Accepting request 509216 from devel:libraries:c_c++

- Update to version 2.5.1: OBS-URL: https://build.opensuse.org/request/show/509216 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=12
2017-07-21 20:37:14 +00:00 · 2017-07-21 20:37:14 +00:00 · a258e86dc4
commit a258e86dc4
parent a9fd66514d
4 changed files with 34 additions and 9 deletions
--- a/mbedtls-2.4.2-apache.tgz
+++ b/mbedtls-2.4.2-apache.tgz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:17dd98af7478aadacc480c7e4159e447353b5b2037c1b6d48ed4fd157fb1b018
-size 1925368
--- a/mbedtls-2.5.1-apache.tgz
+++ b/mbedtls-2.5.1-apache.tgz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:559aeb8c8941262d6aad96a0286a230e7ff988ba53efbf609230ca1f81cc81f9
+size 1955461
--- a/mbedtls.changes
+++ b/mbedtls.changes
@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Mon Jul 10 14:17:59 UTC 2017 - mpluskal@suse.com
+
+- Update to version 2.5.1:
+  * Adds hardware acceleration support for the Elliptic Curve Point
+    module. This has involved exposing parts of the internal
+    interface to enable replacing the core functions and adding an
+    alternative, module level replacement to support for enabling
+    the extension of the interface.
+  * Adds a new configuration option to mbedtls_ssl_config() to
+    enable suppressing the CA list in Certificate Request messages.
+    The default behaviour has not changed, namely every configured
+    CA's name is included.
+  * Fixes an unlimited overread of heap-based buffers in
+    mbedtls_ssl_read(). The issue could only happen client-side
+    with renegotiation enabled. This could result in a Denial of
+    Service (such as crashing the application) or information leak.
+  * Adds exponent blinding to RSA private operations as a
+    countermeasure against side-channel attacks like the cache
+    attack described in https://arxiv.org/abs/1702.08719v2.
+  * Wipes stack buffers in RSA private key operations
+    (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()).
+  * Removes SHA-1 and RIPEMD-160 from the default hash algorithms
+    for certificate verification. SHA-1 can be turned back on with
+    a compile-time option if needed.
+  * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to
+    fail to detect it sometimes. Reported by Hugo Leisink.
+  * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
+    potential Bleichenbacher/BERserk-style attack.
+
 -------------------------------------------------------------------
 Sat Mar 11 15:50:12 UTC 2017 - mpluskal@suse.com

--- a/mbedtls.spec
+++ b/mbedtls.spec
@ -20,7 +20,7 @@
 %define lib_crypto libmbedcrypto0
 %define lib_x509   libmbedx509-0
 Name:           mbedtls
-Version:        2.4.2
+Version:        2.5.1
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0
@ -32,7 +32,6 @@ BuildRequires:  cmake
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(libpkcs11-helper-1)
 BuildRequires:  pkgconfig(zlib)
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
 mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
@ -119,7 +118,6 @@ make -C build test %{?_smp_mflags}
 %postun -n %{lib_x509}   -p /sbin/ldconfig

 %files devel
-%defattr(-,root,root)
 %doc ChangeLog README.md LICENSE
 %dir %{_includedir}/mbedtls
 %{_includedir}/mbedtls/*.h
@ -128,17 +126,14 @@ make -C build test %{?_smp_mflags}
 %{_libdir}/libmbedx509.so

 %files -n %{lib_tls}
-%defattr(-,root,root)
 %doc LICENSE
 %{_libdir}/libmbedtls.so.*

 %files -n %{lib_crypto}
-%defattr(-,root,root)
 %doc LICENSE
 %{_libdir}/libmbedcrypto.so.*

 %files -n %{lib_x509}
-%defattr(-,root,root)
 %doc LICENSE
 %{_libdir}/libmbedx509.so.*