commit openssl-1_1 for openSUSE:Leap:15.2:Update
Hello community, here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2:Update checked in at 2020-10-16 00:22:47 Comparing /work/SRC/openSUSE:Leap:15.2:Update/openssl-1_1 (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.openssl-1_1.new.3486 (New) Package is "openssl-1_1" Fri Oct 16 00:22:47 2020 rev:2 rq:841362 version:unknown Changes: New Changes file: NO CHANGES FILE!!! Other differences: -- ++ _link ++ --- /var/tmp/diff_new_pack.OCbww2/_old 2020-10-16 00:22:48.771977601 +0200 +++ /var/tmp/diff_new_pack.OCbww2/_new 2020-10-16 00:22:48.771977601 +0200 @@ -1 +1 @@ - +
commit openssl-1_1 for openSUSE:Leap:15.2
Hello community, here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2 checked in at 2020-05-04 08:22:19 Comparing /work/SRC/openSUSE:Leap:15.2/openssl-1_1 (Old) and /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.2738 (New) Package is "openssl-1_1" Mon May 4 08:22:19 2020 rev:35 rq:797524 version:1.1.1d Changes: --- /work/SRC/openSUSE:Leap:15.2/openssl-1_1/openssl-1_1.changes 2020-03-24 19:05:16.821440358 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.2738/openssl-1_1.changes 2020-05-04 08:22:19.884322595 +0200 @@ -1,0 +2,14 @@ +Mon Apr 20 14:48:22 UTC 2020 - Pedro Monreal Gonzalez + +- Security fix: [bsc#1169407, CVE-2020-1967] + * Segmentation fault in SSL_check_chain: Server applications that +call the SSL_check_chain() function during or after a TLS handshake +may crash due to a NULL pointer dereference as a result of incorrect +handling of the signature_algorithms_cert TLS extension. +- Add patches: + * openssl-CVE-2020-1967.patch + * openssl-CVE-2020-1967-test1.patch + * openssl-CVE-2020-1967-test2.patch + * openssl-CVE-2020-1967-test3.patch + +--- New: openssl-CVE-2020-1967-test1.patch openssl-CVE-2020-1967-test2.patch openssl-CVE-2020-1967-test3.patch openssl-CVE-2020-1967.patch Other differences: -- ++ openssl-1_1.spec ++ --- /var/tmp/diff_new_pack.UvjxHO/_old 2020-05-04 08:22:21.100325201 +0200 +++ /var/tmp/diff_new_pack.UvjxHO/_new 2020-05-04 08:22:21.100325201 +0200 
@@ -89,6 +89,11 @@ # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto) Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch +# PATCH-FIX-UPSTREAM bsc#1169407 CVE-2020-1967 Segmentation fault in SSL_check_chain +Patch52:openssl-CVE-2020-1967.patch +Patch53:openssl-CVE-2020-1967-test1.patch +Patch54:openssl-CVE-2020-1967-test2.patch +Patch55:openssl-CVE-2020-1967-test3.patch BuildRequires: pkgconfig Conflicts: ssl Provides: ssl ++ openssl-CVE-2020-1967-test1.patch ++ @@ -, +, @@ --- test/recipes/70-test_sslsigalgs.t | 66 +-- 1 file changed, 64 insertions(+), 2 deletions(-) Index: openssl-1.1.1d/test/recipes/70-test_sslsigalgs.t === --- openssl-1.1.1d.orig/test/recipes/70-test_sslsigalgs.t +++ openssl-1.1.1d/test/recipes/70-test_sslsigalgs.t @@ -44,7 +44,9 @@ use constant { COMPAT_SIGALGS => 6, SIGALGS_CERT_ALL => 7, SIGALGS_CERT_PKCS => 8, -SIGALGS_CERT_INVALID => 9 +SIGALGS_CERT_INVALID => 9, +UNRECOGNIZED_SIGALGS_CERT => 4, +UNRECOGNIZED_SIGALG => 5 }; #Note: Throughout this test we override the default ciphersuites where TLSv1.2 @@ -53,7 +55,7 @@ use constant { #Test 1: Default sig algs should succeed $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 22; +plan tests => 24; ok(TLSProxy::Message->success, "Default sigalgs"); my $testtype; 
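Review bot: The two constants added to the `use constant` block in the first hunk of test/recipes/70-test_sslsigalgs.t take the values 4 and 5, while the visible neighbours run from 6 to 9. The start of the block is outside the hunk, so this is inferred, but if earlier entries already use 4 and 5, any filter that dispatches on `$testtype` would run a different case. The new CVE-2020-1967 regression tests could then pass without ever sending an unrecognized signature algorithm. I would give them the next unused values as shown in the hunk, `UNRECOGNIZED_SIGALGS_CERT => 10,` and `UNRECOGNIZED_SIGALG => 11`, so the tests really exercise the SSL_check_chain() path.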
@@ -261,6 +263,39 @@ SKIP: { ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert"); } +SKIP: { +skip "TLS 1.3 disabled", 2 if disabled("tls1_3"); +#Test 25: Send an unrecognized signature_algorithms_cert +#We should be able to skip over the unrecognized value and use a +#valid one that appears later in the list. +$proxy->clear(); +$proxy->filter(\_unrecognized_sigalg); +$proxy->clientflags("-tls1_3"); +# Use -xcert to get SSL_check_chain() to run in the cert_cb. This is +# needed to trigger (e.g.) CVE-2020-1967 +$proxy->serverflags("" . +" -xcert " . srctop_file("test", "certs", "servercert.pem") . +" -xkey " . srctop_file("test", "certs", "serverkey.pem") . +" -xchain " . srctop_file("test", "certs", "rootcert.pem")); +$testtype = UNRECOGNIZED_SIGALGS_CERT; +$proxy->start(); +ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello"); + +#Test 26: Send an unrecognized signature_algorithms +#We should be able to skip over the unrecognized value and use a +#valid one that appears later in the list. +$proxy->clear(); +$proxy->filter(\_unrecognized_sigalg); +$proxy->clientflags("-tls1_3"); +$proxy->serverflags("" . +" -xcert " . srctop_file("test", "certs", "servercert.pem") . +" -xkey " . srctop_file("test", "certs", "serverkey.pem") . +" -xchain " . srctop_file("test",
commit openssl-1_1 for openSUSE:Leap:15.2
Hello community, here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2 checked in at 2020-03-24 19:05:13 Comparing /work/SRC/openSUSE:Leap:15.2/openssl-1_1 (Old) and /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160 (New) Package is "openssl-1_1" Tue Mar 24 19:05:13 2020 rev:34 rq:787245 version:1.1.1d Changes: --- /work/SRC/openSUSE:Leap:15.2/openssl-1_1/openssl-1_1.changes 2020-03-20 05:52:30.420047520 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160/openssl-1_1.changes 2020-03-24 19:05:16.821440358 +0100 @@ -1,0 +2,7 @@ +Fri Mar 20 10:22:27 UTC 2020 - Vítězslav Čížek + +- openssl dgst: default to SHA256 only when called without a digest, + not when it couldn't be found (bsc#1166189) + * add openssl-unknown_dgst.patch + +--- New: openssl-unknown_dgst.patch Other differences: -- ++ openssl-1_1.spec ++ --- /var/tmp/diff_new_pack.BidTSR/_old 2020-03-24 19:05:19.145441919 +0100 +++ /var/tmp/diff_new_pack.BidTSR/_new 2020-03-24 19:05:19.145441919 +0100 @@ -85,6 +85,7 @@ Patch44:openssl-fips_fix_selftests_return_value.patch Patch45:openssl-fips-add-SHA3-selftest.patch Patch46:openssl-fips_selftest_upstream_drbg.patch +Patch47:openssl-unknown_dgst.patch # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto) Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch ++ openssl-unknown_dgst.patch ++ Index: openssl-1.1.1d/apps/dgst.c === --- openssl-1.1.1d.orig/apps/dgst.c 2019-09-10 15:13:07.0 +0200 +++ openssl-1.1.1d/apps/dgst.c 2020-03-20 11:20:27.618536409 +0100 
@@ -95,6 +95,10 @@ int dgst_main(int argc, char **argv)
 prog = opt_progname(argv[0]);
 buf = app_malloc(BUFSIZE, "I/O buffer");
 md = EVP_get_digestbyname(prog);
+if (md == NULL && strcmp(prog, "dgst") != 0) {
+BIO_printf(bio_err, "%s is not a known digest\n", prog);
+goto end;
+}
 prog = opt_init(argc, argv, dgst_options);
 while ((o = opt_next()) != OPT_EOF) {
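Review bot: The new early exit in dgst_main() has no comment saying why `dgst` is exempt or why an unknown name must fail rather than fall through. That is the security-relevant part: per the changelog entry, a caller asking for a digest that could not be found previously got a SHA256 result with no sign that the algorithm had been substituted. I would add `/* Invoked under an unknown digest name: fail instead of silently hashing with the default; "dgst" itself selects the default. */` above the `if`. The `end:` label and the initial value of the function's return code are outside the hunk, so it is worth confirming that this path exits non-zero and that scripts checking the exit status see the failure.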
commit openssl-1_1 for openSUSE:Leap:15.2
Hello community, here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2 checked in at 2020-03-20 05:52:26 Comparing /work/SRC/openSUSE:Leap:15.2/openssl-1_1 (Old) and /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160 (New) Package is "openssl-1_1" Fri Mar 20 05:52:26 2020 rev:33 rq:782184 version:1.1.1d Changes: --- /work/SRC/openSUSE:Leap:15.2/openssl-1_1/openssl-1_1.changes 2020-01-19 15:47:02.249686658 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160/openssl-1_1.changes 2020-03-20 05:52:30.420047520 +0100 
@@ -1,0 +2,77 @@ +Wed Mar 4 08:23:23 UTC 2020 - Vítězslav Čížek + +- Limit the DRBG selftests to not deplete entropy (bsc#1165274) + * update openssl-fips_selftest_upstream_drbg.patch + +--- +Wed Feb 26 13:28:14 UTC 2020 - Vítězslav Čížek + +- Run FIPS DRBG selftests against the crypto/rand DRBG implementation + (bsc#1164557) + * add openssl-fips_selftest_upstream_drbg.patch + +--- +Fri Feb 21 08:03:05 UTC 2020 - Vítězslav Čížek + +- Use the newly build libcrypto shared library when computing the hmac + checksums in order to avoid a bootstrapping issue by BuildRequiring + libopenssl1_1 (bsc#1164102) + +--- +Thu Feb 13 10:57:45 UTC 2020 - Vítězslav Čížek + +- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569) + * add openssl-fips_fix_selftests_return_value.patch + +--- +Wed Feb 12 21:14:27 UTC 2020 - Jason Sikes + +- Added SHA3 FIPS self-tests bsc#1155345 + * openssl-fips-add-SHA3-selftest.patch + +--- +Tue Jan 28 12:14:59 UTC 2020 - Pedro Monreal Gonzalez + +- Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7403] +- Add patches: + * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch + * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch + +--- +Thu Jan 23 14:32:28 UTC 2020 - Vítězslav Čížek + +- Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our + layered FIPS initialization (bsc#1161789) + * openssl-fips-ignore_broken_atexit_test.patch + +--- +Wed Jan 22 13:59:15 UTC 2020 - Vítězslav Čížek + +- Import FIPS patches from SLE-15 + * openssl-fips-dont_run_FIPS_module_installed.patch + * openssl-fips_mode.patch + * openssl-ship_fips_standalone_hmac.patch + * openssl-fips-clearerror.patch + * openssl-fips-selftests_in_nonfips_mode.patch + +--- +Tue Jan 21 16:08:21 UTC 2020 - Vítězslav Čížek + +- Don't run FIPS power-up self-tests when the checksum files aren't + installed (bsc#1042392) + * add openssl-fips-run_selftests_only_when_module_is_complete.patch + +--- +Tue Jan 21 11:10:42 UTC 
2020 - Vítězslav Čížek + +- Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) + * openssl-1.1.1-fips-crng-test.patch + * openssl-1.1.1-fips-post-rand.patch + * openssl-1.1.1-fips.patch + * openssl-1.1.0-issuer-hash.patch + * openssl-1.1.1-evp-kdf.patch + * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch +- keep EVP_KDF functions at version 1.1.1d for backward compatibility + * add openssl-keep_EVP_KDF_functions_version.patch + +--- Old: openssl-jsc-SLE-8789-backport_KDF.patch New: openssl-1.1.0-issuer-hash.patch openssl-1.1.1-evp-kdf.patch openssl-1.1.1-fips-crng-test.patch openssl-1.1.1-fips-post-rand.patch openssl-1.1.1-fips.patch openssl-1.1.1-ssh-kdf.patch openssl-fips-add-SHA3-selftest.patch openssl-fips-clearerror.patch openssl-fips-dont_run_FIPS_module_installed.patch openssl-fips-ignore_broken_atexit_test.patch openssl-fips-run_selftests_only_when_module_is_complete.patch openssl-fips-selftests_in_nonfips_mode.patch openssl-fips_fix_selftests_return_value.patch openssl-fips_mode.patch openssl-fips_selftest_upstream_drbg.patch openssl-keep_EVP_KDF_functions_version.patch openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch openssl-ship_fips_standalone_hmac.patch Other differences: -- ++ openssl-1_1.spec ++ --- /var/tmp/diff_new_pack.W4dEKE/_old 2020-03-20 05:52:32.324048789
commit openssl-1_1 for openSUSE:Leap:15.2
Hello community, here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2 checked in at 2020-01-19 15:46:55 Comparing /work/SRC/openSUSE:Leap:15.2/openssl-1_1 (Old) and /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.26092 (New) Package is "openssl-1_1" Sun Jan 19 15:46:55 2020 rev:32 rq:762782 version:1.1.1d Changes: --- /work/SRC/openSUSE:Leap:15.2/openssl-1_1/openssl-1_1.changes 2020-01-15 15:37:19.503023442 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.26092/openssl-1_1.changes 2020-01-19 15:47:02.249686658 +0100 
@@ -1,0 +2,25 @@ +Fri Dec 20 13:44:06 UTC 2019 - Pedro Monreal Gonzalez + +- Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] +- Add patches: + * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch + * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch + * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch + * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch + * openssl-s390xcpuid.pl-fix-comment.patch + * openssl-assembly-pack-accelerate-scalar-multiplication.patch + * openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch + * openssl-s390x-assembly-pack-accelerate-ECDSA.patch + * openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch + * openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch + * openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch + * openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch + * openssl-Fix-9bf682f-which-broke-nistp224_method.patch + +--- +Wed Dec 18 16:29:46 UTC 2019 - Vítězslav Čížek + +- Obsolete libopenssl-1_0_0-devel and libopenssl-1_0_0-hmac in order + to avoid conflict upon upgrade from SLE-12 (bsc#1158499) + +--- New: openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch openssl-Fix-9bf682f-which-broke-nistp224_method.patch openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch openssl-assembly-pack-accelerate-scalar-multiplication.patch openssl-s390x-assembly-pack-accelerate-ECDSA.patch openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch openssl-s390xcpuid.pl-fix-comment.patch Other 
differences: -- ++ openssl-1_1.spec ++ --- /var/tmp/diff_new_pack.OYaKON/_old 2020-01-19 15:47:04.469687974 +0100 +++ /var/tmp/diff_new_pack.OYaKON/_new 2020-01-19 15:47:04.473687977 +0100 @@ -54,6 +54,20 @@ # OpenSSL Security Advisory [6 December 2019] bsc#1158809 CVE-2019-1551 # PATCH-FIX-UPSTREAM Integer overflow in RSAZ modular exponentiation on x86_64 Patch15:openssl-1_1-CVE-2019-1551.patch +# PATCH-FIX-UPSTREAM bsc#1152695 jsc#SLE-7861 Support for CPACF enhancements - part 1 (crypto) +Patch16: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch +Patch17: openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch +Patch18:openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch +Patch19:openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch +Patch20:openssl-s390xcpuid.pl-fix-comment.patch +Patch21:openssl-assembly-pack-accelerate-scalar-multiplication.patch +Patch22: openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch +Patch23:openssl-s390x-assembly-pack-accelerate-ECDSA.patch +Patch24:openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch +Patch25:openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch +Patch26: openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch +Patch27:openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch +Patch28:openssl-Fix-9bf682f-which-broke-nistp224_method.patch BuildRequires: pkgconfig Conflicts: ssl Provides: ssl @@ -96,6 +110,8 @@ Provides: ssl-devel # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl-1_1_0-devel +# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 +Obsoletes: libopenssl-1_0_0-devel %description -n libopenssl-1_1-devel This subpackage contains header files for developing applications @@ -108,6 +124,8 @@ Requires: