Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cjose for openSUSE:Factory checked in at 2023-07-18 22:08:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cjose (Old)
 and      /work/SRC/openSUSE:Factory/.cjose.new.3193 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cjose" Tue Jul 18 22:08:36 2023 rev:5 rq:1099228 version:0.6.2.2 Changes: -------- --- /work/SRC/openSUSE:Factory/cjose/cjose.changes 2023-02-07 18:50:53.431713891 +0100 +++ /work/SRC/openSUSE:Factory/.cjose.new.3193/cjose.changes 2023-07-18 22:08:59.899282147 +0200 
@@ -1,0 +2,34 @@ +Tue Jul 18 08:40:48 UTC 2023 - Danilo Spinella <[email protected]> + +- Switch to OpenIDC fork of cjose +- Update to 0.6.2.2: + * use fixed authentication tag length of 16 octets in AES GCM decryption + * avoid use of assert + * fix make on srcdir != builddir +- Update to 0.6.2.1: + * preserve key order in cjose_header_get_raw as well + * fix a memory leak in cjose_jws_import() for invalid JWS + * don't use STACK_ALLOC in cjose_concatkdf_derive +- Update to 0.6.2.0: + * add support for A128GCM and A192GCM encryption + * extract cjose_jwe_encrypt_iv to allow explicit IV + * allow compilation against OpenSSL 3 with #define OPENSSL_API_COMPAT 0x10000000L + * cleanup some warnings about \param lines in header files + * preserve key order in order to be able to compare serialized JWTs + * minor updates for conformance + * check that JWE object has any CEK at all, return error if it doesn't + * fix double free on decrypt ek rsa padding failure + * replace calls to free() with cjose_get_dealloc() in _cjose_jws_build_hdr + * fix buffer overflow in test_cjose_jwe_multiple_recipients + * use fixed size of IV size of 16 bytes for AES-CBC + * fix memory leak already addressed in cjose_jws_build_dig_sha when a JWS is reused for validation + * compile against older versions of check + * rename free() to free_func() in struct key_fntable for memory leak detectors + * check result of cek = cjose_get_alloc()(cek_len) in jwe.c +- Fix CVE-2023-37464, AES GCM decryption routine incorrectly uses the Tag + length from the actual Authentication Tag, bsc#1213385 +- Remove unneeded patches: + * cjose-0.6.1-concatkdf.patch + * cjose-ck_assert_bin_eq.patch + +------------------------------------------------------------------- Old: ---- 0.6.1.tar.gz cjose-0.6.1-concatkdf.patch cjose-ck_assert_bin_eq.patch New: ---- cjose-0.6.2.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cjose.spec ++++++ --- 
/var/tmp/diff_new_pack.o0hvsR/_old 2023-07-18 22:09:00.599286060 +0200 +++ /var/tmp/diff_new_pack.o0hvsR/_new 2023-07-18 22:09:00.607286104 +0200 @@ -17,15 +17,13 @@ Name: cjose -Version: 0.6.1 +Version: 0.6.2.2 Release: 0 Summary: C library implementing the Javascript Object Signing and Encryption (JOSE) License: MIT Group: Development/Libraries/C and C++ -URL: https://github.com/cisco/cjose -Source: https://github.com/cisco/cjose/archive/%{version}.tar.gz -Patch0: cjose-ck_assert_bin_eq.patch -Patch1: cjose-0.6.1-concatkdf.patch +URL: https://github.com/OpenIDC/cjose +Source: https://github.com/OpenIDC/cjose/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: pkgconfig(check) >= 0.9.4
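Review bot: In the cjose.changes hunk, the "Fix CVE-2023-37464 ... bsc#1213385" entry is a standalone bullet placed after the 0.6.2.0 list and does not say which update carries the fix. The 0.6.2.2 item "use fixed authentication tag length of 16 octets in AES GCM decryption" reads as the matching change; consider putting the CVE and bsc reference on or directly under that item so the security fix can be traced to a specific release. The "Remove unneeded patches" entry would also benefit from a short reason per patch (for example, merged upstream), since the changelog does not say why cjose-0.6.1-concatkdf.patch and cjose-ck_assert_bin_eq.patch are no longer needed.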
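Review bot: In the cjose.spec hunk, URL and Source move from github.com/cisco/cjose to github.com/OpenIDC/cjose, which changes the upstream origin of a cryptographic library, yet the only explanation is the changelog line "Switch to OpenIDC fork of cjose". Please record the reason for the switch in the changelog so the new source origin can be audited later. The hunk also drops Patch0 and Patch1 while no %prep change is visible in this diff; confirm that nothing in %prep still references the two removed patches.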
