Hello community,

here is the log from the commit of package mailx for openSUSE:Factory checked 
in at 2018-11-18 23:19:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mailx (Old)
 and      /work/SRC/openSUSE:Factory/.mailx.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mailx"

Sun Nov 18 23:19:38 2018 rev:40 rq:648674 version:12.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/mailx/mailx.changes      2018-06-15 
14:35:17.740439181 +0200
+++ /work/SRC/openSUSE:Factory/.mailx.new/mailx.changes 2018-11-18 
23:19:52.638363075 +0100
@@ -1,0 +2,17 @@
+Wed Oct 31 18:30:32 UTC 2018 - Cristian Rodríguez <[email protected]>
+
+- Updates to mailx-12.5-openssl-1.1.0f.patch
+   * If the openssl RNG is already
+  seeded (on linux it always is) skip snake-oil reeseeding from
+  file. Update man page accordingly.
+   * Update man page with information that ssl2 and ssl3 are
+     not only deprecated but currently unavailable and that
+     tls1 forces TLS 1.0 but not later versions.
+   * RAND_EGD is also unavailable, not just unused.
+   * set SSL_OP_NO_TICKET, many servers accept session
+     tickets, but almost never rotate them properly, TLS 1.3
+     session tickets are not affected by this flag.
+   * When using client certificates, check if the cert and key
+     match each other.
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mailx.spec ++++++
--- /var/tmp/diff_new_pack.FKQvSD/_old  2018-11-18 23:19:54.342361217 +0100
+++ /var/tmp/diff_new_pack.FKQvSD/_new  2018-11-18 23:19:54.346361212 +0100
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -20,7 +20,6 @@
 BuildRequires:  groff
 BuildRequires:  krb5-devel
 BuildRequires:  man
-BuildRequires:  openssl-devel
 BuildRequires:  pcre
 BuildRequires:  pkg-config
 BuildRequires:  postfix
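Review bot: Dropping `BuildRequires:  openssl-devel` leaves no visible OpenSSL build dependency in this hunk, yet the same submission extends the OpenSSL code path in openssl.c (`SSL_CTX_check_private_key`, `SSL_OP_NO_TICKET`), so TLS support in the built package only survives if the headers are still pulled in elsewhere in the spec, e.g. a `BuildRequires:  pkgconfig(openssl)` line outside this hunk. If no such line exists, mailx's configure step may silently build without SSL rather than fail, which is worth confirming against the resulting binary. The BuildRequires list continues past the end of the hunk.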

++++++ mailx-12.5-openssl-1.1.0f.patch ++++++
--- /var/tmp/diff_new_pack.FKQvSD/_old  2018-11-18 23:19:54.394361161 +0100
+++ /var/tmp/diff_new_pack.FKQvSD/_new  2018-11-18 23:19:54.394361161 +0100
@@ -3,30 +3,57 @@
  openssl.c |   29 ++++++++++++++++++++++++++---
  2 files changed, 31 insertions(+), 3 deletions(-)
 
---- mailx.1
-+++ mailx.1    2017-06-13 10:10:21.024015088 +0000
+Index: mailx.1
+===================================================================
+--- mailx.1.orig
++++ mailx.1
 @@ -2723,6 +2723,8 @@ Only applicable if SSL/TLS support is bu
  Accept SSLv2 connections.
  These are normally not allowed
  because this protocol version is insecure.
 +.br
-+.B WARNING: on modern systems SSLv2 as well as SSLv3 are deprecated!
++.B WARNING: on modern systems SSLv2 as well as SSLv3 are unavailable!
  .TP
  .B stealthmua
  Inhibits the generation of
-@@ -3609,6 +3611,9 @@ for a specific account.
+@@ -3599,6 +3601,8 @@ Selects a SSL/TLS protocol version;
+ valid values are `ssl2', `ssl3', and `tls1'.
+ If unset, the method is selected automatically,
+ if possible.
++.br
++.B WARNING: Do not use this option. 'ssl2', 'ssl3' are no longer available 
and 'tls1' forces use of TLS 1.0
+ .TP
+ \fBssl-method-\fIuser\fB@\fIhost\fR
+ Overrides
+@@ -3609,6 +3613,8 @@ for a specific account.
  Gives the pathname to an entropy daemon socket,
  see
  .IR RAND_egd (3).
 +.br
-+.B WARNING: On Linux this API is ignored, use the string option
-+.B ssl-rand-file.
++.B WARNING: On Linux this API is unavailable.
  .TP
  .B ssl-rand-file
  Gives the pathname to a file with entropy data,
---- openssl.c
-+++ openssl.c  2017-06-13 10:05:15.133697760 +0000
-@@ -138,7 +138,12 @@ ssl_rand_init(void)
+@@ -3617,6 +3623,8 @@ see
+ If the file is a regular file writable by the invoking user,
+ new data is written to it after it has been loaded.
+ Only applicable if SSL/TLS support is built using OpenSSL.
++.br
++.B WARNING: On linux the CSPRNG is seeded automatically and this option has 
no effect.
+ .TP
+ .B ssl-verify
+ Sets the action to be performed if an error occurs
+Index: openssl.c
+===================================================================
+--- openssl.c.orig
++++ openssl.c
+@@ -135,10 +135,18 @@ ssl_rand_init(void)
+ {
+       char *cp;
+       int state = 0;
++      
++      if(RAND_status())
++              return 1;
  
        if ((cp = value("ssl-rand-egd")) != NULL) {
                cp = expand(cp);
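Review bot: The early `return 1` on `RAND_status()` makes a configured `ssl-rand-egd` or `ssl-rand-file` silently irrelevant whenever OpenSSL already reports itself seeded, which matches the man-page text added in this same hunk, but the code itself carries no explanation of why the user's setting is skipped; suggest a comment above the check: `/* A CSPRNG that is already seeded (always the case with OpenSSL 1.1 on Linux) needs no legacy file/EGD input; only fall back to those sources when OpenSSL reports itself unseeded. */`. As a point of style, the new `if(RAND_status())` drops the space the file uses elsewhere (`if ((cp = value(...` directly below), and the added blank line carries trailing whitespace; `if (RAND_status())` and an empty line keep the diff clean. The remainder of ssl_rand_init, including the `state` bookkeeping the early return bypasses, lies outside this hunk.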
@@ -40,7 +67,7 @@
                        fprintf(stderr, catgets(catd, CATSET, 245,
                                "entropy daemon at \"%s\" not available\n"),
                                        cp);
-@@ -221,12 +226,13 @@ ssl_select_method(const char *uhp)
+@@ -221,12 +229,13 @@ ssl_select_method(const char *uhp)
  
        cp = ssl_method_string(uhp);
        if (cp != NULL) {
@@ -56,7 +83,7 @@
                        method = SSLv3_client_method();
                else if (equal(cp, "tls1"))
                        method = TLSv1_client_method();
-@@ -235,8 +241,25 @@ ssl_select_method(const char *uhp)
+@@ -235,8 +244,25 @@ ssl_select_method(const char *uhp)
                                        "Invalid SSL method \"%s\"\n"), cp);
                        method = SSLv23_client_method();
                }
@@ -82,3 +109,21 @@
        return method;
  }
  
+@@ -307,6 +333,8 @@ ssl_certificate(struct sock *sp, const c
+                               "cannot load private key from file %s\n"),
+                                               key);
+                       ac_free(keyvar);
++                      if(SSL_CTX_check_private_key(sp->s_ctx) != 1)
++                              fprintf(stderr, "certificate/key mismatch");
+               } else
+                       fprintf(stderr, catgets(catd, CATSET, 239,
+                               "cannot load certificate from file %s\n"),
+@@ -383,7 +411,7 @@ ssl_open(const char *server, struct sock
+       /* available with OpenSSL 0.9.6 or later */
+       SSL_CTX_set_mode(sp->s_ctx, SSL_MODE_AUTO_RETRY);
+ #endif        /* SSL_MODE_AUTO_RETRY */
+-      options = SSL_OP_ALL;
++      options = SSL_OP_ALL|SSL_OP_NO_TICKET;
+       if (value("ssl-v2-allow") == NULL)
+               options |= SSL_OP_NO_SSLv2;
+       SSL_CTX_set_options(sp->s_ctx, options);
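Review bot: `SSL_CTX_check_private_key(sp->s_ctx)` is placed after the private-key load's failure message rather than inside its success path, so when `SSL_CTX_use_PrivateKey_file()` has already failed and printed "cannot load private key", the new check fails too and a second, misleading "certificate/key mismatch" follows; judging by the indentation the `if` owning that message starts above the hunk, so the check should move into its `else` branch. The new message also lacks the trailing newline every neighbouring diagnostic carries and the `if(` spacing the file uses, e.g. `if (SSL_CTX_check_private_key(sp->s_ctx) != 1)` / `fprintf(stderr, "certificate/key mismatch\n");`. Note that, like the existing load failures, a mismatch is only reported and the function carries on with the context, so the error will surface later as a handshake failure rather than here; ssl_certificate begins and ends outside the hunk.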

