Hello community, here is the log from the commit of package mbedtls for openSUSE:Factory checked in at 2017-07-21 22:37:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mbedtls (Old) and /work/SRC/openSUSE:Factory/.mbedtls.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mbedtls" Fri Jul 21 22:37:14 2017 rev:12 rq:509216 version:2.5.1 Changes: -------- --- /work/SRC/openSUSE:Factory/mbedtls/mbedtls.changes 2017-03-15 01:59:44.281057929 +0100 +++ /work/SRC/openSUSE:Factory/.mbedtls.new/mbedtls.changes 2017-07-21 22:37:15.863435400 +0200 @@ -1,0 +2,30 @@ +Mon Jul 10 14:17:59 UTC 2017 - mplus...@suse.com + +- Update to version 2.5.1: + * Adds hardware acceleration support for the Elliptic Curve Point + module. This has involved exposing parts of the internal + interface to enable replacing the core functions and adding an + alternative, module level replacement to support for enabling + the extension of the interface. + * Adds a new configuration option to mbedtls_ssl_config() to + enable suppressing the CA list in Certificate Request messages. + The default behaviour has not changed, namely every configured + CA's name is included. + * Fixes an unlimited overread of heap-based buffers in + mbedtls_ssl_read(). The issue could only happen client-side + with renegotiation enabled. This could result in a Denial of + Service (such as crashing the application) or information leak. + * Adds exponent blinding to RSA private operations as a + countermeasure against side-channel attacks like the cache + attack described in https://arxiv.org/abs/1702.08719v2. + * Wipes stack buffers in RSA private key operations + (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()). + * Removes SHA-1 and RIPEMD-160 from the default hash algorithms + for certificate verification. SHA-1 can be turned back on with + a compile-time option if needed. + * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to + fail to detect it sometimes. Reported by Hugo Leisink. + * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a + potential Bleichenbacher/BERserk-style attack. + +------------------------------------------------------------------- Old: ---- mbedtls-2.4.2-apache.tgz New: ---- mbedtls-2.5.1-apache.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mbedtls.spec ++++++ --- /var/tmp/diff_new_pack.DfeFNT/_old 2017-07-21 22:37:17.307231731 +0200 +++ /var/tmp/diff_new_pack.DfeFNT/_new 2017-07-21 22:37:17.311231167 +0200 @@ -20,7 +20,7 @@ %define lib_crypto libmbedcrypto0 %define lib_x509 libmbedx509-0 Name: mbedtls -Version: 2.4.2 +Version: 2.5.1 Release: 0 Summary: Libraries for crypto and SSL/TLS protocols License: Apache-2.0 @@ -32,7 +32,6 @@ BuildRequires: pkgconfig BuildRequires: pkgconfig(libpkcs11-helper-1) BuildRequires: pkgconfig(zlib) -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It @@ -119,7 +118,6 @@ %postun -n %{lib_x509} -p /sbin/ldconfig %files devel -%defattr(-,root,root) %doc ChangeLog README.md LICENSE %dir %{_includedir}/mbedtls %{_includedir}/mbedtls/*.h @@ -128,17 +126,14 @@ %{_libdir}/libmbedx509.so %files -n %{lib_tls} -%defattr(-,root,root) %doc LICENSE %{_libdir}/libmbedtls.so.* %files -n %{lib_crypto} -%defattr(-,root,root) %doc LICENSE %{_libdir}/libmbedcrypto.so.* %files -n %{lib_x509} -%defattr(-,root,root) %doc LICENSE %{_libdir}/libmbedx509.so.* ++++++ mbedtls-2.4.2-apache.tgz -> mbedtls-2.5.1-apache.tgz ++++++ ++++ 8167 lines of diff (skipped)