commit openssl for openSUSE:11.4:Update
Hello community, here is the log from the commit of package openssl for openSUSE:11.4:Update checked in at 2012-04-23 11:05:34 Comparing /work/SRC/openSUSE:11.4:Update/openssl (Old) and /work/SRC/openSUSE:11.4:Update/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: New Changes file: NO CHANGES FILE!!! Other differences: -- ++ _link ++ --- /var/tmp/diff_new_pack.whQefs/_old 2012-04-23 11:05:38.0 +0200 +++ /var/tmp/diff_new_pack.whQefs/_new 2012-04-23 11:05:38.0 +0200 @@ -1 +1 @@ -link package='openssl.410' cicount='copy' / +link package='openssl.444' cicount='copy' / -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openssl for openSUSE:11.4:Update:Test
Hello community, here is the log from the commit of package openssl for openSUSE:11.4:Update:Test checked in at 2012-03-26 15:43:13 Comparing /work/SRC/openSUSE:11.4:Update:Test/openssl (Old) and /work/SRC/openSUSE:11.4:Update:Test/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:11.4:Update:Test/openssl/openssl.changes 2012-03-19 17:47:06.0 +0100 +++ /work/SRC/openSUSE:11.4:Update:Test/.openssl.new/openssl.changes 2012-03-26 15:43:15.0 +0200 @@ -1,0 +2,12 @@ +Thu Mar 22 04:54:58 UTC 2012 - g...@suse.com + +- fix Bug[bnc#751946] - S/MIME verification may erroneously fail + CVE-2012-1165 + +--- +Wed Mar 21 03:00:20 UTC 2012 - g...@suse.com + +- fix bug[bnc#749213]-Free headers after use in error message + and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt + +--- @@ -5,0 +18 @@ + CVE-2006-7250 New: CVE-2012-1165.patch bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch bug749213-Free-headers-after-use.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.k8MudA/_old 2012-03-26 15:43:15.0 +0200 +++ /var/tmp/diff_new_pack.k8MudA/_new 2012-03-26 15:43:15.0 +0200 @@ -57,6 +57,9 @@ Patch25:CVE-2012-0027.patch Patch26:CVE-2012-0050.patch Patch27:Bug748738_Tolerate_bad_MIME_headers.patch +Patch28:bug749213-Free-headers-after-use.patch +Patch29:bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch +Patch30:CVE-2012-1165.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -201,6 +204,9 @@ %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ CVE-2012-1165.patch ++ Index: openssl-1.0.0g/crypto/asn1/asn_mime.c === --- openssl-1.0.0g.orig/crypto/asn1/asn_mime.c +++ openssl-1.0.0g/crypto/asn1/asn_mime.c 
@@ -858,9 +858,8 @@ static int mime_hdr_addparam(MIME_HEADER static int mime_hdr_cmp(const MIME_HEADER * const *a, const MIME_HEADER * const *b) { - if ((*a)-name == NULL || (*b)-name == NULL) - return (*a)-name - (*b)-name 0 ? -1 : - (*a)-name - (*b)-name 0 ? 1 : 0; + if (!(*a)-name || !(*b)-name) + return !!(*a)-name - !!(*b)-name; return(strcmp((*a)-name, (*b)-name)); } @@ -868,6 +867,8 @@ static int mime_hdr_cmp(const MIME_HEADE static int mime_param_cmp(const MIME_PARAM * const *a, const MIME_PARAM * const *b) { + if (!(*a)-param_name || !(*b)-param_name) + return !!(*a)-param_name - !!(*b)-param_name; return(strcmp((*a)-param_name, (*b)-param_name)); } ++ bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch ++ Index: openssl-1.0.0g/crypto/pkcs7/pk7_smime.c === --- openssl-1.0.0g.orig/crypto/pkcs7/pk7_smime.c +++ openssl-1.0.0g/crypto/pkcs7/pk7_smime.c @@ -573,15 +573,30 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *p return 0; } ret = SMIME_text(bread, data); + if (ret 0 BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) + { + if (!BIO_get_cipher_status(tmpmem)) + ret = 0; + } BIO_free_all(bread); return ret; } else { for(;;) { i = BIO_read(tmpmem, buf, sizeof(buf)); - if(i = 0) break; + if(i = 0) + { + ret = 1; + if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) + { + if (!BIO_get_cipher_status(tmpmem)) + ret = 0; + } + + break; + } BIO_write(data, buf, i); } BIO_free_all(tmpmem); - return 1; + return ret; } } ++ bug749213-Free-headers-after-use.patch ++ Index: openssl-1.0.0g/crypto/asn1/asn_mime.c === ---
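Review bot: The new guards in mime_hdr_cmp and mime_param_cmp carry no comment saying why a NULL name or param_name is a legitimate input, which is the non-obvious part of this hunk and the first thing a later reader is likely to "simplify" away. I would add, above the guard in mime_hdr_cmp, `/* name may be NULL for a malformed header the parser tolerated; NULLs sort first and compare equal to each other */`, and the equivalent sentence for param_name in mime_param_cmp. The `!!a - !!b` form yields a total order (NULL before non-NULL), which the sorted-stack lookups presumably rely on, so stating the ordering in the comment keeps it from being changed by accident.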
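Review bot: Both places where this hunk sets `ret = 0` after BIO_get_cipher_status() fails return failure without putting anything on the error queue, so PKCS7_decrypt reports 0 with an empty ERR stack and the caller cannot distinguish a failed symmetric decryption from the function's other failure paths. I would add `PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_DECRYPT_ERROR);` beside each `ret = 0;`, deliberately the same generic code for any cipher-status failure so the reported error does not say which stage rejected the data. The loop exit condition appears to be `i <= 0` (comparison operators are lost in this rendering), which treats a negative BIO_read() return like EOF and can still yield ret = 1 when tmpmem is not a cipher BIO; testing `i < 0` separately and failing would be safer. The cipher-status check is duplicated in the two branches and could be a small static helper. PKCS7_decrypt begins before this hunk, so it is not visible here whether `ret` is initialised on the non-SMIME branch before the loop.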
commit openssl for openSUSE:11.4
Hello community, here is the log from the commit of package openssl for openSUSE:11.4 checked in at Fri Feb 24 16:01:00 CET 2012. --- old-versions/11.4/UPDATES/all/openssl/openssl.changes 2012-02-02 08:23:19.0 +0100 +++ 11.4/openssl/openssl.changes2012-02-24 04:12:14.0 +0100 @@ -1,0 +2,6 @@ +Fri Feb 24 02:52:14 UTC 2012 - g...@suse.com + +- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's + asn1 parser. + +--- calling whatdependson for 11.4-i586 New: Bug748738_Tolerate_bad_MIME_headers.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.MiHKcT/_old 2012-02-24 16:00:34.0 +0100 +++ /var/tmp/diff_new_pack.MiHKcT/_new 2012-02-24 16:00:34.0 +0100 @@ -31,7 +31,7 @@ Obsoletes: openssl-64bit %endif Version:1.0.0c -Release:18.RELEASE25 +Release:18.RELEASE27 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -56,6 +56,7 @@ Patch24:CVE-2011-4619.patch Patch25:CVE-2012-0027.patch Patch26:CVE-2012-0050.patch +Patch27:Bug748738_Tolerate_bad_MIME_headers.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -199,6 +200,7 @@ %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ Bug748738_Tolerate_bad_MIME_headers.patch ++ Index: openssl-1.0.0g/crypto/asn1/asn_mime.c === --- openssl-1.0.0g.orig/crypto/asn1/asn_mime.c +++ openssl-1.0.0g/crypto/asn1/asn_mime.c 
@@ -858,6 +858,10 @@ static int mime_hdr_addparam(MIME_HEADER static int mime_hdr_cmp(const MIME_HEADER * const *a, const MIME_HEADER * const *b) { + if ((*a)-name == NULL || (*b)-name == NULL) + return (*a)-name - (*b)-name 0 ? -1 : + (*a)-name - (*b)-name 0 ? 1 : 0; + return(strcmp((*a)-name, (*b)-name)); } continue with q... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
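Review bot: The added guard in mime_hdr_cmp evaluates `(*a)->name - (*b)->name` with at least one operand NULL; subtracting pointers that do not point into the same array object is undefined behaviour in C, and the sign of the result carries no meaning even where it happens to compile, so the comparator is not guaranteed to produce a consistent order. Replace the three-line expression with a truth-value comparison, `if ((*a)->name == NULL || (*b)->name == NULL) return !!(*a)->name - !!(*b)->name;` (NULL sorts first, two NULLs compare equal), which is also what the later CVE-2012-1165 patch on this page does. If mime_param_cmp does the same bare strcmp on param_name and the tolerant parser can leave that field NULL as well, it needs the same guard. mime_hdr_cmp is complete within the hunk, but the parser change that makes a NULL name reachable is not shown here.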
commit openssl for openSUSE:11.4
Hello community, here is the log from the commit of package openssl for openSUSE:11.4 checked in at Mon Feb 6 16:15:58 CET 2012. --- old-versions/11.4/UPDATES/all/openssl/openssl.changes 2012-01-11 08:18:04.0 +0100 +++ 11.4/openssl/openssl.changes2012-02-02 08:23:19.0 +0100 @@ -1,0 +2,6 @@ +Thu Feb 2 07:22:17 UTC 2012 - g...@suse.com + +- fix security bug [bnc#742821] - DTLS DoS Attack + CVE-2012-0050 + +--- calling whatdependson for 11.4-i586 New: CVE-2012-0050.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.VLWWs2/_old 2012-02-06 16:15:44.0 +0100 +++ /var/tmp/diff_new_pack.VLWWs2/_new 2012-02-06 16:15:44.0 +0100 @@ -31,7 +31,7 @@ Obsoletes: openssl-64bit %endif Version:1.0.0c -Release:18.RELEASE23 +Release:18.RELEASE25 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -55,6 +55,7 @@ Patch23:CVE-2011-4577.patch Patch24:CVE-2011-4619.patch Patch25:CVE-2012-0027.patch +Patch26:CVE-2012-0050.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -197,6 +198,7 @@ %patch23 -p1 %patch24 -p1 %patch25 -p1 +%patch26 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ CVE-2012-0050.patch ++ Index: openssl-1.0.0e/ssl/d1_pkt.c === --- openssl-1.0.0e.orig/ssl/d1_pkt.c +++ openssl-1.0.0e/ssl/d1_pkt.c @@ -376,6 +376,7 @@ dtls1_process_record(SSL *s) unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; int decryption_failed_or_bad_record_mac = 0; + unsigned char *mac = NULL; rr= (s-s3-rrec); 
@@ -447,19 +448,15 @@ printf(\n); #endif } /* check the MAC for rr-input (it's in mac_size bytes at the tail) */ - if (rr-length mac_size) + if (rr-length = mac_size) { -#if 0 /* OK only for stream ciphers */ - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); - goto f_err; -#else - decryption_failed_or_bad_record_mac = 1; -#endif + rr-length -= mac_size; + mac = rr-data[rr-length]; } - rr-length-=mac_size; + else + rr-length = 0; i=s-method-ssl3_enc-mac(s,md,0); - if (i 0 || memcmp(md,(rr-data[rr-length]),mac_size) != 0) + if (i 0 || mac == NULL || memcmp(md, mac, mac_size) != 0) { decryption_failed_or_bad_record_mac = 1; } continue with q... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
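Review bot: The rewritten MAC check still uses `memcmp(md, mac, mac_size)`, which returns at the first differing byte and so leaks through timing how much of a received MAC matched; a verification reachable with peer-supplied records should compare in fixed time. If this tree has such a helper (later OpenSSL releases ship CRYPTO_memcmp), the line becomes `if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, mac_size) != 0)`; otherwise a small static loop that ORs the byte differences over mac_size bytes does the job. As a style point, the new `else rr->length = 0;` is unbraced while its sibling branch is braced; brace both. The `mac` variable comes from the earlier hunk of this patch, and dtls1_process_record starts before this hunk, so what happens to the record after decryption_failed_or_bad_record_mac is set is not visible here.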
commit openssl for openSUSE:11.4
Hello community, here is the log from the commit of package openssl for openSUSE:11.4 checked in at Tue Sep 20 12:06:29 CEST 2011. --- old-versions/11.4/UPDATES/all/openssl/openssl.changes 2011-05-31 09:28:35.0 +0200 +++ 11.4/openssl/openssl.changes2011-09-20 10:48:32.0 +0200 @@ -1,0 +2,13 @@ +Tue Sep 20 08:47:15 UTC 2011 - g...@suse.com + +- fix bug[bnc#716144] - VUL-0: openssl ECDH crash. + CVE-2011-3210 + +--- +Tue Sep 13 03:05:41 UTC 2011 - g...@suse.com + +- Fix bug[bnc#716143].Fix bug where CRLs with nextUpdate + in the past are sometimes accepted by initialising + X509_STORE_CTX properly. (CVE-2011-3207) + +--- calling whatdependson for 11.4-i586 New: CVE-2011-3207.patch CVE-2011-3210.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.f8BAhE/_old 2011-09-20 12:06:10.0 +0200 +++ /var/tmp/diff_new_pack.f8BAhE/_new 2011-09-20 12:06:10.0 +0200 @@ -30,10 +30,8 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -# -#Version:1.0.0 Version:1.0.0c -Release:18.RELEASE19 +Release:18.RELEASE21 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -50,6 +48,8 @@ #Patch6: CVE-2010-3864.patch Patch7: openssl-1.0.0b-aesni.patch Patch8: ECDSA_signatures_timing_attack.patch +Patch9: CVE-2011-3207.patch +Patch10:CVE-2011-3210.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -185,6 +185,8 @@ #%patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ CVE-2011-3207.patch ++ Index: openssl-1.0.0c/crypto/x509/x509_vfy.c === --- openssl-1.0.0c.orig/crypto/x509/x509_vfy.c +++ openssl-1.0.0c/crypto/x509/x509_vfy.c 
@@ -703,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ct x = sk_X509_value(ctx-chain, cnum); ctx-current_cert = x; ctx-current_issuer = NULL; + ctx-current_crl_score = 0; ctx-current_reasons = 0; while (ctx-current_reasons != CRLDP_ALL_REASONS) { @@ -2015,6 +2016,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX * ctx-error_depth=0; ctx-current_cert=NULL; ctx-current_issuer=NULL; + ctx-current_crl=NULL; + ctx-current_crl_score=0; + ctx-current_reasons=0; ctx-tree = NULL; ctx-parent = NULL; ++ CVE-2011-3210.patch ++ Index: openssl-1.0.0c/ssl/d1_srvr.c === --- openssl-1.0.0c.orig/ssl/d1_srvr.c +++ openssl-1.0.0c/ssl/d1_srvr.c @@ -1017,12 +1017,11 @@ int dtls1_send_server_key_exchange(SSL * SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); goto err; } - if (!EC_KEY_up_ref(ecdhp)) + if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); goto err; } - ecdh = ecdhp; s-s3-tmp.ecdh=ecdh; if ((EC_KEY_get0_public_key(ecdh) == NULL) || Index: openssl-1.0.0c/ssl/s3_lib.c === --- openssl-1.0.0c.orig/ssl/s3_lib.c +++ openssl-1.0.0c/ssl/s3_lib.c @@ -2198,11 +2198,17 @@ void ssl3_clear(SSL *s) } #ifndef OPENSSL_NO_DH if (s-s3-tmp.dh != NULL) + { DH_free(s-s3-tmp.dh); + s-s3-tmp.dh = NULL; + } #endif #ifndef OPENSSL_NO_ECDH if (s-s3-tmp.ecdh != NULL) + { EC_KEY_free(s-s3-tmp.ecdh); + s-s3-tmp.ecdh = NULL; + } #endif rp = s-s3-rbuf.buf; Index: openssl-1.0.0c/ssl/s3_srvr.c === --- openssl-1.0.0c.orig/ssl/s3_srvr.c +++ openssl-1.0.0c/ssl/s3_srvr.c @@ -778,6 +778,13 @@ int ssl3_check_client_hello(SSL *s) s-s3-tmp.dh = NULL; } #endif +#ifndef OPENSSL_NO_ECDH + if (s-s3-tmp.ecdh != NULL) + { + EC_KEY_free(s-s3-tmp.ecdh); + s-s3-tmp.ecdh = NULL; + }
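Review bot: X509_STORE_CTX_init resets the CRL-lookup state one field at a time (current_crl, current_crl_score and current_reasons are added here) while check_cert resets a subset of the same fields at the top of each per-certificate pass, and nothing ties the two lists together, which is exactly how the stale-score bug this patch fixes could arise. I would add above the new lines in X509_STORE_CTX_init `/* CRL lookup state; check_cert() re-initialises the per-certificate part of this before each pass */` and a matching one-line comment at the check_cert site, so the next field added to this group is reset in both places. X509_STORE_CTX_init is longer than the hunk; if the assignments that follow also go field by field, zeroing the whole working-state group once with memset before the explicit assignments would remove this class of bug, provided no field assigned earlier in the function falls inside that group.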
commit openssl for openSUSE:11.4
Hello community, here is the log from the commit of package openssl for openSUSE:11.4 checked in at Mon Jun 6 21:56:06 CEST 2011. --- old-versions/11.4/all/openssl/openssl.changes 2011-01-15 21:02:09.0 +0100 +++ 11.4/openssl/openssl.changes2011-05-31 09:28:35.0 +0200 @@ -1,0 +2,9 @@ +Tue May 31 07:27:46 UTC 2011 - g...@novell.com + +- fix bug[bnc#693027]. + Add protection against ECDSA timing attacks as mentioned in the paper + by Billy Bob Brumley and Nicola Tuveri, see: + http://eprint.iacr.org/2011/232.pdf + [Billy Bob Brumley and Nicola Tuveri] + +--- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/openssl Destination is old-versions/11.4/UPDATES/all/openssl calling whatdependson for 11.4-i586 New: ECDSA_signatures_timing_attack.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.3SCpCG/_old 2011-06-06 21:52:30.0 +0200 +++ /var/tmp/diff_new_pack.3SCpCG/_new 2011-06-06 21:52:30.0 +0200 @@ -33,7 +33,7 @@ # #Version:1.0.0 Version:1.0.0c -Release:3 +Release:18.RELEASE19 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -49,6 +49,7 @@ #Patch5: CVE-2010-2939.patch #Patch6: CVE-2010-3864.patch Patch7: openssl-1.0.0b-aesni.patch +Patch8: ECDSA_signatures_timing_attack.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -183,6 +184,7 @@ #%patch5 -p1 #%patch6 -p1 %patch7 -p1 +%patch8 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ ECDSA_signatures_timing_attack.patch ++ Index: openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c === --- openssl-1.0.0c.orig/crypto/ecdsa/ecs_ossl.c +++ openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c 
@@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *ecke } while (BN_is_zero(k)); +#ifdef ECDSA_POINT_MUL_NO_CONSTTIME + /* We do not want timing information to leak the length of k, +* so we compute G*k using an equivalent scalar of fixed +* bit-length. */ + + if (!BN_add(k, k, order)) goto err; + if (BN_num_bits(k) = BN_num_bits(order)) + if (!BN_add(k, k, order)) goto err; +#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */ + /* compute r the x-coordinate of generator * k */ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { Index: openssl-1.0.0c/crypto/ocsp/ocsp_lib.c === --- openssl-1.0.0c.orig/crypto/ocsp/ocsp_lib.c +++ openssl-1.0.0c/crypto/ocsp/ocsp_lib.c @@ -170,13 +170,14 @@ int OCSP_parse_url(char *url, char **pho char *host, *port; + *phost = NULL; + *pport = NULL; + *ppath = NULL; + /* dup the buffer since we are going to mess with it */ buf = BUF_strdup(url); if (!buf) goto mem_err; - *phost = NULL; - *pport = NULL; - *ppath = NULL; /* Check for initial colon */ p = strchr(buf, ':'); Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
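Review bot: The fixed-bit-length scalar in ecdsa_sign_setup is compiled only under `#ifdef ECDSA_POINT_MUL_NO_CONSTTIME`, and nothing in this patch defines that macro, so whether the mitigation is actually built depends on a definition outside the hunk (elsewhere in ecs_ossl.c or in the build flags); please confirm it is defined for this package, otherwise the patch is inert. The intent comment is good, but I would extend it with why there are two additions: `/* one addition can leave k at the same bit-length as order; the second guarantees exactly BN_num_bits(order)+1 bits */`, which is my reading of the two BN_add calls. The comparison in `if (BN_num_bits(k) <= BN_num_bits(order))` has lost its operator in this rendering; it must be `<=` for k to always end up one bit longer than order. ecdsa_sign_setup starts before the hunk.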
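Review bot: The mem_err path of OCSP_parse_url can still leave one output indeterminate: the hunk header cuts the parameter list after `char **pho`, and if the function also takes an `int *pssl` output, as the public prototype does, it is not initialised alongside the three pointer outputs that are now set before BUF_strdup. Adding `*pssl = 0;` directly after `*ppath = NULL;` makes every output defined on every error exit. OCSP_parse_url continues beyond the hunk, so the later error exits are not visible here.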