Accepting request 337106 from devel:libraries:c_c++

- Update to 1.3.14 * Added fix for CVE-2015-5291 (boo#949380) to prevent heap corruption due to buffer overflow of the hostname or session ticket. Found by Guido Vranken, Intelworks. OBS-URL: https://build.opensuse.org/request/show/337106 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=5
2015-10-17 14:38:09 +00:00 · 2015-10-17 14:38:09 +00:00 · 22197980c8
commit 22197980c8
parent 5679e57a39
4 changed files with 79 additions and 4 deletions
--- a/mbedtls-1.3.11-gpl.tgz
+++ b/mbedtls-1.3.11-gpl.tgz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:67a593027b6a442a4fa5b6c224c4ac8cdae5be721f5a28a11d34f10dcda441cb
-size 1731809
--- a/mbedtls-1.3.14-gpl.tgz
+++ b/mbedtls-1.3.14-gpl.tgz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:be76915bc406b4c4109629624baa5bf610a805d9976404e4086d44e5e6c86ff8
+size 1744343
--- a/mbedtls.changes
+++ b/mbedtls.changes
@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Thu Oct  8 06:53:02 UTC 2015 - mpluskal@suse.com
+
+- Update to 1.3.14
+  * Added fix for CVE-2015-5291 (boo#949380) to prevent heap corruption due to buffer
+    overflow of the hostname or session ticket. Found by Guido Vranken,
+    Intelworks.
+  * Fix stack buffer overflow in pkcs12 decryption (used by
+    mbedtls_pk_parse_key(file)() when the password is > 129 bytes. Found by
+    Guido Vranken, Intelworks. Not triggerable remotely.
+  * Fix potential buffer overflow in mbedtls_mpi_read_string().
+    Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
+    of TLS, but might be in other uses. On 32 bit machines, requires reading a
+    string of close to or larger than 1GB to exploit; on 64 bit machines, would
+    require reading a string of close to or larger than 2^62 bytes.
+  * Fix potential random memory allocation in mbedtls_pem_read_buffer()
+    on crafted PEM input data. Found and fix provided by Guido Vranken,
+    Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
+    accept PEM data from an untrusted source.
+  * Fix potential double-free if ssl_set_psk() is called repeatedly on
+    the same ssl_context object and some memory allocations fail. Found by
+    Guido Vranken, Intelworks. Can not be forced remotely.
+  * Fix possible heap buffer overflow in base64_encode() when the input
+    buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
+    Intelworks. Found by Guido Vranken. Not trigerrable remotely in TLS.
+  * Fix potential heap buffer overflow in servers that perform client
+    authentication against a crafted CA cert. Cannot be triggered remotely
+    unless you allow third parties to pick trust CAs for client auth. Found by
+    Guido Vranken, Intelworks.
+  * Fix compile error in net.c with musl libc. Found and patch provided by
+    zhasha (#278).
+  * Fix macroization of 'inline' keywork when building as C++. (#279)
+  * Added checking of hostname length in ssl_set_hostname() to ensure domain
+    names are compliant with RFC 1035.
+- Changes for 1.3.13
+  * Fix possible client-side NULL pointer dereference (read) when the client
+    tries to continue the handshake after it failed (a misuse of the API).
+    (Found and patch provided by Fabian Foerg, Gotham Digital Science using afl-fuzz.)
+  * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
+    signatures. (Found by Florian Weimer, Red Hat.)
+    https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
+  * Setting SSL_MIN_DHM_BYTES in config.h had no effect (overriden in ssl.h)
+    (found by Fabio Solari) (#256)
+  * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
+    result trying to unlock an unlocked mutex on invalid input (found by
+    Fredrik Axelsson) (#257)
+  * Fix -Wshadow warnings (found by hnrkp) (#240)
+  * Fix unused function warning when using MBEDTLS_MDx_ALT or
+    MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
+  * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
+  * Fix memory corruption on client with overlong PSK identity, around
+    SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
+    Aleksandrs Saveljevs) (#238)
+  * Fix off-by-one error in parsing Supported Point Format extension that
+    caused some handshakes to fail.
+  * When verifying a certificate chain, if an intermediate certificate is
+    trusted, no later cert is checked. (suggested by hannes-landeholm)
+    (#220).
+- Changes for 1.3.12
+  * Increase the minimum size of Diffie-Hellman parameters accepted by the
+    client to 1024 bits, to protect against Logjam attack.
+  * Increase the size of default Diffie-Hellman parameters on the server to
+    2048 bits. This can be changed with ssl_set_dh_params().
+  * Fix thread-safety issue in SSL debug module (found by Edwin van Vliet).
+  * Some example programs were not built using make, not included in Visual
+    Studio projects (found by Kristian Bendiksen).
+  * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
+    Leisink).
+  * Fix missing -static-ligcc when building shared libraries for Windows with
+    make.
+  * Fix compile error with armcc5 --gnu.
+  * Add SSL_MIN_DHM_BYTES configuration parameter in config.h to choose the
+    minimum size of Diffie-Hellman parameters accepted by the client.
+  * The PEM parser now accepts a trailing space at end of lines (#226).
+
 -------------------------------------------------------------------
 Wed Jul 29 10:16:37 UTC 2015 - dimstar@opensuse.org

--- a/mbedtls.spec
+++ b/mbedtls.spec
@ -18,7 +18,7 @@

 %define lib_name lib%{name}9
 Name:           mbedtls
-Version:        1.3.11
+Version:        1.3.14
 Release:        0
 Summary:        Open Source embedded SSL/TLS cryptographic library
 License:        GPL-2.0+