commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2024-07-26 16:12:26
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.1882 (New)
Package is "openssl-3"
Fri Jul 26 16:12:26 2024 rev:27 rq:1189313 version:3.1.4
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2024-07-16
22:02:09.057272666 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.1882/openssl-3.changes
2024-07-26 16:12:27.074336493 +0200
@@ -1,0 +2,17 @@
+Mon Jul 22 16:42:52 UTC 2024 - Pedro Monreal
+
+- Build with no-afalgeng [bsc#1226463]
+
+---
+Mon Jul 22 08:30:16 UTC 2024 - Pedro Monreal
+
+- Security fix: [bsc#1227138, CVE-2024-5535]
+ * SSL_select_next_proto buffer overread
+ * Add openssl-CVE-2024-5535.patch
+
+---
+Wed Jul 17 12:55:39 UTC 2024 - Pedro Monreal
+
+- Build with enabled sm2 and sm4 support [bsc#1222899]
+
+---
@@ -5,0 +23,10 @@
+
+---
+Thu Jun 6 15:12:10 UTC 2024 - Peter Simons
+
+- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
+ security vulnerability. Calling the function SSL_free_buffers()
+ potentially caused memory to be accessed that was previously
+ freed in some situations and a malicious attacker could attempt
+ to engineer a stituation where this occurs to facilitate a
+ denial-of-service attack. [CVE-2024-4741, bsc#1225551]
New:
openssl-CVE-2024-4741.patch
openssl-CVE-2024-5535.patch
BETA DEBUG BEGIN:
New:
- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
security vulnerability. Calling the function SSL_free_buffers()
New: * SSL_select_next_proto buffer overread
* Add openssl-CVE-2024-5535.patch
BETA DEBUG END:
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.TL3oAH/_old 2024-07-26 16:12:28.486393374 +0200
+++ /var/tmp/diff_new_pack.TL3oAH/_new 2024-07-26 16:12:28.486393374 +0200
@@ -94,8 +94,12 @@
# PATCH-FIX-UPSTREAM: bsc#1225291 NVMe/TCP TLS connection fails due to
handshake failure
Patch30:openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
Patch31:openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
+# PATCH-FIX-UPSTREAM bsc#1225551 CVE-2024-4741: use After Free with
SSL_free_buffers
+Patch32:openssl-CVE-2024-4741.patch
# PATCH-FIX-UPSTREAM: bsc#1223336 aes-gcm-avx512.pl: fix non-reproducibility
issue
-Patch32:reproducible.patch
+Patch33:reproducible.patch
+# PATCH-FIX-UPSTREAM: bsc#1227138 CVE-2024-5535: SSL_select_next_proto buffer
overread
+Patch34:openssl-CVE-2024-5535.patch
BuildRequires: pkgconfig
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
BuildRequires: ulp-macros
@@ -194,7 +198,8 @@
%endif
./Configure \
-no-mdc2 no-ec2m no-sm2 no-sm4 \
+no-mdc2 no-ec2m \
+no-afalgeng \
enable-rfc3779 enable-camellia enable-seed \
%ifarch x86_64 aarch64 ppc64le
enable-ec_nistp_64_gcc_128 \
++ openssl-CVE-2024-4741.patch ++
@@ -, +, @@
---
ssl/record/methods/tls_common.c | 8
1 file changed, 8 insertions(+)
--- openssl-3.0.8/ssl/record/ssl3_buffer.c
+++ openssl-3.0.8/ssl/record/ssl3_buffer.c
@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
OPENSSL_cleanse(b->buf, b->len);
OPENSSL_free(b->buf);
b->buf = NULL;
+s->rlayer.packet = NULL;
+s->rlayer.packet_length = 0;
return 1;
}
--- openssl-3.0.8/ssl/record/rec_layer_s3.c
+++ openssl-3.0.8/ssl/record/rec_layer_s3.c
@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
s->rlayer.packet_length = 0;
/* ... now we can act as if 'extend' was set */
}
+if (!ossl_assert(s->rlayer.packet != NULL)) {
+/* does not happen */
+SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+return -1;
+}
len = s->rlayer.packet_length;
pkt = rb->buf + align;
++ openssl-CVE-2024-5535.patch ++
>From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Fri, 31 May 2024 11:14:33 +0100
Subject: [PATCH] Fix SSL_select_next_proto
Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will no
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2024-05-23 15:34:05
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.24587 (New)
Package is "openssl-3"
Thu May 23 15:34:05 2024 rev:24 rq:1175444 version:3.1.4
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2024-05-11
18:19:06.753657879 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.24587/openssl-3.changes
2024-05-23 15:34:07.949160095 +0200
@@ -1,0 +2,7 @@
+Mon May 20 12:24:03 UTC 2024 - Otto Hollmann
+
+- Security fix: [bsc#1224388, CVE-2024-4603]
+ * Check DSA parameters for excessive sizes before validating
+ * Add openssl-CVE-2024-4603.patch
+
+---
New:
openssl-CVE-2024-4603.patch
BETA DEBUG BEGIN:
New: * Check DSA parameters for excessive sizes before validating
* Add openssl-CVE-2024-4603.patch
BETA DEBUG END:
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.VlEawa/_old 2024-05-23 15:34:11.305281881 +0200
+++ /var/tmp/diff_new_pack.VlEawa/_new 2024-05-23 15:34:11.305281881 +0200
@@ -89,6 +89,8 @@
Patch27:openssl-CVE-2024-0727.patch
# PATCH-FIX-UPSTREAM: bsc#1222548 CVE-2024-2511: Unbounded memory growth with
session handling in TLSv1.3
Patch28:openssl-CVE-2024-2511.patch
+# PATCH-FIX-UPSTREAM: bsc#1224388 CVE-2024-4603: excessive time spent checking
DSA keys and parameters
+Patch29:openssl-CVE-2024-4603.patch
BuildRequires: pkgconfig
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
BuildRequires: ulp-macros
++ openssl-CVE-2024-4603.patch ++
>From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 8 May 2024 15:23:45 +0200
Subject: [PATCH] Check DSA parameters for excessive sizes before validating
This avoids overly long computation of various validation
checks.
Fixes CVE-2024-4603
Reviewed-by: Paul Dale
Reviewed-by: Matt Caswell
Reviewed-by: Neil Horman
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/24346)
(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
---
CHANGES.md| 17 ++
crypto/dsa/dsa_check.c| 44 --
.../invalid/p10240_q256_too_big.pem | 57 +++
3 files changed, 114 insertions(+), 4 deletions(-)
create mode 100644
test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
Index: openssl-3.1.4/crypto/dsa/dsa_check.c
===
--- openssl-3.1.4.orig/crypto/dsa/dsa_check.c
+++ openssl-3.1.4/crypto/dsa/dsa_check.c
@@ -19,8 +19,34 @@
#include "dsa_local.h"
#include "crypto/dsa.h"
+static int dsa_precheck_params(const DSA *dsa, int *ret)
+{
+if (dsa->params.p == NULL || dsa->params.q == NULL) {
+ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
+*ret = FFC_CHECK_INVALID_PQ;
+return 0;
+}
+
+if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
+*ret = FFC_CHECK_INVALID_PQ;
+return 0;
+}
+
+if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
+ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
+*ret = FFC_CHECK_INVALID_PQ;
+return 0;
+}
+
+return 1;
+}
+
int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
{
+if (!dsa_precheck_params(dsa, ret))
+return 0;
+
if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
FFC_PARAM_TYPE_DSA, ret);
@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa
*/
int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{
+if (!dsa_precheck_params(dsa, ret))
+return 0;
+
return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
&& *ret == 0;
}
@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds
*/
int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int
*ret)
{
+if (!dsa_precheck_params(dsa, ret))
+return 0;
+
return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
&& *ret == 0;
}
@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d
{
*ret = 0;
-return (dsa->params.q != NULL
-&& ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
+if (!dsa_precheck_params(dsa,
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2024-05-09 12:07:13
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.1880 (New)
Package is "openssl-3"
Thu May 9 12:07:13 2024 rev:22 rq:1172431 version:3.1.4
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2024-03-01
23:33:55.289805006 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.1880/openssl-3.changes
2024-05-09 12:07:14.948519673 +0200
@@ -1,0 +2,13 @@
+Tue May 7 11:51:38 UTC 2024 - Otto Hollmann
+
+- Add ktls capability [bsc#1216950]
+ Already added in January, but not mentioned in this changelog.
+
+---
+Mon May 6 12:11:02 UTC 2024 - Otto Hollmann
+
+- Security fix: [bsc#1222548, CVE-2024-2511]
+ * Fix unconstrained session cache growth in TLSv1.3
+ * Add openssl-CVE-2024-2511.patch
+
+---
New:
openssl-CVE-2024-2511.patch
BETA DEBUG BEGIN:
New: * Fix unconstrained session cache growth in TLSv1.3
* Add openssl-CVE-2024-2511.patch
BETA DEBUG END:
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.rKhcBG/_old 2024-05-09 12:07:15.932553394 +0200
+++ /var/tmp/diff_new_pack.rKhcBG/_new 2024-05-09 12:07:15.932553394 +0200
@@ -83,6 +83,8 @@
Patch26:openssl-3-use-include-directive.patch
# PATCH-FIX-UPSTREAM: bsc#1219243 CVE-2024-0727: denial of service via null
dereference
Patch27:openssl-CVE-2024-0727.patch
+# PATCH-FIX-UPSTREAM: bsc#1222548 CVE-2024-2511: Unbounded memory growth with
session handling in TLSv1.3
+Patch28:openssl-CVE-2024-2511.patch
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Requires: libopenssl3 = %{version}-%{release}
++ openssl-CVE-2024-2511.patch ++
>From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 5 Mar 2024 15:43:53 +
Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
In TLSv1.3 we create a new session object for each ticket that we send.
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
use then the new session will be added to the session cache. However, if
early data is not in use (and therefore anti-replay protection is being
used), then multiple threads could be resuming from the same session
simultaneously. If this happens and a problem occurs on one of the threads,
then the original session object could be marked as not_resumable. When we
duplicate the session object this not_resumable status gets copied into the
new session object. The new session object is then added to the session
cache even though it is not_resumable.
Subsequently, another bug means that the session_id_length is set to 0 for
sessions that are marked as not_resumable - even though that session is
still in the cache. Once this happens the session can never be removed from
the cache. When that object gets to be the session cache tail object the
cache never shrinks again and grows indefinitely.
CVE-2024-2511
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/24044)
---
ssl/ssl_lib.c| 5 +++--
ssl/ssl_sess.c | 28 ++--
ssl/statem/statem_srvr.c | 5 ++---
3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b5cc4af2f0302..e747b7f90aa71 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
/*
* If the session_id_length is 0, we are not supposed to cache it, and it
- * would be rather hard to do anyway :-)
+ * would be rather hard to do anyway :-). Also if the session has already
+ * been marked as not_resumable we should not cache it for later reuse.
*/
-if (s->session->session_id_length == 0)
+if (s->session->session_id_length == 0 || s->session->not_resumable)
return;
/*
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index bf84e792251b8..241cf43c46296 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
return ss;
}
-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-{
-return ssl_session_dup(src, 1);
-}
-
/*
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
* ticket == 0 then no ticket information is duplicated, otherwise it is.
*/
-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+static SSL_SESSION *ssl_session_dup_intern(const SS
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-3 for openSUSE:Factory checked in at 2024-03-01 23:33:54 Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old) and /work/SRC/openSUSE:Factory/.openssl-3.new.1770 (New) Package is "openssl-3" Fri Mar 1 23:33:54 2024 rev:21 rq:1153155 version:3.1.4 Changes: --- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2024-02-08 19:02:07.438998915 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-3.new.1770/openssl-3.changes 2024-03-01 23:33:55.289805006 +0100 @@ -1,0 +2,6 @@ +Fri Feb 23 11:31:44 UTC 2024 - Pedro Monreal + +- Build the 32bit flavor of libopenssl-3-fips-provider [bsc#1220232] + * Update baselibs.conf + +--- Other differences: -- ++ baselibs.conf ++ --- /var/tmp/diff_new_pack.9QBsv4/_old 2024-03-01 23:33:56.305841751 +0100 +++ /var/tmp/diff_new_pack.9QBsv4/_new 2024-03-01 23:33:56.309841895 +0100 @@ -8,4 +8,6 @@ conflicts "libopenssl-1_1-devel-" requires -"openssl-3-" requires "libopenssl3- = " +libopenssl-3-fips-provider + requires "libopenssl3- >= "
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2023-10-27 22:27:00
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.17445 (New)
Package is "openssl-3"
Fri Oct 27 22:27:00 2023 rev:17 rq:1120189 version:3.1.4
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-10-20
23:18:12.197664021 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.17445/openssl-3.changes
2023-10-27 22:27:00.632911981 +0200
@@ -1,0 +2,30 @@
+Tue Oct 24 14:53:41 UTC 2023 - Otto Hollmann
+
+- Update to 3.1.4:
+ * Fix incorrect key and IV resizing issues when calling
+EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2()
+with OSSL_PARAM parameters that alter the key or IV length
+[bsc#1216163, CVE-2023-5363].
+
+---
+Thu Oct 19 15:03:14 UTC 2023 - Otto Hollmann
+
+- Performance enhancements for cryptography from OpenSSL 3.2
+ [jsc#PED-5086, jsc#PED-3514]
+ * Add patches:
+- openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
+- openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
+- openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
+- openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
+- openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
+- openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
+
+---
+Thu Oct 19 11:53:29 UTC 2023 - Pedro Monreal
+
+- FIPS: Add the FIPS_mode() compatibility macro and flag support.
+ * Add patches:
+- openssl-Add-FIPS_mode-compatibility-macro.patch
+- openssl-Add-Kernel-FIPS-mode-flag-support.patch
+
+---
Old:
openssl-3.1.3.tar.gz
openssl-3.1.3.tar.gz.asc
New:
openssl-3.1.4.tar.gz
openssl-3.1.4.tar.gz.asc
openssl-Add-FIPS_mode-compatibility-macro.patch
openssl-Add-Kernel-FIPS-mode-flag-support.patch
openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.suGu1W/_old 2023-10-27 22:27:01.836956141 +0200
+++ /var/tmp/diff_new_pack.suGu1W/_new 2023-10-27 22:27:01.840956287 +0200
@@ -22,7 +22,7 @@
%define man_suffix 3ssl
Name: openssl-3
# Don't forget to update the version in the "openssl" meta-package!
-Version:3.1.3
+Version:3.1.4
Release:0
Summary:Secure Sockets and Transport Layer Security
License:Apache-2.0
@@ -48,6 +48,17 @@
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
Patch9: openssl-Add_support_for_Windows_CA_certificate_store.patch
+# PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
+Patch10:openssl-Add-FIPS_mode-compatibility-macro.patch
+Patch11:openssl-Add-Kernel-FIPS-mode-flag-support.patch
+# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
+# POWER10 performance enhancements for cryptography
+Patch12:
openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
+Patch13:openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
+Patch14:
openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
+Patch15:openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
+Patch16:openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
+Patch17:
openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Requires: libopenssl3 = %{version}-%{release}
++ openssl-3.1.3.tar.gz -> openssl-3.1.4.tar.gz ++
/work/SRC/openSUSE:Factory/openssl-3/openssl-3.1.3.tar.gz
/work/SRC/openSUSE:Factory/.openssl-3.new.17445/openssl-3.1.4.tar.gz differ:
char 12, line 1
++ openssl-Add-FIPS_mode-compatibility-macro.patch ++
>From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
From: rpm-build
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id:
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2023-10-20 23:17:16
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.1945 (New)
Package is "openssl-3"
Fri Oct 20 23:17:16 2023 rev:16 rq:1118892 version:3.1.3
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-09-29
21:12:28.055353821 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.1945/openssl-3.changes
2023-10-20 23:18:12.197664021 +0200
@@ -1,0 +2,10 @@
+Thu Oct 12 09:44:19 UTC 2023 -
+
+- As of openssl 3.1.3, the devel package installs at least 5200
+ manpage files and is the owner of the most files in the man3
+ directory (in second place after lapack-man); move these manpages
+ off to the -doc subpackage to reduce the walltime to install just
+ openssl-3-devel (because there is also an invocation of mandb
+ that runs at some point).
+
+---
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.6hDc0H/_old 2023-10-20 23:18:12.905689853 +0200
+++ /var/tmp/diff_new_pack.6hDc0H/_new 2023-10-20 23:18:12.921690437 +0200
@@ -109,7 +109,8 @@
that want to make use of the OpenSSL C API.
%package doc
-Summary:Additional Package Documentation
+Summary:Manpages and additional documentation for openssl
+Conflicts: libopenssl-3-devel < %{version}-%{release}
Conflicts: openssl-doc
Provides: openssl-doc = %{version}
Obsoletes: openssl-doc < %{version}
@@ -259,12 +260,12 @@
%{_includedir}/ssl
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
-%{_mandir}/man3/*
%files doc
%doc README.md
%doc doc/html/* doc/HOWTO/* demos
%doc showciphers.c
+%{_mandir}/man3/*
%files
%license LICENSE.txt
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-3 for openSUSE:Factory checked in at 2023-09-29 21:12:21 Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old) and /work/SRC/openSUSE:Factory/.openssl-3.new.28202 (New) Package is "openssl-3" Fri Sep 29 21:12:21 2023 rev:15 rq:1113690 version:3.1.3 Changes: --- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-08-04 15:02:50.332061937 +0200 +++ /work/SRC/openSUSE:Factory/.openssl-3.new.28202/openssl-3.changes 2023-09-29 21:12:28.055353821 +0200 @@ -1,0 +2,7 @@ +Tue Sep 19 14:17:56 UTC 2023 - Otto Hollmann + +- Update to 3.1.3: + * Fix POLY1305 MAC implementation corrupting XMM registers on +Windows (CVE-2023-4807) + +--- Old: openssl-3.1.2.tar.gz openssl-3.1.2.tar.gz.asc New: openssl-3.1.3.tar.gz openssl-3.1.3.tar.gz.asc Other differences: -- ++ openssl-3.spec ++ --- /var/tmp/diff_new_pack.GQXlVq/_old 2023-09-29 21:12:30.211431612 +0200 +++ /var/tmp/diff_new_pack.GQXlVq/_new 2023-09-29 21:12:30.211431612 +0200 @@ -22,7 +22,7 @@ %define man_suffix 3ssl Name: openssl-3 # Don't forget to update the version in the "openssl" meta-package! -Version:3.1.2 +Version:3.1.3 Release:0 Summary:Secure Sockets and Transport Layer Security License:Apache-2.0 ++ openssl-3.1.2.tar.gz -> openssl-3.1.3.tar.gz ++ /work/SRC/openSUSE:Factory/openssl-3/openssl-3.1.2.tar.gz /work/SRC/openSUSE:Factory/.openssl-3.new.28202/openssl-3.1.3.tar.gz differ: char 12, line 1
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2023-08-04 15:02:42
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.22712 (New)
Package is "openssl-3"
Fri Aug 4 15:02:42 2023 rev:14 rq:1101934 version:3.1.2
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-07-24
18:11:36.825086846 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.22712/openssl-3.changes
2023-08-04 15:02:50.332061937 +0200
@@ -1,0 +2,51 @@
+Tue Aug 1 15:24:46 UTC 2023 - Pedro Monreal
+
+- Update to 3.1.2:
+ * Fix excessive time spent checking DH q parameter value
+(bsc#1213853, CVE-2023-3817). The function DH_check() performs
+various checks on DH parameters. After fixing CVE-2023-3446 it
+was discovered that a large q parameter value can also trigger
+an overly long computation during some of these checks. A
+correct q value, if present, cannot be larger than the modulus
+p parameter, thus it is unnecessary to perform these checks if
+q is larger than p. If DH_check() is called with such q parameter
+value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
+computationally intensive checks are skipped.
+ * Fix DH_check() excessive time with over sized modulus
+(bsc#1213487, CVE-2023-3446). The function DH_check() performs
+various checks on DH parameters. One of those checks confirms
+that the modulus ("p" parameter) is not too large. Trying to use
+a very large modulus is slow and OpenSSL will not normally use
+a modulus which is over 10,000 bits in length. However the
+DH_check() function checks numerous aspects of the key or
+parameters that have been supplied. Some of those checks use the
+supplied modulus value even if it has already been found to be
+too large. A new limit has been added to DH_check of 32,768 bits.
+Supplying a key/parameters with a modulus over this size will
+simply cause DH_check() to fail.
+ * Do not ignore empty associated data entries with AES-SIV
+(bsc#1213383, CVE-2023-2975). The AES-SIV algorithm allows for
+authentication of multiple associated data entries along with the
+encryption. To authenticate empty data the application has to call
+EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as
+the output buffer and 0 as the input buffer length. The AES-SIV
+implementation in OpenSSL just returns success for such call
+instead of performing the associated data authentication operation.
+The empty data thus will not be authenticated. The fix changes the
+authentication tag value and the ciphertext for applications that
+use empty associated data entries with AES-SIV. To decrypt data
+encrypted with previous versions of OpenSSL the application has to
+skip calls to EVP_DecryptUpdate() for empty associated data entries.
+ * When building with the enable-fips option and using the resulting
+FIPS provider, TLS 1.2 will, by default, mandate the use of an
+extended master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC
+DRBGs will not operate with truncated digests (FIPS 140-3 IG G.R).
+ * Update openssl.keyring with the OTC members that sign releases
+ * Remove openssl-z16-s390x.patch fixed upstream in
+https://github.com/openssl/openssl/pull/21284
+ * Remove security patches fixed upstream:
+- openssl-CVE-2023-2975.patch
+- openssl-CVE-2023-3446.patch
+- openssl-CVE-2023-3446-test.patch
+
+---
Old:
openssl-3.1.1.tar.gz
openssl-3.1.1.tar.gz.asc
openssl-CVE-2023-2975.patch
openssl-CVE-2023-3446-test.patch
openssl-CVE-2023-3446.patch
openssl-z16-s390x.patch
New:
openssl-3.1.2.tar.gz
openssl-3.1.2.tar.gz.asc
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.WWv9E8/_old 2023-08-04 15:02:51.508069267 +0200
+++ /var/tmp/diff_new_pack.WWv9E8/_new 2023-08-04 15:02:51.512069293 +0200
@@ -22,7 +22,7 @@
%define man_suffix 3ssl
Name: openssl-3
# Don't forget to update the version in the "openssl" meta-package!
-Version:3.1.1
+Version:3.1.2
Release:0
Summary:Secure Sockets and Transport Layer Security
License:Apache-2.0
@@ -46,15 +46,8 @@
# Add crypto-policies support
Patch7:
openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
-# PATCH-FIX-OPENSUSE: Fix compiler error "initializer element is not constant"
on s390
-Patch9: openssl-z16-
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2023-07-24 18:11:36
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.1467 (New)
Package is "openssl-3"
Mon Jul 24 18:11:36 2023 rev:13 rq:1099669 version:3.1.1
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-06-29
17:28:10.518205519 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.1467/openssl-3.changes
2023-07-24 18:11:36.825086846 +0200
@@ -1,0 +2,26 @@
+Thu Jul 20 07:48:20 UTC 2023 - Pedro Monreal
+
+- Security fix: [bsc#1213487, CVE-2023-3446]
+ * Fix DH_check() excessive time with over sized modulus.
+ * The function DH_check() performs various checks on DH parameters.
+One of those checks confirms that the modulus ("p" parameter) is
+not too large. Trying to use a very large modulus is slow and
+OpenSSL will not normally use a modulus which is over 10,000 bits
+in length.
+However the DH_check() function checks numerous aspects of the
+key or parameters that have been supplied. Some of those checks
+use the supplied modulus value even if it has already been found
+to be too large.
+A new limit has been added to DH_check of 32,768 bits. Supplying
+a key/parameters with a modulus over this size will simply cause
+DH_check() to fail.
+ * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
+
+---
+Tue Jul 18 07:32:49 UTC 2023 - Pedro Monreal
+
+- Security fix: [bsc#1213383, CVE-2023-2975]
+ * AES-SIV implementation ignores empty associated data entries
+ * Add openssl-CVE-2023-2975.patch
+
+---
New:
openssl-CVE-2023-2975.patch
openssl-CVE-2023-3446-test.patch
openssl-CVE-2023-3446.patch
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.rQhYeR/_old 2023-07-24 18:11:38.105094378 +0200
+++ /var/tmp/diff_new_pack.rQhYeR/_new 2023-07-24 18:11:38.109094402 +0200
@@ -50,7 +50,11 @@
Patch9: openssl-z16-s390x.patch
# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
Patch10:openssl-Add_support_for_Windows_CA_certificate_store.patch
-
+# PATCH-FIX-UPSTREAM: bsc#1213383 CVE-2023-2975 AES-SIV ignores empty data
entries
+Patch11:openssl-CVE-2023-2975.patch
+# PATCH-FIX-UPSTREAM: bsc#1213487 CVE-2023-3446 DH_check() excessive time with
over sized modulus
+Patch12:openssl-CVE-2023-3446.patch
+Patch13:openssl-CVE-2023-3446-test.patch
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Requires: libopenssl3 = %{version}-%{release}
++ openssl-CVE-2023-2975.patch ++
>From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Tue, 4 Jul 2023 17:30:35 +0200
Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
The AES-SIV mode allows for multiple associated data items
authenticated separately with any of these being 0 length.
The provided implementation ignores such empty associated data
which is incorrect in regards to the RFC 5297 and is also
a security issue because such empty associated data then become
unauthenticated if an application expects to authenticate them.
Fixes CVE-2023-2975
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/21384)
(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
---
.../implementations/ciphers/cipher_aes_siv.c | 18 +++---
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/providers/implementations/ciphers/cipher_aes_siv.c
b/providers/implementations/ciphers/cipher_aes_siv.c
index 45010b90db..b396c8651a 100644
--- a/providers/implementations/ciphers/cipher_aes_siv.c
+++ b/providers/implementations/ciphers/cipher_aes_siv.c
@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out,
size_t *outl,
if (!ossl_prov_is_running())
return 0;
-if (inl == 0) {
-*outl = 0;
-return 1;
-}
+/* Ignore just empty encryption/decryption call and not AAD. */
+if (out != NULL) {
+if (inl == 0) {
+if (outl != NULL)
+*outl = 0;
+return 1;
+}
-if (outsize < inl) {
-ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-return 0;
+if (outsize < inl) {
+ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+return 0;
+}
}
if (ctx->hw->cipher(ctx, out, in, inl) <= 0
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2023-06-29 17:27:49
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.13546 (New)
Package is "openssl-3"
Thu Jun 29 17:27:49 2023 rev:12 rq:1095607 version:3.1.1
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-06-01
17:18:47.285899926 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.13546/openssl-3.changes
2023-06-29 17:28:10.518205519 +0200
@@ -1,0 +2,8 @@
+Tue Jun 20 15:18:56 UTC 2023 - Otto Hollmann
+
+- Improve cross-package provides/conflicts [boo#1210313]
+ * Add Provides/Conflicts: ssl-devel
+ * Remove explicit conflicts with other devel-libraries
+ * Remove Provides: openssl(cli) - it's managed by meta package
+
+---
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.hCNzKn/_old 2023-06-29 17:28:11.186209432 +0200
+++ /var/tmp/diff_new_pack.hCNzKn/_new 2023-06-29 17:28:11.190209455 +0200
@@ -55,9 +55,7 @@
BuildRequires: pkgconfig(zlib)
Requires: libopenssl3 = %{version}-%{release}
Requires: openssl
-Conflicts: ssl
Provides: ssl
-Provides: openssl(cli)
# Needed for clean upgrade path, boo#1070003
Obsoletes: openssl-1_0_0
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
@@ -102,9 +100,8 @@
Requires: libopenssl3 = %{version}
Requires: pkgconfig(zlib)
Recommends: %{name} = %{version}
-# Conflicting names with libopenssl-1_1-devel
-Conflicts: libopenssl-1_1-devel
-Conflicts: libressl-devel
+Provides: ssl-devel
+Conflicts: ssl-devel
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl-1_1_0-devel
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-3 for openSUSE:Factory checked in at 2023-06-01 17:18:42 Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old) and /work/SRC/openSUSE:Factory/.openssl-3.new.2531 (New) Package is "openssl-3" Thu Jun 1 17:18:42 2023 rev:11 rq:1089933 version:3.1.1 Changes: --- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-03-12 16:22:18.796254105 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-3.new.2531/openssl-3.changes 2023-06-01 17:18:47.285899926 +0200 @@ -1,0 +2,134 @@ +Tue May 30 15:14:51 UTC 2023 - Otto Hollmann + +- Update to 3.1.1: + * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate +(CVE-2023-2650, bsc#1211430) + * Multiple algorithm implementation fixes for ARM BE platforms. + * Added a -pedantic option to fipsinstall that adjusts the various settings +to ensure strict FIPS compliance rather than backwards compatibility. + * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which +happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can +trigger a crash of an application using AES-XTS decryption if the memory +just after the buffer being decrypted is not mapped. Thanks to Anton +Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714) + * Add FIPS provider configuration option to disallow the use of truncated +digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The +option '-no_drbg_truncated_digests' can optionally be supplied +to 'openssl fipsinstall'. + * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that +it does not enable policy checking. Thanks to David Benjamin for +discovering this issue. (CVE-2023-0466, bsc#1209873) + * Fixed an issue where invalid certificate policies in leaf certificates are +silently ignored by OpenSSL and other certificate policy checks are +skipped for that certificate. A malicious CA could use this to +deliberately assert invalid certificate policies in order to circumvent +policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878) + * Limited the number of nodes created in a policy tree to mitigate against +CVE-2023-0464. The default limit is set to 1000 nodes, which should be +sufficient for most installations. If required, the limit can be adjusted +by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a +desired maximum number of nodes or zero to allow unlimited growth. +(CVE-2023-0464, bsc#1209624) + * Update openssl.keyring with key +A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz) + * Rebased patches: +- openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +- openssl-Add_support_for_Windows_CA_certificate_store.patch + * Removed patches: +- openssl-CVE-2023-0464.patch +- openssl-Fix-OBJ_nid2obj-regression.patch +- openssl-CVE-2023-0465.patch +- openssl-CVE-2023-0466.patch + +--- +Mon May 29 07:31:07 UTC 2023 - Pedro Monreal + +- FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116] + +--- +Mon May 15 09:00:04 UTC 2023 - Otto Hollmann + +- Add support for Windows CA certificate store [bsc#1209430] + https://github.com/openssl/openssl/pull/18070 + * Add openssl-Add_support_for_Windows_CA_certificate_store.patch + +--- +Wed Mar 29 12:11:10 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-0465, bsc#1209878] + * Invalid certificate policies in leaf certificates are silently ignored + * Add openssl-CVE-2023-0465.patch +- Security Fix: [CVE-2023-0466, bsc#1209873] + * Certificate policy check not enabled + * Add openssl-CVE-2023-0466.patch + +--- +Tue Mar 28 12:19:06 UTC 2023 - Pedro Monreal + +- Fix regression in the OBJ_nid2obj() function: [bsc#1209430] + * Upstream https://github.com/openssl/openssl/issues/20555 + * Add openssl-Fix-OBJ_nid2obj-regression.patch + +--- +Mon Mar 27 14:44:32 UTC 2023 - Otto Hollmann + +- Fix compiler error "initializer element is not constant" on s390 + * Add openssl-z16-s390x.patch + +--- +Fri Mar 24 13:55:25 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-0464, bsc#1209624] + * Excessive Resource Usage Verifying X.509 Policy Constraints + * Add openssl-CVE-2023-0464.patch + +--- +Wed Mar 15 14:55:29 UT
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2023-03-12 16:22:18
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.31432 (New)
Package is "openssl-3"
Sun Mar 12 16:22:18 2023 rev:10 rq:1070585 version:3.0.8
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-02-20
17:45:09.579196375 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.31432/openssl-3.changes
2023-03-12 16:22:18.796254105 +0100
@@ -1,0 +2,5 @@
+Wed Mar 8 10:37:09 UTC 2023 - Martin Pluskal
+
+- Build AVX2 enabled hwcaps library for x86_64-v3
+
+---
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.PNOowJ/_old 2023-03-12 16:22:19.492257171 +0100
+++ /var/tmp/diff_new_pack.PNOowJ/_new 2023-03-12 16:22:19.500257206 +0100
@@ -61,6 +61,7 @@
Obsoletes: openssl-1_0_0
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: openssl-1_1_0
+%{?suse_build_hwcaps_libs}
%description
OpenSSL is a software library to be used in applications that need to
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-3 for openSUSE:Factory checked in at 2023-02-20 17:45:03 Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old) and /work/SRC/openSUSE:Factory/.openssl-3.new.22824 (New) Package is "openssl-3" Mon Feb 20 17:45:03 2023 rev:9 rq:1063740 version:3.0.8 Changes: --- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-02-02 18:29:28.979869009 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-3.new.22824/openssl-3.changes 2023-02-20 17:45:09.579196375 +0100 @@ -1,0 +2,132 @@ +Tue Feb 7 15:43:22 UTC 2023 - Otto Hollmann + +- Update to 3.0.8: + * Fixed NULL dereference during PKCS7 data verification. +A NULL pointer can be dereferenced when signatures are being +verified on PKCS7 signed or signedAndEnveloped data. In case the hash +algorithm used for the signature is known to the OpenSSL library but +the implementation of the hash algorithm is not available the digest +initialization will fail. There is a missing check for the return +value from the initialization function which later leads to invalid +usage of the digest API most likely leading to a crash. +([bsc#1207541, CVE-2023-0401]) + +PKCS7 data is processed by the SMIME library calls and also by the +time stamp (TS) library calls. The TLS implementation in OpenSSL does +not call these functions however third party applications would be +affected if they call these functions to verify signatures on untrusted +data. + * Fixed X.400 address type confusion in X.509 GeneralName. +There is a type confusion vulnerability relating to X.400 address processing +inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING +but the public structure definition for GENERAL_NAME incorrectly specified +the type of the x400Address field as ASN1_TYPE. This field is subsequently +interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather +than an ASN1_STRING. + +When CRL checking is enabled (i.e. the application sets the +X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to +pass arbitrary pointers to a memcmp call, enabling them to read memory +contents or enact a denial of service. +([bsc#1207533, CVE-2023-0286]) + * Fixed NULL dereference validating DSA public key. +An invalid pointer dereference on read can be triggered when an +application tries to check a malformed DSA public key by the +EVP_PKEY_public_check() function. This will most likely lead +to an application crash. This function can be called on public +keys supplied from untrusted sources which could allow an attacker +to cause a denial of service attack. + +The TLS implementation in OpenSSL does not call this function +but applications might call the function if there are additional +security requirements imposed by standards such as FIPS 140-3. +([bsc#1207540, CVE-2023-0217]) + * Fixed Invalid pointer dereference in d2i_PKCS7 functions. +An invalid pointer dereference on read can be triggered when an +application tries to load malformed PKCS7 data with the +d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. + +The result of the dereference is an application crash which could +lead to a denial of service attack. The TLS implementation in OpenSSL +does not call this function however third party applications might +call these functions on untrusted data. +([bsc#1207539, CVE-2023-0216]) + * Fixed Use-after-free following BIO_new_NDEF. +The public API function BIO_new_NDEF is a helper function used for +streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL +to support the SMIME, CMS and PKCS7 streaming capabilities, but may also +be called directly by end user applications. + +The function receives a BIO from the caller, prepends a new BIO_f_asn1 +filter BIO onto the front of it to form a BIO chain, and then returns +the new head of the BIO chain to the caller. Under certain conditions, +for example if a CMS recipient public key is invalid, the new filter BIO +is freed and the function returns a NULL result indicating a failure. +However, in this case, the BIO chain is not properly cleaned up and the +BIO passed by the caller still retains internal pointers to the previously +freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO +then a use-after-free will occur. This will most likely result in a crash. +([bsc#1207536, CVE-2023-0215]) + * Fixed Double free after calling PEM_read_bio_ex. +The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and +decodes the "name" (e.g. "CERTIFICATE"), a
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2023-02-02 18:08:02
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.32243 (New)
Package is "openssl-3"
Thu Feb 2 18:08:02 2023 rev:8 rq:1062224 version:3.0.7
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2022-12-16
17:50:55.459777450 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.32243/openssl-3.changes
2023-02-02 18:29:28.979869009 +0100
@@ -1,0 +2,26 @@
+Thu Jan 26 08:17:50 UTC 2023 - Pedro Monreal
+
+- Relax the crypto-policies requirements for the regression tests
+
+---
+Wed Jan 25 11:09:52 UTC 2023 - Pedro Monreal
+
+- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042]
+ * Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch
+ * Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ * Package a copy of the original default config file called
+openssl.cnf and name it as openssl-orig.cnf and warn the user
+if the files differ.
+ * Add openssl-3-devel as conflicting with libopenssl-1_1-devel
+ * Remove patches:
+- fix-config-in-tests.patch
+- openssl-use-versioned-config.patch
+
+---
+Wed Jan 25 09:10:06 UTC 2023 - Pedro Monreal
+
+- Create the openssl ca-certificates directory in case the
+ ca-certificates package is not installed. This directory is
+ required by the nodejs regression tests. [bsc#1207484]
+
+---
@@ -5,0 +32,7 @@
+
+---
+Wed Dec 14 12:40:04 UTC 2022 - Pedro Monreal
+
+- Compute the hmac files for FIPS 140-3 integrity checking of the
+ openssl shared libraries using the brp-50-generate-fips-hmac
+ script. Also computed for the 32bit package.
Old:
fix-config-in-tests.patch
openssl-1.1.0-no-html.patch
openssl-use-versioned-config.patch
New:
openssl-no-html-docs.patch
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.6Z58eF/_old 2023-02-02 18:29:29.643873076 +0100
+++ /var/tmp/diff_new_pack.6Z58eF/_new 2023-02-02 18:29:29.647873101 +0100
@@ -1,7 +1,7 @@
#
# spec file for package openssl-3
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,8 +19,9 @@
%define ssletcdir %{_sysconfdir}/ssl
%define sover 3
%define _rname openssl
+%define man_suffix 3ssl
Name: openssl-3
-# Don't forget to update the version in the "openssl" package!
+# Don't forget to update the version in the "openssl" meta-package!
Version:3.0.7
Release:0
Summary:Secure Sockets and Transport Layer Security
@@ -35,28 +36,32 @@
#
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
Source4:%{_rname}.keyring
Source5:showciphers.c
-# PATCH-FIX-OPENSUSE: do not install html mans as it takes ages
-Patch1: openssl-1.1.0-no-html.patch
+# PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages
+Patch1: openssl-no-html-docs.patch
Patch2: openssl-truststore.patch
Patch3: openssl-pkgconfig.patch
Patch4: openssl-DEFAULT_SUSE_cipher.patch
Patch5: openssl-ppc64-config.patch
Patch6: openssl-no-date.patch
-# Patches for crypto-policies
+# Add crypto-policies support
Patch7:
openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
-# use openssl3.cnf
-Patch9: openssl-use-versioned-config.patch
-Patch10:fix-config-in-tests.patch
# PATCH-FIX-UPSTREAM bsc#1206374 CVE-2022-3996 X.509 Policy Constraints Double
Locking
-Patch11:openssl-3-Fix-double-locking-problem.patch
+Patch9: openssl-3-Fix-double-locking-problem.patch
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
-# Add requires for ct_log_list.cnf{,.dist}
+Requires: libopenssl3 = %{version}-%{release}
Requires: openssl
+Conflicts: ssl
+Provides: ssl
+Provides: openssl(cli)
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies
%endif
+# Needed for clean upgrade path, boo#1070003
+Obsoletes: openssl-1_0_0
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes: openssl-1_1_0
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2022-12-16 17:50:53
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.1835 (New)
Package is "openssl-3"
Fri Dec 16 17:50:53 2022 rev:7 rq:1042989 version:3.0.7
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2022-11-03
19:13:03.851612254 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.1835/openssl-3.changes
2022-12-16 17:50:55.459777450 +0100
@@ -1,0 +2,6 @@
+Wed Dec 14 16:38:05 UTC 2022 - Otto Hollmann
+
+- Fix X.509 Policy Constraints Double Locking [bsc#1206374, CVE-2022-3996]
+ * Add patch: openssl-3-Fix-double-locking-problem.patch
+
+---
New:
openssl-3-Fix-double-locking-problem.patch
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.t6evqL/_old 2022-12-16 17:50:56.027780576 +0100
+++ /var/tmp/diff_new_pack.t6evqL/_new 2022-12-16 17:50:56.035780620 +0100
@@ -48,6 +48,8 @@
# use openssl3.cnf
Patch9: openssl-use-versioned-config.patch
Patch10:fix-config-in-tests.patch
+# PATCH-FIX-UPSTREAM bsc#1206374 CVE-2022-3996 X.509 Policy Constraints Double
Locking
+Patch11:openssl-3-Fix-double-locking-problem.patch
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
# Add requires for ct_log_list.cnf{,.dist}
++ openssl-3-Fix-double-locking-problem.patch ++
>From 4d0340a6d2f327700a059f0b8f954d6160f8eef5 Mon Sep 17 00:00:00 2001
From: Pauli
Date: Fri, 11 Nov 2022 09:40:19 +1100
Subject: [PATCH] x509: fix double locking problem
This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
redundant flag setting.
Fixes #19643
Fixes LOW CVE-2022-3996
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/19652)
---
crypto/x509/pcy_map.c | 4
1 file changed, 4 deletions(-)
diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c
index 05406c6493f..60dfd1e3203 100644
--- a/crypto/x509/pcy_map.c
+++ b/crypto/x509/pcy_map.c
@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS
*maps)
ret = 1;
bad_mapping:
-if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
-x->ex_flags |= EXFLAG_INVALID_POLICY;
-CRYPTO_THREAD_unlock(x->lock);
-}
sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
return ret;
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-3 for openSUSE:Factory checked in at 2022-11-03 19:13:01 Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old) and /work/SRC/openSUSE:Factory/.openssl-3.new.2275 (New) Package is "openssl-3" Thu Nov 3 19:13:01 2022 rev:6 rq:1032748 version:3.0.7 Changes: --- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2022-09-15 23:01:30.713608657 +0200 +++ /work/SRC/openSUSE:Factory/.openssl-3.new.2275/openssl-3.changes 2022-11-03 19:13:03.851612254 +0100 @@ -1,0 +2,104 @@ +Tue Nov 1 18:29:41 UTC 2022 - Otto Hollmann + +- Temporary disable tests test_ssl_new and test_sslapi because they are + failing in openSUSE_Tumbleweed + +--- +Tue Nov 1 15:46:44 UTC 2022 - Otto Hollmann + +- Update to 3.0.7: [bsc#1204714, CVE-2022-3602,CVE-2022-3786] + * Fixed two buffer overflows in punycode decoding functions. +A buffer overrun can be triggered in X.509 certificate verification, +specifically in name constraint checking. Note that this occurs after +certificate chain signature verification and requires either a CA to +have signed the malicious certificate or for the application to continue +certificate verification despite failure to construct a path to a trusted +issuer. + +In a TLS client, this can be triggered by connecting to a malicious +server. In a TLS server, this can be triggered if the server requests +client authentication and a malicious client connects. + +An attacker can craft a malicious email address to overflow +an arbitrary number of bytes containing the `.` character (decimal 46) +on the stack. This buffer overflow could result in a crash (causing a +denial of service). +([CVE-2022-3786]) + +An attacker can craft a malicious email address to overflow four +attacker-controlled bytes on the stack. This buffer overflow could +result in a crash (causing a denial of service) or potentially remote code +execution depending on stack layout for any given platform/compiler. +([CVE-2022-3602]) + * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT +parameters in OpenSSL code. +Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR, +OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT. +Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead. +Using these invalid names may cause algorithms to use slower methods +that ignore the CRT parameters. + * Fixed a regression introduced in 3.0.6 version raising errors on some stack +operations. + * Fixed a regression introduced in 3.0.6 version not refreshing the certificate +data to be signed before signing the certificate. + * Added RIPEMD160 to the default provider. + * Ensured that the key share group sent or accepted for the key exchange +is allowed for the protocol version. + +--- +Tue Nov 1 10:42:00 UTC 2022 - Otto Hollmann + +- Update to 3.0.6: [bsc#1204226, CVE-2022-3358] + * OpenSSL supports creating a custom cipher via the legacy +EVP_CIPHER_meth_new() function and associated function calls. This function +was deprecated in OpenSSL 3.0 and application authors are instead encouraged +to use the new provider mechanism in order to implement custom ciphers. + * OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers +passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and +EVP_CipherInit_ex2() functions (as well as other similarly named encryption +and decryption initialisation functions). Instead of using the custom cipher +directly it incorrectly tries to fetch an equivalent cipher from the +available providers. An equivalent cipher is found based on the NID passed +to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID +for a given cipher. However it is possible for an application to incorrectly +pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When +NID_undef is used in this way the OpenSSL encryption/decryption +initialisation function will match the NULL cipher as being equivalent and +will fetch this from the available providers. This will succeed if the +default provider has been loaded (or if a third party provider has been +loaded that offers this cipher). Using the NULL cipher means that the +plaintext is emitted as the ciphertext. + * Applications are only affected by this issue if they call +EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to +an encryption/decryption initialisation function. Applications that
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-3 for openSUSE:Factory checked in at 2022-09-15 23:00:15 Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old) and /work/SRC/openSUSE:Factory/.openssl-3.new.2083 (New) Package is "openssl-3" Thu Sep 15 23:00:15 2022 rev:5 rq:1003956 version:3.0.5 Changes: --- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2022-07-22 19:20:46.480614056 +0200 +++ /work/SRC/openSUSE:Factory/.openssl-3.new.2083/openssl-3.changes 2022-09-15 23:01:30.713608657 +0200 @@ -1,0 +2,6 @@ +Wed Sep 14 09:22:14 UTC 2022 - Bruno Pitrus + +- Do not make libopenssl3-32bit obsolete libopenssl1_1-32bit. + They are independent libraries and can be installed simultaneously. + +--- Other differences: -- ++ baselibs.conf ++ --- /var/tmp/diff_new_pack.6jXL1f/_old 2022-09-15 23:01:31.709611469 +0200 +++ /var/tmp/diff_new_pack.6jXL1f/_new 2022-09-15 23:01:31.709611469 +0200 @@ -1,6 +1,4 @@ libopenssl3 - obsoletes "libopenssl1_1_0-" - obsoletes "libopenssl1_1-" libopenssl-3-devel provides "libopenssl-devel- = " conflicts "otherproviders(libopenssl-devel-)"
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-3 for openSUSE:Factory checked in at 2022-07-22 19:20:36 Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old) and /work/SRC/openSUSE:Factory/.openssl-3.new.21925 (New) Package is "openssl-3" Fri Jul 22 19:20:36 2022 rev:4 rq:990536 version:3.0.5 Changes: --- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2022-03-23 20:21:04.070554054 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-3.new.21925/openssl-3.changes 2022-07-22 19:20:46.480614056 +0200 @@ -1,0 +2,98 @@ +Thu Jul 21 09:09:07 UTC 2022 - Pedro Monreal + +- Update to 3.0.5: + * The OpenSSL 3.0.4 release introduced a serious bug in the RSA +implementation for X86_64 CPUs supporting the AVX512IFMA instructions. +This issue makes the RSA implementation with 2048 bit private keys +incorrect on such machines and memory corruption will happen during +the computation. As a consequence of the memory corruption an attacker +may be able to trigger a remote code execution on the machine performing +the computation. +SSL/TLS servers or other servers using 2048 bit RSA private keys running +on machines supporting AVX512IFMA instructions of the X86_64 architecture +are affected by this issue. [bsc#1201148, CVE-2022-2274] + * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised +implementation would not encrypt the entirety of the data under some +circumstances. This could reveal sixteen bytes of data that was +preexisting in the memory that wasn't written. In the special case of +"in place" encryption, sixteen bytes of the plaintext would be revealed. +Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, +they are both unaffected. [bsc#1201099, CVE-2022-2097] +- Rebase patches: + * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + +--- +Mon Jul 18 12:03:55 UTC 2022 - Pedro Monreal + +- Update to 3.0.4: [bsc#1199166, CVE-2022-1292] + * In addition to the c_rehash shell command injection identified in +CVE-2022-1292, further bugs where the c_rehash script does not +properly sanitise shell metacharacters to prevent command injection +have been fixed. +When the CVE-2022-1292 was fixed it was not discovered that there +are other places in the script where the file names of certificates +being hashed were possibly passed to a command executed through the shell. +This script is distributed by some operating systems in a manner where +it is automatically executed. On such operating systems, an attacker +could execute arbitrary commands with the privileges of the script. +Use of the c_rehash script is considered obsolete and should be replaced +by the OpenSSL rehash command line tool. + * Case insensitive string comparison no longer uses locales. +It has instead been directly implemented. + +--- +Mon Jul 18 12:03:21 UTC 2022 - Pedro Monreal + +- Update to 3.0.3: + * Case insensitive string comparison is reimplemented via new locale-agnostic +comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for +comparison. The previous implementation had problems when the Turkish locale +was used. + * Fixed a bug in the c_rehash script which was not properly sanitising shell +metacharacters to prevent command injection. This script is distributed by +some operating systems in a manner where it is automatically executed. On +such operating systems, an attacker could execute arbitrary commands with the +privileges of the script. +Use of the c_rehash script is considered obsolete and should be replaced +by the OpenSSL rehash command line tool. [bsc#1199166, CVE-2022-1292] + * Fixed a bug in the function 'OCSP_basic_verify' that verifies the signer +certificate on an OCSP response. The bug caused the function in the case +where the (non-default) flag OCSP_NOCHECKS is used to return a postivie +response (meaning a successful verification) even in the case where the +response signing certificate fails to verify. +It is anticipated that most users of 'OCSP_basic_verify' will not use the +OCSP_NOCHECKS flag. In this case the 'OCSP_basic_verify' function will return +a negative value (indicating a fatal error) in the case of a certificate +verification failure. The normal expected return value in this case would be 0. +This issue also impacts the command line OpenSSL "ocsp" application. When +verifying an ocsp response with the "-no_cert_checks" option the command line +application will report that the v
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2022-03-23 20:19:11
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.25692 (New)
Package is "openssl-3"
Wed Mar 23 20:19:11 2022 rev:3 rq:964296 version:3.0.2
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2022-03-16
20:20:41.740980107 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.25692/openssl-3.changes
2022-03-23 20:21:04.070554054 +0100
@@ -1,0 +2,13 @@
+Sat Mar 19 10:05:22 UTC 2022 - Pedro Monreal
+
+- Enable zlib compression support [bsc#1195149]
+
+---
+Fri Mar 18 22:27:34 UTC 2022 - Pedro Monreal
+
+- Add crypto-policies support.
+ * Fix some tests that couldn't find the openssl3.cnf location
+ * Rebase patch:
+openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+
+---
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.70nF89/_old 2022-03-23 20:21:04.830554484 +0100
+++ /var/tmp/diff_new_pack.70nF89/_new 2022-03-23 20:21:04.838554488 +0100
@@ -49,8 +49,12 @@
Patch9: openssl-use-versioned-config.patch
Patch10:fix-config-in-tests.patch
BuildRequires: pkgconfig
+BuildRequires: pkgconfig(zlib)
# Add requires for ct_log_list.cnf{,.dist}
Requires: openssl
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires: crypto-policies
+%endif
%description
OpenSSL is a software library to be used in applications that need to
@@ -60,6 +64,9 @@
%package -n libopenssl3
Summary:Secure Sockets and Transport Layer Security
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires: crypto-policies
+%endif
Recommends: ca-certificates-mozilla
%description -n libopenssl3
@@ -71,6 +78,7 @@
%package -n libopenssl-3-devel
Summary:Development files for OpenSSL
Requires: libopenssl3 = %{version}
+Requires: pkgconfig(zlib)
Recommends: %{name} = %{version}
# We need to have around only the exact version we are able to operate with
Conflicts: libopenssl-devel < %{version}
@@ -112,6 +120,7 @@
enable-ec_nistp_64_gcc_128 \
%endif
enable-camellia \
+zlib \
--prefix=%{_prefix} \
--libdir=%{_lib} \
--openssldir=%{ssletcdir} \
@@ -125,7 +134,8 @@
-DOPENSSL_NO_BUF_FREELISTS \
$(getconf LFS_CFLAGS) \
-Wall \
---with-rand-seed=getrandom
+--with-rand-seed=getrandom \
+
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config
# Show build configuration
perl configdata.pm --dump
@@ -135,16 +145,14 @@
%make_build all
%check
+
+# We must revert patch8 before running tests, otherwise they will fail.
+patch -p1 -R < %{P:8}
+
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
# export HARNESS_VERBOSE=yes
-LD_LIBRARY_PATH="$PWD" make TESTS='-test_req\
- -test_verify_store\
- -test_evp_fetch_prov\
- -test_ca\
- -test_ssl_old\
- -test_tsa'\
- test -j1
+LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa' test -j1
# show ciphers
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5}
-L%{buildroot}%{_libdir} -lssl -lcrypto
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
++ openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch ++
--- /var/tmp/diff_new_pack.70nF89/_old 2022-03-23 20:21:04.902554525 +0100
+++ /var/tmp/diff_new_pack.70nF89/_new 2022-03-23 20:21:04.906554527 +0100
@@ -216,14 +216,6 @@
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
-@@ -1656,6 +1713,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
- OPENSSL_free(co_list);
- sk_SSL_CIPHER_free(cipherstack);
-+OPENSSL_free(co_list);
- return NULL;
- }
- }
@@ -1690,6 +1748,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack;
commit openssl-3 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2022-03-16 20:20:36
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.25692 (New)
Package is "openssl-3"
Wed Mar 16 20:20:36 2022 rev:2 rq:962004 version:3.0.2
Changes:
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2022-02-02
22:40:08.648048164 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.25692/openssl-3.changes
2022-03-16 20:20:41.740980107 +0100
@@ -1,0 +2,29 @@
+Tue Mar 15 17:41:47 UTC 2022 - Pedro Monreal
+
+- Update to 3.0.2: [bsc#1196877, CVE-2022-0778]
+ * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli
+in BN_mod_sqrt() reachable when parsing certificates.
+ * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
+(RFC 5489) to the list of ciphersuites providing Perfect Forward
+Secrecy as required by SECLEVEL >= 3.
+ * Made the AES constant time code for no-asm configurations
+optional due to the resulting 95% performance degradation.
+The AES constant time code can be enabled, for no assembly
+builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+ * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to
+use empty passphrase strings.
+ * The negative return value handling of the certificate
+verification callback was reverted. The replacement is to set
+the verification retry state with the SSL_set_retry_verify()
+function.
+ * Rebase openssl-use-versioned-config.patch
+
+---
+Tue Feb 22 18:46:13 UTC 2022 - Pedro Monreal
+
+- Keep CA_default and tsa_config1 default paths in openssl3.cnf
+- Rebase patches:
+ * openssl-Override-default-paths-for-the-CA-directory-tree.patch
+ * openssl-use-versioned-config.patch
+
+---
Old:
openssl-3.0.1.tar.gz
openssl-3.0.1.tar.gz.asc
New:
openssl-3.0.2.tar.gz
openssl-3.0.2.tar.gz.asc
Other differences:
--
++ openssl-3.spec ++
--- /var/tmp/diff_new_pack.hZMK97/_old 2022-03-16 20:20:42.668980775 +0100
+++ /var/tmp/diff_new_pack.hZMK97/_new 2022-03-16 20:20:42.672980778 +0100
@@ -1,7 +1,7 @@
#
# spec file for package openssl-3
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
%define _rname openssl
Name: openssl-3
# Don't forget to update the version in the "openssl" package!
-Version:3.0.1
+Version:3.0.2
Release:0
Summary:Secure Sockets and Transport Layer Security
License:Apache-2.0
@@ -52,7 +52,6 @@
# Add requires for ct_log_list.cnf{,.dist}
Requires: openssl
-
%description
OpenSSL is a software library to be used in applications that need to
secure communications over computer networks against eavesdropping or
++ openssl-3.0.1.tar.gz -> openssl-3.0.2.tar.gz ++
/work/SRC/openSUSE:Factory/openssl-3/openssl-3.0.1.tar.gz
/work/SRC/openSUSE:Factory/.openssl-3.new.25692/openssl-3.0.2.tar.gz differ:
char 13, line 1
++ openssl-Override-default-paths-for-the-CA-directory-tree.patch ++
--- /var/tmp/diff_new_pack.hZMK97/_old 2022-03-16 20:20:42.776980853 +0100
+++ /var/tmp/diff_new_pack.hZMK97/_new 2022-03-16 20:20:42.780980856 +0100
@@ -40,22 +40,4 @@
[ ca ]
-@@ -79,7 +88,7 @@ default_ca = CA_default# The default c
-
- [ CA_default ]
-
--dir = ./demoCA # Where everything is kept
-+dir = /etc/pki/CA # Where everything is kept
- certs = $dir/certs# Where the issued certs are kept
- crl_dir = $dir/crl # Where the issued crl are kept
- database = $dir/index.txt# database index file.
-@@ -309,7 +318,7 @@ default_tsa = tsa_config1 # the default
- [ tsa_config1 ]
-
- # These are used by the TSA reply generation only.
--dir = ./demoCA # TSA root directory
-+dir = /etc/pki/CA # TSA root directory
- serial= $dir/tsaserial# The current serial number
(mandatory)
- crypto_device = builtin # OpenSSL engine to use for signing
- signer_cert = $dir/tsacert.pem # The TSA signing certificate
++ openssl-use-versioned-config.patch ++
--- /var/tmp/diff_new_pac
