commit openssl for openSUSE:11.3
Hello community,
here is the log from the commit of package openssl for openSUSE:11.3
checked in at Wed Jan 11 17:57:30 CET 2012.
--- old-versions/11.3/UPDATES/all/openssl/openssl.changes 2011-09-20
10:50:08.0 +0200
+++ 11.3/openssl/openssl.changes2012-01-11 08:36:51.0 +0100
@@ -1,0 +2,13 @@
+Wed Jan 11 07:23:14 UTC 2012 - g...@suse.com
+
+- fix security bug[bnc#739719] - openssl: various security issues
+ DTLS Plaintext Recovery Attack (CVE-2011-4108)
+ Uninitialized SSL 3.0 Padding (CVE-2011-4576)
+ Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
+ SGC Restart DoS Attack (CVE-2011-4619)
+ Invalid GOST parameters DoS Attack (CVE-2012-0027)
+
+ not affected:
+ Double-free in Policy Checks (CVE-2011-4109)
+
+---
calling whatdependson for 11.3-i586
New:
CVE-2011-4108.patch
CVE-2011-4576.patch
CVE-2011-4577.patch
CVE-2011-4619.patch
CVE-2012-0027.patch
Other differences:
--
++ openssl.spec ++
--- /var/tmp/diff_new_pack.PgRJW1/_old 2012-01-11 17:56:49.0 +0100
+++ /var/tmp/diff_new_pack.PgRJW1/_new 2012-01-11 17:56:49.0 +0100
@@ -1,7 +1,7 @@
#
# spec file for package openssl
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -32,7 +32,7 @@
%endif
#
Version:1.0.0
-Release:6.
+Release:6.
Summary:Secure Sockets and Transport Layer Security
Url:http://www.openssl.org/
Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -51,6 +51,11 @@
Patch8: ECDSA_signatures_timing_attack.patch
Patch9: CVE-2011-3207.patch
Patch10:CVE-2011-3210.patch
+Patch21:CVE-2011-4108.patch
+Patch22:CVE-2011-4576.patch
+Patch23:CVE-2011-4577.patch
+Patch24:CVE-2011-4619.patch
+Patch25:CVE-2012-0027.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -188,6 +193,11 @@
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
cp -p %{S:10} .
echo "adding/overwriting some entries in the 'table' hash in Configure"
#
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
++ CVE-2011-4108.patch ++
Index: openssl-1.0.0/ssl/d1_pkt.c
===
--- openssl-1.0.0.orig/ssl/d1_pkt.c
+++ openssl-1.0.0/ssl/d1_pkt.c
@@ -375,6 +375,7 @@ dtls1_process_record(SSL *s)
SSL3_RECORD *rr;
unsigned int mac_size;
unsigned char md[EVP_MAX_MD_SIZE];
+ int decryption_failed_or_bad_record_mac = 0;
rr= &(s->s3->rrec);
@@ -409,12 +410,10 @@ dtls1_process_record(SSL *s)
enc_err = s->method->ssl3_enc->enc(s,0);
if (enc_err <= 0)
{
- if (enc_err == 0)
- /* SSLerr() and ssl3_send_alert() have been called */
- goto err;
-
- /* otherwise enc_err == -1 */
- goto decryption_failed_or_bad_record_mac;
+ /* To minimize information leaked via timing, we will always
+* perform all computations before discarding the message.
+*/
+ decryption_failed_or_bad_record_mac = 1;
}
#ifdef TLS_DEBUG
@@ -444,7 +443,7 @@ printf("\n");
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
#else
- goto decryption_failed_or_bad_record_mac;
+ decryption_failed_or_bad_record_mac = 1;
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the
tail) */
@@ -455,17 +454,25 @@ printf("\n");
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err;
#else
- goto decryption_failed_or_bad_record_mac;
+ decryption_failed_or_bad_record_mac = 1;
#endif
}
rr->length-=mac_size;
i=s->method->ssl3_enc->mac(s,md,0);
if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
{
- goto decryption_failed_or_bad_record_mac;
+ decryption_failed_or_bad_record_mac = 1;
}
}
+ if (decryption_failed_or_bad_record_mac)
+ {
+ /* decryption failed, silently discard
commit openssl for openSUSE:11.3
Hello community,
here is the log from the commit of package openssl for openSUSE:11.3
checked in at Tue Sep 20 12:06:01 CEST 2011.
--- old-versions/11.3/UPDATES/all/openssl/openssl.changes 2011-05-31
09:52:17.0 +0200
+++ 11.3/openssl/openssl.changes2011-09-20 10:50:08.0 +0200
@@ -1,0 +2,13 @@
+Tue Sep 20 08:48:50 UTC 2011 - g...@suse.com
+
+- fix bug[bnc#716144] - VUL-0: openssl ECDH crash.
+ CVE-2011-3210
+
+---
+Tue Sep 13 03:12:21 UTC 2011 - g...@suse.com
+
+- Fix bug[bnc#716143].Fix bug where CRLs with nextUpdate
+ in the past are sometimes accepted by initialising
+ X509_STORE_CTX properly. (CVE-2011-3207)
+
+---
calling whatdependson for 11.3-i586
New:
CVE-2011-3207.patch
CVE-2011-3210.patch
Other differences:
--
++ openssl.spec ++
--- /var/tmp/diff_new_pack.u0gD7E/_old 2011-09-20 11:55:39.0 +0200
+++ /var/tmp/diff_new_pack.u0gD7E/_new 2011-09-20 11:55:39.0 +0200
@@ -32,7 +32,7 @@
%endif
#
Version:1.0.0
-Release:6.
+Release:6.
Summary:Secure Sockets and Transport Layer Security
Url:http://www.openssl.org/
Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -49,6 +49,8 @@
Patch6: CVE-2010-4180.patch
Patch7: CVE-2011-0014.patch
Patch8: ECDSA_signatures_timing_attack.patch
+Patch9: CVE-2011-3207.patch
+Patch10:CVE-2011-3210.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -184,6 +186,8 @@
%patch6 -p1
%patch7 -p1
%patch8 -p1
+%patch9 -p1
+%patch10 -p1
cp -p %{S:10} .
echo "adding/overwriting some entries in the 'table' hash in Configure"
#
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
++ CVE-2011-3207.patch ++
Index: openssl-1.0.0c/crypto/x509/x509_vfy.c
===
--- openssl-1.0.0c.orig/crypto/x509/x509_vfy.c
+++ openssl-1.0.0c/crypto/x509/x509_vfy.c
@@ -703,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ct
x = sk_X509_value(ctx->chain, cnum);
ctx->current_cert = x;
ctx->current_issuer = NULL;
+ ctx->current_crl_score = 0;
ctx->current_reasons = 0;
while (ctx->current_reasons != CRLDP_ALL_REASONS)
{
@@ -2015,6 +2016,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *
ctx->error_depth=0;
ctx->current_cert=NULL;
ctx->current_issuer=NULL;
+ ctx->current_crl=NULL;
+ ctx->current_crl_score=0;
+ ctx->current_reasons=0;
ctx->tree = NULL;
ctx->parent = NULL;
++ CVE-2011-3210.patch ++
Index: openssl-1.0.0c/ssl/d1_srvr.c
===
--- openssl-1.0.0c.orig/ssl/d1_srvr.c
+++ openssl-1.0.0c/ssl/d1_srvr.c
@@ -1017,12 +1017,11 @@ int dtls1_send_server_key_exchange(SSL *
SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
goto err;
}
- if (!EC_KEY_up_ref(ecdhp))
+ if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
{
SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
goto err;
}
- ecdh = ecdhp;
s->s3->tmp.ecdh=ecdh;
if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
Index: openssl-1.0.0c/ssl/s3_lib.c
===
--- openssl-1.0.0c.orig/ssl/s3_lib.c
+++ openssl-1.0.0c/ssl/s3_lib.c
@@ -2198,11 +2198,17 @@ void ssl3_clear(SSL *s)
}
#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
+ {
DH_free(s->s3->tmp.dh);
+ s->s3->tmp.dh = NULL;
+ }
#endif
#ifndef OPENSSL_NO_ECDH
if (s->s3->tmp.ecdh != NULL)
+ {
EC_KEY_free(s->s3->tmp.ecdh);
+ s->s3->tmp.ecdh = NULL;
+ }
#endif
rp = s->s3->rbuf.buf;
Index: openssl-1.0.0c/ssl/s3_srvr.c
===
--- openssl-1.0.0c.orig/ssl/s3_srvr.c
+++ openssl-1.0.0c/ssl/s3_srvr.c
@@ -778,6 +778,13 @@ int ssl3_check_client_hello(SSL *s)
s->s3->tmp.dh = NULL;
}
#endif
+#ifndef OPENSSL_NO_ECDH
+ if (s->s3->tmp.ecdh != NULL)
+ {
+ EC_KEY_free(s->s3->tmp.ecdh);
+ s->s3->tmp.ecdh = NULL;
+ }
+#endif
return 2;
}
return
commit openssl for openSUSE:11.3
Hello community,
here is the log from the commit of package openssl for openSUSE:11.3
checked in at Mon Jun 6 19:05:19 CEST 2011.
--- old-versions/11.3/UPDATES/all/openssl/openssl.changes 2011-02-10
08:31:19.0 +0100
+++ 11.3/openssl/openssl.changes2011-05-31 09:52:17.0 +0200
@@ -1,0 +2,9 @@
+Tue May 31 07:50:20 UTC 2011 - g...@novell.com
+
+- fix bug[bnc#693027].
+ Add protection against ECDSA timing attacks as mentioned in the paper
+ by Billy Bob Brumley and Nicola Tuveri, see:
+ http://eprint.iacr.org/2011/232.pdf
+ [Billy Bob Brumley and Nicola Tuveri]
+
+---
calling whatdependson for 11.3-i586
New:
ECDSA_signatures_timing_attack.patch
Other differences:
--
++ openssl.spec ++
--- /var/tmp/diff_new_pack.y04zGt/_old 2011-06-06 19:03:09.0 +0200
+++ /var/tmp/diff_new_pack.y04zGt/_new 2011-06-06 19:03:09.0 +0200
@@ -32,7 +32,7 @@
%endif
#
Version:1.0.0
-Release:6.
+Release:6.
Summary:Secure Sockets and Transport Layer Security
Url:http://www.openssl.org/
Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -48,6 +48,7 @@
Patch5: CVE-2010-3864.patch
Patch6: CVE-2010-4180.patch
Patch7: CVE-2011-0014.patch
+Patch8: ECDSA_signatures_timing_attack.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -182,6 +183,7 @@
%patch5 -p1
%patch6 -p1
%patch7 -p1
+%patch8 -p1
cp -p %{S:10} .
echo "adding/overwriting some entries in the 'table' hash in Configure"
#
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
++ ECDSA_signatures_timing_attack.patch ++
Index: openssl-1.0.0/crypto/ecdsa/ecs_ossl.c
===
--- openssl-1.0.0.orig/crypto/ecdsa/ecs_ossl.c
+++ openssl-1.0.0/crypto/ecdsa/ecs_ossl.c
@@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *ecke
}
while (BN_is_zero(k));
+#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
+ /* We do not want timing information to leak the length of k,
+* so we compute G*k using an equivalent scalar of fixed
+* bit-length. */
+
+ if (!BN_add(k, k, order)) goto err;
+ if (BN_num_bits(k) <= BN_num_bits(order))
+ if (!BN_add(k, k, order)) goto err;
+#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
+
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
{
Index: openssl-1.0.0/crypto/ocsp/ocsp_lib.c
===
--- openssl-1.0.0.orig/crypto/ocsp/ocsp_lib.c
+++ openssl-1.0.0/crypto/ocsp/ocsp_lib.c
@@ -170,13 +170,14 @@ int OCSP_parse_url(char *url, char **pho
char *host, *port;
+ *phost = NULL;
+ *pport = NULL;
+ *ppath = NULL;
+
/* dup the buffer since we are going to mess with it */
buf = BUF_strdup(url);
if (!buf) goto mem_err;
- *phost = NULL;
- *pport = NULL;
- *ppath = NULL;
/* Check for initial colon */
p = strchr(buf, ':');
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
