Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package osslsigncode for openSUSE:Factory checked in at 2022-04-14 17:25:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/osslsigncode (Old)
 and      /work/SRC/openSUSE:Factory/.osslsigncode.new.1941 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "osslsigncode" Thu Apr 14 17:25:45 2022 rev:8 rq:970103 version:2.3.0 Changes: -------- --- /work/SRC/openSUSE:Factory/osslsigncode/osslsigncode.changes 2018-12-04 20:56:16.508722902 +0100 +++ /work/SRC/openSUSE:Factory/.osslsigncode.new.1941/osslsigncode.changes 2022-04-14 17:26:22.879327616 +0200 
@@ -1,0 +2,35 @@ +Sun Apr 10 15:30:02 UTC 2022 - Dirk M??ller <[email protected]> + +- update to 2.3.0: + * This release fixes several critical memory corruption vulnerabilities. + A malicious attacker could create a file, which, when processed with + osslsigncode, triggers arbitrary code execution. Any previous version + of osslsigncode should be immediately upgraded if the tool is used for + processing of untrusted files. + * fixed non-interactive PVK (MSBLOB) key decryption + * added a bash completion script + * added CA bundle path auto-detection + * CAT files support (thanks to James McKenzie) + * MSI support rewritten without libgsf dependency, which allows + * for handling of all the needed MSI metadata, such as dates + * "-untrusted" option renamed to "-TSA-CAfile" + * "-CRLuntrusted" option renamed to "-TSA-CRLfile" + * numerous bug fixes and improvements + * certificate chain verification support + * timestamp verification support + * CRL verification support ("-CRLfile" option) + * improved CAB signature support + * nested signatures support + * user-specified signing time ("-st" option) by vszakats + * added more tests + * fixed numerous bugs + * dropped OpenSSL 1.1.0 support + * orphaned project adopted by Micha?? 
Trojnara + * ported to OpenSSL 1.1.x + * ported to SoftHSM2 + * add support for pkcs11-based hardware tokens + * improved error reporting of timestamping errors +- drop 0001-Make-code-work-with-OpenSSL-1.1.patch (obsolete) +- add gpg validation + +------------------------------------------------------------------- Old: ---- 0001-Make-code-work-with-OpenSSL-1.1.patch osslsigncode-1.7.1.tar.gz New: ---- COPYING.txt LICENSE.txt osslsigncode-2.3.0.tar.gz osslsigncode-2.3.0.tar.gz.asc osslsigncode.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ osslsigncode.spec ++++++ --- /var/tmp/diff_new_pack.so0X9q/_old 2022-04-14 17:26:23.447328279 +0200 +++ /var/tmp/diff_new_pack.so0X9q/_new 2022-04-14 17:26:23.451328284 +0200 @@ -1,7 +1,7 @@ # # spec file for package osslsigncode # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,25 +12,28 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # -Summary: Platform-independent tool for Authenticode signing of EXE/CAB files -License: GPL-3.0 -Group: Productivity/Security -Url: http://osslsigncode.sourceforge.net/ Name: osslsigncode -Version: 1.7.1 +Version: 2.3.0 Release: 0 -Source0: http://downloads.sourceforge.net/project/osslsigncode/osslsigncode/osslsigncode-%{version}.tar.gz +Summary: Platform-independent tool for Authenticode signing of EXE/CAB files +License: GPL-3.0-only +Group: Productivity/Security +URL: http://osslsigncode.sourceforge.net/ +Source0: https://github.com/mtrojnar/osslsigncode/releases/download/2.3/osslsigncode-%{version}.tar.gz +Source1: https://github.com/mtrojnar/osslsigncode/releases/download/2.3/osslsigncode-%{version}.tar.gz.asc +Source2: https://raw.githubusercontent.com/mtrojnar/osslsigncode/master/LICENSE.txt +Source3: https://raw.githubusercontent.com/mtrojnar/osslsigncode/master/COPYING.txt +Source99: %{name}.keyring BuildRequires: autoconf BuildRequires: automake BuildRequires: libgsf-devel -BuildRequires: pkg-config +BuildRequires: pkgconfig BuildRequires: pkgconfig(libcrypto) >= 1.1 BuildRequires: pkgconfig(libcurl) -Patch0: 0001-Make-code-work-with-OpenSSL-1.1.patch %description osslsigncode is a small utility for placing signatures on Microsoft cabinate 
@@ -38,18 +41,18 @@ %prep %setup -q -%patch0 -p1 + %build +cp -p %{SOURCE2} %{SOURCE3} . %configure -make +%make_build %install %make_install %files -%defattr(-, root, root) -%license COPYING -%doc README -%{_bindir}/* +%license COPYING.txt LICENSE.txt +%{_bindir}/%{name} +%{_datadir}/bash-completion/completions/%{name}.bash %changelog ++++++ COPYING.txt ++++++ ++++ 675 lines (skipped) ++++++ LICENSE.txt ++++++ OpenSSL based Authenticode signing for PE/MSI/Java CAB files. Copyright (C) 2005-2014 Per Allansson <[email protected]> Copyright (C) 2018-2019 Micha?? Trojnara <[email protected]> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here. 
++++++ osslsigncode-1.7.1.tar.gz -> osslsigncode-2.3.0.tar.gz ++++++ ++++ 13930 lines of diff (skipped)
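Review bot: In the osslsigncode.changes hunk (@@ -1,0 +2,35 @@), the first bullet announces fixes for critical memory corruption vulnerabilities that allow arbitrary code execution, but the entry carries no bug or CVE reference, so the security fix cannot be traced from the changelog. If a tracking bug or CVE exists for these issues, cite it on that bullet. Two smaller points in the same entry: the line "* for handling of all the needed MSI metadata, such as dates" continues the previous bullet and should not carry its own asterisk, and the renames of "-untrusted" to "-TSA-CAfile" and "-CRLuntrusted" to "-TSA-CRLfile" change the command line for anyone upgrading from 1.7.1, which deserves a more prominent mention than a line in the middle of the list.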
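Review bot: In the osslsigncode.spec hunk @@ -12,25 +12,28 @@, "BuildRequires: libgsf-devel" is kept as unchanged context although the changelog for this same update says MSI support was rewritten without the libgsf dependency; drop it unless the 2.3.0 build still needs it. Source2 and Source3 are fetched from the "master" branch rather than from the 2.3 release, so LICENSE.txt and COPYING.txt are neither pinned to the packaged version nor covered by the Source1 signature; point them at the release tag or take the files from the signed tarball. The Source0 and Source1 URLs also hard-code "2.3" in the path next to %{version} in the file name, so the next version bump has to touch both places, and the URL tag still points at the SourceForge page while the sources now come from github.com/mtrojnar.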
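Review bot: In the osslsigncode.spec hunk @@ -38,18 +41,18 @@, %prep consists of "%setup -q" only, so nothing in the spec itself checks Source1 (the .asc) against Source99 (the keyring); the "add gpg validation" changelog line then depends entirely on checks done outside this file. If that is the intent, say so in the changelog entry, otherwise add an explicit verification step to %prep before the tarball is unpacked. In the same hunk, "cp -p %{SOURCE2} %{SOURCE3} ." sits in %build, although copying source files into the tree belongs in %prep, and "%doc README" is removed without a replacement, so the package no longer ships any documentation file besides the license texts.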
