Accepting request 1063743 from security:tls

- Update to 1.1.1t:
  * Fixed X.400 address type confusion in X.509 GeneralName.
    There is a type confusion vulnerability relating to X.400 address processing
    inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
    but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
    vulnerability may allow an attacker who can provide a certificate chain and
    CRL (neither of which need have a valid signature) to pass arbitrary
    pointers to a memcmp call, creating a possible read primitive, subject to
    some constraints. Refer to the advisory for more information. Thanks to
    David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286]
    This issue has been fixed by changing the public header file definition of
    GENERAL_NAME so that x400Address reflects the implementation. It was not
    possible for any existing application to successfully use the existing
    definition; however, if any application references the x400Address field
    (e.g. in dead code), note that the type of this field has changed. There is
    no ABI change.
  * Fixed Use-after-free following BIO_new_NDEF.
    The public API function BIO_new_NDEF is a helper function used for
    streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
    to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
    be called directly by end user applications.
    The function receives a BIO from the caller, prepends a new BIO_f_asn1
    filter BIO onto the front of it to form a BIO chain, and then returns
    the new head of the BIO chain to the caller. Under certain conditions,
    for example if a CMS recipient public key is invalid, the new filter BIO
    is freed and the function returns a NULL result indicating a failure.
    However, in this case, the BIO chain is not properly cleaned up and the
    BIO passed by the caller still retains internal pointers to the previously
    freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
    then a use-after-free will occur. This will most likely result in a crash.

OBS-URL: https://build.opensuse.org/request/show/1063743
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=42
This commit is contained in:
Dominique Leuenberger 2023-02-14 15:44:47 +00:00 committed by Git OBS Bridge
commit 4377a5e5ee
8 changed files with 302 additions and 272 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa
size 9868981

View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQJGBAABCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmNhEsESHHRvbWFzQG9w
ZW5zc2wub3JnAAoJEFJ0ZqIcp55tDTIQAKINCpzYH5Wixo5wvYxo/1x+YugR2FMJ
F7OLFD+HZ+ohrafV+WwGJkjwAEHzoXnho5iPx47RwpJ8lgKzTPgkvUx+LT3/1Shv
2kkiMNV5hJP2kIP7HzrjhbZ72e/gWX8lSM/u5GHzUyEDuM5jyuV+d91csB2tZ9ai
LHS0WzVp5F0E8GqhuQMXklV0eFKeuuUouSdobXVfjFvUs2vQxYY7ARel6b18nQL0
RPcmuil8XOJwZ2r460ZmsTf1FA0b/eoyEjI2140ZffDILZlI5BpLNoLcpH7Gtq+l
qo2yLConF1nQh4STWu/+fm2281xXrHc5BuL3CgHXIPDnTNE1iOZeE+TYWqu5F+qT
f6sxqI9YFkYTlwjoVruYkeA3x+qtJV4NmE6fBZk4JsVQxRf7g0iIDlIm/tXmbT/U
0YPl0sSYc3uvquwkV4de0TX2hfTChvAWjvlets5hHEh9cGfnGBrfzmwBK8mN18F9
bCPf4UYPjnB37D9alGc8VsTSDwbNMebzwj9bo3bUi90U/y/9e55Wq8QoQpaqeAXq
mhHuhN6y21TWvOYmNYvcvjGHd5Ikkivs1mHA06HsM0XV8TeZueo0MXse5fC6t25X
Iy84EL2mas0v6rbYOzgAQcdR4hD2zqeQOOfWFt5CvT+1TbiLFmbW8ZgGzkgkVkZ1
1RMZGNU3T2eU
=0j1K
-----END PGP SIGNATURE-----

BIN
openssl-1.1.1t.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
openssl-1.1.1t.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmPiVA4ACgkQ1enkP335
7owO9Q/+I6mvbNQeSgpOaOu//sVRGVkOD9pfZJsxZJtQuiYPQtXLlwkZyoh3Ft8b
Gty7sC6zXwWA2sbo4LGeum3jnjb7nb/x3+5O8KARPLFRpy2/4okL3uZnAw8Pr5ps
8VjCEIm9l9UmuWNZPWRQZPtup6Uz5u97/kVLQE17qFQW1bwiUixR+Yc+ICyW/hUQ
F13tbV2GVkoVdJKwD9UpwAs6ft0+faXtkEASNyLykcrTbGbBPVVpieXiH/Vuv6BX
1Ax/oBR5Xem9bGSZkCa5KZMDOqR08GUEA1zqa9Hh8VN4hH11w0cjyKPK9U6dQmAH
P6clMEtbNMYPr3pHO4Ufgwf0OzdnLfxIf8qCiqQcNLmBnCG0NHM0/8zJmiGg1O6r
Fy0P9/nSQ5CIT3t27Xcn8RciwTR7YClEyBtNGS1JdDzGJmomTqmxBns/QyZyKtlG
V+7IsNfUBVdCF4AUP7BRC+SkHf/2/fDyCPETg27AQz/iOUC9KU0DgKLQtmnnRKk0
Uz49l/WSVJARzPS5y55o8NUEv/QhnSct2eGjYeO3RiikuHDVQoH9R663G6E1koMq
fahxEs0FX39hALOt/CVisZ/H8trIy3r3Buc7EmqLHj/Q40I5IJA9ZCzi1e8UviQV
pQpkVru5VJVwNsm8KB/aBOm6J00mi2kbXMPrW1zwfmJAwt+iSJ4=
=nNu+
-----END PGP SIGNATURE-----

View File

@ -1,7 +1,44 @@
Index: openssl-1.1.1s/Configurations/unix-Makefile.tmpl ---
=================================================================== Configurations/descrip.mms.tmpl | 4 +--
--- openssl-1.1.1s.orig/Configurations/unix-Makefile.tmpl Configurations/unix-Makefile.tmpl | 22 ++++++++---------
+++ openssl-1.1.1s/Configurations/unix-Makefile.tmpl Configure | 2 -
INSTALL | 2 -
NEWS | 3 ++
VMS/openssl_utils.com.in | 2 -
apps/CA.pl.in | 8 +++---
apps/build.info | 6 ++--
apps/tsget.in | 2 -
doc/HOWTO/certificates.txt | 2 -
doc/man1/CA.pl.pod | 36 ++++++++++++++---------------
doc/man1/ca.pod | 4 +--
doc/man1/rehash.pod | 10 ++++----
doc/man1/tsget.pod | 4 +--
doc/man1/verify.pod | 2 -
doc/man1/x509.pod | 2 -
doc/man3/OPENSSL_config.pod | 2 -
doc/man3/SSL_CTX_load_verify_locations.pod | 4 +--
doc/man5/config.pod | 2 -
include/internal/cryptlib.h | 2 -
test/recipes/80-test_ca.t | 10 ++++----
tools/build.info | 2 -
tools/c_rehash.in | 6 ++--
23 files changed, 71 insertions(+), 68 deletions(-)
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -140,8 +140,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\
INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -}
INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -}
{- output_off() if $disabled{apps}; "" -}
-BIN_SCRIPTS=[.tools]c_rehash.pl
-MISC_SCRIPTS=[.apps]CA.pl, [.apps]tsget.pl
+BIN_SCRIPTS=[.tools]c_rehash-1_1.pl
+MISC_SCRIPTS=[.apps]CA-1_1.pl, [.apps]tsget-1_1.pl
{- output_on() if $disabled{apps}; "" -}
APPS_OPENSSL={- use File::Spec::Functions;
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -140,8 +140,8 @@ INSTALL_SHLIB_INFO={- join(" ", map { "\ @@ -140,8 +140,8 @@ INSTALL_SHLIB_INFO={- join(" ", map { "\
INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -} INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -}
INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } @{$unified_info{install}->{programs}}) -} INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } @{$unified_info{install}->{programs}}) -}
@ -45,10 +82,8 @@ Index: openssl-1.1.1s/Configurations/unix-Makefile.tmpl
generate_crypto_bn: generate_crypto_bn:
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h ) ( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
Index: openssl-1.1.1s/Configure --- a/Configure
=================================================================== +++ b/Configure
--- openssl-1.1.1s.orig/Configure
+++ openssl-1.1.1s/Configure
@@ -35,7 +35,7 @@ my $usage="Usage: Configure [no-<cipher> @@ -35,7 +35,7 @@ my $usage="Usage: Configure [no-<cipher>
# directories bin, lib, include, share/man, share/doc/openssl # directories bin, lib, include, share/man, share/doc/openssl
# This becomes the value of INSTALLTOP in Makefile # This becomes the value of INSTALLTOP in Makefile
@ -58,10 +93,8 @@ Index: openssl-1.1.1s/Configure
# If it's a relative directory, it will be added on the directory # If it's a relative directory, it will be added on the directory
# given with --prefix. # given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C. # This becomes the value of OPENSSLDIR in Makefile and in C.
Index: openssl-1.1.1s/INSTALL --- a/INSTALL
=================================================================== +++ b/INSTALL
--- openssl-1.1.1s.orig/INSTALL
+++ openssl-1.1.1s/INSTALL
@@ -296,7 +296,7 @@ @@ -296,7 +296,7 @@
be undesirable if small executable size is an objective. be undesirable if small executable size is an objective.
@ -71,10 +104,8 @@ Index: openssl-1.1.1s/INSTALL
Typically OpenSSL will automatically load a system config Typically OpenSSL will automatically load a system config
file which configures default ssl options. file which configures default ssl options.
Index: openssl-1.1.1s/NEWS --- a/NEWS
=================================================================== +++ b/NEWS
--- openssl-1.1.1s.orig/NEWS
+++ openssl-1.1.1s/NEWS
@@ -5,6 +5,9 @@ @@ -5,6 +5,9 @@
This file gives a brief overview of the major changes between each OpenSSL This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file. release. For more details please read the CHANGES file.
@ -82,80 +113,11 @@ Index: openssl-1.1.1s/NEWS
+ IMPORTANT: For compatibility with OpenSSL 3.0, the OpenSSL master + IMPORTANT: For compatibility with OpenSSL 3.0, the OpenSSL master
+ configuration file openssl.cnf has been renamed to openssl-1_1.cnf. + configuration file openssl.cnf has been renamed to openssl-1_1.cnf.
+ +
Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022] Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
o Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
Index: openssl-1.1.1s/doc/HOWTO/certificates.txt --- a/VMS/openssl_utils.com.in
=================================================================== +++ b/VMS/openssl_utils.com.in
--- openssl-1.1.1s.orig/doc/HOWTO/certificates.txt
+++ openssl-1.1.1s/doc/HOWTO/certificates.txt
@@ -16,7 +16,7 @@ Certificate authorities should read http
In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. By default the file is named
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+openssl-1_1.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.
Index: openssl-1.1.1s/doc/man3/OPENSSL_config.pod
===================================================================
--- openssl-1.1.1s.orig/doc/man3/OPENSSL_config.pod
+++ openssl-1.1.1s/doc/man3/OPENSSL_config.pod
@@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp
=head1 DESCRIPTION
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
+OPENSSL_config() configures OpenSSL using the standard B<openssl-1_1.cnf> and
reads from the application section B<appname>. If B<appname> is NULL then
the default section, B<openssl_conf>, will be used.
Errors are silently ignored.
Index: openssl-1.1.1s/doc/man5/config.pod
===================================================================
--- openssl-1.1.1s.orig/doc/man5/config.pod
+++ openssl-1.1.1s/doc/man5/config.pod
@@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat
=head1 DESCRIPTION
The OpenSSL CONF library can be used to read configuration files.
-It is used for the OpenSSL master configuration file B<openssl.cnf>
+It is used for the OpenSSL master configuration file B<openssl-1_1.cnf>
and in a few other places like B<SPKAC> files and certificate extension
files for the B<x509> utility. OpenSSL applications can also use the
CONF library for their own purposes.
Index: openssl-1.1.1s/include/internal/cryptlib.h
===================================================================
--- openssl-1.1.1s.orig/include/internal/cryptlib.h
+++ openssl-1.1.1s/include/internal/cryptlib.h
@@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO;
typedef struct mem_st MEM;
DEFINE_LHASH_OF(MEM);
-# define OPENSSL_CONF "openssl.cnf"
+# define OPENSSL_CONF "openssl-1_1.cnf"
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
Index: openssl-1.1.1s/Configurations/descrip.mms.tmpl
===================================================================
--- openssl-1.1.1s.orig/Configurations/descrip.mms.tmpl
+++ openssl-1.1.1s/Configurations/descrip.mms.tmpl
@@ -140,8 +140,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\
INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -}
INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -}
{- output_off() if $disabled{apps}; "" -}
-BIN_SCRIPTS=[.tools]c_rehash.pl
-MISC_SCRIPTS=[.apps]CA.pl, [.apps]tsget.pl
+BIN_SCRIPTS=[.tools]c_rehash-1_1.pl
+MISC_SCRIPTS=[.apps]CA-1_1.pl, [.apps]tsget-1_1.pl
{- output_on() if $disabled{apps}; "" -}
APPS_OPENSSL={- use File::Spec::Functions;
Index: openssl-1.1.1s/VMS/openssl_utils.com.in
===================================================================
--- openssl-1.1.1s.orig/VMS/openssl_utils.com.in
+++ openssl-1.1.1s/VMS/openssl_utils.com.in
@@ -8,7 +8,7 @@ $ OPENSSL :== $OSSL$EXE:OPENSSL'v' @@ -8,7 +8,7 @@ $ OPENSSL :== $OSSL$EXE:OPENSSL'v'
$ $
$ IF F$TYPE(PERL) .EQS. "STRING" $ IF F$TYPE(PERL) .EQS. "STRING"
@ -165,10 +127,8 @@ Index: openssl-1.1.1s/VMS/openssl_utils.com.in
$ ELSE $ ELSE
$ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH" $ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH"
$ ENDIF $ ENDIF
Index: openssl-1.1.1s/apps/CA.pl.in --- a/apps/CA.pl.in
=================================================================== +++ b/apps/CA.pl.in
--- openssl-1.1.1s.orig/apps/CA.pl.in
+++ openssl-1.1.1s/apps/CA.pl.in
@@ -113,10 +113,10 @@ sub run @@ -113,10 +113,10 @@ sub run
@ -184,10 +144,8 @@ Index: openssl-1.1.1s/apps/CA.pl.in
exit 0; exit 0;
} }
if ($WHAT eq '-newcert' ) { if ($WHAT eq '-newcert' ) {
Index: openssl-1.1.1s/apps/build.info --- a/apps/build.info
=================================================================== +++ b/apps/build.info
--- openssl-1.1.1s.orig/apps/build.info
+++ openssl-1.1.1s/apps/build.info
@@ -73,7 +73,7 @@ IF[{- !$disabled{apps} -}] @@ -73,7 +73,7 @@ IF[{- !$disabled{apps} -}]
GENERATE[progs.h]=progs.pl $(APPS_OPENSSL) GENERATE[progs.h]=progs.pl $(APPS_OPENSSL)
DEPEND[progs.h]=../configdata.pm DEPEND[progs.h]=../configdata.pm
@ -199,10 +157,8 @@ Index: openssl-1.1.1s/apps/build.info
+ SOURCE[CA-1_1.pl]=CA.pl.in + SOURCE[CA-1_1.pl]=CA.pl.in
+ SOURCE[tsget-1_1.pl]=tsget.in + SOURCE[tsget-1_1.pl]=tsget.in
ENDIF ENDIF
Index: openssl-1.1.1s/apps/tsget.in --- a/apps/tsget.in
=================================================================== +++ b/apps/tsget.in
--- openssl-1.1.1s.orig/apps/tsget.in
+++ openssl-1.1.1s/apps/tsget.in
@@ -47,7 +47,7 @@ sub create_curl { @@ -47,7 +47,7 @@ sub create_curl {
$curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
$curl->setopt(CURLOPT_FAILONERROR, 1); $curl->setopt(CURLOPT_FAILONERROR, 1);
@ -212,10 +168,19 @@ Index: openssl-1.1.1s/apps/tsget.in
# Options for POST method. # Options for POST method.
$curl->setopt(CURLOPT_UPLOAD, 1); $curl->setopt(CURLOPT_UPLOAD, 1);
Index: openssl-1.1.1s/doc/man1/CA.pl.pod --- a/doc/HOWTO/certificates.txt
=================================================================== +++ b/doc/HOWTO/certificates.txt
--- openssl-1.1.1s.orig/doc/man1/CA.pl.pod @@ -16,7 +16,7 @@ Certificate authorities should read http
+++ openssl-1.1.1s/doc/man1/CA.pl.pod In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. By default the file is named
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+openssl-1_1.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.
--- a/doc/man1/CA.pl.pod
+++ b/doc/man1/CA.pl.pod
@@ -2,16 +2,16 @@ @@ -2,16 +2,16 @@
=head1 NAME =head1 NAME
@ -318,10 +283,8 @@ Index: openssl-1.1.1s/doc/man1/CA.pl.pod
can be used and the B<OPENSSL_CONF> environment variable changed to point to can be used and the B<OPENSSL_CONF> environment variable changed to point to
the correct path of the configuration file. the correct path of the configuration file.
Index: openssl-1.1.1s/doc/man1/ca.pod --- a/doc/man1/ca.pod
=================================================================== +++ b/doc/man1/ca.pod
--- openssl-1.1.1s.orig/doc/man1/ca.pod
+++ openssl-1.1.1s/doc/man1/ca.pod
@@ -698,7 +698,7 @@ the database has to be kept in memory. @@ -698,7 +698,7 @@ the database has to be kept in memory.
The B<ca> command really needs rewriting or the required functionality The B<ca> command really needs rewriting or the required functionality
exposed at either a command or interface level so a more friendly utility exposed at either a command or interface level so a more friendly utility
@ -340,10 +303,8 @@ Index: openssl-1.1.1s/doc/man1/ca.pod
L<config(5)>, L<x509v3_config(5)> L<config(5)>, L<x509v3_config(5)>
=head1 COPYRIGHT =head1 COPYRIGHT
Index: openssl-1.1.1s/doc/man1/rehash.pod --- a/doc/man1/rehash.pod
=================================================================== +++ b/doc/man1/rehash.pod
--- openssl-1.1.1s.orig/doc/man1/rehash.pod
+++ openssl-1.1.1s/doc/man1/rehash.pod
@@ -6,7 +6,7 @@ Original text by James Westby, contribut @@ -6,7 +6,7 @@ Original text by James Westby, contribut
=head1 NAME =head1 NAME
@ -379,10 +340,8 @@ Index: openssl-1.1.1s/doc/man1/rehash.pod
uses the B<openssl> program to compute the hashes and uses the B<openssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname. B<OPENSSL> environment variable to the full pathname.
Index: openssl-1.1.1s/doc/man1/tsget.pod --- a/doc/man1/tsget.pod
=================================================================== +++ b/doc/man1/tsget.pod
--- openssl-1.1.1s.orig/doc/man1/tsget.pod
+++ openssl-1.1.1s/doc/man1/tsget.pod
@@ -35,7 +35,7 @@ line. @@ -35,7 +35,7 @@ line.
The tool sends the following HTTP request for each timestamp request: The tool sends the following HTTP request for each timestamp request:
@ -401,10 +360,8 @@ Index: openssl-1.1.1s/doc/man1/tsget.pod
OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of
HTTPS. (Optional) HTTPS. (Optional)
Index: openssl-1.1.1s/doc/man1/verify.pod --- a/doc/man1/verify.pod
=================================================================== +++ b/doc/man1/verify.pod
--- openssl-1.1.1s.orig/doc/man1/verify.pod
+++ openssl-1.1.1s/doc/man1/verify.pod
@@ -75,7 +75,7 @@ The file should contain one or more cert @@ -75,7 +75,7 @@ The file should contain one or more cert
A directory of trusted certificates. The certificates should have names A directory of trusted certificates. The certificates should have names
of the form: hash.0 or have symbolic links to them of this of the form: hash.0 or have symbolic links to them of this
@ -414,10 +371,8 @@ Index: openssl-1.1.1s/doc/man1/verify.pod
create symbolic links to a directory of certificates. create symbolic links to a directory of certificates.
=item B<-no-CAfile> =item B<-no-CAfile>
Index: openssl-1.1.1s/doc/man1/x509.pod --- a/doc/man1/x509.pod
=================================================================== +++ b/doc/man1/x509.pod
--- openssl-1.1.1s.orig/doc/man1/x509.pod
+++ openssl-1.1.1s/doc/man1/x509.pod
@@ -932,7 +932,7 @@ The hash algorithm used in the B<-subjec @@ -932,7 +932,7 @@ The hash algorithm used in the B<-subjec
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
@ -427,10 +382,19 @@ Index: openssl-1.1.1s/doc/man1/x509.pod
=head1 COPYRIGHT =head1 COPYRIGHT
Index: openssl-1.1.1s/doc/man3/SSL_CTX_load_verify_locations.pod --- a/doc/man3/OPENSSL_config.pod
=================================================================== +++ b/doc/man3/OPENSSL_config.pod
--- openssl-1.1.1s.orig/doc/man3/SSL_CTX_load_verify_locations.pod @@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp
+++ openssl-1.1.1s/doc/man3/SSL_CTX_load_verify_locations.pod
=head1 DESCRIPTION
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
+OPENSSL_config() configures OpenSSL using the standard B<openssl-1_1.cnf> and
reads from the application section B<appname>. If B<appname> is NULL then
the default section, B<openssl_conf>, will be used.
Errors are silently ignored.
--- a/doc/man3/SSL_CTX_load_verify_locations.pod
+++ b/doc/man3/SSL_CTX_load_verify_locations.pod
@@ -63,7 +63,7 @@ If more than one CA certificate with the @@ -63,7 +63,7 @@ If more than one CA certificate with the
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
is performed in the ordering of the extension number, regardless of other is performed in the ordering of the extension number, regardless of other
@ -449,10 +413,30 @@ Index: openssl-1.1.1s/doc/man3/SSL_CTX_load_verify_locations.pod
=head1 SEE ALSO =head1 SEE ALSO
Index: openssl-1.1.1s/test/recipes/80-test_ca.t --- a/doc/man5/config.pod
=================================================================== +++ b/doc/man5/config.pod
--- openssl-1.1.1s.orig/test/recipes/80-test_ca.t @@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat
+++ openssl-1.1.1s/test/recipes/80-test_ca.t =head1 DESCRIPTION
The OpenSSL CONF library can be used to read configuration files.
-It is used for the OpenSSL master configuration file B<openssl.cnf>
+It is used for the OpenSSL master configuration file B<openssl-1_1.cnf>
and in a few other places like B<SPKAC> files and certificate extension
files for the B<x509> utility. OpenSSL applications can also use the
CONF library for their own purposes.
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO;
typedef struct mem_st MEM;
DEFINE_LHASH_OF(MEM);
-# define OPENSSL_CONF "openssl.cnf"
+# define OPENSSL_CONF "openssl-1_1.cnf"
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -27,27 +27,27 @@ plan tests => 5; @@ -27,27 +27,27 @@ plan tests => 5;
SKIP: { SKIP: {
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"'; $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
@ -486,10 +470,8 @@ Index: openssl-1.1.1s/test/recipes/80-test_ca.t
'creating new pre-certificate'); 'creating new pre-certificate');
} }
Index: openssl-1.1.1s/tools/build.info --- a/tools/build.info
=================================================================== +++ b/tools/build.info
--- openssl-1.1.1s.orig/tools/build.info
+++ openssl-1.1.1s/tools/build.info
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
{- our $c_rehash_name = {- our $c_rehash_name =
- $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash"; - $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash";
@ -497,10 +479,8 @@ Index: openssl-1.1.1s/tools/build.info
"" -} "" -}
IF[{- !$disabled{apps} -}] IF[{- !$disabled{apps} -}]
SCRIPTS={- $c_rehash_name -} SCRIPTS={- $c_rehash_name -}
Index: openssl-1.1.1s/tools/c_rehash.in --- a/tools/c_rehash.in
=================================================================== +++ b/tools/c_rehash.in
--- openssl-1.1.1s.orig/tools/c_rehash.in
+++ openssl-1.1.1s/tools/c_rehash.in
@@ -8,7 +8,7 @@ @@ -8,7 +8,7 @@
# in the file LICENSE in the source distribution or at # in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html # https://www.openssl.org/source/license.html

View File

@ -1,3 +1,73 @@
-------------------------------------------------------------------
Tue Feb 7 15:59:21 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Update to 1.1.1t:
* Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286]
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
* Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
[bsc#1207536, CVE-2023-0215]
* Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
[bsc#1207538, CVE-2022-4450]
[Kurt Roeckx, Matt Caswell]
* Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
[bsc#1207534, CVE-2022-4304]
* Rebased openssl-1_1-openssl-config.patch
* Update openssl.keyring with key
7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C (Richard Levitte)
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Dec 14 12:56:06 UTC 2022 - Pedro Monreal <pmonreal@suse.com> Wed Dec 14 12:56:06 UTC 2022 - Pedro Monreal <pmonreal@suse.com>

View File

@ -41,7 +41,7 @@
%define _rname openssl %define _rname openssl
Name: openssl-1_1 Name: openssl-1_1
# Don't forget to update the version in the "openssl" meta-package! # Don't forget to update the version in the "openssl" meta-package!
Version: 1.1.1s Version: 1.1.1t
Release: 0 Release: 0
Summary: Secure Sockets and Transport Layer Security Summary: Secure Sockets and Transport Layer Security
License: OpenSSL License: OpenSSL

View File

@ -1,113 +1,94 @@
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C
Comment: Richard Levitte <levitte@lp.se>
Comment: Richard Levitte <levitte@openssl.org>
Comment: Richard Levitte <richard@levitte.org>
mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr xsFNBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ymG/pXvmqx
55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH 5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAmNIf+Omvl
F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi G7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYzUbGKZMnr
UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag 94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyFoi5XTj+B
pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K iVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kPo1KdqlwD
/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv F+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2DsgljQuW
MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8 Sj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA05gGQTUJ
laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB DeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQUr8+t/iH
HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3 3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw1whitGG+
zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06 y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt1+VPMt2L
YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB 732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9sQARAQAB
tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK zR9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+wsGPBBMBAgAiBQJUMGwd
o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8
AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy PcizspI5PtXp5D99+e6Mq7QP/iNhBEDJYRTrYc6JAmRIg6YyiKjeOx8kXtVCe9+q
U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE CzC+Y9ehyZB5Dyl0Ybej9jNJdEDJzDHKzVwU4NrfefcTWqUOQDNbpClGtXcQHlUt
KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W hjREPWpyAEH1OhD5NDTSMI5YYKZDEfiN6oEpWlc7WK0mXZuY5mHOo0B3yNDfV845
nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh +7CGPK9zuE56/f9SLmCaFsCkNMGbvV4ybLRoBfZdnC5NPOKyJXQ0TG0CbxGMgIN5
1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I cOrBphU+ZrPYY+p4jEoD5rvFugQl4+oRsvxygpJV5t8pe1ihNMhmzu3CpRtMjmRA
m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj dzK+27Z8p7m8BORuoC+NbXVpcmjIueXDkYdxP+09qUyw8xE398tAuEXpbCVoQ68b
kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD 6NDCBpowgvUu34zxDn0wKdt2YGHB6z7Kl7b8RycWG3Y8u/Hs+l6QehEmiy6UKXl7
IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M zW3PIi3192WzElUi7TtG/btqC6YPs0U3SQMkNWzwkjbKM9bC4gPFMK05a8QENc66
8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6 M+USWjNg0TiAkGP9PDlpYyhtjicCTgL51lDm8LBXr9cbzvXav7Jc6NVh7Zby89r1
z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41 DsPFzfDkccOX6nSnqYMISmvRUGrGfgrkeeM0MNu93aPTrs+0fxq+HJIZEhX/YCyQ
xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM N4jqM+hQGh9bOwM7BacaP9F9vnq2hDK2WIXlWChX9Q70xArViJqzI8/76Ph1inPb
MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh jbJczSVSaWNoYXJkIExldml0dGUgPGxldml0dGVAb3BlbnNzbC5vcmc+wsGPBBMB
BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL AgAiBQJUMGwKAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnu
AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk jBYhBHlTrB+8PcizspI5PtXp5D99+e6M1bAP/0byoJMiMsswapbBypQCT/vQmaoX
8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO jZzNcU4qAKlB5EMlHkxl1T8ytEXxmNMd/e0ltV9HALeBqX1eYHS7oTG3rMXKuYVY
UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv TO19eM2wLiCW664EUtOsB9zAnpp6X+8UWMoNEpWlEHgkdlADQ0xIrrH3pt29SAbd
FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW x0QsvwkWPawEoKMoUiGPnVY4hAt7Xx9gDmWEa2T6tExd9soBBTIuIpTH3MbAEHsv
FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q nBbdyarNltGF/pXYGMmGaYmU0WujqKzqpBpy3zwd0Rx1Kms5e0ZcypVzqx3Xgcue
UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy W8fbMPTZbG+Z922GUFDJ139WjAA2FsMJ9ES7XIIoJh/4nfBwk+PXcj29TieDnl2r
Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS d4x7Yxnqp4Vzau+IARz9Vr1OIFVlQbaSdXfmDFi/fvVf9CJZnWwcSwkqp4pk50Zy
2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW nEA+8TzEQj08jdj0+yrJNvbRxqbIafzSmoU77bANs4gc0WOdTTpvv4honUQROARp
kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm G/JT47hE7ATVGNdF7bmWNEyEYFtZMdGP0xD+K0xEgsir65aruVixVrNKxOX9wqx6
T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI JGzHTSTgtAVYAvMIsWJTLuCXZbMRmmmmubfyVaMAisz5UIYD+TCPncuJ1dMUW9WI
yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I uLNFGLTRGHri01EWe2epaHZWA0WB0cQZaeGpc7C986WskDi9SA9ZzCIGW4oQIBQX
8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J lRJjjYxIBCnjxtUWzSVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAbGV2aXR0ZS5v
AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL cmc+wsGSBBMBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVDBtJgIZ
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh AQAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp5D99+e6MmN0P/AmpB8DasBnj
KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo h9fAlBM8kEZ23MHVdEguPWX8KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh
2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ 4V86hIYgLK9tisZyby+5NT4dEl6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvd
+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4 ooy/4ThXNS16HcsJRckan6oFjCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1
yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M C3I+oL3+qWwiqAG9hp/zedsIsNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6
cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A MZPiFBRGsARRRFfTRGkzI9W1M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFA
ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly nwf5MeO3MqzvjocoUyoZNc4t7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4
Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y +1WmLxwcF0n3xaB04KCvXTaBZ5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbY
q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt k81XfXBuBKv7Vxk0fRYf9+HJ7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9
Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj fyZn/sv+UCLrMR6fyD/5EtzgzW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W
hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI 3mDDxJoaYe5bE2p0ca+mwEHZQpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlF
w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93 IEUgucXLOLQHyEl+kEkCLEmSbn71WsM8wsGPBBMBAgAiBQJUMGs2AhsDBgsJCAcD
VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27 AgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp
1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp 5D99+e6MbdMP/1yj/fl/t8sl6ZH8v26uBBLSUeZPJYef9TCoe6akV//x4JLujB8y
djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50 dGGW8bToC680zpuYlNn+avMwmjyocPwe7Cqgev6AyO+CjspoodM9Xai0y10CAHCl
IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK vGAW8mX7c79jtLcMB/Z/0+5u4ErkzfwyURRpB5deLcQ4LhyRVZbLQ72fdCrmPYzO
bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn e6Rhmfr9nWKL/oHDTLDUtRjAXdurI8YQKK9nCtbsM2uytvYkzpD2wx0B16rB7N04
gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w QLJBNDyOUJwnm4K+Xt9LLs8NUJ8JXCdwXKXGrFFbt2b3vmy0y4/NR5AUoS444ao5
NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh 1mybA19WkCcCj5mSKmfZ9Dfbv6K3JCJx4ra5uJT2HP2M3NugtumQ1KPBUlNApVC6
D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H u+Vn7SMqFW/KFRCxOjXDWWU+F4prqzOVc5SYqIUOk7XVxgj1FBryw5Wel5iq1Bn8
a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB La1Fv3Hs/+pUKHRYYIC48kRET7h6oCmBiNn+XmU0A2qZnIyblmVpmfYftj3UWUC0
HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc S86qf/dRi8unTXYl8qEQyOSPz8g6t2RDgEsJOzKhiO+j+wcBYVOgrSgsawC8yxjA
nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv zfVwkprUJognVBJFCv4sKMb9wg99iEacI6O401w3FQy5FyokjmxXzrhn0UPj3t35
Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy wd81WZ5HWaBSLnBo8HklfDyaybPlXODldSI7OGOch/0/CZEQzQwzsmnazsFNBFQw
Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+ azYBEADPNcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpj
otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5 U45kx/wO5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV
SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358 9qT3i0eSSpa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdk
cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0 HsEoMSVU6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHM
8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ el8ZcEgTah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1
vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV nbMQ/dEvMQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAt
yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A c/+iwMUkQQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQ
HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg Je31m7sezA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+
K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs sjauCZQW3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbh
aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh ddJBHsd7GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz
uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE 5JTjMkj1s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABwsF2BBgB
cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk AgAJBQJUMGs2AhsMACEJENXp5D99+e6MFiEEeVOsH7w9yLOykjk+1enkP3357ozr
RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F 2A//YzMQJ6Mo+/SU328dOeoseI/sFypuK882pPhXfJqX8l8H1zyHbKWy5lLLiv1M
9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/ oNOC/8pWbpv2QlWyN3PKrB6srClnpPyiHIO37/lQBcpjvAfy9HWpl21FDxn9Ruxn
JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g a/IMYwq60EjE5h8NynNn57vydF3qTcTqkhtHW61L3vbBAcz9VMSay9QVm1f6qzM5
muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN WbbLxp1sfNjQWKSo381kjs1Vj7yCTBrJul3qSeX0CsRB7WF5VYMalpNTHPRIqCWp
86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr zTMcO3E5SSGIJy+AqwAZZvFiylGrSsux6TnVEVJ07s0nn1yj3q7Ii7av+waGmTf7
HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S 9B0AyZv0IZ4j4NUWFNnGhsG1bEumFLkQl7Id/M61k0yKOusHdzDcZbCzecyww1w3
DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE WD+j4wvGkfBy4mQRqLiyjutsN/dpxRRkULATME+TH9J5eNq0A5sRRaayEiA1TDcA
ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro WfF0PtA4smNy1GyIarobC+xn8AENi4eeYZBbfDfh8oRhEsICQ6rs098wiYz8jtZ/
uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY pOruzbiD7ZKDy+vjKtYqgjGnioHQalJCZrKTUnREpH102pg1Cw6v2OcjiXsqU5L7
YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl Yrhv1jQIluII051VIJ/QBWe5uT7YiJOsMLMQGWvkObPXEYLld2UF6hK6MH4epkwV
JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u /w1uNqnlvIeEFgHTKmSHvfwlAF64lUiDCUdWExXybKkE2NY=
aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq =1H60
oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7
FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM
ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL
vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+
i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb
PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum
ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE
N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH
eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs
LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM
JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh
QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB
uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS
nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u
sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD
NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C
nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE
FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ
qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX
Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc
zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2
TIdjvGbJ/k4qxw==
=Ctij
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----