- Update to 3.0.8:
* Fixed NULL dereference during PKCS7 data verification.
A NULL pointer can be dereferenced when signatures are being
verified on PKCS7 signed or signedAndEnveloped data. In case the hash
algorithm used for the signature is known to the OpenSSL library but
the implementation of the hash algorithm is not available the digest
initialization will fail. There is a missing check for the return
value from the initialization function which later leads to invalid
usage of the digest API most likely leading to a crash.
([bsc#1207541, CVE-2023-0401])
PKCS7 data is processed by the SMIME library calls and also by the
time stamp (TS) library calls. The TLS implementation in OpenSSL does
not call these functions however third party applications would be
affected if they call these functions to verify signatures on untrusted
data.
* Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but the public structure definition for GENERAL_NAME incorrectly specified
the type of the x400Address field as ASN1_TYPE. This field is subsequently
interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
than an ASN1_STRING.
When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
pass arbitrary pointers to a memcmp call, enabling them to read memory
contents or enact a denial of service.
([bsc#1207533, CVE-2023-0286])
* Fixed NULL dereference validating DSA public key.
An invalid pointer dereference on read can be triggered when an
application tries to check a malformed DSA public key by the
OBS-URL: https://build.opensuse.org/request/show/1063662
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=53
- Relax the crypto-policies requirements for the regression tests
- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042]
* Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch
* Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
* Package a copy of the original default config file called
openssl.cnf and name it as openssl-orig.cnf and warn the user
if the files differ.
* Add openssl-3-devel as conflicting with libopenssl-1_1-devel
* Remove patches:
- fix-config-in-tests.patch
- openssl-use-versioned-config.patch
- Create the openssl ca-certificates directory in case the
ca-certificates package is not installed. This directory is
required by the nodejs regression tests. [bsc#1207484]
- Compute the hmac files for FIPS 140-3 integrity checking of the
openssl shared libraries using the brp-50-generate-fips-hmac
script. Also computed for the 32bit package.
OBS-URL: https://build.opensuse.org/request/show/1062222
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=51
