commit openssl-1_1 for openSUSE:Leap:15.2:Update

2020-10-15 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for 
openSUSE:Leap:15.2:Update checked in at 2020-10-16 00:22:47

Comparing /work/SRC/openSUSE:Leap:15.2:Update/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Leap:15.2:Update/.openssl-1_1.new.3486 (New)


Package is "openssl-1_1"

Fri Oct 16 00:22:47 2020 rev:2 rq:841362 version:unknown

Changes:

New Changes file:

NO CHANGES FILE!!!



Other differences:
--
++ _link ++
--- /var/tmp/diff_new_pack.OCbww2/_old  2020-10-16 00:22:48.771977601 +0200
+++ /var/tmp/diff_new_pack.OCbww2/_new  2020-10-16 00:22:48.771977601 +0200
@@ -1 +1 @@
-
+




commit openssl-1_1 for openSUSE:Leap:15.2

2020-05-04 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2 
checked in at 2020-05-04 08:22:19

Comparing /work/SRC/openSUSE:Leap:15.2/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.2738 (New)


Package is "openssl-1_1"

Mon May  4 08:22:19 2020 rev:35 rq:797524 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Leap:15.2/openssl-1_1/openssl-1_1.changes
2020-03-24 19:05:16.821440358 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.2738/openssl-1_1.changes  
2020-05-04 08:22:19.884322595 +0200
@@ -1,0 +2,14 @@
+Mon Apr 20 14:48:22 UTC 2020 - Pedro Monreal Gonzalez 

+
+- Security fix: [bsc#1169407, CVE-2020-1967]
+  * Segmentation fault in SSL_check_chain: Server applications that
+call the SSL_check_chain() function during or after a TLS handshake
+may crash due to a NULL pointer dereference as a result of incorrect
+handling of the signature_algorithms_cert TLS extension.
+- Add patches:
+  * openssl-CVE-2020-1967.patch
+  * openssl-CVE-2020-1967-test1.patch
+  * openssl-CVE-2020-1967-test2.patch
+  * openssl-CVE-2020-1967-test3.patch
+
+---

New:

  openssl-CVE-2020-1967-test1.patch
  openssl-CVE-2020-1967-test2.patch
  openssl-CVE-2020-1967-test3.patch
  openssl-CVE-2020-1967.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.UvjxHO/_old  2020-05-04 08:22:21.100325201 +0200
+++ /var/tmp/diff_new_pack.UvjxHO/_new  2020-05-04 08:22:21.100325201 +0200
@@ -89,6 +89,11 @@
 # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 
(crypto)
 Patch50:
openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
 Patch51:
openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
+# PATCH-FIX-UPSTREAM bsc#1169407 CVE-2020-1967 Segmentation fault in 
SSL_check_chain
+Patch52:openssl-CVE-2020-1967.patch
+Patch53:openssl-CVE-2020-1967-test1.patch
+Patch54:openssl-CVE-2020-1967-test2.patch
+Patch55:openssl-CVE-2020-1967-test3.patch
 BuildRequires:  pkgconfig
 Conflicts:  ssl
 Provides:   ssl


++ openssl-CVE-2020-1967-test1.patch ++
@@ -, +, @@ 
---
 test/recipes/70-test_sslsigalgs.t | 66 +--
 1 file changed, 64 insertions(+), 2 deletions(-)
Index: openssl-1.1.1d/test/recipes/70-test_sslsigalgs.t
===
--- openssl-1.1.1d.orig/test/recipes/70-test_sslsigalgs.t
+++ openssl-1.1.1d/test/recipes/70-test_sslsigalgs.t
@@ -44,7 +44,9 @@ use constant {
 COMPAT_SIGALGS => 6,
 SIGALGS_CERT_ALL => 7,
 SIGALGS_CERT_PKCS => 8,
-SIGALGS_CERT_INVALID => 9
+SIGALGS_CERT_INVALID => 9,
+UNRECOGNIZED_SIGALGS_CERT => 4,
+UNRECOGNIZED_SIGALG => 5
 };
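Review bot: The two constants added at the end of the `use constant` block are given the values 4 and 5, while the visible entries above them run from 6 to 9. The block starts outside this hunk, so this is inferred from the numbering, but if earlier entries already use 4 and 5, then `$testtype = UNRECOGNIZED_SIGALGS_CERT` cannot be told apart from an older test type by any filter that branches on `$testtype`. The CVE-2020-1967 regression test could then apply the wrong ClientHello mutation and pass without exercising the fix. Continuing the sequence avoids the ambiguity: `UNRECOGNIZED_SIGALGS_CERT => 10,` and `UNRECOGNIZED_SIGALG => 11`.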
 
 #Note: Throughout this test we override the default ciphersuites where TLSv1.2
@@ -53,7 +55,7 @@ use constant {
 
 #Test 1: Default sig algs should succeed
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 22;
+plan tests => 24;
 ok(TLSProxy::Message->success, "Default sigalgs");
 my $testtype;
 
@@ -261,6 +263,39 @@ SKIP: {
 ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
 }
 
+SKIP: {
+skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
+#Test 25: Send an unrecognized signature_algorithms_cert
+#We should be able to skip over the unrecognized value and use a
+#valid one that appears later in the list.
+$proxy->clear();
+$proxy->filter(\_unrecognized_sigalg);
+$proxy->clientflags("-tls1_3");
+# Use -xcert to get SSL_check_chain() to run in the cert_cb.  This is
+# needed to trigger (e.g.) CVE-2020-1967
+$proxy->serverflags("" .
+" -xcert " . srctop_file("test", "certs", "servercert.pem") .
+" -xkey " . srctop_file("test", "certs", "serverkey.pem") .
+" -xchain " . srctop_file("test", "certs", "rootcert.pem"));
+$testtype = UNRECOGNIZED_SIGALGS_CERT;
+$proxy->start();
+ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in 
ClientHello");
+
+#Test 26: Send an unrecognized signature_algorithms
+#We should be able to skip over the unrecognized value and use a
+#valid one that appears later in the list.
+$proxy->clear();
+$proxy->filter(\_unrecognized_sigalg);
+$proxy->clientflags("-tls1_3");
+$proxy->serverflags("" .
+" -xcert " . srctop_file("test", "certs", "servercert.pem") .
+" -xkey " . srctop_file("test", "certs", "serverkey.pem") .
+" -xchain " . srctop_file("test", 

commit openssl-1_1 for openSUSE:Leap:15.2

2020-03-24 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2 
checked in at 2020-03-24 19:05:13

Comparing /work/SRC/openSUSE:Leap:15.2/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160 (New)


Package is "openssl-1_1"

Tue Mar 24 19:05:13 2020 rev:34 rq:787245 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Leap:15.2/openssl-1_1/openssl-1_1.changes
2020-03-20 05:52:30.420047520 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160/openssl-1_1.changes  
2020-03-24 19:05:16.821440358 +0100
@@ -1,0 +2,7 @@
+Fri Mar 20 10:22:27 UTC 2020 - Vítězslav Čížek 
+
+- openssl dgst: default to SHA256 only when called without a digest,
+  not when it couldn't be found (bsc#1166189)
+  * add openssl-unknown_dgst.patch
+
+---

New:

  openssl-unknown_dgst.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.BidTSR/_old  2020-03-24 19:05:19.145441919 +0100
+++ /var/tmp/diff_new_pack.BidTSR/_new  2020-03-24 19:05:19.145441919 +0100
@@ -85,6 +85,7 @@
 Patch44:openssl-fips_fix_selftests_return_value.patch
 Patch45:openssl-fips-add-SHA3-selftest.patch
 Patch46:openssl-fips_selftest_upstream_drbg.patch
+Patch47:openssl-unknown_dgst.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 
(crypto)
 Patch50:
openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
 Patch51:
openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch


++ openssl-unknown_dgst.patch ++
Index: openssl-1.1.1d/apps/dgst.c
===
--- openssl-1.1.1d.orig/apps/dgst.c 2019-09-10 15:13:07.0 +0200
+++ openssl-1.1.1d/apps/dgst.c  2020-03-20 11:20:27.618536409 +0100
@@ -95,6 +95,10 @@ int dgst_main(int argc, char **argv)
 prog = opt_progname(argv[0]);
 buf = app_malloc(BUFSIZE, "I/O buffer");
 md = EVP_get_digestbyname(prog);
+if (md == NULL && strcmp(prog, "dgst") != 0) {
+BIO_printf(bio_err, "%s is not a known digest\n", prog);
+goto end;
+}
 
 prog = opt_init(argc, argv, dgst_options);
 while ((o = opt_next()) != OPT_EOF) {
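Review bot: The new early exit in dgst_main depends on state that is outside this hunk: `goto end` returns whatever `ret` holds at that point and leaves the release of `buf` to the `end` label. It is worth confirming that `ret` is still non-zero there, so that scripts calling an unknown digest name see a failure rather than a success with no output. The `strcmp(prog, "dgst") != 0` exemption also deserves a comment, for example `/* "dgst" is the generic command, not a digest name; any other unresolved name must fail instead of falling back to the default digest */`. dgst_main begins before and continues past the hunk.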




commit openssl-1_1 for openSUSE:Leap:15.2

2020-03-19 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2 
checked in at 2020-03-20 05:52:26

Comparing /work/SRC/openSUSE:Leap:15.2/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160 (New)


Package is "openssl-1_1"

Fri Mar 20 05:52:26 2020 rev:33 rq:782184 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Leap:15.2/openssl-1_1/openssl-1_1.changes
2020-01-19 15:47:02.249686658 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160/openssl-1_1.changes  
2020-03-20 05:52:30.420047520 +0100
@@ -1,0 +2,77 @@
+Wed Mar  4 08:23:23 UTC 2020 - Vítězslav Čížek 
+
+- Limit the DRBG selftests to not deplete entropy (bsc#1165274)
+  * update openssl-fips_selftest_upstream_drbg.patch
+
+---
+Wed Feb 26 13:28:14 UTC 2020 - Vítězslav Čížek 
+
+- Run FIPS DRBG selftests against the crypto/rand DRBG implementation
+  (bsc#1164557)
+  * add openssl-fips_selftest_upstream_drbg.patch
+
+---
+Fri Feb 21 08:03:05 UTC 2020 - Vítězslav Čížek 
+
+- Use the newly build libcrypto shared library when computing the hmac
+  checksums in order to avoid a bootstrapping issue by BuildRequiring
+  libopenssl1_1 (bsc#1164102)
+
+---
+Thu Feb 13 10:57:45 UTC 2020 - Vítězslav Čížek 
+
+- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
+  * add openssl-fips_fix_selftests_return_value.patch
+
+---
+Wed Feb 12 21:14:27 UTC 2020 - Jason Sikes 
+
+- Added SHA3 FIPS self-tests bsc#1155345
+  * openssl-fips-add-SHA3-selftest.patch
+
+---
+Tue Jan 28 12:14:59 UTC 2020 - Pedro Monreal Gonzalez 

+
+- Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7403]
+- Add patches:
+  * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+  * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
+
+---
+Thu Jan 23 14:32:28 UTC 2020 - Vítězslav Čížek 
+
+- Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our
+  layered FIPS initialization (bsc#1161789)
+  * openssl-fips-ignore_broken_atexit_test.patch
+
+---
+Wed Jan 22 13:59:15 UTC 2020 - Vítězslav Čížek 
+
+- Import FIPS patches from SLE-15
+  * openssl-fips-dont_run_FIPS_module_installed.patch
+  * openssl-fips_mode.patch
+  * openssl-ship_fips_standalone_hmac.patch
+  * openssl-fips-clearerror.patch
+  * openssl-fips-selftests_in_nonfips_mode.patch
+
+---
+Tue Jan 21 16:08:21 UTC 2020 - Vítězslav Čížek 
+
+- Don't run FIPS power-up self-tests when the checksum files aren't
+  installed (bsc#1042392)
+  * add openssl-fips-run_selftests_only_when_module_is_complete.patch
+
+---
+Tue Jan 21 11:10:42 UTC 2020 - Vítězslav Čížek 
+
+- Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553)
+  * openssl-1.1.1-fips-crng-test.patch
+  * openssl-1.1.1-fips-post-rand.patch
+  * openssl-1.1.1-fips.patch
+  * openssl-1.1.0-issuer-hash.patch
+  * openssl-1.1.1-evp-kdf.patch
+  * openssl-1.1.1-ssh-kdf.patch replaces 
openssl-jsc-SLE-8789-backport_KDF.patch
+- keep EVP_KDF functions at version 1.1.1d for backward compatibility
+  * add openssl-keep_EVP_KDF_functions_version.patch
+
+---

Old:

  openssl-jsc-SLE-8789-backport_KDF.patch

New:

  openssl-1.1.0-issuer-hash.patch
  openssl-1.1.1-evp-kdf.patch
  openssl-1.1.1-fips-crng-test.patch
  openssl-1.1.1-fips-post-rand.patch
  openssl-1.1.1-fips.patch
  openssl-1.1.1-ssh-kdf.patch
  openssl-fips-add-SHA3-selftest.patch
  openssl-fips-clearerror.patch
  openssl-fips-dont_run_FIPS_module_installed.patch
  openssl-fips-ignore_broken_atexit_test.patch
  openssl-fips-run_selftests_only_when_module_is_complete.patch
  openssl-fips-selftests_in_nonfips_mode.patch
  openssl-fips_fix_selftests_return_value.patch
  openssl-fips_mode.patch
  openssl-fips_selftest_upstream_drbg.patch
  openssl-keep_EVP_KDF_functions_version.patch
  openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
  openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
  openssl-ship_fips_standalone_hmac.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.W4dEKE/_old  2020-03-20 05:52:32.324048789 

commit openssl-1_1 for openSUSE:Leap:15.2

2020-01-19 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2 
checked in at 2020-01-19 15:46:55

Comparing /work/SRC/openSUSE:Leap:15.2/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.26092 (New)


Package is "openssl-1_1"

Sun Jan 19 15:46:55 2020 rev:32 rq:762782 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Leap:15.2/openssl-1_1/openssl-1_1.changes
2020-01-15 15:37:19.503023442 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.26092/openssl-1_1.changes 
2020-01-19 15:47:02.249686658 +0100
@@ -1,0 +2,25 @@
+Fri Dec 20 13:44:06 UTC 2019 - Pedro Monreal Gonzalez 

+
+- Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861]
+- Add patches:
+  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+  * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
+  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+  * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
+  * openssl-s390xcpuid.pl-fix-comment.patch
+  * openssl-assembly-pack-accelerate-scalar-multiplication.patch
+  * openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
+  * openssl-s390x-assembly-pack-accelerate-ECDSA.patch
+  * openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
+  * openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
+  * openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
+  * openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
+  * openssl-Fix-9bf682f-which-broke-nistp224_method.patch
+
+---
+Wed Dec 18 16:29:46 UTC 2019 - Vítězslav Čížek 
+
+- Obsolete libopenssl-1_0_0-devel and libopenssl-1_0_0-hmac in order
+  to avoid conflict upon upgrade from SLE-12 (bsc#1158499)
+
+---

New:

  openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
  openssl-Fix-9bf682f-which-broke-nistp224_method.patch
  openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
  openssl-assembly-pack-accelerate-scalar-multiplication.patch
  openssl-s390x-assembly-pack-accelerate-ECDSA.patch
  openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
  openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
  openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
  openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
  openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
  openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
  openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
  openssl-s390xcpuid.pl-fix-comment.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.OYaKON/_old  2020-01-19 15:47:04.469687974 +0100
+++ /var/tmp/diff_new_pack.OYaKON/_new  2020-01-19 15:47:04.473687977 +0100
@@ -54,6 +54,20 @@
 # OpenSSL Security Advisory [6 December 2019] bsc#1158809 CVE-2019-1551
 # PATCH-FIX-UPSTREAM Integer overflow in RSAZ modular exponentiation on x86_64
 Patch15:openssl-1_1-CVE-2019-1551.patch
+# PATCH-FIX-UPSTREAM bsc#1152695 jsc#SLE-7861 Support for CPACF enhancements - 
part 1 (crypto)
+Patch16:
openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+Patch17:
openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
+Patch18:openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+Patch19:openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
+Patch20:openssl-s390xcpuid.pl-fix-comment.patch
+Patch21:openssl-assembly-pack-accelerate-scalar-multiplication.patch
+Patch22:
openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
+Patch23:openssl-s390x-assembly-pack-accelerate-ECDSA.patch
+Patch24:openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
+Patch25:openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
+Patch26:
openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
+Patch27:openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
+Patch28:openssl-Fix-9bf682f-which-broke-nistp224_method.patch
 BuildRequires:  pkgconfig
 Conflicts:  ssl
 Provides:   ssl
@@ -96,6 +110,8 @@
 Provides:   ssl-devel
 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
 Obsoletes:  libopenssl-1_1_0-devel
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes:  libopenssl-1_0_0-devel
 
 %description -n libopenssl-1_1-devel
 This subpackage contains header files for developing applications
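Review bot: The added `Obsoletes:  libopenssl-1_0_0-devel` has no version bound, so it matches every release of that package, including one that is still shipped or later rebuilt for this distribution. If the intent is only the SLE-12 upgrade path named in the comment, a bounded form such as `Obsoletes:  libopenssl-1_0_0-devel < %{version}` limits the effect to the older package. The existing `libopenssl-1_1_0-devel` line just above is written the same way and could be bounded too. Whether a 1.0.0 devel package still exists in this repository is not visible from the hunk.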
@@ -108,6 +124,8 @@
 Requires: