Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package mbedtls for openSUSE:Factory checked in at 2022-11-05 14:46:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mbedtls (Old)
 and /work/SRC/openSUSE:Factory/.mbedtls.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mbedtls" Sat Nov 5 14:46:57 2022 rev:34 rq:1033622 version:2.28.1 Changes: -------- --- /work/SRC/openSUSE:Factory/mbedtls/mbedtls.changes 2022-01-19 00:35:37.982309228 +0100 +++ /work/SRC/openSUSE:Factory/.mbedtls.new.2275/mbedtls.changes 2022-11-05 14:47:02.606689868 +0100 
@@ -1,0 +2,121 @@ +Fri Nov 4 16:53:36 UTC 2022 - Mia Herkt <m...@0x0.st> + +- Update to 2.28.1: (CVE-2022-35409) + Default behavior changes + + * mbedtls_cipher_set_iv will now fail with ChaCha20 and + ChaCha20+Poly1305 for IV lengths other than 12. The library was + silently overwriting this length with 12, but did not inform + the caller about it. + gh#Mbed-TLS/mbedtls#4301 + + Features + * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA + crypto feature requirements in the file named by the new macro + MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default + psa/crypto_config.h. Furthermore you may name an additional + file to include after the main file with the macro + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE. + + Security + * Zeroize dynamically-allocated buffers used by the PSA Crypto + key storage module before freeing them. These buffers contain + secret key material, and could thus potentially leak the key + through freed heap. + * Fix a potential heap buffer overread in TLS 1.2 server-side + when MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created + with mbedtls_pk_setup_opaque()) is provisioned, and a static + ECDH ciphersuite is selected. This may result in an application + crash or potentially an information leak. + * Fix a buffer overread in DTLS ClientHello parsing in servers + with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. + An unauthenticated client or a man-in-the-middle could cause a + DTLS server to read up to 255 bytes after the end of the SSL + input buffer. The buffer overread only happens when + MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that + depends on the exact configuration: 258 bytes if using + mbedtls_ssl_cookie_check(), and possibly up to 571 bytes with + a custom cookie check function. + Reported by the Cybeats PSI Team. + + Bugfix + * Fix a memory leak if mbedtls_ssl_config_defaults() is called + twice. 
+ * Fix several bugs (warnings, compiler and linker errors, test + failures) in reduced configurations when MBEDTLS_USE_PSA_CRYPTO + is enabled. + * Fix a bug in (D)TLS curve negotiation: when + MBEDTLS_USE_PSA_CRYPTO was enabled and an ECDHE-ECDSA or + ECDHE-RSA key exchange was used, the client would fail to check + that the curve selected by the server for ECDHE was indeed one + that was offered. As a result, the client would accept any + curve that it supported, even if that curve was not allowed + according to its configuration. + gh#Mbed-TLS/mbedtls#5291 + * Fix unit tests that used 0 as the file UID. This failed on some + implementations of PSA ITS. + gh#Mbed-TLS/mbedtls#3838 + * Fix API violation in mbedtls_md_process() test by adding a call + to mbedtls_md_starts(). + gh#Mbed-TLS/mbedtls#2227 + * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. + Add tests to catch bad uses of time.h. + * Fix bug in the alert sending function + mbedtls_ssl_send_alert_message() potentially leading to + corrupted alert messages being sent in case the function needs + to be re-called after initially returning + MBEDTLS_SSL_WANT_WRITE. + gh#Mbed-TLS/mbedtls#1916 + * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled + but none of MBEDTLS_SSL_HW_RECORD_ACCEL, + MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, DTLS handshakes + using CID would crash due to a null pointer dereference. + Fix this. + gh#Mbed-TLS/mbedtls#3998 + * Fix incorrect documentation of mbedtls_x509_crt_profile. The + previous documentation stated that the allowed_pks field + applies to signatures only, but in fact it does apply to the + public key type of the end entity certificate, too. + gh#Mbed-TLS/mbedtls#1992 + * Fix PSA cipher multipart operations using ARC4. Previously, an + IV was required but discarded. Now, an IV is rejected, as it + should be. + * Fix undefined behavior in mbedtls_asn1_find_named_data(), where + val is not NULL and val_len is zero. 
psa_raw_key_agreement() + now returns PSA_ERROR_BUFFER_TOO_SMALL when applicable. + gh#Mbed-TLS/mbedtls#5735 + * Fix a bug in the x25519 example program where the removal of + MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. + gh#Mbed-TLS/mbedtls#4901 + gh#Mbed-TLS/mbedtls#3191 + * Encode X.509 dates before 1/1/2000 as UTCTime rather than + GeneralizedTime. + gh#Mbed-TLS/mbedtls#5465 + * Fix order value of curve x448. + * Fix string representation of DNs when outputting values + containing commas and other special characters, conforming to + RFC 1779. + gh#Mbed-TLS/mbedtls#769 + * Silence a warning from GCC 12 in the selftest program. + gh#Mbed-TLS/mbedtls#5974 + * Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of + 0. + * Fix resource leaks in mbedtls_pk_parse_public_key() in low + memory conditions. + * Fix server connection identifier setting for outgoing encrypted + records on DTLS 1.2 session resumption. After DTLS 1.2 session + resumption with connection identifier, the Mbed TLS client now + properly sends the server connection identifier in encrypted + record headers. + gh#Mbed-TLS/mbedtls#5872 + * Fix a null pointer dereference when performing some operations + on zero represented with 0 limbs (specifically + mbedtls_mpi_mod_int() dividing by 2, and + mbedtls_mpi_write_string() in base 2). + * Fix record sizes larger than 16384 being sometimes accepted + despite being non-compliant. This could not lead to a buffer + overflow. In particular, application data size was already + checked correctly. + + +------------------------------------------------------------------- Old: ---- mbedtls-2.28.0.tar.gz New: ---- mbedtls-2.28.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mbedtls.spec ++++++ --- /var/tmp/diff_new_pack.qyMG8M/_old 2022-11-05 14:47:03.150693041 +0100 +++ /var/tmp/diff_new_pack.qyMG8M/_new 2022-11-05 14:47:03.154693064 +0100 
@@ -1,7 +1,7 @@ # # spec file for package mbedtls # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %define lib_crypto libmbedcrypto7 %define lib_x509 libmbedx509-1 Name: mbedtls -Version: 2.28.0 +Version: 2.28.1 Release: 0 Summary: Libraries for crypto and SSL/TLS protocols License: Apache-2.0 ++++++ mbedtls-2.28.0.tar.gz -> mbedtls-2.28.1.tar.gz ++++++ ++++ 73214 lines of diff (skipped)
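
Review bot: in the mbedtls.changes hunk, the entry header cites CVE-2022-35409, but none of the three items under "Security" is tagged with it, so a reader cannot tell which fix the CVE covers. Put the CVE next to the item it belongs to, and add the matching Bugzilla reference if one exists, so the entry can be traced from a security tracker. The "Default behavior changes" item (mbedtls_cipher_set_iv now failing for ChaCha20 and ChaCha20+Poly1305 IV lengths other than 12) also deserves a check against packages that build against mbedtls, since callers that relied on the silent overwrite will now get an error.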
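
Review bot: in the second mbedtls.spec hunk, Version moves from 2.28.0 to 2.28.1 while the context lines keep "%define lib_crypto libmbedcrypto7" and "%define lib_x509 libmbedx509-1". Please confirm that the sonames of the 2.28.1 libraries still match these package names. The tarball diff (73214 lines) is skipped, so the submission as shown gives no way to check this.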