- Provide pkgconfig(openssl)
- Provide basic baselibs.conf for 32bit subpackages
- Specify this package as noarch (as we just provide README files)
- Fix typo in openssl requires
- Add dependency on the branched devel package
- Provide all pkgconfig symbols to hide them in versioned subpkgs
- This allows us to propagate only the preffered version of openssl
while allowing us to add extra openssl only as additional dependency
- Remove the ssl provides as it is applicable for only those that
really provide it
- Prepare to split to various subpackages converting main one to
dummy package
- Reduce to only provide main pkg and devel and depend on proper
soversioned package
- Version in this package needs to be synced with the one provided
by the split package
- Remove all the patches, now in the proper versioned namespace:
* merge_from_0.9.8k.patch
* openssl-1.0.0-c_rehash-compat.diff
* bug610223.patch
* openssl-ocloexec.patch
* openssl-1.0.2a-padlock64.patch
* openssl-fix-pod-syntax.diff
* openssl-truststore.patch
* compression_methods_switch.patch
* 0005-libssl-Hide-library-private-symbols.patch
OBS-URL: https://build.opensuse.org/request/show/492985
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=138
- resume reading from /dev/urandom when interrupted by a signal
(bsc#995075)
* add openssl-randfile_fread_interrupt.patch
- add FIPS changes from SP2:
- fix problems with locking in FIPS mode (bsc#992120)
* duplicates: bsc#991877, bsc#991193, bsc#990392, bsc#990428
and bsc#990207
* bring back openssl-fipslocking.patch
- drop openssl-fips_RSA_compute_d_with_lcm.patch (upstream)
(bsc#984323)
- don't check for /etc/system-fips (bsc#982268)
* add openssl-fips-dont_run_FIPS_module_installed.patch
- refresh openssl-fips-rsagen-d-bits.patch (forwarded request 431508 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/433063
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=134
- OpenSSL Security Advisory [3rd May 2016]
- update to 1.0.2h (boo#977584, boo#977663)
* Prevent padding oracle in AES-NI CBC MAC check
A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI.
(CVE-2016-2107, boo#977616)
* Fix EVP_EncodeUpdate overflow
An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption.
(CVE-2016-2105, boo#977614)
* Fix EVP_EncryptUpdate overflow
An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
is able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate() with a partial block then a length check can overflow
resulting in a heap corruption.
(CVE-2016-2106, boo#977615)
* Prevent ASN.1 BIO excessive memory allocation
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can casuse allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
(CVE-2016-2109, boo#976942)
* EBCDIC overread
ASN1 Strings that are over 1024 bytes can cause an overread in applications
using the X509_NAME_oneline() function on EBCDIC systems. This could result
in arbitrary stack data being returned in the buffer.
(CVE-2016-2176, boo#978224)
* Modify behavior of ALPN to invoke callback after SNI/servername (forwarded request 393446 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/393456
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=132
- update to 1.0.2g (bsc#968044)
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
Builds that are not configured with "enable-weak-ssl-ciphers" will not
provide any "EXPORT" or "LOW" strength ciphers.
* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
is by default disabled at build-time. Builds that are not configured with
"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
(CVE-2016-0800)
* Fix a double-free in DSA code
(CVE-2016-0705)
* Disable SRP fake user seed to address a server memory leak.
Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
(CVE-2016-0798)
* Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
(CVE-2016-0797)
*) Side channel attack on modular exponentiation
http://cachebleed.info.
(CVE-2016-0702)
*) Change the req app to generate a 2048-bit RSA/DSA key by default,
if no keysize is specified with default_bits. This fixes an
omission in an earlier change that changed all RSA/DSA key generation
apps to use 2048 bits by default. (forwarded request 363599 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/363602
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=130
- update to 1.0.2d
* fixes CVE-2015-1793 (bsc#936746)
Alternate chains certificate forgery
During certificate verfification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.
- drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/315685
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128
- update to 1.0.2a
* Major changes since 1.0.1:
- Suite B support for TLS 1.2 and DTLS 1.2
- Support for DTLS 1.2
- TLS automatic EC curve selection.
- API to set TLS supported signature algorithms and curves
- SSL_CONF configuration API.
- TLS Brainpool support.
- ALPN support.
- CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
- packaging changes:
* merged patches modifying CIPHER_LIST into one, dropping:
- openssl-1.0.1e-add-suse-default-cipher-header.patch
- openssl-libssl-noweakciphers.patch
* fix a manpage with invalid name
- added openssl-fix_invalid_manpage_name.patch
* remove a missing fips function
- openssl-missing_FIPS_ec_group_new_by_curve_name.patch
* reimported patches from Fedora
dropped patches:
- openssl-1.0.1c-default-paths.patch
- openssl-1.0.1c-ipv6-apps.patch
- openssl-1.0.1e-fips-ctor.patch
- openssl-1.0.1e-fips-ec.patch
- openssl-1.0.1e-fips.patch
- openssl-1.0.1e-new-fips-reqs.patch
- VIA_padlock_support_on_64systems.patch
added patches:
- openssl-1.0.2a-default-paths.patch
- openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/310849
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127
- openssl.keyring: the 1.0.1i release was done by
Matt Caswell <matt@openssl.org> UK 0E604491
- rename README.SuSE (old spelling) to README.SUSE (bnc#889013)
- update to 1.0.1i
* Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
SRP code can be overrun an internal buffer. Add sanity check that
g, A, B < N to SRP code.
(CVE-2014-3512)
* A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a
higher protocol version, by modifying the client's TLS records.
(CVE-2014-3511)
* OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. A malicious server can crash the client
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
(CVE-2014-3510)
* By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
(CVE-2014-3507)
* An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
(CVE-2014-3506)
* An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This
OBS-URL: https://build.opensuse.org/request/show/245642
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=121
NOTE:
I submitted perl-Net-SSLeay 1.64 update to devel:languages:perl which
fixes its regression.
- updated openssl to 1.0.1h (bnc#880891):
- CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
- CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.
- CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
overrun attack can be triggered by sending invalid DTLS fragments to
an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
- CVE-2014-3470: Fix bug in TLS code where clients enable anonymous
ECDH ciphersuites are subject to a denial of service attack.
- openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream
- CVE-2014-0198.patch: removed, upstream
- 0009-Fix-double-frees.patch: removed, upstream
- 0012-Fix-eckey_priv_encode.patch: removed, upstream
- 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream
- 0018-fix-coverity-issues-966593-966596.patch: removed, upstream
- 0020-Initialize-num-properly.patch: removed, upstream
- 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream
- 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream
- 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream
- 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream
- 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase
- openssl-1.0.1c-ipv6-apps.patch: refreshed
- openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed
- Added new SUSE default cipher suite
openssl-1.0.1e-add-suse-default-cipher.patch
OBS-URL: https://build.opensuse.org/request/show/236989
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=118
- Add upstream patches fixing coverity scan issues:
* 0018-fix-coverity-issues-966593-966596.patch
* 0020-Initialize-num-properly.patch
* 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
* 0023-evp-prevent-underflow-in-base64-decoding.patch
* 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
* 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
- Update 0001-libcrypto-Hide-library-private-symbols.patch
to cover more private symbols, now 98% complete and probably
not much more can be done to fix the rest of the ill-defined API.
- openssl-fips-hidden.patch new, hides private symbols added by the
FIPS patches.
- openssl-no-egd.patch disable the EGD (entropy gathering daemon)
interface, we have no EGD in the distro and obtaining entropy from
a place other than /dev/*random, the hardware rng or the openSSL
internal PRNG is an extremely bad & dangerous idea.
- use secure_getenv instead of getenv everywhere. (forwarded request 233217 from elvigia)
OBS-URL: https://build.opensuse.org/request/show/233553
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=117
- 0005-libssl-Hide-library-private-symbols.patch
Update to hide more symbols that are not part of
the public API
- openssl-gcc-attributes.patch BUF_memdup also
needs attribute alloc_size as it returns memory
of size of the second parameter.
- openssl-ocloexec.patch Update, accept()
also needs O_CLOEXEC.
- 0009-Fix-double-frees.patch, 0017-Double-free-in-i2o_ECPublicKey.patch
fix various double frees (from upstream)
- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should
return an error inmediately on failure of i2d_ECPrivateKey (from upstream)
- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
From libressl, modified to work on linux systems that do not have
funopen() but fopencookie() instead.
Once upon a time, OS didn't have snprintf, which caused openssl to
bundle a *printf implementation. We know better nowadays, the glibc
implementation has buffer overflow checking, has sane failure modes
deal properly with threads, signals..etc..
- build with -fno-common as well. (forwarded request 232752 from elvigia)
OBS-URL: https://build.opensuse.org/request/show/232889
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=116
- Build everything with full RELRO (-Wl,-z,relro,-z,now)
- Remove -fstack-protector from the hardcoded build options
it is already in RPM_OPT_FLAGS and is replaced by
-fstack-protector-strong with gcc 4.9
- Remove the "gmp" and "capi" shared engines, nobody noticed
but they are just dummies that do nothing.
- Use enable-rfc3779 to allow projects such as rpki.net
to work in openSUSE and match the functionality
available in Debian/Fedora/etc
- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix
CVE-2010-5298 and disable the internal BUF_FREELISTS
functionality. it hides bugs like heartbleed and is
there only for systems on which malloc() free() are slow.
- ensure we export MALLOC_CHECK and PERTURB during the test
suite, now that the freelist functionality is disabled it
will help to catch bugs before they hit users.
- openssl-libssl-noweakciphers.patch do not offer "export"
or "low" quality ciphers by default. using such ciphers
is not forbidden but requires an explicit request
- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does
not return memory of "num * old_num" but only "num" size
fortunately this function is currently unused. (forwarded request 230868 from elvigia)
OBS-URL: https://build.opensuse.org/request/show/231108
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=114
