Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2022-03-11 21:39:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and      /work/SRC/openSUSE:Factory/.openssl-1_1.new.25692 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl-1_1"

Fri Mar 11 21:39:43 2022 rev:33 rq:960473 version:1.1.1m

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2022-02-15 
23:56:59.208163895 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.25692/openssl-1_1.changes       
2022-03-11 21:39:44.862004694 +0100
@@ -1,0 +2,19 @@
+Fri Mar  4 13:11:14 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- Security fix: [bsc#1192820, CVE-2002-20001]
+  * Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows
+    remote attackers (from the client side) to send arbitrary
+    numbers that are actually not public keys, and trigger
+    expensive server-side DHE calculation.
+  * Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST
+  * Rebase openssl-DEFAULT_SUSE_cipher.patch
+
+-------------------------------------------------------------------
+Tue Feb 22 17:35:53 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187]
+  * In an INI-type file, the sections begin with a [section_name]
+    and they run until the next section begins.
+  * Rebase openssl-1_1-use-include-directive.patch
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------

++++++ openssl-1_1-use-include-directive.patch ++++++
--- /var/tmp/diff_new_pack.q62zIR/_old  2022-03-11 21:39:46.750006037 +0100
+++ /var/tmp/diff_new_pack.q62zIR/_new  2022-03-11 21:39:46.754006040 +0100
@@ -1,27 +1,30 @@
---- a/apps/openssl.cnf 2021-08-24 09:38:47.000000000 -0400
-+++ b/apps/openssl.cnf 2021-12-06 17:13:34.549291242 -0500
-@@ -11,9 +11,23 @@
+Index: openssl-1.1.1m/apps/openssl.cnf
+===================================================================
+--- openssl-1.1.1m.orig/apps/openssl.cnf
++++ openssl-1.1.1m/apps/openssl.cnf
+@@ -11,6 +11,24 @@
  # defined.
  HOME                  = .
  
-+openssl_conf = openssl_init
++openssl_conf          = openssl_init
 +
-+[openssl_init]
++[ openssl_init ]
 +
- # Extra OBJECT IDENTIFIER info:
- #oid_file             = $ENV::HOME/.oid
- oid_section           = new_oids
-+engines                       = engine_section
++engines               = engine_section
++
++[ engine_section ]
 +
 +# This include will look through the directory that will contain the
 +# engine declarations for any engines provided by other packages.
-+[engine_section]
-+.include /etc/ssl/engines.d/
++.include /etc/ssl/engines.d
 +
 +# This include will look through the directory that will contain the
 +# definitions of the engines declared in the engine section.
-+.include /etc/ssl/engdef.d/
- 
- # To use this configuration file with the "-extfile" option of the
- # "openssl x509" utility, name here the section containing the
++.include /etc/ssl/engdef.d
++
++[ oid_section ]
++
+ # Extra OBJECT IDENTIFIER info:
+ #oid_file             = $ENV::HOME/.oid
+ oid_section           = new_oids
 
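Review bot: In the rebased patch the new `[ oid_section ]` header sits directly above the unchanged `oid_section = new_oids` line, so that key no longer lives in the default section of openssl.cnf but in a named section that nothing visible in this hunk references. The openssl command-line apps look `oid_section` up in the default section, so the extra OIDs declared under `[ new_oids ]` would presumably stop being registered; this should be confirmed against the installed file. If the aim is only to end `[ engine_section ]`, consider keeping `oid_section = new_oids` above `openssl_conf = openssl_init`, where it stays in the default section, instead of adding a new header. Separately, every file in `/etc/ssl/engines.d` and `/etc/ssl/engdef.d` is now pulled into the configuration of each process that loads this file, so a comment stating that both directories must be root-owned and not group- or world-writable would help packagers. The rest of openssl.cnf lies outside the hunk.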

++++++ openssl-DEFAULT_SUSE_cipher.patch ++++++
--- /var/tmp/diff_new_pack.q62zIR/_old  2022-03-11 21:39:46.778006057 +0100
+++ /var/tmp/diff_new_pack.q62zIR/_new  2022-03-11 21:39:46.782006060 +0100
@@ -22,14 +22,13 @@
 ===================================================================
 --- openssl-1.1.1.orig/include/openssl/ssl.h   2018-09-11 14:48:23.000000000 
+0200
 +++ openssl-1.1.1/include/openssl/ssl.h        2018-09-11 16:45:20.979303981 
+0200
-@@ -171,6 +171,11 @@ extern "C" {
+@@ -171,6 +171,10 @@ extern "C" {
   * This applies to ciphersuites for TLSv1.2 and below.
   */
  # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
 +# define SSL_DEFAULT_SUSE_CIPHER_LIST 
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
 +    
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
 +    
"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
-+    
"DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
 +    
"AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
  /* This is the default set of TLSv1.3 ciphersuites */
  # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
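Review bot: The shortened `SSL_DEFAULT_SUSE_CIPHER_LIST` carries no comment saying why the DHE-RSA suites are missing, so a later rebase could quietly reintroduce them; add a line above the define such as `/* DHE suites intentionally omitted: CVE-2002-20001, bsc#1192820 */`. With DHE gone, a peer that offers no ECDHE suite falls through to the static-RSA entries on the last line of the list (`AES256-GCM-SHA384` through `CAMELLIA128-SHA`), which provide no forward secrecy, so it is worth stating whether that fallback is intended. The change also only covers callers that use this default list; applications that set their own cipher string with DHE enabled remain exposed to the expensive server-side calculation and need their own mitigation.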
