SHA256
1
0
forked from pool/mbedtls-2

Accepting request 1163794 from home:jaimeMF:branches:security:tls

- Update to version 2.28.8:
  Features
  * AES-NI is now supported in Windows builds with clang and clang-cl.
    Resolves gh#Mbed-TLS/mbedtls#8372.
  * Add pc files for pkg-config, e.g.:
    pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
  Security
  * Passing buffers that are stored in untrusted memory as arguments
    to PSA functions is now secure by default.
    The PSA core now protects against modification of inputs or exposure
    of intermediate outputs during operations. This is currently implemented
    by copying buffers.
    This feature increases code size and memory usage. If buffers passed to
    PSA functions are owned exclusively by the PSA core for the duration of
    the function call (i.e. no buffer parameters are in shared memory),
    copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
    Note that setting this option will cause input-output buffer overlap to
    be only partially supported (gh#Mbed-TLS/mbedtls#3266).
    Fixes CVE-2024-28960 boo#1222157 .
  Bugfix
  * Fix the build with CMake when Everest is enabled through
    a user configuration file or the compiler command line. Fixes gh#Mbed-TLS/mbedtls#8165.
  * Fix an inconsistency between implementations and usages of __cpuid,
    which mainly causes failures when building Windows target using
    mingw or clang. Fixes gh#Mbed-TLS/mbedtls#8334 & gh#Mbed-TLS/mbedtls#8332.
  * Correct initial capacities for key derivation algorithms: TLS12_PRF,
    TLS12_PSK_TO_MS.
  * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
    multiple of 8. Fixes gh#Mbed-TLS/mbedtls#868.
  * Avoid segmentation fault caused by releasing not initialized
    entropy resource in gen_key example. Fixes gh#Mbed-TLS/mbedtls#8809.
  * Fix missing bitflags in SSL session serialization headers. Their absence
    allowed SSL sessions saved in one configuration to be loaded in a
    different, incompatible configuration.
  * Fix the restoration of the ALPN when loading serialized connection with
    the mbedtls_ssl_context_load() API.
  * Fully support arbitrary overlap between inputs and outputs of PSA
    functions. Note that overlap is still only partially supported when
    MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (gh#Mbed-TLS/mbedtls#3266).
  Changes
  * Use heap memory to allocate DER encoded public/private key.
    This reduces stack usage significantly for writing a public/private
    key to a PEM string.
  * cmake: Use GnuInstallDirs to customize install directories
    Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
    variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
    LIB_INSTALL_DIR is set.

OBS-URL: https://build.opensuse.org/request/show/1163794
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls-2?expand=0&rev=14
This commit is contained in:
Jaime Marquínez Ferrándiz 2024-03-31 17:55:44 +00:00 committed by Git OBS Bridge
parent b3c106dbd1
commit 36179365f2
4 changed files with 66 additions and 4 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a
size 3990451

3
mbedtls-2.28.8.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213
size 4039097

View File

@ -1,3 +1,54 @@
-------------------------------------------------------------------
Sun Mar 31 12:10:53 UTC 2024 - Jaime Marquínez Ferrándiz <jaime.marquinez.ferrandiz@fastmail.net>
- Update to version 2.28.8:
Features
* AES-NI is now supported in Windows builds with clang and clang-cl.
Resolves gh#Mbed-TLS/mbedtls#8372.
* Add pc files for pkg-config, e.g.:
pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
Security
* Passing buffers that are stored in untrusted memory as arguments
to PSA functions is now secure by default.
The PSA core now protects against modification of inputs or exposure
of intermediate outputs during operations. This is currently implemented
by copying buffers.
This feature increases code size and memory usage. If buffers passed to
PSA functions are owned exclusively by the PSA core for the duration of
the function call (i.e. no buffer parameters are in shared memory),
copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
Note that setting this option will cause input-output buffer overlap to
be only partially supported (gh#Mbed-TLS/mbedtls#3266).
Fixes CVE-2024-28960 boo#1222157 .
Bugfix
* Fix the build with CMake when Everest is enabled through
a user configuration file or the compiler command line. Fixes gh#Mbed-TLS/mbedtls#8165.
* Fix an inconsistency between implementations and usages of __cpuid,
which mainly causes failures when building Windows target using
mingw or clang. Fixes gh#Mbed-TLS/mbedtls#8334 & gh#Mbed-TLS/mbedtls#8332.
* Correct initial capacities for key derivation algorithms: TLS12_PRF,
TLS12_PSK_TO_MS.
* Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
multiple of 8. Fixes gh#Mbed-TLS/mbedtls#868.
* Avoid segmentation fault caused by releasing not initialized
entropy resource in gen_key example. Fixes gh#Mbed-TLS/mbedtls#8809.
* Fix missing bitflags in SSL session serialization headers. Their absence
allowed SSL sessions saved in one configuration to be loaded in a
different, incompatible configuration.
* Fix the restoration of the ALPN when loading serialized connection with
the mbedtls_ssl_context_load() API.
* Fully support arbitrary overlap between inputs and outputs of PSA
functions. Note that overlap is still only partially supported when
MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (gh#Mbed-TLS/mbedtls#3266).
Changes
* Use heap memory to allocate DER encoded public/private key.
This reduces stack usage significantly for writing a public/private
key to a PEM string.
* cmake: Use GnuInstallDirs to customize install directories
Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
LIB_INSTALL_DIR is set.
-------------------------------------------------------------------
Wed Jan 31 08:19:59 UTC 2024 - Martin Pluskal <mpluskal@suse.com>

View File

@ -21,7 +21,7 @@
%define lib_x509 libmbedx509-1
%define _rname mbedtls
Name: mbedtls-2
Version: 2.28.7
Version: 2.28.8
Release: 0
Summary: Libraries for crypto and SSL/TLS protocols
License: Apache-2.0 OR GPL-2.0-or-later
@ -135,8 +135,19 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
%doc ChangeLog README.md
%dir %{_includedir}/mbedtls
%dir %{_includedir}/psa
%dir %{_includedir}/everest
%dir %{_includedir}/everest/kremlib
%dir %{_includedir}/everest/kremlin
%dir %{_includedir}/everest/kremlin/internal
%dir %{_includedir}/everest/vs2010
%{_libdir}/pkgconfig/*.pc
%{_includedir}/mbedtls/*.h
%{_includedir}/psa/*.h
%{_includedir}/everest/*.h
%{_includedir}/everest/kremlib/*.h
%{_includedir}/everest/kremlin/*.h
%{_includedir}/everest/kremlin/internal/*.h
%{_includedir}/everest/vs2010/*.h
%{_libdir}/libmbedtls.so
%{_libdir}/libmbedcrypto.so
%{_libdir}/libmbedx509.so