Hello community,

here is the log from the commit of package openssl for openSUSE:Factory checked 
in at 2014-04-26 17:01:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
 and      /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes  2014-04-18 
11:07:27.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes     2014-04-26 
17:01:46.000000000 +0200
@@ -1,0 +2,47 @@
+Sun Apr 20 00:53:34 UTC 2014 - [email protected]
+
+- Build everything with full RELRO (-Wl,-z,relro,-z,now)
+- Remove -fstack-protector from the hardcoded build options
+  it is already in RPM_OPT_FLAGS and is replaced by 
+  -fstack-protector-strong with gcc 4.9
+
+-------------------------------------------------------------------
+Sun Apr 20 00:49:25 UTC 2014 - [email protected]
+
+- Remove the "gmp" and "capi" shared engines, nobody noticed 
+  but they are just dummies that do nothing. 
+
+-------------------------------------------------------------------
+Sat Apr 19 22:29:10 UTC 2014 - [email protected]
+
+- Use enable-rfc3779 to allow projects such as rpki.net 
+  to work in openSUSE and match the functionality
+  available in Debian/Fedora/etc
+
+-------------------------------------------------------------------
+Sat Apr 19 22:22:01 UTC 2014 - [email protected]
+
+- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix 
+  CVE-2010-5298 and disable the internal BUF_FREELISTS
+  functionality. it hides bugs like heartbleed and is
+  there only for systems on which malloc() free() are slow.
+
+- ensure we export MALLOC_CHECK and PERTURB during the test
+  suite, now that the freelist functionality is disabled it
+  will help to catch bugs before they hit users.
+
+-------------------------------------------------------------------
+Sat Apr 19 03:45:20 UTC 2014 - [email protected]
+
+- openssl-libssl-noweakciphers.patch do not offer "export"
+  or "low" quality ciphers by default. using such ciphers
+  is not forbidden but requires an explicit request
+
+-------------------------------------------------------------------
+Fri Apr 18 14:07:47 UTC 2014 - [email protected]
+
+- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does 
+  not return memory of "num * old_num" but only "num" size
+  fortunately this function is currently unused.
+
+-------------------------------------------------------------------

New:
----
  openssl-buffreelistbug-aka-CVE-2010-5298.patch
  openssl-libssl-noweakciphers.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.Nrfoy5/_old  2014-04-26 17:01:47.000000000 +0200
+++ /var/tmp/diff_new_pack.Nrfoy5/_new  2014-04-26 17:01:47.000000000 +0200
@@ -65,6 +65,8 @@
 Patch17:        openssl-1.0.1e-fips-ctor.patch
 Patch18:        openssl-1.0.1e-new-fips-reqs.patch
 Patch19:        openssl-gcc-attributes.patch
+Patch20:        openssl-buffreelistbug-aka-CVE-2010-5298.patch
+Patch21:        openssl-libssl-noweakciphers.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -171,6 +173,8 @@
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
+%patch21 -p1
 cp -p %{S:10} .
 cp -p %{S:11} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -220,6 +224,7 @@
 fips \
 %if 0%{suse_version} > 1310
 no-ssl2 \
+enable-rfc3779 \
 %endif
 %ifarch x86_64 
 enable-ec_nistp_64_gcc_128 \
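Review bot: `enable-rfc3779` at L101 is placed inside the `%if 0%{suse_version} > 1310` block that exists for `no-ssl2`, so the RFC 3779 extensions are silently omitted on older targets even though the changelog states the goal is parity with Debian/Fedora. If that gating is deliberate, a one-line comment next to it would prevent a later "fix", e.g. `# RFC 3779 (IP/AS resource certificates) only on >= 13.2, see changelog 2014-04-19`; if it is not, the option belongs outside the `%if`. The Configure argument list continues outside this hunk.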
@@ -232,18 +237,16 @@
 --openssldir=%{ssletcdir} \
 $RPM_OPT_FLAGS -O3 -std=gnu99 \
 -Wa,--noexecstack \
+-Wl,-z,relro,-z,now \
 -fomit-frame-pointer \
 -DTERMIO \
 -DPURIFY \
 -DSSL_FORBID_ENULL \
 -D_GNU_SOURCE \
+-DOPENSSL_NO_BUF_FREELISTS \
 $(getconf LFS_CFLAGS) \
-%ifnarch hppa aarch64
--Wall \
--fstack-protector "
-%else
 -Wall "
-%endif
+
 #
 #%{!?do_profiling:%define do_profiling 0}
 #%if %do_profiling
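Review bot: Dropping the `%ifnarch hppa aarch64` branch (L117-L122) leaves no trace in the spec of where the stack protector now comes from; the changelog says `$RPM_OPT_FLAGS`, so a comment beside `$RPM_OPT_FLAGS -O3 -std=gnu99 \` at L107 such as `# -fstack-protector(-strong with gcc 4.9) is supplied by $RPM_OPT_FLAGS, do not hardcode it here` records that dependency. The previous layout excluded hppa and aarch64 from `-fstack-protector` on purpose, so it is worth confirming that RPM_OPT_FLAGS actually carries the flag on those arches (or that they build without it) before relying on it. `-Wl,-z,relro,-z,now` at L109 and `-DOPENSSL_NO_BUF_FREELISTS` at L115 are passed through Configure's flag string, which is the right place for them since OpenSSL uses the same string for compile and link. The `+` at L123 adds a bare empty line after the closing quote and can be dropped.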
@@ -278,7 +281,8 @@
 # These files are just there for the make test below...
 crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac
 crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac
-
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB=""
        %ifnarch armv4l
        LD_LIBRARY_PATH=`pwd` make test
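Review bot: The random `MALLOC_PERTURB_` value chosen at L133 is never written to the build log, so a test failure that only shows up with a particular fill byte cannot be reproduced from the log; add `echo "MALLOC_PERTURB_=$MALLOC_PERTURB_"` right after the export. `% 255 + 1` keeps the value in 1..255, which correctly avoids 0 (glibc treats 0 as disabled), and `MALLOC_CHECK_=3` at L132 makes glibc abort on detected heap corruption rather than print and continue, which is what you want in %check. `$RANDOM` is a bash extension, so this presumes the build shell is bash; the surrounding `$(( ))` usage already makes the same assumption. Both exports remain in effect for the second `make test` under `%ifnarch armv4l`, which looks intended.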
@@ -401,7 +405,7 @@
 ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
 ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
 
-for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
+for engine in 4758cca atalla nuron sureware ubsec cswift chil aep gmp capi; do
 rm %{buildroot}/%{_lib}/engines/lib$engine.so
 done
 


++++++ openssl-buffreelistbug-aka-CVE-2010-5298.patch ++++++
--- openssl-1.0.1g.orig/ssl/s3_pkt.c
+++ openssl-1.0.1g/ssl/s3_pkt.c
@@ -1055,8 +1055,8 @@ start:
                                {
                                s->rstate=SSL_ST_READ_HEADER;
                                rr->off=0;
-                               if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-                                       ssl3_release_read_buffer(s);
+                               if (s->mode & SSL_MODE_RELEASE_BUFFERS && 
s->s3->rbuf.left == 0)
+                                           ssl3_release_read_buffer(s);
                                }
                        }
                return(n);
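Review bot: The new condition at L157-L158 is shown broken across two lines inside the `if` expression; if the stored patch really contains that line break the change would still be valid C, but it reads as a mail-wrapping artifact and should be verified to be a single line in the file that ships. The guard itself is the correct fix for CVE-2010-5298: the read buffer must not be handed back while `s->s3->rbuf.left` still holds unread bytes, and a comment on the line, `/* CVE-2010-5298: never release the read buffer while bytes remain in it */`, would tie the check to the reason. The replacement call at L159 is indented with spaces to a different column than the surrounding tab-aligned code; matching the original's tab indentation keeps the hunk minimal. The enclosing function starts and ends outside this hunk, so the corresponding write-buffer path cannot be reviewed here.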
++++++ openssl-gcc-attributes.patch ++++++
--- /var/tmp/diff_new_pack.Nrfoy5/_old  2014-04-26 17:01:47.000000000 +0200
+++ /var/tmp/diff_new_pack.Nrfoy5/_new  2014-04-26 17:01:47.000000000 +0200
@@ -27,7 +27,7 @@
  void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
 -                         int line);
 -void *CRYPTO_remalloc(void *addr,int num, const char *file, int line);
-+                         int line) __attribute__((alloc_size(2, 3)));
++                         int line) __attribute__((alloc_size(3)));
 +void *CRYPTO_remalloc(void *addr,int num, const char *file, int line) 
__attribute__((alloc_size(2)));
  
  void OPENSSL_cleanse(void *ptr, size_t len);
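Review bot: `alloc_size(3)` at L171 is only correct because `num` is the byte count of the new allocation while `old_num` is the number of bytes copied and cleansed from the old one; the changelog states this and it matches how CRYPTO_realloc_clean is implemented, but a one-line note in the patch description, `CRYPTO_realloc_clean allocates num bytes, old_num is only the copy/cleanse length`, would stop the `alloc_size(2, 3)` thinko from being reintroduced. The CRYPTO_remalloc prototype at L172-L173 appears wrapped mid-line; if the stored patch contains that break the attribute becomes a stray malformed line, so confirm it is only mail wrapping.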

++++++ openssl-libssl-noweakciphers.patch ++++++
--- openssl-1.0.1g.orig/ssl/ssl.h
+++ openssl-1.0.1g/ssl/ssl.h
@@ -331,7 +331,7 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST        "ALL:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST        "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"
 /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
  * throwing out anonymous and unencrypted ciphersuites!
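Review bot: The comment that follows the define (L186-L188) still says all DEFAULT has to do is throw out anonymous and unencrypted ciphersuites; with `!EXPORT:!LOW` added at L185 it should be extended, e.g. `* throwing out anonymous, unencrypted, export-grade and low-strength ciphersuites!`, so the comment and the string agree. Note that only the `DEFAULT` keyword is affected: an application that passes its own cipher string (including a plain "ALL") still gets EXPORT and LOW suites, so this is a safer default, not a system-wide policy, and that distinction may be worth stating in the changelog entry.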
