Hello community,

here is the log from the commit of package mbedtls for openSUSE:Factory checked 
in at 2015-10-17 16:38:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mbedtls (Old)
 and      /work/SRC/openSUSE:Factory/.mbedtls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mbedtls"

Changes:
--------
--- /work/SRC/openSUSE:Factory/mbedtls/mbedtls.changes  2015-08-10 
09:11:23.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.mbedtls.new/mbedtls.changes     2015-10-17 
16:38:11.000000000 +0200
@@ -1,0 +2,75 @@
+Thu Oct  8 06:53:02 UTC 2015 - mplus...@suse.com
+
+- Update to 1.3.14
+  * Added fix for CVE-2015-5291 (boo#949380) to prevent heap corruption due to 
buffer
+    overflow of the hostname or session ticket. Found by Guido Vranken,
+    Intelworks.
+  * Fix stack buffer overflow in pkcs12 decryption (used by
+    mbedtls_pk_parse_key(file)() when the password is > 129 bytes. Found by
+    Guido Vranken, Intelworks. Not triggerable remotely.
+  * Fix potential buffer overflow in mbedtls_mpi_read_string().
+    Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
+    of TLS, but might be in other uses. On 32 bit machines, requires reading a
+    string of close to or larger than 1GB to exploit; on 64 bit machines, would
+    require reading a string of close to or larger than 2^62 bytes.
+  * Fix potential random memory allocation in mbedtls_pem_read_buffer()
+    on crafted PEM input data. Found and fix provided by Guido Vranken,
+    Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
+    accept PEM data from an untrusted source.
+  * Fix potential double-free if ssl_set_psk() is called repeatedly on
+    the same ssl_context object and some memory allocations fail. Found by
+    Guido Vranken, Intelworks. Can not be forced remotely.
+  * Fix possible heap buffer overflow in base64_encode() when the input
+    buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
+    Intelworks. Found by Guido Vranken. Not trigerrable remotely in TLS.
+  * Fix potential heap buffer overflow in servers that perform client
+    authentication against a crafted CA cert. Cannot be triggered remotely
+    unless you allow third parties to pick trust CAs for client auth. Found by
+    Guido Vranken, Intelworks.
+  * Fix compile error in net.c with musl libc. Found and patch provided by
+    zhasha (#278).
+  * Fix macroization of 'inline' keywork when building as C++. (#279)
+  * Added checking of hostname length in ssl_set_hostname() to ensure domain
+    names are compliant with RFC 1035.
+- Changes for 1.3.13
+  * Fix possible client-side NULL pointer dereference (read) when the client
+    tries to continue the handshake after it failed (a misuse of the API).
+    (Found and patch provided by Fabian Foerg, Gotham Digital Science using 
afl-fuzz.)
+  * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
+    signatures. (Found by Florian Weimer, Red Hat.)
+    
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
+  * Setting SSL_MIN_DHM_BYTES in config.h had no effect (overriden in ssl.h)
+    (found by Fabio Solari) (#256)
+  * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
+    result trying to unlock an unlocked mutex on invalid input (found by
+    Fredrik Axelsson) (#257)
+  * Fix -Wshadow warnings (found by hnrkp) (#240)
+  * Fix unused function warning when using MBEDTLS_MDx_ALT or
+    MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
+  * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
+  * Fix memory corruption on client with overlong PSK identity, around
+    SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
+    Aleksandrs Saveljevs) (#238)
+  * Fix off-by-one error in parsing Supported Point Format extension that
+    caused some handshakes to fail.
+  * When verifying a certificate chain, if an intermediate certificate is
+    trusted, no later cert is checked. (suggested by hannes-landeholm)
+    (#220).
+- Changes for 1.3.12
+  * Increase the minimum size of Diffie-Hellman parameters accepted by the
+    client to 1024 bits, to protect against Logjam attack.
+  * Increase the size of default Diffie-Hellman parameters on the server to
+    2048 bits. This can be changed with ssl_set_dh_params().
+  * Fix thread-safety issue in SSL debug module (found by Edwin van Vliet).
+  * Some example programs were not built using make, not included in Visual
+    Studio projects (found by Kristian Bendiksen).
+  * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
+    Leisink).
+  * Fix missing -static-ligcc when building shared libraries for Windows with
+    make.
+  * Fix compile error with armcc5 --gnu.
+  * Add SSL_MIN_DHM_BYTES configuration parameter in config.h to choose the
+    minimum size of Diffie-Hellman parameters accepted by the client.
+  * The PEM parser now accepts a trailing space at end of lines (#226).
+
+-------------------------------------------------------------------
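Review bot: The 1.3.12 and 1.3.13 sections list security-relevant changes (raising the minimum Diffie-Hellman size accepted by the client to 1024 bits against Logjam, and the countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5 signatures) with no tracker reference, while only the CVE-2015-5291 item carries boo#949380. If bugs exist for those, reference them so the update can be traced. The text taken over from upstream also has slips worth cleaning up: "mbedtls_pk_parse_key(file)()" has unbalanced parentheses, the base64_encode() item says "Found by Guido Vranken" twice, and "keywork", "trigerrable", "triggerrable" and "-static-ligcc" are misspelled. Function names are mixed between mbedtls_-prefixed (mbedtls_mpi_read_string()) and unprefixed (ssl_set_psk(), base64_encode()); confirm which form matches the API of the 1.3 branch this package ships.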

Old:
----
  mbedtls-1.3.11-gpl.tgz

New:
----
  mbedtls-1.3.14-gpl.tgz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mbedtls.spec ++++++
--- /var/tmp/diff_new_pack.dgsBBu/_old  2015-10-17 16:38:11.000000000 +0200
+++ /var/tmp/diff_new_pack.dgsBBu/_new  2015-10-17 16:38:11.000000000 +0200
@@ -18,7 +18,7 @@
 
 %define lib_name lib%{name}9
 Name:           mbedtls
-Version:        1.3.11
+Version:        1.3.14
 Release:        0
 Summary:        Open Source embedded SSL/TLS cryptographic library
 License:        GPL-2.0+
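Review bot: The Version line moves from 1.3.11 to 1.3.14, spanning three upstream releases, while "%define lib_name lib%{name}9" in the context above is unchanged. Confirm that the shared library soname in 1.3.14 is still 9; otherwise the library subpackage name no longer matches what it ships.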

++++++ mbedtls-1.3.11-gpl.tgz -> mbedtls-1.3.14-gpl.tgz ++++++
++++ 4464 lines of diff (skipped)

