRUE@ ${xmlsec_sources} -@BUILD_XMLSEC_TRUE@libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 6:5:0 +@BUILD_XMLSEC_TRUE@libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 6:6:0 EXTRA_DIST = \ xmltooling.vcxproj \ xmltooling-lite.vcxproj \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.5.5/xmltooling/security/impl/PKIXPathValidator.cpp new/xmltooling-1.5.6/xmltooling/security/impl/PKIXPathValidator.cpp --- old/xmltooling-1.5.5/xmltooling/security/impl/PKIXPathValidator.cpp 2015-07-09 17:16:13.000000000 +0200 +++ new/xmltooling-1.5.6/xmltooling/security/impl/PKIXPathValidator.cpp 2015-08-04 15:46:59.000000000 +0200 @@ -291,7 +291,7 @@ // AFAICT, EE and untrusted are passed in but not owned by the ctx. #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) - if (X509_STORE_CTX_init(&ctx,store,EE,untrusted)!=1) { + if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) { log_openssl(); m_log.error("unable to initialize X509_STORE_CTX"); X509_STORE_free(store); @@ -317,8 +317,8 @@ X509_STORE_CTX_set_verify_cb(&ctx,error_callback); // Do a first pass verify. If CRLs aren't used, this is the only pass. - int ret=X509_verify_cert(&ctx); - if (ret==1) { + int ret = X509_verify_cert(&ctx); + if (ret == 1) { // Now see if the depth was acceptable by counting the number of intermediates. int depth=sk_X509_num(ctx.chain)-2; if (pkixParams->getVerificationDepth() < depth) { 
@@ -327,12 +327,17 @@ (depth==-1) ? 0 : depth, pkixParams->getVerificationDepth() ); - ret=0; + ret = 0; } } - if (pkixParams->getRevocationChecking() != PKIXPathValidatorParams::REVOCATION_OFF) { + // If the first pass succeeded, check to see if we need a second with CRLs. + if (ret == 1 && pkixParams->getRevocationChecking() != PKIXPathValidatorParams::REVOCATION_OFF) { #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) + // After the first X509_verify_cert call, the ctx can no longer be used + // (subsequent calls will fail with OpenSSL 1.0.1p / 1.0.2d or later). + X509_STORE_CTX_cleanup(&ctx); + // When we add CRLs, we have to be sure the nextUpdate hasn't passed, because OpenSSL won't accept // the CRL in that case. If we end up not adding a CRL for a particular link in the chain, the // validation will fail (if the fullChain option was set). 
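Review bot: `X509_STORE_CTX_cleanup(&ctx)` now runs before the CRL-loading code, so `ctx` stays in a released state until the re-initialisation in the later hunk at -391. The lines in between lie outside this hunk. Any read of `ctx` fields there would see a cleaned-up context, and the first pass did use `ctx.chain` for the depth check, so this should be confirmed. A short comment at the cleanup, e.g. `// ctx must not be touched again until the X509_STORE_CTX_init before the second pass`, would make that constraint explicit for future edits.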
@@ -391,12 +396,27 @@ } } - // Do a second pass verify with CRLs in place. - if (pkixParams->getRevocationChecking() == PKIXPathValidatorParams::REVOCATION_FULLCHAIN) - X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); - else - X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK); - ret=X509_verify_cert(&ctx); + // Do a second pass verify with CRLs in place. Reinitialize ctx, see + // https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=aae41f8c54257d9fa6904d3a9aa09c5db6cefd0d +#if (OPENSSL_VERSION_NUMBER >= 0x00907000L) + if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) { + log_openssl(); + m_log.error("unable to initialize X509_STORE_CTX"); + ret = 0; + } +#else + X509_STORE_CTX_init(&ctx,store,EE,untrusted); +#endif + if (ret != 0) { + X509_STORE_CTX_trusted_stack(&ctx,CAstack); + X509_STORE_CTX_set_depth(&ctx,100); // already checked above + X509_STORE_CTX_set_verify_cb(&ctx,error_callback); + if (pkixParams->getRevocationChecking() == PKIXPathValidatorParams::REVOCATION_FULLCHAIN) + X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + else + X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK); + ret = X509_verify_cert(&ctx); + } #else m_log.warn("CRL checking is enabled, but OpenSSL version is too old"); ret = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.5.5/xmltooling/version.h new/xmltooling-1.5.6/xmltooling/version.h --- old/xmltooling-1.5.5/xmltooling/version.h 2015-07-09 17:16:13.000000000 +0200 +++ new/xmltooling-1.5.6/xmltooling/version.h 2015-08-04 15:46:59.000000000 +0200 
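Review bot: The inner `#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)` around the second `X509_STORE_CTX_init` appears to sit inside the outer block opened with the same condition in the previous hunk (its `#else` is the "OpenSSL version is too old" branch at the end of this hunk), so the unchecked `X509_STORE_CTX_init(&ctx,store,EE,untrusted);` branch can never be compiled. Dropping the inner conditional and keeping only the checked call, `if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) { ... ret = 0; }`, removes a path that would ignore an initialisation failure if the guards were ever changed. When re-initialisation fails, `ret = 0` falls through to code outside the hunk; if that code calls `X509_STORE_CTX_cleanup(&ctx)` unconditionally, it would run on a context that was cleaned up and then failed to initialise, which should be confirmed as safe for the supported OpenSSL versions. The lines between the two hunks are not visible, so the nesting is inferred from the hunk edges.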
@@ -44,7 +44,7 @@ #define XMLTOOLING_VERSION_MAJOR 1 #define XMLTOOLING_VERSION_MINOR 5 -#define XMLTOOLING_VERSION_REVISION 5 +#define XMLTOOLING_VERSION_REVISION 6 /** DO NOT MODIFY BELOW THIS LINE */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.5.5/xmltooling/xmltooling.rc new/xmltooling-1.5.6/xmltooling/xmltooling.rc --- old/xmltooling-1.5.5/xmltooling/xmltooling.rc 2015-07-09 17:16:13.000000000 +0200 +++ new/xmltooling-1.5.6/xmltooling/xmltooling.rc 2015-08-04 15:46:59.000000000 +0200 @@ -28,7 +28,7 @@ // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,5,5,0 + FILEVERSION 1,5,6,0 PRODUCTVERSION 2,5,5,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG @@ -51,7 +51,7 @@ #else VALUE "FileDescription", "OpenSAML XMLTooling Library\0" #endif - VALUE "FileVersion", "1, 5, 5, 0\0" + VALUE "FileVersion", "1, 5, 6, 0\0" #ifdef XMLTOOLING_LITE #ifdef _DEBUG VALUE "InternalName", "xmltooling-lite1_5D\0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.5.5/xmltooling.spec new/xmltooling-1.5.6/xmltooling.spec --- old/xmltooling-1.5.5/xmltooling.spec 2015-07-20 19:07:17.000000000 +0200 +++ new/xmltooling-1.5.6/xmltooling.spec 2015-08-04 15:47:45.000000000 +0200 @@ -1,5 +1,5 @@ Name: xmltooling -Version: 1.5.5 +Version: 1.5.6 Release: 1 Summary: OpenSAML XMLTooling library Group: Development/Libraries/C and C++
