diff --git a/Equifax-root1.pem b/Equifax-root1.pem
deleted file mode 100644
index e07f0ca..0000000
--- a/Equifax-root1.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
-UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
-dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
-MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
-dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
-AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
-BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
-cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
-AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
-MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
-aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
-ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
-IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
-MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
-A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
-7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
-1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
------END CERTIFICATE-----
diff --git a/ICP-Brasil.pem b/ICP-Brasil.pem
deleted file mode 100644
index 938e3a9..0000000
--- a/ICP-Brasil.pem
+++ /dev/null
@@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBtDELMAkGA1UEBhMCQlIx -EzARBgNVBAoTCklDUC1CcmFzaWwxPTA7BgNVBAsTNEluc3RpdHV0byBOYWNpb25h -bCBkZSBUZWNub2xvZ2lhIGRhIEluZm9ybWFjYW8gLSBJVEkxETAPBgNVBAcTCEJy -YXNpbGlhMQswCQYDVQQIEwJERjExMC8GA1UEAxMoQXV0b3JpZGFkZSBDZXJ0aWZp -Y2Fkb3JhIFJhaXogQnJhc2lsZWlyYTAeFw0wMTExMzAxMjU4MDBaFw0xMTExMzAy -MzU5MDBaMIG0MQswCQYDVQQGEwJCUjETMBEGA1UEChMKSUNQLUJyYXNpbDE9MDsG -A1UECxM0SW5zdGl0dXRvIE5hY2lvbmFsIGRlIFRlY25vbG9naWEgZGEgSW5mb3Jt -YWNhbyAtIElUSTERMA8GA1UEBxMIQnJhc2lsaWExCzAJBgNVBAgTAkRGMTEwLwYD -VQQDEyhBdXRvcmlkYWRlIENlcnRpZmljYWRvcmEgUmFpeiBCcmFzaWxlaXJhMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPMudwX/hvm+Uh2b/lQAcHVA -isamaLkWdkwP9/S/tOKIgRrL6Oy+ZIGlOUdd6uYtk9Ma/3pUpgcfNAj0vYm5gsyj -Qo9emsc+x6m4VWwk9iqMZSCK5EQkAq/Ut4n7KuLE1+gdftwdIgxfUsPt4CyNrY50 -QV57KM2UT8x5rrmzEjr7TICGpSUAl2gVqe6xaii+bmYR1QrmWaBSAG59LrkrjrYt -bRhFboUDe1DK+6T8s5L6k8c8okpbHpa9veMztDVC9sPJ60MWXh6anVKo1UcLcbUR -yEeNvZneVRKAAU6ouwdjDvwlsaKydFKwed0ToQ47bmUKgcm+wV3eTRk36UOnTwID -AQABo4HSMIHPME4GA1UdIARHMEUwQwYFYEwBAQAwOjA4BggrBgEFBQcCARYsaHR0 -cDovL2FjcmFpei5pY3BicmFzaWwuZ292LmJyL0RQQ2FjcmFpei5wZGYwPQYDVR0f -BDYwNDAyoDCgLoYsaHR0cDovL2FjcmFpei5pY3BicmFzaWwuZ292LmJyL0xDUmFj -cmFpei5jcmwwHQYDVR0OBBYEFIr68VeEERM1kEL6V0lUaQ2kxPA3MA8GA1UdEwEB -/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQAZA5c1 -U/hgIh6OcgLAfiJgFWpvmDZWqlV30/bHFpj8iBobJSm5uDpt7TirYh1Uxe3fQaGl -YjJe+9zd+izPRbBqXPVQA34EXcwk4qpWuf1hHriWfdrx8AcqSqr6CuQFwSr75Fos -SzlwDADa70mT7wZjAmQhnZx2xJ6wfWlT9VQfS//JYeIc7Fue2JNLd00UOSMMaiK/ -t79enKNHEA2fupH3vEigf5Eh4bVAN5VohrTm6MY53x7XQZZr1ME7a55lFEnSeT0u -mlOAjR2mAbvSM5X5oSZNrmetdzyTj2flCM8CC7MLab0kkdngRIlUBGHF1/S5nmPb -K+9A46sd33oqK8n8 ------END CERTIFICATE----- diff --git a/baselibs.conf b/baselibs.conf index b42e6f1..17aae9e 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,3 +1,2 @@ -openssl libopenssl0_9_8 obsoletes "openssl- <= " 
diff --git a/certs.tar.bz2 b/certs.tar.bz2
new file mode 100644
index 0000000..04d574a
--- /dev/null
+++ b/certs.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6b8dff8e46383f941bc1a6c084e40aad6a67699b9b814c9d1a0b2a17d3b84039
+size 17917
diff --git a/openssl-0.9.8g-fix_dh_for_certain_moduli.patch b/openssl-0.9.8g-fix_dh_for_certain_moduli.patch
deleted file mode 100644
index fab4184..0000000
--- a/openssl-0.9.8g-fix_dh_for_certain_moduli.patch
+++ /dev/null
@@ -1,64 +0,0 @@ ---- a/crypto/bn/bn_mul.c 2007/07/08 18:53:03 1.37 -+++ b/crypto/bn/bn_mul.c 2007/11/03 20:09:04 1.38 -@@ -389,6 +389,7 @@ - * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0]) - * a[1]*b[1] - */ -+/* dnX may not be positive, but n2/2+dnX has to be */ - void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, - int dna, int dnb, BN_ULONG *t) - { -@@ -398,7 +399,7 @@ - BN_ULONG ln,lo,*p; - - # ifdef BN_COUNT -- fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2); -+ fprintf(stderr," bn_mul_recursive %d%+d * %d%+d\n",n2,dna,n2,dnb); - # endif - # ifdef BN_MUL_COMBA - # if 0 -@@ -545,6 +546,7 @@ - - /* n+tn is the word length - * t needs to be n*4 is size, as does r */ -+/* tnX may not be negative but less than n */ - void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, - int tna, int tnb, BN_ULONG *t) - { -@@ -553,8 +555,8 @@ - BN_ULONG ln,lo,*p; - - # ifdef BN_COUNT -- fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n", -- tna, n, tnb, n); -+ fprintf(stderr," bn_mul_part_recursive (%d%+d) * (%d%+d)\n", -+ n, tna, n, tnb); - # endif - if (n < 8) - { -@@ -655,16 +657,19 @@ - for (;;) - { - i/=2; -- if (i <= tna && tna == tnb) -+ /* these simplified conditions work -+ * exclusively because difference -+ * between tna and tnb is 1 or 0 */ -+ if (i < tna || i < tnb) - { -- bn_mul_recursive(&(r[n2]), -+ bn_mul_part_recursive(&(r[n2]), - &(a[n]),&(b[n]), - i,tna-i,tnb-i,p); - break; - } -- else if (i < tna || i < tnb) -+ else if (i == tna || i == tnb) - { -- bn_mul_part_recursive(&(r[n2]), -+ bn_mul_recursive(&(r[n2]), - &(a[n]),&(b[n]), - i,tna-i,tnb-i,p); - break; - - diff --git a/openssl-0.9.8g.tar.bz2 b/openssl-0.9.8g.tar.bz2 deleted file mode 100644 index 4a0c373..0000000 --- a/openssl-0.9.8g.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0fd6bbd50a17a630f81a0e5e036900c5ac67eec731efd379b8116a48e28405ae -size 2681538 
diff --git a/openssl-0.9.8h.tar.bz2 b/openssl-0.9.8h.tar.bz2 new file mode 100644 index 0000000..b425c64 --- /dev/null +++ b/openssl-0.9.8h.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9b7d2a06182fa4e821c436dafc8378c63007606bd47bf431974994867043ea4c +size 2734835 diff --git a/openssl-CVE-2008-0891.patch b/openssl-CVE-2008-0891.patch deleted file mode 100644 index e2a3746..0000000 --- a/openssl-CVE-2008-0891.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: ssl/t1_lib.c -=================================================================== -RCS file: /e/openssl/cvs/openssl/ssl/t1_lib.c,v -retrieving revision 1.13.2.8 -diff -u -r1.13.2.8 t1_lib.c ---- ssl/t1_lib.c 18 Oct 2007 11:39:11 -0000 1.13.2.8 -+++ ssl/t1_lib.c 18 Mar 2008 12:06:58 -0000 -@@ -381,6 +381,7 @@ - s->session->tlsext_hostname[len]='\0'; - if (strlen(s->session->tlsext_hostname) != len) { - OPENSSL_free(s->session->tlsext_hostname); -+ s->session->tlsext_hostname = NULL; - *al = TLS1_AD_UNRECOGNIZED_NAME; - return 0; - } diff --git a/openssl-CVE-2008-1672.patch b/openssl-CVE-2008-1672.patch deleted file mode 100644 index 79c56f6..0000000 --- a/openssl-CVE-2008-1672.patch +++ /dev/null @@ -1,21 +0,0 @@ -Index: ssl/s3_clnt.c -=================================================================== -RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v -retrieving revision 1.88.2.12 -diff -u -r1.88.2.12 s3_clnt.c ---- ssl/s3_clnt.c 3 Nov 2007 13:07:39 -0000 1.88.2.12 -+++ ssl/s3_clnt.c 22 May 2008 09:19:30 -0000 -@@ -2061,6 +2061,13 @@ - { - DH *dh_srvr,*dh_clnt; - -+ if (s->session->sess_cert == NULL) -+ { -+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); -+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); -+ goto err; -+ } -+ - if (s->session->sess_cert->peer_dh_tmp != NULL) - dh_srvr=s->session->sess_cert->peer_dh_tmp; - else diff --git a/openssl.changes b/openssl.changes index 4e139c5..a745f53 100644 --- a/openssl.changes +++ b/openssl.changes 
@@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Tue Jun 24 09:09:04 CEST 2008 - mkoenig@suse.de + +- update to version 0.9.8h +- openssl does not ship CA root certificates anymore + keep certificates that SuSE is already shipping +- resolves bad array index (function has been removed) [bnc#356549] +- removed patches + openssl-0.9.8g-fix_dh_for_certain_moduli.patch + openssl-CVE-2008-0891.patch + openssl-CVE-2008-1672.patch + ------------------------------------------------------------------- Wed May 28 15:04:08 CEST 2008 - mkoenig@suse.de diff --git a/openssl.spec b/openssl.spec index 0104616..9d608e4 100644 --- a/openssl.spec +++ b/openssl.spec @@ -1,5 +1,5 @@ # -# spec file for package openssl (Version 0.9.8g) +# spec file for package openssl (Version 0.9.8h) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -19,14 +19,13 @@ License: BSD 3-Clause Group: Productivity/Networking/Security Provides: ssl AutoReqProv: on -Version: 0.9.8g -Release: 46 +Version: 0.9.8h +Release: 1 Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 +Source1: certs.tar.bz2 Source10: README.SuSE -Source20: ICP-Brasil.pem -Source21: Equifax-root1.pem Patch0: openssl-0.9.8-sparc.dif Patch1: openssl-0.9.8-flags-priority.dif Patch2: non-exec-stack.diff @@ -37,9 +36,6 @@ Patch5: openssl-0.9.6g-alpha.diff #Patch10: openssl-0.9.7d-ICA_engine-jun142004.patch.bz2 Patch6: openssl-0.9.8a.ca-app-segfault.bug128655.dif Patch7: bswap.diff -Patch8: openssl-0.9.8g-fix_dh_for_certain_moduli.patch -Patch9: openssl-CVE-2008-0891.patch -Patch10: openssl-CVE-2008-1672.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -199,12 +195,8 @@ Authors: #%patch10 -p1 %patch6 -p1 %patch7 -%patch8 -p1 -%patch9 -%patch10 cp -p %{S:10} . -cp -p %{S:20} certs/ -cp -p %{S:21} certs/ +tar xjf %{SOURCE1} # lib64 installation fixes for i in Makefile.org engines/Makefile; do sed -e "s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/%_lib+g" \ @@ -407,6 +399,7 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %dir %{ssletcdir} %config (noreplace) %{ssletcdir}/openssl.cnf %attr(700,root,root) %{ssletcdir}/private +%{ssletcdir}/certs %dir %{_datadir}/ssl %{_datadir}/ssl/misc %{_bindir}/c_rehash @@ -417,6 +410,15 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %{ssletcdir}/certs %changelog +* Tue Jun 24 2008 mkoenig@suse.de +- update to version 0.9.8h +- openssl does not ship CA root certificates anymore + keep certificates that SuSE is already shipping +- resolves bad array index (function has been removed) [bnc#356549] +- removed patches + openssl-0.9.8g-fix_dh_for_certain_moduli.patch + openssl-CVE-2008-0891.patch + openssl-CVE-2008-1672.patch * Wed May 28 2008 mkoenig@suse.de - fix OpenSSL Server Name extension crash (CVE-2008-0891) and OpenSSL Omit Server Key Exchange message crash (CVE-2008-1672)
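Review bot: The new `tar xjf %{SOURCE1}` step in %prep fills the certificate directory from an opaque archive, so the set of CA roots this package installs as trust anchors can no longer be read from the package sources the way the individual `Source20`/`Source21` PEM files could. A comment beside `Source1:` would restore that, for example `# certs.tar.bz2: CA root certificates SuSE already shipped; upstream no longer includes them as of 0.9.8h`, followed by the list of roots the archive contains. The same hunk removes `%patch9` and `%patch10`, which by their file names carried the fixes for CVE-2008-0891 and CVE-2008-1672; the changelog entry lists them only as removed, so it should say explicitly that 0.9.8h contains both fixes. The %prep section starts and ends outside this hunk.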
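Review bot: The added `%{ssletcdir}/certs` entry in the @@ -407,6 +399,7 @@ hunk duplicates a path that a later %files list already claims, namely the unchanged `%{ssletcdir}/certs` line directly before `%changelog` in the following hunk. The %files headers are outside both hunks, so this is inferred, but if the later list belongs to a separate certificates subpackage then two packages would own the same trust-anchor files. If only the directory needs an owner in the main package, `%dir %{ssletcdir}/certs` would do that without packaging the certificates twice; otherwise a comment should say why both lists carry the path.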