Hello community,

here is the log from the commit of package mbedtls for openSUSE:Factory checked in at 2025-07-02 12:11:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mbedtls (Old)
 and /work/SRC/openSUSE:Factory/.mbedtls.new.7067 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mbedtls" Wed Jul 2 12:11:45 2025 rev:48 rq:1289615 version:3.6.4 Changes: -------- --- /work/SRC/openSUSE:Factory/mbedtls/mbedtls.changes 2024-10-21 16:25:47.247913656 +0200 +++ /work/SRC/openSUSE:Factory/.mbedtls.new.7067/mbedtls.changes 2025-07-02 12:14:55.596269757 +0200 
@@ -1,0 +2,839 @@ +Tue Jul 01 14:39:38 UTC 2025 - Jaime Marquínez Ferrándiz <jaime.marquinez.ferran...@fastmail.net> + +- Update to version 3.6.4: + * Added generated files + * Version bump 3.6.4 + * Assemble ChangeLog + * Properly initialize SSL endpoint objects + * Fix accidentally skipped test assertion + * Update framework pointer (release-sync) + * fix: additional MSVC v142 build issue with tls1.3 configuration enabled. + * Remove blank line + * Simplify changelog + * Add a note about processor memory reordering + * Add changelog + * Replace __attribute__((nonstring)) with macro MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING + * Improve some explanations + * Don't mutate dst_size + * Add __attribute__ ((nonstring)) to remove unterminated-string-initialization warning + * Note that GCM is also impacted + * Adjust test case with invalid base64 + * Fix race condition in mbedtls_aesni_has_support + * mbedtls_base64_decode: test dst=NULL with dlen>0 + * Explain some aspects of the tests + * mbedtls_base64_decode: insist on correct padding + * Added CVE's to ChangeLogs + * lms.c: Updated documentation + * test_suite_lms.data: Updated comments + * Fix mbedtls_base64_decode() accepting invalid inputs with 4n+1 digits + * mbedtls_base64_decode: assert sloppy behavior with bad number of = + * mbedtls_base64_decode: test the reported output length + * test_suite_lms: Added negative test for corrupted Merkle path + * test_suite_lms: Added a test for importing invalid sized key + * Added changelog for check return of merkle leaf + * Added changelog for lms enum casting + * Added changelog for lms overread + * Fix change log entry + * Fix build test programs in MSVC (due to a warning treated as error in winbase.h) + * Built-in lms driver: always zeroize output-buffer in create_merkle_leaf_value + * Built-in lms driver:Check return values of Merkle node creation + * Built-in lms/lmots driver: Harden public key import against enum truncation + * Built-in lms driver: Added input guard 
+ * Add changelog + * Add fix for PEM underflow + * Add test using underflow-causing PEM keyfile + * Update framework with additional operation initialization checks + * Fix possible UB in mbedtls_asn1_write_raw_buffer() + * Fix psa_pake_operation_s member types + * Move PAKE size calculation macros, cipher suite and operation structs + * Add change log + * Move the inclusion of crypto_sizes.h and crypto_struct.h in crypto.h + * Add ChangeLog entry + * Improve unit tests for mbedtls_asn1_store_named_data + * Fix bug in mbedtls_asn1_store_named_data() + * Add tests for bug in mbedtls_x509_string_to_names() + * Restore standard initializers in _init tests + * Use short initializers for multipart operation structures + * Avoid a useless copy in cert_{req,write} + * Mark ssl_tls12_preset_suiteb_sig_algs const + * Mark ssl_tls12_preset_default_sig_algs const + * Fix type in ChangeLog + * Add comment on apparent type mismatch + * Remove redundant free loop + * Fix ECDSA documentation: blinding is no longer optional + * ECDSA is a special flower + * Note functions that store the RNG callback in a context + * Reference mbedtls_f_rng_t in public documentation + * Name and document the type of random generator callbacks + * Add credit to the reporters of the PKCS7 issue + * Grammar in comments + * Remove .gitmodules + * Changelog entry for the union initialization fixes + * Test with GCC 15 with sloppy union initialization + * Initialize MAC context in internal functions for one-shot MAC + * Initialize MAC context in internal functions for KDF + * Initialize driver context in setup functions + * Add unit test for new behaviour of string_to_names() + * Fix memory leak in cert_write & cert_req + * Fix runtime error in cert_write & cert_req + * Restore behaviour of mbedtls_x509write_set_foo_name() + * Fix undocumented free() in x509_string_to_names() + * Improve comments + * Update framework + * Allow gcc-15 to be in $PATH + * Enable drivers when testing with GCC 15 + * GCC 15: 
Silence -Wunterminated-string-initialization + * Test with GCC 15 + * Disable warning from gcc -pedantic on dlsym/dlopen + * Move persistent key tests to a separate .data file + * Move concurrent tests to a separate .data file + * Update obsolete section title + * Complain about a missing comma in multiline lists of strings + * Prepare framework for pylint check-str-concat-over-line-jumps + * framework: update reference + * Constify cipher_wrap:mbedtls_cipher_base_lookup_table + * Fix some test helper functions returning 0 on some failures + * Check the status of mbedtls_ssl_set_hostname() + * Add missing ifdef for mbedtls_ssl_tls13_exporter + * Add label_len argument to non-PSA tls_prf_generic + * Fix dependencies for TLS-Exporter tests + * Fix doxygen for MBEDTLS_SSL_KEYING_MATERIAL_EXPORT + * Fix mistake in previous comment change + * Fix HkdfLabel comment + * Allow maximum label length in Hkdf-Expand-Label + * Exporter: Add min. and max. label tests + * Fix max. label length in key material exporter + * Document BAD_INPUT_DATA error in key material exporter + * Fix requirements for TLS 1.3 Exporter compat test + * Use mbedtls_calloc, not regular calloc + * Add fixed compatibility test for TLS 1.3 Exporter + * Remove exporter compatibility test for TLS 1.3 + * Fix openssl s_client invocation + * Print names of new tests properly + * Fix memory leak in example programs + * ssl-opt.sh: Add tests for keying material export + * mbedtls_test_ssl_do_handshake_with_endpoints: Zeroize endpoints + * Exporter tests: Don't use unavailbable constant + * Exporter tests: Add missing depends-ons + * Use one maximum key_len for all exported keys + * Exporter tests: Reduce key size in long key tests + * Exporter tests: Free endpoints before PSA_DONE() + * Exporter tests: Fix possible uninitialized variable use + * Coding style cleanup + * Exporter tests: Initialize allocated memory + * Exportert tests: Free endpoints and options + * Fix output size check for key material 
exporter + * Increase allowed output size of HKDF-Expand-Label + * Add more tests for keying material export + * Mention MBEDTLS_SSL_KEYING_MATERIAL_EXPORT in change log + * Fix #endif comment + * Enable MBEDTLS_SSL_KEYING_MATERIAL_EXPORT by default + * Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option + * Remove TLS 1.2 Exporter if we don't have randbytes + * Revert "Store randbytes for TLS 1.2 TLS-Exporter" + * Fix typos in comments + * Use fewer magic numbers in TLS-Exporter functions + * Add label length argument to tls_prf_generic() + * Store randbytes for TLS 1.2 TLS-Exporter + * Fix coding style + * Fix build when one of TLS 1.2 or 1.3 is disabled + * Fix coding style + * Fix TLS exporter changelog entry + * Fix doxygen comment parameter name + * Fix typos in comment + * Fix mismatches in function declarations + * Fix key_len check in TLS-Exporter + * Actually set exporter defaults in ssl_client2 + * Simplify mbedtls_ssl_tls13_exporter + * Add test for TLS-Exporter in TLS 1.3 + * Fix commented out function declaration + * Add changelog entry for TLS-Exporter feature + * Add TLS-Exporter options to ssl_client2 + * Add TLS-Exporter options to ssl_server2 + * Implement TLS-Exporter feature + * programs: demo: do not source project_detection.sh directly + * Fix record insertion + * programs: demo: source project_detection.sh + * framework: update reference + * Update feature macro for 3.6 + * Use HANDSHAKE_OVER in nominal test cases + * Improve comments + * Adapt dependencies to the 3.6 branch + * Use same dependencies for helper functions + * Tighten dependencies again + * Improve dependency declarations + * Tighten dependency declarations + * Improve documentation + * Remove redundant setup + * Fix copypasta + * Simulate closing the connection mid-message + * Also test inserting non-empty, non-handshake records + * Fix the build without MBEDTLS_DEBUG_C + * Fix the build in PSK-only configurations + * Fix printf of enum + * Pacify ancient clang 
-Wmissing-initializer + * Test split, coalesced-split and empty handshake records + * Create handshake record coalescing tests + * Document gotcha of move_handshake_to_state + * Add a log message on every SSL state transition + * Always call mbedtls_ssl_handshake_set_state + * Document assumption of mbedtls_get_pkcs_padding + * Modify ChangeLog entry to full plaintext recovery + * Add testcase for maximum padding length + * Remove unnecessary TEST_CF_PUBLIC macro call + * Update to the new name in usages as well + * Add missing credit for set_hostname issue + * cmake: Generate test_keys.h and test_certs.h in the build tree + * Update framework pointer + * Revert "Add auto-generated files" + * Restored framework as a submodule + * Deleted flattened framework dir. + * Appease check-names with prefix + * Disable check-names for static padding function + * Add ChangeLog entry for PKCS#7 side channel fix + * Fix timing side-channel in PKCS7 padding + * Add constant-flow testing for PKCS7 padding + +------------------------------------------------------------------- +Wed May 07 22:09:39 UTC 2025 - Yoshio Sato <vasua.ukra...@gmail.com> + +- Update _service file to easier obtain new sources. +- Update to version 3.6.3: + * Add auto-generated files + * Added framework as a flattened directory + * Unlinked framework as a submodule. + * Updated BRANCHES.md + * Finalise ChangeLog + * Version Bump for 3.6.3 + * Assemble Changelog + * Changelog: Added CVE. + * ssl-opt: Added 4 and 128 bytes tests to HS defragmentation for server initiated reneg + * ssl-opt: Fixed a minor typo. 
+ * Reword slightly to be more tentative + * Re-introduce log asserts on positive cases + * Improve a test assertion + * Fix a typo + * Add test cases for EOF in the middle of fragments + * Adjust logic around log pattern + * Add test for length larger than 2^16 + * Adapt "large ClientHello" tests to incremental + * Cleanly reject non-HS in-between HS fragments + * Reduce the level of logging used in tests + * Move new tests to their own data file + * Fix dependency issues + * New test function for large ClientHello + * Fix hash dependencies for TLS 1.2 tests + * Fix curve dependencies + * Add missing dependency declaration + * Fix dependency issues + * Add test with non-HS record in-between HS fragments + * Add test to TLS 1.3 ClientHello fragmentation + * Add reference tests with 1.3 ClientHello + * Add supported_curves/groups extension + * New test function inject_client_content_on_the_wire() + * ssl-opt: Disabled the renegotiation delay for fragmented HS renegotiation. + * ssl-opt: Updated documentation. + * ssl-opt: Added client-initiated server-rejected renegotation test. + * ssl-opt: Updated O_NEXT_CLI_RENEGOTIATE used by fragmented HS renegotiation with certificates. + * ssl-opt: Fragmented HS renegotiation, removed -legacy_renegotiation argument. + * ssl-opt: Fragmented HS renegotiation, removed requires_certificate_authentication dependency. + * ssl-opt: Fragmented HS renegotiation, removed requires_openssl_3_x dependency. + * ssl-opt: Fragmented HS renegotiation, adjusted test names for consistency. + * ssl-opt: Fragmented HS renegotiation, updated matching regex + * ssl-opt: Added coverage for client-initiated fragmented HS renegotiation tests. + * ssl-opt: Refactored fragmented HS renegotiation tests. + * ssl-opt: Fragmented HS renegotiation, updated documentation. + * ssl-opt: Removed mock-tests from HS renegotiation. 
+ * sll-opt: Added refence fix for the Mock HS Defrag test using renegotitiation delay + * programs -> ssl_client2.c: Added option renego_delay to set record buffer depth. + * Added Mock Renegotiation negative test for testing. + * ssl-opt: Added fragmented HS tests for server-initiated renegotiation. + * ssl-opt: Added fragmented HS tests for client-initiated renegotiation. + * ssl-opt: Added fragmented HS tests for SSL_VARIABLE_BUFFER_LENGTH. + * Add note about MBEDTLS_PRIVATE() in 3.6 + * Fix typos in the 3.0 migration guide + * mbedtls_net_send API description typo fix + * Use an array of strings instead of pointer smuggling + * Use dummy typedef instead of macro + * Clarify changelog + * Updated framework pointer. + * Update the location of defragmentation limitations + * State globally that the limitations don't apply to DTLS + * Clarify DTLS + * ClientHello may be fragmented in renegotiation + * Move the defragmentation documentation to mbedtls_ssl_handshake + * Refer to the API documentation for details + * Document the limitations of TLS handshake message defragmentation + * Add changelog entry for TLS 1.2 Finished fix + * More generally, what needs psa_crypto_init also needs threading + * PSA core: Allow enabling one volatile/builtin key + * Cleanly reject non-HS in-between HS fragments + * Replace zero by PSA_ALG_NONE in key derivation input functions + * Fix comments + * Update changelog to call out MinGW + * TLS1.2: Check for failures in Finished calculation + * Never use %zu on MinGW + * Remove Everest VS2010 compatibility headers + * Fix MSVC version guard for C99 format size specifiers + * Disable fatal assertions in Windows printf tests + * Add testcase for MBEDTLS_PRINTF_MS_TIME + * Test handling of format macros defined in debug.h + * Run test_suite_debug without MBEDTLS_SSL_TLS_C + * Fix a log message + * Note unused variables when debugging is disabled + * Pacify uncrustify + * Fix uninitialized variable + * Unify handshake fragment log 
messages + * Fix handshake defragmentation when the record has multiple messages + * Fix end check before memmove + * Zeroize temporary heap buffers used when deriving an ECC key + * Zeroize temporary heap buffers used in PSA operations + * Update framework + * Make conversion explicit to silence MSVC warning + * Fix dodgy printf calls + * Handshake defragmentation: reassemble incrementally + * mbedtls_ssl_prepare_handshake_record(): log offsets after decryption + * mbedtls_ssl_prepare_handshake_record(): refactor first fragment prep + * Tweak handshake fragment log message ++++ 542 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/mbedtls/mbedtls.changes ++++ and /work/SRC/openSUSE:Factory/.mbedtls.new.7067/mbedtls.changes Old: ---- mbedtls-3.6.2.obscpio New: ---- mbedtls-3.6.4.obscpio mbedtls-enable-srtp.patch ----------(New B)---------- New:- Enable SRTP protocol needed by some software. * Add patch mbedtls-enable-srtp.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mbedtls.spec ++++++ --- /var/tmp/diff_new_pack.vC45Z2/_old 2025-07-02 12:14:56.688319554 +0200 +++ /var/tmp/diff_new_pack.vC45Z2/_new 2025-07-02 12:14:56.692319737 +0200 @@ -22,7 +22,7 @@ %define lib_everest libeverest %define lib_p256m libp256m Name: mbedtls -Version: 3.6.2 +Version: 3.6.4 Release: 0 Summary: Libraries for crypto and SSL/TLS protocols License: Apache-2.0 OR GPL-2.0-or-later @@ -31,6 +31,8 @@ Source99: baselibs.conf # PATCH-FEATURE-OPENSUSE - enable MBEDTLS_THREADING_PTHREAD and MBEDTLS_THREADING_C Patch1: mbedtls-enable-pthread.patch +# PATCH-FEATURE-OPENSUSE - enable MBEDTLS_SSL_DTLS_SRTP +Patch2: mbedtls-enable-srtp.patch BuildRequires: cmake BuildRequires: ninja %{?suse_build_hwcaps_libs} ++++++ _service ++++++ --- /var/tmp/diff_new_pack.vC45Z2/_old 2025-07-02 12:14:56.728321379 +0200 +++ /var/tmp/diff_new_pack.vC45Z2/_new 2025-07-02 12:14:56.732321561 +0200 
@@ -1,11 +1,11 @@ <services> <service name="obs_scm" mode="manual"> - <param name="versionformat">3.6.2</param> <param name="url">https://github.com/Mbed-TLS/mbedtls.git</param> <param name="scm">git</param> + <param name="versionformat">@PARENT_TAG@</param> + <param name="revision">refs/tags/v3.6.4</param> + <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> - <param name="exclude">.*</param> - <param name="revision">refs/tags/v3.6.2</param> </service> <service name="tar" mode="buildtime"/> <service name="recompress" mode="buildtime"> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.vC45Z2/_old 2025-07-02 12:14:56.752322473 +0200 +++ /var/tmp/diff_new_pack.vC45Z2/_new 2025-07-02 12:14:56.752322473 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/Mbed-TLS/mbedtls.git</param> - <param name="changesrevision">107ea89daaefb9867ea9121002fbbdf926780e98</param></service></servicedata> + <param name="changesrevision">c765c831e5c2a0971410692f92f7a81d6ec65ec2</param></service></servicedata> (No newline at EOF) ++++++ mbedtls-3.6.2.obscpio -> mbedtls-3.6.4.obscpio ++++++ ++++ 181213 lines of diff (skipped) ++++++ mbedtls-enable-srtp.patch ++++++ --- mbedtls-3.6.2.orig/include/mbedtls/mbedtls_config.h 2025-05-06 19:21:15.440302375 +0300 +++ mbedtls-3.6.2/include/mbedtls/mbedtls_config.h 2025-05-06 19:22:15.156469574 +0300 @@ -2024,7 +2024,7 @@ * * Uncomment this to enable support for use_srtp extension. */ -//#define MBEDTLS_SSL_DTLS_SRTP +#define MBEDTLS_SSL_DTLS_SRTP /** * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE ++++++ mbedtls.obsinfo ++++++ --- /var/tmp/diff_new_pack.vC45Z2/_old 2025-07-02 12:14:58.404397808 +0200 +++ /var/tmp/diff_new_pack.vC45Z2/_new 2025-07-02 12:14:58.404397808 +0200 
@@ -1,5 +1,5 @@ name: mbedtls -version: 3.6.2 -mtime: 1728898458 -commit: 107ea89daaefb9867ea9121002fbbdf926780e98 +version: 3.6.4 +mtime: 1750881360 +commit: c765c831e5c2a0971410692f92f7a81d6ec65ec2
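Review bot: In mbedtls.changes, the visible part of the new 3.6.4 entry names no CVE identifier or bug reference, although it carries security fixes ("Fix timing side-channel in PKCS7 padding", "Add fix for PEM underflow", "Fix race condition in mbedtls_aesni_has_support") and the line "Added CVE's to ChangeLogs". Add a short summary at the top of the entry that lists the CVE identifiers from the upstream ChangeLog together with the matching bug references, so the security content of the update can be tracked from the package changelog. The generated list of commit subjects also includes housekeeping items such as "Remove blank line" and "Fix coding style" that could be trimmed.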
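Review bot: In mbedtls.spec, the second hunk declares "Patch2: mbedtls-enable-srtp.patch" but the diff shows no change to %prep, so whether the patch is actually applied depends on lines outside this hunk. Confirm that %prep applies all declared patches automatically; if patches are applied one by one, the line for Patch2 is missing. The changelog line for it ("Enable SRTP protocol needed by some software") would also be more useful if it named the package that needs the option.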
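Review bot: In _service, the added "revision" parameter points at the tag ref refs/tags/v3.6.4, which is a movable reference; the commit it resolved to is recorded only in _servicedata and mbedtls.obsinfo (c765c831e5c2a0971410692f92f7a81d6ec65ec2). Check that hash against the upstream release tag before accepting, and confirm that _servicedata and mbedtls.obsinfo agree, which they do in the visible lines. The same hunk drops the "exclude" parameter, which changes what ends up in the source archive; the changelog only says "Update _service file to easier obtain new sources", so the reason for the removal should be stated there.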
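Review bot: In mbedtls-enable-srtp.patch, the file headers still reference mbedtls-3.6.2.orig and mbedtls-3.6.2, and the hunk position (@@ -2024,7 +2024,7 @@) was generated against that tree, while this submission ships 3.6.4. Refresh the patch against the 3.6.4 sources so it applies without offset or fuzz. Because defining MBEDTLS_SSL_DTLS_SRTP changes the feature set of the shared library for every consumer, the patch would also benefit from a short header describing why the option is enabled and for which package.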