Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package openssl-1_0_0 for openSUSE:Factory checked in at 2023-06-29 17:27:52

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-1_0_0 (Old)
 and      /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.13546 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_0_0" Thu Jun 29 17:27:52 2023 rev:38 rq:1095763 version:1.0.2u Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-1_0_0/openssl-1_0_0.changes 2023-06-28 10:21:36.228132248 +0200 +++ /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.13546/openssl-1_0_0.changes 2023-06-29 17:28:12.966219859 +0200 @@ -1,0 +2,21 @@ +Tue Jun 20 15:18:56 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com> + +- Improve cross-package provides/conflicts [boo#1210313] + * Remove Conflicts: ssl + * Add Conflicts: openssl(cli) + +------------------------------------------------------------------- +Wed Jun 14 09:34:20 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com> + +- Security Fix: [bsc#1207534, CVE-2022-4304] + * Reworked the Fix for the Timing Oracle in RSA Decryption + The previous fix for this timing side channel turned out to cause + a severe 2-3x performance regression in the typical use case + compared to 1.1.1s. + * Reworked openssl-CVE-2022-4304.patch + * Refreshed patches: + - openssl-CVE-2023-0286.patch + - openssl-CVE-2023-0464.patch + - openssl-CVE-2023-0465.patch + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_0_0.spec ++++++ --- /var/tmp/diff_new_pack.Va8a9h/_old 2023-06-29 17:28:14.278227544 +0200 +++ /var/tmp/diff_new_pack.Va8a9h/_new 2023-06-29 17:28:14.282227568 +0200 @@ -136,8 +136,8 @@ BuildRequires: ed BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) -Conflicts: ssl Provides: ssl +Conflicts: openssl(cli) Provides: openssl(cli) %description @@ -148,7 +148,6 @@ %package -n libopenssl1_0_0 Summary: Secure Sockets and Transport Layer Security -License: OpenSSL Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla # Merge back the hmac files bsc#1185116 
@@ -163,7 +162,6 @@ %package -n libopenssl10 Summary: Secure Sockets and Transport Layer Security -License: OpenSSL Group: Productivity/Networking/Security %description -n libopenssl10 @@ -178,7 +176,6 @@ %package -n libopenssl1_0_0-steam Summary: Secure Sockets and Transport Layer Security for steam -License: OpenSSL Group: Productivity/Networking/Security %description -n libopenssl1_0_0-steam @@ -191,7 +188,6 @@ %package -n libopenssl-1_0_0-devel Summary: Development files for OpenSSL -License: OpenSSL Group: Development/Libraries/C and C++ Requires: libopenssl1_0_0 = %{version} Requires: pkgconfig(zlib) @@ -208,7 +204,6 @@ %package doc Summary: Additional Package Documentation -License: OpenSSL Group: Productivity/Networking/Security Conflicts: openssl-doc Provides: openssl-doc = %{version} @@ -221,7 +216,6 @@ %package cavs Summary: CAVS testing framework and utilities -License: OpenSSL Group: Productivity/Networking/Security Requires: libopenssl1_0_0 = %{version}-%{release} ++++++ openssl-CVE-2022-4304.patch ++++++ ++++ 1307 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssl-1_0_0/openssl-CVE-2022-4304.patch ++++ and /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.13546/openssl-CVE-2022-4304.patch ++++++ openssl-CVE-2023-0286.patch ++++++ --- /var/tmp/diff_new_pack.Va8a9h/_old 2023-06-29 17:28:14.478228716 +0200 +++ /var/tmp/diff_new_pack.Va8a9h/_new 2023-06-29 17:28:14.482228739 +0200 @@ -14,7 +14,7 @@ +++ b/CHANGES @@ -9,6 +9,24 @@ - Changes between 1.0.2o and 1.0.2p [14 Aug 2018] + Changes between 1.0.2t and 1.0.2u [20 Dec 2019] + *) Fixed a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING 
@@ -34,9 +34,9 @@ + + [Hugo Landau] + - *) Client DoS due to large DH parameter - - During key agreement in a TLS handshake using a DH(E) based ciphersuite a + *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli. No EC algorithms are + affected. Analysis suggests that attacks against 2-prime RSA1024, --- a/crypto/x509v3/v3_genn.c +++ b/crypto/x509v3/v3_genn.c @@ -148,7 +148,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GE ++++++ openssl-CVE-2023-0464.patch ++++++ --- /var/tmp/diff_new_pack.Va8a9h/_old 2023-06-29 17:28:14.494228810 +0200 +++ /var/tmp/diff_new_pack.Va8a9h/_new 2023-06-29 17:28:14.498228833 +0200 @@ -27,7 +27,7 @@ +++ b/CHANGES @@ -9,6 +9,14 @@ - Changes between 1.0.2o and 1.0.2p [14 Aug 2018] + Changes between 1.0.2t and 1.0.2u [20 Dec 2019] + *) Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which ++++++ openssl-CVE-2023-0465.patch ++++++ --- /var/tmp/diff_new_pack.Va8a9h/_old 2023-06-29 17:28:14.510228903 +0200 +++ /var/tmp/diff_new_pack.Va8a9h/_new 2023-06-29 17:28:14.514228927 +0200 @@ -30,9 +30,9 @@ + certificate altogether. (CVE-2023-0465) + [Matt Caswell] + - *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure - used in exponentiation with 512-bit moduli. No EC algorithms are - affected. Analysis suggests that attacks against 2-prime RSA1024, + *) Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit --- a/NEWS +++ b/NEWS @@ -7,6 +7,9 @@
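Review bot: the CVE-2022-4304 entry in openssl-1_0_0.changes describes the regression "compared to 1.1.1s", but this package is version 1.0.2u (header: version:1.0.2u), so the stated baseline does not belong to this codebase; restate it against the previous 1.0.2u build of this package, or drop the comparison, so that anyone auditing why the timing-oracle fix was reworked is not sent to the wrong branch. The reworked openssl-CVE-2022-4304.patch itself is 1307 lines and skipped in this log, so neither the performance claim nor the constant-time behaviour of the new code can be checked from here; a pointer to the upstream commit it was backported from would make the rework reviewable.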
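Review bot: in the openssl-1_0_0.spec hunk at @@ -136,8 +136,8 @@ the package now carries both "Provides: openssl(cli)" and "Conflicts: openssl(cli)" with no comment saying that the self-conflict is intentional; add a one-line comment above the pair referencing boo#1210313 and stating that it relies on rpm not applying a package's Conflicts to its own Provides, and that the sibling openssl packages must carry the same Conflicts for the exclusion to be mutual, since a reader of this spec alone cannot tell the change from a copy-paste slip. The same comment should note that "Conflicts: ssl" was dropped while "Provides: ssl" stays, which matches the changes entry but is otherwise unexplained in the spec.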
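Review bot: the six spec hunks that remove "License: OpenSSL" from the libopenssl1_0_0, libopenssl10, libopenssl1_0_0-steam, libopenssl-1_0_0-devel, doc and cavs subpackages are not mentioned anywhere in the openssl-1_0_0.changes entry; record them there, since the subpackages now inherit the main package's License tag, and confirm that the main package's License line is also OpenSSL so the effective license of every subpackage is unchanged. Neither the main License line nor its value is visible in this diff, so that check cannot be done from the log.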
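Review bot: the refreshed openssl-CVE-2023-0286.patch, openssl-CVE-2023-0464.patch and openssl-CVE-2023-0465.patch change only context lines of their CHANGES and NEWS hunks (the header moves from "Changes between 1.0.2o and 1.0.2p [14 Aug 2018]" to "Changes between 1.0.2t and 1.0.2u [20 Dec 2019]", and the neighbouring entries such as "Client DoS due to large DH parameter" and "Fixed an an overflow bug in the x64_64 Montgomery squaring procedure" are re-ordered after the CVE-2022-4304 rework), while the code hunks, for example crypto/x509v3/v3_genn.c at @@ -148,7 +148,7 @@ in GENERAL_NAME_cmp, appear only as unchanged context. The changes entry's "Refreshed patches" is accurate, but stating explicitly that no functional change to the three fixes is intended would spare the next reviewer from re-auditing them.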