Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libressl for openSUSE:Factory checked in at 2021-12-10 21:52:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libressl (Old) and /work/SRC/openSUSE:Factory/.libressl.new.2520 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libressl" Fri Dec 10 21:52:28 2021 rev:59 rq:938272 version:3.3.5 Changes: -------- --- /work/SRC/openSUSE:Factory/libressl/libressl.changes 2021-08-26 23:16:35.988184113 +0200 +++ /work/SRC/openSUSE:Factory/.libressl.new.2520/libressl.changes 2021-12-10 21:52:42.826901286 +0100 @@ -1,0 +2,9 @@ +Thu Dec 9 19:41:49 UTC 2021 - Ferdinand Thiessen <r...@fthiessen.de> + +- Update to release 3.3.5 + * Fixed: A stack overread could occur when checking X.509 name + constraints. + * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier. + This compensates for the expiry of the DST Root X3 certificate. + +------------------------------------------------------------------- Old: ---- libressl-3.3.4.tar.gz libressl-3.3.4.tar.gz.asc New: ---- libressl-3.3.5.tar.gz libressl-3.3.5.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libressl.spec ++++++ --- /var/tmp/diff_new_pack.iRgfj5/_old 2021-12-10 21:52:44.102901851 +0100 +++ /var/tmp/diff_new_pack.iRgfj5/_new 2021-12-10 21:52:44.106901853 +0100 @@ -17,7 +17,7 @@ Name: libressl -Version: 3.3.4 +Version: 3.3.5 Release: 0 Summary: An SSL/TLS protocol implementation License: OpenSSL ++++++ libressl-3.3.4.tar.gz -> libressl-3.3.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.3.4/ChangeLog new/libressl-3.3.5/ChangeLog --- old/libressl-3.3.4/ChangeLog 2021-08-23 16:48:48.000000000 +0200 +++ new/libressl-3.3.5/ChangeLog 2021-10-01 02:02:34.000000000 +0200 
@@ -28,6 +28,14 @@ LibreSSL Portable Release Notes: +3.3.5 - Security fix + + * A stack overread could occur when checking X.509 name constraints. + From GoldBinocle on GitHub. + + * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier. + This compensates for the expiry of the DST Root X3 certificate. + 3.3.4 - Security fix * In LibreSSL, printing a certificate can result in a crash in diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.3.4/VERSION new/libressl-3.3.5/VERSION --- old/libressl-3.3.4/VERSION 2021-08-23 16:48:55.000000000 +0200 +++ new/libressl-3.3.5/VERSION 2021-10-01 02:13:55.000000000 +0200 @@ -1,2 +1,2 @@ -3.3.4 +3.3.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.3.4/cert.pem new/libressl-3.3.5/cert.pem --- old/libressl-3.3.4/cert.pem 2021-08-23 16:48:53.000000000 +0200 +++ new/libressl-3.3.5/cert.pem 2021-10-01 02:03:17.000000000 +0200 @@ -1,4 +1,4 @@ -# $OpenBSD: cert.pem,v 1.22 2021/02/12 12:16:53 sthen Exp $ +# $OpenBSD: cert.pem,v 1.22.2.1 2021/09/30 18:28:20 deraadt Exp $ ### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 === /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 
@@ -1965,49 +1965,6 @@ gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+ -----END CERTIFICATE----- -### Digital Signature Trust Co. - -=== /O=Digital Signature Trust Co./CN=DST Root CA X3 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Sep 30 21:12:19 2000 GMT - Not After : Sep 30 14:01:15 2021 GMT - Subject: O=Digital Signature Trust Co., CN=DST Root CA X3 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 -SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 -SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39 ------BEGIN CERTIFICATE----- -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw -7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ ------END CERTIFICATE----- - ### Disig a.s. === /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.3.4/configure new/libressl-3.3.5/configure --- old/libressl-3.3.4/configure 2021-08-23 16:49:43.000000000 +0200 +++ new/libressl-3.3.5/configure 2021-10-01 02:14:42.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libressl 3.3.4. +# Generated by GNU Autoconf 2.69 for libressl 3.3.5. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='libressl' PACKAGE_TARNAME='libressl' -PACKAGE_VERSION='3.3.4' -PACKAGE_STRING='libressl 3.3.4' +PACKAGE_VERSION='3.3.5' +PACKAGE_STRING='libressl 3.3.5' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1452,7 +1452,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libressl 3.3.4 to adapt to many kinds of systems. +\`configure' configures libressl 3.3.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1523,7 +1523,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libressl 3.3.4:";; + short | recursive ) echo "Configuration of libressl 3.3.5:";; esac cat <<\_ACEOF @@ -1641,7 +1641,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libressl configure 3.3.4 +libressl configure 3.3.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2189,7 +2189,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libressl $as_me 3.3.4, which was +It was created by libressl $as_me 3.3.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3125,7 +3125,7 @@ # Define the identity of the package. PACKAGE='libressl' - VERSION='3.3.4' + VERSION='3.3.5' cat >>confdefs.h <<_ACEOF @@ -14945,7 +14945,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libressl $as_me 3.3.4, which was +This file was extended by libressl $as_me 3.3.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15002,7 +15002,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libressl config.status 3.3.4 +libressl config.status 3.3.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.3.4/crypto/x509/x509_constraints.c new/libressl-3.3.5/crypto/x509/x509_constraints.c --- old/libressl-3.3.4/crypto/x509/x509_constraints.c 2021-08-23 16:48:53.000000000 +0200 +++ new/libressl-3.3.5/crypto/x509/x509_constraints.c 2021-09-30 16:34:07.000000000 +0200 @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_constraints.c,v 1.15 2021/03/12 15:57:30 tb Exp $ */ +/* $OpenBSD: x509_constraints.c,v 1.15.2.1 2021/09/26 14:07:40 deraadt Exp $ */ /* * Copyright (c) 2020 Bob Beck <b...@openbsd.org> * 
@@ -334,16 +334,16 @@
 if (c == '.')
 goto bad;
 }
- if (wi > DOMAIN_PART_MAX_LEN)
- goto bad;
 if (accept) {
+ if (wi >= DOMAIN_PART_MAX_LEN)
+ goto bad;
 working[wi++] = c;
 accept = 0;
 continue;
 }
 if (candidate_local != NULL) {
 /* We are looking for the domain part */
- if (wi > DOMAIN_PART_MAX_LEN)
+ if (wi >= DOMAIN_PART_MAX_LEN)
 goto bad;
 working[wi++] = c;
 if (i == len - 1) {
@@ -358,7 +358,7 @@
 continue;
 }
 /* We are looking for the local part */
- if (wi > LOCAL_PART_MAX_LEN)
+ if (wi >= LOCAL_PART_MAX_LEN)
 break;
 if (quoted) {
@@ -378,6 +378,8 @@
 */
 if (c == 9)
 goto bad;
+ if (wi >= LOCAL_PART_MAX_LEN)
+ goto bad;
 working[wi++] = c;
 continue; /* all's good inside our quoted string */
 }
@@ -407,6 +409,8 @@
 }
 if (!local_part_ok(c))
 goto bad;
+ if (wi >= LOCAL_PART_MAX_LEN)
+ goto bad;
 working[wi++] = c;
 }
 if (candidate_local == NULL || candidate_domain == NULL)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.3.4/crypto/x509/x509_vpm.c new/libressl-3.3.5/crypto/x509/x509_vpm.c
--- old/libressl-3.3.4/crypto/x509/x509_vpm.c 2021-08-23 16:48:53.000000000 +0200
+++ new/libressl-3.3.5/crypto/x509/x509_vpm.c 2021-10-01 02:03:17.000000000 +0200
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.25 2021/04/15 14:15:03 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.25.2.1 2021/09/30 18:25:43 deraadt Exp $ */
 /* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL * project 2004. */
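Review bot: The local-part length guard at @@ -358 rejects with `break` while the two guards added at @@ -378 and @@ -407 reject with `goto bad`, so the same bounds condition leaves the loop two different ways; the `break` appears to be safe only because the post-loop `candidate_local == NULL || candidate_domain == NULL` test then fails an unterminated local part, and that dependency deserves a comment such as `/* over-long local part: leave the loop and fail the NULL check below */`. The checks added at @@ -378 and @@ -407 look like duplicates of the @@ -358 check within the same iteration, assuming nothing in the lines between them (outside the hunk) advances `wi`; keeping them as defence in depth for a bounds fix is reasonable, but say so in a comment so a later cleanup does not drop the wrong one. All of the new `>=` comparisons encode that `working` must keep one byte free for the terminating NUL; its declaration is outside the hunk, so confirm the array is sized MAX_LEN plus one and consider pinning that with a `_Static_assert` next to the declaration. The enclosing function starts and ends outside these hunks.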
@@ -598,6 +598,7 @@
 static const X509_VERIFY_PARAM default_table[] = {
 {
 .name = "default",
+ .flags = X509_V_FLAG_TRUSTED_FIRST,
 .depth = 100,
 .trust = 0, /* XXX This is not the default trust value */
 .id = vpm_empty_id
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.3.4/include/openssl/opensslv.h new/libressl-3.3.5/include/openssl/opensslv.h
--- old/libressl-3.3.4/include/openssl/opensslv.h 2021-08-23 16:48:48.000000000 +0200
+++ new/libressl-3.3.5/include/openssl/opensslv.h 2021-09-30 16:33:48.000000000 +0200
@@ -3,9 +3,9 @@
 #define HEADER_OPENSSLV_H
 /* These will change with each release of LibreSSL-portable */
-#define LIBRESSL_VERSION_NUMBER 0x3030400fL
+#define LIBRESSL_VERSION_NUMBER 0x3030500fL
 /* ^ Patch starts here */
-#define LIBRESSL_VERSION_TEXT "LibreSSL 3.3.4"
+#define LIBRESSL_VERSION_TEXT "LibreSSL 3.3.5"
 /* These will never change */
 #define OPENSSL_VERSION_NUMBER 0x20000000L
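Review bot: The new `.flags = X509_V_FLAG_TRUSTED_FIRST` in the `"default"` entry changes chain building for every caller that never sets verify flags, yet the entry carries no comment saying why, while the neighbouring `.trust` line does; add `/* Prefer trust-store roots over CAs in the presented chain; compensates for the DST Root CA X3 expiry (ChangeLog 3.3.5) */`. Whether the other entries of `default_table` (outside the hunk) also need the flag or obtain it from the default entry is not visible here, and a sentence in the same comment would tell packagers which verifier paths are affected. Since this update also removes DST Root CA X3 from cert.pem, the two changes are linked and the comment should say so, so that neither is reverted on its own.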