diff --git a/mbedtls-2.4.2-apache.tgz b/mbedtls-2.4.2-apache.tgz
deleted file mode 100644
index 78b4d44..0000000
--- a/mbedtls-2.4.2-apache.tgz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:17dd98af7478aadacc480c7e4159e447353b5b2037c1b6d48ed4fd157fb1b018
-size 1925368
diff --git a/mbedtls-2.5.1-apache.tgz b/mbedtls-2.5.1-apache.tgz
new file mode 100644
index 0000000..f6685a6
--- /dev/null
+++ b/mbedtls-2.5.1-apache.tgz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:559aeb8c8941262d6aad96a0286a230e7ff988ba53efbf609230ca1f81cc81f9
+size 1955461
diff --git a/mbedtls.changes b/mbedtls.changes
index 9237aa4..2ea64ad 100644
--- a/mbedtls.changes
+++ b/mbedtls.changes
@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Mon Jul 10 14:17:59 UTC 2017 - mpluskal@suse.com
+
+- Update to version 2.5.1:
+ * Adds hardware acceleration support for the Elliptic Curve Point
+ module. This has involved exposing parts of the internal
+ interface to enable replacing the core functions and adding an
+ alternative, module level replacement to support for enabling
+ the extension of the interface.
+ * Adds a new configuration option to mbedtls_ssl_config() to
+ enable suppressing the CA list in Certificate Request messages.
+ The default behaviour has not changed, namely every configured
+ CA's name is included.
+ * Fixes an unlimited overread of heap-based buffers in
+ mbedtls_ssl_read(). The issue could only happen client-side
+ with renegotiation enabled. This could result in a Denial of
+ Service (such as crashing the application) or information leak.
+ * Adds exponent blinding to RSA private operations as a
+ countermeasure against side-channel attacks like the cache
+ attack described in https://arxiv.org/abs/1702.08719v2.
+ * Wipes stack buffers in RSA private key operations
+ (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()).
+ * Removes SHA-1 and RIPEMD-160 from the default hash algorithms
+ for certificate verification. SHA-1 can be turned back on with
+ a compile-time option if needed.
+ * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to
+ fail to detect it sometimes. Reported by Hugo Leisink.
+ * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
+ potential Bleichenbacher/BERserk-style attack.
+
 -------------------------------------------------------------------
 Sat Mar 11 15:50:12 UTC 2017 - mpluskal@suse.com
diff --git a/mbedtls.spec b/mbedtls.spec
index 7a770f1..c9011b1 100644
--- a/mbedtls.spec
+++ b/mbedtls.spec
@@ -20,7 +20,7 @@
 %define lib_crypto libmbedcrypto0
 %define lib_x509 libmbedx509-0
 Name: mbedtls
-Version: 2.4.2
+Version: 2.5.1
 Release: 0
 Summary: Libraries for crypto and SSL/TLS protocols
 License: Apache-2.0
@@ -32,7 +32,6 @@ BuildRequires: cmake
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(libpkcs11-helper-1)
 BuildRequires: pkgconfig(zlib)
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
 mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
@@ -119,7 +118,6 @@ make -C build test %{?_smp_mflags}
 %postun -n %{lib_x509} -p /sbin/ldconfig
 %files devel
-%defattr(-,root,root)
 %doc ChangeLog README.md LICENSE
 %dir %{_includedir}/mbedtls
 %{_includedir}/mbedtls/*.h
@@ -128,17 +126,14 @@ make -C build test %{?_smp_mflags}
 %{_libdir}/libmbedx509.so
 %files -n %{lib_tls}
-%defattr(-,root,root)
 %doc LICENSE
 %{_libdir}/libmbedtls.so.*
 %files -n %{lib_crypto}
-%defattr(-,root,root)
 %doc LICENSE
 %{_libdir}/libmbedcrypto.so.*
 %files -n %{lib_x509}
-%defattr(-,root,root)
 %doc LICENSE
 %{_libdir}/libmbedx509.so.*