SHA256
1
0
forked from pool/Botan

Accepting request 323035 from devel:libraries:c_c++

- Fix Source0 URL

- bump SONAME to libbotan-1_10-1
- Update to 1.10.10
  * SECURITY: The BER decoder would crash due to reading from offset 0
    of an empty vector if it encountered a BIT STRING which did not
    contain any data at all. As the type requires a 1 byte field this
    is not valid BER but could occur in malformed data. Found with
    afl. CVE-2015-5726
  * SECURITY: The BER decoder would allocate a fairly arbitrary amount
    of memory in a length field, even if there was no chance the read
    request would succeed. This might cause the process to run out of
    memory or invoke the OOM killer. Found with afl. CVE-2015-5727
  * Due to an ABI incompatible (though not API incompatible) change in
    this release, the version number of the shared object has been
    increased.
  * The default TLS policy no longer allows RC4.
  * Fix a signed integer overflow in Blue Midnight Wish that may cause
    incorrect computations or undefined behavior.
- Update to 1.10.9
  * Fixed EAX tag verification to run in constant time
  * The default TLS policy now disables SSLv3.
  * A crash could occur when reading from a blocking random device if
    the device initially indicated that entropy was available but a
    concurrent process drained the entropy pool before the read was
    initiated.
  * Fix decoding indefinite length BER constructs that contain a
    context sensitive tag of zero. Github pull 26 from Janusz Chorko.
  * The botan-config script previously tried to guess its prefix from
    the location of the binary. However this was error prone, and now

OBS-URL: https://build.opensuse.org/request/show/323035
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/Botan?expand=0&rev=36
This commit is contained in:
Dominique Leuenberger 2015-08-15 09:38:55 +00:00 committed by Git OBS Bridge
commit dff41aed89
5 changed files with 49 additions and 9 deletions

3
Botan-1.10.10.tgz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6b67b14746410461fe4a8ce6a625e7eef789243454fe30eab7329d5984be4163
size 2706592

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bc2fd5fe904bba7cd688df021689f53a2d2f87ae728b647196a6b5954d184ea0
size 2211993

View File

@ -1,3 +1,43 @@
-------------------------------------------------------------------
Fri Aug 14 08:54:09 UTC 2015 - mvyskocil@opensuse.org
- Fix Source0 URL
-------------------------------------------------------------------
Tue Aug 11 22:49:31 UTC 2015 - netsroth@opensuse.org
- bump SONAME to libbotan-1_10-1
- Update to 1.10.10
* SECURITY: The BER decoder would crash due to reading from offset 0
of an empty vector if it encountered a BIT STRING which did not
contain any data at all. As the type requires a 1 byte field this
is not valid BER but could occur in malformed data. Found with
afl. CVE-2015-5726
* SECURITY: The BER decoder would allocate a fairly arbitrary amount
of memory in a length field, even if there was no chance the read
request would succeed. This might cause the process to run out of
memory or invoke the OOM killer. Found with afl. CVE-2015-5727
* Due to an ABI incompatible (though not API incompatible) change in
this release, the version number of the shared object has been
increased.
* The default TLS policy no longer allows RC4.
* Fix a signed integer overflow in Blue Midnight Wish that may cause
incorrect computations or undefined behavior.
- Update to 1.10.9
* Fixed EAX tag verification to run in constant time
* The default TLS policy now disables SSLv3.
* A crash could occur when reading from a blocking random device if
the device initially indicated that entropy was available but a
concurrent process drained the entropy pool before the read was
initiated.
* Fix decoding indefinite length BER constructs that contain a
context sensitive tag of zero. Github pull 26 from Janusz Chorko.
* The botan-config script previously tried to guess its prefix from
the location of the binary. However this was error prone, and now
the script assumes the final installation prefix matches the value
set during the build. Github issue 29.
-------------------------------------------------------------------
Wed Jun 24 16:19:12 UTC 2015 - liujianfeng1994@gmail.com

View File

@ -1,7 +1,7 @@
#
# spec file for package Botan
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -16,17 +16,17 @@
#
%define version_suffix 1_10-0
%define version_suffix 1_10-1
%define short_version 1.10
Name: Botan
Version: 1.10.8
Version: 1.10.10
Release: 0
Url: http://botan.randombit.net
Summary: A C++ Crypto Library
License: BSD-2-Clause
Group: Development/Libraries/C and C++
Source: https://files.randombit.net/botan/%{name}-%{version}.tbz
Source0: http://botan.randombit.net/releases/%{name}-%{version}.tgz
Source2: baselibs.conf
Patch0: Botan-inttypes.patch
Patch1: Botan-ull_constants.patch.bz2

View File

@ -1,4 +1,4 @@
libbotan-1_10-0
libbotan-1_10-1
libbotan-devel
requires -libbotan-<targettype> = <version>
requires "libbotan-1_10-0-<targettype> = <version>"
requires "libbotan-1_10-1-<targettype> = <version>"