Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package AusweisApp for openSUSE:Factory checked in at 2026-04-12 21:14:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/AusweisApp (Old) and /work/SRC/openSUSE:Factory/.AusweisApp.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "AusweisApp" Sun Apr 12 21:14:00 2026 rev:19 rq:1346209 version:2.5.1 Changes: -------- --- /work/SRC/openSUSE:Factory/AusweisApp/AusweisApp.changes 2026-04-09 16:12:00.215103687 +0200 +++ /work/SRC/openSUSE:Factory/.AusweisApp.new.21863/AusweisApp.changes 2026-04-12 21:14:02.332862207 +0200 @@ -1,0 +2,10 @@ +Sun Apr 12 16:20:07 UTC 2026 - John Paul Adrian Glaubitz <[email protected]> + +- New upstream release + + Version 2.5.1 + - Fix an error regarding the minimum supported macOS version. + - Update of OpenSSL to version 3.6.2. + - Fix version number on Android mistakenly including the + architecture. + +------------------------------------------------------------------- Old: ---- 2.5.0.tar.gz New: ---- 2.5.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ AusweisApp.spec ++++++ --- /var/tmp/diff_new_pack.ce7pgT/_old 2026-04-12 21:14:03.036890918 +0200 +++ /var/tmp/diff_new_pack.ce7pgT/_new 2026-04-12 21:14:03.036890918 +0200 @@ -17,7 +17,7 @@ Name: AusweisApp -Version: 2.5.0 +Version: 2.5.1 Release: 0 Summary: Official authentication app for German ID cards and residence permits License: EUPL-1.2 ++++++ 2.5.0.tar.gz -> 2.5.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/.gitlab-ci-child.yml new/AusweisApp-2.5.1/.gitlab-ci-child.yml --- old/AusweisApp-2.5.0/.gitlab-ci-child.yml 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/.gitlab-ci-child.yml 2026-04-12 12:11:17.000000000 +0200 @@ -228,11 +228,11 @@ matrix: - openssl: - "1.1.1w" - - "3.0.18" - - "3.5.5" + - "3.0.20" + - "3.5.6" legacy: 'OFF' - openssl: - - "3.6.1" + - "3.6.2" legacy: 'ON' script: - apk add gcovr @@ -344,7 +344,6 @@ - key: "${CI_JOB_NAME}-gradle" paths: - .gradle/caches/ - - .gradle/wrapper/ before_script: - !reference [.prepare, setup] - apk add gcompat maven gradle ccache unzip perl bash g++ linux-headers libxslt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/Dockerfile new/AusweisApp-2.5.1/Dockerfile --- old/AusweisApp-2.5.0/Dockerfile 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/Dockerfile 2026-04-12 12:11:17.000000000 +0200 @@ -2,7 +2,13 @@ FROM alpine:$ALPINE_VERSION AS builder # Install development stuff -RUN apk --no-cache upgrade -a && \ +ARG MIRROR_ALPINE="" +ARG MIRROR_GITHUB="" +ARG MIRROR_QT="" +RUN if [ -n "$MIRROR_ALPINE" ]; then \ + sed -i "s|https://[^/]*/alpine/|$MIRROR_ALPINE/|g" /etc/apk/repositories; \ + fi && \ + apk --no-cache upgrade -a && \ apk --no-cache add patch cmake ccache make ninja g++ pkgconf pcsc-lite-dev binutils-gold eudev-libs perl python3 linux-headers # Use optional remote ccache diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/Dockerfile.vnc new/AusweisApp-2.5.1/Dockerfile.vnc --- old/AusweisApp-2.5.0/Dockerfile.vnc 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/Dockerfile.vnc 2026-04-12 12:11:17.000000000 +0200 @@ -2,7 +2,11 @@ FROM alpine:$ALPINE_VERSION AS builder # Install development stuff -RUN apk --no-cache upgrade -a && \ +ARG MIRROR_ALPINE="" +RUN if [ -n "$MIRROR_ALPINE" ]; then \ + sed -i "s|https://[^/]*/alpine/|$MIRROR_ALPINE/|g" /etc/apk/repositories; \ + fi && \ + apk --no-cache upgrade -a && \ apk --no-cache add patch cmake ccache make ninja g++ pkgconf pcsc-lite-dev binutils-gold eudev-libs \ llhttp-dev openssl-dev \ qt6-qtbase-dev qt6-qtsvg-dev qt6-qtwebsockets-dev qt6-qttools-dev qt6-qtdeclarative-dev qt6-qtscxml-dev qt6-qtconnectivity-dev qt6-qtimageformats-dev qt6-qtimageformats @@ -46,7 +50,10 @@ COPY --from=builder /usr/local/share /usr/local/share COPY --from=builder /usr/local/bin/AusweisApp /usr/local/bin/AusweisApp -RUN apk --no-cache upgrade -a && \ +RUN if [ -n "$MIRROR_ALPINE" ]; then \ + sed -i "s|https://[^/]*/alpine/|$MIRROR_ALPINE/|g" /etc/apk/repositories; \ + fi && \ + apk --no-cache upgrade -a && \ apk --no-cache add tini pcsc-lite-libs eudev-libs doas ttf-freefont \ llhttp qt6-qtbase qt6-qtsvg qt6-qtwebsockets qt6-qtdeclarative qt6-qtscxml qt6-qtconnectivity qt6-qtimageformats && \ echo 'permit nopass :wheel' > /etc/doas.d/wheel.conf && \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/LICENSE.officially.txt new/AusweisApp-2.5.1/LICENSE.officially.txt --- old/AusweisApp-2.5.0/LICENSE.officially.txt 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/LICENSE.officially.txt 2026-04-12 12:11:17.000000000 +0200 @@ -260,7 +260,7 @@ OpenSSL Lizenz: Apache 2.0 - Version: 3.6.1 + Version: 3.6.2 Adresse: https://www.openssl.org/ Qt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/LICENSE.txt new/AusweisApp-2.5.1/LICENSE.txt --- old/AusweisApp-2.5.0/LICENSE.txt 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/LICENSE.txt 2026-04-12 12:11:17.000000000 +0200 @@ -228,7 +228,7 @@ OpenSSL Lizenz: Apache 2.0 - Version: 3.6.1 + Version: 3.6.2 Adresse: https://www.openssl.org/ Qt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/ci/presets/macOS.json new/AusweisApp-2.5.1/ci/presets/macOS.json --- old/AusweisApp-2.5.0/ci/presets/macOS.json 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/ci/presets/macOS.json 2026-04-12 12:11:17.000000000 +0200 @@ -18,6 +18,7 @@ "name": "ci-macos-release", "inherits": "ci-with-libs", "generator": "Xcode", + "toolchainFile": "${sourceDir}/cmake/macOS.toolchain.cmake", "cacheVariables": { "CMAKE_BUILD_TYPE": "MinSizeRel" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/ci/scripts/Container.cmake new/AusweisApp-2.5.1/ci/scripts/Container.cmake --- old/AusweisApp-2.5.0/ci/scripts/Container.cmake 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/ci/scripts/Container.cmake 2026-04-12 12:11:17.000000000 +0200 @@ -28,13 +28,19 @@ set(CACHE_REGISTRY $ENV{CI_REGISTRY_IMAGE}/cache/${TARGET}) +foreach(entry CCACHE_REMOTE_STORAGE MIRROR_ALPINE MIRROR_GITHUB MIRROR_QT) + if(DEFINED ENV{${entry}}) + list(APPEND BUILD_ARGS --build-arg "${entry}=$ENV{${entry}}") + endif() +endforeach() + step(${CMD} build --pull --layers --cache-from ${CACHE_REGISTRY} --cache-to ${CACHE_REGISTRY} -t ${IMAGE} - --build-arg CCACHE_REMOTE_STORAGE=$ENV{CCACHE_REMOTE_STORAGE} + ${BUILD_ARGS} ${Dockerfile} ${CMAKE_SOURCE_DIR} ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/ci/scripts/Deploy.cmake/GitHub.cmake new/AusweisApp-2.5.1/ci/scripts/Deploy.cmake/GitHub.cmake --- old/AusweisApp-2.5.0/ci/scripts/Deploy.cmake/GitHub.cmake 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/ci/scripts/Deploy.cmake/GitHub.cmake 2026-04-12 12:11:17.000000000 +0200 @@ -68,7 +68,7 @@ "${WORKSPACE}/*.dmg" "${WORKSPACE}/*.dmg.sha*" "${WORKSPACE}/*-ReleaseNotes.pdf" - "${WORKSPACE}/*-NetInstallation_Integration.pdf" + "${WORKSPACE}/*-NetInstallation_Integration_*.pdf" "${WORKSPACE}/*-SDK.pdf" "${WORKSPACE}/*-Lizenz.txt" ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/ci/scripts/SonarQube.cmake new/AusweisApp-2.5.1/ci/scripts/SonarQube.cmake --- old/AusweisApp-2.5.0/ci/scripts/SonarQube.cmake 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/ci/scripts/SonarQube.cmake 2026-04-12 12:11:17.000000000 +0200 @@ -10,10 +10,10 @@ endif() message(STATUS "Use PACKAGES_DIR: ${PACKAGES_DIR}") -set(SONARSCANNERCLI_VERSION 7.3.0.5189) # https://binaries.sonarsource.com/?prefix=Distribution/sonar-scanner-cli/ +set(SONARSCANNERCLI_VERSION 8.0.1.6346) # https://binaries.sonarsource.com/?prefix=Distribution/sonar-scanner-cli/ set(SONARSCANNERCLI_ZIP_NAME sonar-scanner-cli-${SONARSCANNERCLI_VERSION}.zip) set(SONARSCANNERCLI_URL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/${SONARSCANNERCLI_ZIP_NAME}) -set(SONARSCANNERCLI_HASH a251d0793cb6bd889e4fd30299bb5dc4e07433e57133b16fc227aca98f8d2c2d) +set(SONARSCANNERCLI_HASH 8fbfb1eb546b734a60fc3e537108f06e389a8ca124fbab3a16236a8a51edcc15) set(SONARQUBETOOLS_DIR ${WORKSPACE}/sonarqubetools) step(${CMAKE_COMMAND} -E make_directory ${SONARQUBETOOLS_DIR}) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/cmake/DVCS.cmake new/AusweisApp-2.5.1/cmake/DVCS.cmake --- old/AusweisApp-2.5.0/cmake/DVCS.cmake 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/cmake/DVCS.cmake 2026-04-12 12:11:17.000000000 +0200 @@ -32,23 +32,20 @@ endfunction() -function(DVCS_CALL _name _sep ${ARGN}) +function(DVCS_CALL _name ${ARGN}) DVCS_EXECUTE(_exec ${ARGN}) if(DEFINED _exec) message(STATUS "DVCS ${_name}: ${_exec}") set(dvcs_${_name} ${_exec} PARENT_SCOPE) - if(NOT "${_sep}" STREQUAL "") - set(VERSION_DVCS ${VERSION_DVCS}${_sep}${_exec} PARENT_SCOPE) - endif() endif() endfunction() macro(CHECK_DVCS) if(HG_FOUND) - DVCS_CALL("tag" "" id -t) + DVCS_CALL("tag" id -t) elseif(GIT_FOUND) - DVCS_CALL("tag" "" tag -l --points-at HEAD) + DVCS_CALL("tag" tag -l --points-at HEAD) endif() if(NOT "${dvcs_tag}" STREQUAL "tip" AND NOT "${dvcs_tag}" STREQUAL "" AND NOT "${dvcs_tag}" STREQUAL "undefined") if(NOT dvcs_tag STREQUAL PROJECT_VERSION) @@ -60,30 +57,29 @@ DVCS_EXECUTE(dvcs_distance log -r ${PROJECT_VERSION}::. --template 1) string(LENGTH "${dvcs_distance}" dvcs_distance) message(STATUS "DVCS distance: ${dvcs_distance}") - set(VERSION_DVCS ${VERSION_DVCS}+${dvcs_distance}) elseif(GIT_FOUND) - DVCS_CALL("distance" "+" rev-list --count ${PROJECT_VERSION}...HEAD) + DVCS_CALL("distance" rev-list --count ${PROJECT_VERSION}...HEAD) endif() - - GET_DVCS_INFO() endif() + + GET_DVCS_INFO() endmacro() macro(GET_DVCS_INFO) if(HG_FOUND) - DVCS_CALL("branch" "-" branch) + DVCS_CALL("branch" branch) elseif(GIT_FOUND) - DVCS_CALL("branch" "-" rev-parse --abbrev-ref HEAD) + DVCS_CALL("branch" rev-parse --abbrev-ref HEAD) endif() if(HG_FOUND) - DVCS_CALL("revision" "-" id -i) + DVCS_CALL("revision" id -i) elseif(GIT_FOUND) - DVCS_CALL("revision" "-" rev-parse --verify --short HEAD) + DVCS_CALL("revision" rev-parse --verify --short HEAD) endif() if(HG_FOUND) - DVCS_CALL("phase" "" log -r . -T {phase}) + DVCS_CALL("phase" log -r . -T {phase}) if(DEFINED dvcs_phase) if("${dvcs_phase}" STREQUAL "public") if("${dvcs_revision}" MATCHES "\\+") @@ -91,14 +87,15 @@ else() unset(dvcs_phase) endif() - else() - set(VERSION_DVCS ${VERSION_DVCS}-${dvcs_phase}) + endif() + + if(DEFINED dvcs_phase) + set(USE_ARTIFACT_DEV_VERSION ON) endif() endif() endif() endmacro() -set(VERSION_DVCS ${PROJECT_VERSION}) FIND_DVCS(${CMAKE_SOURCE_DIR}) if(DVCS_FOUND) option(ENABLE_DVCS "Check consistency of version/tag and get additional revision data" true) @@ -108,7 +105,7 @@ endif() function(CHECK_FINAL_VERSION _out) - if(PROJECT_VERSION_MINOR LESS 100 AND PROJECT_VERSION_PATCH LESS 100 AND NOT dvcs_revision) + if(PROJECT_VERSION_MINOR LESS 100 AND PROJECT_VERSION_PATCH LESS 100 AND NOT USE_ARTIFACT_DEV_VERSION) set(${_out} true PARENT_SCOPE) return() endif() @@ -120,26 +117,35 @@ message(STATUS "DVCS final: ${IS_FINAL_VERSION}") -set(ARTIFACT_VERSION ${PROJECT_VERSION}) - -if(CMAKE_ANDROID_ARCH_ABI) - set(ARTIFACT_VERSION ${ARTIFACT_VERSION}-${CMAKE_ANDROID_ARCH_ABI}) -endif() - if(DEFINED dvcs_distance) - set(ARTIFACT_VERSION ${ARTIFACT_VERSION}+${dvcs_distance}) + set(ARTIFACT_DEV_VERSION ${ARTIFACT_DEV_VERSION}+${dvcs_distance}) endif() if(DEFINED dvcs_branch) - set(ARTIFACT_VERSION ${ARTIFACT_VERSION}-${dvcs_branch}) + set(ARTIFACT_DEV_VERSION ${ARTIFACT_DEV_VERSION}-${dvcs_branch}) endif() if(DEFINED dvcs_phase) - set(ARTIFACT_VERSION ${ARTIFACT_VERSION}-${dvcs_phase}) + set(ARTIFACT_DEV_VERSION ${ARTIFACT_DEV_VERSION}-${dvcs_phase}) endif() if(DEFINED dvcs_revision) - set(ARTIFACT_VERSION ${ARTIFACT_VERSION}-${dvcs_revision}) + set(ARTIFACT_DEV_VERSION ${ARTIFACT_DEV_VERSION}-${dvcs_revision}) endif() -set(ARTIFACT_FILENAME ${PROJECT_NAME}-${ARTIFACT_VERSION}) + +set(ARTIFACT_FILENAME ${PROJECT_NAME}-${PROJECT_VERSION}) +if(CMAKE_ANDROID_ARCH_ABI) + set(ARTIFACT_FILENAME ${ARTIFACT_FILENAME}-${CMAKE_ANDROID_ARCH_ABI}) +endif() + +set(ARTIFACT_VERSION ${PROJECT_VERSION}) + +if(USE_ARTIFACT_DEV_VERSION) + set(ARTIFACT_FILENAME ${ARTIFACT_FILENAME}${ARTIFACT_DEV_VERSION}) + set(ARTIFACT_VERSION ${ARTIFACT_VERSION}${ARTIFACT_DEV_VERSION}) +endif() + +if(CMAKE_BUILD_TYPE STREQUAL "DEBUG") + set(ARTIFACT_FILENAME ${ARTIFACT_FILENAME}-debug) +endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/cmake/Libraries.cmake new/AusweisApp-2.5.1/cmake/Libraries.cmake --- old/AusweisApp-2.5.0/cmake/Libraries.cmake 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/cmake/Libraries.cmake 2026-04-12 12:11:17.000000000 +0200 @@ -85,7 +85,7 @@ if(LIBS_GOVERNIKUS) set(MIN_OPENSSL_VERSION ${LIBS_OPENSSL}) - string(REGEX REPLACE "[a-z]" "" MIN_OPENSSL_VERSION "${MIN_OPENSSL_VERSION}") + string(REGEX REPLACE "[-a-zA-Z].*$" "" MIN_OPENSSL_VERSION "${MIN_OPENSSL_VERSION}") else() set(MIN_OPENSSL_VERSION 1.1.1) endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/cmake/Packaging.android.cmake new/AusweisApp-2.5.1/cmake/Packaging.android.cmake --- old/AusweisApp-2.5.0/cmake/Packaging.android.cmake 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/cmake/Packaging.android.cmake 2026-04-12 12:11:17.000000000 +0200 @@ -42,6 +42,18 @@ endif() +if(DEFINED ENV{MIRROR_GITHUB}) + file(READ "${QT_INSTALL_ARCHDATA}/src/3rdparty/gradle/gradle/wrapper/gradle-wrapper.properties" BUILD_GRADLE_WRAPPER_PROPERTIES) + string(REGEX MATCH "gradle-([0-9]+\\.[0-9]+\\.[0-9]+)-bin\\.zip" _match "${BUILD_GRADLE_WRAPPER_PROPERTIES}") + set(GRADLE_VERSION "${CMAKE_MATCH_1}") + + set(GRADLE_WRAPPER_URL "$ENV{MIRROR_GITHUB}/gradle/gradle-distributions/releases/download/v${GRADLE_VERSION}/gradle-${GRADLE_VERSION}-bin.zip") + string(REGEX REPLACE "distributionUrl=.*" "distributionUrl=${GRADLE_WRAPPER_URL}" BUILD_GRADLE_WRAPPER_PROPERTIES "${BUILD_GRADLE_WRAPPER_PROPERTIES}") + string(REPLACE "://" "\\://" BUILD_GRADLE_WRAPPER_PROPERTIES "${BUILD_GRADLE_WRAPPER_PROPERTIES}") + + file(WRITE "${ANDROID_BUILD_DIR}/gradle/wrapper/gradle-wrapper.properties" "${BUILD_GRADLE_WRAPPER_PROPERTIES}") +endif() + set(QT_BUILD_GRADLE "${QT_INSTALL_ARCHDATA}/src/android/templates/build.gradle") set(BUILD_GRADLE_APPEND "${PACKAGING_DIR}/android/build.gradle.append") set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS "${QT_BUILD_GRADLE}") @@ -76,7 +88,7 @@ if(INTEGRATED_SDK) set(ANDROID_FILE_EXT aar) file(APPEND "${ANDROID_BUILD_DIR}/build.gradle" "android.defaultConfig.consumerProguardFiles 'consumer-rules.pro'\n") - if(DEFINED dvcs_revision) + if(USE_ARTIFACT_DEV_VERSION) set(POM_SNAPSHOT "-SNAPSHOT") endif() configure_file(${PACKAGING_DIR}/android/pom.xml.in ${ANDROID_BUILD_DIR}/${CPACK_PACKAGE_FILE_NAME}.pom @ONLY) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/cmake/Version.cmake new/AusweisApp-2.5.1/cmake/Version.cmake --- old/AusweisApp-2.5.0/cmake/Version.cmake 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/cmake/Version.cmake 2026-04-12 12:11:17.000000000 +0200 @@ -1,6 +1,6 @@ set(PROJECT_VERSION_MAJOR 2) set(PROJECT_VERSION_MINOR 5) -set(PROJECT_VERSION_PATCH 0) +set(PROJECT_VERSION_PATCH 1) #set(PROJECT_VERSION_TWEAK 0) unset(PROJECT_VERSION) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/docs/releasenotes/2.5.1.rst new/AusweisApp-2.5.1/docs/releasenotes/2.5.1.rst --- old/AusweisApp-2.5.0/docs/releasenotes/2.5.1.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/AusweisApp-2.5.1/docs/releasenotes/2.5.1.rst 2026-04-12 12:11:17.000000000 +0200 @@ -0,0 +1,16 @@ +AusweisApp 2.5.1 +^^^^^^^^^^^^^^^^ + +**Releasedatum:** 11. April 2026 + + +Anwender +"""""""" +- Fehlerkorrektur der minimal unterstützten macOS Version. + + +Entwickler +"""""""""" +- Aktualisierung von OpenSSL auf die Version 3.6.2. + +- Unter Android enthielt die Version irrtümlich die Architektur. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/docs/releasenotes/versions.rst new/AusweisApp-2.5.1/docs/releasenotes/versions.rst --- old/AusweisApp-2.5.0/docs/releasenotes/versions.rst 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/docs/releasenotes/versions.rst 2026-04-12 12:11:17.000000000 +0200 @@ -6,6 +6,7 @@ .. toctree:: :maxdepth: 1 + 2.5.1 2.5.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/libs/CMakeLists.txt new/AusweisApp-2.5.1/libs/CMakeLists.txt --- old/AusweisApp-2.5.0/libs/CMakeLists.txt 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/libs/CMakeLists.txt 2026-04-12 12:11:17.000000000 +0200 @@ -163,7 +163,15 @@ list(APPEND OPENSSL_URLS ${OPENSSL_SOURCE}/snapshot/${OPENSSL_FILE}) else() string(SUBSTRING ${OPENSSL} 0 5 OPENSSL_SUBVERSION) - list(APPEND OPENSSL_URLS $ENV{MIRROR_GITHUB}/openssl/openssl/releases/download/openssl-${OPENSSL}/${OPENSSL_FILE}) + set(OPENSSL_GITHUB $ENV{MIRROR_GITHUB}/openssl/openssl/releases/download) + + list(APPEND OPENSSL_URLS ${OPENSSL_GITHUB}/openssl-${OPENSSL}/${OPENSSL_FILE}) + + if(OPENSSL VERSION_LESS 3) + string(REPLACE "." "_" OPENSSL_ALTERNATIVE "${OPENSSL}") + list(APPEND OPENSSL_URLS ${OPENSSL_GITHUB}/OpenSSL_${OPENSSL_ALTERNATIVE}/${OPENSSL_FILE}) + endif() + list(APPEND OPENSSL_URLS ${OPENSSL_SOURCE}/old/${OPENSSL_SUBVERSION}/${OPENSSL_FILE}) endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/libs/Versions.cmake new/AusweisApp-2.5.1/libs/Versions.cmake --- old/AusweisApp-2.5.0/libs/Versions.cmake 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/libs/Versions.cmake 2026-04-12 12:11:17.000000000 +0200 @@ -14,15 +14,15 @@ ######################################## OpenSSL if(NOT DEFINED OPENSSL) - set(OPENSSL 3.6.1) + set(OPENSSL 3.6.2) set(OPENSSL_PATCHES ON) endif() if(NOT OPENSSL_HASH) set(OPENSSL_HASH_1.1.1w cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8) - set(OPENSSL_HASH_3.0.18 d80c34f5cf902dccf1f1b5df5ebb86d0392e37049e5d73df1b3abae72e4ffe8b) - set(OPENSSL_HASH_3.5.5 b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89) - set(OPENSSL_HASH_3.6.1 b1bfedcd5b289ff22aee87c9d600f515767ebf45f77168cb6d64f231f518a82e) + set(OPENSSL_HASH_3.0.20 c80a01dfc70ece4dc21168932c37739042d404d46ccc81a5986dd75314ecda6f) + set(OPENSSL_HASH_3.5.6 deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736) + set(OPENSSL_HASH_3.6.2 aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f) set(OPENSSL_HASH ${OPENSSL_HASH_${OPENSSL}}) endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/libs/patches/openssl-0001-android-shlib_variant.patch new/AusweisApp-2.5.1/libs/patches/openssl-0001-android-shlib_variant.patch --- old/AusweisApp-2.5.0/libs/patches/openssl-0001-android-shlib_variant.patch 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/libs/patches/openssl-0001-android-shlib_variant.patch 2026-04-12 12:11:17.000000000 +0200 @@ -1,4 +1,4 @@ -From 04b838e3abb9dd8a7f2aae7b1f26bc62845f139b Mon Sep 17 00:00:00 2001 +From c7224c60cad63c7a50e923aa9924eecf29e4d652 Mon Sep 17 00:00:00 2001 From: Lars Schmertmann <[email protected]> Date: Tue, 19 Jan 2021 17:07:51 +0100 Subject: android shlib_variant diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/libs/patches/openssl-0002-Fix-group-tuple-handling-in-DEFAULT-expansion.patch new/AusweisApp-2.5.1/libs/patches/openssl-0002-Fix-group-tuple-handling-in-DEFAULT-expansion.patch --- old/AusweisApp-2.5.0/libs/patches/openssl-0002-Fix-group-tuple-handling-in-DEFAULT-expansion.patch 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/libs/patches/openssl-0002-Fix-group-tuple-handling-in-DEFAULT-expansion.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,483 +0,0 @@ -From 1d4c0f85dadf5b5d0c91ffd8bd77413d999d7836 Mon Sep 17 00:00:00 2001 -From: Viktor Dukhovni <[email protected]> -Date: Tue, 17 Feb 2026 18:37:06 +1100 -Subject: Fix group tuple handling in DEFAULT expansion - -Also fine-tune docs and add tests. - -Fixes: #30109 -Fixes: CVE-2026-2673 - -Reviewed-by: Matt Caswell <[email protected]> -Reviewed-by: Paul Dale <[email protected]> -Reviewed-by: Tomas Mraz <[email protected]> -MergeDate: Fri Mar 13 12:42:50 2026 -(Merged from https://github.com/openssl/openssl/pull/30111) -(cherry picked from commit 2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f) ---- - CHANGES.md | 12 +++ - NEWS.md | 7 ++ - doc/man3/SSL_CTX_set1_curves.pod | 123 +++++++++++++++++++++---------- - ssl/t1_lib.c | 89 ++++++++++++---------- - test/tls13groupselection_test.c | 37 ++++++++-- - 5 files changed, 187 insertions(+), 81 deletions(-) - -diff --git x/CHANGES.md y/CHANGES.md -index e5a0bed1389a14587b2bccc2c6866c252262802b..58993024a3b9bde12e0a16d3e5d6276d6fc45e58 100644 ---- x/CHANGES.md -+++ y/CHANGES.md -@@ -29,6 +29,17 @@ OpenSSL Releases - OpenSSL 3.6 - ----------- - -+### Changes between 3.6.1 and 3.6.2 -+ -+ * Fixed loss of key agreement group tuple structure when the `DEFAULT` keyword -+ is used in the server-side configuration of the key-agreement group list. -+ This could result in accepting a less preferred than intended client -+ keyshare. -+ -+ ([CVE-2026-2673]) -+ -+ *Viktor Dukhovni* -+ - ### Changes between 3.6.0 and 3.6.1 [27 Jan 2026] - - * Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification. -@@ -21850,6 +21861,7 @@ ndif - - <!-- Links --> - -+[CVE-2026-2673]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-2673 - [CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796 - [CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795 - [CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421 -diff --git x/NEWS.md y/NEWS.md -index 2a382f39ada814808e7c9f47ebe7937bf43cc1ac..5606333783060c79537bd341de09f1532d8aa3f1 100644 ---- x/NEWS.md -+++ y/NEWS.md -@@ -24,6 +24,12 @@ OpenSSL Releases - OpenSSL 3.6 - ----------- - -+### Major changes between OpenSSL 3.6.1 and OpenSSL 3.6.2 -+ -+ * Fixed loss of key agreement group tuple structure when the `DEFAULT` keyword -+ is used in the server-side configuration of the key-agreement group list. -+ ([CVE-2026-2673]) -+ - ### Major changes between OpenSSL 3.6.0 and OpenSSL 3.6.1 [27 Jan 2026] - - OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this -@@ -2028,6 +2034,7 @@ OpenSSL 0.9.x - * Support for various new platforms - - <!-- Links --> -+[CVE-2026-2673]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-2673 - [CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796 - [CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795 - [CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421 -diff --git x/doc/man3/SSL_CTX_set1_curves.pod y/doc/man3/SSL_CTX_set1_curves.pod -index 352fe343471ae54c6b807426b24f2700a2fb9ee3..bcf792023c65fc70dcb1530b73348bf23fbc1b82 100755 ---- x/doc/man3/SSL_CTX_set1_curves.pod -+++ y/doc/man3/SSL_CTX_set1_curves.pod -@@ -40,13 +40,13 @@ SSL_get1_curves, SSL_get_shared_curve, SSL_CTX_get0_implemented_groups - - For all of the functions below that set the supported groups there must be at - least one group in the list. A number of these functions identify groups via a --unique integer NID value. However, support for some groups may be added by --external providers. In this case there will be no NID assigned for the group. -+unique integer B<NID> value. However, support for some groups may be added by -+external providers. In this case there will be no B<NID> assigned for the group. - When setting such groups applications should use the "list" form of these - functions (i.e. SSL_CTX_set1_groups_list() and SSL_set1_groups_list()). - - SSL_CTX_set1_groups() sets the supported groups for B<ctx> to B<glistlen> --groups in the array B<glist>. The array consist of all NIDs of supported groups. -+groups in the array B<glist>. The array consist of all B<NIDs> of supported groups. - The supported groups for B<TLSv1.3> include: - B<NID_X9_62_prime256v1>, - B<NID_secp384r1>, -@@ -73,20 +73,27 @@ B<SSL_OP_SERVER_PREFERENCE> is set, the order of the elements in the - array determines the selected group. Otherwise, the order is ignored and the - client's order determines the selection. - --For a TLS 1.3 server, the groups determine the selected group, but --selection is more complex. A TLS 1.3 client sends both a group list as well as a --predicted subset of groups. Choosing a group outside the predicted subset incurs --an extra roundtrip. However, in some situations, the most preferred group may --not be predicted. OpenSSL considers all supported groups in I<clist> to be comparable --in security and prioritizes avoiding roundtrips above either client or server --preference order. If an application uses an external provider to extend OpenSSL --with, e.g., a post-quantum algorithm, this behavior may allow a network attacker --to downgrade connections to a weaker algorithm. It is therefore recommended --to use SSL_CTX_set1_groups_list() with the ability to specify group tuples. -+For a TLS 1.3 server, the groups determine the selected group, but selection is -+more complex. -+A TLS 1.3 client sends both a group list and predicted keyshares for a subset -+of groups. -+A server choosing a group outside the client's predicted subset incurs an extra -+roundtrip. -+However, in some situations, the most preferred group may not be predicted. -+ -+When groups are specified via SSL_CTX_set1_groups() as a list of B<NID> -+values, OpenSSL considers all supported groups in I<clist> to be comparable in -+security and prioritises avoiding roundtrips above either client or server -+preference order. -+If an application uses an external provider to extend OpenSSL with, e.g., a -+post-quantum algorithm, this behavior may allow a network attacker to downgrade -+connections to a weaker algorithm. -+It is therefore recommended to use SSL_CTX_set1_groups_list() instead, making -+it possible to specify group tuples as described below. - - SSL_CTX_set1_groups_list() sets the supported groups for B<ctx> to - string I<list>. In contrast to SSL_CTX_set1_groups(), the names of the --groups, rather than their NIDs, are used. -+groups, rather than their B<NIDs>, are used. - - The commands below list the available groups for TLS 1.2 and TLS 1.3, - respectively: -@@ -102,30 +109,72 @@ The preferred group names are those defined by - L<IANA|https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8>. - - The I<list> can be used to define several group tuples of comparable security --levels, and can specify which key shares should be sent by a client. --The specified list elements can optionally be ignored, if not implemented -+levels, and can specify which predicted key shares should be sent by a client. -+Group tuples are used by OpenSSL TLS servers to decide whether to request a -+stronger keyshare than those predicted by sending a Hello Retry Request -+(B<HRR>) even if some of the predicted groups are supported. -+OpenSSL clients ignore tuple boundaries, and pay attenion only to the overall -+order of I<list> elements and which groups are selected as predicted keyshares -+as described below. -+ -+The specified list elements can optionally be ignored if not implemented - (listing unknown groups otherwise results in error). --It is also possible to specify the built-in default set of groups, and to explicitly --remove a group from that list. -- --In its simplest form, the string I<list> is just a colon separated list --of group names, for example "P-521:P-384:P-256:X25519:ffdhe2048". The first --group listed will also be used for the B<key_share> sent by a client in a --TLSv1.3 B<ClientHello>. For servers note the discussion above. The list should --be in order of preference with the most preferred group first. -- --Group tuples of comparable security are defined by separating them from each --other by a tuple separator C</>. Keyshares to be sent by a client are specified --by prepending a C<*> to the group name, while any C<*> will be ignored by a --server. The following string I<list> for example defines three tuples when --used on the server-side, and triggers the generation of three key shares --when used on the client-side: P-521:*P-256/*P-384/*X25519:P-384:ffdhe2048. -- --If a group name is preceded with the C<?> character, it will be ignored if an --implementation is missing. If a group name is preceded with the C<-> character, it --will be removed from the list of groups if present (including not sending a --key share for this group), ignored otherwise. The pseudo group name --C<DEFAULT> can be used to select the OpenSSL built-in default list of groups. -+It is also possible to specify the built-in default set of groups, and to -+explicitly remove a group from that list. -+ -+In its simplest legacy form, the string I<list> is just a colon separated list -+of group names, for example "P-521:P-384:P-256:X25519:ffdhe2048". -+The first group listed will in this case be used as the sole predicted -+B<key_share> sent by a client in a TLSv1.3 B<ClientHello>. -+The list should be in order of preference with the most preferred group first. -+ -+A more expressive syntax supports definition of group tuples of comparable -+security by separating them from each other with C</> characters. -+ -+The predicted keyshares to be sent by clients can be explicitly specified by -+adding a C<*> prefix to the associated group name. -+These C<*> prefixes are ignored by servers. -+ -+If a group name is prefixed with the C<?> character, it will be ignored if an -+implementation is missing. -+Otherwise, listing an unknown group name will cause a failure to parse the -+I<list>. -+Note that whether a group is known or not may depend on the OpenSSL version, -+how OpenSSL was compiled and/or which providers are loaded. -+Make sure you have the correct spelling of the group name and when in doubt -+prefix it with a C<?> to handle configurations in which it might nevertheless -+be unknown. -+ -+If a group name is prefixed with the C<-> character, it will be removed from -+the list of groups specified up to that point. -+It can be added again if specified later. -+Removal of groups that have not been included earlier in the list is silently -+ignored. -+ -+The pseudo group name C<DEFAULT> can be used to select the OpenSSL built-in -+default list of groups. -+Prepending one or more groups to C<DEFAULT> using only C<:> separators prepends those -+groups to the built-in default list's first tuple. -+Additional tuples can be prepended by use of the C</> separator. -+Appending a set of groups to C<DEFAULT> using only C<:> separators appends those -+groups to the built-in default list's last tuple. -+Additional tuples can be appended by use of the C</> separator. -+ -+The B<DEFAULT> list selects B<X25519MLKEM768> as one of the predicted keyshares. -+In rare cases this can lead to failures or timeouts because the resulting -+larger TLS Client Hello message may no longer fit in a single TCP segment and -+firewall software may erroneously disrupt the TLS handshake. -+If this is an issue or concern, prepending C<?X25519MLKEM768:> without a C<*> -+prefix leads to its occurrence in the default list to be ignored as a duplicate, -+and along with that also the keyshare prediction. -+The group will then only be selected by servers that specifically expect it, -+after a Hello Retry Request (HRR). -+Servers that specifically prefer B<X25519MLKEM768>, are much less likely to be -+found behind problematic firewalls. -+ -+The following string I<list> for example defines three tuples when used on the -+server-side, and triggers the generation of three key shares when used on the -+client-side: P-521:*P-256/*P-384/*X25519:P-384:ffdhe2048. - - For a TLS 1.3 client, all the groups in the string I<list> are added to the - supported groups extension of a C<ClientHello>, in the order in which they are listed, -diff --git x/ssl/t1_lib.c y/ssl/t1_lib.c -index 9ece318950351d22f5f6cc75a15111fb89ce4fa4..9adbabe5eef5fc16cb983424ddff2ba947459ec9 100644 ---- x/ssl/t1_lib.c -+++ y/ssl/t1_lib.c -@@ -215,7 +215,7 @@ static const uint16_t suiteb_curves[] = { - - /* Group list string of the built-in pseudo group DEFAULT_SUITE_B */ - #define SUITE_B_GROUP_NAME "DEFAULT_SUITE_B" --#define SUITE_B_GROUP_LIST "secp256r1:secp384r1", -+#define SUITE_B_GROUP_LIST "?secp256r1:?secp384r1", - - struct provider_ctx_data_st { - SSL_CTX *ctx; -@@ -1248,8 +1248,8 @@ typedef struct { - size_t ksidcnt; /* Number of key shares */ - uint16_t *ksid_arr; /* The IDs of the key share groups (flat list) */ - /* Variable to keep state between execution of callback or helper functions */ -- size_t tuple_mode; /* Keeps track whether tuple_cb called from 'the top' or from gid_cb */ -- int ignore_unknown_default; /* Flag such that unknown groups for DEFAULT[_XYZ] are ignored */ -+ int inner; /* Are we expanding a DEFAULT list */ -+ int first; /* First tuple of possibly nested expansion? */ - } gid_cb_st; - - /* Forward declaration of tuple callback function */ -@@ -1324,16 +1324,16 @@ static int gid_cb(const char *elem, int len, void *arg) - for (i = 0; i < OSSL_NELEM(default_group_strings); i++) { - if ((size_t)len == (strlen(default_group_strings[i].list_name)) - && OPENSSL_strncasecmp(default_group_strings[i].list_name, elem, len) == 0) { -+ int saved_first; -+ - /* - * We're asked to insert an entire list of groups from a - * DEFAULT[_XYZ] 'pseudo group' which we do by - * recursively calling this function (indirectly via - * CONF_parse_list and tuple_cb); essentially, we treat a DEFAULT - * group string like a tuple which is appended to the current tuple -- * rather then starting a new tuple. Variable tuple_mode is the flag which -- * controls append tuple vs start new tuple. -+ * rather then starting a new tuple. - */ -- - if (ignore_unknown || remove_group) - return -1; /* removal or ignore not allowed here -> syntax error */ - -@@ -1354,15 +1354,17 @@ static int gid_cb(const char *elem, int len, void *arg) - default_group_strings[i].group_string, - strlen(default_group_strings[i].group_string)); - restored_default_group_string[strlen(default_group_strings[i].group_string) + restored_prefix_index] = '\0'; -- /* We execute the recursive call */ -- garg->ignore_unknown_default = 1; /* We ignore unknown groups for DEFAULT_XYZ */ -- /* we enforce group mode (= append tuple) for DEFAULT_XYZ group lists */ -- garg->tuple_mode = 0; -- /* We use the tuple_cb callback to process the pseudo group tuple */ -+ /* -+ * Append first tuple of result to current tuple, and don't -+ * terminate the last tuple until we return to a top-level -+ * tuple_cb. -+ */ -+ saved_first = garg->first; -+ garg->inner = garg->first = 1; - retval = CONF_parse_list(restored_default_group_string, - TUPLE_DELIMITER_CHARACTER, 1, tuple_cb, garg); -- garg->tuple_mode = 1; /* next call to tuple_cb will again start new tuple */ -- garg->ignore_unknown_default = 0; /* reset to original value */ -+ garg->inner = 0; -+ garg->first = saved_first; - /* We don't need the \0-terminated string anymore */ - OPENSSL_free(restored_default_group_string); - -@@ -1382,9 +1384,6 @@ static int gid_cb(const char *elem, int len, void *arg) - if (len == 0) - return -1; /* Seems we have prefxes without a group name -> syntax error */ - -- if (garg->ignore_unknown_default == 1) /* Always ignore unknown groups for DEFAULT[_XYZ] */ -- ignore_unknown = 1; -- - /* Memory management in case more groups are present compared to initial allocation */ - if (garg->gidcnt == garg->gidmax) { - uint16_t *tmp = OPENSSL_realloc_array(garg->gid_arr, -@@ -1520,7 +1519,7 @@ static int gid_cb(const char *elem, int len, void *arg) - /* and update the book keeping for the number of groups in current tuple */ - garg->tuplcnt_arr[garg->tplcnt]++; - -- /* We memorize if needed that we want to add a key share for the current group */ -+ /* We want to add a key share for the current group */ - if (add_keyshare) - garg->ksid_arr[garg->ksidcnt++] = gid; - } -@@ -1529,6 +1528,35 @@ done: - return retval; - } - -+static int grow_tuples(gid_cb_st *garg) -+{ -+ if (garg->tplcnt == garg->tplmax) { -+ size_t newcnt = garg->tplmax + GROUPLIST_INCREMENT; -+ size_t *tmp = OPENSSL_realloc_array(garg->tuplcnt_arr, -+ newcnt, sizeof(*garg->tuplcnt_arr)); -+ -+ if (tmp == NULL) -+ return 0; -+ -+ garg->tplmax = newcnt; -+ garg->tuplcnt_arr = tmp; -+ } -+ return 1; -+} -+ -+static int close_tuple(gid_cb_st *garg) -+{ -+ size_t gidcnt = garg->tuplcnt_arr[garg->tplcnt]; -+ -+ if (gidcnt == 0) -+ return 1; -+ if (!grow_tuples(garg)) -+ return 0; -+ -+ garg->tuplcnt_arr[++garg->tplcnt] = 0; -+ return 1; -+} -+ - /* Extract and process a tuple of groups */ - static int tuple_cb(const char *tuple, int len, void *arg) - { -@@ -1542,17 +1570,9 @@ static int tuple_cb(const char *tuple, int len, void *arg) - return 0; - } - -- /* Memory management for tuples */ -- if (garg->tplcnt == garg->tplmax) { -- size_t *tmp = OPENSSL_realloc_array(garg->tuplcnt_arr, -- garg->tplmax + GROUPLIST_INCREMENT, -- sizeof(*garg->tuplcnt_arr)); -- -- if (tmp == NULL) -- return 0; -- garg->tplmax += GROUPLIST_INCREMENT; -- garg->tuplcnt_arr = tmp; -- } -+ if (garg->inner && !garg->first && !close_tuple(garg)) -+ return 0; -+ garg->first = 0; - - /* Convert to \0-terminated string */ - restored_tuple_string = OPENSSL_malloc(len + 1 /* \0 */); -@@ -1567,15 +1587,8 @@ static int tuple_cb(const char *tuple, int len, void *arg) - /* We don't need the \o-terminated string anymore */ - OPENSSL_free(restored_tuple_string); - -- if (garg->tuplcnt_arr[garg->tplcnt] > 0) { /* Some valid groups are present in current tuple... */ -- if (garg->tuple_mode) { -- /* We 'close' the tuple */ -- garg->tplcnt++; -- garg->tuplcnt_arr[garg->tplcnt] = 0; /* Next tuple is initialized to be empty */ -- garg->tuple_mode = 1; /* next call will start a tuple (unless overridden in gid_cb) */ -- } -- } -- -+ if (!garg->inner && !close_tuple(garg)) -+ return 0; - return retval; - } - -@@ -1606,8 +1619,6 @@ int tls1_set_groups_list(SSL_CTX *ctx, - } - - memset(&gcb, 0, sizeof(gcb)); -- gcb.tuple_mode = 1; /* We prepare to collect the first tuple */ -- gcb.ignore_unknown_default = 0; - gcb.gidmax = GROUPLIST_INCREMENT; - gcb.tplmax = GROUPLIST_INCREMENT; - gcb.ksidmax = GROUPLIST_INCREMENT; -diff --git x/test/tls13groupselection_test.c y/test/tls13groupselection_test.c -index 54e094464fdde97252abadd3a4b175bf9965be6b..98c81cde0707377f500d52d4831b03332f09cd52 100644 ---- x/test/tls13groupselection_test.c -+++ y/test/tls13groupselection_test.c -@@ -40,6 +40,12 @@ typedef enum SERVER_RESPONSE { - SH = 2 - } SERVER_RESPONSE; - -+static const char *response_desc[] = { -+ "HRR", -+ "INIT", -+ "SH", -+}; -+ - static char *cert = NULL; - static char *privkey = NULL; - -@@ -307,7 +313,23 @@ static const struct tls13groupselection_test_st tls13groupselection_tests[] = { - { "*brainpoolP256r1:X25519", /* test 43 */ - "X25519", - SERVER_PREFERENCE, -- NEGOTIATION_FAILURE, INIT } -+ NEGOTIATION_FAILURE, INIT }, -+ -+ /* DEFAULT retains tuple structure */ -+ { "*X25519:secp256r1", -+ "secp256r1:DEFAULT", /* test 44 */ -+ SERVER_PREFERENCE, -+ "secp256r1", HRR }, -+#ifndef OPENSSL_NO_DH -+ { "*ffdhe2048:secp256r1", -+ "DEFAULT:ffdhe4096", /* test 45 */ -+ CLIENT_PREFERENCE, -+ "secp256r1", HRR }, -+ { "x25519:ffdhe2048:*ffdhe4096", -+ "DEFAULT:ffdhe4096", /* test 46 */ -+ SERVER_PREFERENCE, -+ "x25519", HRR }, -+#endif - }; - - static void server_response_check_cb(int write_p, int version, -@@ -318,10 +340,12 @@ static void server_response_check_cb(int write_p, int version, - enum SERVER_RESPONSE *server_response = (enum SERVER_RESPONSE *)arg; - /* Prepare check for HRR */ - const uint8_t *incoming_random = (uint8_t *)buf + 6; -- const uint8_t magic_HRR_random[32] = { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, -+ const uint8_t magic_HRR_random[32] = { -+ 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, - 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, - 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, -- 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C }; -+ 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C -+ }; - - /* Did a server hello arrive? */ - if (write_p == 0 && /* Incoming data... */ -@@ -450,13 +474,16 @@ static int test_groupnegotiation(const struct tls13groupselection_test_st *curre - group_name_client = SSL_group_to_name(clientssl, negotiated_group_client); - if (!TEST_int_eq(negotiated_group_client, negotiated_group_server)) - goto end; -- if (!TEST_int_eq((int)current_test_vector->expected_server_response, (int)server_response)) -+ if (!TEST_str_eq(response_desc[current_test_vector->expected_server_response], -+ response_desc[server_response])) - goto end; - if (TEST_str_eq(group_name_client, current_test_vector->expected_group)) - ok = 1; - } else { - TEST_false_or_end(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)); -- if (test_type == TEST_NEGOTIATION_FAILURE && !TEST_int_eq((int)current_test_vector->expected_server_response, (int)server_response)) -+ if (test_type == TEST_NEGOTIATION_FAILURE -+ && !TEST_str_eq(response_desc[current_test_vector->expected_server_response], -+ response_desc[server_response])) - goto end; - ok = 1; - } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/publiccode.yml new/AusweisApp-2.5.1/publiccode.yml --- old/AusweisApp-2.5.0/publiccode.yml 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/publiccode.yml 2026-04-12 12:11:17.000000000 +0200 @@ -15,9 +15,10 @@ - android softwareType: standalone/mobile categories: + - citizen-services - identity-management - - security - - authentication + - it-security + - service-consolidation maintenance: type: contract contacts: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/resources/packaging/android/build.gradle.append new/AusweisApp-2.5.1/resources/packaging/android/build.gradle.append --- old/AusweisApp-2.5.0/resources/packaging/android/build.gradle.append 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/resources/packaging/android/build.gradle.append 2026-04-12 12:11:17.000000000 +0200 @@ -22,7 +22,7 @@ lint { baseline = file('lint-baseline.xml') - disable += ['LintBaseline'] + disable += ['LintBaseline', 'AndroidGradlePluginVersion'] } buildFeatures { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/resources/packaging/android/lint.apk.xml new/AusweisApp-2.5.1/resources/packaging/android/lint.apk.xml --- old/AusweisApp-2.5.0/resources/packaging/android/lint.apk.xml 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/resources/packaging/android/lint.apk.xml 2026-04-12 12:11:17.000000000 +0200 @@ -2,17 +2,6 @@ <issues format="6" by="lint 8.10.1" type="baseline" client="gradle" dependencies="false" name="AGP (8.10.1)" variant="all" version="8.10.1"> <issue - id="AndroidGradlePluginVersion" - message="A newer version of Gradle than 8.14.3 is available: 8.14.4" - errorLine1="distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip" - errorLine2=" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"> - <location - file="gradle/wrapper/gradle-wrapper.properties" - line="3" - column="17"/> - </issue> - - <issue id="ChromeOsAbiSupport" message="Missing x86_64 ABI support for ChromeOS" errorLine1=" ndk.abiFilters = qtTargetAbiList.split(",")" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/resources/updatable-files/supported-readers.json new/AusweisApp-2.5.1/resources/updatable-files/supported-readers.json --- old/AusweisApp-2.5.0/resources/updatable-files/supported-readers.json 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/resources/updatable-files/supported-readers.json 2026-04-12 12:11:17.000000000 +0200 @@ -120,7 +120,7 @@ "os": "mac" } ], - "URL": "https://www.reiner-sct.com/support/support-anfrage/?os=MacOS&productGroup=77304735&product=77304822&q=driver#choice5"; + "URL": "https://help.reiner-sct.com/de/support/solutions/articles/101000480002"; }, { "Platforms": [ @@ -226,7 +226,7 @@ "os": "mac" } ], - "URL": "https://www.reiner-sct.com/treiber-mac"; + "URL": "https://help.reiner-sct.com/de/support/solutions/articles/101000480002"; }, { "Platforms": [ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/test/qt/card/drivers/test_ReaderDetector.cpp new/AusweisApp-2.5.1/test/qt/card/drivers/test_ReaderDetector.cpp --- old/AusweisApp-2.5.0/test/qt/card/drivers/test_ReaderDetector.cpp 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/test/qt/card/drivers/test_ReaderDetector.cpp 2026-04-12 12:11:17.000000000 +0200 @@ -17,7 +17,7 @@ #if defined(Q_OS_WIN) const QLatin1String KOMFORT_DRIVER_URL("https://www.reiner-sct.com/support/support-anfrage/?os=Windows&productGroup=77304735&product=77304822&q=driver#choice5";); #elif defined(Q_OS_MACOS) -const QLatin1String KOMFORT_DRIVER_URL("https://www.reiner-sct.com/support/support-anfrage/?os=MacOS&productGroup=77304735&product=77304822&q=driver#choice5";); +const QLatin1String KOMFORT_DRIVER_URL("https://help.reiner-sct.com/de/support/solutions/articles/101000480002";); #else const QLatin1String KOMFORT_DRIVER_URL("https://www.reiner-sct.com/support/support-anfrage/?os=Linux&productGroup=77304735&product=77304822&q=driver#choice5";); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/AusweisApp-2.5.0/test/qt/configuration/test_ReaderConfiguration.cpp new/AusweisApp-2.5.1/test/qt/configuration/test_ReaderConfiguration.cpp --- old/AusweisApp-2.5.0/test/qt/configuration/test_ReaderConfiguration.cpp 2026-04-08 11:18:17.000000000 +0200 +++ new/AusweisApp-2.5.1/test/qt/configuration/test_ReaderConfiguration.cpp 2026-04-12 12:11:17.000000000 +0200 @@ -178,13 +178,13 @@ QTest::newRow("Simulator") << UsbId(0x0000, 0x0002) << "Simulator" << "Simulator"; QTest::newRow("REINER SCT cyberJack RFID komfort-windows-10-11") << UsbId(0x0C4B, 0x0501) << "REINER SCT cyberJack RFID komfort USB 1" << "REINER SCT cyberJack RFID komfort"; - QTest::newRow("REINER SCT cyberJack RFID komfort-macosx-12-15") << UsbId(0x0C4B, 0x0501) << "REINER SCT cyberJack RFID komfort" << "REINER SCT cyberJack RFID komfort"; + QTest::newRow("REINER SCT cyberJack RFID komfort-macosx-13-26") << UsbId(0x0C4B, 0x0501) << "REINER SCT cyberJack RFID komfort" << "REINER SCT cyberJack RFID komfort"; QTest::newRow("REINER SCT cyberJack RFID komfort-FON-windows-7-10") << UsbId(0x0C4B, 0x2007) << "REINER SCT cyberJack RFID komfort FON USB 52" << "REINER SCT cyberJack RFID komfort FON"; QTest::newRow("REINER SCT cyberJack RFID komfort-FON-macosx-10.13-11.0") << UsbId(0x0C4B, 0x2007) << "REINER SCT cyberJack RFID komfort FON" << "REINER SCT cyberJack RFID komfort FON"; QTest::newRow("REINER SCT cyberJack RFID standard-windows-10-11") << UsbId(0x0C4B, 0x0500) << "REINER SCT cyberJack RFID standard USB 1" << "REINER SCT cyberJack RFID standard"; - QTest::newRow("REINER SCT cyberJack RFID standard-macosx-12-15") << UsbId(0x0C4B, 0x0500) << "REINER SCT cyberJack RFID standard" << "REINER SCT cyberJack RFID standard"; + QTest::newRow("REINER SCT cyberJack RFID standard-macosx-13-26") << UsbId(0x0C4B, 0x0500) << "REINER SCT cyberJack RFID standard" << "REINER SCT cyberJack RFID standard"; QTest::newRow("REINER SCT cyberJack RFID basis-windows-10-11") << UsbId(0x0C4B, 0x9102) << "REINER SCT cyberJack RFID basis 0" << "REINER SCT cyberJack RFID basis"; QTest::newRow("REINER SCT cyberJack RFID basis-macosx-13-26") << UsbId(0x0C4B, 0x9102) << "REINER SCT cyberJack RFID basis" << "REINER SCT cyberJack RFID basis";
