Hello community,

Here is the log from the commit of package openssl for openSUSE:Factory checked in at 2016-05-08 10:38:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
 and      /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes  2016-04-22 
16:17:18.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes     2016-05-08 
10:38:50.000000000 +0200
@@ -1,0 +2,39 @@
+Tue May  3 14:43:47 UTC 2016 - vci...@suse.com
+
+- OpenSSL Security Advisory [3rd May 2016]
+- update to 1.0.2h (boo#977584, boo#977663)
+  * Prevent padding oracle in AES-NI CBC MAC check
+     A MITM attacker can use a padding oracle attack to decrypt traffic
+     when the connection uses an AES CBC cipher and the server support
+     AES-NI.
+     (CVE-2016-2107, boo#977616)
+  * Fix EVP_EncodeUpdate overflow
+     An overflow can occur in the EVP_EncodeUpdate() function which is used for
+     Base64 encoding of binary data. If an attacker is able to supply very 
large
+     amounts of input data then a length check can overflow resulting in a heap
+     corruption.
+     (CVE-2016-2105, boo#977614)
+  * Fix EVP_EncryptUpdate overflow
+     An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+     is able to supply very large amounts of input data after a previous call 
to
+     EVP_EncryptUpdate() with a partial block then a length check can overflow
+     resulting in a heap corruption.
+     (CVE-2016-2106, boo#977615)
+  * Prevent ASN.1 BIO excessive memory allocation
+     When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+     a short invalid encoding can casuse allocation of large amounts of memory
+     potentially consuming excessive resources or exhausting memory.
+     (CVE-2016-2109, boo#976942)
+  * EBCDIC overread
+     ASN1 Strings that are over 1024 bytes can cause an overread in 
applications
+     using the X509_NAME_oneline() function on EBCDIC systems. This could 
result
+     in arbitrary stack data being returned in the buffer.
+     (CVE-2016-2176, boo#978224)
+  * Modify behavior of ALPN to invoke callback after SNI/servername
+     callback, such that updates to the SSL_CTX affect ALPN.
+  * Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
+     default.
+  * Only remove the SSLv2 methods with the no-ssl2-method option. When the
+     methods are enabled and ssl2 is disabled the methods return NULL.
+
+-------------------------------------------------------------------
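Review bot: three typos in the new changelog entry should be fixed before accepting: "when the connection uses an AES CBC cipher and the server support AES-NI" should read "supports", "a short invalid encoding can casuse allocation" should read "cause", and "This removes singles DES from the default" should read "single DES". The CVE and boo# references are otherwise consistent with the advisory items listed, and the version bump to 1.0.2h matches the new tarball in the "New:" section.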

Old:
----
  openssl-1.0.2g.tar.gz
  openssl-1.0.2g.tar.gz.asc

New:
----
  openssl-1.0.2h.tar.gz
  openssl-1.0.2h.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.RBup3R/_old  2016-05-08 10:38:52.000000000 +0200
+++ /var/tmp/diff_new_pack.RBup3R/_new  2016-05-08 10:38:52.000000000 +0200
@@ -29,7 +29,7 @@
 %ifarch ppc64
 Obsoletes:      openssl-64bit
 %endif
-Version:        1.0.2g
+Version:        1.0.2h
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        OpenSSL

++++++ openssl-1.0.1e-add-suse-default-cipher.patch ++++++
--- /var/tmp/diff_new_pack.RBup3R/_old  2016-05-08 10:38:52.000000000 +0200
+++ /var/tmp/diff_new_pack.RBup3R/_new  2016-05-08 10:38:52.000000000 +0200
@@ -1,8 +1,8 @@
-Index: openssl-1.0.2a/ssl/ssl_ciph.c
+Index: openssl-1.0.2h/ssl/ssl_ciph.c
 ===================================================================
---- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-05-24 14:26:18.132243785 +0200
-+++ openssl-1.0.2a/ssl/ssl_ciph.c      2015-05-24 14:26:18.229245199 +0200
-@@ -1604,7 +1604,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+--- openssl-1.0.2h.orig/ssl/ssl_ciph.c 2016-05-03 16:36:50.482900040 +0200
++++ openssl-1.0.2h/ssl/ssl_ciph.c      2016-05-03 16:36:51.951922883 +0200
+@@ -1608,7 +1608,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
       */
      ok = 1;
      rule_p = rule_str;
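Review bot: this hunk is a pure rebase (Index, `---`/`+++` headers and the hunk offset moving from 1604 to 1608 for 1.0.2h) with no functional change to review, but the churn itself is the point to raise: the `---`/`+++` lines carry full timestamps, so every refresh rewrites header lines that convey nothing, and the patch file name still says openssl-1.0.1e while its Index now says openssl-1.0.2h. Refreshing without timestamps (e.g. `quilt refresh --no-timestamps`) would keep future rebases of this patch down to the lines that actually change.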
@@ -18,21 +18,20 @@
          ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
                                          &head, &tail, ca_list);
          rule_p += 7;
-Index: openssl-1.0.2a/ssl/ssl.h
+Index: openssl-1.0.2h/ssl/ssl.h
 ===================================================================
---- openssl-1.0.2a.orig/ssl/ssl.h      2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/ssl/ssl.h   2015-05-24 14:31:25.801726491 +0200
-@@ -338,7 +338,12 @@ extern "C" {
+--- openssl-1.0.2h.orig/ssl/ssl.h      2016-05-03 16:36:51.951922883 +0200
++++ openssl-1.0.2h/ssl/ssl.h   2016-05-03 16:41:00.024781841 +0200
+@@ -338,7 +338,11 @@ extern "C" {
   * The following cipher list is used by default. It also is substituted when
   * an application-defined cipher list string starts with 'DEFAULT'.
   */
--# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
-+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
+-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
++# define SSL_DEFAULT_CIPHER_LIST 
"ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
 +
 +# define SSL_DEFAULT_SUSE_CIPHER_LIST 
"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
 +    
"DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
 +    
"AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
-+
  /*
   * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
   * starts with a reasonable order, and all we have to do for DEFAULT is
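Review bot: in the `SSL_DEFAULT_CIPHER_LIST` change the upstream context now carries `!LOW`, which in 1.0.2 already excludes the single-DES suites, so the SUSE `:!RC2:!DES` suffix on that define is now largely redundant (RC2 was already covered by `!EXPORT:!SSLv2`); harmless, but a one-line comment in the patch header saying why it is kept would spare the next rebase from re-deriving this. Note also that `!DES` matches single DES only, not the three `DES-CBC3-SHA` variants that close `SSL_DEFAULT_SUSE_CIPHER_LIST`, so those 3DES suites stay available as a last-resort fallback, which appears intended given their position at the end of the list. The removed trailing `+` blank line is cosmetic and is correctly reflected in the hunk header going from +12 to +11.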

++++++ openssl-1.0.2e-fips.patch ++++++
++++ 1330 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssl/openssl-1.0.2e-fips.patch
++++ and /work/SRC/openSUSE:Factory/.openssl.new/openssl-1.0.2e-fips.patch