openssl

pool/openssl

SHA256

Fork 2

Commit Graph

Author	SHA256	Message	Date
Stephan Kulow	0985bc43b2	Accepting request 245642 from Base:System - openssl.keyring: the 1.0.1i release was done by Matt Caswell <matt@openssl.org> UK 0E604491 - rename README.SuSE (old spelling) to README.SUSE (bnc#889013) - update to 1.0.1i * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the SRP code can be overrun an internal buffer. Add sanity check that g, A, B < N to SRP code. (CVE-2014-3512) * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records. (CVE-2014-3511) * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. (CVE-2014-3510) * By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. (CVE-2014-3507) * An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack. (CVE-2014-3506) * An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This OBS-URL: https://build.opensuse.org/request/show/245642 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=121	2014-08-25 09:03:07 +00:00
Stephan Kulow	d5a92c035d	Accepting request 229370 from Base:System - update to 1.0.1g: * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299) * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945) * Workaround for the "TLS hang bug" (see FAQ and PR#2771) - remove CVE-2014-0076.patch - openssl.keyring: upstream changed to: pub 4096R/FA40E9E2 2005-03-19 Dr Stephen N Henson <steve@openssl.org> uid Dr Stephen Henson <shenson@drh-consultancy.co.uk> uid Dr Stephen Henson <shenson@opensslfoundation.com> OBS-URL: https://build.opensuse.org/request/show/229370 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=110	2014-04-09 16:17:23 +00:00
Stephan Kulow	ccb7f79a32	Accepting request 224423 from Base:System additional changes required for FIPS validation( from Fedora repo); Add patch file: openssl-1.0.1e-new-fips-reqs.patch (forwarded request 224375 from shawn2012) OBS-URL: https://build.opensuse.org/request/show/224423 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=108	2014-03-06 18:29:26 +00:00

Author

SHA256

Message

Date

Stephan Kulow

0985bc43b2

Accepting request 245642 from Base:System

- openssl.keyring: the 1.0.1i release was done by
Matt Caswell <matt@openssl.org> UK 0E604491

- rename README.SuSE (old spelling) to README.SUSE (bnc#889013)

- update to 1.0.1i
* Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
SRP code can be overrun an internal buffer. Add sanity check that
g, A, B < N to SRP code.
(CVE-2014-3512)
* A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a
higher protocol version, by modifying the client's TLS records.
(CVE-2014-3511)
* OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. A malicious server can crash the client
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
(CVE-2014-3510)
* By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
(CVE-2014-3507)
* An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
(CVE-2014-3506)
* An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This

OBS-URL: https://build.opensuse.org/request/show/245642
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=121

2014-08-25 09:03:07 +00:00

Stephan Kulow

d5a92c035d

Accepting request 229370 from Base:System

- update to 1.0.1g:
  * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299)
  * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945)
  * Workaround for the "TLS hang bug" (see FAQ and PR#2771)
- remove CVE-2014-0076.patch
- openssl.keyring: upstream changed to:
  pub  4096R/FA40E9E2 2005-03-19 Dr Stephen N Henson <steve@openssl.org>
  uid                            Dr Stephen Henson <shenson@drh-consultancy.co.uk>
  uid                            Dr Stephen Henson <shenson@opensslfoundation.com>

OBS-URL: https://build.opensuse.org/request/show/229370
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=110

2014-04-09 16:17:23 +00:00

Stephan Kulow

ccb7f79a32

Accepting request 224423 from Base:System

additional changes required for FIPS validation( from Fedora repo); Add patch file: openssl-1.0.1e-new-fips-reqs.patch (forwarded request 224375 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/224423
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=108

2014-03-06 18:29:26 +00:00

3 Commits