Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libressl for openSUSE:Factory 
checked in at 2021-12-10 21:52:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libressl (Old)
 and      /work/SRC/openSUSE:Factory/.libressl.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libressl"

Fri Dec 10 21:52:28 2021 rev:59 rq:938272 version:3.3.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/libressl/libressl.changes        2021-08-26 
23:16:35.988184113 +0200
+++ /work/SRC/openSUSE:Factory/.libressl.new.2520/libressl.changes      
2021-12-10 21:52:42.826901286 +0100
@@ -1,0 +2,9 @@
+Thu Dec  9 19:41:49 UTC 2021 - Ferdinand Thiessen <r...@fthiessen.de>
+
+- Update to release 3.3.5
+  * Fixed: A stack overread could occur when checking X.509 name
+    constraints.
+  * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
+    This compensates for the expiry of the DST Root X3 certificate.
+
+-------------------------------------------------------------------

Old:
----
  libressl-3.3.4.tar.gz
  libressl-3.3.4.tar.gz.asc

New:
----
  libressl-3.3.5.tar.gz
  libressl-3.3.5.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libressl.spec ++++++
--- /var/tmp/diff_new_pack.iRgfj5/_old  2021-12-10 21:52:44.102901851 +0100
+++ /var/tmp/diff_new_pack.iRgfj5/_new  2021-12-10 21:52:44.106901853 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           libressl
-Version:        3.3.4
+Version:        3.3.5
 Release:        0
 Summary:        An SSL/TLS protocol implementation
 License:        OpenSSL

++++++ libressl-3.3.4.tar.gz -> libressl-3.3.5.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libressl-3.3.4/ChangeLog new/libressl-3.3.5/ChangeLog
--- old/libressl-3.3.4/ChangeLog        2021-08-23 16:48:48.000000000 +0200
+++ new/libressl-3.3.5/ChangeLog        2021-10-01 02:02:34.000000000 +0200
@@ -28,6 +28,14 @@
 
 LibreSSL Portable Release Notes:
 
+3.3.5 - Security fix
+
+       * A stack overread could occur when checking X.509 name constraints.
+         From GoldBinocle on GitHub.
+
+       * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
+         This compensates for the expiry of the DST Root X3 certificate.
+
 3.3.4 - Security fix
 
        * In LibreSSL, printing a certificate can result in a crash in
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libressl-3.3.4/VERSION new/libressl-3.3.5/VERSION
--- old/libressl-3.3.4/VERSION  2021-08-23 16:48:55.000000000 +0200
+++ new/libressl-3.3.5/VERSION  2021-10-01 02:13:55.000000000 +0200
@@ -1,2 +1,2 @@
-3.3.4
+3.3.5
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libressl-3.3.4/cert.pem new/libressl-3.3.5/cert.pem
--- old/libressl-3.3.4/cert.pem 2021-08-23 16:48:53.000000000 +0200
+++ new/libressl-3.3.5/cert.pem 2021-10-01 02:03:17.000000000 +0200
@@ -1,4 +1,4 @@
-# $OpenBSD: cert.pem,v 1.22 2021/02/12 12:16:53 sthen Exp $
+# $OpenBSD: cert.pem,v 1.22.2.1 2021/09/30 18:28:20 deraadt Exp $
 ### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
 
 === /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
@@ -1965,49 +1965,6 @@
 gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 -----END CERTIFICATE-----
 
-### Digital Signature Trust Co.
-
-=== /O=Digital Signature Trust Co./CN=DST Root CA X3
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Sep 30 21:12:19 2000 GMT
-            Not After : Sep 30 14:01:15 2021 GMT
-        Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
-SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
-SHA256 
Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-
 ### Disig a.s.
 
 === /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libressl-3.3.4/configure new/libressl-3.3.5/configure
--- old/libressl-3.3.4/configure        2021-08-23 16:49:43.000000000 +0200
+++ new/libressl-3.3.5/configure        2021-10-01 02:14:42.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libressl 3.3.4.
+# Generated by GNU Autoconf 2.69 for libressl 3.3.5.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='libressl'
 PACKAGE_TARNAME='libressl'
-PACKAGE_VERSION='3.3.4'
-PACKAGE_STRING='libressl 3.3.4'
+PACKAGE_VERSION='3.3.5'
+PACKAGE_STRING='libressl 3.3.5'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1452,7 +1452,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures libressl 3.3.4 to adapt to many kinds of systems.
+\`configure' configures libressl 3.3.5 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1523,7 +1523,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of libressl 3.3.4:";;
+     short | recursive ) echo "Configuration of libressl 3.3.5:";;
    esac
   cat <<\_ACEOF
 
@@ -1641,7 +1641,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-libressl configure 3.3.4
+libressl configure 3.3.5
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2189,7 +2189,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by libressl $as_me 3.3.4, which was
+It was created by libressl $as_me 3.3.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3125,7 +3125,7 @@
 
 # Define the identity of the package.
  PACKAGE='libressl'
- VERSION='3.3.4'
+ VERSION='3.3.5'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -14945,7 +14945,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by libressl $as_me 3.3.4, which was
+This file was extended by libressl $as_me 3.3.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -15002,7 +15002,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-libressl config.status 3.3.4
+libressl config.status 3.3.5
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libressl-3.3.4/crypto/x509/x509_constraints.c 
new/libressl-3.3.5/crypto/x509/x509_constraints.c
--- old/libressl-3.3.4/crypto/x509/x509_constraints.c   2021-08-23 
16:48:53.000000000 +0200
+++ new/libressl-3.3.5/crypto/x509/x509_constraints.c   2021-09-30 
16:34:07.000000000 +0200
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.15 2021/03/12 15:57:30 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.15.2.1 2021/09/26 14:07:40 deraadt Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <b...@openbsd.org>
  *
@@ -334,16 +334,16 @@
                        if (c == '.')
                                goto bad;
                }
-               if (wi > DOMAIN_PART_MAX_LEN)
-                       goto bad;
                if (accept) {
+                       if (wi >= DOMAIN_PART_MAX_LEN)
+                               goto bad;
                        working[wi++] = c;
                        accept = 0;
                        continue;
                }
                if (candidate_local != NULL) {
                        /* We are looking for the domain part */
-                       if (wi > DOMAIN_PART_MAX_LEN)
+                       if (wi >= DOMAIN_PART_MAX_LEN)
                                goto bad;
                        working[wi++] = c;
                        if (i == len - 1) {
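Review bot: The escaped-character branch (`if (accept)`) is bounded by `DOMAIN_PART_MAX_LEN` although it runs before the `candidate_local != NULL` split, so the domain limit is applied while the local part is still being collected. That is memory-safe only if `working` is sized for the larger of the two limits plus a terminator; the declaration is outside this hunk, so the invariant should be confirmed and written next to the check, for example `/* wi < DOMAIN_PART_MAX_LEN keeps the final NUL of working[] intact */`. A regression case with a local part and a domain of exactly the maximum length, and of one byte more, would pin the boundary that the `>` to `>=` change moves. The loop and the function begin and end outside the hunk.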
@@ -358,7 +358,7 @@
                        continue;
                }
                /* We are looking for the local part */
-               if (wi > LOCAL_PART_MAX_LEN)
+               if (wi >= LOCAL_PART_MAX_LEN)
                        break;
 
                if (quoted) {
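Review bot: An over-length local part is handled with `break` here, while the two checks of the same condition added further down (before `working[wi++] = c` in the quoted branch, and after `local_part_ok(c)`) use `goto bad`. As far as the visible lines show, nothing changes `wi` between this check and those two, so they look like defence in depth rather than reachable paths. A short comment such as `/* redundant with the check above; kept so every write to working[] is guarded locally */` would keep a later cleanup from removing them. Using `goto bad;` here as well would make the rejection explicit instead of relying on the NULL test after the loop. The code between the hunks is not shown, so the reachability claim needs checking against the full function.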
@@ -378,6 +378,8 @@
                         */
                        if (c == 9)
                                goto bad;
+                       if (wi >= LOCAL_PART_MAX_LEN)
+                               goto bad;
                        working[wi++] = c;
                        continue; /* all's good inside our quoted string */
                }
@@ -407,6 +409,8 @@
                }
                if (!local_part_ok(c))
                        goto bad;
+               if (wi >= LOCAL_PART_MAX_LEN)
+                       goto bad;
                working[wi++] = c;
        }
        if (candidate_local == NULL || candidate_domain == NULL)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libressl-3.3.4/crypto/x509/x509_vpm.c 
new/libressl-3.3.5/crypto/x509/x509_vpm.c
--- old/libressl-3.3.4/crypto/x509/x509_vpm.c   2021-08-23 16:48:53.000000000 
+0200
+++ new/libressl-3.3.5/crypto/x509/x509_vpm.c   2021-10-01 02:03:17.000000000 
+0200
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.25 2021/04/15 14:15:03 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.25.2.1 2021/09/30 18:25:43 deraadt Exp $ */
 /* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -598,6 +598,7 @@
 static const X509_VERIFY_PARAM default_table[] = {
        {
                .name = "default",
+               .flags = X509_V_FLAG_TRUSTED_FIRST,
                .depth = 100,
                .trust = 0,  /* XXX This is not the default trust value */
                .id = vpm_empty_id
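Review bot: The new `.flags = X509_V_FLAG_TRUSTED_FIRST` default carries no comment, and the reason for it is recorded only in the ChangeLog. I would add something like `/* prefer issuers from the trust store over peer-supplied ones, so chains that also carry an expired cross-signed root still verify */` above the field. Because this is a default in `default_table`, callers that clear verification flags or supply their own parameter set may not get it; how the defaults are inherited is outside this hunk, so the release note should describe the flag as a default rather than a guarantee. The initializer continues past the end of the hunk.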
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libressl-3.3.4/include/openssl/opensslv.h 
new/libressl-3.3.5/include/openssl/opensslv.h
--- old/libressl-3.3.4/include/openssl/opensslv.h       2021-08-23 
16:48:48.000000000 +0200
+++ new/libressl-3.3.5/include/openssl/opensslv.h       2021-09-30 
16:33:48.000000000 +0200
@@ -3,9 +3,9 @@
 #define HEADER_OPENSSLV_H
 
 /* These will change with each release of LibreSSL-portable */
-#define LIBRESSL_VERSION_NUMBER 0x3030400fL
+#define LIBRESSL_VERSION_NUMBER 0x3030500fL
 /*                                    ^ Patch starts here   */
-#define LIBRESSL_VERSION_TEXT   "LibreSSL 3.3.4"
+#define LIBRESSL_VERSION_TEXT   "LibreSSL 3.3.5"
 
 /* These will never change */
 #define OPENSSL_VERSION_NUMBER 0x20000000L
