commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2020-10-18 16:17:46 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new.3486 (New) Package is "openssl" Sun Oct 18 16:17:46 2020 rev:151 rq:836221 version:1.1.1h Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2020-04-27 23:27:45.698279863 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new.3486/openssl.changes 2020-10-18 16:17:48.672394416 +0200 @@ -1,0 +2,5 @@ +Tue Sep 22 20:41:09 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1h release + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.zhO26p/_old 2020-10-18 16:17:49.484394778 +0200 +++ /var/tmp/diff_new_pack.zhO26p/_new 2020-10-18 16:17:49.488394780 +0200 @@ -18,7 +18,7 @@ %define _sonum 1_1 Name: openssl -Version:1.1.1g +Version:1.1.1h Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2020-04-27 23:27:41 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new.2738 (New) Package is "openssl" Mon Apr 27 23:27:41 2020 rev:150 rq:796089 version:1.1.1g Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2020-04-02 17:42:29.577355954 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new.2738/openssl.changes 2020-04-27 23:27:45.698279863 +0200 @@ -1,0 +2,5 @@ +Tue Apr 21 13:43:27 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1g release + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.SSWAD5/_old 2020-04-27 23:27:47.438283260 +0200 +++ /var/tmp/diff_new_pack.SSWAD5/_new 2020-04-27 23:27:47.442283267 +0200 @@ -18,7 +18,7 @@ %define _sonum 1_1 Name: openssl -Version:1.1.1f +Version:1.1.1g Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2020-04-02 17:42:28 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new.3248 (New) Package is "openssl" Thu Apr 2 17:42:28 2020 rev:149 rq:790185 version:1.1.1f Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2019-12-07 15:15:18.991796451 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new.3248/openssl.changes 2020-04-02 17:42:29.577355954 +0200 @@ -1,0 +2,10 @@ +Tue Mar 31 14:04:29 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1f release + +--- +Sun Mar 22 11:18:29 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1e release + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.JyWeut/_old 2020-04-02 17:42:32.017357843 +0200 +++ /var/tmp/diff_new_pack.JyWeut/_new 2020-04-02 17:42:32.021357846 +0200 @@ -18,7 +18,7 @@ %define _sonum 1_1 Name: openssl -Version:1.1.1d +Version:1.1.1f Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2019-12-07 15:13:41 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new.4691 (New) Package is "openssl" Sat Dec 7 15:13:41 2019 rev:148 rq:753239 version:1.1.1d Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2019-11-20 13:42:25.520290146 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new.4691/openssl.changes 2019-12-07 15:15:18.991796451 +0100 @@ -1,0 +2,7 @@ +Tue Dec 3 12:57:07 UTC 2019 - Dominique Leuenberger + +- Remove Obsoletes: pkgconfig(*): Only package names can be + obsoleted. Until RPM 4.15, those lines were simply ineffective + and being ignored, but with RPM 4.15 they result in an error. + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.qLpZcI/_old 2019-12-07 15:15:19.807796336 +0100 +++ /var/tmp/diff_new_pack.qLpZcI/_new 2019-12-07 15:15:19.811796335 +0100 @@ -52,13 +52,9 @@ Obsoletes: openssl-devel < %{version} Provides: openssl-devel = %{version} Provides: pkgconfig(libssl) = %{version} -Obsoletes: pkgconfig(libssl) < %{version} Provides: pkgconfig(libopenssl) = %{version} -Obsoletes: pkgconfig(libopenssl) < %{version} Provides: pkgconfig(libcrypto) = %{version} -Obsoletes: pkgconfig(libcrypto) < %{version} Provides: pkgconfig(openssl) = %{version} -Obsoletes: pkgconfig(openssl) < %{version} %description -n libopenssl-devel This package contains all necessary include files and libraries needed
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2019-11-20 13:42:24 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new.26869 (New) Package is "openssl" Wed Nov 20 13:42:24 2019 rev:147 rq:730207 version:1.1.1d Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2019-06-18 14:44:31.733740590 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new.26869/openssl.changes 2019-11-20 13:42:25.520290146 +0100 @@ -1,0 +2,5 @@ +Wed Sep 11 14:15:24 UTC 2019 - Vítězslav Čížek + +- Update to 1.1.1d release + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.m2riSt/_old 2019-11-20 13:42:26.204289938 +0100 +++ /var/tmp/diff_new_pack.m2riSt/_new 2019-11-20 13:42:26.208289937 +0100 @@ -18,7 +18,7 @@ %define _sonum 1_1 Name: openssl -Version:1.1.1c +Version:1.1.1d Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2019-06-18 14:44:27 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new.4811 (New) Package is "openssl" Tue Jun 18 14:44:27 2019 rev:146 rq:706515 version:1.1.1c Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2019-05-16 21:54:53.898918143 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new.4811/openssl.changes 2019-06-18 14:44:31.733740590 +0200 @@ -1,0 +2,5 @@ +Thu May 30 13:18:44 UTC 2019 - Vítězslav Čížek + +- Update to 1.1.1c release + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.fOJdJH/_old 2019-06-18 14:44:32.901740472 +0200 +++ /var/tmp/diff_new_pack.fOJdJH/_new 2019-06-18 14:44:32.905740472 +0200 @@ -18,7 +18,7 @@ %define _sonum 1_1 Name: openssl -Version:1.1.1b +Version:1.1.1c Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2019-05-16 21:54:50 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new.5148 (New) Package is "openssl" Thu May 16 21:54:50 2019 rev:145 rq:681715 version:1.1.1b Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2018-03-30 12:00:24.192963215 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new.5148/openssl.changes 2019-05-16 21:54:53.898918143 +0200 @@ -1,0 +2,25 @@ +Thu Feb 28 09:32:27 UTC 2019 - Pedro Monreal Gonzalez + +- Update to 1.1.1b release + +--- +Tue Nov 20 14:36:29 UTC 2018 - Vítězslav Čížek + +- Update to 1.1.1a release + +--- +Tue Sep 11 13:46:57 UTC 2018 - Vítězslav Čížek + +- Update to 1.1.1 release + +--- +Fri Aug 24 10:32:43 UTC 2018 - vci...@suse.com + +- Update to 1.1.1~pre9 (Beta 7) + +--- +Tue Aug 14 14:11:48 UTC 2018 - vci...@suse.com + +- Update to 1.1.0i release + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.vmr8eA/_old 2019-05-16 21:54:54.522917877 +0200 +++ /var/tmp/diff_new_pack.vmr8eA/_new 2019-05-16 21:54:54.526917876 +0200 @@ -18,7 +18,7 @@ %define _sonum 1_1 Name: openssl -Version:1.1.0h +Version:1.1.1b Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2018-03-30 12:00:06 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Fri Mar 30 12:00:06 2018 rev:144 rq:591688 version:1.1.0h Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2018-03-01 12:04:43.732730080 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2018-03-30 12:00:24.192963215 +0200 @@ -1,0 +2,5 @@ +Tue Mar 27 14:29:04 UTC 2018 - vci...@suse.com + +- Update to 1.1.0h release + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.I3dQcu/_old 2018-03-30 12:00:26.176891471 +0200 +++ /var/tmp/diff_new_pack.I3dQcu/_new 2018-03-30 12:00:26.180891327 +0200 @@ -18,7 +18,7 @@ %define _sonum 1_1 Name: openssl -Version:1.1.0g +Version:1.1.0h Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2018-03-01 12:04:40 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Thu Mar 1 12:04:40 2018 rev:143 rq:578326 version:1.1.0g Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2017-11-26 10:34:46.383267118 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2018-03-01 12:04:43.732730080 +0100 @@ -1,0 +2,7 @@ +Fri Feb 16 11:55:28 UTC 2018 - vci...@suse.com + +- change the sonum to 1.1, as all the minor versions keep ABI + compatibility (bsc#1081335) +- update baselibs.conf + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.5gKwWg/_old 2018-03-01 12:04:44.500702527 +0100 +++ /var/tmp/diff_new_pack.5gKwWg/_new 2018-03-01 12:04:44.500702527 +0100 @@ -16,7 +16,7 @@ # -%define _sonum 1_1_0 +%define _sonum 1_1 Name: openssl Version:1.1.0g Release:0 ++ baselibs.conf ++ --- /var/tmp/diff_new_pack.5gKwWg/_old 2018-03-01 12:04:44.552700661 +0100 +++ /var/tmp/diff_new_pack.5gKwWg/_new 2018-03-01 12:04:44.552700661 +0100 @@ -1,6 +1,8 @@ openssl - requires "openssl-1_0_0- = " + requires "openssl-1_1- = " + obsoletes "openssl-1_1_0-" libopenssl-devel requires "openssl- = " - requires "libopenssl1_0_0- = " - requires "libopenssl-1_0_0-devel- = " + requires "libopenssl1_1- = " + requires "libopenssl-1_1-devel- = " + obsoletes "libopenssl-1_1_0-devel-"
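Review bot: The baselibs.conf hunk hard-codes the soname suffix (openssl-1_1-, libopenssl1_1-, libopenssl-1_1-devel-) instead of following '%define _sonum' in openssl.spec, and the removed lines show what that costs: baselibs.conf still said openssl-1_0_0- and libopenssl1_0_0- while the spec was already at '_sonum 1_1_0'. Add a comment next to '%define _sonum' stating that baselibs.conf must be changed in the same commit, or generate the file from the macro, so the baselibs packages cannot end up requiring a different library branch than the main package.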
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2017-11-26 10:34:40 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Sun Nov 26 10:34:40 2017 rev:142 rq:541546 version:1.1.0g Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2017-11-10 14:37:24.579438384 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2017-11-26 10:34:46.383267118 +0100 @@ -1,0 +2,5 @@ +Mon Nov 6 15:42:39 UTC 2017 - vci...@suse.com + +- Update to 1.1.0g release + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.OR8M01/_old 2017-11-26 10:34:47.923210964 +0100 +++ /var/tmp/diff_new_pack.OR8M01/_new 2017-11-26 10:34:47.923210964 +0100 @@ -16,9 +16,9 @@ # -%define _sonum 1_0_0 +%define _sonum 1_1_0 Name: openssl -Version:1.0.2m +Version:1.1.0g Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
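Review bot: The changelog entry says only 'Update to 1.1.0g release', but the spec hunk moves Version from 1.0.2m to 1.1.0g and '_sonum' from 1_0_0 to 1_1_0, which switches the default library branch rather than applying a point update. State the branch switch in the entry. openssl.spec is the only file listed under 'Other differences', so also confirm whether baselibs.conf needs the same sonum change in this commit.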
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2017-11-10 14:37:17 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Fri Nov 10 14:37:17 2017 rev:141 rq:538750 version:1.0.2m Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2017-07-17 09:01:55.633938948 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2017-11-10 14:37:24.579438384 +0100 @@ -1,0 +2,12 @@ +Thu Nov 2 16:42:16 UTC 2017 - vci...@suse.com + +- Revert version back to 1.0.2m to get security fixes quickly to + Tumbleweed + * OpenSSL Security Advisory [02 Nov 2017] (bsc#1066242,bsc#1056058) + +--- +Mon Jul 31 11:16:45 UTC 2017 - tchva...@suse.com + +- Switch to 1.1.0f release as default again + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.GNZVmN/_old 2017-11-10 14:37:25.419408028 +0100 +++ /var/tmp/diff_new_pack.GNZVmN/_new 2017-11-10 14:37:25.423407883 +0100 @@ -18,7 +18,7 @@ %define _sonum 1_0_0 Name: openssl -Version:1.0.2l +Version:1.0.2m Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2017-07-17 09:01:38 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Mon Jul 17 09:01:38 2017 rev:140 rq:509431 version:1.0.2l Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2017-06-27 10:19:51.447193508 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2017-07-17 09:01:55.633938948 +0200 @@ -1,0 +2,7 @@ +Tue Jul 11 11:46:56 UTC 2017 - vci...@suse.com + +- Obsolete openssl-debuginfo + * the package doesn't exist any more, has been replaced by +openssl-{so_version}-debuginfo (bsc#1040172) + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.vxwzvb/_old 2017-07-17 09:01:56.193860103 +0200 +++ /var/tmp/diff_new_pack.vxwzvb/_new 2017-07-17 09:01:56.197859540 +0200 @@ -29,6 +29,8 @@ Source99: baselibs.conf BuildRequires: libopenssl%{_sonum} = %{version} Requires: openssl-%{_sonum} = %{version} +# the debuginfo package is now openssl-%{_sonum}-debuginfo (boo#1040172) +Obsoletes: openssl-debuginfo BuildArch: noarch %description
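Review bot: The added 'Obsoletes: openssl-debuginfo' carries no version bound, so it matches every version of that name, including any package called openssl-debuginfo that might be introduced later. Bound it the way the spec does for openssl-devel, for example 'Obsoletes: openssl-debuginfo < %{version}'. The spec comment cites boo#1040172 while the changelog cites bsc#1040172; use one prefix for the same bug.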
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2017-06-27 10:19:50 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Tue Jun 27 10:19:50 2017 rev:139 rq:506205 version:1.0.2l Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2017-05-18 20:46:41.389065383 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2017-06-27 10:19:51.447193508 +0200 @@ -1,0 +2,16 @@ +Fri Jun 23 15:23:59 UTC 2017 - tchva...@suse.com + +- Revert back to 1.0.2l for now so we get new fixes of 1.0 openssl + to tumbleweed + +--- +Mon May 29 10:18:31 UTC 2017 - tchva...@suse.com + +- Update to 1.1.0f release + +--- +Wed May 24 08:06:58 UTC 2017 - tchva...@suse.com + +- Switch default to openssl-1.1.0 + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.Jhnd2G/_old 2017-06-27 10:19:52.235082151 +0200 +++ /var/tmp/diff_new_pack.Jhnd2G/_new 2017-06-27 10:19:52.235082151 +0200 @@ -18,7 +18,7 @@ %define _sonum 1_0_0 Name: openssl -Version:1.0.2k +Version:1.0.2l Release:0 Summary:Secure Sockets and Transport Layer Security # Yes there is no license but to not confuse people keep it aligned to the pkg
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2017-05-18 20:46:33 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Thu May 18 20:46:33 2017 rev:138 rq:492985 version:1.0.2k Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2017-04-11 09:29:35.117110729 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2017-05-18 20:46:41.389065383 +0200 
@@ -1,0 +2,75 @@ +Fri May 5 09:21:04 UTC 2017 - tchva...@suse.com + +- Provide pkgconfig(openssl) + +--- +Tue May 2 10:34:51 UTC 2017 - tchva...@suse.com + +- Provide basic baselibs.conf for 32bit subpackages +- Specify this package as noarch (as we just provide README files) + +--- +Wed Apr 26 12:51:45 UTC 2017 - tchva...@suse.com + +- Fix typo in openssl requires +- Add dependency on the branched devel package +- Provide all pkgconfig symbols to hide them in versioned subpkgs +- This allows us to propagate only the preffered version of openssl + while allowing us to add extra openssl only as additional dependency + +--- +Wed Apr 12 12:25:26 UTC 2017 - tchva...@suse.com + +- Remove the ssl provides as it is applicable for only those that + really provide it + +--- +Wed Apr 12 11:51:36 UTC 2017 - tchva...@suse.com + +- Prepare to split to various subpackages converting main one to + dummy package +- Reduce to only provide main pkg and devel and depend on proper + soversioned package +- Version in this package needs to be synced with the one provided + by the split package +- Remove all the patches, now in the proper versioned namespace: + * merge_from_0.9.8k.patch + * openssl-1.0.0-c_rehash-compat.diff + * bug610223.patch + * openssl-ocloexec.patch + * openssl-1.0.2a-padlock64.patch + * openssl-fix-pod-syntax.diff + * openssl-truststore.patch + * compression_methods_switch.patch + * 0005-libssl-Hide-library-private-symbols.patch + * openssl-1.0.2a-default-paths.patch + * openssl-pkgconfig.patch + * openssl-1.0.2a-ipv6-apps.patch + * 0001-libcrypto-Hide-library-private-symbols.patch + * openssl-1.0.2i-fips.patch + * openssl-1.0.2a-fips-ec.patch + * openssl-1.0.2a-fips-ctor.patch + * openssl-1.0.2i-new-fips-reqs.patch + * openssl-gcc-attributes.patch + * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + * openssl-no-egd.patch + * openssl-fips-hidden.patch + * openssl-1.0.1e-add-suse-default-cipher.patch + * 
openssl-1.0.1e-add-test-suse-default-cipher-suite.patch + * openssl-missing_FIPS_ec_group_new_by_curve_name.patch + * openssl-fips-dont_run_FIPS_module_installed.patch + * openssl-fips_disallow_x931_rand_method.patch + * openssl-fips_disallow_ENGINE_loading.patch + * openssl-rsakeygen-minimum-distance.patch + * openssl-urandom-reseeding.patch + * openssl-fips-rsagen-d-bits.patch + * openssl-fips-selftests_in_nonfips_mode.patch + * openssl-fips-fix-odd-rsakeybits.patch + * openssl-fips-clearerror.patch + * openssl-fips-dont-fall-back-to-default-digest.patch + * openssl-fipslocking.patch + * openssl-print_notice-NULL_crash.patch + * openssl-randfile_fread_interrupt.patch + + +--- Old: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch 0001-libcrypto-Hide-library-private-symbols.patch 0005-libssl-Hide-library-private-symbols.patch README-FIPS.txt bug610223.patch compression_methods_switch.patch merge_from_0.9.8k.patch openssl-1.0.0-c_rehash-compat.diff openssl-1.0.1e-add-suse-default-cipher.patch openssl-1.0.1e-add-test-suse-default-cipher-suite.patch openssl-1.0.2a-default-paths.patch openssl-1.0.2a-fips-ctor.patch openssl-1.0.2a-fips-ec.patch openssl-1.0.2a-ipv6-apps.patch openssl-1.0.2a-padlock64.patch openssl-1.0.2i-fips.patch openssl-1.0.2i-new-fips-reqs.patch openssl-1.0.2k.tar.gz openssl-1.0.2k.tar.gz.asc openssl-fips-clearerror.patch openssl-fips-dont-fall-back-to-default-digest.patch openssl-fips-dont_run_FIPS_module_installed.patch openssl-fips-fix-odd-rsakeybits.patch openssl-fips-hidden.patch openssl-fips-rsagen-d-bits.patch openssl-fips-selftests_in_nonfips_mode.patch openssl-fips_disallow_ENGINE_loading.patch openssl-fips_disallow_x931_rand_method.patch openssl-fipslocking.patch openssl-fix-pod-syntax.diff openssl-gcc-attributes.patch openssl-missing_FIPS_ec_group_new_by_curve_name.patch openssl-no-egd.patch openssl-ocloexec.patch openssl-pkgconfig.patch
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2017-04-11 09:29:32 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Tue Apr 11 09:29:32 2017 rev:137 rq:485219 version:1.0.2k Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2017-02-07 11:57:30.416284045 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2017-04-11 09:29:35.117110729 +0200 @@ -1,0 +2,8 @@ +Tue Apr 4 11:41:40 UTC 2017 - tchva...@suse.com + +- Remove O3 from optflags, no need to not rely on distro wide settings +- Remove conditions for sle10 and sle11, we care only about sle12+ +- USE SUSE instead of SuSE in readme +- Pass over with spec-cleaner + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.Jr4BMT/_old 2017-04-11 09:29:36.828868976 +0200 +++ /var/tmp/diff_new_pack.Jr4BMT/_new 2017-04-11 09:29:36.828868976 +0200 @@ -16,19 +16,10 @@ # -Name: openssl -BuildRequires: bc -BuildRequires: ed -BuildRequires: pkg-config -BuildRequires: zlib-devel %define ssletcdir %{_sysconfdir}/ssl #%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g") %define num_version 1.0.0 -Provides: ssl -# bug437293 -%ifarch ppc64 -Obsoletes: openssl-64bit -%endif +Name: openssl Version:1.0.2k Release:0 Summary:Secure Sockets and Transport Layer Security 
@@ -36,21 +27,19 @@ Group: Productivity/Networking/Security Url:https://www.openssl.org/ Source: https://www.%{name}.org/source/%{name}-%{version}.tar.gz -Source42: https://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc -# https://www.openssl.org/about/ -# http://pgp.mit.edu:11371/pks/lookup?op=get=0xA2D29B7BF295C759#/%name.keyring -Source43: %name.keyring # to get mtime of file: Source1:openssl.changes Source2:baselibs.conf Source10: README.SUSE Source11: README-FIPS.txt +Source42: https://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc +# https://www.openssl.org/about/ +# http://pgp.mit.edu:11371/pks/lookup?op=get=0xA2D29B7BF295C759#/%name.keyring +Source43: %{name}.keyring Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff Patch2: bug610223.patch -%if 0%{?suse_version} >= 1120 Patch3: openssl-ocloexec.patch -%endif Patch4: openssl-1.0.2a-padlock64.patch # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 Patch5: openssl-fix-pod-syntax.diff @@ -84,11 +73,14 @@ Patch57:openssl-fips-fix-odd-rsakeybits.patch Patch58:openssl-fips-clearerror.patch Patch59:openssl-fips-dont-fall-back-to-default-digest.patch - Patch61:openssl-fipslocking.patch Patch62:openssl-print_notice-NULL_crash.patch Patch63:openssl-randfile_fread_interrupt.patch - +BuildRequires: bc +BuildRequires: ed +BuildRequires: pkgconfig +BuildRequires: pkgconfig(zlib) +Provides: ssl BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -112,11 +104,6 @@ License:OpenSSL Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla -# bug437293 -%ifarch ppc64 -Obsoletes: openssl-64bit -%endif -# %description -n libopenssl1_0_0 The OpenSSL Project is a collaborative effort to develop a robust, 
@@ -138,16 +125,11 @@ Summary:Include Files and Libraries mandatory for Development License:OpenSSL Group: Development/Libraries/C and C++ -Obsoletes: openssl-devel < %{version} -Requires: %name = %version +Requires: %{name} = %{version} Requires: libopenssl1_0_0 = %{version} -Requires: zlib-devel +Requires: pkgconfig(zlib) +Obsoletes: openssl-devel < %{version} Provides: openssl-devel = %{version} -# bug437293 -%ifarch ppc64 -Obsoletes: openssl-devel-64bit -%endif -# %description -n libopenssl-devel This package contains all necessary include files and libraries needed @@ -167,9 +149,7 @@ Summary:Additional Package Documentation License:OpenSSL Group: Productivity/Networking/Security -%if 0%{?suse_version} >= 1140 BuildArch: noarch -%endif %description doc This package contains optional documentation provided in addition to @@ -211,13 +191,11 @@ %patch61 -p1 %patch62 -p1 %patch63 -p1 -%if 0%{?suse_version} >= 1120 %patch3 -%endif %patch8 -p1 %patch14 -p1 -cp -p %{S:10} . -cp -p %{S:11} . +cp -p %{SOURCE10} . +cp -p
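Review bot: Three '%ifarch ppc64' blocks marked '# bug437293' are deleted (Obsoletes: openssl-64bit in the main package and in libopenssl1_0_0, Obsoletes: openssl-devel-64bit in libopenssl-devel), but none of the four changelog items mentions them; the closest, 'Remove conditions for sle10 and sle11', describes the suse_version guards, not these. Add a changelog line saying the ppc64 64bit obsoletes are dropped and why they are no longer needed, so the removal of upgrade-path metadata is a recorded decision rather than a side effect of spec-cleaner.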
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2017-02-07 11:57:29 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2017-02-03 17:52:12.285698173 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2017-02-07 11:57:30.416284045 +0100 @@ -1,0 +2,6 @@ +Thu Feb 2 15:19:15 UTC 2017 - vci...@suse.com + +- fix X509_CERT_FILE path (bsc#1022271) and rename + updated openssl-1.0.1e-truststore.diff to openssl-truststore.patch + +--- Old: openssl-1.0.1e-truststore.diff New: openssl-truststore.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.hpOtbl/_old 2017-02-07 11:57:32.623971061 +0100 +++ /var/tmp/diff_new_pack.hpOtbl/_new 2017-02-07 11:57:32.623971061 +0100 @@ -54,7 +54,7 @@ Patch4: openssl-1.0.2a-padlock64.patch # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 Patch5: openssl-fix-pod-syntax.diff -Patch6: openssl-1.0.1e-truststore.diff +Patch6: openssl-truststore.patch Patch7: compression_methods_switch.patch Patch8: 0005-libssl-Hide-library-private-symbols.patch Patch9: openssl-1.0.2a-default-paths.patch ++ openssl-truststore.patch ++ Don't use the legacy /etc/ssl/certs directory anymore but rather the p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) Index: openssl-1.0.2j/crypto/cryptlib.h === --- openssl-1.0.2j.orig/crypto/cryptlib.h 2017-02-01 16:50:51.103706760 +0100 +++ openssl-1.0.2j/crypto/cryptlib.h2017-02-01 16:52:10.517058963 +0100 
@@ -81,8 +81,8 @@ extern "C" { # ifndef OPENSSL_SYS_VMS # define X509_CERT_AREA OPENSSLDIR -# define X509_CERT_DIR OPENSSLDIR "/certs" -# define X509_CERT_FILE OPENSSLDIR "/cert.pem" +# define X509_CERT_DIR "/var/lib/ca-certificates/openssl" +# define X509_CERT_FILE "/var/lib/ca-certificates/ca-bundle.pem" # define X509_PRIVATE_DIROPENSSLDIR "/private" # else # define X509_CERT_AREA "SSLROOT:[00]"
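Review bot: The patch header describes only the directory change (/etc/ssl/certs to /var/lib/ca-certificates/openssl), but the hunk in crypto/cryptlib.h also redefines X509_CERT_FILE to "/var/lib/ca-certificates/ca-bundle.pem", which is the part the changelog names as the fix for bsc#1022271. Mention the bundle file and the bug number in the header. Both defines are now absolute literals, while X509_CERT_AREA and X509_PRIVATE_DIR still follow OPENSSLDIR; a sentence in the header saying this split is intended would help whoever rebases the patch, since these two values decide which trust anchors are loaded by default.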
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2017-01-31 12:37:40 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2016-10-10 16:17:30.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2017-02-03 17:52:12.285698173 +0100 @@ -1,0 +2,9 @@ +Fri Jan 27 10:21:42 UTC 2017 - meiss...@suse.com + +- Updated to openssl 1.0.2k + - bsc#1009528 / CVE-2016-7055: openssl: Montgomery multiplication may produce incorrect results + - bsc#1019334 / CVE-2016-7056: openssl: ECSDA P-256 timing attack key recovery + - bsc#1022085 / CVE-2017-3731: openssl: Truncated packet could crash via OOB read + - bsc#1022086 / CVE-2017-3732: openssl: BN_mod_exp may produce incorrect results on x86_64 + +--- Old: openssl-1.0.2j.tar.gz openssl-1.0.2j.tar.gz.asc New: openssl-1.0.2k.tar.gz openssl-1.0.2k.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.HBsxmc/_old 2017-02-03 17:52:13.821481630 +0100 +++ /var/tmp/diff_new_pack.HBsxmc/_new 2017-02-03 17:52:13.829480503 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssl # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.2j +Version:1.0.2k Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL ++ openssl-fips-dont-fall-back-to-default-digest.patch ++ --- /var/tmp/diff_new_pack.HBsxmc/_old 2017-02-03 17:52:14.057448359 +0100 +++ /var/tmp/diff_new_pack.HBsxmc/_new 2017-02-03 17:52:14.061447795 +0100 
@@ -114,9 +114,9 @@ +if (non_fips_allow) +FIPS_mode_set(0); + - #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); - #endif + e = setup_engine(bio_err, engine, 0); + + if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { @@ -338,7 +342,7 @@ int MAIN(int argc, char **argv) goto end; }
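Review bot: The changelog entry lists the version update and four CVE fixes but not the refresh of openssl-fips-dont-fall-back-to-default-digest.patch, whose context in the hunk at -114,9 changes from the '#ifndef OPENSSL_NO_ENGINE' / 'setup_engine(bio_err, engine, 0);' / '#endif' block to 'e = setup_engine(bio_err, engine, 0);'. Add a 'refresh' line for it, so a reader auditing the FIPS patches can tell the change is a rebase onto new upstream context and not a behaviour change.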
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2016-10-10 16:17:30 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2016-09-28 15:03:35.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2016-10-10 16:17:30.0 +0200 @@ -1,0 +2,21 @@ +Fri Sep 30 10:53:56 UTC 2016 - vci...@suse.com + +- resume reading from /dev/urandom when interrupted by a signal + (bsc#995075) + * add openssl-randfile_fread_interrupt.patch + +--- +Fri Sep 30 10:53:06 UTC 2016 - vci...@suse.com + +- add FIPS changes from SP2: +- fix problems with locking in FIPS mode (bsc#992120) + * duplicates: bsc#991877, bsc#991193, bsc#990392, bsc#990428 +and bsc#990207 + * bring back openssl-fipslocking.patch +- drop openssl-fips_RSA_compute_d_with_lcm.patch (upstream) + (bsc#984323) +- don't check for /etc/system-fips (bsc#982268) + * add openssl-fips-dont_run_FIPS_module_installed.patch +- refresh openssl-fips-rsagen-d-bits.patch + +--- Old: openssl-fips_RSA_compute_d_with_lcm.patch New: openssl-fips-dont_run_FIPS_module_installed.patch openssl-fipslocking.patch openssl-randfile_fread_interrupt.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.xNi2BB/_old 2016-10-10 16:17:32.0 +0200 +++ /var/tmp/diff_new_pack.xNi2BB/_new 2016-10-10 16:17:32.0 +0200 @@ -74,9 +74,9 @@ Patch37:openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Patch38:openssl-missing_FIPS_ec_group_new_by_curve_name.patch # FIPS patches from SLE-12 +Patch41:openssl-fips-dont_run_FIPS_module_installed.patch Patch50:openssl-fips_disallow_x931_rand_method.patch Patch51:openssl-fips_disallow_ENGINE_loading.patch -Patch52:openssl-fips_RSA_compute_d_with_lcm.patch Patch53:openssl-rsakeygen-minimum-distance.patch Patch54:openssl-urandom-reseeding.patch Patch55:openssl-fips-rsagen-d-bits.patch 
@@ -85,7 +85,9 @@ Patch58:openssl-fips-clearerror.patch Patch59:openssl-fips-dont-fall-back-to-default-digest.patch -Patch60:openssl-print_notice-NULL_crash.patch +Patch61:openssl-fipslocking.patch +Patch62:openssl-print_notice-NULL_crash.patch +Patch63:openssl-randfile_fread_interrupt.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -196,9 +198,9 @@ %patch35 -p1 %patch37 -p1 %patch38 -p1 +%patch41 -p1 %patch50 -p1 %patch51 -p1 -%patch52 -p1 %patch53 -p1 %patch54 -p1 %patch55 -p1 @@ -206,7 +208,9 @@ %patch57 -p1 %patch58 -p1 %patch59 -p1 -%patch60 -p1 +%patch61 -p1 +%patch62 -p1 +%patch63 -p1 %if 0%{?suse_version} >= 1120 %patch3 %endif ++ openssl-fips-dont_run_FIPS_module_installed.patch ++ Index: openssl-1.0.2h/crypto/o_init.c === --- openssl-1.0.2h.orig/crypto/o_init.c 2016-06-01 15:26:25.026937000 +0200 +++ openssl-1.0.2h/crypto/o_init.c 2016-06-01 16:23:24.980858697 +0200 @@ -111,9 +111,9 @@ void __attribute__ ((constructor)) OPENS return; done = 1; #ifdef OPENSSL_FIPS -if (!FIPS_module_installed()) { +/*if (!FIPS_module_installed()) { return; -} +}*/ RAND_init_fips(); init_fips_mode(); if (!FIPS_mode()) { ++ openssl-fips-rsagen-d-bits.patch ++ --- /var/tmp/diff_new_pack.xNi2BB/_old 2016-10-10 16:17:32.0 +0200 +++ /var/tmp/diff_new_pack.xNi2BB/_new 2016-10-10 16:17:32.0 +0200 @@ -1,8 +1,8 @@ -Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +Index: openssl-1.0.2h/crypto/rsa/rsa_gen.c === openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-14 10:23:50.941168136 +0200 -+++ openssl-1.0.2g/crypto/rsa/rsa_gen.c2016-04-14 10:47:56.651757817 +0200 -@@ -237,6 +237,12 @@ static int FIPS_rsa_builtin_keygen(RSA * +--- openssl-1.0.2h.orig/crypto/rsa/rsa_gen.c 2016-07-14 15:25:28.640174922 +0200 openssl-1.0.2h/crypto/rsa/rsa_gen.c2016-07-14 15:27:41.330349764 +0200 +@@ -234,6 +234,12 @@ static int FIPS_rsa_builtin_keygen(RSA * goto err; } 
@@ -15,7 +15,7 @@ /* prepare approximate minimum p and q */ if (!BN_set_word(r0, 0xB504F334)) goto err; -@@ -249,12 +255,6 @@ static int FIPS_rsa_builtin_keygen(RSA * +@@ -246,12 +252,6 @@ static int FIPS_rsa_builtin_keygen(RSA * if
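Review bot: In openssl-fips-dont_run_FIPS_module_installed.patch, the o_init.c hunk disables the `FIPS_module_installed()` early return by wrapping it in `/* ... */` instead of deleting it, and the patch starts straight at the `Index:` line with no description. With the guard gone, `RAND_init_fips()` and `init_fips_mode()` run in the library constructor on every OPENSSL_FIPS build, which is a behaviour change that should be stated in the patch itself. Suggest removing the three lines outright and adding a header that references bsc#982268 and explains why the /etc/system-fips check is no longer wanted. In openssl.spec, Patch41 is filed under the "FIPS patches from SLE-12" comment, but Patch62 (print_notice) and Patch63 (randfile_fread_interrupt) are not FIPS patches and sit in the same run without a comment of their own.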
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2016-09-28 15:03:33 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2016-05-08 10:38:50.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2016-09-28 15:03:35.0 +0200 
@@ -1,0 +2,39 @@ +Tue Sep 27 06:20:03 UTC 2016 - mich...@stroeder.com + +- update to openssl-1.0.2j + * Missing CRL sanity check (CVE-2016-7052 bsc#1001148) + +--- +Fri Sep 23 08:22:01 UTC 2016 - vci...@suse.com + +- OpenSSL Security Advisory [22 Sep 2016] (bsc#999665) + Severity: High + * OCSP Status Request extension unbounded memory growth +(CVE-2016-6304) (bsc#999666) + Severity: Low + * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575) + * Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249) + * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844) + * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419) + * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749) + * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819) + * Birthday attack against 64-bit block ciphers (SWEET32) +(CVE-2016-2183) (bsc#995359) + * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324) + * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377) + * Certificate message OOB reads (CVE-2016-6306) (bsc#999668) +- update to openssl-1.0.2i + * remove patches: +openssl-1.0.2a-new-fips-reqs.patch +openssl-1.0.2e-fips.patch + * add patches: +openssl-1.0.2i-fips.patch +openssl-1.0.2i-new-fips-reqs.patch + +--- +Wed Aug 3 12:41:41 UTC 2016 - vci...@suse.com + +- fix crash in print_notice (bsc#998190) + * add openssl-print_notice-NULL_crash.patch + +--- Old: openssl-1.0.2a-new-fips-reqs.patch openssl-1.0.2e-fips.patch openssl-1.0.2h.tar.gz openssl-1.0.2h.tar.gz.asc New: openssl-1.0.2i-fips.patch openssl-1.0.2i-new-fips-reqs.patch openssl-1.0.2j.tar.gz openssl-1.0.2j.tar.gz.asc openssl-print_notice-NULL_crash.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.aOxkbB/_old 2016-09-28 15:03:37.0 +0200 +++ /var/tmp/diff_new_pack.aOxkbB/_new 2016-09-28 15:03:37.0 +0200 
@@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.2h +Version:1.0.2j Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL @@ -62,10 +62,10 @@ Patch13:openssl-1.0.2a-ipv6-apps.patch Patch14:0001-libcrypto-Hide-library-private-symbols.patch # FIPS patches: -Patch15:openssl-1.0.2e-fips.patch +Patch15:openssl-1.0.2i-fips.patch Patch16:openssl-1.0.2a-fips-ec.patch Patch17:openssl-1.0.2a-fips-ctor.patch -Patch18:openssl-1.0.2a-new-fips-reqs.patch +Patch18:openssl-1.0.2i-new-fips-reqs.patch Patch19:openssl-gcc-attributes.patch Patch26:0001-Axe-builtin-printf-implementation-use-glibc-instead.patch Patch33:openssl-no-egd.patch @@ -85,6 +85,8 @@ Patch58:openssl-fips-clearerror.patch Patch59:openssl-fips-dont-fall-back-to-default-digest.patch +Patch60:openssl-print_notice-NULL_crash.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -204,6 +206,7 @@ %patch57 -p1 %patch58 -p1 %patch59 -p1 +%patch60 -p1 %if 0%{?suse_version} >= 1120 %patch3 %endif ++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++ --- /var/tmp/diff_new_pack.aOxkbB/_old 2016-09-28 15:03:37.0 +0200 +++ /var/tmp/diff_new_pack.aOxkbB/_new 2016-09-28 15:03:37.0 +0200 @@ -4,10 +4,10 @@ Subject: [PATCH] Axe builtin printf implementation, use glibc instead -Index: openssl-1.0.2g/crypto/bio/b_print.c +Index: openssl-1.0.2i/crypto/bio/b_print.c === openssl-1.0.2g.orig/crypto/bio/b_print.c 2016-03-01 14:35:05.0 +0100 -+++ openssl-1.0.2g/crypto/bio/b_print.c2016-03-01 15:26:55.597307479 +0100 +--- openssl-1.0.2i.orig/crypto/bio/b_print.c 2016-09-22 12:23:06.0 +0200 openssl-1.0.2i/crypto/bio/b_print.c2016-09-23 10:18:39.805097010 +0200 @@ -56,17 +56,10 @@ * [including the GNU Public Licence.] */ @@ -28,7 +28,7 @@ #include #include #include -@@
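Review bot: In the openssl.spec patch-list hunk, `Patch60:openssl-print_notice-NULL_crash.patch` is appended directly after the FIPS patches (Patch58, Patch59) with no comment, so a reader of the spec cannot tell that it is an unrelated crash fix. Add a one-line comment above it with the bug reference from the changelog (bsc#998190) and whether the fix has been sent upstream. The refreshed patches are also indexed against openssl-1.0.2i while the spec sets `Version:1.0.2j`; that is harmless with `-p1`, but worth a rediff on the next refresh.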
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2016-05-08 10:38:49 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2016-04-22 16:17:18.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2016-05-08 10:38:50.0 +0200 
@@ -1,0 +2,39 @@ +Tue May 3 14:43:47 UTC 2016 - vci...@suse.com + +- OpenSSL Security Advisory [3rd May 2016] +- update to 1.0.2h (boo#977584, boo#977663) + * Prevent padding oracle in AES-NI CBC MAC check + A MITM attacker can use a padding oracle attack to decrypt traffic + when the connection uses an AES CBC cipher and the server support + AES-NI. + (CVE-2016-2107, boo#977616) + * Fix EVP_EncodeUpdate overflow + An overflow can occur in the EVP_EncodeUpdate() function which is used for + Base64 encoding of binary data. If an attacker is able to supply very large + amounts of input data then a length check can overflow resulting in a heap + corruption. + (CVE-2016-2105, boo#977614) + * Fix EVP_EncryptUpdate overflow + An overflow can occur in the EVP_EncryptUpdate() function. If an attacker + is able to supply very large amounts of input data after a previous call to + EVP_EncryptUpdate() with a partial block then a length check can overflow + resulting in a heap corruption. + (CVE-2016-2106, boo#977615) + * Prevent ASN.1 BIO excessive memory allocation + When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() + a short invalid encoding can casuse allocation of large amounts of memory + potentially consuming excessive resources or exhausting memory. + (CVE-2016-2109, boo#976942) + * EBCDIC overread + ASN1 Strings that are over 1024 bytes can cause an overread in applications + using the X509_NAME_oneline() function on EBCDIC systems. This could result + in arbitrary stack data being returned in the buffer. + (CVE-2016-2176, boo#978224) + * Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + * Remove LOW from the DEFAULT cipher list. This removes singles DES from the + default. + * Only remove the SSLv2 methods with the no-ssl2-method option. When the + methods are enabled and ssl2 is disabled the methods return NULL. 
+ +--- Old: openssl-1.0.2g.tar.gz openssl-1.0.2g.tar.gz.asc New: openssl-1.0.2h.tar.gz openssl-1.0.2h.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.RBup3R/_old 2016-05-08 10:38:52.0 +0200 +++ /var/tmp/diff_new_pack.RBup3R/_new 2016-05-08 10:38:52.0 +0200 @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.2g +Version:1.0.2h Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL ++ openssl-1.0.1e-add-suse-default-cipher.patch ++ --- /var/tmp/diff_new_pack.RBup3R/_old 2016-05-08 10:38:52.0 +0200 +++ /var/tmp/diff_new_pack.RBup3R/_new 2016-05-08 10:38:52.0 +0200 @@ -1,8 +1,8 @@ -Index: openssl-1.0.2a/ssl/ssl_ciph.c +Index: openssl-1.0.2h/ssl/ssl_ciph.c === openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-05-24 14:26:18.132243785 +0200 -+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-05-24 14:26:18.229245199 +0200 -@@ -1604,7 +1604,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +--- openssl-1.0.2h.orig/ssl/ssl_ciph.c 2016-05-03 16:36:50.482900040 +0200 openssl-1.0.2h/ssl/ssl_ciph.c 2016-05-03 16:36:51.951922883 +0200 +@@ -1608,7 +1608,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ */ ok = 1; rule_p = rule_str; @@ -18,21 +18,20 @@ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, , , ca_list); rule_p += 7; -Index: openssl-1.0.2a/ssl/ssl.h +Index: openssl-1.0.2h/ssl/ssl.h === openssl-1.0.2a.orig/ssl/ssl.h 2015-03-19 14:30:36.0 +0100 -+++ openssl-1.0.2a/ssl/ssl.h 2015-05-24 14:31:25.801726491 +0200 -@@ -338,7 +338,12 @@ extern "C" { +--- openssl-1.0.2h.orig/ssl/ssl.h 2016-05-03 16:36:51.951922883 +0200 openssl-1.0.2h/ssl/ssl.h 2016-05-03 16:41:00.024781841 +0200 +@@ -338,7 +338,11 @@ extern "C" { * The following cipher list is used by default. It also is substituted when * an
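Review bot: In the refreshed openssl-1.0.1e-add-suse-default-cipher.patch, the ssl.h hunk header changes from `-338,7 +338,12` to `-338,7 +338,11`, so the patch now adds one line fewer than before and this is not a pure rediff. The hunk touches the comment block that introduces the default cipher list, yet openssl.changes only records upstream's removal of LOW from DEFAULT and says nothing about a change to the SUSE-specific list. State in the changelog which line was dropped from the SUSE default cipher patch and why.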
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2016-04-22 16:17:16 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2016-03-05 11:21:19.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2016-04-22 16:17:18.0 +0200 @@ -1,0 +2,27 @@ +Fri Apr 15 16:55:05 UTC 2016 - dval...@suse.com + +- Remove a hack for bsc#936563 +- Drop bsc936563_hack.patch + +--- +Fri Apr 15 11:59:48 UTC 2016 - vci...@suse.com + +- import fips patches from SLE-12 + * openssl-fips-clearerror.patch + * openssl-fips-dont-fall-back-to-default-digest.patch + * openssl-fips-fix-odd-rsakeybits.patch + * openssl-fips-rsagen-d-bits.patch + * openssl-fips-selftests_in_nonfips_mode.patch + * openssl-fips_RSA_compute_d_with_lcm.patch + * openssl-fips_disallow_ENGINE_loading.patch + * openssl-fips_disallow_x931_rand_method.patch + * openssl-rsakeygen-minimum-distance.patch + * openssl-urandom-reseeding.patch + +--- +Tue Mar 8 12:50:28 UTC 2016 - vci...@suse.com + +- add support for "ciphers" providing no encryption (bsc#937085) + * don't build with -DSSL_FORBID_ENULL + +--- Old: bsc936563_hack.patch New: openssl-fips-clearerror.patch openssl-fips-dont-fall-back-to-default-digest.patch openssl-fips-fix-odd-rsakeybits.patch openssl-fips-rsagen-d-bits.patch openssl-fips-selftests_in_nonfips_mode.patch openssl-fips_RSA_compute_d_with_lcm.patch openssl-fips_disallow_ENGINE_loading.patch openssl-fips_disallow_x931_rand_method.patch openssl-rsakeygen-minimum-distance.patch openssl-urandom-reseeding.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.kAvHBL/_old 2016-04-22 16:17:20.0 +0200 +++ /var/tmp/diff_new_pack.kAvHBL/_new 2016-04-22 16:17:20.0 +0200 
@@ -73,7 +73,17 @@ Patch35:openssl-1.0.1e-add-suse-default-cipher.patch Patch37:openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Patch38:openssl-missing_FIPS_ec_group_new_by_curve_name.patch -Patch40:bsc936563_hack.patch +# FIPS patches from SLE-12 +Patch50:openssl-fips_disallow_x931_rand_method.patch +Patch51:openssl-fips_disallow_ENGINE_loading.patch +Patch52:openssl-fips_RSA_compute_d_with_lcm.patch +Patch53:openssl-rsakeygen-minimum-distance.patch +Patch54:openssl-urandom-reseeding.patch +Patch55:openssl-fips-rsagen-d-bits.patch +Patch56:openssl-fips-selftests_in_nonfips_mode.patch +Patch57:openssl-fips-fix-odd-rsakeybits.patch +Patch58:openssl-fips-clearerror.patch +Patch59:openssl-fips-dont-fall-back-to-default-digest.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -184,15 +194,21 @@ %patch35 -p1 %patch37 -p1 %patch38 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 +%patch53 -p1 +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 +%patch58 -p1 +%patch59 -p1 %if 0%{?suse_version} >= 1120 %patch3 %endif %patch8 -p1 %patch14 -p1 -#workaround https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66728 -%ifarch ppc64le -%patch40 -p1 -%endif cp -p %{S:10} . cp -p %{S:11} . echo "adding/overwriting some entries in the 'table' hash in Configure" @@ -264,7 +280,6 @@ -fno-common \ -DTERMIO \ -DPURIFY \ --DSSL_FORBID_ENULL \ -D_GNU_SOURCE \ -DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \ ++ openssl-fips-clearerror.patch ++ Index: openssl-1.0.2g/crypto/o_init.c === --- openssl-1.0.2g.orig/crypto/o_init.c 2016-04-14 10:54:05.763929573 +0200 +++ openssl-1.0.2g/crypto/o_init.c 2016-04-14 10:59:08.366168879 +0200 
@@ -91,6 +91,7 @@ static void init_fips_mode(void) NONFIPS_selftest_check(); /* drop down to non-FIPS mode if it is not requested */ FIPS_mode_set(0); +ERR_clear_error(); } else { /* abort if selftest failed */ FIPS_selftest_check(); ++ openssl-fips-dont-fall-back-to-default-digest.patch ++ Index: openssl-1.0.2g/apps/dgst.c === --- openssl-1.0.2g.orig/apps/dgst.c 2016-03-01 14:35:53.0 +0100 +++ openssl-1.0.2g/apps/dgst.c 2016-04-14 11:04:21.706558132 +0200 @@ -147,7 +147,7 @@ int MAIN(int argc, char **argv) /* first check the program name */ program_name(argv[0],
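Review bot: In the openssl.spec compiler-flags hunk, `-DSSL_FORBID_ENULL` is removed without any comment in the spec; according to the changelog this makes the "ciphers" that provide no encryption available (bsc#937085). Add a spec comment carrying the bug reference next to the flag list, and confirm that the SUSE default cipher list applied by Patch35 still excludes eNULL, so that these suites are only reachable when an application requests them explicitly. The ten new FIPS patches are also applied before `%patch3`, `%patch8` and `%patch14`; a short note on why that ordering is required would help the next refresh.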
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2016-03-05 11:21:18 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2015-12-13 09:36:20.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2016-03-05 11:21:19.0 +0100 
@@ -1,0 +2,55 @@ +Tue Mar 1 14:40:18 UTC 2016 - vci...@suse.com + +- update to 1.0.2g (bsc#968044) + * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. +Builds that are not configured with "enable-weak-ssl-ciphers" will not +provide any "EXPORT" or "LOW" strength ciphers. + * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 +is by default disabled at build-time. Builds that are not configured with +"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, +users who want to negotiate SSLv2 via the version-flexible SSLv23_method() +will need to explicitly call either of: +SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); +or +SSL_clear_options(ssl, SSL_OP_NO_SSLv2); +(CVE-2016-0800) + * Fix a double-free in DSA code + (CVE-2016-0705) + * Disable SRP fake user seed to address a server memory leak. + Add a new method SRP_VBASE_get1_by_user that handles the seed properly. + (CVE-2016-0798) + * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption + (CVE-2016-0797) + *) Side channel attack on modular exponentiation + http://cachebleed.info. + (CVE-2016-0702) + *) Change the req app to generate a 2048-bit RSA/DSA key by default, + if no keysize is specified with default_bits. This fixes an + omission in an earlier change that changed all RSA/DSA key generation + apps to use 2048 bits by default. + +--- +Thu Jan 28 15:10:38 UTC 2016 - vci...@suse.com + +- update to 1.0.2f (boo#963410) + *) DH small subgroups (boo#963413) + Historically OpenSSL only ever generated DH parameters based on "safe" + primes. More recently (in version 1.0.2) support was provided for + generating X9.42 style parameter files such as those required for RFC 5114 + support. The primes used in such files may not be "safe". Where an + application is using DH configured with parameters based on primes that are + not "safe" then an attacker could use this fact to find a peer's private + DH exponent. 
This attack requires that the attacker complete multiple + handshakes in which the peer uses the same private DH exponent. For example + this could be used to discover a TLS server's private DH exponent if it's + reusing the private DH exponent or it's using a static DH ciphersuite. + (CVE-2016-0701) + *) SSLv2 doesn't block disabled ciphers (boo#963415) + A malicious client can negotiate SSLv2 ciphers that have been disabled on + the server and complete SSLv2 handshakes even if all SSLv2 ciphers have + been disabled, provided that the SSLv2 protocol was not also disabled via + SSL_OP_NO_SSLv2. + (CVE-2015-3197) + *) Reject DH handshakes with parameters shorter than 1024 bits. + +--- Old: openssl-1.0.2e.tar.gz openssl-1.0.2e.tar.gz.asc New: openssl-1.0.2g.tar.gz openssl-1.0.2g.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.4dhzIu/_old 2016-03-05 11:21:21.0 +0100 +++ /var/tmp/diff_new_pack.4dhzIu/_new 2016-03-05 11:21:21.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssl # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.2e +Version:1.0.2g Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL ++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++ --- /var/tmp/diff_new_pack.4dhzIu/_old 2016-03-05 11:21:21.0 +0100 +++ /var/tmp/diff_new_pack.4dhzIu/_new 2016-03-05 11:21:21.0 +0100 @@ -4,10 +4,10 @@ Subject: [PATCH] Axe builtin printf implementation, use glibc instead -Index: openssl-1.0.2b/crypto/bio/b_print.c +Index: openssl-1.0.2g/crypto/bio/b_print.c ===
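Review bot: In the openssl.changes hunk, the 1.0.2g entry uses ` * ` for its first items and switches to ` *) ` from the cachebleed item onward, and the 1.0.2f entry uses ` *) ` throughout, while other entries in this file use ` * `. Pick one marker so the changelog parses and reads consistently. The 1.0.2g items for CVE-2016-0705, CVE-2016-0798, CVE-2016-0797 and CVE-2016-0702 also carry no individual bug references, unlike the 1.0.2f items (boo#963413, boo#963415); add them if they exist.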
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2015-12-13 09:36:18 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is "openssl" Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2015-07-12 22:51:56.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2015-12-13 09:36:20.0 +0100 @@ -1,0 +2,20 @@ +Fri Dec 4 23:06:18 UTC 2015 - vci...@suse.com + +- update to 1.0.2e + * fixes five security vulnerabilities + * Anon DH ServerKeyExchange with 0 p parameter +(CVE-2015-1794) (bsc#957984) + * BN_mod_exp may produce incorrect results on x86_64 +(CVE-2015-3193) (bsc#957814) + * Certificate verify crash with missing PSS parameter +(CVE-2015-3194) (bsc#957815) + * X509_ATTRIBUTE memory leak +(CVE-2015-3195) (bsc#957812) + * Race condition handling PSK identify hint +(CVE-2015-3196) (bsc#957813) +- pulled a refreshed fips patch from Fedora + * openssl-1.0.2a-fips.patch was replaced by +openssl-1.0.2e-fips.patch +- refresh openssl-ocloexec.patch + +--- Old: openssl-1.0.2a-fips.patch openssl-1.0.2d.tar.gz openssl-1.0.2d.tar.gz.asc New: openssl-1.0.2e-fips.patch openssl-1.0.2e.tar.gz openssl-1.0.2e.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.sHSPAw/_old 2015-12-13 09:36:22.0 +0100 +++ /var/tmp/diff_new_pack.sHSPAw/_new 2015-12-13 09:36:22.0 +0100 @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.2d +Version:1.0.2e Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL 
@@ -62,7 +62,7 @@ Patch13:openssl-1.0.2a-ipv6-apps.patch Patch14:0001-libcrypto-Hide-library-private-symbols.patch # FIPS patches: -Patch15:openssl-1.0.2a-fips.patch +Patch15:openssl-1.0.2e-fips.patch Patch16:openssl-1.0.2a-fips-ec.patch Patch17:openssl-1.0.2a-fips-ctor.patch Patch18:openssl-1.0.2a-new-fips-reqs.patch ++ openssl-1.0.2e-fips.patch ++ 13704 lines (skipped) ++ openssl-1.0.2d.tar.gz -> openssl-1.0.2e.tar.gz ++ 13069 lines of diff (skipped) ++ openssl-ocloexec.patch ++ --- /var/tmp/diff_new_pack.sHSPAw/_old 2015-12-13 09:36:25.0 +0100 +++ /var/tmp/diff_new_pack.sHSPAw/_new 2015-12-13 09:36:25.0 +0100 @@ -1,7 +1,7 @@ Index: crypto/bio/b_sock.c === crypto/bio/b_sock.c.orig 2015-05-29 11:54:57.219659682 +0200 -+++ crypto/bio/b_sock.c2015-05-29 11:56:47.059884761 +0200 +--- crypto/bio/b_sock.c.orig 2015-12-05 00:04:11.291027369 +0100 crypto/bio/b_sock.c2015-12-05 00:04:13.283055286 +0100 @@ -723,7 +723,7 @@ int BIO_get_accept_socket(char *host, in } @@ -31,8 +31,8 @@ sa.len.i = (int)sa.len.s; Index: crypto/bio/bss_conn.c === crypto/bio/bss_conn.c.orig 2015-05-29 11:54:57.219659682 +0200 -+++ crypto/bio/bss_conn.c 2015-05-29 11:57:45.668538446 +0200 +--- crypto/bio/bss_conn.c.orig 2015-12-05 00:04:11.291027369 +0100 crypto/bio/bss_conn.c 2015-12-05 00:04:13.283055286 +0100 @@ -195,7 +195,7 @@ static int conn_state(BIO *b, BIO_CONNEC c->them.sin_addr.s_addr = htonl(l); c->state = BIO_CONN_S_CREATE_SOCKET; @@ -44,9 +44,9 @@ ERR_add_error_data(4, "host=", c->param_hostname, Index: crypto/bio/bss_dgram.c === crypto/bio/bss_dgram.c.orig2015-05-29 11:54:57.221659705 +0200 -+++ crypto/bio/bss_dgram.c 2015-05-29 13:29:42.463696425 +0200 -@@ -1176,7 +1176,7 @@ static int dgram_sctp_read(BIO *b, char +--- crypto/bio/bss_dgram.c.orig2015-12-05 00:04:11.292027383 +0100 crypto/bio/bss_dgram.c 2015-12-05 00:04:13.284055300 +0100 +@@ -1177,7 +1177,7 @@ static int dgram_sctp_read(BIO *b, char msg.msg_control = cmsgbuf; msg.msg_controllen = 512; msg.msg_flags = 0; 
@@ -55,7 +55,7 @@ if (n <= 0) { if (n < 0) -@@ -1801,7 +1801,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) +@@ -1802,7 +1802,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) msg.msg_controllen = 0; msg.msg_flags = 0; @@ -64,7 +64,7 @@ if (n <= 0) { if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2015-07-12 22:51:54 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2015-06-08 08:25:59.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2015-07-12 22:51:56.0 +0200 
@@ -1,0 +2,63 @@ +Thu Jul 9 13:32:34 UTC 2015 - vci...@suse.com + +- update to 1.0.2d + * fixes CVE-2015-1793 (bsc#936746) + + Alternate chains certificate forgery + + During certificate verfification, OpenSSL will attempt to find an + alternative certificate chain if the first attempt to build such a chain + fails. An error in the implementation of this logic can mean that an + attacker could cause certain checks on untrusted certificates to be + bypassed, such as the CA flag, enabling them to use a valid leaf + certificate to act as a CA and issue an invalid certificate. +- drop openssl-fix_invalid_manpage_name.patch (upstream) + +--- +Thu Jul 2 14:46:36 UTC 2015 - dval...@suse.com + +- Workaround debugit crash on ppc64le with gcc5 + bsc936563_hack.patch (bsc#936563) + +--- +Wed Jul 1 09:26:26 UTC 2015 - norm...@linux.vnet.ibm.com + +- update merge_from_0.9.8k.patch replacing __LP64__ by __LP64 + this is a change versus previous request 309611 + required to avoid build error for ppc64 + +--- +Fri Jun 26 00:11:20 UTC 2015 - crrodrig...@opensuse.org + +- Build with no-ssl3, for details on why this is needed read + rfc7568. Contrary to the no-ssl2 option, this does not + require us to patch dependant packages as the relevant + functions are still available (SSLv3_(client|server)_method) + but will fail to negotiate. if removing SSL3 methods is desired + at a later time, option no-ssl3-method needs to be used. 
+ +--- +Fri Jun 12 21:22:45 UTC 2015 - vci...@suse.com + +- update to 1.0.2c + * Fix HMAC ABI incompatibility +- refreshed openssl-1.0.2a-fips.patch + +--- +Thu Jun 11 15:50:44 UTC 2015 - vci...@suse.com + +- update to 1.0.2b + * Malformed ECParameters causes infinite loop (CVE-2015-1788) + * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) + * PKCS7 crash with missing EnvelopedContent (CVE-2015-1790) + * CMS verify infinite loop with unknown hash function (CVE-2015-1792) + * Race condition handling NewSessionTicket (CVE-2015-1791) +- refreshed patches: + * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + * 0001-libcrypto-Hide-library-private-symbols.patch + * openssl-1.0.2a-default-paths.patch + * openssl-1.0.2a-fips.patch + * compression_methods_switch.patch + * openssl-1.0.1e-add-test-suse-default-cipher-suite.patch + +--- Old: openssl-1.0.2a.tar.gz openssl-1.0.2a.tar.gz.asc openssl-fix_invalid_manpage_name.patch New: bsc936563_hack.patch openssl-1.0.2d.tar.gz openssl-1.0.2d.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.KRnmBc/_old 2015-07-12 22:51:59.0 +0200 +++ /var/tmp/diff_new_pack.KRnmBc/_new 2015-07-12 22:51:59.0 +0200 @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.2a +Version:1.0.2d Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL @@ -73,7 +73,7 @@ Patch35:openssl-1.0.1e-add-suse-default-cipher.patch Patch37:openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Patch38:openssl-missing_FIPS_ec_group_new_by_curve_name.patch -Patch39:openssl-fix_invalid_manpage_name.patch +Patch40:bsc936563_hack.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -184,12 +184,15 @@ %patch35 -p1 %patch37 -p1 %patch38 -p1 -%patch39 -p1 %if 0%{?suse_version} = 1120 %patch3 %endif %patch8 -p1 %patch14 -p1 +#workaround https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66728 +%ifarch ppc64le +%patch40 -p1 +%endif cp -p %{S:10} . cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure @@ -241,6 +244,7 @@ fips \ %if 0%{suse_version} 1310 no-ssl2 \ +no-ssl3 \ enable-rfc3779 \ %endif %ifarch x86_64 aarch64 ppc64le ++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
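Review bot: In the openssl.spec configure-options hunk, `no-ssl3 \` is added inside the existing `suse_version` conditional next to `no-ssl2 \`, so it only takes effect on the targets that conditional selects, while the changelog entry says "Build with no-ssl3" without qualification. Either move the option out of the conditional or state in the changelog which targets still build with SSLv3 negotiation enabled. The `%ifarch ppc64le` block for `%patch40` cites the GCC bug URL; adding bsc#936563 beside it would make the workaround easier to find when it can be dropped.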
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2015-03-23 12:16:06 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2015-02-06 10:50:58.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2015-03-23 12:16:07.0 +0100 @@ -1,0 +2,24 @@ +Thu Mar 19 14:26:01 UTC 2015 - vci...@suse.com + +- security update: + * CVE-2015-0209 (bnc#919648) + - Fix a failure to NULL a pointer freed on error + * CVE-2015-0286 (bnc#922496) + - Segmentation fault in ASN1_TYPE_cmp + * CVE-2015-0287 (bnc#922499) + - ASN.1 structure reuse memory corruption + * CVE-2015-0288 x509: (bnc#920236) + - added missing public key is not NULL check + * CVE-2015-0289 (bnc#922500) + - PKCS7 NULL pointer dereferences + * CVE-2015-0293 (bnc#922488) + - Fix reachable assert in SSLv2 servers + * added patches: + openssl-CVE-2015-0209.patch + openssl-CVE-2015-0286.patch + openssl-CVE-2015-0287.patch + openssl-CVE-2015-0288.patch + openssl-CVE-2015-0289.patch + openssl-CVE-2015-0293.patch + +--- New: openssl-CVE-2015-0209.patch openssl-CVE-2015-0286.patch openssl-CVE-2015-0287.patch openssl-CVE-2015-0288.patch openssl-CVE-2015-0289.patch openssl-CVE-2015-0293.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.1qYb6Y/_old 2015-03-23 12:16:08.0 +0100 +++ /var/tmp/diff_new_pack.1qYb6Y/_new 2015-03-23 12:16:08.0 +0100 @@ -75,6 +75,12 @@ Patch35:openssl-1.0.1e-add-suse-default-cipher.patch Patch36:openssl-1.0.1e-add-suse-default-cipher-header.patch Patch37:openssl-1.0.1e-add-test-suse-default-cipher-suite.patch +Patch52:openssl-CVE-2015-0209.patch +Patch53:openssl-CVE-2015-0286.patch +Patch54:openssl-CVE-2015-0287.patch +Patch55:openssl-CVE-2015-0288.patch +Patch56:openssl-CVE-2015-0289.patch +Patch57:openssl-CVE-2015-0293.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -191,6 +197,12 @@ %patch35 -p1 %patch36 -p1 %patch37 -p1 +%patch52 -p1 +%patch53 -p1 +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 cp -p %{S:10} . cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure ++ openssl-CVE-2015-0209.patch ++ commit 89117535f1bb3ea72a17933b703271587d7aaf0b Author: Matt Caswell m...@openssl.org Date: Mon Feb 9 11:38:41 2015 + Fix a failure to NULL a pointer freed on error. Inspired by BoringSSL commit 517073cd4b by Eric Roman ero...@chromium.org CVE-2015-0209 Reviewed-by: Emilia Käsper emi...@openssl.org Index: openssl-1.0.1k/crypto/ec/ec_asn1.c === --- openssl-1.0.1k.orig/crypto/ec/ec_asn1.c 2015-03-19 15:58:22.021039425 +0100 +++ openssl-1.0.1k/crypto/ec/ec_asn1.c 2015-03-19 15:58:26.431103852 +0100 @@ -1142,8 +1142,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con ERR_R_MALLOC_FAILURE); goto err; } - if (a) - *a = ret; } else ret = *a; @@ -1225,11 +1223,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con ret-enc_flag |= EC_PKEY_NO_PUBKEY; } + if (a) + *a = ret; ok = 1; err: if (!ok) { - if (ret) + if (ret (a == NULL || *a != ret)) EC_KEY_free(ret); ret = NULL; } ++ openssl-CVE-2015-0286.patch ++ commit ee5a1253285e5c9f406c8b57b0686319b70c07d8 Author: Dr. Stephen Henson st...@openssl.org Date: Mon Mar 9 23:11:45 2015 + Fix ASN1_TYPE_cmp Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. CVE-2015-0286 Reviewed-by: Richard Levitte levi...@openssl.org Index: openssl-1.0.1i/crypto/asn1/a_type.c === --- openssl-1.0.1i.orig/crypto/asn1/a_type.c2015-03-17 14:15:18.832332902 +0100 +++ openssl-1.0.1i/crypto/asn1/a_type.c 2015-03-17 14:15:19.738346161 +0100 @@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co case V_ASN1_OBJECT: result = OBJ_cmp(a-value.object,
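Review bot: openssl-CVE-2015-0209.patch is indexed against openssl-1.0.1k (`Index: openssl-1.0.1k/crypto/ec/ec_asn1.c`) while openssl-CVE-2015-0286.patch is indexed against openssl-1.0.1i (`Index: openssl-1.0.1i/crypto/asn1/a_type.c`), so the six security patches were not all diffed against the packaged source. Rediff them against one tree so they apply without offsets or fuzz, which matters for fixes that move a single assignment as the ec_asn1.c hunks do. In openssl.spec, the patch numbers jump from Patch37 to Patch52 with no comment; a `# security fixes` line above Patch52 would mark the group.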
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2015-02-06 10:50:56 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2015-01-20 21:53:47.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2015-02-06 10:50:58.0 +0100 @@ -1,0 +2,6 @@ +Wed Feb 4 08:08:27 UTC 2015 - meiss...@suse.com + +- The DATE stamp moved from crypto/Makefile to crypto/buildinf.h, + replace it there (bsc#915947) + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.hOF1LW/_old 2015-02-06 10:51:00.0 +0100 +++ /var/tmp/diff_new_pack.hOF1LW/_new 2015-02-06 10:51:00.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssl # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -223,9 +223,6 @@ EOF_ED # fix ENGINESDIR path sed -i 's,/lib/engines,/%_lib/engines,' Configure -# Record mtime of changes file instead of build time -CHANGES=`stat --format=%y %SOURCE1` -sed -i -e s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES| crypto/Makefile %build @@ -296,6 +293,14 @@ linux64-sparcv9 \ %endif $config_flags + + # Record mtime of changes file instead of build time to make build-compare work + make PERL=perl -C crypto buildinf.h + CHANGES=`stat --format=%y %SOURCE1` + cat crypto/buildinf.h + sed -i -e s|#define DATE .*|#define DATE \built on: $CHANGES\| crypto/buildinf.h + cat crypto/buildinf.h + make depend make LD_LIBRARY_PATH=`pwd` make rehash -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
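Review bot: In the openssl.spec `%build` hunk, the two `cat crypto/buildinf.h` lines before and after the `sed` look like debugging output left in the build. Drop them, or replace the second with a check that fails the build when the `#define DATE` line was not rewritten, since a silent miss brings back the build-time stamp that bsc#915947 is meant to remove. `stat --format=%y` also prints the mtime with the build host's local UTC offset, so the recorded string depends on the host time zone; a UTC-formatted timestamp would be more stable for build-compare.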
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2015-01-20 21:53:46 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-12-17 19:17:04.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2015-01-20 21:53:47.0 +0100 @@ -1,0 +2,24 @@ +Fri Jan 9 10:03:37 UTC 2015 - meiss...@suse.com + +- openssl 1.0.1k release + bsc#912294 CVE-2014-3571: Fix DTLS segmentation fault in dtls1_get_record. + bsc#912292 CVE-2015-0206: Fix DTLS memory leak in dtls1_buffer_record. + bsc#911399 CVE-2014-3569: Fix issue where no-ssl3 configuration sets method to NULL. + bsc#912015 CVE-2014-3572: Abort handshake if server key exchange +message is omitted for ephemeral ECDH ciphersuites. + bsc#912014 CVE-2015-0204: Remove non-export ephemeral RSA code on client and server. + bsc#912293 CVE-2015-0205: Fixed issue where DH client certificates are accepted without verification. + bsc#912018 CVE-2014-8275: Fix various certificate fingerprint issues. + bsc#912296 CVE-2014-3570: Correct Bignum squaring. + and other bugfixes. +- openssl.keyring: use Matt Caswells current key. + pub 2048R/0E604491 2013-04-30 + uidMatt Caswell fr...@baggins.org + uidMatt Caswell m...@openssl.org + sub 2048R/E3C21B70 2013-04-30 + +- openssl-1.0.1e-fips.patch: rediffed +- openssl-1.0.1i-noec2m-fix.patch: removed (upstream) +- openssl-ocloexec.patch: rediffed + +--- Old: openssl-1.0.1i-noec2m-fix.patch openssl-1.0.1j.tar.gz openssl-1.0.1j.tar.gz.asc New: openssl-1.0.1k.tar.gz openssl-1.0.1k.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.8uO0Vp/_old 2015-01-20 21:53:49.0 +0100 +++ /var/tmp/diff_new_pack.8uO0Vp/_new 2015-01-20 21:53:49.0 +0100 
@@ -1,7 +1,7 @@ # # spec file for package openssl # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.1j +Version:1.0.1k Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL @@ -38,7 +38,8 @@ Source: https://www.%{name}.org/source/%{name}-%{version}.tar.gz Source42: https://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc # https://www.openssl.org/about/ -Source43: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xA2D29B7BF295C759#/%name.keyring +# http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xA2D29B7BF295C759#/%name.keyring +Source43: %name.keyring # to get mtime of file: Source1:openssl.changes Source2:baselibs.conf @@ -74,7 +75,6 @@ Patch35:openssl-1.0.1e-add-suse-default-cipher.patch Patch36:openssl-1.0.1e-add-suse-default-cipher-header.patch Patch37:openssl-1.0.1e-add-test-suse-default-cipher-suite.patch -Patch38:openssl-1.0.1i-noec2m-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -191,7 +191,6 @@ %patch35 -p1 %patch36 -p1 %patch37 -p1 -%patch38 -p1 cp -p %{S:10} . cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure ++ VIA_padlock_support_on_64systems.patch ++ --- /var/tmp/diff_new_pack.8uO0Vp/_old 2015-01-20 21:53:49.0 +0100 +++ /var/tmp/diff_new_pack.8uO0Vp/_new 2015-01-20 21:53:49.0 +0100 @@ -1,7 +1,7 @@ -Index: openssl-1.0.1c/engines/e_padlock.c +Index: openssl-1.0.1k/engines/e_padlock.c === openssl-1.0.1c.orig/engines/e_padlock.c -+++ openssl-1.0.1c/engines/e_padlock.c +--- openssl-1.0.1k.orig/engines/e_padlock.c openssl-1.0.1k/engines/e_padlock.c @@ -101,7 +101,10 @@ compiler choice is limited to GCC and Microsoft C. */ #undef COMPILE_HW_PADLOCK 
@@ -22,29 +22,7 @@ /* * As for excessive push %ebx/pop %ebx found all over. * When generating position-independent code GCC won't let -@@ -383,21 +387,6 @@ padlock_available(void) - return padlock_use_ace + padlock_use_rng; - } - --#ifndef OPENSSL_NO_AES --/* Our own htonl()/ntohl() */ --static inline void --padlock_bswapl(AES_KEY *ks) --{ -- size_t i =
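Review bot: in the `openssl.spec` hunk `@@ -38,7 +38,8 @@`, `Source43` becomes a local `%name.keyring` whose only record of origin is a commented-out plain `http://` keyserver URL, while the changelog identifies the new signing key only by the short ID `0E604491`. Short key IDs can collide, so record the full fingerprint of the key in the changelog or in a comment above `Source43`, and say how the keyring was obtained, so a later reviewer can confirm that `openssl-1.0.1k.tar.gz.asc` is verified against the intended key.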
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-12-17 19:18:04 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-08-25 11:03:36.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-12-17 19:17:04.0 +0100 @@ -1,0 +2,25 @@ +Tue Nov 18 09:42:50 UTC 2014 - br...@aljex.com + +- suse_version 10.1 10.2 x86_64 can not enable-ec_nistp_64_gcc_128 + +--- +Mon Nov 17 12:34:12 UTC 2014 - meiss...@suse.com + +- openssl-1.0.1i-noec2m-fix.patch: only report the Elliptic Curves + we actually support (not the binary ones) (bnc#905037) + +--- +Fri Nov 7 22:09:27 UTC 2014 - br...@aljex.com + +- openSUSE 11.2 doesn't have accept4() + +--- +Tue Oct 21 19:58:31 UTC 2014 - crrodrig...@opensuse.org + +- openSSL 1.0.1j +* Fix SRTP Memory Leak (CVE-2014-3513) +* Session Ticket Memory Leak (CVE-2014-3567) +* Add SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) +* Build option no-ssl3 is incomplete (CVE-2014-3568) + +--- Old: openssl-1.0.1i.tar.gz openssl-1.0.1i.tar.gz.asc New: openssl-1.0.1i-noec2m-fix.patch openssl-1.0.1j.tar.gz openssl-1.0.1j.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.p3p8Ac/_old 2014-12-17 19:17:06.0 +0100 +++ /var/tmp/diff_new_pack.p3p8Ac/_new 2014-12-17 19:17:06.0 +0100 @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.1i +Version:1.0.1j Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL @@ -47,7 +47,9 @@ Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff Patch2: bug610223.patch +%if 0%{?suse_version} = 1120 Patch3: openssl-ocloexec.patch +%endif Patch4: VIA_padlock_support_on_64systems.patch # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 Patch5: openssl-fix-pod-syntax.diff 
@@ -72,6 +74,7 @@ Patch35:openssl-1.0.1e-add-suse-default-cipher.patch Patch36:openssl-1.0.1e-add-suse-default-cipher-header.patch Patch37:openssl-1.0.1e-add-test-suse-default-cipher-suite.patch +Patch38:openssl-1.0.1i-noec2m-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -164,7 +167,9 @@ %patch0 -p1 %patch1 -p1 %patch2 -p1 +%if 0%{?suse_version} = 1120 %patch3 +%endif %patch4 -p1 %patch5 -p1 %patch6 -p1 @@ -186,6 +191,7 @@ %patch35 -p1 %patch36 -p1 %patch37 -p1 +%patch38 -p1 cp -p %{S:10} . cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure @@ -243,8 +249,10 @@ enable-rfc3779 \ %endif %ifarch x86_64 aarch64 ppc64le +%if 0%{?suse_version} 1010 || 0%{?suse_version} 1020 enable-ec_nistp_64_gcc_128 \ %endif +%endif enable-camellia \ zlib \ no-ec2m \ ++ 0001-libcrypto-Hide-library-private-symbols.patch ++ 715 lines (skipped) between /work/SRC/openSUSE:Factory/openssl/0001-libcrypto-Hide-library-private-symbols.patch and /work/SRC/openSUSE:Factory/.openssl.new/0001-libcrypto-Hide-library-private-symbols.patch ++ openssl-1.0.1e-fips-ec.patch ++ --- /var/tmp/diff_new_pack.p3p8Ac/_old 2014-12-17 19:17:06.0 +0100 +++ /var/tmp/diff_new_pack.p3p8Ac/_new 2014-12-17 19:17:06.0 +0100 @@ -1,7 +1,5 @@ -Index: openssl-1.0.1g/crypto/ecdh/ecdh.h -=== openssl-1.0.1g.orig/crypto/ecdh/ecdh.h -+++ openssl-1.0.1g/crypto/ecdh/ecdh.h +--- openssl-1.0.1j.orig/crypto/ecdh/ecdh.h openssl-1.0.1j/crypto/ecdh/ecdh.h @@ -85,6 +85,8 @@ extern C { #endif @@ -11,10 +9,8 @@ const ECDH_METHOD *ECDH_OpenSSL(void); voidECDH_set_default_method(const ECDH_METHOD *); -Index: openssl-1.0.1g/crypto/ecdh/ecdhtest.c -=== openssl-1.0.1g.orig/crypto/ecdh/ecdhtest.c -+++ openssl-1.0.1g/crypto/ecdh/ecdhtest.c +--- openssl-1.0.1j.orig/crypto/ecdh/ecdhtest.c openssl-1.0.1j/crypto/ecdh/ecdhtest.c @@ -323,11 +323,15 @@ int main(int argc, char *argv[]) if ((ctx=BN_CTX_new()) == NULL) goto err; 
@@ -31,10 +27,8 @@ #ifndef OPENSSL_NO_EC2M /* NIST BINARY CURVES TESTS */ if (!test_ecdh_curve(NID_sect163k1,
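Review bot: in `openssl.spec` the `%if 0%{?suse_version} = 1120` guard is placed around the `Patch3:` tag itself (`@@ -47,7 +47,9 @@`) as well as around `%patch3`. A conditional `PatchN:` tag means a source RPM built where the condition is false does not carry `openssl-ocloexec.patch`; keep the tag unconditional and guard only the `%patch3` line. As rendered, the comparison also reads `= 1120`, which would apply the patch only on 11.2, the release the changelog says lacks `accept4()`, and the `enable-ec_nistp_64_gcc_128` guard (`0%{?suse_version} 1010 || 0%{?suse_version} 1020`) shows no operator at all, so check both conditions against the intended version ranges.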
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-08-25 11:03:07 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-07-27 08:25:53.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-08-25 11:03:36.0 +0200 
@@ -1,0 +2,63 @@ +Thu Aug 21 15:05:43 UTC 2014 - meiss...@suse.com + +- openssl.keyring: the 1.0.1i release was done by + Matt Caswell m...@openssl.org UK 0E604491 + +--- +Thu Aug 14 10:27:07 UTC 2014 - vci...@suse.com + +- rename README.SuSE (old spelling) to README.SUSE (bnc#889013) + +--- +Wed Aug 13 17:43:21 UTC 2014 - vci...@suse.com + +- update to 1.0.1i + * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the +SRP code can be overrun an internal buffer. Add sanity check that +g, A, B N to SRP code. +(CVE-2014-3512) + * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate +TLS 1.0 instead of higher protocol versions when the ClientHello message +is badly fragmented. This allows a man-in-the-middle attacker to force a +downgrade to TLS 1.0 even if both the server and the client support a +higher protocol version, by modifying the client's TLS records. +(CVE-2014-3511) + * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject +to a denial of service attack. A malicious server can crash the client +with a null pointer dereference (read) by specifying an anonymous (EC)DH +ciphersuite and sending carefully crafted handshake messages. +(CVE-2014-3510) + * By sending carefully crafted DTLS packets an attacker could cause openssl +to leak memory. This can be exploited through a Denial of Service attack. +(CVE-2014-3507) + * An attacker can force openssl to consume large amounts of memory whilst +processing DTLS handshake messages. This can be exploited through a +Denial of Service attack. +(CVE-2014-3506) + * An attacker can force an error condition which causes openssl to crash +whilst processing DTLS packets due to memory being freed twice. This +can be exploited through a Denial of Service attack. +(CVE-2014-3505) + * If a multithreaded client connects to a malicious server using a resumed +session and the server sends an ec point format extension it could write +up to 255 bytes to freed memory. 
+(CVE-2014-3509) + * A malicious server can crash an OpenSSL client with a null pointer +dereference (read) by specifying an SRP ciphersuite even though it was not +properly negotiated with the client. This can be exploited through a +Denial of Service attack. +(CVE-2014-5139) + * A flaw in OBJ_obj2txt may cause pretty printing functions such as +X509_name_oneline, X509_name_print_ex et al. to leak some information +from the stack. Applications may be affected if they echo pretty printing +output to the attacker. +(CVE-2014-3508) + * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) +for corner cases. (Certain input points at infinity could lead to +bogus results, with non-infinity inputs mapped to infinity too.) +- refreshed patches: + * openssl-1.0.1e-new-fips-reqs.patch + * 0005-libssl-Hide-library-private-symbols.patch +(thanks to Marcus Meissner) + +--- Old: README.SuSE openssl-1.0.1h.tar.gz openssl-1.0.1h.tar.gz.asc New: README.SUSE openssl-1.0.1i.tar.gz openssl-1.0.1i.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.enj1Ob/_old 2014-08-25 11:03:37.0 +0200 +++ /var/tmp/diff_new_pack.enj1Ob/_new 2014-08-25 11:03:37.0 +0200 @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.1h +Version:1.0.1i Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL @@ -42,7 +42,7 @@ # to get mtime of file: Source1:openssl.changes Source2:baselibs.conf -Source10: README.SuSE +Source10: README.SUSE Source11: README-FIPS.txt Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff @@ -467,7 +467,7 @@ %files -f filelist %defattr(-, root, root) %doc CHANGE* INSTAL* AVAILABLE_CIPHERS -%doc LICENSE NEWS README README.SuSE README-FIPS.txt +%doc LICENSE NEWS README README.SUSE
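Review bot: the 1.0.1i changelog entry lists nine CVEs with no bug numbers, whereas the README rename in the same hunk cites bnc#889013; add the tracking bug for each CVE (or one for the whole update) so the fixes can be traced. The CVE-2014-3512 text also reads `Add sanity check that g, A, B N to SRP code`, where the relation being checked has gone missing; restore it.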
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-07-27 08:25:44 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-06-25 15:24:32.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-07-27 08:25:53.0 +0200 @@ -1,0 +2,7 @@ +Mon Jul 21 10:49:35 UTC 2014 - jeng...@inai.de + +- Move manpages around: *.1ssl should be in openssl + (e.g. ciphers(1ssl) is also referenced by openssl(1)), + and *.3ssl should be in openssl-doc. + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.0m6JVV/_old 2014-07-27 08:25:54.0 +0200 +++ /var/tmp/diff_new_pack.0m6JVV/_new 2014-07-27 08:25:54.0 +0200 @@ -336,8 +336,8 @@ else mv $i ${i}ssl fi - case `basename ${i%.*}` in - asn1parse|ca|config|crl|crl2pkcs7|crypto|dgst|dhparam|dsa|dsaparam|enc|gendsa|genrsa|nseq|openssl|passwd|pkcs12|pkcs7|pkcs8|rand|req|rsa|rsautl|s_client|s_server|smime|spkac|ssl|verify|version|x509) + case $i in + *.1) # these are the pages mentioned in openssl(1). They go into the main package. echo %doc %{_mandir}/${i}ssl.gz $OLDPWD/filelist;; *) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
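Review bot: in the `@@ -336,8 +336,8 @@` hunk the explicit page list is replaced by `case $i in *.1)`, but the unchanged comment below it still says `these are the pages mentioned in openssl(1)`, which no longer describes the selection; reword it to say that every section 1 page goes into the main package. The pattern also only works because `$i` still holds the name from before `mv $i ${i}ssl`, and a short comment saying so would keep someone from later matching on `*.1ssl` or reordering the rename.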
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-06-25 15:24:16 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-06-18 07:47:43.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-06-25 15:24:32.0 +0200 @@ -1,0 +2,5 @@ +Tue Jun 24 08:22:24 UTC 2014 - meiss...@suse.com + +- recommend: ca-certificates-mozilla instead of openssl-certs + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.8LGSDw/_old 2014-06-25 15:24:33.0 +0200 +++ /var/tmp/diff_new_pack.8LGSDw/_new 2014-06-25 15:24:33.0 +0200 @@ -95,7 +95,7 @@ Summary:Secure Sockets and Transport Layer Security License:OpenSSL Group: Productivity/Networking/Security -Recommends: openssl-certs +Recommends: ca-certificates-mozilla # bug437293 %ifarch ppc64 Obsoletes: openssl-64bit -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
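Review bot: the changelog entry for the `Recommends:` switch from `openssl-certs` to `ca-certificates-mozilla` gives no reason and no bug reference. Since `Recommends` is only a soft dependency, say whether `openssl-certs` still exists or is provided by the new package, so it is clear that upgraded and minimal installs still end up with a trust store for certificate verification.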
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-06-18 07:47:41 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-05-14 10:26:09.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-06-18 07:47:43.0 +0200 
@@ -1,0 +2,40 @@ +Thu Jun 5 14:37:19 UTC 2014 - meiss...@suse.com + +- updated openssl to 1.0.1h (bnc#880891): + - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted +handshake can force the use of weak keying material in OpenSSL +SSL/TLS clients and servers. + - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an +OpenSSL DTLS client the code can be made to recurse eventually crashing +in a DoS attack. + - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer +overrun attack can be triggered by sending invalid DTLS fragments to +an OpenSSL DTLS client or server. This is potentially exploitable to +run arbitrary code on a vulnerable client or server. + - CVE-2014-3470: Fix bug in TLS code where clients enable anonymous +ECDH ciphersuites are subject to a denial of service attack. +- openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream +- CVE-2014-0198.patch: removed, upstream +- 0009-Fix-double-frees.patch: removed, upstream +- 0012-Fix-eckey_priv_encode.patch: removed, upstream +- 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream +- 0018-fix-coverity-issues-966593-966596.patch: removed, upstream +- 0020-Initialize-num-properly.patch: removed, upstream +- 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream +- 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream +- 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream +- 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream + +- 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase +- openssl-1.0.1c-ipv6-apps.patch: refreshed +- openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed + +--- +Wed May 21 12:19:53 UTC 2014 - vpere...@novell.com + +- Added new SUSE default cipher suite + openssl-1.0.1e-add-suse-default-cipher.patch + openssl-1.0.1e-add-suse-default-cipher-header.patch + 
openssl-1.0.1e-add-test-suse-default-cipher-suite.patch + +--- Old: 0009-Fix-double-frees.patch 0012-Fix-eckey_priv_encode.patch 0017-Double-free-in-i2o_ECPublicKey.patch 0018-fix-coverity-issues-966593-966596.patch 0020-Initialize-num-properly.patch 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch 0023-evp-prevent-underflow-in-base64-decoding.patch 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch CVE-2014-0198.patch openssl-1.0.1g.tar.gz openssl-1.0.1g.tar.gz.asc openssl-buffreelistbug-aka-CVE-2010-5298.patch New: openssl-1.0.1e-add-suse-default-cipher-header.patch openssl-1.0.1e-add-suse-default-cipher.patch openssl-1.0.1e-add-test-suse-default-cipher-suite.patch openssl-1.0.1h.tar.gz openssl-1.0.1h.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.Ma4WJG/_old 2014-06-18 07:47:45.0 +0200 +++ /var/tmp/diff_new_pack.Ma4WJG/_new 2014-06-18 07:47:45.0 +0200 @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.1g +Version:1.0.1h Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL @@ -65,21 +65,14 @@ Patch17:openssl-1.0.1e-fips-ctor.patch Patch18:openssl-1.0.1e-new-fips-reqs.patch Patch19:openssl-gcc-attributes.patch -Patch20:openssl-buffreelistbug-aka-CVE-2010-5298.patch Patch21:openssl-libssl-noweakciphers.patch -Patch22:CVE-2014-0198.patch -Patch23:0009-Fix-double-frees.patch -Patch24:0012-Fix-eckey_priv_encode.patch -Patch25:0017-Double-free-in-i2o_ECPublicKey.patch Patch26:0001-Axe-builtin-printf-implementation-use-glibc-instead.patch -Patch27:0018-fix-coverity-issues-966593-966596.patch -Patch28:0020-Initialize-num-properly.patch -Patch29:0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch -Patch30:0023-evp-prevent-underflow-in-base64-decoding.patch -Patch31:
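Review bot: the changelog line `0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase` records that a test was switched off but not why, and it does so inside a patch whose name is about symbol visibility. State the reason in the changelog and either move the change into its own patch or note how the heartbeat code remains covered, since this update also drops eleven patches as merged upstream and relies on the test suite to confirm nothing regressed.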
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-05-14 10:26:07 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-05-09 06:57:36.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-05-14 10:26:09.0 +0200 
@@ -1,0 +2,25 @@ +Fri May 9 04:42:46 UTC 2014 - crrodrig...@opensuse.org + +- Add upstream patches fixing coverity scan issues: +* 0018-fix-coverity-issues-966593-966596.patch +* 0020-Initialize-num-properly.patch +* 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch +* 0023-evp-prevent-underflow-in-base64-decoding.patch +* 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch +* 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch + +- Update 0001-libcrypto-Hide-library-private-symbols.patch + to cover more private symbols, now 98% complete and probably + not much more can be done to fix the rest of the ill-defined API. + +- openssl-fips-hidden.patch new, hides private symbols added by the + FIPS patches. + +- openssl-no-egd.patch disable the EGD (entropy gathering daemon) + interface, we have no EGD in the distro and obtaining entropy from + a place other than /dev/*random, the hardware rng or the openSSL + internal PRNG is an extremely bad dangerous idea. + +- use secure_getenv instead of getenv everywhere. + +--- New: 0018-fix-coverity-issues-966593-966596.patch 0020-Initialize-num-properly.patch 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch 0023-evp-prevent-underflow-in-base64-decoding.patch 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch openssl-fips-hidden.patch openssl-no-egd.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.9ImmWn/_old 2014-05-14 10:26:11.0 +0200 +++ /var/tmp/diff_new_pack.9ImmWn/_new 2014-05-14 10:26:11.0 +0200 
@@ -72,6 +72,14 @@ Patch24:0012-Fix-eckey_priv_encode.patch Patch25:0017-Double-free-in-i2o_ECPublicKey.patch Patch26:0001-Axe-builtin-printf-implementation-use-glibc-instead.patch +Patch27:0018-fix-coverity-issues-966593-966596.patch +Patch28:0020-Initialize-num-properly.patch +Patch29:0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch +Patch30:0023-evp-prevent-underflow-in-base64-decoding.patch +Patch31:0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch +Patch32:0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch +Patch33:openssl-no-egd.patch +Patch34:openssl-fips-hidden.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -185,6 +193,14 @@ %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 cp -p %{S:10} . cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure @@ -222,6 +238,11 @@ sed -i -e s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES| crypto/Makefile %build + +%if 0%{suse_version} = 1230 +find -type f -name *.c -exec sed -i -e s@getenv@secure_getenv@g {} + +%endif + %ifarch armv5el armv5tel export MACHINE=armv5el %endif @@ -236,7 +257,7 @@ no-ssl2 \ enable-rfc3779 \ %endif -%ifarch x86_64 +%ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \ ++ 0001-libcrypto-Hide-library-private-symbols.patch ++ --- /var/tmp/diff_new_pack.9ImmWn/_old 2014-05-14 10:26:11.0 +0200 +++ /var/tmp/diff_new_pack.9ImmWn/_new 2014-05-14 10:26:11.0 +0200 @@ -37,8 +37,6 @@ crypto/x509v3/pcy_int.h | 3 +++ 31 files changed, 85 insertions(+), 17 deletions(-) -Index: openssl-1.0.1g/apps/Makefile -=== --- openssl-1.0.1g.orig/apps/Makefile +++ openssl-1.0.1g/apps/Makefile @@ -20,7 +20,7 @@ EXE_EXT= 
@@ -50,8 +48,6 @@ GENERAL=Makefile makeapps.com install.com -Index: openssl-1.0.1g/crypto/asn1/asn1_locl.h -=== --- openssl-1.0.1g.orig/crypto/asn1/asn1_locl.h +++ openssl-1.0.1g/crypto/asn1/asn1_locl.h @@ -58,6 +58,8 @@ @@ -69,8 +65,6 @@ }; + +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/bn/bn_lcl.h -=== --- openssl-1.0.1g.orig/crypto/bn/bn_lcl.h +++
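Review bot: in the `%build` hunk (`@@ -222,6 +238,11 @@`), `sed -i -e s@getenv@secure_getenv@g` rewrites every occurrence of the substring `getenv` in every `.c` file, so an existing `secure_getenv` would become `secure_secure_getenv` and any identifier or string that merely contains `getenv` changes too. Anchor the match on word boundaries, or carry the change as a reviewed patch so the affected call sites are visible. The edit also belongs in `%prep` with the other source changes, and `0%{suse_version}` should be `0%{?suse_version}` so the condition still parses when the macro is undefined.

Review bot: the `@@ -236,7 +257,7 @@` hunk extends `enable-ec_nistp_64_gcc_128` from `x86_64` to `aarch64 ppc64le`, but none of the changelog entries in this commit mention it; add a line for it.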
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-04-26 17:01:45 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-04-18 11:07:27.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-04-26 17:01:46.0 +0200 
@@ -1,0 +2,47 @@ +Sun Apr 20 00:53:34 UTC 2014 - crrodrig...@opensuse.org + +- Build everything with full RELRO (-Wl,-z,relro,-z,now) +- Remove -fstack-protector from the hardcoded build options + it is already in RPM_OPT_FLAGS and is replaced by + -fstack-protector-strong with gcc 4.9 + +--- +Sun Apr 20 00:49:25 UTC 2014 - crrodrig...@opensuse.org + +- Remove the gmp and capi shared engines, nobody noticed + but they are just dummies that do nothing. + +--- +Sat Apr 19 22:29:10 UTC 2014 - crrodrig...@opensuse.org + +- Use enable-rfc3779 to allow projects such as rpki.net + to work in openSUSE and match the functionality + available in Debian/Fedora/etc + +--- +Sat Apr 19 22:22:01 UTC 2014 - crrodrig...@opensuse.org + +- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix + CVE-2010-5298 and disable the internal BUF_FREELISTS + functionality. it hides bugs like heartbleed and is + there only for systems on which malloc() free() are slow. + +- ensure we export MALLOC_CHECK and PERTURB during the test + suite, now that the freelist functionality is disabled it + will help to catch bugs before they hit users. + +--- +Sat Apr 19 03:45:20 UTC 2014 - crrodrig...@opensuse.org + +- openssl-libssl-noweakciphers.patch do not offer export + or low quality ciphers by default. using such ciphers + is not forbidden but requires an explicit request + +--- +Fri Apr 18 14:07:47 UTC 2014 - crrodrig...@opensuse.org + +- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does + not return memory of num * old_num but only num size + fortunately this function is currently unused. + +--- New: openssl-buffreelistbug-aka-CVE-2010-5298.patch openssl-libssl-noweakciphers.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.Nrfoy5/_old 2014-04-26 17:01:47.0 +0200 +++ /var/tmp/diff_new_pack.Nrfoy5/_new 2014-04-26 17:01:47.0 +0200 
@@ -65,6 +65,8 @@ Patch17:openssl-1.0.1e-fips-ctor.patch Patch18:openssl-1.0.1e-new-fips-reqs.patch Patch19:openssl-gcc-attributes.patch +Patch20:openssl-buffreelistbug-aka-CVE-2010-5298.patch +Patch21:openssl-libssl-noweakciphers.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -171,6 +173,8 @@ %patch17 -p1 %patch18 -p1 %patch19 -p1 +%patch20 -p1 +%patch21 -p1 cp -p %{S:10} . cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure @@ -220,6 +224,7 @@ fips \ %if 0%{suse_version} 1310 no-ssl2 \ +enable-rfc3779 \ %endif %ifarch x86_64 enable-ec_nistp_64_gcc_128 \ @@ -232,18 +237,16 @@ --openssldir=%{ssletcdir} \ $RPM_OPT_FLAGS -O3 -std=gnu99 \ -Wa,--noexecstack \ +-Wl,-z,relro,-z,now \ -fomit-frame-pointer \ -DTERMIO \ -DPURIFY \ -DSSL_FORBID_ENULL \ -D_GNU_SOURCE \ +-DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \ -%ifnarch hppa aarch64 --Wall \ --fstack-protector -%else -Wall -%endif + # #%{!?do_profiling:%define do_profiling 0} #%if %do_profiling @@ -278,7 +281,8 @@ # These files are just there for the make test below... crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 .libcrypto.so.1.0.0.hmac crypto/fips/fips_standalone_hmac libssl.so.1.0.0 .libssl.so.1.0.0.hmac - +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB= %ifnarch armv4l LD_LIBRARY_PATH=`pwd` make test @@ -401,7 +405,7 @@ ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so -for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do +for engine in 4758cca atalla nuron sureware ubsec cswift chil aep gmp capi; do rm %{buildroot}/%{_lib}/engines/lib$engine.so done ++ openssl-buffreelistbug-aka-CVE-2010-5298.patch ++ --- openssl-1.0.1g.orig/ssl/s3_pkt.c +++ openssl-1.0.1g/ssl/s3_pkt.c @@
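Review bot: in the `@@ -220,6 +224,7 @@` hunk `enable-rfc3779 \` is added between `no-ssl2 \` and `%endif`, so it is only passed when the `%if 0%{suse_version} 1310` condition holds, while the changelog describes it as enabling the option for openSUSE with no version limit. Move it outside the conditional if it is meant to apply everywhere, or say in the changelog that it is tied to the same releases as `no-ssl2`.

Review bot: `export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))` in the `@@ -278,7 +281,8 @@` hunk picks a different fill byte on every build and never prints it, so a test failure that depends on the value cannot be reproduced from the build log. Echo the chosen value before `make test`, or use a fixed non-zero value.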
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-04-18 11:07:25 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-04-17 14:35:57.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-04-18 11:07:27.0 +0200 @@ -1,0 +2,14 @@ +Fri Apr 11 02:40:34 UTC 2014 - crrodrig...@opensuse.org + +- openssl-gcc-attributes.patch + * annotate memory allocation wrappers with attribute(alloc_size) +so the compiler can tell us if it knows they are being misused + * OPENSSL_showfatal is annotated with attribute printf to detect +format string problems. + +- It is time to try to disable SSLv2 again, it was tried a while + ago but broke too many things, nowadays Debian, Ubuntu, the BSDs + all have disabled it, most components are already fixed. + I will fix the remaining fallout if any. (email me) + +--- New: openssl-gcc-attributes.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.RuN2pa/_old 2014-04-18 11:25:05.0 +0200 +++ /var/tmp/diff_new_pack.RuN2pa/_new 2014-04-18 11:25:05.0 +0200 @@ -64,6 +64,7 @@ Patch16:openssl-1.0.1e-fips-ec.patch Patch17:openssl-1.0.1e-fips-ctor.patch Patch18:openssl-1.0.1e-new-fips-reqs.patch +Patch19:openssl-gcc-attributes.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -169,7 +170,7 @@ %patch16 -p1 %patch17 -p1 %patch18 -p1 - +%patch19 -p1 cp -p %{S:10} . cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure @@ -217,6 +218,9 @@ # config_flags=threads shared no-rc5 no-idea \ fips \ +%if 0%{suse_version} 1310 +no-ssl2 \ +%endif %ifarch x86_64 enable-ec_nistp_64_gcc_128 \ %endif ++ openssl-gcc-attributes.patch ++ --- openssl-1.0.1g.orig/crypto/cryptlib.h +++ openssl-1.0.1g/crypto/cryptlib.h 
@@ -100,7 +100,7 @@ extern C { void OPENSSL_cpuid_setup(void); extern unsigned int OPENSSL_ia32cap_P[]; -void OPENSSL_showfatal(const char *fmta,...); +void OPENSSL_showfatal(const char *fmta,...) __attribute__ ((format (printf, 1, 2))); void *OPENSSL_stderr(void); extern int OPENSSL_NONPIC_relocated; --- openssl-1.0.1g.orig/crypto/crypto.h +++ openssl-1.0.1g/crypto/crypto.h @@ -487,15 +487,15 @@ void CRYPTO_get_mem_debug_functions(void void (**so)(long), long (**go)(void)); -void *CRYPTO_malloc_locked(int num, const char *file, int line); +void *CRYPTO_malloc_locked(int num, const char *file, int line) __attribute__((alloc_size(1))); void CRYPTO_free_locked(void *ptr); -void *CRYPTO_malloc(int num, const char *file, int line); +void *CRYPTO_malloc(int num, const char *file, int line) __attribute__((alloc_size(1))); char *CRYPTO_strdup(const char *str, const char *file, int line); void CRYPTO_free(void *ptr); -void *CRYPTO_realloc(void *addr,int num, const char *file, int line); +void *CRYPTO_realloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2))); void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, - int line); -void *CRYPTO_remalloc(void *addr,int num, const char *file, int line); + int line) __attribute__((alloc_size(2, 3))); +void *CRYPTO_remalloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2))); void OPENSSL_cleanse(void *ptr, size_t len); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
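Review bot: in the `crypto/crypto.h` hunk, `CRYPTO_realloc_clean(void *addr,int old_num,int num, ...)` is annotated `__attribute__((alloc_size(2, 3)))`. With two arguments GCC takes the allocation size to be the product of the two parameters, here `old_num * num`, but the returned block is sized by `num` alone, as for `CRYPTO_realloc`. The annotation therefore overstates the object size and weakens the misuse checks the changelog is after; use `alloc_size(3)`.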
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-04-17 14:35:56 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-04-15 07:34:11.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-04-17 14:35:57.0 +0200 @@ -2,14 +1,0 @@ -Fri Apr 11 02:40:34 UTC 2014 - crrodrig...@opensuse.org - -- openssl-gcc-attributes.patch - * annotate memory allocation wrappers with attribute(alloc_size) -so the compiler can tell us if it knows they are being misused - * OPENSSL_showfatal is annotated with attribute printf to detect -format string problems. - -- It is time to try to disable SSLv2 again, it was tried a while - ago but broke too many things, nowadays Debian, Ubuntu, the BSDs - all have disabled it, most components are already fixed. - I will fix the remaining fallout if any. (email me) - Old: openssl-gcc-attributes.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.rrt9Eu/_old 2014-04-17 14:35:58.0 +0200 +++ /var/tmp/diff_new_pack.rrt9Eu/_new 2014-04-17 14:35:58.0 +0200 @@ -64,7 +64,6 @@ Patch16:openssl-1.0.1e-fips-ec.patch Patch17:openssl-1.0.1e-fips-ctor.patch Patch18:openssl-1.0.1e-new-fips-reqs.patch -Patch19:openssl-gcc-attributes.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -170,7 +169,7 @@ %patch16 -p1 %patch17 -p1 %patch18 -p1 -%patch19 -p1 + cp -p %{S:10} . cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure @@ -218,9 +217,6 @@ # config_flags=threads shared no-rc5 no-idea \ fips \ -%if 0%{suse_version} 1310 -no-ssl2 \ -%endif %ifarch x86_64 enable-ec_nistp_64_gcc_128 \ %endif -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
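Review bot: the `openssl.changes` hunk (`@@ -2,14 +1,0 @@`) deletes the 11 Apr entry outright, and the spec hunks drop `Patch19`, `%patch19 -p1` and `no-ssl2` with it, but no new entry says that `openssl-gcc-attributes.patch` and the SSLv2 disablement were backed out or why. Add a changelog entry for the revert instead of erasing the earlier one, so the history shows that SSLv2 is built in again as of this revision.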
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-04-15 07:34:09 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-04-09 18:17:29.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-04-15 07:34:11.0 +0200 @@ -1,0 +2,14 @@ +Fri Apr 11 02:40:34 UTC 2014 - crrodrig...@opensuse.org + +- openssl-gcc-attributes.patch + * annotate memory allocation wrappers with attribute(alloc_size) +so the compiler can tell us if it knows they are being misused + * OPENSSL_showfatal is annotated with attribute printf to detect +format string problems. + +- It is time to try to disable SSLv2 again, it was tried a while + ago but broke too many things, nowadays Debian, Ubuntu, the BSDs + all have disabled it, most components are already fixed. + I will fix the remaining fallout if any. (email me) + +--- New: openssl-gcc-attributes.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.Tl15V8/_old 2014-04-15 07:34:12.0 +0200 +++ /var/tmp/diff_new_pack.Tl15V8/_new 2014-04-15 07:34:12.0 +0200 @@ -64,6 +64,7 @@ Patch16:openssl-1.0.1e-fips-ec.patch Patch17:openssl-1.0.1e-fips-ctor.patch Patch18:openssl-1.0.1e-new-fips-reqs.patch +Patch19:openssl-gcc-attributes.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -169,7 +170,7 @@ %patch16 -p1 %patch17 -p1 %patch18 -p1 - +%patch19 -p1 cp -p %{S:10} . cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure @@ -217,6 +218,9 @@ # config_flags=threads shared no-rc5 no-idea \ fips \ +%if 0%{suse_version} 1310 +no-ssl2 \ +%endif %ifarch x86_64 enable-ec_nistp_64_gcc_128 \ %endif ++ openssl-gcc-attributes.patch ++ --- openssl-1.0.1g.orig/crypto/cryptlib.h +++ openssl-1.0.1g/crypto/cryptlib.h 
@@ -100,7 +100,7 @@ extern C { void OPENSSL_cpuid_setup(void); extern unsigned int OPENSSL_ia32cap_P[]; -void OPENSSL_showfatal(const char *fmta,...); +void OPENSSL_showfatal(const char *fmta,...) __attribute__ ((format (printf, 1, 2))); void *OPENSSL_stderr(void); extern int OPENSSL_NONPIC_relocated; --- openssl-1.0.1g.orig/crypto/crypto.h +++ openssl-1.0.1g/crypto/crypto.h @@ -487,15 +487,15 @@ void CRYPTO_get_mem_debug_functions(void void (**so)(long), long (**go)(void)); -void *CRYPTO_malloc_locked(int num, const char *file, int line); +void *CRYPTO_malloc_locked(int num, const char *file, int line) __attribute__((alloc_size(1))); void CRYPTO_free_locked(void *ptr); -void *CRYPTO_malloc(int num, const char *file, int line); +void *CRYPTO_malloc(int num, const char *file, int line) __attribute__((alloc_size(1))); char *CRYPTO_strdup(const char *str, const char *file, int line); void CRYPTO_free(void *ptr); -void *CRYPTO_realloc(void *addr,int num, const char *file, int line); +void *CRYPTO_realloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2))); void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, - int line); -void *CRYPTO_remalloc(void *addr,int num, const char *file, int line); + int line) __attribute__((alloc_size(2, 3))); +void *CRYPTO_remalloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2))); void OPENSSL_cleanse(void *ptr, size_t len); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
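Review bot: in the crypto.h hunk (@@ -487,15 +487,15 @@), CRYPTO_realloc_clean is annotated alloc_size(2, 3), and the two-argument form tells the compiler the allocation size is the product of parameters 2 and 3, here old_num * num. The new size is num alone (parameter 3), so this should be alloc_size(3); as written, object-size based diagnostics and fortify checks on the returned pointer work from a wrong bound. crypto.h is also an installed header, so the attributes should sit behind a macro that expands to nothing on compilers that lack alloc_size.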
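Review bot: in the cryptlib.h hunk (@@ -100,7 +100,7 @@), the format(printf, 1, 2) attribute on OPENSSL_showfatal is written as a bare __attribute__ with no compiler guard. Wrap it in a macro defined under #ifdef __GNUC__ so the header still compiles with toolchains that do not accept the GCC syntax.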
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-04-03 16:38:28 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-03-06 19:29:26.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-04-03 16:38:30.0 +0200 @@ -1,0 +2,6 @@ +Tue Mar 25 08:11:11 UTC 2014 - shch...@suse.com + +- Fix bug[ bnc#869945] CVE-2014-0076: openssl: Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack + Add file: CVE-2014-0076.patch + +--- New: CVE-2014-0076.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.dXu0c4/_old 2014-04-03 16:38:31.0 +0200 +++ /var/tmp/diff_new_pack.dXu0c4/_new 2014-04-03 16:38:31.0 +0200 @@ -64,6 +64,7 @@ Patch16:openssl-1.0.1e-fips-ec.patch Patch17:openssl-1.0.1e-fips-ctor.patch Patch18:openssl-1.0.1e-new-fips-reqs.patch +Patch19:CVE-2014-0076.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -169,6 +170,7 @@ %patch16 -p1 %patch17 -p1 %patch18 -p1 +%patch19 -p1 cp -p %{S:10} . cp -p %{S:11} . ++ CVE-2014-0076.patch ++ Index: openssl-1.0.1f/crypto/bn/bn.h === --- openssl-1.0.1f.orig/crypto/bn/bn.h +++ openssl-1.0.1f/crypto/bn/bn.h @@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret, BIGNUM *BN_mod_sqrt(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx); +void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); + /* Deprecated versions */ #ifndef OPENSSL_NO_DEPRECATED BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe, 
@@ -774,12 +776,22 @@ int RAND_pseudo_bytes(unsigned char *buf #define bn_fix_top(a) bn_check_top(a) +#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) +#define bn_wcheck_size(bn, words) \ + do { \ + const BIGNUM *_bnum2 = (bn); \ + assert(words = (_bnum2)-dmax words = (_bnum2)-top); \ + } while(0) + #else /* !BN_DEBUG */ #define bn_pollute(a) #define bn_check_top(a) #define bn_fix_top(a) bn_correct_top(a) +#define bn_check_size(bn, bits) +#define bn_wcheck_size(bn, words) + #endif #define bn_correct_top(a) \ Index: openssl-1.0.1f/crypto/bn/bn_lib.c === --- openssl-1.0.1f.orig/crypto/bn/bn_lib.c +++ openssl-1.0.1f/crypto/bn/bn_lib.c 
@@ -824,3 +824,56 @@ int bn_cmp_part_words(const BN_ULONG *a, } return bn_cmp_words(a,b,cl); } + +/* + * Constant-time conditional swap of a and b. + * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set. + * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b, + * and that no more than nwords are used by either a or b. + * a and b cannot be the same number + */ +void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) + { + BN_ULONG t; + int i; + + bn_wcheck_size(a, nwords); + bn_wcheck_size(b, nwords); + + assert(a != b); + assert((condition (condition - 1)) == 0); + assert(sizeof(BN_ULONG) = sizeof(int)); + + condition = ((condition - 1) (BN_BITS2 - 1)) - 1; + + t = (a-top^b-top) condition; + a-top ^= t; + b-top ^= t; + +#define BN_CONSTTIME_SWAP(ind) \ + do { \ + t = (a-d[ind] ^ b-d[ind]) condition; \ + a-d[ind] ^= t; \ + b-d[ind] ^= t; \ + } while (0) + + + switch (nwords) { + default: + for (i = 10; i nwords; i++) + BN_CONSTTIME_SWAP(i); + /* Fallthrough */ + case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */ + case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */ + case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */ + case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */ + case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */ + case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */ + case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */ + case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */ + case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */ + case 1: BN_CONSTTIME_SWAP(0); + } +#undef BN_CONSTTIME_SWAP +} + Index: openssl-1.0.1f/crypto/ec/ec2_mult.c
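Review bot: in the bn.h hunk (@@ -774,12 +776,22 @@), bn_check_size and bn_wcheck_size expand their bits and words arguments without parentheses, so an expression passed as an argument can bind differently than the caller intends; write (bits) and (words) in the macro bodies. The prototype added in the first bn.h hunk names the first parameter swap while the definition in bn_lib.c names it condition; use one name in both places.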
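Review bot: in the bn_lib.c hunk, every precondition of BN_consttime_swap is enforced only by assert(), which is compiled out under NDEBUG, or by bn_wcheck_size, which the bn.h hunk defines as empty when BN_DEBUG is off. In a release build a caller that passes an nwords larger than either operand's allocation makes the swap read and write past d[]. The header comment should state that callers must expand both BIGNUMs to nwords before the call, and that only top and d[] are exchanged (neg is not), so the function is valid only for operands of the same sign.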
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-03-06 19:29:26 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-01-23 15:50:23.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-03-06 19:29:26.0 +0100 @@ -1,0 +2,6 @@ +Mon Mar 3 06:44:52 UTC 2014 - shch...@suse.com + +- additional changes required for FIPS validation( from Fedora repo) + Add patch file: openssl-1.0.1e-new-fips-reqs.patch + +--- New: openssl-1.0.1e-new-fips-reqs.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.VEnGIt/_old 2014-03-06 19:29:28.0 +0100 +++ /var/tmp/diff_new_pack.VEnGIt/_new 2014-03-06 19:29:28.0 +0100 @@ -63,6 +63,7 @@ Patch15:openssl-1.0.1e-fips.patch Patch16:openssl-1.0.1e-fips-ec.patch Patch17:openssl-1.0.1e-fips-ctor.patch +Patch18:openssl-1.0.1e-new-fips-reqs.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -167,6 +168,7 @@ %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 cp -p %{S:10} . cp -p %{S:11} . ++ openssl-1.0.1e-new-fips-reqs.patch ++ 1113 lines (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-01-17 11:05:16 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-01-09 17:25:39.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-01-23 15:50:23.0 +0100 @@ -1,0 +2,34 @@ +Sat Jan 11 08:42:54 UTC 2014 - shch...@suse.com + +- Remove GCC option -O3 for compiliation issue of ARM version + Modify: openssl.spec + +--- +Fri Jan 10 14:43:20 UTC 2014 - shch...@suse.com + +- Adjust the installation path( libopenssl/hmac into /lib or /lib64) + Modify files: README-FIPS.txt openssl.spec + +--- +Thu Jan 9 23:08:29 UTC 2014 - andreas.stie...@gmx.de + +- 1.0.1f: + * Fix for TLS record tampering bug CVE-2013-4353 +- already included: + * Fix for TLS version checking bug CVE-2013-6449 + * Fix for DTLS retransmission bug CVE-2013-6450 +- removed patches: + * CVE-2013-6449.patch, committed upstream + * CVE-2013-6450.patch, committed upstream + * SSL_get_certificate-broken.patch, committed upstream + * openssl-1.0.1e-bnc822642.patch, committed upstream +- modified patches: + * openssl-1.0.1e-fips.patch, adjust for upstream changes + * openssl-fix-pod-syntax.diff, adjust for upstream changes + +--- +Wed Jan 8 22:01:36 UTC 2014 - andreas.stie...@gmx.de + +- add a gpg keyring for source tarball + +--- Old: CVE-2013-6449.patch CVE-2013-6450.patch SSL_get_certificate-broken.patch openssl-1.0.1e-bnc822642.patch openssl-1.0.1e.tar.gz openssl-1.0.1e.tar.gz.asc New: openssl-1.0.1f.tar.gz openssl-1.0.1f.tar.gz.asc openssl.keyring Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.BTHegN/_old 2014-01-23 15:50:23.0 +0100 +++ /var/tmp/diff_new_pack.BTHegN/_new 2014-01-23 15:50:23.0 +0100 
@@ -29,14 +29,16 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.1e +Version:1.0.1f Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL Group: Productivity/Networking/Security -Url:http://www.openssl.org/ -Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz -Source42: http://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc +Url:https://www.openssl.org/ +Source: https://www.%{name}.org/source/%{name}-%{version}.tar.gz +Source42: https://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc +# https://www.openssl.org/about/ +Source43: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xA2D29B7BF295C759#/%name.keyring # to get mtime of file: Source1:openssl.changes Source2:baselibs.conf @@ -54,8 +56,6 @@ Patch8: 0005-libssl-Hide-library-private-symbols.patch Patch9: openssl-1.0.1c-default-paths.patch Patch10:openssl-pkgconfig.patch -Patch11:SSL_get_certificate-broken.patch -Patch12:openssl-1.0.1e-bnc822642.patch # From Fedora openssl. Patch13:openssl-1.0.1c-ipv6-apps.patch Patch14:0001-libcrypto-Hide-library-private-symbols.patch @@ -63,8 +63,6 @@ Patch15:openssl-1.0.1e-fips.patch Patch16:openssl-1.0.1e-fips-ec.patch Patch17:openssl-1.0.1e-fips-ctor.patch -Patch18:CVE-2013-6449.patch -Patch19:CVE-2013-6450.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -164,15 +162,11 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 -%patch11 -p1 -%patch12 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 %patch16 -p1 %patch17 -p1 -%patch18 -p1 -%patch19 -p1 cp -p %{S:10} . cp -p %{S:11} . @@ -230,7 +224,7 @@ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ -$RPM_OPT_FLAGS -O3 -std=gnu99 \ +$RPM_OPT_FLAGS -std=gnu99 \ -Wa,--noexecstack \ -fomit-frame-pointer \ -DTERMIO \ 
@@ -383,25 +377,23 @@ %{expand:%%global __os_install_post {%__os_install_post $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \ - $RPM_BUILD_ROOT/%{_libdir}/libssl.so.%{num_version} \ -$RPM_BUILD_ROOT/%{_libdir}/.libssl.so.%{num_version}.hmac + $RPM_BUILD_ROOT/%{_lib}/libssl.so.%{num_version} \ +$RPM_BUILD_ROOT/%{_lib}/.libssl.so.%{num_version}.hmac $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \ - $RPM_BUILD_ROOT/%{_libdir}/libcrypto.so.%{num_version} \ -
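Review bot: in the spec hunk @@ -29,14 +29,16 @@, Source43 fetches the keyring that is used to verify the tarball signature over plain http from a public keyserver, while the same hunk moves Url, Source and Source42 to https. The keyring is the trust anchor for the .asc check, so its origin should be at least as strong as the tarball's: record the full key fingerprint in a spec comment and review openssl.keyring against it when it changes, rather than relying on the 64-bit key id in the URL.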
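Review bot: the @@ -230,7 +224,7 @@ hunk drops -O3 from the configure line for every architecture, but the changelog entry gives an ARM compilation issue as the reason. Either restrict the change with %ifarch for the ARM targets or say in the changelog that the optimization level is lowered on all architectures on purpose.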
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-01-09 17:25:37 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-01-03 14:57:37.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-01-09 17:25:39.0 +0100 @@ -1,0 +2,6 @@ +Wed Jan 8 10:57:24 UTC 2014 - shch...@suse.com + +- Fixed bnc#857850, openssl doesn't load engine + Modify file: openssl.spec + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.Lj2pim/_old 2014-01-09 17:25:40.0 +0100 +++ /var/tmp/diff_new_pack.Lj2pim/_new 2014-01-09 17:25:40.0 +0100 @@ -396,7 +396,7 @@ mkdir $RPM_BUILD_ROOT/%{_lib} #mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ #mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ -#mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/ +mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/ cd $RPM_BUILD_ROOT%{_libdir}/ ln -sf /%{_libdir}/libssl.so.%{num_version} ./libssl.so #ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so.%{num_version} @@ -404,11 +404,11 @@ #ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so.%{num_version} for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do -rm %{buildroot}/%{_libdir}/engines/lib$engine.so +rm %{buildroot}/%{_lib}/engines/lib$engine.so done %ifnarch %{ix86} x86_64 -rm %{buildroot}/%{_libdir}/engines/libpadlock.so +rm %{buildroot}/%{_lib}/engines/libpadlock.so %endif %clean @@ -422,7 +422,7 @@ %defattr(-, root, root) /%{_libdir}/libssl.so.%{num_version} /%{_libdir}/libcrypto.so.%{num_version} -/%{_libdir}/engines +/%{_lib}/engines %files -n libopenssl1_0_0-hmac %defattr(-, root, root) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
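Review bot: in the @@ -396,7 +396,7 @@ hunk only the engines mv is uncommented, while the adjacent mv lines for libssl.so and libcrypto.so stay commented out, and the %files list in @@ -422,7 +422,7 @@ now mixes /%{_libdir} for the libraries with /%{_lib} for engines. Add a spec comment that says why the engines directory alone lives under /%{_lib}, and delete the dead commented-out mv and ln lines so the next editor does not re-enable them by mistake.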
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-01-03 14:57:36 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-12-23 22:16:57.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-01-03 14:57:37.0 +0100 @@ -1,0 +2,6 @@ +Thu Jan 2 17:28:41 UTC 2014 - shch...@suse.com + +- Fixed bnc#857203, openssl: crash in DTLS renegotiation after packet loss + Add file: CVE-2013-6450.patch + +--- New: CVE-2013-6450.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.2RQeA6/_old 2014-01-03 14:57:38.0 +0100 +++ /var/tmp/diff_new_pack.2RQeA6/_new 2014-01-03 14:57:38.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssl # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -64,6 +64,7 @@ Patch16:openssl-1.0.1e-fips-ec.patch Patch17:openssl-1.0.1e-fips-ctor.patch Patch18:CVE-2013-6449.patch +Patch19:CVE-2013-6450.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -171,6 +172,7 @@ %patch16 -p1 %patch17 -p1 %patch18 -p1 +%patch19 -p1 cp -p %{S:10} . cp -p %{S:11} . ++ CVE-2013-6450.patch ++ Index: openssl-1.0.1e/ssl/d1_both.c === --- openssl-1.0.1e.orig/ssl/d1_both.c +++ openssl-1.0.1e/ssl/d1_both.c 
@@ -214,6 +214,11 @@ dtls1_hm_fragment_new(unsigned long frag static void dtls1_hm_fragment_free(hm_fragment *frag) { + if (frag-msg_header.is_ccs) + { + EVP_CIPHER_CTX_free(frag-msg_header.saved_retransmit_state.enc_write_ctx); + EVP_MD_CTX_destroy(frag-msg_header.saved_retransmit_state.write_hash); + } if (frag-fragment) OPENSSL_free(frag-fragment); if (frag-reassembly) OPENSSL_free(frag-reassembly); OPENSSL_free(frag); Index: openssl-1.0.1e/ssl/ssl_locl.h === --- openssl-1.0.1e.orig/ssl/ssl_locl.h +++ openssl-1.0.1e/ssl/ssl_locl.h @@ -625,6 +625,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; extern SSL3_ENC_METHOD SSLv3_enc_data; extern SSL3_ENC_METHOD DTLSv1_enc_data; +#define SSL_IS_DTLS(s) (s-method-version == DTLS1_VERSION) + #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ s_get_meth) \ const SSL_METHOD *func_name(void) \ Index: openssl-1.0.1e/ssl/t1_enc.c === --- openssl-1.0.1e.orig/ssl/t1_enc.c +++ openssl-1.0.1e/ssl/t1_enc.c @@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int s-mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; else s-mac_flags = ~SSL_MAC_FLAG_WRITE_MAC_STREAM; - if (s-enc_write_ctx != NULL) +if (s-enc_write_ctx != NULL !SSL_IS_DTLS(s)) reuse_dd = 1; - else if ((s-enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) +else if ((s-enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) goto err; - else - /* make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s-enc_write_ctx); dd= s-enc_write_ctx; - mac_ctx = ssl_replace_hash(s-write_hash,NULL); + if (SSL_IS_DTLS(s)) + { + mac_ctx = EVP_MD_CTX_create(); + if (!mac_ctx) + goto err; + s-write_hash = mac_ctx; + } + else + mac_ctx = ssl_replace_hash(s-write_hash,NULL); #ifndef OPENSSL_NO_COMP if (s-compress != NULL) { -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
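Review bot: in the t1_enc.c hunk (@@ -414,15 +414,20 @@), the DTLS branch gives s a new enc_write_ctx and write_hash on every call without releasing the previous ones, and the only release visible in this patch is the is_ccs case added to dtls1_hm_fragment_free. That makes the buffered ChangeCipherSpec fragment the owner of the old contexts. Please add a comment at the allocation site that says so, and confirm that no path reaches this branch with live contexts that no saved retransmit state refers to, since those would leak.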
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-12-23 22:16:55 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-12-19 13:34:53.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-12-23 22:16:57.0 +0100 @@ -1,0 +2,6 @@ +Sun Dec 22 08:10:55 UTC 2013 - shch...@suse.com + +- Fixed bnc#856687, openssl: crash when using TLS 1.2 + Add file: CVE-2013-6449.patch + +--- New: CVE-2013-6449.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.cq8NAA/_old 2013-12-23 22:16:58.0 +0100 +++ /var/tmp/diff_new_pack.cq8NAA/_new 2013-12-23 22:16:58.0 +0100 @@ -63,6 +63,7 @@ Patch15:openssl-1.0.1e-fips.patch Patch16:openssl-1.0.1e-fips-ec.patch Patch17:openssl-1.0.1e-fips-ctor.patch +Patch18:CVE-2013-6449.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -169,6 +170,7 @@ %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 cp -p %{S:10} . cp -p %{S:11} . ++ CVE-2013-6449.patch ++ Index: openssl-1.0.1e/ssl/s3_lib.c === --- openssl-1.0.1e.orig/ssl/s3_lib.c +++ openssl-1.0.1e/ssl/s3_lib.c @@ -4274,7 +4274,7 @@ need to go to SSL_ST_ACCEPT. long ssl_get_algorithm2(SSL *s) { long alg2 = s-s3-tmp.new_cipher-algorithm2; - if (TLS1_get_version(s) = TLS1_2_VERSION + if (s-method-version == TLS1_2_VERSION alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; return alg2; Index: openssl-1.0.1e/ssl/s3_both.c === --- openssl-1.0.1e.orig/ssl/s3_both.c +++ openssl-1.0.1e/ssl/s3_both.c 
@@ -161,6 +161,10 @@ int ssl3_send_finished(SSL *s, int a, in i=s-method-ssl3_enc-final_finish_mac(s, sender,slen,s-s3-tmp.finish_md); + + if (i == 0) + return 0; + s-s3-tmp.finish_md_len = i; memcpy(p, s-s3-tmp.finish_md, i); p+=i; Index: openssl-1.0.1e/ssl/s3_pkt.c === --- openssl-1.0.1e.orig/ssl/s3_pkt.c +++ openssl-1.0.1e/ssl/s3_pkt.c @@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s) slen=s-method-ssl3_enc-client_finished_label_len; } - s-s3-tmp.peer_finish_md_len = s-method-ssl3_enc-final_finish_mac(s, + i = s-method-ssl3_enc-final_finish_mac(s, sender,slen,s-s3-tmp.peer_finish_md); + if (i == 0) + { + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); + return 0; + } + s-s3-tmp.peer_finish_md_len = i; return(1); } Index: openssl-1.0.1e/ssl/t1_enc.c === --- openssl-1.0.1e.orig/ssl/t1_enc.c +++ openssl-1.0.1e/ssl/t1_enc.c @@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s, if (mask ssl_get_algorithm2(s)) { int hashsize = EVP_MD_size(md); - if (hashsize 0 || hashsize (int)(sizeof buf - (size_t)(q-buf))) + EVP_MD_CTX *hdgst = s-s3-handshake_dgst[idx]; + if (!hdgst || hashsize 0 || hashsize (int)(sizeof buf - (size_t)(q-buf))) { /* internal error: 'buf' is too small for this cipersuite! */ err = 1; } else { - EVP_MD_CTX_copy_ex(ctx,s-s3-handshake_dgst[idx]); - EVP_DigestFinal_ex(ctx,q,i); - if (i != (unsigned int)hashsize) /* can't really happen */ + if (!EVP_MD_CTX_copy_ex(ctx, hdgst) || + !EVP_DigestFinal_ex(ctx,q,i) || + (i != (unsigned int)hashsize)) err = 1; - q+=i; + q+=hashsize; } } } -- To unsubscribe, e-mail:
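Review bot: in the s3_both.c hunk (@@ -161,6 +161,10 @@), the new i == 0 branch returns 0 without queuing an error, while the matching check in the s3_pkt.c hunk calls SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR) before returning. Add an SSLerr call in ssl3_send_finished as well, so a failed Finished MAC shows up in the error queue instead of as a silent handshake failure.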
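Review bot: in the s3_lib.c hunk (@@ -4274,7 +4274,7 @@), ssl_get_algorithm2 now tests s->method->version for exact equality with TLS1_2_VERSION. An equality test has to be revisited whenever another protocol version needs the SHA-256 PRF, and the reason for reading the method's version rather than the connection's is not stated. A one-line comment that explains both would keep this from being "simplified" back to the crashing form.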
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-12-19 13:34:52 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-12-17 10:02:18.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-12-19 13:34:53.0 +0100 @@ -1,0 +2,8 @@ +Tue Dec 17 13:57:40 UTC 2013 - meiss...@suse.com + +- compression_methods_switch.patch: setenv might not be successful + if a surrounding library or application filters it, like e.g. sudo. + As setenv() does not seem to be useful anyway, remove it. + bnc#849377 + +--- Other differences: -- ++ compression_methods_switch.patch ++ --- /var/tmp/diff_new_pack.T49vxA/_old 2013-12-19 13:34:54.0 +0100 +++ /var/tmp/diff_new_pack.T49vxA/_new 2013-12-19 13:34:54.0 +0100 @@ -31,16 +31,21 @@ === --- openssl-1.0.1e.orig/ssl/ssl_ciph.c +++ openssl-1.0.1e/ssl/ssl_ciph.c -@@ -455,7 +455,11 @@ static void load_builtin_compressions(vo +@@ -452,10 +452,16 @@ static void load_builtin_compressions(vo + if (ssl_comp_methods == NULL) + { + SSL_COMP *comp = NULL; ++ const char *nodefaultzlib; MemCheck_off(); ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); - if (ssl_comp_methods != NULL) + -+ if( getenv(OPENSSL_NO_DEFAULT_ZLIB) == NULL) -+ setenv(OPENSSL_NO_DEFAULT_ZLIB, yes, 1); -+ -+ if (ssl_comp_methods != NULL strncmp( getenv(OPENSSL_NO_DEFAULT_ZLIB), no, 2) == 0) ++ /* The default is no compression to avoid CRIME/BEAST */ ++ nodefaultzlib = getenv(OPENSSL_NO_DEFAULT_ZLIB); ++ if (ssl_comp_methods != NULL ++ nodefaultzlib ++ strncmp( nodefaultzlib, no, 2) == 0) { comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); if (comp != NULL) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
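Review bot: in the updated ssl_ciph.c hunk, strncmp(nodefaultzlib, "no", 2) == 0 is a prefix match, so any value of OPENSSL_NO_DEFAULT_ZLIB that starts with "no" (for example "none") re-enables zlib compression, which the added comment says is off by default to avoid CRIME. Compare the whole string with strcmp. Since the switch is read with plain getenv, also state whether processes that run with elevated privileges are meant to honour it.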
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-12-17 10:02:17 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-11-30 18:01:22.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-12-17 10:02:18.0 +0100 @@ -1,0 +2,31 @@ +Mon Dec 16 04:28:09 UTC 2013 - shch...@suse.com + +- Adjust the installation path. + Modify files: README-FIPS.txt openssl.spec + +--- +Fri Dec 6 08:07:06 UTC 2013 - lnus...@suse.de + +- don't own /etc/ssl/certs, it's owned by ca-certificates + +--- +Tue Dec 3 12:51:15 UTC 2013 - meiss...@suse.com + +- Actually enable it (in a building way) for openSUSE and SLES, + as we intended. +- Add README-FIPS.txt from SLE 11. + +--- +Mon Dec 2 21:15:41 UTC 2013 - crrodrig...@opensuse.org + +- Restrict the (broken beyond build) FIPS certification code + to SLE releases only, it has no value in openSUSE at all. + +--- +Sat Nov 23 08:23:59 UTC 2013 - shch...@suse.com + +- Patches for OpenSSL FIPS-140-2/3 certification + Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch, + openssl-1.0.1e-fips-ctor.patch + +--- New: README-FIPS.txt openssl-1.0.1e-fips-ctor.patch openssl-1.0.1e-fips-ec.patch openssl-1.0.1e-fips.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.ZUW3ST/_old 2013-12-17 10:02:19.0 +0100 +++ /var/tmp/diff_new_pack.ZUW3ST/_new 2013-12-17 10:02:19.0 +0100 @@ -41,6 +41,7 @@ Source1:openssl.changes Source2:baselibs.conf Source10: README.SuSE +Source11: README-FIPS.txt Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff Patch2: bug610223.patch 
@@ -58,6 +59,10 @@ # From Fedora openssl. Patch13:openssl-1.0.1c-ipv6-apps.patch Patch14:0001-libcrypto-Hide-library-private-symbols.patch +# FIPS patches: +Patch15:openssl-1.0.1e-fips.patch +Patch16:openssl-1.0.1e-fips-ec.patch +Patch17:openssl-1.0.1e-fips-ctor.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -78,6 +83,7 @@ %package -n libopenssl1_0_0 Summary:Secure Sockets and Transport Layer Security +License:OpenSSL Group: Productivity/Networking/Security Recommends: openssl-certs # bug437293 @@ -104,6 +110,7 @@ %package -n libopenssl-devel Summary:Include Files and Libraries mandatory for Development +License:OpenSSL Group: Development/Libraries/C and C++ Obsoletes: openssl-devel %{version} Requires: %name = %version @@ -120,8 +127,19 @@ This package contains all necessary include files and libraries needed to develop applications that require these. +%package -n libopenssl1_0_0-hmac +Summary:HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries +License:BSD-3-Clause +Group: Productivity/Networking/Security +Requires: libopenssl1_0_0 = %{version}-%{release} + +%description -n libopenssl1_0_0-hmac +The FIPS compliant operation of the openssl shared libraries is NOT +possible without the HMAC hashes contained in this package! + %package doc Summary:Additional Package Documentation +License:OpenSSL Group: Productivity/Networking/Security %if 0%{?suse_version} = 1140 BuildArch: noarch @@ -148,8 +166,12 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 cp -p %{S:10} . +cp -p %{S:11} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::' 
@@ -194,11 +216,13 @@ ./config --test-sanity # config_flags=threads shared no-rc5 no-idea \ +fips \ %ifarch x86_64 enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \ zlib \ +no-ec2m \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ @@ -245,6 +269,13 @@ make depend make LD_LIBRARY_PATH=`pwd` make rehash +# for FIPS mode testing; the same hashes are being created later just before +# the wrap-up of the files into
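Review bot: the @@ -194,11 +216,13 @@ hunk adds no-ec2m to config_flags next to fips, but none of the changelog entries in this commit mention it. Disabling binary-field EC support removes functionality from the library for all users of the package, so it needs its own changelog line with the reason, and a spec comment if it is a requirement of the FIPS patches.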
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-11-30 17:59:30 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-11-29 07:03:10.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-11-30 18:01:22.0 +0100 @@ -2,7 +1,0 @@ -Sat Nov 23 08:23:59 UTC 2013 - shch...@suse.com - -- Patches for OpenSSL FIPS-140-2/3 certification - Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch, - openssl-1.0.1e-fips-ctor.patch - Old: openssl-1.0.1e-fips-ctor.patch openssl-1.0.1e-fips-ec.patch openssl-1.0.1e-fips.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.jxpxcJ/_old 2013-11-30 18:01:23.0 +0100 +++ /var/tmp/diff_new_pack.jxpxcJ/_new 2013-11-30 18:01:23.0 +0100 @@ -58,10 +58,6 @@ # From Fedora openssl. Patch13:openssl-1.0.1c-ipv6-apps.patch Patch14:0001-libcrypto-Hide-library-private-symbols.patch -# FIPS patches -Patch15:openssl-1.0.1e-fips.patch -Patch16:openssl-1.0.1e-fips-ec.patch -Patch17:openssl-1.0.1e-fips-ctor.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -82,7 +78,6 @@ %package -n libopenssl1_0_0 Summary:Secure Sockets and Transport Layer Security -License:OpenSSL Group: Productivity/Networking/Security Recommends: openssl-certs # bug437293 @@ -109,7 +104,6 @@ %package -n libopenssl-devel Summary:Include Files and Libraries mandatory for Development -License:OpenSSL Group: Development/Libraries/C and C++ Obsoletes: openssl-devel %{version} Requires: %name = %version 
@@ -126,19 +120,8 @@ This package contains all necessary include files and libraries needed to develop applications that require these. -%package -n libopenssl1_0_0-hmac -Summary:HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries -License:BSD-3-Clause -Group: Productivity/Networking/Security -Requires: libopenssl1_0_0 = %{version}-%{release} - -%description -n libopenssl1_0_0-hmac -The FIPS compliant operation of the openssl shared libraries is NOT -possible without the HMAC hashes contained in this package! - %package doc Summary:Additional Package Documentation -License:OpenSSL Group: Productivity/Networking/Security %if 0%{?suse_version} = 1140 BuildArch: noarch @@ -165,9 +148,6 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure @@ -213,13 +193,12 @@ %endif ./config --test-sanity # -config_flags=threads shared no-rc5 no-idea fips \ +config_flags=threads shared no-rc5 no-idea \ %ifarch x86_64 enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \ zlib \ -no-ec2m \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ @@ -266,15 +245,6 @@ make depend make LD_LIBRARY_PATH=`pwd` make rehash - -# for FIPS mode testing; the same hashes are being created later just before -# the wrap-up of the files into the package. -# These files are just there for the make test below... -crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 .libcrypto.so.1.0.0.hmac -crypto/fips/fips_standalone_hmac libssl.so.1.0.0 .libssl.so.1.0.0.hmac - -LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB= - %ifnarch armv4l LD_LIBRARY_PATH=`pwd` make test %endif 
@@ -288,7 +258,6 @@ %install rm -rf $RPM_BUILD_ROOT make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install -cp -a crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl @@ -366,29 +335,6 @@ # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} \; -# the hmac hashes: -# -# this is a hack that re-defines the __os_install_post macro -# for a simple reason: the macro strips the binaries and thereby -# invalidates a HMAC that may have been created earlier. -# solution: create the hashes _after_ the macro runs. -# -# this shows up earlier because otherwise the %expand of -# the macro is too late. -# remark: This is the same as running -# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs' -%{expand:%%global
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-11-29 07:03:09 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-10-24 14:10:46.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-11-29 07:03:10.0 +0100 @@ -1,0 +2,7 @@ +Sat Nov 23 08:23:59 UTC 2013 - shch...@suse.com + +- Patches for OpenSSL FIPS-140-2/3 certification + Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch, + openssl-1.0.1e-fips-ctor.patch + +--- New: openssl-1.0.1e-fips-ctor.patch openssl-1.0.1e-fips-ec.patch openssl-1.0.1e-fips.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.EWFA2J/_old 2013-11-29 07:03:11.0 +0100 +++ /var/tmp/diff_new_pack.EWFA2J/_new 2013-11-29 07:03:11.0 +0100 @@ -58,6 +58,10 @@ # From Fedora openssl. Patch13:openssl-1.0.1c-ipv6-apps.patch Patch14:0001-libcrypto-Hide-library-private-symbols.patch +# FIPS patches +Patch15:openssl-1.0.1e-fips.patch +Patch16:openssl-1.0.1e-fips-ec.patch +Patch17:openssl-1.0.1e-fips-ctor.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -78,6 +82,7 @@ %package -n libopenssl1_0_0 Summary:Secure Sockets and Transport Layer Security +License:OpenSSL Group: Productivity/Networking/Security Recommends: openssl-certs # bug437293 @@ -104,6 +109,7 @@ %package -n libopenssl-devel Summary:Include Files and Libraries mandatory for Development +License:OpenSSL Group: Development/Libraries/C and C++ Obsoletes: openssl-devel %{version} Requires: %name = %version 
@@ -120,8 +126,19 @@ This package contains all necessary include files and libraries needed to develop applications that require these. +%package -n libopenssl1_0_0-hmac +Summary:HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries +License:BSD-3-Clause +Group: Productivity/Networking/Security +Requires: libopenssl1_0_0 = %{version}-%{release} + +%description -n libopenssl1_0_0-hmac +The FIPS compliant operation of the openssl shared libraries is NOT +possible without the HMAC hashes contained in this package! + %package doc Summary:Additional Package Documentation +License:OpenSSL Group: Productivity/Networking/Security %if 0%{?suse_version} = 1140 BuildArch: noarch @@ -148,6 +165,9 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure @@ -193,12 +213,13 @@ %endif ./config --test-sanity # -config_flags=threads shared no-rc5 no-idea \ +config_flags=threads shared no-rc5 no-idea fips \ %ifarch x86_64 enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \ zlib \ +no-ec2m \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ @@ -245,6 +266,15 @@ make depend make LD_LIBRARY_PATH=`pwd` make rehash + +# for FIPS mode testing; the same hashes are being created later just before +# the wrap-up of the files into the package. +# These files are just there for the make test below... +crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 .libcrypto.so.1.0.0.hmac +crypto/fips/fips_standalone_hmac libssl.so.1.0.0 .libssl.so.1.0.0.hmac + +LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB= + %ifnarch armv4l LD_LIBRARY_PATH=`pwd` make test %endif 
@@ -258,6 +288,7 @@ %install rm -rf $RPM_BUILD_ROOT make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install +cp -a crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl @@ -335,6 +366,29 @@ # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} \; +# the hmac hashes: +# +# this is a hack that re-defines the __os_install_post macro +# for a simple reason: the macro strips the binaries and thereby +# invalidates a HMAC that may have been created earlier. +# solution: create the hashes _after_ the macro runs. +# +# this shows up earlier because otherwise the %expand of +# the macro is too late. +# remark: This is the same as running +# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs' +%{expand:%%global
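Review bot: In the config_flags hunk (@@ -193,12 +213,13 @@), fips and no-ec2m are added, but the changelog entry lists only the three patch files. no-ec2m removes the binary-field EC curves for every consumer of the library, not only for FIPS mode, so it deserves its own changelog line with the reason.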
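Review bot: In the %build hunk (@@ -245,6 +266,15 @@), the new "make test FIPSCANLIB=" call sits above the existing %ifnarch armv4l guard, so the test suite now runs unconditionally, including on armv4l where the guarded make test was skipped, and runs twice on every other architecture. If the second run is redundant, fold FIPSCANLIB= into the guarded call; if both runs are wanted, a comment should say what each one covers.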
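Review bot: The comment block in the hunk at @@ -335,6 +366,29 @@ shows that the .hmac files are keyed with a fixed string that is printed in the spec itself. They can therefore catch a library that changed after the hash was taken (the comment's own example is stripping), but not a change made by someone who can also rewrite the .hmac file. The %description of libopenssl1_0_0-hmac should say that these files are input to the FIPS integrity self-test and not a tamper protection, so nobody relies on them for more than that.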
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-10-24 14:10:45 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-10-17 17:42:54.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-10-24 14:10:46.0 +0200 @@ -1,0 +2,13 @@ +Wed Oct 23 02:59:05 UTC 2013 - crrodrig...@opensuse.org + +- 0001-libcrypto-Hide-library-private-symbols.patch + This patch implements the libcrpto part complimentary to + 0005-libssl-Hide-library-private-symbols.patch. + This patch is however not 100% complete, as some private library + symbols are declared in public headers that shall not be touched + or are defined/declared in perlasm. (tested in 13.1, 12.3, factory) + +- openSSL defaults to -O3 optimization level but we override + it with RPM_OPT_FLAGS, ensure we use -O3 like upstream. + +--- New: 0001-libcrypto-Hide-library-private-symbols.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.YNTzMM/_old 2013-10-24 14:10:47.0 +0200 +++ /var/tmp/diff_new_pack.YNTzMM/_new 2013-10-24 14:10:47.0 +0200 @@ -57,6 +57,7 @@ Patch12:openssl-1.0.1e-bnc822642.patch # From Fedora openssl. Patch13:openssl-1.0.1c-ipv6-apps.patch +Patch14:0001-libcrypto-Hide-library-private-symbols.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -146,6 +147,7 @@ %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure 
@@ -200,7 +202,7 @@ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ -$RPM_OPT_FLAGS -std=gnu99 \ +$RPM_OPT_FLAGS -O3 -std=gnu99 \ -Wa,--noexecstack \ -fomit-frame-pointer \ -DTERMIO \ ++ 0001-libcrypto-Hide-library-private-symbols.patch ++ 622 lines (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
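Review bot: In the configure hunk (@@ -200,7 +202,7 @@), -O3 only takes effect because it comes after $RPM_OPT_FLAGS and the last optimization flag wins, and nothing in the spec says so. A one-line comment above the flag would stop a later cleanup from reordering or dropping it. The 622-line 0001-libcrypto-Hide-library-private-symbols.patch is skipped in this mail and is, by the changelog's own account, not 100% complete, so it needs a separate review.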
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-10-17 14:24:04 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-09-27 19:48:22.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-10-17 17:42:54.0 +0200 @@ -1,0 +2,6 @@ +Fri Oct 11 12:24:14 UTC 2013 - meiss...@suse.com + +- openssl-1.0.1c-ipv6-apps.patch: + Support ipv6 in the openssl s_client / s_server commandline app. + +--- New: openssl-1.0.1c-ipv6-apps.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.Nx2Drp/_old 2013-10-17 17:43:01.0 +0200 +++ /var/tmp/diff_new_pack.Nx2Drp/_new 2013-10-17 17:43:01.0 +0200 @@ -55,6 +55,8 @@ Patch10:openssl-pkgconfig.patch Patch11:SSL_get_certificate-broken.patch Patch12:openssl-1.0.1e-bnc822642.patch +# From Fedora openssl. +Patch13:openssl-1.0.1c-ipv6-apps.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -143,6 +145,7 @@ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure ++ openssl-1.0.1c-ipv6-apps.patch ++ diff -up openssl-1.0.1c/apps/s_apps.h.ipv6-apps openssl-1.0.1c/apps/s_apps.h --- openssl-1.0.1c/apps/s_apps.h.ipv6-apps 2012-07-11 22:46:02.409221206 +0200 +++ openssl-1.0.1c/apps/s_apps.h2012-07-11 22:46:02.451222165 +0200 @@ -148,7 +148,7 @@ typedef fd_mask fd_set; #define PORT_STR4433 #define PROTOCOLtcp -int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); +int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); #ifdef HEADER_X509_H int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); #endif 
@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); #endif -int init_client(int *sock, char *server, int port, int type); +int init_client(int *sock, char *server, char *port, int type); int should_retry(int i); -int extract_port(char *str, short *port_ptr); -int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); +int extract_host_port(char *str,char **host_ptr,char **port_ptr); long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret); diff -up openssl-1.0.1c/apps/s_client.c.ipv6-apps openssl-1.0.1c/apps/s_client.c --- openssl-1.0.1c/apps/s_client.c.ipv6-apps2012-07-11 22:46:02.433221754 +0200 +++ openssl-1.0.1c/apps/s_client.c 2012-07-11 22:46:02.45187 +0200 @@ -563,7 +563,7 @@ int MAIN(int argc, char **argv) int cbuf_len,cbuf_off; int sbuf_len,sbuf_off; fd_set readfds,writefds; - short port=PORT; + char *port_str = PORT_STR; int full_log=1; char *host=SSL_HOST_NAME; char *cert_file=NULL,*key_file=NULL; @@ -664,13 +664,12 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,-port) == 0) { if (--argc 1) goto bad; - port=atoi(*(++argv)); - if (port == 0) goto bad; + port_str= *(++argv); } else if (strcmp(*argv,-connect) == 0) { if (--argc 1) goto bad; - if (!extract_host_port(*(++argv),host,NULL,port)) + if (!extract_host_port(*(++argv),host,port_str)) goto bad; } else if (strcmp(*argv,-verify) == 0) @@ -1253,7 +1252,7 @@ bad: re_start: - if (init_client(s,host,port,socket_type) == 0) + if (init_client(s,host,port_str,socket_type) == 0) { BIO_printf(bio_err,connect:errno=%d\n,get_last_socket_error()); SHUTDOWN(s); diff -up openssl-1.0.1c/apps/s_server.c.ipv6-apps openssl-1.0.1c/apps/s_server.c --- openssl-1.0.1c/apps/s_server.c.ipv6-apps2012-07-11 22:46:02.434221777 +0200 +++ openssl-1.0.1c/apps/s_server.c 2012-07-11 22:46:02.45310 +0200 
@@ -929,7 +929,7 @@ int MAIN(int argc, char *argv[]) {
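Review bot: In the s_client.c hunk at @@ -664,13 +664,12 @@, the -port branch used to reject a zero or non-numeric value with "if (port == 0) goto bad;" and now stores the raw argument in port_str with no check at all. An empty or malformed port is accepted at option parsing and only fails later inside init_client(), with a connect error instead of the usage message. Either keep a minimal check here (at least a non-empty string) or state in the patch description that validation is deliberately left to init_client(). The same hunk set removes extract_port() from s_apps.h, so confirm no other file in apps/ still calls it.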
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-09-27 19:48:21 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-09-05 23:22:31.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-09-27 19:48:22.0 +0200 @@ -1,0 +2,6 @@ +Fri Sep 27 10:26:43 UTC 2013 - dmacvi...@suse.de + +- VPN openconnect problem (DTLS handshake failed) + (git 9fe4603b8, bnc#822642, openssl ticket#2984) + +--- New: openssl-1.0.1e-bnc822642.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.pNoTxw/_old 2013-09-27 19:48:23.0 +0200 +++ /var/tmp/diff_new_pack.pNoTxw/_new 2013-09-27 19:48:23.0 +0200 @@ -54,6 +54,7 @@ Patch9: openssl-1.0.1c-default-paths.patch Patch10:openssl-pkgconfig.patch Patch11:SSL_get_certificate-broken.patch +Patch12:openssl-1.0.1e-bnc822642.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -141,6 +142,7 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure ++ openssl-1.0.1e-bnc822642.patch ++ commit 9fe4603b8245425a4c46986ed000fca054231253 Author: David Woodhouse dw...@infradead.org Date: Tue Feb 12 14:55:32 2013 + Check DTLS_BAD_VER for version number. The version check for DTLS1_VERSION was redundant as DTLS1_VERSION TLS1_1_VERSION, however we do need to check for DTLS1_BAD_VER for compatibility. PR:2984 (cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc) diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 02edf3f..443a31e 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c 
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) + if (s-version = TLS1_1_VERSION || s-version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
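Review bot: The s3_cbc.c hunk swaps DTLS1_VERSION for DTLS1_BAD_VER in the explicit-IV check of tls1_cbc_remove_padding() without touching the code comment above it, so the reason lives only in the commit message: DTLS1_VERSION is already covered by the TLS1_1_VERSION comparison, DTLS1_BAD_VER is not. Extend the "Check if version requires explicit IV" comment with that one sentence, because this condition sits in the CBC padding path and the next reader will otherwise take the odd-looking version constant for a mistake. In the spec hunk, Patch12 also lacks the PATCH-FIX-UPSTREAM comment with the upstream reference that the changelog gives (git 9fe4603b8, ticket#2984).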
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-09-05 23:22:31 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-08-13 11:00:55.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-09-05 23:22:31.0 +0200 @@ -1,0 +2,6 @@ +Wed Sep 4 18:56:38 UTC 2013 - guilla...@opensuse.org + +- Fix armv6l arch (armv7 was previously used to build armv6 which + lead to illegal instruction when used) + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.B9tJU2/_old 2013-09-05 23:22:33.0 +0200 +++ /var/tmp/diff_new_pack.B9tJU2/_new 2013-09-05 23:22:33.0 +0200 @@ -181,6 +181,9 @@ %ifarch armv5el armv5tel export MACHINE=armv5el %endif +%ifarch armv6l armv6hl +export MACHINE=armv6l +%endif ./config --test-sanity # config_flags=threads shared no-rc5 no-idea \ -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-08-13 11:00:53 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-08-04 16:59:22.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-08-13 11:00:55.0 +0200 
@@ -1,0 +2,47 @@ +Mon Aug 12 06:05:03 UTC 2013 - shch...@suse.com + +- Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken + modify patch file: SSL_get_certificate-broken.patch + +--- +Fri Aug 9 23:24:14 UTC 2013 - crrodrig...@opensuse.org + +- Via padlock is only found in x86 and x86_64 CPUs, remove + the shared module for other archs. + +--- +Wed Aug 7 18:30:45 UTC 2013 - crrodrig...@opensuse.org + +- Cleanup engines that are of no use in a modern linux distro +- The following engines stay: +* libcapi.so -- usable in case you have third party /dev/crypto +* libgmp.so -- may help to doing some maths using GMP +* libgost.so -- implements the GOST block cipher +* libpadlock.so -- VIA padlock support +- Al other are removed because they require third party propietary + shared libraries nowhere to be found or that we can test. + +--- +Wed Aug 7 18:30:23 UTC 2013 - crrodrig...@opensuse.org + +- openssl-pkgconfig.patch: Here we go.. For applications +to benefit fully of features provided by openSSL engines +(rdrand, aes-ni..etc) either builtin or in DSO form applications +have to call ENGINE_load_builtin_engines() or OPENSSL_config() +unfortunately from a total of 68 apps/libraries linked to libcrypto +in a desktop system, only 4 do so, and there is a sea of buggy +code that I dont feel like fixing. +Instead we can pass -DOPENSSL_LOAD_CONF in the pkgconfig files +so the needed operation becomes implicit the next time such apps +are recompiled, see OPENSSL_config(3) +Unfortunately this does not fix everything, because there are apps +not using pkgconfig or using it incorrectly, but it is a good start. 
+ +--- +Wed Aug 7 09:33:55 UTC 2013 - dmuel...@suse.com + +- add openssl-1.0.1c-default-paths.patch: + Fix from Fedora for openssl s_client not setting + CApath by default + +--- New: SSL_get_certificate-broken.patch openssl-1.0.1c-default-paths.patch openssl-pkgconfig.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.VltZDx/_old 2013-08-13 11:00:56.0 +0200 +++ /var/tmp/diff_new_pack.VltZDx/_new 2013-08-13 11:00:56.0 +0200 @@ -51,6 +51,9 @@ Patch6: openssl-1.0.1e-truststore.diff Patch7: compression_methods_switch.patch Patch8: 0005-libssl-Hide-library-private-symbols.patch +Patch9: openssl-1.0.1c-default-paths.patch +Patch10:openssl-pkgconfig.patch +Patch11:SSL_get_certificate-broken.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -135,6 +138,10 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 + cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags @@ -327,6 +334,14 @@ ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so +for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do +rm %{buildroot}/%{_lib}/engines/lib$engine.so +done + +%ifnarch %{ix86} x86_64 +rm %{buildroot}/%{_lib}/engines/libpadlock.so +%endif + %clean if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi ++ SSL_get_certificate-broken.patch ++ Index: openssl-1.0.1e/ssl/ssl_lib.c === --- openssl-1.0.1e.orig/ssl/ssl_lib.c +++ openssl-1.0.1e/ssl/ssl_lib.c 
@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { - if (s-server) - return(ssl_get_server_send_cert(s)); - else if (s-cert != NULL) + if (s-cert != NULL) return(s-cert-key-x509); else return(NULL); ++ openssl-1.0.1c-default-paths.patch ++ diff -up openssl-1.0.1c/apps/s_client.c.default-paths
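Review bot: In the %install hunk at @@ -327,6 +334,14 @@, the engine removal uses %{buildroot} while the surrounding lines use $RPM_BUILD_ROOT; pick one. The plain rm without -f makes the build fail when an engine from the list is not built, which is a useful tripwire, but a comment should say it is intentional so that nobody changes it to rm -f later.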
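Review bot: SSL_get_certificate-broken.patch starts directly at the Index: line with no description or bug reference, and the changelog entry names ssl_set_cert_masks() while the hunk changes SSL_get_certificate(). The hunk removes the server branch that returned ssl_get_server_send_cert(s), so both roles now return the x509 of the current cert key. The patch header should state which behaviour bnc#832833 needs and why the server branch was wrong, and the unchanged "Fix this function so that it takes an optional type parameter" comment should be checked against the new behaviour.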
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-08-04 16:59:21 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-07-30 18:42:59.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-08-04 16:59:22.0 +0200 @@ -1,0 +2,12 @@ +Sat Aug 3 21:15:07 UTC 2013 - crrodrig...@opensuse.org + +- 0005-libssl-Hide-library-private-symbols.patch: hide + private symbols, this *only* applies to libssl where + it is straightforward to do so as applications should + not be using any of the symbols declared/defined in headers + that the library does not install. + A separate patch MAY be provided in the future for libcrypto + where things are much more complicated and threfore requires + careful testing. + +--- New: 0005-libssl-Hide-library-private-symbols.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.0wLKXM/_old 2013-08-04 16:59:23.0 +0200 +++ /var/tmp/diff_new_pack.0wLKXM/_new 2013-08-04 16:59:23.0 +0200 @@ -50,6 +50,7 @@ Patch5: openssl-fix-pod-syntax.diff Patch6: openssl-1.0.1e-truststore.diff Patch7: compression_methods_switch.patch +Patch8: 0005-libssl-Hide-library-private-symbols.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -133,6 +134,7 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ 0005-libssl-Hide-library-private-symbols.patch ++ From 89d5aecbc62842651cf22e48c405eb435feb0df3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= crrodrig...@opensuse.org Date: Wed, 24 Jul 2013 23:29:05 -0400 Subject: [PATCH 5/5] libssl: Hide library private symbols This patch only contains the libssl part (the easy one) patch to libcrypto will follow after it is complete and good enough. It hides all the library symbols that are not part of the public API/ABI when GCC 4 or later is used. --- ssl/kssl_lcl.h | 9 + ssl/ssl_locl.h | 8 2 files changed, 17 insertions(+) diff --git a/ssl/kssl_lcl.h b/ssl/kssl_lcl.h index c039c91..69972b1 100644 --- a/ssl/kssl_lcl.h +++ b/ssl/kssl_lcl.h @@ -61,6 +61,10 @@ #include openssl/kssl.h +#if defined(__GNUC__) __GNUC__ = 4 +#pragma GCC visibility push(hidden) +#endif + #ifndef OPENSSL_NO_KRB5 #ifdef __cplusplus @@ -84,4 +88,9 @@ int kssl_tgt_is_available(KSSL_CTX *kssl_ctx); } #endif #endif /* OPENSSL_NO_KRB5 */ + +#if defined(__GNUC__) __GNUC__ = 4 +#pragma GCC visibility pop +#endif + #endif /* KSSL_LCL_H */ diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 56f9b4b..dde4e3e 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -165,6 +165,10 @@ #include openssl/ssl.h #include openssl/symhacks.h +#if defined(__GNUC__) __GNUC__ = 4 +#pragma GCC visibility push(hidden) +#endif + #ifdef OPENSSL_BUILD_SHLIBSSL # undef OPENSSL_EXTERN # define OPENSSL_EXTERN OPENSSL_EXPORT @@ -1357,4 +1361,8 @@ void tls_fips_digest_extra( const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len, size_t orig_len); +#if defined(__GNUC__) __GNUC__ = 4 +#pragma GCC visibility pop +#endif + #endif -- 1.8.3.1 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
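Review bot: In the ssl_locl.h hunk at @@ -165,6 +165,10 @@, the hidden-visibility region opens right after the openssl/ssl.h and openssl/symhacks.h includes and stays open until the pop just before the final #endif at line 1361. Any header included further down in ssl_locl.h would have its declarations marked hidden as well. Confirm that no public header is included after the push, or move the push below the last #include. The commit message says the patch hides everything that is not public API/ABI; attaching a before/after list of exported symbols of libssl to the request would let reviewers verify that claim instead of trusting it.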
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-07-30 18:42:57 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-07-04 18:04:59.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-07-30 18:42:59.0 +0200 @@ -1,0 +2,9 @@ +Mon Jul 29 08:06:48 UTC 2013 - meiss...@suse.com + +- compression_methods_switch.patch: Disable compression by default to + avoid the CRIME attack (CVE-2012-4929 bnc#793420) + + Can be override by setting environment variable + OPENSSL_NO_DEFAULT_ZLIB=no + +--- New: compression_methods_switch.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.UNlkbn/_old 2013-07-30 18:43:00.0 +0200 +++ /var/tmp/diff_new_pack.UNlkbn/_new 2013-07-30 18:43:00.0 +0200 @@ -49,6 +49,7 @@ # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 Patch5: openssl-fix-pod-syntax.diff Patch6: openssl-1.0.1e-truststore.diff +Patch7: compression_methods_switch.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -131,6 +132,7 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ compression_methods_switch.patch ++ Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod === --- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod +++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 
@@ -41,6 +41,24 @@ of compression methods supported on a pe The OpenSSL library has the compression methods BCOMP_rle() and (when especially enabled during compilation) BCOMP_zlib() available. +And, there is an environment variable to switch the compression +methods off and on. In default the compression is off to mitigate +the so called CRIME attack ( CVE-2012-4929). If you want to enable +compression again set OPENSSL_NO_DEFAULT_ZLIB to no. + +The variable can be switched on and off at runtime; when this variable +is set no compression is enabled, otherwise no, for example: + +in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no' +or in C to call +int setenv(const char *name, const char *value, int overwrite); and +int unsetenv(const char *name); + +Note: This reverts the behavior of the variable as it was before! + +And pay attention that this freaure is temporary, it maybe changed by +the following updates. + =head1 WARNINGS Once the identities of the compression methods for the TLS protocol have Index: openssl-1.0.1e/ssl/ssl_ciph.c === --- openssl-1.0.1e.orig/ssl/ssl_ciph.c +++ openssl-1.0.1e/ssl/ssl_ciph.c @@ -455,7 +455,11 @@ static void load_builtin_compressions(vo MemCheck_off(); ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); - if (ssl_comp_methods != NULL) + + if( getenv(OPENSSL_NO_DEFAULT_ZLIB) == NULL) + setenv(OPENSSL_NO_DEFAULT_ZLIB, yes, 1); + + if (ssl_comp_methods != NULL strncmp( getenv(OPENSSL_NO_DEFAULT_ZLIB), no, 2) == 0) { comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); if (comp != NULL) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
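Review bot: The POD text added in SSL_COMP_add_compression_method.pod contradicts itself: "when this variable is set no compression is enabled, otherwise no" does not say which value does what, and "freaure" is a typo for feature. State the rule once and in the terms the code uses: compression is off unless OPENSSL_NO_DEFAULT_ZLIB is set to no. The sentence that the variable can be switched at runtime also needs a caveat, since the ssl_ciph.c hunk only shows it being read inside load_builtin_compressions().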
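Review bot: In the ssl_ciph.c hunk, load_builtin_compressions() calls setenv() to write the default value yes into the process environment when the variable is unset. A library should not modify its caller's environment: the value is inherited by child processes, and setenv() is not safe against concurrent getenv() calls in other threads. Read getenv() into a local pointer and treat NULL as yes instead. The comparison also checks only the first two characters against no, so any value that merely begins with those letters switches compression back on, and with it the CRIME exposure (CVE-2012-4929) this patch is meant to close; compare the whole string. Because the variable re-enables a mitigation, it should be ignored in setuid and setgid processes.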
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-07-04 18:04:58 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-07-02 07:40:13.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-07-04 18:04:59.0 +0200 @@ -1,0 +2,7 @@ +Tue Jul 2 09:02:59 UTC 2013 - lnus...@suse.de + +- Don't use the legacy /etc/ssl/certs directory anymore but rather + the p11-kit generated /var/lib/ca-certificates/openssl one + (fate#314991, openssl-1.0.1e-truststore.diff) + +--- New: openssl-1.0.1e-truststore.diff Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.8eo3MA/_old 2013-07-04 18:05:01.0 +0200 +++ /var/tmp/diff_new_pack.8eo3MA/_new 2013-07-04 18:05:01.0 +0200 @@ -48,6 +48,7 @@ Patch4: VIA_padlock_support_on_64systems.patch # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 Patch5: openssl-fix-pod-syntax.diff +Patch6: openssl-1.0.1e-truststore.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -129,6 +130,7 @@ %patch3 %patch4 -p1 %patch5 -p1 +%patch6 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ openssl-1.0.1e-truststore.diff ++ Don't use the legacy /etc/ssl/certs directory anymore but rather the p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) Index: openssl-1.0.1e/crypto/cryptlib.h === --- openssl-1.0.1e.orig/crypto/cryptlib.h +++ openssl-1.0.1e/crypto/cryptlib.h 
@@ -81,7 +81,7 @@ extern C { #ifndef OPENSSL_SYS_VMS #define X509_CERT_AREA OPENSSLDIR -#define X509_CERT_DIR OPENSSLDIR /certs +#define X509_CERT_DIR /var/lib/ca-certificates/openssl #define X509_CERT_FILE OPENSSLDIR /cert.pem #define X509_PRIVATE_DIR OPENSSLDIR /private #else -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
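Review bot: The cryptlib.h hunk moves X509_CERT_DIR to the absolute path /var/lib/ca-certificates/openssl but leaves X509_CERT_FILE at OPENSSLDIR /cert.pem on the next line, so the default trust store is now split between the p11-kit generated directory and a file under the legacy tree. If that is intended, say so in the patch description; if not, a cert.pem left behind in OPENSSLDIR stays trusted after this change. The new path is also hard-coded in the source instead of being passed in from the spec, which makes it easy to miss when the ca-certificates layout changes.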
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-07-02 07:40:12 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-06-25 14:43:15.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-07-02 07:40:13.0 +0200 @@ -1,0 +2,12 @@ +Sat Jun 29 22:47:54 UTC 2013 - crrodrig...@opensuse.org + +- Build enable-ec_nistp_64_gcc_128, ecdh is many times faster + but only works in x86_64. + According to the openSSL team +it is superior to the default in multiple regards (speed, and also +security as the new implementations are secure against timing +attacks) +It is not enabled by default due to the build system being unable +to detect if the compiler supports __uint128_t. + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.FOYYz9/_old 2013-07-02 07:40:14.0 +0200 +++ /var/tmp/diff_new_pack.FOYYz9/_new 2013-07-02 07:40:14.0 +0200 @@ -171,6 +171,9 @@ ./config --test-sanity # config_flags=threads shared no-rc5 no-idea \ +%ifarch x86_64 +enable-ec_nistp_64_gcc_128 \ +%endif enable-camellia \ zlib \ --prefix=%{_prefix} \ -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-06-25 07:43:23 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-06-05 13:05:48.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-06-25 14:43:15.0 +0200 @@ -1,0 +2,6 @@ +Thu Jun 20 07:58:33 UTC 2013 - co...@suse.com + +- pick openssl-fix-pod-syntax.diff out of the upstream RT to fix + build with perl 5.18 + +--- New: openssl-fix-pod-syntax.diff Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.xfum3F/_old 2013-06-25 14:43:16.0 +0200 +++ /var/tmp/diff_new_pack.xfum3F/_new 2013-06-25 14:43:16.0 +0200 @@ -46,6 +46,8 @@ Patch2: bug610223.patch Patch3: openssl-ocloexec.patch Patch4: VIA_padlock_support_on_64systems.patch +# PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 +Patch5: openssl-fix-pod-syntax.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -64,19 +66,6 @@ Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. - - -Authors: - -Mark J. Cox m...@openssl.org -Ralf S. Engelschall r...@openssl.org -Dr. Stephen Henson st...@openssl.org -Ben Laurie b...@openssl.org -Bodo Moeller b...@openssl.org -Ulf Moeller u...@openssl.org -Holger Reif hol...@openssl.org -Paul C. Sutton p...@openssl.org - %package -n libopenssl1_0_0 Summary:Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security 
@@ -103,19 +92,6 @@ Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. - - -Authors: - -Mark J. Cox m...@openssl.org -Ralf S. Engelschall r...@openssl.org -Dr. Stephen Henson st...@openssl.org -Ben Laurie b...@openssl.org -Bodo Moeller b...@openssl.org -Ulf Moeller u...@openssl.org -Holger Reif hol...@openssl.org -Paul C. Sutton p...@openssl.org - %package -n libopenssl-devel Summary:Include Files and Libraries mandatory for Development Group: Development/Libraries/C and C++ @@ -134,19 +110,6 @@ This package contains all necessary include files and libraries needed to develop applications that require these. - - -Authors: - -Mark J. Cox m...@openssl.org -Ralf S. Engelschall r...@openssl.org -Dr. Stephen Henson st...@openssl.org -Ben Laurie b...@openssl.org -Bodo Moeller b...@openssl.org -Ulf Moeller u...@openssl.org -Holger Reif hol...@openssl.org -Paul C. Sutton p...@openssl.org - %package doc Summary:Additional Package Documentation Group: Productivity/Networking/Security @@ -158,19 +121,6 @@ This package contains optional documentation provided in addition to this package's base documentation. - - -Authors: - -Mark J. Cox m...@openssl.org -Ralf S. Engelschall r...@openssl.org -Dr. Stephen Henson st...@openssl.org -Ben Laurie b...@openssl.org -Bodo Moeller b...@openssl.org -Ulf Moeller u...@openssl.org -Holger Reif hol...@openssl.org -Paul C. Sutton p...@openssl.org - %prep %setup -q %patch0 -p1 
@@ -178,6 +128,7 @@ %patch2 -p1 %patch3 %patch4 -p1 +%patch5 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ openssl-fix-pod-syntax.diff ++ From jaeni...@openssl.net Thu May 30 09:46:58 2013 CC: Jonathan Liu net...@gmail.com Resent-Date: Thu, 30 May 2013 09:46:58 +0200 X-Spam-Status: No, score=-2.3 required=5.0 tests=FREEMAIL_FROM, RCVD_IN_DNSWL_MED,T_DKIM_INVALID,T_TO_NO_BRKTS_FREEMAIL autolearn=ham version=3.3.2 X-Mailer: git-send-email 1.8.3 Message-ID: 1369887573-10819-1-git-send-email-net...@gmail.com X-Received: by 10.68.65.134 with SMTP id x6mr5859535pbs.219.1369886755138; Wed, 29 May 2013 21:05:55 -0700 (PDT) Resent-To: rt-...@openssl.net Received: by openssl.net (Postfix, from userid 29209) id 1548C1E0128; Thu, 30 May 2013 09:46:58 +0200 (CEST) Received: by openssl.net (Postfix, from userid 65534) id 852471E12CB; Thu, 30 May 2013 06:14:07 +0200 (CEST) Received: by openssl.net (Postfix, from userid 30009) id 6FF4D1E12CF; Thu, 30 May 2013 06:14:07 +0200 (CEST) Received: from master.openssl.org (openssl.org
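Review bot: The four hunks that delete the Authors: blocks from the %description sections (@@ -64,19 +66,6 @@ through @@ -158,19 +121,6 @@) are unrelated to the perl 5.18 build fix and are not mentioned in the changelog entry. Add a changelog line for them or move them into their own submission.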
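Review bot: openssl-fix-pod-syntax.diff is carried as the raw RT mail, including the X-Spam-Status, Received and Resent-* headers. Trim it to the From, Date and Subject lines plus the diff itself, which keeps the attribution and the link to the upstream ticket while dropping mail-routing details from the source package.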
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-06-05 13:05:48 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-02-23 16:39:09.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-06-05 13:05:48.0 +0200 @@ -1,0 +2,5 @@ +Sat May 25 10:10:07 UTC 2013 - i...@marguerite.su + +- add %if tag for BuildArch. sles may also need latest openssl. + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.5yktdO/_old 2013-06-05 13:05:49.0 +0200 +++ /var/tmp/diff_new_pack.5yktdO/_new 2013-06-05 13:05:49.0 +0200 @@ -150,7 +150,9 @@ %package doc Summary:Additional Package Documentation Group: Productivity/Networking/Security +%if 0%{?suse_version} = 1140 BuildArch: noarch +%endif %description doc This package contains optional documentation provided in addition to -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-02-23 16:39:08 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-02-12 16:41:42.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-02-23 16:39:09.0 +0100 @@ -1,0 +2,5 @@ +Fri Feb 22 16:00:16 UTC 2013 - dmuel...@suse.com + +- disable fstack-protector on aarch64 + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.pa06pt/_old 2013-02-23 16:39:10.0 +0100 +++ /var/tmp/diff_new_pack.pa06pt/_new 2013-02-23 16:39:10.0 +0100 @@ -231,7 +231,7 @@ -DSSL_FORBID_ENULL \ -D_GNU_SOURCE \ $(getconf LFS_CFLAGS) \ -%ifnarch hppa +%ifnarch hppa aarch64 -Wall \ -fstack-protector %else -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
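Review bot: adding aarch64 to `%ifnarch hppa aarch64` in the CFLAGS block means that architecture no longer gets the `-Wall` / `-fstack-protector` branch, so a crypto library is built there without stack-smashing protection, and the changelog gives no reason or bug reference. Put a comment above the conditional naming the toolchain problem being worked around so the exclusion can be lifted later, and move `-Wall` out of the conditional, since it does not depend on the protector.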
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-02-12 16:41:40 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-02-11 11:07:27.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-02-12 16:41:42.0 +0100 @@ -1,0 +2,7 @@ +Tue Feb 12 00:08:06 UTC 2013 - hrvoje.sen...@gmail.com + +- Update to 1.0.1e + o Bugfix release (bnc#803004) +- Drop openssl-1.0.1d-s3-packet.patch, included upstream + +--- Old: openssl-1.0.1d-s3-packet.patch openssl-1.0.1d.tar.gz openssl-1.0.1d.tar.gz.asc New: openssl-1.0.1e.tar.gz openssl-1.0.1e.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.CRWuMj/_old 2013-02-12 16:41:44.0 +0100 +++ /var/tmp/diff_new_pack.CRWuMj/_new 2013-02-12 16:41:44.0 +0100 @@ -29,7 +29,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.1d +Version:1.0.1e Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL @@ -46,8 +46,6 @@ Patch2: bug610223.patch Patch3: openssl-ocloexec.patch Patch4: VIA_padlock_support_on_64systems.patch -# PATCH-FIX-UPSTREAM openssl-1.0.1d-s3-packet.patch Fix the calculation that checks there is enough room in a record after removing padding and optional explicit IV bnc#803004, openssl ticket#2975 -Patch5: openssl-1.0.1d-s3-packet.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -178,7 +176,6 @@ %patch2 -p1 %patch3 %patch4 -p1 -%patch5 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ openssl-1.0.1d.tar.gz - openssl-1.0.1e.tar.gz ++ 1697 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-02-11 11:07:26 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-02-07 10:44:03.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-02-11 11:07:27.0 +0100 @@ -1,0 +2,6 @@ +Sun Feb 10 20:33:51 UTC 2013 - hrvoje.sen...@gmail.com + +- Added openssl-1.0.1d-s3-packet.patch from upstream, fixes + bnc#803004, openssl ticket#2975 + +--- New: openssl-1.0.1d-s3-packet.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.mXrCuc/_old 2013-02-11 11:07:29.0 +0100 +++ /var/tmp/diff_new_pack.mXrCuc/_new 2013-02-11 11:07:29.0 +0100 @@ -46,6 +46,8 @@ Patch2: bug610223.patch Patch3: openssl-ocloexec.patch Patch4: VIA_padlock_support_on_64systems.patch +# PATCH-FIX-UPSTREAM openssl-1.0.1d-s3-packet.patch Fix the calculation that checks there is enough room in a record after removing padding and optional explicit IV bnc#803004, openssl ticket#2975 +Patch5: openssl-1.0.1d-s3-packet.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -176,6 +178,7 @@ %patch2 -p1 %patch3 %patch4 -p1 +%patch5 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ openssl-1.0.1d-s3-packet.patch ++ https://bugs.gentoo.org/456108 taken from upstream From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001 
From: Dr. Stephen Henson st...@openssl.org Date: Thu, 7 Feb 2013 21:06:37 + Subject: [PATCH] Fix IV check and padding removal. Fix the calculation that checks there is enough room in a record after removing padding and optional explicit IV. (by Steve) For AEAD remove the correct number of padding bytes (by Andy) --- ssl/s3_cbc.c | 33 - 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index ce77acd..0f60507 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c 
@@ -139,31 +139,22 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned mac_size) { unsigned padding_length, good, to_check, i; - const char has_explicit_iv = - s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION; - const unsigned overhead = 1 /* padding length byte */ + - mac_size + - (has_explicit_iv ? block_size : 0); - - /* These lengths are all public so we can test them in non-constant -* time. */ - if (overhead rec-length) - return 0; - - /* We can always safely skip the explicit IV. We check at the beginning -* of this function that the record has at least enough space for the -* IV, MAC and padding length byte. (These can be checked in -* non-constant time because it's all public information.) So, if the -* padding was invalid, then we didn't change |rec-length| and this is -* safe. If the padding was valid then we know that we have at least -* overhead+padding_length bytes of space and so this is still safe -* because overhead accounts for the explicit IV. */ - if (has_explicit_iv) + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ + if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) { + /* These lengths are all public so we can test them in +* non-constant time. +*/ + if (overhead + block_size rec-length) + return 0; + /* We can now safely skip explicit IV */ rec-data += block_size; rec-input += block_size; rec-length -= block_size; } + else if (overhead rec-length) + return 0; padding_length = rec-data[rec-length-1]; @@ -190,7 +181,7 @@ int tls1_cbc_remove_padding(const SSL* s, if (EVP_CIPHER_flags(s-enc_read_ctx-cipher)EVP_CIPH_FLAG_AEAD_CIPHER) { /* padding is already verified */ - rec-length -= padding_length; + rec-length -= padding_length + 1; return 1; } --
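Review bot: in the second ssl/s3_cbc.c hunk (the AEAD branch of tls1_cbc_remove_padding), `rec->length -= padding_length + 1;` relies on the comment "padding is already verified", and nothing in the visible context checks that `padding_length + 1` fits within `rec->length` before the subtraction. Please confirm the AEAD path guarantees that bound, or add an explicit check ahead of the subtraction. In the first hunk, the removed comment that explained why skipping the explicit IV is safe was replaced by a one-line remark; keep a sentence stating that the length check has to come before `rec->data += block_size`.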
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-02-07 10:44:00 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-11-22 16:51:35.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-02-07 10:44:03.0 +0100 @@ -1,0 +2,11 @@ +Tue Feb 5 16:00:17 UTC 2013 - meiss...@suse.com + +- update to version 1.0.1d, fixing security issues + o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version. + o Include the fips configuration module. + o Fix OCSP bad key DoS attack CVE-2013-0166 + o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 +bnc#802184 + o Fix for TLS AESNI record handling flaw CVE-2012-2686 + +--- Old: openssl-1.0.1c.tar.gz New: openssl-1.0.1d.tar.gz openssl-1.0.1d.tar.gz.asc Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.WYIxsS/_old 2013-02-07 10:44:05.0 +0100 +++ /var/tmp/diff_new_pack.WYIxsS/_new 2013-02-07 10:44:05.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssl # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,7 +16,6 @@ # - Name: openssl BuildRequires: bc BuildRequires: ed 
@@ -30,13 +29,14 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.1c +Version:1.0.1d Release:0 Summary:Secure Sockets and Transport Layer Security License:OpenSSL Group: Productivity/Networking/Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz +Source42: http://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc # to get mtime of file: Source1:openssl.changes Source2:baselibs.conf ++ openssl-1.0.1c.tar.gz - openssl-1.0.1d.tar.gz ++ 7948 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
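Review bot: `Source42` adds the upstream `.tar.gz.asc` signature, but no hunk of the spec diff shown here checks the tarball against it, so the signature is shipped and never verified at build time. Add the upstream signing keyring as a further source and a verification step at the start of `%prep`; that matters for an update whose changelog lists CVE-2013-0166, CVE-2013-0169 and CVE-2012-2686.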
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-11-22 16:51:34 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-08-26 14:22:13.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-11-22 16:51:35.0 +0100 @@ -1,0 +2,6 @@ +Mon Nov 12 08:39:31 UTC 2012 - g...@suse.com + +- fix bug[bnc#784994] - VIA padlock support on 64 systems + e_padlock: add support for x86_64 gcc + +--- New: VIA_padlock_support_on_64systems.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.PXQ5W6/_old 2012-11-22 16:51:37.0 +0100 +++ /var/tmp/diff_new_pack.PXQ5W6/_new 2012-11-22 16:51:37.0 +0100 @@ -16,8 +16,6 @@ # -# Please submit bugfixes or comments via http://bugs.opensuse.org/ -# Name: openssl BuildRequires: bc @@ -47,6 +45,7 @@ Patch1: openssl-1.0.0-c_rehash-compat.diff Patch2: bug610223.patch Patch3: openssl-ocloexec.patch +Patch4: VIA_padlock_support_on_64systems.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -176,6 +175,7 @@ %patch1 -p1 %patch2 -p1 %patch3 +%patch4 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ VIA_padlock_support_on_64systems.patch ++ Index: openssl-1.0.1c/engines/e_padlock.c === --- openssl-1.0.1c.orig/engines/e_padlock.c +++ openssl-1.0.1c/engines/e_padlock.c 
@@ -101,7 +101,10 @@ compiler choice is limited to GCC and Microsoft C. */ #undef COMPILE_HW_PADLOCK #if !defined(I386_ONLY) !defined(OPENSSL_NO_INLINE_ASM) -# if (defined(__GNUC__) (defined(__i386__) || defined(__i386))) || \ +# if (defined(__GNUC__) __GNUC__=2 \ + (defined(__i386__) || defined(__i386) || \ +defined(__x86_64__) || defined(__x86_64)) \ + ) || \ (defined(_MSC_VER) defined(_M_IX86)) # define COMPILE_HW_PADLOCK # endif @@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da * === */ #if defined(__GNUC__) __GNUC__=2 +#if defined(__i386__) || defined(__i386) /* * As for excessive push %ebx/pop %ebx found all over. * When generating position-independent code GCC won't let @@ -383,21 +387,6 @@ padlock_available(void) return padlock_use_ace + padlock_use_rng; } -#ifndef OPENSSL_NO_AES -/* Our own htonl()/ntohl() */ -static inline void -padlock_bswapl(AES_KEY *ks) -{ - size_t i = sizeof(ks-rd_key)/sizeof(ks-rd_key[0]); - unsigned int *key = ks-rd_key; - - while (i--) { - asm volatile (bswapl %0 : +r(*key)); - key++; - } -} -#endif - /* Force key reload from memory to the CPU microcode. Loading EFLAGS from the stack clears EFLAGS[30] which does the trick. */ 
@@ -456,11 +445,130 @@ static inline void *name(size_t cnt, \ return iv; \ } + +#endif + +#elif defined(__x86_64__) || defined(__x86_64) + +/* Load supported features of the CPU to see if + the PadLock is available. */ + static int +padlock_available(void) +{ + char vendor_string[16]; + unsigned int eax, edx; + + /* Are we running on the Centaur (VIA) CPU? */ + eax = 0x; + vendor_string[12] = 0; + asm volatile ( + cpuid\n + movl %%ebx,(%1)\n + movl %%edx,4(%1)\n + movl %%ecx,8(%1)\n + : +a(eax) : r(vendor_string) : rbx, rcx, rdx); + if (strcmp(vendor_string, CentaurHauls) != 0) + return 0; + + /* Check for Centaur Extended Feature Flags presence */ + eax = 0xC000; + asm volatile (cpuid + : +a(eax) : : rbx, rcx, rdx); + if (eax 0xC001) + return 0; + + /* Read the Centaur Extended Feature Flags */ + eax = 0xC001; + asm volatile (cpuid + : +a(eax), =d(edx) : : rbx, rcx); + + /* Fill up some flags */ + padlock_use_ace = ((edx (0x36)) == (0x36)); + padlock_use_rng = ((edx (0x32)) == (0x32)); + + return padlock_use_ace + padlock_use_rng; +} + +/* Force key reload from memory to the CPU microcode. + Loading EFLAGS
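Review bot: in the new x86_64 padlock_available(), the first asm statement stores twelve bytes through the `vendor_string` pointer (the three `movl` lines), but its clobber list names only rbx, rcx and rdx, so the compiler is not told that memory was written before `strcmp(vendor_string, ...)` reads it. Add "memory" to the clobber list of that statement. On the spec side, `Patch4` is added without a comment naming bnc#784994, which currently appears only in the changelog.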
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-08-26 14:22:07 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-08-08 11:18:04.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-08-26 14:22:13.0 +0200 @@ -1,0 +2,7 @@ +Sun Aug 19 23:38:32 UTC 2012 - crrodrig...@opensuse.org + +- Open Internal file descriptors with O_CLOEXEC, leaving + those open across fork()..execve() makes a perfect + vector for a side-channel attack... + +--- New: openssl-ocloexec.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.ncRTax/_old 2012-08-26 14:22:14.0 +0200 +++ /var/tmp/diff_new_pack.ncRTax/_new 2012-08-26 14:22:14.0 +0200 @@ -46,6 +46,7 @@ Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff Patch2: bug610223.patch +Patch3: openssl-ocloexec.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -174,6 +175,7 @@ %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags @@ -366,11 +368,9 @@ %clean if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi -%post -n libopenssl1_0_0 -/sbin/ldconfig +%post -n libopenssl1_0_0 -p /sbin/ldconfig -%postun -n libopenssl1_0_0 -/sbin/ldconfig +%postun -n libopenssl1_0_0 -p /sbin/ldconfig %files -n libopenssl1_0_0 %defattr(-, root, root) ++ openssl-ocloexec.patch ++ --- crypto/bio/b_sock.c.orig +++ crypto/bio/b_sock.c 
@@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in } again: - s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); + s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); if (s == INVALID_SOCKET) { SYSerr(SYS_F_SOCKET,get_last_socket_error()); @@ -784,7 +784,7 @@ again: } elsegoto err; } - cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); + cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); if (cs != INVALID_SOCKET) { int ii; --- crypto/bio/bss_conn.c.orig +++ crypto/bio/bss_conn.c @@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC c-them.sin_addr.s_addr=htonl(l); c-state=BIO_CONN_S_CREATE_SOCKET; - ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); + ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); if (ret == INVALID_SOCKET) { SYSerr(SYS_F_SOCKET,get_last_socket_error()); --- crypto/bio/bss_dgram.c.orig +++ crypto/bio/bss_dgram.c @@ -999,7 +999,7 @@ static int dgram_sctp_read(BIO *b, char msg.msg_control = cmsgbuf; msg.msg_controllen = 512; msg.msg_flags = 0; - n = recvmsg(b-num, msg, 0); + n = recvmsg(b-num, msg, MSG_CMSG_CLOEXEC); if (msg.msg_controllen 0) { @@ -1560,7 +1560,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) msg.msg_controllen = 0; msg.msg_flags = 0; - n = recvmsg(b-num, msg, MSG_PEEK); + n = recvmsg(b-num, msg, MSG_PEEK| MSG_CMSG_CLOEXEC); if (n = 0) { if ((n 0) (get_last_socket_error() != EAGAIN) (get_last_socket_error() != EWOULDBLOCK)) @@ -1583,7 +1583,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) msg.msg_controllen = 0; msg.msg_flags = 0; - n = recvmsg(b-num, msg, 0); + n = recvmsg(b-num, msg, MSG_CMSG_CLOEXEC); if (n = 0) { if ((n 0) (get_last_socket_error() != EAGAIN) (get_last_socket_error() != EWOULDBLOCK)) @@ -1644,7 +1644,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) fcntl(b-num, F_SETFL, O_NONBLOCK); } - n = recvmsg(b-num, msg,
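Review bot: `SOCK_CLOEXEC` and `MSG_CMSG_CLOEXEC` are passed unconditionally in crypto/bio/b_sock.c, bss_conn.c and bss_dgram.c with no `#ifdef` fallback, so the patched files only build where the headers define these flags, and `socket()` fails on a kernel that does not know `SOCK_CLOEXEC`. For a distribution-only patch that may be acceptable, but say so in the patch header, or guard the flags and fall back to `fcntl(fd, F_SETFD, FD_CLOEXEC)`. Note also that `MSG_CMSG_CLOEXEC` only applies to descriptors received as ancillary data, so the recvmsg() changes are harmless but do not alter the flags of `b->num` itself.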
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-08-08 11:18:03 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-05-21 10:00:44.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-08-08 11:18:04.0 +0200 @@ -1,0 +2,5 @@ +Tue Aug 7 17:17:34 UTC 2012 - dmuel...@suse.com + +- fix build on armv5 (bnc#774710) + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.JIc8BB/_old 2012-08-08 11:18:06.0 +0200 +++ /var/tmp/diff_new_pack.JIc8BB/_new 2012-08-08 11:18:06.0 +0200 @@ -210,6 +210,9 @@ sed -i -e s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES| crypto/Makefile %build +%ifarch armv5el armv5tel +export MACHINE=armv5el +%endif ./config --test-sanity # config_flags=threads shared no-rc5 no-idea \ -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
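Review bot: the `%ifarch armv5el armv5tel` block in `%build` exports `MACHINE=armv5el` with no comment on why `./config` needs the override; the bnc#774710 reference exists only in the changelog. Add a one-line comment above the `export` stating what `./config` detects without it.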
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-05-21 10:00:42 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-05-08 12:28:29.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-05-21 10:00:44.0 +0200 @@ -1,0 +2,10 @@ +Thu May 10 19:18:06 UTC 2012 - crrodrig...@opensuse.org + +- Update to version 1.0.1c for the complete list of changes see + NEWS, this only list packaging changes. +- Drop aes-ni patch, no longer needed as it is builtin in openssl + now. +- Define GNU_SOURCE and use -std=gnu99 to build the package. +- Use LFS_CFLAGS in platforms where it matters. + +--- Old: openssl-1.0.0b-aesni.patch openssl-1.0.0i.tar.bz2 openssl-call-engine-reg-comp.patch New: openssl-1.0.1c.tar.gz Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.oC9s96/_old 2012-05-21 10:00:47.0 +0200 +++ /var/tmp/diff_new_pack.oC9s96/_new 2012-05-21 10:00:47.0 +0200 
@@ -15,26 +15,30 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Name: openssl -BuildRequires: bc ed pkg-config zlib-devel +BuildRequires: bc +BuildRequires: ed +BuildRequires: pkg-config +BuildRequires: zlib-devel %define ssletcdir %{_sysconfdir}/ssl -%define num_version %(echo %{version} | sed -e s+[a-zA-Z]++g; s+_.*++g) -License:OpenSSL -Group: Productivity/Networking/Security +#%define num_version %(echo %{version} | sed -e s+[a-zA-Z]++g; s+_.*++g) +%define num_version 1.0.0 Provides: ssl -AutoReqProv:on # bug437293 %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.0i -Release:1 +Version:1.0.1c +Release:0 Summary:Secure Sockets and Transport Layer Security +License:OpenSSL +Group: Productivity/Networking/Security Url:http://www.openssl.org/ -Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 +Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz # to get mtime of file: Source1:openssl.changes Source2:baselibs.conf @@ -42,19 +46,6 @@ Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff Patch2: bug610223.patch -#Patch3: CVE-2010-1633_and_CVE-2010-0742.patch -#Patch4: patchset-19727.diff -#Patch5: CVE-2010-2939.patch -#Patch6: CVE-2010-3864.patch -Patch7: openssl-1.0.0b-aesni.patch -#Patch8: CVE-2011-0014.patch -Patch10:openssl-call-engine-reg-comp.patch -#Patch11:Bug748738_Tolerate_bad_MIME_headers.patch -#Patch12:bug749213-Free-headers-after-use.patch -#Patch13:bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch -#Patch14:CVE-2012-1165.patch -#Patch15:CVE-2012-0884.patch -#Patch16:bug749735.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -87,7 +78,6 @@ Paul C. Sutton p...@openssl.org %package -n libopenssl1_0_0 -License:OpenSSL Summary:Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security Recommends: openssl-certs 
@@ -127,12 +117,12 @@ Paul C. Sutton p...@openssl.org %package -n libopenssl-devel -License:OpenSSL Summary:Include Files and Libraries mandatory for Development Group: Development/Libraries/C and C++ Obsoletes: openssl-devel %{version} -Requires: libopenssl1_0_0 = %{version} zlib-devel Requires: %name = %version +Requires: libopenssl1_0_0 = %{version} +Requires: zlib-devel Provides: openssl-devel = %{version} # bug437293 %ifarch ppc64 @@ -158,7 +148,6 @@ Paul C. Sutton p...@openssl.org %package doc -License:OpenSSL Summary:Additional Package Documentation Group: Productivity/Networking/Security BuildArch: noarch @@ -185,19 +174,6 @@ %patch0 -p1 %patch1 -p1 %patch2 -p1 -#%patch3 -p1 -#%patch4 -p1 -#%patch5 -p1 -#%patch6 -p1 -%patch7 -#%patch8 -p1 -%patch10 -#%patch11 -p1 -#%patch12 -p1 -#%patch13 -p1 -#%patch14 -p1 -#%patch15 -p1 -#%patch16 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags @@
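Review bot: `%define num_version 1.0.0` is now hard-coded while `Version` moves to 1.0.1c, and the spec does not say why the two differ. Add a comment that the value is deliberately pinned and what it has to match, and delete the old definition instead of leaving it as `#%define num_version ...`, because rpm still expands macros on comment lines. The first hunk also adds a second copy of the "Please submit bugfixes or comments via http://bugs.opensuse.org/" line directly below the existing one.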
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-05-08 12:28:22 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-04-23 17:40:11.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-05-08 12:28:29.0 +0200 @@ -1,0 +2,5 @@ +Fri May 4 12:09:57 UTC 2012 - lnus...@suse.de + +- don't install any demo or expired certs at all + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.H7uZqm/_old 2012-05-08 12:28:31.0 +0200 +++ /var/tmp/diff_new_pack.H7uZqm/_new 2012-05-08 12:28:31.0 +0200 @@ -296,8 +296,7 @@ %install rm -rf $RPM_BUILD_ROOT make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install -# install standard root certificates -cp -pr certs/* $RPM_BUILD_ROOT%{ssletcdir}/certs +install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/ @@ -421,7 +420,6 @@ %doc LICENSE NEWS README README.SuSE %dir %{ssletcdir} %dir %{ssletcdir}/certs -%{ssletcdir}/certs/* %config (noreplace) %{ssletcdir}/openssl.cnf %attr(700,root,root) %{ssletcdir}/private %dir %{_datadir}/ssl -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
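Review bot: after this change `%{ssletcdir}/certs` is created empty by `install -d -m755`, and with the old "# install standard root certificates" comment gone nothing in `%install` says that this is intentional. Add a comment above the `install -d` line stating that the upstream demo and expired certificates are deliberately not shipped and where trust anchors are expected to come from.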
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-04-23 17:40:09 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-04-17 22:00:29.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-04-23 17:40:11.0 +0200 @@ -1,0 +2,13 @@ +Mon Apr 23 05:57:35 UTC 2012 - g...@suse.com + +- update to latest stable verison 1.0.0i + including the following patches: + CVE-2012-2110.path + Bug748738_Tolerate_bad_MIME_headers.patch + bug749213-Free-headers-after-use.patch + bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch + CVE-2012-1165.patch + CVE-2012-0884.patch + bug749735.patch + +--- Old: Bug748738_Tolerate_bad_MIME_headers.patch CVE-2012-0884.patch CVE-2012-1165.patch bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch bug749213-Free-headers-after-use.patch bug749735.patch openssl-1.0.0g.tar.bz2 New: openssl-1.0.0i.tar.bz2 Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.0yOMFp/_old 2012-04-23 17:40:13.0 +0200 +++ /var/tmp/diff_new_pack.0yOMFp/_new 2012-04-23 17:40:13.0 +0200 @@ -30,7 +30,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version:1.0.0g +Version:1.0.0i Release:1 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ 
@@ -49,12 +49,12 @@ Patch7: openssl-1.0.0b-aesni.patch #Patch8: CVE-2011-0014.patch Patch10:openssl-call-engine-reg-comp.patch -Patch11:Bug748738_Tolerate_bad_MIME_headers.patch -Patch12:bug749213-Free-headers-after-use.patch -Patch13:bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch -Patch14:CVE-2012-1165.patch -Patch15:CVE-2012-0884.patch -Patch16:bug749735.patch +#Patch11:Bug748738_Tolerate_bad_MIME_headers.patch +#Patch12:bug749213-Free-headers-after-use.patch +#Patch13:bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch +#Patch14:CVE-2012-1165.patch +#Patch15:CVE-2012-0884.patch +#Patch16:bug749735.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -192,12 +192,12 @@ %patch7 #%patch8 -p1 %patch10 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 +#%patch11 -p1 +#%patch12 -p1 +#%patch13 -p1 +#%patch14 -p1 +#%patch15 -p1 +#%patch16 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
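Review bot: `Patch11` through `Patch16` and their `%patch` lines are commented out instead of removed, although the "Old:" list shows the patch files themselves were deleted from the package. Remove the dead lines; the `#%patchNN -p1` forms in particular still carry macros on comment lines. The changelog also lists "CVE-2012-2110.path" among the included patches, but no file of that name appears in the Old or New lists, so if that fix comes with the 1.0.0i tarball the entry should say so plainly.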
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-04-17 22:00:24 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-03-20 17:49:17.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-04-17 22:00:29.0 +0200 @@ -1,0 +2,19 @@ +Tue Mar 27 09:16:37 UTC 2012 - g...@suse.com + +- fix bug[bnc#749735] - Memory leak when creating public keys. + fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack + CVE-2012-0884 + +--- +Thu Mar 22 03:24:20 UTC 2012 - g...@suse.com + +- fix bug[bnc#751946] - S/MIME verification may erroneously fail + CVE-2012-1165 + +--- +Wed Mar 21 02:44:41 UTC 2012 - g...@suse.com + +- fix bug[bnc#749213]-Free headers after use in error message + and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt + +--- @@ -6 +24,0 @@ - @@ -11,0 +30 @@ + CVE-2006-7250 New: CVE-2012-0884.patch CVE-2012-1165.patch bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch bug749213-Free-headers-after-use.patch bug749735.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.WvLsxJ/_old 2012-04-17 22:00:31.0 +0200 +++ /var/tmp/diff_new_pack.WvLsxJ/_new 2012-04-17 22:00:31.0 +0200 @@ -50,6 +50,11 @@ #Patch8: CVE-2011-0014.patch Patch10:openssl-call-engine-reg-comp.patch Patch11:Bug748738_Tolerate_bad_MIME_headers.patch +Patch12:bug749213-Free-headers-after-use.patch +Patch13:bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch +Patch14:CVE-2012-1165.patch +Patch15:CVE-2012-0884.patch +Patch16:bug749735.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -188,6 +193,11 @@ #%patch8 -p1 %patch10 %patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ CVE-2012-0884.patch ++ Index: openssl-1.0.0c/crypto/cms/cms.h === --- openssl-1.0.0c.orig/crypto/cms/cms.h +++ openssl-1.0.0c/crypto/cms/cms.h @@ -111,6 +111,7 @@ DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentI #define CMS_PARTIAL0x4000 #define CMS_REUSE_DIGEST 0x8000 #define CMS_USE_KEYID 0x1 +#define CMS_DEBUG_DECRYPT 0x2 const ASN1_OBJECT *CMS_get0_type(CMS_ContentInfo *cms); Index: openssl-1.0.0c/crypto/cms/cms_enc.c === --- openssl-1.0.0c.orig/crypto/cms/cms_enc.c +++ openssl-1.0.0c/crypto/cms/cms_enc.c @@ -73,6 +73,8 @@ BIO *cms_EncryptedContent_init_bio(CMS_E const EVP_CIPHER *ciph; X509_ALGOR *calg = ec-contentEncryptionAlgorithm; unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL; + unsigned char *tkey = NULL; + size_t tkeylen; int ok = 0; @@ -139,30 +141,55 @@ BIO *cms_EncryptedContent_init_bio(CMS_E } - if (enc !ec-key) + /* Generate random session key */ + if (!enc || !ec-key) { - /* Generate random key */ - if (!ec-keylen) - ec-keylen = EVP_CIPHER_CTX_key_length(ctx); - ec-key = OPENSSL_malloc(ec-keylen); - if (!ec-key) + tkeylen = EVP_CIPHER_CTX_key_length(ctx); + tkey = OPENSSL_malloc(tkeylen); + if (!tkey) { CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, ERR_R_MALLOC_FAILURE); goto err; } - if (EVP_CIPHER_CTX_rand_key(ctx, ec-key) = 0) + if (EVP_CIPHER_CTX_rand_key(ctx, tkey) = 0) goto err; - keep_key = 1; } - else if (ec-keylen != (unsigned int)EVP_CIPHER_CTX_key_length(ctx)) + if (!ec-key) + { + ec-key = tkey; + ec-keylen = tkeylen; + tkey = NULL; + if (enc) + keep_key = 1; + else +
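Review bot: in cms_EncryptedContent_init_bio(), `tkey` now holds a freshly generated session key from `OPENSSL_malloc(tkeylen)`, and the part of the hunk visible here (the patch text is cut off) shows no cleanup for it on the `goto err` paths. Confirm that the remainder of the patch cleanses and frees `tkey` on every exit where ownership was not handed to `ec->key`. On the spec side, `Patch12` to `Patch16` are added without a comment tying each file to its bnc or CVE number, which the changelog does carry.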
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-03-20 17:49:15 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-03-07 20:09:59.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-03-20 17:49:17.0 +0100 @@ -1,0 +2,6 @@ +Tue Mar 20 14:29:24 UTC 2012 - cfarr...@suse.com + +- license update: OpenSSL + + +--- Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.XMQ0rp/_old 2012-03-20 17:49:19.0 +0100 +++ /var/tmp/diff_new_pack.XMQ0rp/_new 2012-03-20 17:49:19.0 +0100 @@ -22,7 +22,7 @@ BuildRequires: bc ed pkg-config zlib-devel %define ssletcdir %{_sysconfdir}/ssl %define num_version %(echo %{version} | sed -e s+[a-zA-Z]++g; s+_.*++g) -License:BSD-3-Clause +License:OpenSSL Group: Productivity/Networking/Security Provides: ssl AutoReqProv:on @@ -82,7 +82,7 @@ Paul C. Sutton p...@openssl.org %package -n libopenssl1_0_0 -License:BSD-3-Clause +License:OpenSSL Summary:Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security Recommends: openssl-certs @@ -122,7 +122,7 @@ Paul C. Sutton p...@openssl.org %package -n libopenssl-devel -License:BSD-3-Clause +License:OpenSSL Summary:Include Files and Libraries mandatory for Development Group: Development/Libraries/C and C++ Obsoletes: openssl-devel %{version} @@ -153,7 +153,7 @@ Paul C. Sutton p...@openssl.org %package doc -License:BSD-3-Clause +License:OpenSSL Summary:Additional Package Documentation Group: Productivity/Networking/Security BuildArch: noarch -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-03-07 20:09:51 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2012-02-03 10:25:02.0 +0100 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-03-07 20:09:59.0 +0100 @@ -1,0 +2,6 @@ +Fri Feb 24 02:33:22 UTC 2012 - g...@suse.com + +- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's + asn1 parser. + +--- New: Bug748738_Tolerate_bad_MIME_headers.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.cUqlj4/_old 2012-03-07 20:10:00.0 +0100 +++ /var/tmp/diff_new_pack.cUqlj4/_new 2012-03-07 20:10:00.0 +0100 @@ -49,6 +49,7 @@ Patch7: openssl-1.0.0b-aesni.patch #Patch8: CVE-2011-0014.patch Patch10:openssl-call-engine-reg-comp.patch +Patch11:Bug748738_Tolerate_bad_MIME_headers.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -186,6 +187,7 @@ %patch7 #%patch8 -p1 %patch10 +%patch11 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ Bug748738_Tolerate_bad_MIME_headers.patch ++ Index: openssl-1.0.0g/crypto/asn1/asn_mime.c === --- openssl-1.0.0g.orig/crypto/asn1/asn_mime.c +++ openssl-1.0.0g/crypto/asn1/asn_mime.c @@ -858,6 +858,10 @@ static int mime_hdr_addparam(MIME_HEADER static int mime_hdr_cmp(const MIME_HEADER * const *a, const MIME_HEADER * const *b) { + if ((*a)-name == NULL || (*b)-name == NULL) + return (*a)-name - (*b)-name 0 ? -1 : + (*a)-name - (*b)-name 0 ? 1 : 0; + return(strcmp((*a)-name, (*b)-name)); } -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
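Review bot: the new NULL branch in mime_hdr_cmp() decides the ordering by subtracting the two name pointers, and on that path at least one of them is NULL. Subtracting pointers that do not point into the same array is undefined behaviour in C, and the subtraction is written out twice. Comparing the NULL-ness directly gives the same ordering without it, for example return ((*a)->name != NULL) - ((*b)->name != NULL); which sorts a nameless header before a named one and treats two nameless headers as equal. The patch file also starts directly at the Index: line; a short header naming bnc#748738 and the origin of the change would help later maintainers.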
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2012-02-03 10:24:53 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2011-10-19 13:42:11.0 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2012-02-03 10:25:02.0 +0100 @@ -1,0 +2,16 @@ +Thu Feb 2 06:55:12 UTC 2012 - g...@suse.com + +- Update to version 1.0.0g fix the following: + DTLS DoS attack (CVE-2012-0050) + +--- +Wed Jan 11 05:35:18 UTC 2012 - g...@suse.com + +- Update to version 1.0.0f fix the following: + DTLS Plaintext Recovery Attack (CVE-2011-4108) + Uninitialized SSL 3.0 Padding (CVE-2011-4576) + Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577) + SGC Restart DoS Attack (CVE-2011-4619) + Invalid GOST parameters DoS Attack (CVE-2012-0027) + +--- Old: openssl-1.0.0e.tar.bz2 New: openssl-1.0.0g.tar.bz2 Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.Ij5yxf/_old 2012-02-03 10:25:03.0 +0100 +++ /var/tmp/diff_new_pack.Ij5yxf/_new 2012-02-03 10:25:03.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssl # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,9 +30,7 @@ %ifarch ppc64 Obsoletes: openssl-64bit %endif -# -#Version:1.0.0 -Version:1.0.0e +Version:1.0.0g Release:1 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2011-12-06 18:34:43 Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) Package is openssl, Maintainer is g...@suse.com Changes: Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.lcta5C/_old 2011-12-06 18:56:18.0 +0100 +++ /var/tmp/diff_new_pack.lcta5C/_new 2011-12-06 18:56:18.0 +0100 @@ -22,7 +22,7 @@ BuildRequires: bc ed pkg-config zlib-devel %define ssletcdir %{_sysconfdir}/ssl %define num_version %(echo %{version} | sed -e s+[a-zA-Z]++g; s+_.*++g) -License:BSD3c(or similar) +License:BSD-3-Clause Group: Productivity/Networking/Security Provides: ssl AutoReqProv:on @@ -83,7 +83,7 @@ Paul C. Sutton p...@openssl.org %package -n libopenssl1_0_0 -License:BSD3c(or similar) +License:BSD-3-Clause Summary:Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security Recommends: openssl-certs @@ -123,7 +123,7 @@ Paul C. Sutton p...@openssl.org %package -n libopenssl-devel -License:BSD3c(or similar) +License:BSD-3-Clause Summary:Include Files and Libraries mandatory for Development Group: Development/Libraries/C and C++ Obsoletes: openssl-devel %{version} @@ -154,7 +154,7 @@ Paul C. Sutton p...@openssl.org %package doc -License:BSD3c(or similar) +License:BSD-3-Clause Summary:Additional Package Documentation Group: Productivity/Networking/Security BuildArch: noarch -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at Fri Sep 9 11:49:18 CEST 2011. --- openssl/openssl.changes 2011-08-06 02:37:39.0 +0200 +++ /mounts/work_src_done/STABLE/openssl/openssl.changes2011-09-07 16:32:25.0 +0200 @@ -1,0 +2,6 @@ +Wed Sep 7 14:29:41 UTC 2011 - crrodrig...@opensuse.org + +- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210 + see http://openssl.org/news/secadv_20110906.txt for details. + +--- calling whatdependson for head-i586 Old: ECDSA_signatures_timing_attack.patch openssl-1.0.0d.tar.bz2 New: openssl-1.0.0e.tar.bz2 Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.ThJV88/_old 2011-09-09 11:49:11.0 +0200 +++ /var/tmp/diff_new_pack.ThJV88/_new 2011-09-09 11:49:11.0 +0200 @@ -32,8 +32,8 @@ %endif # #Version:1.0.0 -Version:1.0.0d -Release:31 +Version:1.0.0e +Release:1 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -50,7 +50,6 @@ #Patch6: CVE-2010-3864.patch Patch7: openssl-1.0.0b-aesni.patch #Patch8: CVE-2011-0014.patch -Patch9: ECDSA_signatures_timing_attack.patch Patch10:openssl-call-engine-reg-comp.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -188,7 +187,6 @@ #%patch6 -p1 %patch7 -p1 #%patch8 -p1 -%patch9 -p1 %patch10 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure ++ openssl-1.0.0d.tar.bz2 - openssl-1.0.0e.tar.bz2 ++ 9639 lines of diff (skipped) Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
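Review bot: Patch9 (ECDSA_signatures_timing_attack.patch) and its %patch9 -p1 line are removed, but the .changes entry only says "Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210". That patch is a side-channel countermeasure, so the entry should state that it is dropped and why, for instance that the 1.0.0e tarball already contains the change. The tarball diff is skipped in this mail, so a reader cannot confirm from the commit alone that the protection is still present.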
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at Mon Aug 15 09:41:59 CEST 2011. --- openssl/openssl.changes 2011-08-05 21:10:43.0 +0200 +++ /mounts/work_src_done/STABLE/openssl/openssl.changes2011-08-06 02:37:39.0 +0200 @@ -1,0 +2,7 @@ +Sat Aug 6 00:33:47 UTC 2011 - crrodrig...@opensuse.org + +- Add upstream patch that calls ENGINE_register_all_complete() + in ENGINE_load_builtin_engines() saving us from adding dozens + of calls to such function to calling applications. + +--- calling whatdependson for head-i586 New: openssl-call-engine-reg-comp.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.w6LUgZ/_old 2011-08-15 09:41:26.0 +0200 +++ /var/tmp/diff_new_pack.w6LUgZ/_new 2011-08-15 09:41:26.0 +0200 @@ -33,7 +33,7 @@ # #Version:1.0.0 Version:1.0.0d -Release:29 +Release:31 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -51,6 +51,7 @@ Patch7: openssl-1.0.0b-aesni.patch #Patch8: CVE-2011-0014.patch Patch9: ECDSA_signatures_timing_attack.patch +Patch10:openssl-call-engine-reg-comp.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -188,6 +189,7 @@ %patch7 -p1 #%patch8 -p1 %patch9 -p1 +%patch10 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ openssl-call-engine-reg-comp.patch ++ Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(), this means that some implementations will be used automatically, e.g. aesni, Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it. Origin: UPSTREAM URL: http://cvs.openssl.org/chngview?cn=19781 --- crypto/engine/eng_all.c.orig +++ crypto/engine/eng_all.c 
@@ -61,6 +61,8 @@ void ENGINE_load_builtin_engines(void) { + /* Some ENGINEs need this */ + OPENSSL_cpuid_setup(); #if 0 /* There's no longer any need for an openssl ENGINE unless, one day, * it is the *only* way for standard builtin implementations to be be @@ -115,6 +117,7 @@ void ENGINE_load_builtin_engines(void) ENGINE_load_capi(); #endif #endif +ENGINE_register_all_complete(); } #if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV) Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
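Review bot: after this patch every application that calls ENGINE_load_builtin_engines() gets all registered engines as defaults, which the patch description itself states ("some implementations will be used automatically, e.g. aesni"), yet neither the changelog nor the code says which engines that covers in this build. Please list the affected engines in the changelog so the behaviour change is a documented decision rather than a side effect. Two smaller points: the comment on OPENSSL_cpuid_setup() ("Some ENGINEs need this") should name the engines that depend on it, and the added ENGINE_register_all_complete(); line has no leading indentation, unlike the two lines added at the top of the function.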
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at Sat Aug 6 19:08:57 CEST 2011. --- openssl/openssl.changes 2011-07-25 21:07:45.0 +0200 +++ /mounts/work_src_done/STABLE/openssl/openssl.changes2011-08-05 21:10:43.0 +0200 @@ -1,0 +2,6 @@ +Fri Aug 5 19:09:42 UTC 2011 - crrodrig...@opensuse.org + +- remove -fno-strict-aliasing from CFLAGS no longer needed + and is likely to slow down stuff. + +--- calling whatdependson for head-i586 Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.SCyvo8/_old 2011-08-06 19:08:39.0 +0200 +++ /var/tmp/diff_new_pack.SCyvo8/_new 2011-08-06 19:08:39.0 +0200 @@ -33,7 +33,7 @@ # #Version:1.0.0 Version:1.0.0d -Release:27 +Release:29 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -235,7 +235,6 @@ $RPM_OPT_FLAGS \ -Wa,--noexecstack \ -fomit-frame-pointer \ --fno-strict-aliasing \ -DTERMIO \ -DPURIFY \ %ifnarch hppa @@ -340,7 +339,7 @@ SSL_CTX *ctx; SSL *ssl; SSL_METHOD *meth; - meth = SSLv2_client_method(); + meth = SSLv23_client_method(); SSLeay_add_ssl_algorithms(); ctx = SSL_CTX_new(meth); if (ctx == NULL) return 0; Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
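Review bot: removing -fno-strict-aliasing from the CFLAGS is justified in the changelog only as "no longer needed and is likely to slow down stuff", with no reference to a warning run or a test result. Without the flag the compiler may optimise on strict-aliasing assumptions, and code that type-puns through pointer casts can then be miscompiled with no build error, which for a crypto library deserves evidence. Please state what was checked, for example a build with -Wstrict-aliasing and a pass of the package's test suite on all architectures, or keep the flag.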
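Review bot: the change from SSLv2_client_method() to SSLv23_client_method() in the C snippet around line 340 of the spec is not mentioned in the .changes entry, which only covers the CFLAGS change. Add a changelog line for it and say why the snippet no longer uses the SSLv2-only method, so the two unrelated changes can be tracked separately.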
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at Tue Jun 28 10:06:37 CEST 2011. --- openssl/openssl.changes 2011-05-16 16:38:57.0 +0200 +++ /mounts/work_src_done/STABLE/openssl/openssl.changes2011-06-24 07:11:45.0 +0200 @@ -1,0 +2,18 @@ +Fri Jun 24 04:51:50 UTC 2011 - g...@novell.com + +- update to latest stable version 1.0.0d. + patch removed(already in the new package): + CVE-2011-0014 + patch added: + ECDSA_signatures_timing_attack.patch + +--- +Tue May 31 07:07:49 UTC 2011 - g...@novell.com + +- fix bug[bnc#693027]. + Add protection against ECDSA timing attacks as mentioned in the paper + by Billy Bob Brumley and Nicola Tuveri, see: + http://eprint.iacr.org/2011/232.pdf + [Billy Bob Brumley and Nicola Tuveri] + +--- calling whatdependson for head-i586 Old: CVE-2011-0014.patch openssl-1.0.0c.tar.bz2 New: ECDSA_signatures_timing_attack.patch openssl-1.0.0d.tar.bz2 Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.PF5Mos/_old 2011-06-28 10:04:13.0 +0200 +++ /var/tmp/diff_new_pack.PF5Mos/_new 2011-06-28 10:04:13.0 +0200 @@ -32,8 +32,8 @@ %endif # #Version:1.0.0 -Version:1.0.0c -Release:25 +Version:1.0.0d +Release:22 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -49,7 +49,8 @@ #Patch5: CVE-2010-2939.patch #Patch6: CVE-2010-3864.patch Patch7: openssl-1.0.0b-aesni.patch -Patch8: CVE-2011-0014.patch +#Patch8: CVE-2011-0014.patch +Patch9: ECDSA_signatures_timing_attack.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -185,7 +186,8 @@ #%patch5 -p1 #%patch6 -p1 %patch7 -p1 -%patch8 -p1 +#%patch8 -p1 +%patch9 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ ECDSA_signatures_timing_attack.patch ++ Index: openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c === --- openssl-1.0.0c.orig/crypto/ecdsa/ecs_ossl.c +++ openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c @@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *ecke } while (BN_is_zero(k)); +#ifdef ECDSA_POINT_MUL_NO_CONSTTIME + /* We do not want timing information to leak the length of k, +* so we compute G*k using an equivalent scalar of fixed +* bit-length. */ + + if (!BN_add(k, k, order)) goto err; + if (BN_num_bits(k) = BN_num_bits(order)) + if (!BN_add(k, k, order)) goto err; +#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */ + /* compute r the x-coordinate of generator * k */ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { Index: openssl-1.0.0c/crypto/ocsp/ocsp_lib.c === --- openssl-1.0.0c.orig/crypto/ocsp/ocsp_lib.c +++ openssl-1.0.0c/crypto/ocsp/ocsp_lib.c @@ -170,13 +170,14 @@ int OCSP_parse_url(char *url, char **pho char *host, *port; + *phost = NULL; + *pport = NULL; + *ppath = NULL; + /* dup the buffer since we are going to mess with it */ buf = BUF_strdup(url); if (!buf) goto mem_err; - *phost = NULL; - *pport = NULL; - *ppath = NULL; /* Check for initial colon */ p = strchr(buf, ':'); ++ openssl-1.0.0c.tar.bz2 - openssl-1.0.0d.tar.bz2 ++ 1724 lines of diff (skipped) Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
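Review bot: the whole countermeasure in ecdsa_sign_setup() sits inside #ifdef ECDSA_POINT_MUL_NO_CONSTTIME, and nothing in the visible spec changes or in the patch defines that macro. If it is not defined in a header or in the build flags, the two BN_add() calls are never compiled and the package ships without the protection the changelog announces for bnc#693027. Please point to where the macro is set, or add the define as part of this patch.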
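Review bot: the crypto/ocsp/ocsp_lib.c hunk has nothing to do with ECDSA timing, yet it ships inside ECDSA_signatures_timing_attack.patch and is not mentioned in the .changes entry. Moving the *phost, *pport and *ppath = NULL assignments ahead of BUF_strdup() is reasonable, since the out-parameters are then defined even when the allocation fails and the function leaves through mem_err, but it should be a separate patch or at least get its own changelog line.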
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at Mon May 30 09:05:51 CEST 2011. --- openssl/openssl.changes 2011-02-10 08:45:42.0 +0100 +++ /mounts/work_src_done/STABLE/openssl/openssl.changes2011-05-16 16:38:57.0 +0200 @@ -1,0 +2,5 @@ +Mon May 16 14:38:26 UTC 2011 - and...@opensuse.org + +- added openssl as dependency in the devel package + +--- calling whatdependson for head-i586 Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.VcMGII/_old 2011-05-30 09:05:09.0 +0200 +++ /var/tmp/diff_new_pack.VcMGII/_new 2011-05-30 09:05:09.0 +0200 @@ -33,7 +33,7 @@ # #Version:1.0.0 Version:1.0.0c -Release:21 +Release:25 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -127,6 +127,7 @@ Group: Development/Libraries/C and C++ Obsoletes: openssl-devel %{version} Requires: libopenssl1_0_0 = %{version} zlib-devel +Requires: %name = %version Provides: openssl-devel = %{version} # bug437293 %ifarch ppc64 Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
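Review bot: the new Requires: %name = %version uses the unbraced macro form while the neighbouring lines use braces (Requires: libopenssl1_0_0 = %{version}, Provides: openssl-devel = %{version}); write it as %{name} = %{version} for consistency. The changelog entry also gives no reason why the devel package needs the openssl package itself, so a bug reference or a one-line rationale would help.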
commit openssl for openSUSE:Factory
Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at Tue Mar 15 09:28:50 CET 2011. --- openssl/openssl.changes 2011-01-15 21:02:09.0 +0100 +++ /mounts/work_src_done/STABLE/openssl/openssl.changes2011-02-10 08:45:42.0 +0100 @@ -1,0 +2,6 @@ +Thu Feb 10 07:42:01 UTC 2011 - g...@novell.com + +- fix bug [bnc#670526] + CVE-2011-0014,OCSP stapling vulnerability + +--- calling whatdependson for head-i586 New: CVE-2011-0014.patch Other differences: -- ++ openssl.spec ++ --- /var/tmp/diff_new_pack.N472WH/_old 2011-03-15 09:28:46.0 +0100 +++ /var/tmp/diff_new_pack.N472WH/_new 2011-03-15 09:28:46.0 +0100 @@ -33,7 +33,7 @@ # #Version:1.0.0 Version:1.0.0c -Release:3 +Release:20 Summary:Secure Sockets and Transport Layer Security Url:http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -49,6 +49,7 @@ #Patch5: CVE-2010-2939.patch #Patch6: CVE-2010-3864.patch Patch7: openssl-1.0.0b-aesni.patch +Patch8: CVE-2011-0014.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -183,6 +184,7 @@ #%patch5 -p1 #%patch6 -p1 %patch7 -p1 +%patch8 -p1 cp -p %{S:10} . echo adding/overwriting some entries in the 'table' hash in Configure # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++ CVE-2011-0014.patch ++ Index: openssl-1.0.0c/ssl/t1_lib.c === --- openssl-1.0.0c.orig/ssl/t1_lib.c +++ openssl-1.0.0c/ssl/t1_lib.c @@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize 0) { *al = SSL_AD_DECODE_ERROR; 
@@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, } /* Read in request_extensions */ + if (size 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; - if (dsize size) + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0; Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
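Review bot: in the first t1_lib.c hunk the added size -= 2 + idsize; runs before the following dsize check has rejected an oversized idsize, and size itself is not checked after the subtraction in the visible lines. That is safe only if size is at least dsize on entry to the loop, which this hunk does not show. A short comment stating that invariant next to the new line would make the fix reviewable without reading the whole function.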
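Review bot: the request_extensions check in the second hunk now fails unless dsize equals size exactly (if (dsize != size)), which rejects any trailing bytes as well as an overlong length, and CVE-2011-0014.patch carries no description, origin or advisory reference to show that this matches the upstream fix. Add a patch header with the upstream source and the bnc#670526 reference, and a comment on the new size guard before n2s(data,dsize) saying that it keeps the two-byte read inside the extension.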