Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2016-09-28 15:03:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl" Changes: -------- --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2016-05-08 10:38:50.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2016-09-28 15:03:35.000000000 +0200 
@@ -1,0 +2,39 @@ +Tue Sep 27 06:20:03 UTC 2016 - [email protected] + +- update to openssl-1.0.2j + * Missing CRL sanity check (CVE-2016-7052 bsc#1001148) + +------------------------------------------------------------------- +Fri Sep 23 08:22:01 UTC 2016 - [email protected] + +- OpenSSL Security Advisory [22 Sep 2016] (bsc#999665) + Severity: High + * OCSP Status Request extension unbounded memory growth + (CVE-2016-6304) (bsc#999666) + Severity: Low + * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575) + * Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249) + * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844) + * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419) + * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749) + * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819) + * Birthday attack against 64-bit block ciphers (SWEET32) + (CVE-2016-2183) (bsc#995359) + * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324) + * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377) + * Certificate message OOB reads (CVE-2016-6306) (bsc#999668) +- update to openssl-1.0.2i + * remove patches: + openssl-1.0.2a-new-fips-reqs.patch + openssl-1.0.2e-fips.patch + * add patches: + openssl-1.0.2i-fips.patch + openssl-1.0.2i-new-fips-reqs.patch + +------------------------------------------------------------------- +Wed Aug 3 12:41:41 UTC 2016 - [email protected] + +- fix crash in print_notice (bsc#998190) + * add openssl-print_notice-NULL_crash.patch + +------------------------------------------------------------------- Old: ---- openssl-1.0.2a-new-fips-reqs.patch openssl-1.0.2e-fips.patch openssl-1.0.2h.tar.gz openssl-1.0.2h.tar.gz.asc New: ---- openssl-1.0.2i-fips.patch openssl-1.0.2i-new-fips-reqs.patch openssl-1.0.2j.tar.gz openssl-1.0.2j.tar.gz.asc openssl-print_notice-NULL_crash.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ 
openssl.spec ++++++ --- /var/tmp/diff_new_pack.aOxkbB/_old 2016-09-28 15:03:37.000000000 +0200 +++ /var/tmp/diff_new_pack.aOxkbB/_new 2016-09-28 15:03:37.000000000 +0200 @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version: 1.0.2h +Version: 1.0.2j Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL @@ -62,10 +62,10 @@ Patch13: openssl-1.0.2a-ipv6-apps.patch Patch14: 0001-libcrypto-Hide-library-private-symbols.patch # FIPS patches: -Patch15: openssl-1.0.2e-fips.patch +Patch15: openssl-1.0.2i-fips.patch Patch16: openssl-1.0.2a-fips-ec.patch Patch17: openssl-1.0.2a-fips-ctor.patch -Patch18: openssl-1.0.2a-new-fips-reqs.patch +Patch18: openssl-1.0.2i-new-fips-reqs.patch Patch19: openssl-gcc-attributes.patch Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch Patch33: openssl-no-egd.patch @@ -85,6 +85,8 @@ Patch58: openssl-fips-clearerror.patch Patch59: openssl-fips-dont-fall-back-to-default-digest.patch +Patch60: openssl-print_notice-NULL_crash.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -204,6 +206,7 @@ %patch57 -p1 %patch58 -p1 %patch59 -p1 +%patch60 -p1 %if 0%{?suse_version} >= 1120 %patch3 %endif ++++++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++++++ --- /var/tmp/diff_new_pack.aOxkbB/_old 2016-09-28 15:03:37.000000000 +0200 +++ /var/tmp/diff_new_pack.aOxkbB/_new 2016-09-28 15:03:37.000000000 +0200 @@ -4,10 +4,10 @@ Subject: [PATCH] Axe builtin printf implementation, use glibc instead -Index: openssl-1.0.2g/crypto/bio/b_print.c +Index: openssl-1.0.2i/crypto/bio/b_print.c =================================================================== ---- openssl-1.0.2g.orig/crypto/bio/b_print.c 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/bio/b_print.c 2016-03-01 15:26:55.597307479 +0100 +--- openssl-1.0.2i.orig/crypto/bio/b_print.c 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/bio/b_print.c 2016-09-23 10:18:39.805097010 +0200 
@@ -56,17 +56,10 @@ * [including the GNU Public Licence.] */ @@ -28,7 +28,7 @@ #include <stdio.h> #include <string.h> #include <ctype.h> -@@ -79,708 +72,6 @@ +@@ -79,714 +72,6 @@ #include <openssl/bn.h> /* To get BN_LLONG properly defined */ #include <openssl/bio.h> @@ -376,9 +376,15 @@ - break; - } - } -- *truncated = (currlen > *maxlen - 1); -- if (*truncated) -- currlen = *maxlen - 1; +- /* +- * We have to truncate if there is no dynamic buffer and we have filled the +- * static buffer. +- */ +- if (buffer == NULL) { +- *truncated = (currlen > *maxlen - 1); +- if (*truncated) +- currlen = *maxlen - 1; +- } - if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0')) - return 0; - *retlen = currlen - 1; @@ -737,7 +743,7 @@ int BIO_printf(BIO *bio, const char *format, ...) { va_list args; -@@ -794,32 +85,36 @@ int BIO_printf(BIO *bio, const char *for +@@ -800,32 +85,36 @@ int BIO_printf(BIO *bio, const char *for return (ret); } @@ -797,7 +803,7 @@ return (ret); } -@@ -835,29 +130,21 @@ int BIO_snprintf(char *buf, size_t n, co +@@ -841,29 +130,21 @@ int BIO_snprintf(char *buf, size_t n, co int ret; va_start(args, format); ++++++ 0001-libcrypto-Hide-library-private-symbols.patch ++++++ ++++ 721 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssl/0001-libcrypto-Hide-library-private-symbols.patch ++++ and /work/SRC/openSUSE:Factory/.openssl.new/0001-libcrypto-Hide-library-private-symbols.patch ++++++ openssl-1.0.2i-fips.patch ++++++ ++++ 13705 lines (skipped) ++++++ openssl-1.0.2i-new-fips-reqs.patch ++++++ ++++ 1365 lines (skipped) ++++++ openssl-fips-dont-fall-back-to-default-digest.patch ++++++ --- /var/tmp/diff_new_pack.aOxkbB/_old 2016-09-28 15:03:37.000000000 +0200 +++ /var/tmp/diff_new_pack.aOxkbB/_new 2016-09-28 15:03:37.000000000 +0200 
@@ -1,7 +1,7 @@ -Index: openssl-1.0.2g/apps/dgst.c +Index: openssl-1.0.2i/apps/dgst.c =================================================================== ---- openssl-1.0.2g.orig/apps/dgst.c 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/apps/dgst.c 2016-04-14 11:04:21.706558132 +0200 +--- openssl-1.0.2i.orig/apps/dgst.c 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/apps/dgst.c 2016-09-23 10:20:02.162323196 +0200 @@ -147,7 +147,7 @@ int MAIN(int argc, char **argv) /* first check the program name */ program_name(argv[0], pname, sizeof pname); @@ -20,12 +20,12 @@ md = m; else break; -Index: openssl-1.0.2g/apps/apps.c +Index: openssl-1.0.2i/apps/apps.c =================================================================== ---- openssl-1.0.2g.orig/apps/apps.c 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/apps/apps.c 2016-04-14 11:04:21.707558145 +0200 -@@ -3226,3 +3226,45 @@ int raw_write_stdout(const void *buf, in - return write(fileno(stdout), buf, siz); +--- openssl-1.0.2i.orig/apps/apps.c 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/apps/apps.c 2016-09-23 10:20:02.162323196 +0200 +@@ -3266,3 +3266,45 @@ int raw_write_stdout(const void *buf, in + return write(fileno_stdout(), buf, siz); } #endif + @@ -70,10 +70,10 @@ + return ciph; + } + -Index: openssl-1.0.2g/apps/apps.h +Index: openssl-1.0.2i/apps/apps.h =================================================================== ---- openssl-1.0.2g.orig/apps/apps.h 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/apps/apps.h 2016-04-14 11:04:21.707558145 +0200 +--- openssl-1.0.2i.orig/apps/apps.h 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/apps/apps.h 2016-09-23 10:20:02.162323196 +0200 @@ -348,6 +348,9 @@ void print_cert_checks(BIO *bio, X509 *x void store_setup_crl_download(X509_STORE *st); 
@@ -84,10 +84,10 @@ # define FORMAT_UNDEF 0 # define FORMAT_ASN1 1 # define FORMAT_TEXT 2 -Index: openssl-1.0.2g/apps/enc.c +Index: openssl-1.0.2i/apps/enc.c =================================================================== ---- openssl-1.0.2g.orig/apps/enc.c 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/apps/enc.c 2016-04-15 13:57:22.782628623 +0200 +--- openssl-1.0.2i.orig/apps/enc.c 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/apps/enc.c 2016-09-23 10:20:02.162323196 +0200 @@ -150,7 +150,7 @@ int MAIN(int argc, char **argv) do_zlib = 1; #endif ++++++ openssl-print_notice-NULL_crash.patch ++++++ Index: openssl-1.0.2i/crypto/x509v3/v3_cpols.c =================================================================== --- openssl-1.0.2i.orig/crypto/x509v3/v3_cpols.c 2016-09-23 11:35:30.509972948 +0200 +++ openssl-1.0.2i/crypto/x509v3/v3_cpols.c 2016-09-23 11:36:16.742667963 +0200 @@ -459,6 +459,8 @@ static void print_notice(BIO *out, USERN if (i) BIO_puts(out, ", "); tmp = i2s_ASN1_INTEGER(NULL, num); + if (tmp == NULL) + return; BIO_puts(out, tmp); OPENSSL_free(tmp); }
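Review bot: The new `if (tmp == NULL) return;` in print_notice (last hunk, openssl-print_notice-NULL_crash.patch) bails out of a void function silently, so when i2s_ASN1_INTEGER() fails part-way through the notice-number list the remaining numbers, and whatever the caller emits after this loop, are dropped with no indication to the caller or to the output stream. That is a defensible trade-off against passing NULL to BIO_puts(), which is presumably the crash bsc#998190 refers to, but nothing in the hunk says so; a one-line comment would stop the next reader from "fixing" it into a `continue` or an unchecked print: `/* i2s_ASN1_INTEGER() failed (allocation/conversion); stop printing rather than pass NULL to BIO_puts() */`. Note that on the failure path there is nothing to free since tmp is NULL, so the early return before OPENSSL_free(tmp) does not leak. The enclosing print_notice body starts before the hunk and continues after the closing brace shown, which ends the for loop rather than the function.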
