30c6de24df
- Update to 3.5.2:
  * Miscellaneous minor bug fixes.
  * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
- Rebase patches:
  * openssl-FIPS-140-3-keychecks.patch
  * openssl-FIPS-NO-DES-support.patch
  * openssl-FIPS-enforce-EMS-support.patch
  * openssl-disable-fipsinstall.patch
- Move ssl configuration files to the libopenssl package [bsc#1247463]
- Don't install unneeded NOTES
Pedro Monreal Gonzalez 2025-08-06 13:16:19 +00:00
cbc553d55a
- bsc#1243564 CVE-2025-4575: Fix the x509 application adding trusted use instead of rejected use
  * Add openssl-CVE-2025-4575.patch
Pedro Monreal Gonzalez 2025-05-27 09:21:22 +00:00
4086df5291
Accepting request 1278744 from security:tls
Ana Guerrero 2025-05-23 12:26:45 +00:00
2dc845ffe5
Accepting request 1278744 from security:tls
Ana Guerrero 2025-05-23 12:26:45 +00:00
8a00581af4
- Update to 3.5.0:
  * Changes:
    - Default encryption cipher for the req, cms, and smime applications changed from des-ede3-cbc to aes-256-cbc.
    - The default TLS supported groups list has been changed to include and prefer hybrid PQC KEM groups. Some practically unused groups were removed from the default list.
    - The default TLS keyshares have been changed to offer X25519MLKEM768 and X25519.
    - All BIO_meth_get_*() functions were deprecated.
  * New features:
    - Support for server side QUIC (RFC 9000)
    - Support for 3rd party QUIC stacks including 0-RTT support
    - Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
    - A new configuration option no-tls-deprecated-ec to disable support for TLS groups deprecated in RFC8422
    - A new configuration option enable-fips-jitter to make the FIPS provider use the JITTER seed source
    - Support for central key generation in CMP
    - Support added for opaque symmetric key objects (EVP_SKEY)
    - Support for multiple TLS keyshares and improved TLS key establishment group configurability
    - API support for pipelining in provided cipher algorithms
  * Remove patches:
    - openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
    - openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
    - openssl-3-add-defines-CPACF-funcs.patch
    - openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
    - openssl-3-add-xof-state-handling-s3_absorb.patch
    - openssl-3-fix-state-handling-sha3_absorb_s390x.patch
Pedro Monreal Gonzalez 2025-04-16 13:02:20 +00:00
d24a1a85c7
Accepting request 1255522 from security:tls
Ana Guerrero 2025-03-27 21:31:30 +00:00
a91f523eac
Accepting request 1255522 from security:tls
Ana Guerrero 2025-03-27 21:31:30 +00:00
d801e4b1ff
- Introduce --without lto. When %{optflags} contains -flto=*, test cases are also built using -flto=*, which significantly increases build times. This option disables lto, which improves iteration times when developing.
Pedro Monreal Gonzalez 2025-03-07 08:17:54 +00:00
7d987586ad
Accepting request 1245244 from security:tls
Ana Guerrero 2025-02-12 20:30:27 +00:00
e992b24c38
Accepting request 1245244 from security:tls
Ana Guerrero 2025-02-12 20:30:27 +00:00
50f27fb2ad
Accepting request 1245243 from home:pmonrealgonzalez:branches:security:tls
Pedro Monreal Gonzalez 2025-02-12 07:58:33 +00:00
e5f6af2c44
- bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation
  * Add patch openssl-CVE-2024-13176.patch
Pedro Monreal Gonzalez 2025-01-24 08:48:18 +00:00
124a82228a
Accepting request 1234617 from security:tls
Ana Guerrero 2025-01-05 14:27:00 +00:00
8853ae0bcf
Accepting request 1234617 from security:tls
Ana Guerrero 2025-01-05 14:27:00 +00:00
34de714067
Accepting request 1234615 from home:pmonrealgonzalez:branches:security:tls
Pedro Monreal Gonzalez 2025-01-02 18:17:13 +00:00
b062a1d507
- Add support for userspace livepatching on ppc64le (jsc#PED-11850).
- Fix evp_properties section in the openssl.cnf file [bsc#1234647]
  * Rebase patches:
    - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
    - openssl-TESTS-Disable-default-provider-crypto-policies.patch
Pedro Monreal Gonzalez 2025-01-02 18:17:13 +00:00
25ab083387
Accepting request 1233180 from home:gbelinassi:branches:security:tls
Pedro Monreal Gonzalez 2025-01-02 08:25:49 +00:00
5afc4138ca
- Add support for userspace livepatching on ppc64le (jsc#PED-10952).
- Use gcc-13 for ppc64le.
Pedro Monreal Gonzalez 2025-01-02 08:25:49 +00:00
5ef05738b6
Accepting request 1223748 from security:tls
Ana Guerrero 2024-11-13 14:26:48 +00:00
b3fd9c08d5
Accepting request 1223748 from security:tls
Ana Guerrero 2024-11-13 14:26:48 +00:00
6e95485a74
- Update to 3.1.7:
  * Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
    - Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
    - Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535)
  * Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
    - Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
    - Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
    - Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
  * Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
    - Fixed PKCS12 Decoding crashes (CVE-2024-0727)
    - Fixed Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
    - Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
    - Fix excessive time spent in DH check / generation with large Q parameter value (CVE-2023-5678)
  * Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
  * Rebase patches:
    - openssl-Force-FIPS.patch
    - openssl-FIPS-embed-hmac.patch
    - openssl-FIPS-services-minimize.patch
    - openssl-FIPS-RSA-disable-shake.patch
    - openssl-CVE-2023-50782.patch
  * Remove patches fixed in the update:
    - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
    - openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch
Pedro Monreal Gonzalez 2024-10-22 12:02:36 +00:00
8de5f9f15f
Accepting request 1208827 from security:tls
Ana Guerrero 2024-10-20 08:02:58 +00:00
f15b6cf3be
Accepting request 1208827 from security:tls
Ana Guerrero 2024-10-20 08:02:58 +00:00
e6ed9f2171
Accepting request 1208826 from home:pmonrealgonzalez:branches:security:tls
Pedro Monreal Gonzalez 2024-10-18 08:58:53 +00:00
e20eeb46a1
- Security fix: [bsc#1230698, CVE-2024-41996]
  * Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used
  * Added openssl-CVE-2024-41996.patch
Pedro Monreal Gonzalez 2024-09-24 12:22:05 +00:00
1685dc00d5
Accepting request 1198659 from security:tls
Ana Guerrero 2024-09-05 13:45:58 +00:00
625347398c
Accepting request 1198659 from security:tls
Ana Guerrero 2024-09-05 13:45:58 +00:00
92f37af083
Accepting request 1198658 from home:pmonrealgonzalez:branches:security:tls
Pedro Monreal Gonzalez 2024-09-04 08:01:42 +00:00
b76e72dd67
- Security fix: [bsc#1229465, CVE-2024-6119]
  * possible denial of service in X.509 name checks
  * openssl-CVE-2024-6119.patch
Pedro Monreal Gonzalez 2024-09-04 08:01:42 +00:00
46691be39e
Accepting request 1192291 from home:pmonrealgonzalez:branches:security:tls
Pedro Monreal Gonzalez 2024-08-07 21:54:42 +00:00
6bc57d937f
- FIPS: Deny SHA-1 signature verification in FIPS provider [bsc#1221365]
  * SHA-1 is not allowed anymore in FIPS 186-5 for signature verification operations. After 12/31/2030, NIST will disallow SHA-1 for all of its usages.
  * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
Pedro Monreal Gonzalez 2024-08-07 21:54:42 +00:00