Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package mbedtls-2 for openSUSE:Factory checked in at 2023-10-08 12:19:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mbedtls-2 (Old)
 and      /work/SRC/openSUSE:Factory/.mbedtls-2.new.28202 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mbedtls-2" Sun Oct 8 12:19:08 2023 rev:4 rq:1116220 version:2.28.5 Changes: -------- --- /work/SRC/openSUSE:Factory/mbedtls-2/mbedtls-2.changes 2023-08-18 19:28:30.727332362 +0200 +++ /work/SRC/openSUSE:Factory/.mbedtls-2.new.28202/mbedtls-2.changes 2023-10-08 12:22:55.924110216 +0200 
@@ -1,0 +2,49 @@ +Sat Oct 7 13:08:45 UTC 2023 - Jaime MarquÃnez Ferrándiz <jaime.marquinez.ferran...@fastmail.net> + +- Update to 2.28.5: + Features + * The documentation of mbedtls_ecp_group now describes the optimized + representation of A for some curves. Fixes gh#Mbed-TLS/mbedtls#8045. + Security + * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should + review the size of the output buffer passed to this function, and note that + the output after decryption may include CBC padding. Consider moving to the + new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext() which + checks for overflow of the output buffer and reports the actual length of + the output. + * Improve padding calculations in CBC decryption, NIST key unwrapping and + RSA OAEP decryption. With the previous implementation, some compilers + (notably recent versions of Clang and IAR) could produce non-constant time + code, which could allow a padding oracle attack if the attacker has access + to precise timing measurements. + * Fix a buffer overread when parsing short TLS application data records in + ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz. + Bugfix + * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when + using ECC key. The certificate was rejected by some crypto frameworks. + Fixes gh#Mbed-TLS/mbedtls#2924. + * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA + signature can silently return an incorrect result in low memory conditions. + * Fix IAR compiler warnings. Fixes gh#Mbed-TLS/mbedtls#7873, + gh#Mbed-TLS/mbedtls#4300. + * Fix an issue when parsing an otherName subject alternative name into a + mbedtls_x509_san_other_name struct. The type-id of the otherName was not + copied to the struct. This meant that the struct had incomplete information + about the otherName SAN and contained uninitialized memory. + * Fix the detection of HardwareModuleName otherName SANs. 
These were being + detected by comparing the wrong field and the check was erroneously + inverted. + * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not + MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes + gh#Mbed-TLS/mbedtls#7498. Functions in the ssl_cache module now return a + negative MBEDTLS_ERR_xxx error code on failure. Before, they returned 1 to + indicate failure in some cases involving a missing entry or a full cache. + Changes + * In configurations with ARIA or Camellia but not AES, the value of + MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might suggest. + This did not affect any library code, because this macro was only used in + relation with CMAC which does not support these ciphers. Its value is now + 16 if ARIA or Camellia are present. This may affect application code that + uses this macro. + +------------------------------------------------------------------- Old: ---- mbedtls-2.28.4.tar.gz New: ---- mbedtls-2.28.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mbedtls-2.spec ++++++ --- /var/tmp/diff_new_pack.kPPeMR/_old 2023-10-08 12:22:57.040150387 +0200 +++ /var/tmp/diff_new_pack.kPPeMR/_new 2023-10-08 12:22:57.040150387 +0200 @@ -21,7 +21,7 @@ %define lib_x509 libmbedx509-1 %define _rname mbedtls Name: mbedtls-2 -Version: 2.28.4 +Version: 2.28.5 Release: 0 Summary: Libraries for crypto and SSL/TLS protocols License: Apache-2.0 ++++++ mbedtls-2.28.4.tar.gz -> mbedtls-2.28.5.tar.gz ++++++ ++++ 13049 lines of diff (skipped)
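
Review bot: In the Bugfix list of the new mbedtls-2.changes entry, the sentence "Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx error code on failure." runs on directly after "Fixes gh#Mbed-TLS/mbedtls#7498." inside the MBEDTLS_ECDSA_SIGN_ALT bullet, so a return-value change reads as part of an unrelated ECDSA fix. Give it its own "*" bullet; callers that compare the ssl_cache result against 1 need to notice it. The three Security items in the same entry carry no tracking reference, so if identifiers were assigned for them, cite them in those bullets so the update can be matched to advisories.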
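
Review bot: The mbedtls-2.spec hunk changes only the Version line, while the changelog for the same update records two changes that dependent packages can observe: ssl_cache functions now returning a negative MBEDTLS_ERR_xxx code where they returned 1, and MBEDTLS_CIPHER_BLKSIZE_MAX becoming 16 in configurations with ARIA or Camellia but not AES. The context line "%define lib_x509 libmbedx509-1" is left as is, so please confirm that the library sonames are unchanged in 2.28.5 and that dependents relying on those return values or on that macro were checked before this reaches Factory.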