Commit Graph

5 Commits

Author SHA256 Message Date
Otto Hollmann
7cf818f410 Accepting request 1089971 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/1089971
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=134
2023-05-31 09:13:51 +00:00
Otto Hollmann
8fb8948616 Accepting request 1063668 from home:ohollmann:branches:security:tls
- Update to 1.1.1t:
  * Fixed X.400 address type confusion in X.509 GeneralName.
    There is a type confusion vulnerability relating to X.400 address processing
    inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
    but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
    vulnerability may allow an attacker who can provide a certificate chain and
    CRL (neither of which need have a valid signature) to pass arbitrary
    pointers to a memcmp call, creating a possible read primitive, subject to
    some constraints. Refer to the advisory for more information. Thanks to
    David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286]
    This issue has been fixed by changing the public header file definition of
    GENERAL_NAME so that x400Address reflects the implementation. It was not
    possible for any existing application to successfully use the existing
    definition; however, if any application references the x400Address field
    (e.g. in dead code), note that the type of this field has changed. There is
    no ABI change.
  * Fixed Use-after-free following BIO_new_NDEF.
    The public API function BIO_new_NDEF is a helper function used for
    streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
    to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
    be called directly by end user applications.
    The function receives a BIO from the caller, prepends a new BIO_f_asn1
    filter BIO onto the front of it to form a BIO chain, and then returns
    the new head of the BIO chain to the caller. Under certain conditions,
    for example if a CMS recipient public key is invalid, the new filter BIO
    is freed and the function returns a NULL result indicating a failure.
    However, in this case, the BIO chain is not properly cleaned up and the
    BIO passed by the caller still retains internal pointers to the previously
    freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
    then a use-after-free will occur. This will most likely result in a crash.

OBS-URL: https://build.opensuse.org/request/show/1063668
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=128
2023-02-08 08:03:11 +00:00
4cf96f27f1 Accepting request 1032887 from home:ohollmann:branches:security:tls
- Updated openssl.keyring with key A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C
- Update to 1.1.1s:
  * Fixed a regression introduced in 1.1.1r version not refreshing the
    certificate data to be signed before signing the certificate.
- Update to 1.1.1r:
  * Fixed the linux-mips64 Configure target which was missing the
    SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
    platform.
  * Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was
    causing incorrect results in some cases as a result.
  * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
    report correct results in some cases
  * Fixed a regression introduced in 1.1.1o for re-signing certificates with
    different key sizes
  * Added the loongarch64 target
  * Fixed a DRBG seed propagation thread safety issue
  * Fixed a memory leak in tls13_generate_secret
  * Fixed reported performance degradation on aarch64. Restored the
    implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
    32-bit lane assignment in CTR mode") for 64bit targets only, since it is
    reportedly 2-17% slower and the silicon errata only affects 32bit targets.
    The new algorithm is still used for 32 bit targets.
  * Added a missing header for memcmp that caused compilation failure on some
    platforms

OBS-URL: https://build.opensuse.org/request/show/1032887
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=121
2022-11-02 13:56:40 +00:00
Tomáš Chvátal
0bd53d7b5f Accepting request 706506 from home:vitezslav_cizek:branches:o11
- Update openssl-fix_underflow_in_errstr_handling.patch to use
  upstream approved code
  * https://github.com/openssl/openssl/pull/8966
- update openssl.keyring to include Richard Levitte's key

- Update to 1.1.1c
  * Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
    ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
    for every encryption operation. RFC 7539 specifies that the nonce value
    (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
    and front pads the nonce with 0 bytes if it is less than 12
    bytes. However it also incorrectly allows a nonce to be set of up to 16
    bytes. In this case only the last 12 bytes are significant and any
    additional leading bytes are ignored.
  * Add build tests for C++.  These are generated files that only do one
    thing, to include one public OpenSSL head file each.  This tests that
    the public header files can be usefully included in a C++ application.
  * Enable SHA3 pre-hashing for ECDSA and DSA.
  * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
    This changes the size when using the genpkey app when no size is given. It
    fixes an omission in earlier changes that changed all RSA, DSA and DH
    generation apps to use 2048 bits by default.
  * Reorganize the manual pages to consistently have RETURN VALUES,
    EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
    util/fix-doc-nits accordingly.
  * Add the missing accessor EVP_PKEY_get0_engine()
  * Have apps like 's_client' and 's_server' output the signature scheme
    along with other cipher suite parameters when debugging.
  * Make OPENSSL_config() error agnostic again.
  * Do the error handling in RSA decryption constant time.

OBS-URL: https://build.opensuse.org/request/show/706506
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=37
2019-05-30 12:30:15 +00:00
Vítězslav Čížek
02427a3414 - Renamed from openssl-1_1_0 (bsc#1081335)
* All the minor versions of the 1.1.x openssl branch have the same
    sonum and keep ABI compatibility

- Remove bit obsolete syntax
- Use %license macro

- Don't disable afalgeng on aarch64

- Add support for s390x CPACF enhancements (fate#321518)
  patches taken from https://github.com/openssl/openssl/pull/2859:
  * 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch
  * 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
  * 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
  * 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch
  * 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch
  * 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch
  * 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch
  * 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch
  * 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
  * 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
  * 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch

- Do not filter pkgconfig() provides/requires.

- Obsolete openssl-1_0_0 by openssl-1_1_0: this is required for a
  clean upgrade path as an aid to zypp (boo#1070003).

- Update to 1.1.0g
  OpenSSL Security Advisory [02 Nov 2017]

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=2
2018-02-16 12:13:08 +00:00