mbedtls/mbedtls.changes

-------------------------------------------------------------------
Fri Mar 27 16:59:55 UTC 2015 - mpluskal@suse.com

- Update package categories

-------------------------------------------------------------------
Wed Mar 18 18:56:26 UTC 2015 - mpluskal@suse.com

- Create symlink to ensure compatibility with polarssl

-------------------------------------------------------------------
Mon Mar 16 12:54:22 UTC 2015 - mpluskal@suse.com

- Update provides/obsoletes

-------------------------------------------------------------------
Sun Mar 15 21:23:17 UTC 2015 - mpluskal@suse.com

- Fix sed for includes

-------------------------------------------------------------------
Sun Mar 15 11:44:53 UTC 2015 - mpluskal@suse.com

- Rename to mbedtls
- Use cmake macro for building
- Update to 1.3.10
   * NULL pointer dereference in the buffer-based allocator when the buffer is
     full and polarssl_free() is called (found by Mark Hasemeyer)
     (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
     not by default).
   * Fix remotely-triggerable uninitialised pointer dereference caused by
     crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
     client certificate) (found using Codenomicon Defensics).
   * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
     (TLS server is not affected if it doesn't ask for a client certificate)
     (found using Codenomicon Defensics).
   * Fix potential stack overflow while parsing crafted X.509 certificates
     (TLS server is not affected if it doesn't ask for a client certificate)
     (found using Codenomicon Defensics).
   * Fix timing difference that could theoretically lead to a
     Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
     (reported by Sebastian Schinzel).
   * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
   * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
   * Add support for Encrypt-then-MAC (RFC 7366).
   * Add function pk_check_pair() to test if public and private keys match.
   * Add x509_crl_parse_der().
   * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
     length of an X.509 verification chain.
   * Support for renegotiation can now be disabled at compile-time
   * Support for 1/n-1 record splitting, a countermeasure against BEAST.
   * Certificate selection based on signature hash, prefering SHA-1 over SHA-2
     for pre-1.2 clients when multiple certificates are available.
   * Add support for getrandom() syscall on recent Linux kernels with Glibc or
     a compatible enough libc (eg uClibc).
   * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
     while using the default ciphersuite list.
   * Added new error codes and debug messages about selection of
     ciphersuite/certificate.

-------------------------------------------------------------------
Tue Jan 20 19:33:12 UTC 2015 - fisiu@opensuse.org

- Add polarssl-CVE-2015-1182.patch: Remote attack using crafted certificates:
  fix boo#913903, CVE-2015-1182.

-------------------------------------------------------------------
Mon Nov  3 12:25:24 UTC 2014 - fisiu@opensuse.org

- Update to 1.3.9, detailed changes available in ChangeLog file:
  * Lowest common hash was selected from signature_algorithms extension in
    TLS 1.2: fix boo#903672, CVE-2014-8627.
  * Remotely-triggerable memory leak when parsing some X.509 certificates,
    CVE-2014-8628.
  * Remotely-triggerable memory leak when parsing crafted ClientHello,
    CVE-2014-8628.
  * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x.
  * Ciphersuites using RSA-PSK key exchange now require TLS 1.x.
  * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits RSA 
    keys.
  * X.509 certificates with more than one AttributeTypeAndValue per 
    RelativeDistinguishedName are not accepted any more.
- Build with POLARSSL_THREADING_PTHREAD: fix boo#903671.

-------------------------------------------------------------------
Fri Aug 15 17:17:05 UTC 2014 - fisiu@opensuse.org

- Update to 1.3.8, detailed changes available in ChangeLog file:
  * Fix length checking for AEAD ciphersuites (found by Codenomicon).
    It was possible to crash the server (and client) using crafted messages
    when a GCM suite was chosen.
  * Add CCM module and cipher mode to Cipher Layer
  * Support for CCM and CCM_8 ciphersuites
  * Support for parsing and verifying RSASSA-PSS signatures in the X.509
    modules (certificates, CRLs and CSRs).
  * Blowfish in the cipher layer now supports variable length keys.
  * Add example config.h for PSK with CCM, optimized for low RAM usage.
  * Optimize for RAM usage in example config.h for NSA Suite B profile.
  * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
    from the default list (inactive by default).
  * Add server-side enforcement of sent renegotiation requests
    (ssl_set_renegotiation_enforced())
  * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
    ciphersuites to use and save some memory if the list is small.

-------------------------------------------------------------------
Sat Mar 29 14:01:16 UTC 2014 - fisiu@opensuse.org

- Update to 1.3.5, detailed changes available in ChangeLog file:
  * Elliptic Curve Cryptography module added
  * Elliptic Curve Diffie Hellman module added
  * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
    (ECDHE-based ciphersuites)
  * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
    (ECDSA-based ciphersuites)
  * Ability to specify allowed ciphersuites based on the protocol version.
  * PSK and DHE-PSK based ciphersuites added
  * Memory allocation abstraction layer added
  * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
  * Threading abstraction layer added (dummy / pthread / alternate)
  * Public Key abstraction layer added
  * Parsing Elliptic Curve keys
  * Parsing Elliptic Curve certificates
  * Support for max_fragment_length extension (RFC 6066)
  * Support for truncated_hmac extension (RFC 6066)
  * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
    (ISO/IEC 7816-4) padding and zero padding in the cipher layer
  * Support for session tickets (RFC 5077)
  * Certificate Request (CSR) generation with extensions (key_usage,
    ns_cert_type)
  * X509 Certificate writing with extensions (basic_constraints,
    issuer_key_identifier, etc)
  * Optional blinding for RSA, DHM and EC
  * Support for multiple active certificate / key pairs in SSL servers for
    the same host (Not to be confused with SNI!)

-------------------------------------------------------------------
Wed May 15 12:21:45 UTC 2013 - fisiu@opensuse.org

- Update to 1.2.7:
  * Ability to specify allowed ciphersuites based on the protocol
    version.
  * Default Blowfish keysize is now 128-bits
  * Test suites made smaller to accommodate Raspberry Pi
  * Fix for MPI assembly for ARM
  * GCM adapted to support sizes > 2^29

-------------------------------------------------------------------
Sat Mar 16 16:03:03 UTC 2013 - fisiu@opensuse.org

- Update to 1.2.6:
  * Fixed memory leak in ssl_free() and ssl_reset()
  * Corrected GCM counter incrementation to use only 32-bits
    instead of 128-bits
  * Fixed net_bind() for specified IP addresses on little endian
    systems
  * Fixed assembly code for ARM (Thumb and regular)
  * Detailed information available in ChangeLog file.

-------------------------------------------------------------------
Fri Mar  8 13:38:43 UTC 2013 - fisiu@opensuse.org

- Update to 1.2.5

-------------------------------------------------------------------
Sun Jan 29 14:29:51 UTC 2012 - jengelh@medozas.de

- Remove redundant tags/sections per specfile guideline suggestions

-------------------------------------------------------------------
Sat Jun 11 04:46:46 UTC 2011 - crrodriguez@opensuse.org

- Update to version 0.99.5

-------------------------------------------------------------------
Sun Apr 10 19:21:16 UTC 2011 - crrodriguez@opensuse.org

- Initial version