commit openssl for openSUSE:11.4:Update

2012-04-23 Thread h_root
Hello community,

here is the log from the commit of package openssl for openSUSE:11.4:Update 
checked in at 2012-04-23 11:05:34

Comparing /work/SRC/openSUSE:11.4:Update/openssl (Old)
 and  /work/SRC/openSUSE:11.4:Update/.openssl.new (New)


Package is openssl, Maintainer is g...@suse.com

Changes:

New Changes file:

NO CHANGES FILE!!!



Other differences:
--
++ _link ++
--- /var/tmp/diff_new_pack.whQefs/_old  2012-04-23 11:05:38.0 +0200
+++ /var/tmp/diff_new_pack.whQefs/_new  2012-04-23 11:05:38.0 +0200
@@ -1 +1 @@
-link package='openssl.410' cicount='copy' /
+link package='openssl.444' cicount='copy' /




commit openssl for openSUSE:11.4:Update:Test

2012-03-26 Thread h_root
Hello community,

here is the log from the commit of package openssl for 
openSUSE:11.4:Update:Test checked in at 2012-03-26 15:43:13

Comparing /work/SRC/openSUSE:11.4:Update:Test/openssl (Old)
 and  /work/SRC/openSUSE:11.4:Update:Test/.openssl.new (New)


Package is openssl, Maintainer is g...@suse.com

Changes:

--- /work/SRC/openSUSE:11.4:Update:Test/openssl/openssl.changes 2012-03-19 
17:47:06.0 +0100
+++ /work/SRC/openSUSE:11.4:Update:Test/.openssl.new/openssl.changes
2012-03-26 15:43:15.0 +0200
@@ -1,0 +2,12 @@
+Thu Mar 22 04:54:58 UTC 2012 - g...@suse.com
+
+- fix Bug[bnc#751946] - S/MIME verification may erroneously fail
+  CVE-2012-1165
+
+---
+Wed Mar 21 03:00:20 UTC 2012 - g...@suse.com
+
+- fix bug[bnc#749213]-Free headers after use in error message
+  and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt
+
+---
@@ -5,0 +18 @@
+  CVE-2006-7250

New:

  CVE-2012-1165.patch
  bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch
  bug749213-Free-headers-after-use.patch



Other differences:
--
++ openssl.spec ++
--- /var/tmp/diff_new_pack.k8MudA/_old  2012-03-26 15:43:15.0 +0200
+++ /var/tmp/diff_new_pack.k8MudA/_new  2012-03-26 15:43:15.0 +0200
@@ -57,6 +57,9 @@
 Patch25:CVE-2012-0027.patch
 Patch26:CVE-2012-0050.patch
 Patch27:Bug748738_Tolerate_bad_MIME_headers.patch
+Patch28:bug749213-Free-headers-after-use.patch
+Patch29:bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch
+Patch30:CVE-2012-1165.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -201,6 +204,9 @@
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
 cp -p %{S:10} .
 echo adding/overwriting some entries in the 'table' hash in Configure
 # 
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags

++ CVE-2012-1165.patch ++
Index: openssl-1.0.0g/crypto/asn1/asn_mime.c
===
--- openssl-1.0.0g.orig/crypto/asn1/asn_mime.c
+++ openssl-1.0.0g/crypto/asn1/asn_mime.c
@@ -858,9 +858,8 @@ static int mime_hdr_addparam(MIME_HEADER
 static int mime_hdr_cmp(const MIME_HEADER * const *a,
const MIME_HEADER * const *b)
 {
-   if ((*a)-name == NULL || (*b)-name == NULL)
-   return (*a)-name - (*b)-name  0 ? -1 :
-   (*a)-name - (*b)-name  0 ? 1 : 0;
+   if (!(*a)-name || !(*b)-name)
+   return !!(*a)-name - !!(*b)-name;
 
return(strcmp((*a)-name, (*b)-name));
 }
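Review bot: The NULL ordering that mime_hdr_cmp now implements is not documented, and the same rule is repeated in mime_param_cmp in the next hunk. A one-line comment above each guard would record it, for example `/* a NULL name sorts before any non-NULL name; two NULL names compare equal */`. Since the two comparators now carry identical logic on different fields, a shared static helper taking two `const char *` arguments would keep them from drifting apart.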
@@ -868,6 +867,8 @@ static int mime_hdr_cmp(const MIME_HEADE
 static int mime_param_cmp(const MIME_PARAM * const *a,
const MIME_PARAM * const *b)
 {
+   if (!(*a)-param_name || !(*b)-param_name)
+   return !!(*a)-param_name - !!(*b)-param_name;
return(strcmp((*a)-param_name, (*b)-param_name));
 }
 
++ bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch ++
Index: openssl-1.0.0g/crypto/pkcs7/pk7_smime.c
===
--- openssl-1.0.0g.orig/crypto/pkcs7/pk7_smime.c
+++ openssl-1.0.0g/crypto/pkcs7/pk7_smime.c
@@ -573,15 +573,30 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *p
return 0;
}
ret = SMIME_text(bread, data);
+   if (ret  0  BIO_method_type(tmpmem) == BIO_TYPE_CIPHER)
+   {
+   if (!BIO_get_cipher_status(tmpmem))
+   ret = 0;
+   }
BIO_free_all(bread);
return ret;
} else {
for(;;) {
i = BIO_read(tmpmem, buf, sizeof(buf));
-   if(i = 0) break;
+   if(i = 0)
+   {
+   ret = 1;
+   if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER)
+   {
+   if (!BIO_get_cipher_status(tmpmem))
+   ret = 0;
+   }
+
+   break;
+   }
BIO_write(data, buf, i);
}
BIO_free_all(tmpmem);
-   return 1;
+   return ret;
}
 }
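Review bot: The copy loop in the non-text branch still ignores the result of `BIO_write(data, buf, i)`, so a failed or short write to the output BIO is reported as success even though the function now returns `ret` rather than a constant 1. Consider `if (BIO_write(data, buf, i) != i) { ret = 0; break; }` so that truncated plaintext is not handed back as a good decrypt. The cipher-status test is also written out twice, once per branch; a small static helper would keep the two paths consistent. PKCS7_decrypt starts before this hunk, so the declaration and initial value of `ret` are not visible here.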
++ bug749213-Free-headers-after-use.patch ++
Index: openssl-1.0.0g/crypto/asn1/asn_mime.c
===
--- 

commit openssl for openSUSE:11.4

2012-02-24 Thread h_root

Hello community,

here is the log from the commit of package openssl for openSUSE:11.4
checked in at Fri Feb 24 16:01:00 CET 2012.




--- old-versions/11.4/UPDATES/all/openssl/openssl.changes   2012-02-02 
08:23:19.0 +0100
+++ 11.4/openssl/openssl.changes2012-02-24 04:12:14.0 +0100
@@ -1,0 +2,6 @@
+Fri Feb 24 02:52:14 UTC 2012 - g...@suse.com
+
+- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's 
+  asn1 parser.
+
+---

calling whatdependson for 11.4-i586


New:

  Bug748738_Tolerate_bad_MIME_headers.patch



Other differences:
--
++ openssl.spec ++
--- /var/tmp/diff_new_pack.MiHKcT/_old  2012-02-24 16:00:34.0 +0100
+++ /var/tmp/diff_new_pack.MiHKcT/_new  2012-02-24 16:00:34.0 +0100
@@ -31,7 +31,7 @@
 Obsoletes:  openssl-64bit
 %endif
 Version:1.0.0c
-Release:18.RELEASE25
+Release:18.RELEASE27
 Summary:Secure Sockets and Transport Layer Security
 Url:http://www.openssl.org/
 Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -56,6 +56,7 @@
 Patch24:CVE-2011-4619.patch
 Patch25:CVE-2012-0027.patch
 Patch26:CVE-2012-0050.patch
+Patch27:Bug748738_Tolerate_bad_MIME_headers.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -199,6 +200,7 @@
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
 cp -p %{S:10} .
 echo adding/overwriting some entries in the 'table' hash in Configure
 # 
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags

++ Bug748738_Tolerate_bad_MIME_headers.patch ++
Index: openssl-1.0.0g/crypto/asn1/asn_mime.c
===
--- openssl-1.0.0g.orig/crypto/asn1/asn_mime.c
+++ openssl-1.0.0g/crypto/asn1/asn_mime.c
@@ -858,6 +858,10 @@ static int mime_hdr_addparam(MIME_HEADER
 static int mime_hdr_cmp(const MIME_HEADER * const *a,
const MIME_HEADER * const *b)
 {
+   if ((*a)-name == NULL || (*b)-name == NULL)
+   return (*a)-name - (*b)-name  0 ? -1 :
+   (*a)-name - (*b)-name  0 ? 1 : 0;
+
return(strcmp((*a)-name, (*b)-name));
 }
 
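Review bot: The new guard in mime_hdr_cmp orders a missing name by subtracting the two `name` pointers, but C only defines pointer subtraction within a single array object, so the result with a NULL operand cannot be relied on. Comparing nullness directly gives a defined ordering: `return !!(*a)->name - !!(*b)->name;`. The sibling comparator for parameters is outside this hunk; if it passes `param_name` straight to strcmp it needs the same guard, since a header that can lack a name can presumably lack a parameter name too.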
continue with q...



Remember to have fun...




commit openssl for openSUSE:11.4

2012-02-06 Thread h_root

Hello community,

here is the log from the commit of package openssl for openSUSE:11.4
checked in at Mon Feb 6 16:15:58 CET 2012.




--- old-versions/11.4/UPDATES/all/openssl/openssl.changes   2012-01-11 
08:18:04.0 +0100
+++ 11.4/openssl/openssl.changes2012-02-02 08:23:19.0 +0100
@@ -1,0 +2,6 @@
+Thu Feb  2 07:22:17 UTC 2012 - g...@suse.com
+
+- fix security bug [bnc#742821] - DTLS DoS Attack
+  CVE-2012-0050
+
+---

calling whatdependson for 11.4-i586


New:

  CVE-2012-0050.patch



Other differences:
--
++ openssl.spec ++
--- /var/tmp/diff_new_pack.VLWWs2/_old  2012-02-06 16:15:44.0 +0100
+++ /var/tmp/diff_new_pack.VLWWs2/_new  2012-02-06 16:15:44.0 +0100
@@ -31,7 +31,7 @@
 Obsoletes:  openssl-64bit
 %endif
 Version:1.0.0c
-Release:18.RELEASE23
+Release:18.RELEASE25
 Summary:Secure Sockets and Transport Layer Security
 Url:http://www.openssl.org/
 Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -55,6 +55,7 @@
 Patch23:CVE-2011-4577.patch
 Patch24:CVE-2011-4619.patch
 Patch25:CVE-2012-0027.patch
+Patch26:CVE-2012-0050.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -197,6 +198,7 @@
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1
 cp -p %{S:10} .
 echo adding/overwriting some entries in the 'table' hash in Configure
 # 
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags

++ CVE-2012-0050.patch ++
Index: openssl-1.0.0e/ssl/d1_pkt.c
===
--- openssl-1.0.0e.orig/ssl/d1_pkt.c
+++ openssl-1.0.0e/ssl/d1_pkt.c
@@ -376,6 +376,7 @@ dtls1_process_record(SSL *s)
unsigned int mac_size;
unsigned char md[EVP_MAX_MD_SIZE];
int decryption_failed_or_bad_record_mac = 0;
+   unsigned char *mac = NULL;
 
 
rr= (s-s3-rrec);
@@ -447,19 +448,15 @@ printf(\n);
 #endif 
}
/* check the MAC for rr-input (it's in mac_size bytes at the 
tail) */
-   if (rr-length  mac_size)
+   if (rr-length = mac_size)
{
-#if 0 /* OK only for stream ciphers */
-   al=SSL_AD_DECODE_ERROR;
-   
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
-   goto f_err;
-#else
-   decryption_failed_or_bad_record_mac = 1;
-#endif
+   rr-length -= mac_size;
+   mac = rr-data[rr-length];
}
-   rr-length-=mac_size;
+   else
+   rr-length = 0;
i=s-method-ssl3_enc-mac(s,md,0);
-   if (i  0 || memcmp(md,(rr-data[rr-length]),mac_size) != 0)
+   if (i  0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
{
decryption_failed_or_bad_record_mac = 1;
}
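Review bot: The MAC check on the last changed line still compares with `memcmp`, which stops at the first differing byte, so the time taken depends on how much of the MAC matches. For a record MAC, prefer a comparison that always touches all `mac_size` bytes, such as OR-ing the XOR of each byte pair into an accumulator and testing it once after the loop. The `else` branch would also benefit from a comment like `/* record shorter than the MAC: fall through and fail the MAC check below */`, because setting `rr->length = 0` and continuing appears deliberate and is easy to undo by mistake. dtls1_process_record begins and ends outside this hunk.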
continue with q...



Remember to have fun...




commit openssl for openSUSE:11.4

2011-09-20 Thread h_root

Hello community,

here is the log from the commit of package openssl for openSUSE:11.4
checked in at Tue Sep 20 12:06:29 CEST 2011.




--- old-versions/11.4/UPDATES/all/openssl/openssl.changes   2011-05-31 
09:28:35.0 +0200
+++ 11.4/openssl/openssl.changes2011-09-20 10:48:32.0 +0200
@@ -1,0 +2,13 @@
+Tue Sep 20 08:47:15 UTC 2011 - g...@suse.com
+
+- fix bug[bnc#716144] - VUL-0: openssl ECDH crash.
+  CVE-2011-3210
+
+---
+Tue Sep 13 03:05:41 UTC 2011 - g...@suse.com
+
+- Fix bug[bnc#716143].Fix bug where CRLs with nextUpdate 
+  in the past are sometimes accepted by initialising 
+  X509_STORE_CTX properly. (CVE-2011-3207)
+
+---

calling whatdependson for 11.4-i586


New:

  CVE-2011-3207.patch
  CVE-2011-3210.patch



Other differences:
--
++ openssl.spec ++
--- /var/tmp/diff_new_pack.f8BAhE/_old  2011-09-20 12:06:10.0 +0200
+++ /var/tmp/diff_new_pack.f8BAhE/_new  2011-09-20 12:06:10.0 +0200
@@ -30,10 +30,8 @@
 %ifarch ppc64
 Obsoletes:  openssl-64bit
 %endif
-#
-#Version:1.0.0
 Version:1.0.0c
-Release:18.RELEASE19
+Release:18.RELEASE21
 Summary:Secure Sockets and Transport Layer Security
 Url:http://www.openssl.org/
 Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -50,6 +48,8 @@
 #Patch6: CVE-2010-3864.patch
 Patch7: openssl-1.0.0b-aesni.patch
 Patch8: ECDSA_signatures_timing_attack.patch
+Patch9: CVE-2011-3207.patch
+Patch10:CVE-2011-3210.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -185,6 +185,8 @@
 #%patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
 cp -p %{S:10} .
 echo adding/overwriting some entries in the 'table' hash in Configure
 # 
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags

++ CVE-2011-3207.patch ++
Index: openssl-1.0.0c/crypto/x509/x509_vfy.c
===
--- openssl-1.0.0c.orig/crypto/x509/x509_vfy.c
+++ openssl-1.0.0c/crypto/x509/x509_vfy.c
@@ -703,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ct
x = sk_X509_value(ctx-chain, cnum);
ctx-current_cert = x;
ctx-current_issuer = NULL;
+   ctx-current_crl_score = 0;
ctx-current_reasons = 0;
while (ctx-current_reasons != CRLDP_ALL_REASONS)
{
@@ -2015,6 +2016,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *
ctx-error_depth=0;
ctx-current_cert=NULL;
ctx-current_issuer=NULL;
+   ctx-current_crl=NULL;
+   ctx-current_crl_score=0;
+   ctx-current_reasons=0;
ctx-tree = NULL;
ctx-parent = NULL;
 
++ CVE-2011-3210.patch ++
Index: openssl-1.0.0c/ssl/d1_srvr.c
===
--- openssl-1.0.0c.orig/ssl/d1_srvr.c
+++ openssl-1.0.0c/ssl/d1_srvr.c
@@ -1017,12 +1017,11 @@ int dtls1_send_server_key_exchange(SSL *

SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
goto err;
}
-   if (!EC_KEY_up_ref(ecdhp))
+   if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
{

SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
goto err;
}
-   ecdh = ecdhp;
 
s-s3-tmp.ecdh=ecdh;
if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
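Review bot: The switch from taking a reference to copying the key has no comment saying why, and the reason is not obvious at the call site. Something like `/* copy the configured key: the per-connection ecdh may be modified below and must not alias the shared one */` above the `EC_KEY_dup` call would stop a later cleanup from turning it back into a reference bump. That rationale is inferred from the check on `EC_KEY_get0_public_key(ecdh)` that follows. The rest of dtls1_send_server_key_exchange is outside the hunk, so confirm the wording against the full function.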
Index: openssl-1.0.0c/ssl/s3_lib.c
===
--- openssl-1.0.0c.orig/ssl/s3_lib.c
+++ openssl-1.0.0c/ssl/s3_lib.c
@@ -2198,11 +2198,17 @@ void ssl3_clear(SSL *s)
}
 #ifndef OPENSSL_NO_DH
if (s-s3-tmp.dh != NULL)
+   {
DH_free(s-s3-tmp.dh);
+   s-s3-tmp.dh = NULL;
+   }
 #endif
 #ifndef OPENSSL_NO_ECDH
if (s-s3-tmp.ecdh != NULL)
+   {
EC_KEY_free(s-s3-tmp.ecdh);
+   s-s3-tmp.ecdh = NULL;
+   }
 #endif
 
rp = s-s3-rbuf.buf;
Index: openssl-1.0.0c/ssl/s3_srvr.c
===
--- openssl-1.0.0c.orig/ssl/s3_srvr.c
+++ openssl-1.0.0c/ssl/s3_srvr.c
@@ -778,6 +778,13 @@ int ssl3_check_client_hello(SSL *s)
s-s3-tmp.dh = NULL;
}
 #endif
+#ifndef OPENSSL_NO_ECDH
+   if (s-s3-tmp.ecdh != NULL)
+   {
+   EC_KEY_free(s-s3-tmp.ecdh);
+   s-s3-tmp.ecdh = NULL;
+   }

commit openssl for openSUSE:11.4

2011-06-06 Thread h_root

Hello community,

here is the log from the commit of package openssl for openSUSE:11.4
checked in at Mon Jun 6 21:56:06 CEST 2011.




--- old-versions/11.4/all/openssl/openssl.changes   2011-01-15 
21:02:09.0 +0100
+++ 11.4/openssl/openssl.changes2011-05-31 09:28:35.0 +0200
@@ -1,0 +2,9 @@
+Tue May 31 07:27:46 UTC 2011 - g...@novell.com
+
+- fix bug[bnc#693027].
+  Add protection against ECDSA timing attacks as mentioned in the paper
+  by Billy Bob Brumley and Nicola Tuveri, see:
+  http://eprint.iacr.org/2011/232.pdf
+  [Billy Bob Brumley and Nicola Tuveri]
+
+---

Package does not exist at destination yet. Using Fallback 
old-versions/11.4/all/openssl
Destination is old-versions/11.4/UPDATES/all/openssl
calling whatdependson for 11.4-i586


New:

  ECDSA_signatures_timing_attack.patch



Other differences:
--
++ openssl.spec ++
--- /var/tmp/diff_new_pack.3SCpCG/_old  2011-06-06 21:52:30.0 +0200
+++ /var/tmp/diff_new_pack.3SCpCG/_new  2011-06-06 21:52:30.0 +0200
@@ -33,7 +33,7 @@
 #
 #Version:1.0.0
 Version:1.0.0c
-Release:3
+Release:18.RELEASE19
 Summary:Secure Sockets and Transport Layer Security
 Url:http://www.openssl.org/
 Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -49,6 +49,7 @@
 #Patch5: CVE-2010-2939.patch
 #Patch6: CVE-2010-3864.patch
 Patch7: openssl-1.0.0b-aesni.patch
+Patch8: ECDSA_signatures_timing_attack.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -183,6 +184,7 @@
 #%patch5 -p1
 #%patch6 -p1
 %patch7 -p1
+%patch8 -p1
 cp -p %{S:10} .
 echo adding/overwriting some entries in the 'table' hash in Configure
 # 
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags

++ ECDSA_signatures_timing_attack.patch ++
Index: openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c
===
--- openssl-1.0.0c.orig/crypto/ecdsa/ecs_ossl.c
+++ openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c
@@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *ecke
}
while (BN_is_zero(k));
 
+#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
+   /* We do not want timing information to leak the length of k,
+* so we compute G*k using an equivalent scalar of fixed
+* bit-length. */
+
+   if (!BN_add(k, k, order)) goto err;
+   if (BN_num_bits(k) = BN_num_bits(order))
+   if (!BN_add(k, k, order)) goto err;
+#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
+
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
{
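Review bot: The fixed-length scalar padding is compiled only when `ECDSA_POINT_MUL_NO_CONSTTIME` is defined, and neither this patch nor the spec hunks shown with it define that macro. If nothing else in the build sets it, the package is built without the mitigation the changelog describes. Confirm where the macro comes from, or add a comment next to the `#ifdef` naming the configurations expected to define it. ecdsa_sign_setup starts and ends outside this hunk.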
Index: openssl-1.0.0c/crypto/ocsp/ocsp_lib.c
===
--- openssl-1.0.0c.orig/crypto/ocsp/ocsp_lib.c
+++ openssl-1.0.0c/crypto/ocsp/ocsp_lib.c
@@ -170,13 +170,14 @@ int OCSP_parse_url(char *url, char **pho
 
char *host, *port;
 
+   *phost = NULL;
+   *pport = NULL;
+   *ppath = NULL;
+
/* dup the buffer since we are going to mess with it */
buf = BUF_strdup(url);
if (!buf) goto mem_err;
 
-   *phost = NULL;
-   *pport = NULL;
-   *ppath = NULL;
 
/* Check for initial colon */
p = strchr(buf, ':');





Remember to have fun...
