Hello community, here is the log from the commit of package openssl-1_0_0 for openSUSE:Factory checked in at 2017-12-09 20:26:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_0_0 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_0_0.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_0_0" Sat Dec 9 20:26:48 2017 rev:12 rq:555246 version:1.0.2n Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-1_0_0/openssl-1_0_0.changes 2017-12-03 10:08:04.286659385 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-1_0_0.new/openssl-1_0_0.changes 2017-12-09 20:26:57.151079410 +0100 @@ -1,0 +2,15 @@ +Fri Dec 8 11:55:06 UTC 2017 - [email protected] + +- update to 1.0.2n + OpenSSL Security Advisory [07 Dec 2017] + * Read/write after SSL object in error state + (CVE-2017-3737, bsc#1071905) + * rsaz_1024_mul_avx2 overflow bug on x86_64 + (CVE-2017-3738, bsc#1071906) +- refreshed patches: + * openssl-rsakeygen-minimum-distance.patch + * openssl-fipslocking.patch + * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + * openssl-1.0.2i-fips.patch + +------------------------------------------------------------------- Old: ---- openssl-1.0.2m.tar.gz openssl-1.0.2m.tar.gz.asc New: ---- openssl-1.0.2n.tar.gz openssl-1.0.2n.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_0_0.spec ++++++ --- /var/tmp/diff_new_pack.rA7mNB/_old 2017-12-09 20:26:58.902995964 +0100 +++ /var/tmp/diff_new_pack.rA7mNB/_new 2017-12-09 20:26:58.906995774 +0100 @@ -26,7 +26,7 @@ %define num_version 1.0.0 %define _rname openssl Name: openssl-1_0_0 -Version: 1.0.2m +Version: 1.0.2n Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL ++++++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++++++ --- /var/tmp/diff_new_pack.rA7mNB/_old 2017-12-09 20:26:58.950993679 +0100 +++ /var/tmp/diff_new_pack.rA7mNB/_new 2017-12-09 20:26:58.950993679 +0100 @@ -4,10 +4,10 @@ Subject: [PATCH] Axe builtin printf implementation, use glibc instead -Index: openssl-1.0.2l/crypto/bio/b_print.c +Index: openssl-1.0.2n/crypto/bio/b_print.c =================================================================== ---- openssl-1.0.2l.orig/crypto/bio/b_print.c 2017-05-25 14:54:38.000000000 +0200 -+++ openssl-1.0.2l/crypto/bio/b_print.c 2017-05-29 11:40:13.460583126 +0200 +--- openssl-1.0.2n.orig/crypto/bio/b_print.c 2017-12-07 14:16:38.000000000 +0100 ++++ openssl-1.0.2n/crypto/bio/b_print.c 2017-12-08 12:58:57.592927209 +0100 @@ -56,17 +56,10 @@ * [including the GNU Public Licence.] */ @@ -338,7 +338,7 @@ - if (cflags == DP_C_SHORT) { - short int *num; - num = va_arg(args, short int *); -- *num = currlen; +- *num = (short int)currlen; - } else if (cflags == DP_C_LONG) { /* XXX */ - long int *num; - num = va_arg(args, long int *); @@ -455,7 +455,7 @@ - if (!(flags & DP_F_UNSIGNED)) { - if (value < 0) { - signvalue = '-'; -- uvalue = -(unsigned LLONG)value; +- uvalue = 0 - (unsigned LLONG)value; - } else if (flags & DP_F_PLUS) - signvalue = '+'; - else if (flags & DP_F_SPACE) ++++++ openssl-1.0.2i-fips.patch ++++++ ++++ 1293 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssl-1_0_0/openssl-1.0.2i-fips.patch ++++ and /work/SRC/openSUSE:Factory/.openssl-1_0_0.new/openssl-1.0.2i-fips.patch ++++++ openssl-fipslocking.patch ++++++ --- /var/tmp/diff_new_pack.rA7mNB/_old 2017-12-09 20:26:59.094986820 +0100 +++ /var/tmp/diff_new_pack.rA7mNB/_new 2017-12-09 20:26:59.094986820 +0100 @@ -1,7 +1,7 @@ -Index: openssl-1.0.2l/crypto/fips/fips_drbg_rand.c +Index: openssl-1.0.2n/crypto/fips/fips_drbg_rand.c =================================================================== ---- openssl-1.0.2l.orig/crypto/fips/fips_drbg_rand.c 2017-05-29 11:40:40.964991552 +0200 -+++ openssl-1.0.2l/crypto/fips/fips_drbg_rand.c 2017-05-29 11:40:47.861093955 +0200 +--- openssl-1.0.2n.orig/crypto/fips/fips_drbg_rand.c 2017-12-08 13:31:56.267746606 +0100 ++++ openssl-1.0.2n/crypto/fips/fips_drbg_rand.c 2017-12-08 13:31:56.307747247 +0100 @@ -82,7 +82,8 @@ static int fips_drbg_bytes(unsigned char if (count > dctx->min_entropy) RAND_load_file("/dev/urandom", count - dctx->min_entropy); @@ -81,10 +81,10 @@ } static const RAND_METHOD rand_drbg_meth = { -Index: openssl-1.0.2l/crypto/rand/md_rand.c +Index: openssl-1.0.2n/crypto/rand/md_rand.c =================================================================== ---- openssl-1.0.2l.orig/crypto/rand/md_rand.c 2017-05-29 11:40:40.916990839 +0200 -+++ openssl-1.0.2l/crypto/rand/md_rand.c 2017-05-29 11:42:43.786815359 +0200 +--- openssl-1.0.2n.orig/crypto/rand/md_rand.c 2017-12-08 13:31:56.267746606 +0100 ++++ openssl-1.0.2n/crypto/rand/md_rand.c 2017-12-08 13:31:56.311747311 +0100 @@ -144,13 +144,6 @@ static long md_count[2] = { 0, 0 }; static double entropy = 0; static int initialized = 0; @@ -267,10 +267,10 @@ return ret; } -Index: openssl-1.0.2l/crypto/rand/rand.h +Index: openssl-1.0.2n/crypto/rand/rand.h =================================================================== ---- openssl-1.0.2l.orig/crypto/rand/rand.h 2017-05-29 11:40:40.964991552 +0200 -+++ openssl-1.0.2l/crypto/rand/rand.h 2017-05-29 11:40:47.861093955 +0200 +--- openssl-1.0.2n.orig/crypto/rand/rand.h 2017-12-08 13:31:56.143744621 +0100 ++++ openssl-1.0.2n/crypto/rand/rand.h 2017-12-08 13:31:56.311747311 +0100 @@ -123,6 +123,8 @@ void RAND_set_fips_drbg_type(int type, i int RAND_init_fips(void); # endif @@ -280,10 +280,10 @@ /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes -Index: openssl-1.0.2l/crypto/rand/rand_lib.c +Index: openssl-1.0.2n/crypto/rand/rand_lib.c =================================================================== ---- openssl-1.0.2l.orig/crypto/rand/rand_lib.c 2017-05-29 11:40:40.968991611 +0200 -+++ openssl-1.0.2l/crypto/rand/rand_lib.c 2017-05-29 11:40:47.861093955 +0200 +--- openssl-1.0.2n.orig/crypto/rand/rand_lib.c 2017-12-08 13:31:56.267746606 +0100 ++++ openssl-1.0.2n/crypto/rand/rand_lib.c 2017-12-08 13:32:55.968702015 +0100 @@ -176,6 +176,41 @@ int RAND_status(void) return 0; } ++++++ openssl-rsakeygen-minimum-distance.patch ++++++ --- /var/tmp/diff_new_pack.rA7mNB/_old 2017-12-09 20:26:59.142984534 +0100 +++ /var/tmp/diff_new_pack.rA7mNB/_new 2017-12-09 20:26:59.142984534 +0100 @@ -1,8 +1,8 @@ -Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +Index: openssl-1.0.2n/crypto/rsa/rsa_gen.c =================================================================== ---- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-13 15:18:47.520016582 +0200 -+++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-13 15:36:32.309233030 +0200 -@@ -465,6 +465,19 @@ static int rsa_builtin_keygen(RSA *rsa, +--- openssl-1.0.2n.orig/crypto/rsa/rsa_gen.c 2017-12-08 13:33:38.057375249 +0100 ++++ openssl-1.0.2n/crypto/rsa/rsa_gen.c 2017-12-08 13:35:47.875450121 +0100 +@@ -466,6 +466,19 @@ static int rsa_builtin_keygen(RSA *rsa, bitsp = (bits + 1) / 2; bitsq = bits - bitsp; @@ -22,7 +22,7 @@ /* We need the RSA components non-NULL */ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) goto err; -@@ -489,6 +502,8 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -491,6 +504,8 @@ static int rsa_builtin_keygen(RSA *rsa, for (;;) { if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) goto err; @@ -31,23 +31,14 @@ if (!BN_sub(r2, rsa->p, BN_value_one())) goto err; if (!BN_gcd(r1, r2, rsa->e, ctx)) -@@ -501,21 +516,17 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -503,10 +518,17 @@ static int rsa_builtin_keygen(RSA *rsa, if (!BN_GENCB_call(cb, 3, 0)) goto err; for (;;) { -- /* -- * When generating ridiculously small keys, we can get stuck -- * continually regenerating the same prime values. Check for this and -- * bail if it happens 3 times. -- */ -- unsigned int degenerate = 0; - do { - if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) - goto err; -- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); -- if (degenerate == 3) { -- ok = 0; /* we set our own err */ -- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); +- } while (BN_cmp(rsa->p, rsa->q) == 0); + /* This function will take care of setting the topmost bit via BN_rand(..,1,1), so + * the maximum distance between p and q is less than 2^bitsq */ + if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) @@ -56,8 +47,7 @@ + continue; + /* check for minimum distance between p and q, 2^(bitsp-100) */ + if (!BN_sub(r2, rsa->q, rsa->p)) - goto err; -- } ++ goto err; + if (BN_ucmp(r2, r3) <= 0) + continue; if (!BN_sub(r2, rsa->q, BN_value_one()))
