Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package Botan.16333 for openSUSE:Leap:15.2:Update checked in at 2021-05-22 07:04:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/Botan.16333 (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.Botan.16333.new.2988 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "Botan.16333" Sat May 22 07:04:04 2021 rev:1 rq:894659 version:2.10.0 Changes: -------- New Changes file: --- /dev/null 2021-04-29 10:03:23.520854754 +0200 +++ /work/SRC/openSUSE:Leap:15.2:Update/.Botan.16333.new.2988/Botan.changes 2021-05-22 07:04:05.443848483 +0200 @@ -0,0 +1,1475 @@ +------------------------------------------------------------------- +Fri Apr 16 16:04:06 UTC 2021 - Ferdinand Thiessen <[email protected]> + +- Added CVE-2021-24115.patch to fix CVE-2021-24115 ( boo#1182670 ) + * Backport 4db001ca2 to 2.10 + * In Botan before 2.17.3, or this backport, constant-time + computations are not used for certain decoding and encoding + operations (base32, base58, base64, and hex) +- Dropped unneeded build requirement gmp, + GNU MP was removed in 1.11.10 +- Enabled tests to verify integrity after patching + +------------------------------------------------------------------- +Tue Apr 2 12:54:40 UTC 2019 - Daniel Molkentin <[email protected]> + +- Update to Botan 2.10 + + * Bump SONAME + + * Warning: XMSS currently implements draft-06 which is not compatible with + the final RFC 8391 specification. A PR is open to fix this, however it will + break all current uses of XMSS. If you are currently using XMSS please + comment at https://github.com/randombit/botan/pull/1858. Otherwise the PR + will be merged and support for draft-06 will be removed starting in 2.11. + + * Added a new certificate store implementation that can access the MacOS + keychain certificate store. (GH #1830) + + * Redesigned Memory_Pool class, which services allocations out of a set of + pages locked into memory (using mlock/VirtualLock). It is now faster and + with improved exploit mitigations. (GH #1800) + + * Add BMI2 implementations of SHA-512 and SHA-3 which improve performance by + 25-35% on common CPUs. (GH #1815) + + * Unroll SHA-3 computation improving performance by 10-12% (GH #1838) + + * Add a Thread_Pool class. It is now possible to run the tests in multiple + threads with --test-threads=N flag to select the number of threads to use. + Use --test-threads=0 to run with as many CPU cores as are available on the + current system. The default remains single threaded. (GH #1819) + + * XMSS signatures now uses a global thread pool instead of spawning new + threads for each usage. This improves signature generation performance by + between 10% and 60% depending on architecture and core count. (GH #1864) + + * Some functions related to encoding and decoding BigInts have been + deprecated. (GH #1817) + + * Binary encoding and decoding of BigInts has been optimized by performing + word-size operations when possible. (GH #1817) + + * Rename the exception Integrity_Failure to Invalid_Authentication_Tag to + make its meaning and usage more clear. The old name remains as a typedef. + (GH #1816) + + * Support for using Boost filesystem and MSVC???s std::filesystem have been + removed, since already POSIX and Win32 versions had to be maintained for + portability. (GH #1814) + + * Newly generated McEliece and XMSS keys now default to being encrypted using + SIV mode, support for which was added in 2.8.0. Previously GCM was used by + default for these algorithms. + + * Use arc4random on Android systems (GH #1851) + + * Fix the encoding of PGP-S2K iteration counts (GH #1853 #1854) + + * Add a facility for sandboxing the command line util. Currently FreeBSD + (Capsicum) and OpenBSD (pledge) sandboxes are supported. (GH #1808) + + * Use if constexpr when available. + + * Disable building shared libs on iOS as it was broken and it is not clear + shared libraries are ever useful on iOS (GH #1865) + + * Renamed the darwin build target to macos. This should not cause any + user-visible change. (GH #1866) + + * Add support for using sccache to cache the Windows CI build (GH #1807) + + * Add --extra-cxxflags option which allows adding compilation flags without + overriding the default set. (GH #1826) + + * Add --format= option to the hash cli which allows formatting the output as + base64 or base58, default output remains hex. + + * Add base58_enc and base58_dec cli utils for base58 encoding/decoding. (GH #1848) + + * Enable getentropy by default on macOS (GH #1862) + + * Avoid using -momit-leaf-frame-pointer flags, since -fomit-frame-pointer is + already the default with recent versions of GCC. + + * Fix XLC sanitizer flags. + + * Rename Blake2b class to BLAKE2b to match the official name. There is a typedef for compat. + + * Fix a bug where loading a raw Ed25519_PublicKey of incorrect length would + lead to a crash. (GH #1850) + + * Fix a bug that caused compilation problems using CryptoNG PRNG. (GH #1832) + + * Extended SHAKE-128 cipher to support any key between 1 and 160 bytes, + instead of only multiples of 8 bytes. + + * Minor HMAC optimizations. + + * Build fixes for GNU/Hurd. + + * Fix a bug that prevented generating or verifying Ed25519 signatures in the + CLI (GH #1828 #1829) + + * Fix a compilation error when building the amalgamation outside of the + original source directory when AVX2 was enabled. (GH #1812) + + * Fix a crash when creating the amalgamation if a header file was edited on + Windows but then the amalgamation was built on Linux (GH #1763) + +------------------------------------------------------------------- +Thu Jan 10 10:04:33 UTC 2019 - Daniel Molkentin <[email protected]> + +- Update to Botan 2.9 + + * Bump SONAME + + * CVE-2018-20187 Address a side channel during ECC key generation, which used an + unblinded Montgomery ladder. As a result, a timing attack can reveal + information about the high bits of the secret key. + + * Fix bugs in TLS which caused negotiation failures when the client used an + unknown signature algorithm or version (GH #1711 #1709 #1708) + + * Fix bug affecting GCM, EAX and ChaCha20Poly1305 where if the associated data + was set after starting a message, the new AD was not reflected in the produced + tag. Now with these modes setting an AD after beginning a message throws an + exception. + + * Use a smaller sieve which improves performance of prime generation. + + * Fixed a bug that caused ChaCha to produce incorrect output after encrypting 256 + GB. (GH #1728) + + * Add NEON and AltiVec implementations of ChaCha (GH #1719 #1728 #1729) + + * Optimize AVX2 ChaCha (GH #1730) + + * Many more operations in BigInt, ECC and RSA code paths are either fully const + time or avoid problematic branches that could potentially be exploited in a + side channel attack. (GH #1738 #1750 #1754 #1755 #1757 #1758 #1759 #1762 #1765 + #1770 #1773 #1774 #1779 #1780 #1794 #1795 #1796 #1797) + + * Several optimizations for BigInt and ECC, improving ECDSA performance by as + much as 30%. (GH #1734 #1737 #1777 #1750 #1737 #1788) + + * Support recovering an ECDSA public key from a message/signature pair (GH #664 + #1784) + + * Add base58 encoding/decoding functions (GH #1783) + + * In the command line interface, add support for reading passphrases from the + terminal with echo disabled (GH #1756) + + * Add CT::Mask type to simplify const-time programming (GH #1751) + + * Add new configure options --disable-bmi2, --disable-rdrand, and + --disable-rdseed to prevent use of those instruction sets. + + * Add error_type and error_code functions to Exception type (GH #1744) + + * Now on POSIX systems posix_memalign is used instead of mmap for allocating the + page-locked memory pool. This avoids issues with fork. (GH #602 #1798) + + * When available, use RDRAND to generate the additional data in + Stateful_RNG::randomize_with_ts_input + + * Use vzeroall/vzeroupper intrinsics to avoid AVX2/SSE transition penalties. + + * Support for Visual C++ 2013 has been removed (GH #1557 #1697) + + * Resolve a memory leak when verifying ECDSA signatures with versions of OpenSSL + before 1.1.0 (GH #1698) + + * Resolve a memory leak using ECDH via OpenSSL (GH #1767) + + * Fix an error in XTS which prohibited encrypting values which were exactly the + same length as the underlying block size. Messages of this size are allowed by + the standard and other XTS implementations. (GH #1706) + + * Resolve a bug in TSS which resulted in it using an incorrect length field in + the shares. Now the correct length is encoded, but either correct or buggy + lengths are accepted when decoding. (GH #1722) + + * Correct a bug when reducing a negative BigInt modulo a small power of 2. (GH + #1755) + + * Add CLI utils for threshold secret splitting. (GH #1722) ++++ 1278 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.Botan.16333.new.2988/Botan.changes New: ---- Botan-2.10.0.tgz Botan-2.10.0.tgz.asc Botan.changes Botan.keyring Botan.spec CVE-2021-24115.patch baselibs.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ Botan.spec ++++++ # # spec file for package Botan # # Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define version_suffix 2-10 %define short_version 2 Name: Botan Version: 2.10.0 Release: 0 Summary: A C++ Crypto Library License: BSD-2-Clause Group: Development/Libraries/C and C++ URL: https://botan.randombit.net Source0: https://botan.randombit.net/releases/Botan-%{version}.tgz Source1: https://botan.randombit.net/releases/Botan-%{version}.tgz.asc Source2: %{name}.keyring Source3: baselibs.conf # PATCH-FIX-UPSTREAM CVE-2021-24115.patch -- Backport for 2.10.0 of https://github.com/randombit/botan/pull/2549 Patch0: CVE-2021-24115.patch BuildRequires: bzip2 >= 1.0.2 BuildRequires: gcc-c++ BuildRequires: libbz2-devel BuildRequires: openssl-devel BuildRequires: pkgconfig BuildRequires: python3 BuildRequires: zlib-devel %description Botan is a C++ library that provides support for many common cryptographic operations, including encryption, authentication, and X.509v3 certificates and CRLs. A wide variety of algorithms is supported, including RSA, DSA, DES, AES, MD5, and SHA-1. %package -n libbotan-%{version_suffix} Summary: A C++ Crypto Library Group: System/Libraries %description -n libbotan-%{version_suffix} Botan is a C++ library that provides support for many common cryptographic operations, including encryption, authentication, and X.509v3 certificates and CRLs. A wide variety of algorithms is supported, including RSA, DSA, DES, AES, MD5, and SHA-1. %package -n libbotan-devel Summary: Development files for Botan Group: Development/Libraries/C and C++ Requires: libbotan-%{version_suffix} = %{version} Requires: libbz2-devel Provides: Botan-devel = %{version} Obsoletes: Botan-devel < %{version} %description -n libbotan-devel This package contains the header files and libraries needed to develop programs that use the Botan library. %package -n python3-botan Summary: Botan python bindings Group: Development/Languages/Python Requires: python3 %description -n python3-botan This package contains the python bindings to libbotan's C98 interface. %package doc %define botan_docdir %{_docdir}/botan-%{version} Summary: Documentation of Botan Group: Development/Libraries/C and C++ BuildArch: noarch %description doc Documentation of Botan package. %prep %setup -q -n Botan-%{version} %patch0 -p1 %build export RPM_OPT_FLAGS python3 ./configure.py \ --prefix=%{_prefix} \ --bindir=%{_bindir} \ --libdir=%{_libdir} \ --docdir=%{_defaultdocdir} \ --includedir=%{_includedir} \ --with-bzip2 \ --with-zlib \ --with-openssl \ %ifarch %ix86 --cpu=x86_32 %else %ifarch %{arm} --cpu=arm %else --cpu=%{_target_cpu} %endif %endif make %{?_smp_mflags} WARN_FLAGS="%{optflags}" %install sed -i 's/env python/env python3/' src/scripts/install.py %make_install rm -f %{buildroot}/%{_libdir}/libbotan*.a chmod +x %{buildroot}%{python3_sitearch}/botan2.py sed -i '1s@^#!/.*@#!%{_bindir}/python3@' %{buildroot}%{python3_sitearch}/botan2.py %check ./botan-test --verbose %post -n libbotan-%{version_suffix} -p /sbin/ldconfig %postun -n libbotan-%{version_suffix} -p /sbin/ldconfig %files %{_bindir}/botan %files doc %docdir %{botan_docdir} %{botan_docdir} %files -n libbotan-%{version_suffix} %{_libdir}/libbotan-%{short_version}.so.* %files -n libbotan-devel %{_libdir}/libbotan-%{short_version}.so %{_libdir}/pkgconfig/botan-%{short_version}.pc %{_includedir}/botan-%{short_version} %files -n python3-botan %{python3_sitearch}/botan2.py %changelog ++++++ CVE-2021-24115.patch ++++++ ++++ 803 lines (skipped) ++++++ baselibs.conf ++++++ libbotan-2-10 libbotan-devel requires -libbotan-<targettype> = <version> requires "libbotan-2-10-<targettype> = <version>"
