Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2022-07-22 19:20:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.21925 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-3"
Fri Jul 22 19:20:36 2022 rev:4 rq:990536 version:3.0.5
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2022-03-23
20:21:04.070554054 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.21925/openssl-3.changes
2022-07-22 19:20:46.480614056 +0200
@@ -1,0 +2,98 @@
+Thu Jul 21 09:09:07 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to 3.0.5:
+ * The OpenSSL 3.0.4 release introduced a serious bug in the RSA
+ implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
+ This issue makes the RSA implementation with 2048 bit private keys
+ incorrect on such machines and memory corruption will happen during
+ the computation. As a consequence of the memory corruption an attacker
+ may be able to trigger a remote code execution on the machine performing
+ the computation.
+ SSL/TLS servers or other servers using 2048 bit RSA private keys running
+ on machines supporting AVX512IFMA instructions of the X86_64 architecture
+ are affected by this issue. [bsc#1201148, CVE-2022-2274]
+ * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
+ implementation would not encrypt the entirety of the data under some
+ circumstances. This could reveal sixteen bytes of data that was
+ preexisting in the memory that wasn't written. In the special case of
+ "in place" encryption, sixteen bytes of the plaintext would be revealed.
+ Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
+ they are both unaffected. [bsc#1201099, CVE-2022-2097]
+- Rebase patches:
+ * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+
+-------------------------------------------------------------------
+Mon Jul 18 12:03:55 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to 3.0.4: [bsc#1199166, CVE-2022-1292]
+ * In addition to the c_rehash shell command injection identified in
+ CVE-2022-1292, further bugs where the c_rehash script does not
+ properly sanitise shell metacharacters to prevent command injection
+ have been fixed.
+ When the CVE-2022-1292 was fixed it was not discovered that there
+ are other places in the script where the file names of certificates
+ being hashed were possibly passed to a command executed through the shell.
+ This script is distributed by some operating systems in a manner where
+ it is automatically executed. On such operating systems, an attacker
+ could execute arbitrary commands with the privileges of the script.
+ Use of the c_rehash script is considered obsolete and should be replaced
+ by the OpenSSL rehash command line tool.
+ * Case insensitive string comparison no longer uses locales.
+ It has instead been directly implemented.
+
+-------------------------------------------------------------------
+Mon Jul 18 12:03:21 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to 3.0.3:
+ * Case insensitive string comparison is reimplemented via new locale-agnostic
+ comparison functions OPENSSL_str[n]casecmp always using the POSIX locale
for
+ comparison. The previous implementation had problems when the Turkish
locale
+ was used.
+ * Fixed a bug in the c_rehash script which was not properly sanitising shell
+ metacharacters to prevent command injection. This script is distributed by
+ some operating systems in a manner where it is automatically executed. On
+ such operating systems, an attacker could execute arbitrary commands with
the
+ privileges of the script.
+ Use of the c_rehash script is considered obsolete and should be replaced
+ by the OpenSSL rehash command line tool. [bsc#1199166, CVE-2022-1292]
+ * Fixed a bug in the function 'OCSP_basic_verify' that verifies the signer
+ certificate on an OCSP response. The bug caused the function in the case
+ where the (non-default) flag OCSP_NOCHECKS is used to return a postivie
+ response (meaning a successful verification) even in the case where the
+ response signing certificate fails to verify.
+ It is anticipated that most users of 'OCSP_basic_verify' will not use the
+ OCSP_NOCHECKS flag. In this case the 'OCSP_basic_verify' function will
return
+ a negative value (indicating a fatal error) in the case of a certificate
+ verification failure. The normal expected return value in this case would
be 0.
+ This issue also impacts the command line OpenSSL "ocsp" application. When
+ verifying an ocsp response with the "-no_cert_checks" option the command
line
+ application will report that the verification is successful even though it
+ has in fact failed. In this case the incorrect successful response will
also
+ be accompanied by error messages showing the failure and contradicting the
+ apparently successful result. [bsc#1199167, CVE-2022-1343]
+ * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
+ AAD data as the MAC key. This made the MAC key trivially predictable.
+ An attacker could exploit this issue by performing a man-in-the-middle
attack
+ to modify data being sent from one endpoint to an OpenSSL 3.0 recipient
such
+ that the modified data would still pass the MAC integrity check.
+ Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
+ endpoint will always be rejected by the recipient and the connection will
+ fail at that point. Many application protocols require data to be sent from
+ the client to the server first. Therefore, in such a case, only an OpenSSL
+ 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
+ [bsc#1199168, CVE-2022-1434]
+ * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the
memory
+ occuppied by the removed hash table entries.
+ This function is used when decoding certificates or keys. If a long lived
+ process periodically decodes certificates or keys its memory usage will
+ expand without bounds and the process might be terminated by the operating
+ system causing a denial of service. Also traversing the empty hash table
+ entries will take increasingly more time. Typically such long lived
processes
+ might be TLS clients or TLS servers configured to accept client certificate
+ authentication. [bsc#1199169, CVE-2022-1473]
+ * The functions 'OPENSSL_LH_stats' and 'OPENSSL_LH_stats_bio' now only report
+ the 'num_items', 'num_nodes' and 'num_alloc_nodes' statistics. All other
+ statistics are no longer supported. For compatibility, these statistics are
+ still listed in the output but are now always reported as zero.
+
+-------------------------------------------------------------------
@@ -214,2 +312,2 @@
- call `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
- The `EVP_PKEY_set_alias_type` function has now been removed.
+ call 'EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)' to get SM2 computations.
+ The 'EVP_PKEY_set_alias_type' function has now been removed.
@@ -615 +713 @@
-- Use find -exec +. Replace `pwd` by simply $PWD.
+- Use find -exec +. Replace 'pwd' by simply $PWD.
Old:
----
openssl-3.0.2.tar.gz
openssl-3.0.2.tar.gz.asc
New:
----
openssl-3.0.5.tar.gz
openssl-3.0.5.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl-3.spec ++++++
--- /var/tmp/diff_new_pack.VLdcBw/_old 2022-07-22 19:20:47.236615354 +0200
+++ /var/tmp/diff_new_pack.VLdcBw/_new 2022-07-22 19:20:47.240615362 +0200
@@ -21,7 +21,7 @@
%define _rname openssl
Name: openssl-3
# Don't forget to update the version in the "openssl" package!
-Version: 3.0.2
+Version: 3.0.5
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: Apache-2.0
++++++ openssl-3.0.2.tar.gz -> openssl-3.0.5.tar.gz ++++++
/work/SRC/openSUSE:Factory/openssl-3/openssl-3.0.2.tar.gz
/work/SRC/openSUSE:Factory/.openssl-3.new.21925/openssl-3.0.5.tar.gz differ:
char 13, line 1
++++++ openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch ++++++
--- /var/tmp/diff_new_pack.VLdcBw/_old 2022-07-22 19:20:47.296615457 +0200
+++ /var/tmp/diff_new_pack.VLdcBw/_new 2022-07-22 19:20:47.296615457 +0200
@@ -15,10 +15,10 @@
util/libcrypto.num | 1 +
8 files changed, 110 insertions(+), 14 deletions(-)
-Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
+Index: openssl-3.0.5/Configurations/unix-Makefile.tmpl
===================================================================
---- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-3.0.1/Configurations/unix-Makefile.tmpl
+--- openssl-3.0.5.orig/Configurations/unix-Makefile.tmpl
++++ openssl-3.0.5/Configurations/unix-Makefile.tmpl
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@@ -38,10 +38,10 @@
(map { "-I".$_} @{$config{CPPINCLUDES}}),
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
-Index: openssl-3.0.1/doc/man1/openssl-ciphers.pod.in
+Index: openssl-3.0.5/doc/man1/openssl-ciphers.pod.in
===================================================================
---- openssl-3.0.1.orig/doc/man1/openssl-ciphers.pod.in
-+++ openssl-3.0.1/doc/man1/openssl-ciphers.pod.in
+--- openssl-3.0.5.orig/doc/man1/openssl-ciphers.pod.in
++++ openssl-3.0.5/doc/man1/openssl-ciphers.pod.in
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@@ -58,10 +58,10 @@
=item B<HIGH>
"High" encryption cipher suites. This currently means those with key lengths
-Index: openssl-3.0.1/include/openssl/ssl.h.in
+Index: openssl-3.0.5/include/openssl/ssl.h.in
===================================================================
---- openssl-3.0.1.orig/include/openssl/ssl.h.in
-+++ openssl-3.0.1/include/openssl/ssl.h.in
+--- openssl-3.0.5.orig/include/openssl/ssl.h.in
++++ openssl-3.0.5/include/openssl/ssl.h.in
@@ -210,6 +210,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@@ -74,10 +74,10 @@
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
-Index: openssl-3.0.1/ssl/ssl_ciph.c
+Index: openssl-3.0.5/ssl/ssl_ciph.c
===================================================================
---- openssl-3.0.1.orig/ssl/ssl_ciph.c
-+++ openssl-3.0.1/ssl/ssl_ciph.c
+--- openssl-3.0.5.orig/ssl/ssl_ciph.c
++++ openssl-3.0.5/ssl/ssl_ciph.c
@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret;
}
@@ -216,7 +216,7 @@
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
-@@ -1690,6 +1748,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack;
return cipherstack;
@@ -227,14 +227,14 @@
+ OPENSSL_free(new_rules);
+#endif
+ return NULL;
-+
++
}
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-Index: openssl-3.0.1/ssl/ssl_lib.c
+Index: openssl-3.0.5/ssl/ssl_lib.c
===================================================================
---- openssl-3.0.1.orig/ssl/ssl_lib.c
-+++ openssl-3.0.1/ssl/ssl_lib.c
+--- openssl-3.0.5.orig/ssl/ssl_lib.c
++++ openssl-3.0.5/ssl/ssl_lib.c
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
@@ -244,7 +244,7 @@
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
-@@ -3248,7 +3248,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
+@@ -3271,7 +3271,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@@ -253,10 +253,10 @@
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
-Index: openssl-3.0.1/test/cipherlist_test.c
+Index: openssl-3.0.5/test/cipherlist_test.c
===================================================================
---- openssl-3.0.1.orig/test/cipherlist_test.c
-+++ openssl-3.0.1/test/cipherlist_test.c
+--- openssl-3.0.5.orig/test/cipherlist_test.c
++++ openssl-3.0.5/test/cipherlist_test.c
@@ -246,7 +246,9 @@ end:
int setup_tests(void)
@@ -267,20 +267,20 @@
ADD_TEST(test_default_cipherlist_explicit);
ADD_TEST(test_default_cipherlist_clear);
return 1;
-Index: openssl-3.0.1/util/libcrypto.num
+Index: openssl-3.0.5/util/libcrypto.num
===================================================================
---- openssl-3.0.1.orig/util/libcrypto.num
-+++ openssl-3.0.1/util/libcrypto.num
-@@ -5425,3 +5425,4 @@ ASN1_item_d2i_ex
- ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
- EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
+--- openssl-3.0.5.orig/util/libcrypto.num
++++ openssl-3.0.5/util/libcrypto.num
+@@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
-+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
-Index: openssl-3.0.1/Configure
+ OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
+ OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
++ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
+Index: openssl-3.0.5/Configure
===================================================================
---- openssl-3.0.1.orig/Configure
-+++ openssl-3.0.1/Configure
-@@ -27,7 +27,7 @@ use OpenSSL::config;
+--- openssl-3.0.5.orig/Configure
++++ openssl-3.0.5/Configure
+@@ -28,7 +28,7 @@ use OpenSSL::config;
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
@@ -289,7 +289,7 @@
my $banner = <<"EOF";
-@@ -61,6 +61,10 @@ EOF
+@@ -62,6 +62,10 @@ EOF
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
# (Default: PREFIX/ssl)
@@ -300,7 +300,7 @@
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
-@@ -387,6 +391,7 @@ $config{prefix}="";
+@@ -388,6 +392,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
@@ -308,7 +308,7 @@
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
-@@ -989,6 +994,10 @@ while (@argvcopy)
+@@ -990,6 +995,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
