- Security fix: [bsc#1216922, CVE-2023-5678]
* Fix excessive time spent in DH check / generation with large Q
parameter value.
* Applications that use the functions DH_generate_key() to generate
an X9.42 DH key may experience long delays. Likewise,
applications that use DH_check_pub_key(), DH_check_pub_key_ex()
or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an
untrusted source this may lead to a Denial of Service.
* Add openssl-CVE-2023-5678.patch
OBS-URL: https://build.opensuse.org/request/show/1126788
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_0_0?expand=0&rev=41
- Security fix: [bsc#1216922, CVE-2023-5678]
* Fix excessive time spent in DH check / generation with large Q
parameter value.
* Applications that use the functions DH_generate_key() to generate
an X9.42 DH key may experience long delays. Likewise,
applications that use DH_check_pub_key(), DH_check_pub_key_ex()
or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an
untrusted source this may lead to a Denial of Service.
* Add openssl-CVE-2023-5678.patch
OBS-URL: https://build.opensuse.org/request/show/1126076
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_0_0?expand=0&rev=97
- Security fix: (bsc#1213853, CVE-2023-3817)
* Fix excessive time spent checking DH q parameter value
(bsc#1213853, CVE-2023-3817). The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it
was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A
correct q value, if present, cannot be larger than the modulus
p parameter, thus it is unnecessary to perform these checks if
q is larger than p. If DH_check() is called with such q parameter
value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
computationally intensive checks are skipped.
* Add openssl-1_0-CVE-2023-3817.patch
OBS-URL: https://build.opensuse.org/request/show/1102939
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_0_0?expand=0&rev=40
- Security fix: (bsc#1213853, CVE-2023-3817)
* Fix excessive time spent checking DH q parameter value
(bsc#1213853, CVE-2023-3817). The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it
was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A
correct q value, if present, cannot be larger than the modulus
p parameter, thus it is unnecessary to perform these checks if
q is larger than p. If DH_check() is called with such q parameter
value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
computationally intensive checks are skipped.
* Add openssl-1_0-CVE-2023-3817.patch
OBS-URL: https://build.opensuse.org/request/show/1102830
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_0_0?expand=0&rev=94
- Security fix: [bsc#1213487, CVE-2023-3446]
* Fix DH_check() excessive time with oversized modulus.
* The function DH_check() performs various checks on DH parameters.
One of those checks confirms that the modulus ("p" parameter) is
not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits
in length.
However, the DH_check() function checks numerous aspects of the
key or parameters that have been supplied. Some of those checks
use the supplied modulus value even if it has already been found
to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying
a key/parameters with a modulus over this size will simply cause
DH_check() to fail.
* Add openssl-CVE-2023-3446.patch
OBS-URL: https://build.opensuse.org/request/show/1099701
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_0_0?expand=0&rev=93
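The three DH entries above (CVE-2023-3446, CVE-2023-3817 and CVE-2023-5678) share one defensive pattern: do the cheap size checks on attacker-controlled parameters first, and never run a computation whose cost scales with an oversized p or q. The following is an added example in plain Python, not OpenSSL's or openSUSE's code, that applies the two rules stated in the changelog (fail outright when p exceeds 32,768 bits; flag q as invalid and skip the expensive checks when q is larger than p) before doing the order check that would otherwise be slow. The function name `precheck_dh_params`, the flag values and the sample parameters are constructed for this example; only the name `DH_CHECK_INVALID_Q_VALUE` and the 32,768-bit limit come from the changelog.

```python
"""Pre-check untrusted Diffie-Hellman parameters before expensive validation.

Added example, not OpenSSL or openSUSE code. It mirrors the two policies
described in the changelog entries above:
  * CVE-2023-3446: a modulus p over 32,768 bits fails immediately;
  * CVE-2023-3817 / CVE-2023-5678: a q larger than p cannot be correct,
    so it is reported as an invalid q and the costly checks are skipped.
Flag values below are constructed; DH_CHECK_INVALID_Q_VALUE reuses the
name from the changelog, but its numeric value here is an assumption.
"""
from typing import Optional, Tuple

DH_MODULUS_MAX_BITS = 32768            # limit quoted in the changelog
DH_CHECK_P_TOO_LARGE = 0x01            # constructed flag values
DH_CHECK_INVALID_Q_VALUE = 0x02
DH_NOT_SUITABLE_GENERATOR = 0x04       # g does not have order q mod p


def precheck_dh_params(p: int, g: int, q: Optional[int] = None) -> Tuple[bool, int]:
    """Return (ok, flags) for a (p, g, q) tuple from an untrusted source.

    Cheap size checks run first so that an oversized p or q supplied by an
    attacker never reaches the modular exponentiation at the end, whose cost
    grows with the size of the operands.
    """
    flags = 0

    # CVE-2023-3446 policy: refuse oversized moduli before doing anything else.
    if p.bit_length() > DH_MODULUS_MAX_BITS:
        return False, DH_CHECK_P_TOO_LARGE

    if q is not None:
        # CVE-2023-3817 policy: a valid q is never larger than p, so a q above p
        # is flagged and the computationally intensive checks are skipped.
        if q <= 1 or q > p:
            flags |= DH_CHECK_INVALID_Q_VALUE
            return False, flags

        # Only now do the work proportional to the size of q: for g to generate
        # the subgroup of order q we need q | (p - 1) and g^q == 1 (mod p).
        if (p - 1) % q != 0 or pow(g, q, p) != 1:
            flags |= DH_NOT_SUITABLE_GENERATOR

    return flags == 0, flags


if __name__ == "__main__":
    # Constructed sample inputs: 23 = 2*11 + 1, and 2 has order 11 mod 23.
    print("good params      ->", precheck_dh_params(23, 2, 11))
    print("q larger than p  ->", precheck_dh_params(23, 2, 11 << 200))
    print("oversized p      ->", precheck_dh_params((1 << 32769) | 1, 2))
    print("wrong generator  ->", precheck_dh_params(23, 5, 11))
```

The ordering is the point: the size comparisons cost nothing regardless of how large the input is, whereas `pow(g, q, p)` is exactly the kind of step that the patched DH_check() now refuses to reach for an absurd q or p. A library wrapper that applies the same gate before calling into OpenSSL gives older builds the same protection the changelog describes.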
- Improve cross-package provides/conflicts [boo#1210313]
* Remove Conflicts: ssl
* Add Conflicts: openssl(cli)
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Reworked the Fix for the Timing Oracle in RSA Decryption
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 1.1.1s.
* Reworked openssl-CVE-2022-4304.patch
* Refreshed patches:
- openssl-CVE-2023-0286.patch
- openssl-CVE-2023-0464.patch
- openssl-CVE-2023-0465.patch
OBS-URL: https://build.opensuse.org/request/show/1095610
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_0_0?expand=0&rev=36
- Improve cross-package provides/conflicts [boo#1210313]
* Remove Conflicts: ssl
* Add Conflicts: openssl(cli)
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Reworked the Fix for the Timing Oracle in RSA Decryption
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 1.1.1s.
* Reworked openssl-CVE-2022-4304.patch
* Refreshed patches:
- openssl-CVE-2023-0286.patch
- openssl-CVE-2023-0464.patch
- openssl-CVE-2023-0465.patch
OBS-URL: https://build.opensuse.org/request/show/1094356
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_0_0?expand=0&rev=90