- Build everything with full RELRO (-Wl,-z,relro,-z,now)
- Remove -fstack-protector from the hardcoded build options
it is already in RPM_OPT_FLAGS and is replaced by
-fstack-protector-strong with gcc 4.9
- Remove the "gmp" and "capi" shared engines, nobody noticed
but they are just dummies that do nothing.
- Use enable-rfc3779 to allow projects such as rpki.net
to work in openSUSE and match the functionality
available in Debian/Fedora/etc
- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix
CVE-2010-5298 and disable the internal BUF_FREELISTS
functionality. it hides bugs like heartbleed and is
there only for systems on which malloc() free() are slow.
- ensure we export MALLOC_CHECK and PERTURB during the test
suite, now that the freelist functionality is disabled it
will help to catch bugs before they hit users.
- openssl-libssl-noweakciphers.patch do not offer "export"
or "low" quality ciphers by default. using such ciphers
is not forbidden but requires an explicit request
- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does
not return memory of "num * old_num" but only "num" size
fortunately this function is currently unused. (forwarded request 230868 from elvigia)
OBS-URL: https://build.opensuse.org/request/show/231108
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=114
- openssl-gcc-attributes.patch
* annotate memory allocation wrappers with attribute(alloc_size)
so the compiler can tell us if it knows they are being misused
* OPENSSL_showfatal is annotated with attribute printf to detect
format string problems.
- It is time to try to disable SSLv2 again, it was tried a while
ago but broke too many things, nowadays Debian, Ubuntu, the BSDs
all have disabled it, most components are already fixed.
I will fix the remaining fallout if any. (email me) (forwarded request 229674 from elvigia)
OBS-URL: https://build.opensuse.org/request/show/229715
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=111
