Hello community,

here is the log from the commit of package Botan for openSUSE:Factory checked 
in at 2015-08-15 11:38:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/Botan (Old)
 and      /work/SRC/openSUSE:Factory/.Botan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "Botan"

Changes:
--------
--- /work/SRC/openSUSE:Factory/Botan/Botan.changes      2015-07-14 
17:20:29.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.Botan.new/Botan.changes 2015-08-15 
11:38:56.000000000 +0200
@@ -1,0 +2,40 @@
+Fri Aug 14 08:54:09 UTC 2015 - mvysko...@opensuse.org
+
+- Fix Source0 URL
+
+-------------------------------------------------------------------
+Tue Aug 11 22:49:31 UTC 2015 - netsr...@opensuse.org
+
+- bump SONAME to libbotan-1_10-1
+- Update to 1.10.10
+  * SECURITY: The BER decoder would crash due to reading from offset 0
+    of an empty vector if it encountered a BIT STRING which did not
+    contain any data at all. As the type requires a 1 byte field this
+    is not valid BER but could occur in malformed data. Found with
+    afl. CVE-2015-5726
+  * SECURITY: The BER decoder would allocate a fairly arbitrary amount
+    of memory in a length field, even if there was no chance the read
+    request would succeed. This might cause the process to run out of
+    memory or invoke the OOM killer. Found with afl. CVE-2015-5727
+  * Due to an ABI incompatible (though not API incompatible) change in
+    this release, the version number of the shared object has been
+    increased.
+  * The default TLS policy no longer allows RC4.
+  * Fix a signed integer overflow in Blue Midnight Wish that may cause
+    incorrect computations or undefined behavior.
+
+- Update to 1.10.9
+  * Fixed EAX tag verification to run in constant time
+  * The default TLS policy now disables SSLv3.
+  * A crash could occur when reading from a blocking random device if
+    the device initially indicated that entropy was available but a
+    concurrent process drained the entropy pool before the read was
+    initiated.
+  * Fix decoding indefinite length BER constructs that contain a
+    context sensitive tag of zero. Github pull 26 from Janusz Chorko.
+  * The botan-config script previously tried to guess its prefix from
+    the location of the binary. However this was error prone, and now
+    the script assumes the final installation prefix matches the value
+    set during the build. Github issue 29.
+
+-------------------------------------------------------------------
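
Review bot: The two SECURITY bullets under "Update to 1.10.10" cite CVE-2015-5726 and CVE-2015-5727 but carry no Bugzilla reference, so the changelog alone does not tie the fixes to a tracked bug. Add the corresponding boo# reference next to each CVE id. The 1.10.9 bullet "Fixed EAX tag verification to run in constant time" is also security-relevant but is not flagged like the other two; consider marking it so it is not missed when the entry is scanned for security fixes.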

Old:
----
  Botan-1.10.8.tbz

New:
----
  Botan-1.10.10.tgz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ Botan.spec ++++++
--- /var/tmp/diff_new_pack.zgluQ3/_old  2015-08-15 11:38:57.000000000 +0200
+++ /var/tmp/diff_new_pack.zgluQ3/_new  2015-08-15 11:38:57.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package Botan
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,17 +16,17 @@
 #
 
 
-%define version_suffix 1_10-0
+%define version_suffix 1_10-1
 %define short_version 1.10
 
 Name:           Botan
-Version:        1.10.8
+Version:        1.10.10
 Release:        0
 Url:            http://botan.randombit.net
 Summary:        A C++ Crypto Library
 License:        BSD-2-Clause
 Group:          Development/Libraries/C and C++
-Source:         https://files.randombit.net/botan/%{name}-%{version}.tbz
+Source0:        http://botan.randombit.net/releases/%{name}-%{version}.tgz
 Source2:        baselibs.conf
 Patch0:         Botan-inttypes.patch
 Patch1:         Botan-ull_constants.patch.bz2
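
Review bot: Source0 changes from https://files.randombit.net/... to plain http://botan.randombit.net/releases/..., so the 1.10.10 tarball is fetched without transport integrity, and this hunk adds no signature or keyring Source to authenticate it. Use an https URL if the release host offers one, or add the upstream detached signature as an additional Source so the download can be verified before the build.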

++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.zgluQ3/_old  2015-08-15 11:38:57.000000000 +0200
+++ /var/tmp/diff_new_pack.zgluQ3/_new  2015-08-15 11:38:57.000000000 +0200
@@ -1,4 +1,4 @@
-libbotan-1_10-0
+libbotan-1_10-1
 libbotan-devel
        requires -libbotan-<targettype> = <version>
-       requires "libbotan-1_10-0-<targettype> = <version>"
+       requires "libbotan-1_10-1-<targettype> = <version>"

