8ab48c441a63ad00834f8c421ff6e21d0.9.8kautobuildCopy from Base:System/openssl based on submit request 19418 from user coolo
7a2036a2a70892aaa0ec94be11f24c1a0.9.8kautobuildCopy from Base:System/openssl based on submit request 24437 from user msmeissn
025ca510411075b9502cd40e95aa05350.9.8kautobuildCopy from Base:System/openssl based on submit request 28053 from user msmeissn
b839269c533c61c5b540d861918a28450.9.8kautobuildCopy from Base:System/openssl based on submit request 32358 from user coolo
e12dad05862bd6e3ea9ae32075f4b2d80.9.8kautobuild1b9c101c91e1f948a051db2bfdd126340.9.8mautobuildCopy from Base:System/openssl based on submit request 36001 from user msmeissn
36001a483b41e8e322d884550493d92f58b271.0.0autobuildCopy from Base:System/openssl based on submit request 37809 from user msmeissn
378097f3797c4fc76e5e47afba0f619eb9c2f1.0.0autobuildCopy from Base:System/openssl based on submit request 38656 from user coolo
3865696f82b89f31bb10242b7de20ef0142e11.0.0autobuildCopy from Base:System/openssl based on submit request 40076 from user msmeissn
4007686e59a932d5725b9c581ec38a806d72a1.0.0autobuildCopy from Base:System/openssl based on submit request 40913 from user msmeissn
4091372a391a7adc96fbf30b1ac4931f6f76d1.0.0autobuildCopy from Base:System/openssl based on submit request 41504 from user prusnak
4150472a391a7adc96fbf30b1ac4931f6f76d1.0.0autobuildrelease number sync72a391a7adc96fbf30b1ac4931f6f76d1.0.0autobuildrelease number sync33fe7de258465b6b1b92fc326b653c551.0.0autobuildCopy from Base:System/openssl based on submit request 43713 from user coolo
4371373a9d635435ad3fe08a2e0de7cc56ab01.0.0autobuildCopy from Base:System/openssl based on submit request 44144 from user elvigia
4414463f7deadd6ae530d2d4d10c7dea158831.0.0autobuildCopy from Base:System/openssl based on submit request 49880 from user coolo
498804de016bcf8cdb425cb6b41759e503ab91.0.0cdarixAccepted submit request 55363 from user a_jaeger
5536364731838ebe8cf773f475b2ac3800d331.0.0cdarixAutobuild autoformatter for 55363
b9eb4d8c11947deaf6c2cc7c4c379d871.0.0cdarixAccepted submit request 57693 from user msmeissn
576932552bcb950dcae2a53dc50cb5d447fb51.0.0cdarixAutobuild autoformatter for 57693
a9f4715a77fd79349229da5b57d85c661.0.0cdarixAccepted submit request 58423 from user elvigia
584234700625739f706cd092fb1b47f4d73e91.0.0cdarixAutobuild autoformatter for 58423
4700625739f706cd092fb1b47f4d73e91.0.0cautobuild11.4 source split67e6e0ca326a086af7e7d4908b86533d1.0.0csaschpeAccepted submit request 63797 from user coolo
637979a2c58f45e86de0af960ab4cc851b77c1.0.0csaschpeAutobuild autoformatter for 63797
bd3a9ed0461f0cbb8a784aea66c9cac31.0.0dsaschpeAccepted submit request 67324 from user coolo
673242d18cf1b0dbe449b01863eb0f1f0e9c81.0.0dsaschpeAutobuild autoformatter for 67324
9a2c58f45e86de0af960ab4cc851b77c1.0.0ccoolorevert to #51 to make factory a usable system again9a2c58f45e86de0af960ab4cc851b77c1.0.0coertelAccepted submit request 68054 from user licensedigger
6805486d87738369cbb3071c05a4946b200c31.0.0coertelAutobuild autoformatter for 68054
f64d4ede549437d8a2084ce2d294c6541.0.0csaschpeadded openssl as dependency in the devel package, or for packages linking to libopenssl there can be failures like : undefined reference to 'get_dh1024' because openssl binary is used during code generation (forwarded request 70339 from anubisg1)71772a31e486a1b9f1de5857e2a9d31f925751.0.0csaschpeAutobuild autoformatter for 71772
afd4a6ace0258c78bad06fb1b188740b1.0.0dsaschpeupdate to latest stable version 1.0.0d.7471575a614689299f9454b9a5834b4d1ead41.0.0dsaschpeAutobuild autoformatter for 74715
477ff60e60f5cc32f944c2ca4cdfe0e71.0.0dsaschpe- Edit baselibs.conf to provide libopenssl-devel-32bit too (forwarded request 77000 from jengelh)770549bbcbc7461c4221849b5ab6e5a0d0e431.0.0dsaschpeAutobuild autoformatter for 77054
f84dc1459e68055ae0c3512c944a06fd1.0.0dsaschpe- remove -fno-strict-aliasing from CFLAGS no longer needed
and is likely to slow down stuff. (forwarded request 78147 from elvigia)78150a5c6dc7dfef1251907e6cbe2cb1471071.0.0dsaschpeAutobuild autoformatter for 78150
89031ab7b75691ed882c92831880d6a81.0.0dsaschpe- Add upstream patch that calls ENGINE_register_all_complete()
in ENGINE_load_builtin_engines() saving us from adding dozens
of calls to such function to calling applications. (forwarded request 78169 from elvigia)78686bc1c77273dd16c848f05fc6fb1e9cf821.0.0dsaschpeAutobuild autoformatter for 78686
3ac76b4b768527fd9728da21c8ba3bdd1.0.0esaschpe- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210
see http://openssl.org/news/secadv_20110906.txt for details. (forwarded request 81347 from elvigia)81348422a99076c479f6eadce805b2d89d2a81.0.0esaschpeAutobuild autoformatter for 81348
af12189d1b4f248339324ac515295a3f1.0.0ecoolo- AES-NI: Check the return value of Engine_add()
if the ENGINE_add() call fails: it ends up adding a reference
to a freed up ENGINE which is likely to subsequently contain garbage
This will happen if an ENGINE with the same name is added multiple
times,for example different libraries. [bnc#720601] (forwarded request 88590 from elvigia)88591af12189d1b4f248339324ac515295a3f1.0.0eadrianSuSEf7c6d6859373b6dc703d9e2fbd1304b61.0.0ecooloreplace license with spdx.org variantebf70eafd1c8883f659034d051a0b8121.0.0gcooloupdate to 1.0.0g1024431ca9b6132668d4849aaef383b7f1b3521.0.0gcooloAutomatic submission by obs-autosubmit107790ca5a1d3617fa6b17f3c7d3a3b8ce4b2e1.0.0gcoololicense update: OpenSSL
(forwarded request 110174 from babelworx)11017697ea40e2518ec69db9b146e3fa4b1f6d1.0.0gcooloAutomatic submission by obs-autosubmit1137392934e4551259d7de0d4ab3e6cd78c3931.0.0icooloupdate to 1.0.0i115109957d621a93a6476a745fa8f5c1ecdb531.0.0icoolo- don't install any demo or expired certs at all11643367992622f8db9c93ef6ed6e7632672df1.0.1ccoolo- Update to version 1.0.1c for the complete list of changes see
NEWS, this only list packaging changes.
- Drop aes-ni patch, no longer needed as it is builtin in openssl
now.
- Define GNU_SOURCE and use -std=gnu99 to build the package.
- Use LFS_CFLAGS in platforms where it matters. (forwarded request 120643 from elvigia)12125667992622f8db9c93ef6ed6e7632672df1.0.1cadrianSuSEbranched from openSUSE:Factoryd2647c8651afa6e55bacf3c1a23426ea1.0.1ccoolo- fix build on armv5 (bnc#774710) (forwarded request 130344 from dirkmueller)1303584b75bf571498caa45380812a24529c071.0.1cnamtrac- Open Internal file descriptors with O_CLOEXEC, leaving
those open across fork()..execve() makes a perfect
vector for a side-channel attack... (forwarded request 131190 from elvigia)1316903f23e9bff3f4023bdfa78f4596027c5e1.0.1ccooloAutomatic submission by obs-autosubmit1419903f23e9bff3f4023bdfa78f4596027c5e1.0.1cadrianSuSESplit 12.3 from Factory317f3f5a2484cdb261cb4834fd27fe891.0.1dcoolo- update to version 1.0.1d, fixing security issues
o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
o Include the fips configuration module.
o Fix OCSP bad key DoS attack CVE-2013-0166
o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
bnc#802184
o Fix for TLS AESNI record handling flaw CVE-2012-26861513059a6e7edba444e39c36e02e300c5c08541.0.1dcooloFix nasty 1.0.1d regression (forwarded request 155056 from sumski)1550591d9e864160edf5357eaa7ec67b093bb71.0.1ecoolo- Update to 1.0.1e
o Bugfix release (bnc#803004)
- Drop openssl-1.0.1d-s3-packet.patch, included upstream155179e233487e1e805e31435b91d53134997f1.0.1ecoolo- disable fstack-protector on aarch64 (forwarded request 156130 from dirkmueller)1561673ef2b7e07be8ced0c78cb51a3f5b0f551.0.1ecooloadd %if tag for BuildArch. someone may need to fork it to SLE (forwarded request 176549 from MargueriteSu)176587d7180415f5a488869424d2adca5af4541.0.1ecoolo- pick openssl-fix-pod-syntax.diff out of the upstream RT to fix
build with perl 5.18 (forwarded request 180092 from coolo)18021560fc37ea7a2f506a9cbe8e9a997375751.0.1ecoolo- Build enable-ec_nistp_64_gcc_128, ecdh is many times faster
but only works in x86_64.
According to the openSSL team
"it is superior to the default in multiple regards (speed, and also
security as the new implementations are secure against timing
attacks)"
It is not enabled by default due to the build system being unable
to detect if the compiler supports __uint128_t. (forwarded request 181467 from elvigia)1815377326b54eed760633cc3b97dc29f906301.0.1ecoolo- Don't use the legacy /etc/ssl/certs directory anymore but rather
the p11-kit generated /var/lib/ca-certificates/openssl one
(fate#314991, openssl-1.0.1e-truststore.diff)1821474bfc69edc39951802b692d3db2e0e6701.0.1ecoolo- compression_methods_switch.patch: Disable compression by default to
avoid the CRIME attack (CVE-2012-4929 bnc#793420)
Can be overridden by setting environment variable
OPENSSL_NO_DEFAULT_ZLIB=no184582003348c57b97e54e85427f5bc47b393f1.0.1ecoolo- 0005-libssl-Hide-library-private-symbols.patch: hide
private symbols, this *only* applies to libssl where
it is straightforward to do so as applications should
not be using any of the symbols declared/defined in headers
that the library does not install.
A separate patch MAY be provided in the future for libcrypto
where things are much more complicated and therefore requires
careful testing. (forwarded request 185819 from elvigia)18582726c8b7c8157299519e9f13dc0c65ac8f1.0.1escarabeus_factoryFix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken; Add patch file: SSL_get_certificate-broken.patch (forwarded request 186693 from shawn2012)18671099b8184943b123be51f169ef93f51d2e1.0.1ecooloFix armv6l arch (armv7 was previously used to build armv6 which lead to illegal instruction when used) (forwarded request 197443 from Guillaume_G)19745199b8184943b123be51f169ef93f51d2e1.0.1eadrianSuSESplit 13.1 from Factory434db4fd20f6784cd452704502c127c61.0.1ecoolo- VPN openconnect problem (DTLS handshake failed)
(git 9fe4603b8, bnc#822642, openssl ticket#2984) (forwarded request 201079 from dmacvicar)2010946bf056b4165ef4b4a1660f7c750f19631.0.1escarabeus_factory- openssl-1.0.1c-ipv6-apps.patch:
Support ipv6 in the openssl s_client / s_server commandline app. (forwarded request 203361 from msmeissn)2034284e14c34b2260fce929264e3561949d5e1.0.1escarabeus_factory (forwarded request 204370 from elvigia)204475e39fe1f83740a903f8c0821b38abffb01.0.1ecooloPatches for OpenSSL FIPS-140-2/3 certification; Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch,openssl-1.0.1e-fips-ctor.patch (forwarded request 208378 from shawn2012)208487f91320871619e58ed01899ac7849395e1.0.1ecooloosc copypac from project:openSUSE:Factory package:openssl revision:99a01efd2c17f9a39ca08ac651d39e7a7b1.0.1ecooloAdjust the installation path; Modify files: README-FIPS.txt openssl.spec (forwarded request 210984 from shawn2012)210985662eb09be4f717dc44d6f8c4f5ea86821.0.1ecoolo- compression_methods_switch.patch: setenv might not be successful
if a surrounding library or application filters it, like e.g. sudo.
As setenv() does not seem to be useful anyway, remove it.
bnc#849377 (forwarded request 211400 from msmeissn)2114216f0fc2b4f5cd890b9caf29b7d6d9a99d1.0.1ecooloFixed bnc#856687, openssl: crash when using TLS 1.2; Add file: CVE-2013-6449.patch (forwarded request 212077 from shawn2012)212087ad88b80e73ddd393773782e704b8bd801.0.1escarabeus_factoryFixed bnc#857203, openssl: crash in DTLS renegotiation after packet loss; Add file: CVE-2013-6450.patch (forwarded request 212653 from shawn2012)212714feaaaea80a038e0dfa29a3d792ac2fe91.0.1ecooloFixed bnc#857850, openssl doesn't load engine; Modify file: openssl.spec (forwarded request 213131 from shawn2012)2131328338b1fa4a8280f14cf88366bed504641.0.1fcooloRemove GCC option -O3 for compiliation issue of ARM version; Modify: openssl.spec (forwarded request 213627 from shawn2012)213629037e9fe37e6efdb1c825f40e2a3f9eb21.0.1fcooloadditional changes required for FIPS validation( from Fedora repo); Add patch file: openssl-1.0.1e-new-fips-reqs.patch (forwarded request 224375 from shawn2012)224423bf174b7b6631d08856caece501c959001.0.1fcooloFix bug[ bnc#869945] CVE-2014-0076: openssl: Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack; Add file: CVE-2014-0076.patch (forwarded request 227417 from shawn2012)2275083ea1f9b1a7fe72b1bdd4b899ad3f59c81.0.1gcoolo- update to 1.0.1g:
* fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299)
* Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945)
* Workaround for the "TLS hang bug" (see FAQ and PR#2771)
- remove CVE-2014-0076.patch
- openssl.keyring: upstream changed to:
pub 4096R/FA40E9E2 2005-03-19 Dr Stephen N Henson <steve@openssl.org>
uid Dr Stephen Henson <shenson@drh-consultancy.co.uk>
uid Dr Stephen Henson <shenson@opensslfoundation.com>229370c423310e5fd02adf5ff2a2e56db0a1f41.0.1gcoolo- openssl-gcc-attributes.patch
* annotate memory allocation wrappers with attribute(alloc_size)
so the compiler can tell us if it knows they are being misused
* OPENSSL_showfatal is annotated with attribute printf to detect
format string problems.
- It is time to try to disable SSLv2 again, it was tried a while
ago but broke too many things, nowadays Debian, Ubuntu, the BSDs
all have disabled it, most components are already fixed.
I will fix the remaining fallout if any. (email me) (forwarded request 229674 from elvigia)22971522fa7d9f52ebed40cf9d0003b5f65e651.0.1gscarabeus_factoryosc copypac from project:openSUSE:Factory package:openssl revision:11052053653ab272885a3bd1f9876bdbdf71.0.1gscarabeus_factoryosc copypac from project:openSUSE:Factory package:openssl revision:111c22ba0e40034554234d11faec8c50ed21.0.1gcoolo- Build everything with full RELRO (-Wl,-z,relro,-z,now)
- Remove -fstack-protector from the hardcoded build options
it is already in RPM_OPT_FLAGS and is replaced by
-fstack-protector-strong with gcc 4.9
- Remove the "gmp" and "capi" shared engines, nobody noticed
but they are just dummies that do nothing.
- Use enable-rfc3779 to allow projects such as rpki.net
to work in openSUSE and match the functionality
available in Debian/Fedora/etc
- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix
CVE-2010-5298 and disable the internal BUF_FREELISTS
functionality. it hides bugs like heartbleed and is
there only for systems on which malloc() free() are slow.
- ensure we export MALLOC_CHECK and PERTURB during the test
suite, now that the freelist functionality is disabled it
will help to catch bugs before they hit users.
- openssl-libssl-noweakciphers.patch do not offer "export"
or "low" quality ciphers by default. using such ciphers
is not forbidden but requires an explicit request
- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does
not return memory of "num * old_num" but only "num" size
fortunately this function is currently unused. (forwarded request 230868 from elvigia)23110840204cea4e84b7bcf96ee549105394d91.0.1gcooloFixed bug[ bnc#876282], CVE-2014-0198 openssl: OpenSSL NULL pointer dereference in do_ssl3_write; Add file: CVE-2014-0198.patch (forwarded request 232650 from shawn2012)2326532c319034517beffdfcdb449162b5a6ac1.0.1gcoolo- 0005-libssl-Hide-library-private-symbols.patch
Update to hide more symbols that are not part of
the public API
- openssl-gcc-attributes.patch BUF_memdup also
needs attribute alloc_size as it returns memory
of size of the second parameter.
- openssl-ocloexec.patch Update, accept()
also needs O_CLOEXEC.
- 0009-Fix-double-frees.patch, 0017-Double-free-in-i2o_ECPublicKey.patch
fix various double frees (from upstream)
- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should
return an error immediately on failure of i2d_ECPrivateKey (from upstream)
- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
From libressl, modified to work on linux systems that do not have
funopen() but fopencookie() instead.
Once upon a time, OS didn't have snprintf, which caused openssl to
bundle a *printf implementation. We know better nowadays, the glibc
implementation has buffer overflow checking, has sane failure modes
deal properly with threads, signals..etc..
- build with -fno-common as well. (forwarded request 232752 from elvigia)2328890847edbebd1fd1a8e1d52a0ffc3858ca1.0.1gcoolo- Add upstream patches fixing coverity scan issues:
* 0018-fix-coverity-issues-966593-966596.patch
* 0020-Initialize-num-properly.patch
* 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
* 0023-evp-prevent-underflow-in-base64-decoding.patch
* 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
* 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
- Update 0001-libcrypto-Hide-library-private-symbols.patch
to cover more private symbols, now 98% complete and probably
not much more can be done to fix the rest of the ill-defined API.
- openssl-fips-hidden.patch new, hides private symbols added by the
FIPS patches.
- openssl-no-egd.patch disable the EGD (entropy gathering daemon)
interface, we have no EGD in the distro and obtaining entropy from
a place other than /dev/*random, the hardware rng or the openSSL
internal PRNG is an extremely bad & dangerous idea.
- use secure_getenv instead of getenv everywhere. (forwarded request 233217 from elvigia)233553a2e1d6cf1230c215d32370500b7a51cf1.0.1hcooloNOTE:
I submitted perl-Net-SSLeay 1.64 update to devel:languages:perl which
fixes its regression.
- updated openssl to 1.0.1h (bnc#880891):
- CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
- CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.
- CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
overrun attack can be triggered by sending invalid DTLS fragments to
an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
- CVE-2014-3470: Fix bug in TLS code where clients that enable anonymous
ECDH ciphersuites are subject to a denial of service attack.
- openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream
- CVE-2014-0198.patch: removed, upstream
- 0009-Fix-double-frees.patch: removed, upstream
- 0012-Fix-eckey_priv_encode.patch: removed, upstream
- 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream
- 0018-fix-coverity-issues-966593-966596.patch: removed, upstream
- 0020-Initialize-num-properly.patch: removed, upstream
- 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream
- 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream
- 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream
- 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream
- 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase
- openssl-1.0.1c-ipv6-apps.patch: refreshed
- openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed
- Added new SUSE default cipher suite
openssl-1.0.1e-add-suse-default-cipher.patch2369893cbf7d8a761c645048b1661e2c89e4e71.0.1hcoolo- recommend: ca-certificates-mozilla instead of openssl-certs238467c7d1bbd3277954bffac609e0f40886df1.0.1hcoolo- Move manpages around such that .3 is in openssl-doc
and .1 in openssl (forwarded request 241758 from jengelh)2417633a1843c63ba8d6bc2b359a33132c8c6e1.0.1icoolo- openssl.keyring: the 1.0.1i release was done by
Matt Caswell <matt@openssl.org> UK 0E604491
- rename README.SuSE (old spelling) to README.SUSE (bnc#889013)
- update to 1.0.1i
* Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
SRP code can overrun an internal buffer. Add sanity check that
g, A, B < N to SRP code.
(CVE-2014-3512)
* A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a
higher protocol version, by modifying the client's TLS records.
(CVE-2014-3511)
* OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. A malicious server can crash the client
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
(CVE-2014-3510)
* By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
(CVE-2014-3507)
* An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
(CVE-2014-3506)
* An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This2456423a1843c63ba8d6bc2b359a33132c8c6e1.0.1iadrianSuSESplit 13.2 from Factory4c159d3d38e9e232ca97ac0317ed8d961.0.1jdimstar_suseI also submitted libcamgm that matches this submit
- suse_version 10.1 & 10.2 x86_64 can not enable-ec_nistp_64_gcc_128
- openssl-1.0.1i-noec2m-fix.patch: only report the Elliptic Curves
we actually support (not the binary ones) (bnc#905037)
- openSUSE < 11.2 doesn't have accept4()
- openSSL 1.0.1j
* Fix SRTP Memory Leak (CVE-2014-3513)
* Session Ticket Memory Leak (CVE-2014-3567)
* Add SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV)
* Build option no-ssl3 is incomplete (CVE-2014-3568)264696ac7744d4225e338a4e5a2c26723b07d41.0.1kdimstar_suse- openssl 1.0.1k release
bsc#912294 CVE-2014-3571: Fix DTLS segmentation fault in dtls1_get_record.
bsc#912292 CVE-2015-0206: Fix DTLS memory leak in dtls1_buffer_record.
bsc#911399 CVE-2014-3569: Fix issue where no-ssl3 configuration sets method to NULL.
bsc#912015 CVE-2014-3572: Abort handshake if server key exchange
message is omitted for ephemeral ECDH ciphersuites.
bsc#912014 CVE-2015-0204: Remove non-export ephemeral RSA code on client and server.
bsc#912293 CVE-2015-0205: Fixed issue where DH client certificates are accepted without verification.
bsc#912018 CVE-2014-8275: Fix various certificate fingerprint issues.
bsc#912296 CVE-2014-3570: Correct Bignum squaring.
and other bugfixes.
- openssl.keyring: use Matt Caswell's current key.
pub 2048R/0E604491 2013-04-30
uid Matt Caswell <frodo@baggins.org>
uid Matt Caswell <matt@openssl.org>
sub 2048R/E3C21B70 2013-04-30
- openssl-1.0.1e-fips.patch: rediffed
- openssl-1.0.1i-noec2m-fix.patch: removed (upstream)
- openssl-ocloexec.patch: rediffed280570332e659fcab320305aab230a426549b81.0.1kdimstar_suse- The DATE stamp moved from crypto/Makefile to crypto/buildinf.h,
replace it there (bsc#915947)28400324555af95614deb9cc4a9b32394042881.0.1kdimstar_suse- security update:
* CVE-2015-0209 (bnc#919648)
- Fix a failure to NULL a pointer freed on error
* CVE-2015-0286 (bnc#922496)
- Segmentation fault in ASN1_TYPE_cmp
* CVE-2015-0287 (bnc#922499)
- ASN.1 structure reuse memory corruption
* CVE-2015-0288 x509: (bnc#920236)
- added missing public key is not NULL check
* CVE-2015-0289 (bnc#922500)
- PKCS7 NULL pointer dereferences
* CVE-2015-0293 (bnc#922488)
- Fix reachable assert in SSLv2 servers
* added patches:
openssl-CVE-2015-0209.patch
openssl-CVE-2015-0286.patch
openssl-CVE-2015-0287.patch
openssl-CVE-2015-0288.patch
openssl-CVE-2015-0289.patch
openssl-CVE-2015-0293.patch (forwarded request 291606 from vitezslav_cizek)29160742e82217a764c14e09dadc5dda1a8bb41.0.2adimstar_suse- update to 1.0.2a
* Major changes since 1.0.1:
- Suite B support for TLS 1.2 and DTLS 1.2
- Support for DTLS 1.2
- TLS automatic EC curve selection.
- API to set TLS supported signature algorithms and curves
- SSL_CONF configuration API.
- TLS Brainpool support.
- ALPN support.
- CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
- packaging changes:
* merged patches modifying CIPHER_LIST into one, dropping:
- openssl-1.0.1e-add-suse-default-cipher-header.patch
- openssl-libssl-noweakciphers.patch
* fix a manpage with invalid name
- added openssl-fix_invalid_manpage_name.patch
* remove a missing fips function
- openssl-missing_FIPS_ec_group_new_by_curve_name.patch
* reimported patches from Fedora
dropped patches:
- openssl-1.0.1c-default-paths.patch
- openssl-1.0.1c-ipv6-apps.patch
- openssl-1.0.1e-fips-ctor.patch
- openssl-1.0.1e-fips-ec.patch
- openssl-1.0.1e-fips.patch
- openssl-1.0.1e-new-fips-reqs.patch
- VIA_padlock_support_on_64systems.patch
added patches:
- openssl-1.0.2a-default-paths.patch
- openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek)310849780b50a7c66ad4819a88ab574338fd321.0.2dcoolo- update to 1.0.2d
* fixes CVE-2015-1793 (bsc#936746)
Alternate chains certificate forgery
During certificate verification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.
- drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek)315685addbbd040599e7d384514eb02fb58e521.0.2ecoolo- update to 1.0.2e
* fixes five security vulnerabilities
* Anon DH ServerKeyExchange with 0 p parameter
(CVE-2015-1794) (bsc#957984)
* BN_mod_exp may produce incorrect results on x86_64
(CVE-2015-3193) (bsc#957814)
* Certificate verify crash with missing PSS parameter
(CVE-2015-3194) (bsc#957815)
* X509_ATTRIBUTE memory leak
(CVE-2015-3195) (bsc#957812)
* Race condition handling PSK identity hint
(CVE-2015-3196) (bsc#957813)
- pulled a refreshed fips patch from Fedora
* openssl-1.0.2a-fips.patch was replaced by
openssl-1.0.2e-fips.patch
- refresh openssl-ocloexec.patch3475049b3d4acca137d27f17ea6776044812c41.0.2gdimstar_suse- update to 1.0.2g (bsc#968044)
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
Builds that are not configured with "enable-weak-ssl-ciphers" will not
provide any "EXPORT" or "LOW" strength ciphers.
* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
is by default disabled at build-time. Builds that are not configured with
"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
(CVE-2016-0800)
* Fix a double-free in DSA code
(CVE-2016-0705)
* Disable SRP fake user seed to address a server memory leak.
Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
(CVE-2016-0798)
* Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
(CVE-2016-0797)
* Side channel attack on modular exponentiation
http://cachebleed.info.
(CVE-2016-0702)
* Change the req app to generate a 2048-bit RSA/DSA key by default,
if no keysize is specified with default_bits. This fixes an
omission in an earlier change that changed all RSA/DSA key generation
apps to use 2048 bits by default. (forwarded request 363599 from vitezslav_cizek)363602c230ab3495cc8ec2fbce05c12cae6eaf1.0.2gdimstar_suse1390473eab2447be03661aa650767015dd07c4f1.0.2hdimstar_suse- OpenSSL Security Advisory [3rd May 2016]
- update to 1.0.2h (boo#977584, boo#977663)
* Prevent padding oracle in AES-NI CBC MAC check
A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server supports
AES-NI.
(CVE-2016-2107, boo#977616)
* Fix EVP_EncodeUpdate overflow
An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption.
(CVE-2016-2105, boo#977614)
* Fix EVP_EncryptUpdate overflow
An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
is able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate() with a partial block then a length check can overflow
resulting in a heap corruption.
(CVE-2016-2106, boo#977615)
* Prevent ASN.1 BIO excessive memory allocation
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can cause allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
(CVE-2016-2109, boo#976942)
* EBCDIC overread
ASN1 Strings that are over 1024 bytes can cause an overread in applications
using the X509_NAME_oneline() function on EBCDIC systems. This could result
in arbitrary stack data being returned in the buffer.
(CVE-2016-2176, boo#978224)
* Modify behavior of ALPN to invoke callback after SNI/servername (forwarded request 393446 from vitezslav_cizek)393456b3b921db92f436d9070b5705b6aa14841.0.2jdimstar_suse- update to openssl-1.0.2j
* Missing CRL sanity check (CVE-2016-7052 bsc#1001148)
- OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)
Severity: High
* OCSP Status Request extension unbounded memory growth
(CVE-2016-6304) (bsc#999666)
Severity: Low
* Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)
* Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249)
* DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)
* OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)
* DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)
* OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)
* Birthday attack against 64-bit block ciphers (SWEET32)
(CVE-2016-2183) (bsc#995359)
* Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)
* OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)
* Certificate message OOB reads (CVE-2016-6306) (bsc#999668)
- update to openssl-1.0.2i
* remove patches:
openssl-1.0.2a-new-fips-reqs.patch
openssl-1.0.2e-fips.patch
* add patches:
openssl-1.0.2i-fips.patch
openssl-1.0.2i-new-fips-reqs.patch
- fix crash in print_notice (bsc#998190)
* add openssl-print_notice-NULL_crash.patch430498a3c976e7d725e24e71b25e0ac586f7821.0.2jdimstar_suse- resume reading from /dev/urandom when interrupted by a signal
(bsc#995075)
* add openssl-randfile_fread_interrupt.patch
- add FIPS changes from SP2:
- fix problems with locking in FIPS mode (bsc#992120)
* duplicates: bsc#991877, bsc#991193, bsc#990392, bsc#990428
and bsc#990207
* bring back openssl-fipslocking.patch
- drop openssl-fips_RSA_compute_d_with_lcm.patch (upstream)
(bsc#984323)
- don't check for /etc/system-fips (bsc#982268)
* add openssl-fips-dont_run_FIPS_module_installed.patch
- refresh openssl-fips-rsagen-d-bits.patch (forwarded request 431508 from vitezslav_cizek)43306310372cbb26dc15bdf25e7080487b073c1.0.2kdimstar_suse- Updated to openssl 1.0.2k
- bsc#1009528 / CVE-2016-7055: openssl: Montgomery multiplication may produce incorrect results
- bsc#1019334 / CVE-2016-7056: openssl: ECDSA P-256 timing attack key recovery
- bsc#1022085 / CVE-2017-3731: openssl: Truncated packet could crash via OOB read
- bsc#1022086 / CVE-2017-3732: openssl: BN_mod_exp may produce incorrect results on x86_64452919bfa0cbbd4c5f6dd6971b8408fb353a5e1.0.2kdimstar_suse- fix X509_CERT_FILE path (bsc#1022271) and rename
updated openssl-1.0.1e-truststore.diff to openssl-truststore.patch (forwarded request 454258 from vitezslav_cizek)4542601b37b9c7736aef8a1bea076a71b66de81.0.2kmaxlin_factory- Remove O3 from optflags, no need to not rely on distro wide settings
- Remove conditions for sle10 and sle11, we care only about sle12+
- Use SUSE instead of SuSE in readme
- Pass over with spec-cleaner (forwarded request 485192 from scarabeus_iv)48521949bfcd24ef5e3337e06641fa34fe3a7e1.0.2kdimstar_suse- Provide pkgconfig(openssl)
- Provide basic baselibs.conf for 32bit subpackages
- Specify this package as noarch (as we just provide README files)
- Fix typo in openssl requires
- Add dependency on the branched devel package
- Provide all pkgconfig symbols to hide them in versioned subpkgs
- This allows us to propagate only the preferred version of openssl
while allowing us to add extra openssl only as additional dependency
- Remove the ssl provides as it is applicable for only those that
really provide it
- Prepare to split to various subpackages converting main one to
dummy package
- Reduce to only provide main pkg and devel and depend on proper
soversioned package
- Version in this package needs to be synced with the one provided
by the split package
- Remove all the patches, now in the proper versioned namespace:
* merge_from_0.9.8k.patch
* openssl-1.0.0-c_rehash-compat.diff
* bug610223.patch
* openssl-ocloexec.patch
* openssl-1.0.2a-padlock64.patch
* openssl-fix-pod-syntax.diff
* openssl-truststore.patch
* compression_methods_switch.patch
* 0005-libssl-Hide-library-private-symbols.patch4929856d4c0ee13d6ae6473c4540a0923efa191.0.2ldimstar_suse- Revert back to 1.0.2l for now so we get new fixes of 1.0 openssl
to tumbleweed
- Update to 1.1.0f release
- Switch default to openssl-1.1.0506205420691b3063d180842c88f404b1423491.0.2ldimstar_suse1509431d679a1f1a20b339e00b4ed7d1193d1431.0.2mdimstar_suse538750962b16a0f97a404e4a6ad0d397f725601.1.0gdimstar_suseAutomatic submission by obs-autosubmit541546ccd341dddd21b3c329245fc070b5c8811.1.0gdimstar_suse578326aeb9ecc59b468cd70c61b8ba6104ce741.1.0hdimstar_suse591688552bbaf3c489a11a71c9a963154936091.1.1bdimstar_suse- Update to 1.1.1b release
68171532d018ea6404aeb092dc1ad135af0b901.1.1cdimstar_suse706515cd6009452b423d18f780b13c6cc764291.1.1ddimstar_suse73020788140c1ed06c78f4d374477be554c7e61.1.1ddimstar_suse753239b3c0fb888a7dad0e6de11fbde46f832f1.1.1fdimstar_suse7901859eb206bc2e7c52de270d5c0f203475031.1.1gdimstar_suse796089a8f91a521d4574a665f865832908b9a91.1.1hdimstar_suse836221cdd968430a0a6bce1e6b7ba6063809881.1.1jRBrownSUSE874307e498085be66d70bc9c20956f7acd58811.1.1kRBrownSUSE88211993349cb1a1009cfd99003be053a749e11.1.1kdimstar_suse8971778938867221b2faa7f5436b6ccdb3ee0c1.1.1ldimstar_suse914577086203210b712f8494185dcaddff4b901.1.1mdimstar_suse9435416f4d8a6d2f25d5c92089a1585a68536f1.1.1ndimstar_suse961993a649378c6629e9a0f379fbf18444a3c21.1.1ndimstar_suse975775ed35964ecd3a16bbd06e8bfb9272439e1.1.1odimstar_suse- Update to 1.1.1o release (forwarded request 981125 from msmeissn)981143228ac55d863d68b138b4a75eef200f501.1.1pdimstar_suse- Update to 1.1.1p release9852423f8f7aae5581ed01b02434344366efc31.1.1qdimstar_suse- updated to 1.1.q release9873628318d0f294f3a7955a9119eb5df7ce721.1.1sdimstar_suse103289663ce3e6f76f4f812e9059188133f1e843.0.7dimstar_suse1062223