From 36179365f2fde5be303da446b644510d9509aeb1f04b98e9fb083bfd59b03d57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaime=20Marqu=C3=ADnez=20Ferr=C3=A1ndiz?= Date: Sun, 31 Mar 2024 17:55:44 +0000 Subject: [PATCH] Accepting request 1163794 from home:jaimeMF:branches:security:tls - Update to version 2.28.8: Features * AES-NI is now supported in Windows builds with clang and clang-cl. Resolves gh#Mbed-TLS/mbedtls#8372. * Add pc files for pkg-config, e.g.: pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509) Security * Passing buffers that are stored in untrusted memory as arguments to PSA functions is now secure by default. The PSA core now protects against modification of inputs or exposure of intermediate outputs during operations. This is currently implemented by copying buffers. This feature increases code size and memory usage. If buffers passed to PSA functions are owned exclusively by the PSA core for the duration of the function call (i.e. no buffer parameters are in shared memory), copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. Note that setting this option will cause input-output buffer overlap to be only partially supported (gh#Mbed-TLS/mbedtls#3266). Fixes CVE-2024-28960 boo#1222157 . Bugfix * Fix the build with CMake when Everest is enabled through a user configuration file or the compiler command line. Fixes gh#Mbed-TLS/mbedtls#8165. * Fix an inconsistency between implementations and usages of __cpuid, which mainly causes failures when building Windows target using mingw or clang. Fixes gh#Mbed-TLS/mbedtls#8334 & gh#Mbed-TLS/mbedtls#8332. * Correct initial capacities for key derivation algorithms: TLS12_PRF, TLS12_PSK_TO_MS. * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a multiple of 8. Fixes gh#Mbed-TLS/mbedtls#868. * Avoid segmentation fault caused by releasing not initialized entropy resource in gen_key example. Fixes gh#Mbed-TLS/mbedtls#8809. * Fix missing bitflags in SSL session serialization headers. Their absence allowed SSL sessions saved in one configuration to be loaded in a different, incompatible configuration. * Fix the restoration of the ALPN when loading serialized connection with the mbedtls_ssl_context_load() API. * Fully support arbitrary overlap between inputs and outputs of PSA functions. Note that overlap is still only partially supported when MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (gh#Mbed-TLS/mbedtls#3266). Changes * Use heap memory to allocate DER encoded public/private key. This reduces stack usage significantly for writing a public/private key to a PEM string. * cmake: Use GnuInstallDirs to customize install directories Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if LIB_INSTALL_DIR is set. OBS-URL: https://build.opensuse.org/request/show/1163794 OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls-2?expand=0&rev=14 --- mbedtls-2.28.7.tar.gz | 3 --- mbedtls-2.28.8.tar.gz | 3 +++ mbedtls-2.changes | 51 +++++++++++++++++++++++++++++++++++++++++++ mbedtls-2.spec | 13 ++++++++++- 4 files changed, 66 insertions(+), 4 deletions(-) delete mode 100644 mbedtls-2.28.7.tar.gz create mode 100644 mbedtls-2.28.8.tar.gz diff --git a/mbedtls-2.28.7.tar.gz b/mbedtls-2.28.7.tar.gz deleted file mode 100644 index b7e9122..0000000 --- a/mbedtls-2.28.7.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a -size 3990451 diff --git a/mbedtls-2.28.8.tar.gz b/mbedtls-2.28.8.tar.gz new file mode 100644 index 0000000..429ae0e --- /dev/null +++ b/mbedtls-2.28.8.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213 +size 4039097 diff --git a/mbedtls-2.changes b/mbedtls-2.changes index cba6eae..f0c3278 100644 --- a/mbedtls-2.changes +++ b/mbedtls-2.changes @@ -1,3 +1,54 @@ +------------------------------------------------------------------- +Sun Mar 31 12:10:53 UTC 2024 - Jaime Marquínez Ferrándiz + +- Update to version 2.28.8: + Features + * AES-NI is now supported in Windows builds with clang and clang-cl. + Resolves gh#Mbed-TLS/mbedtls#8372. + * Add pc files for pkg-config, e.g.: + pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509) + Security + * Passing buffers that are stored in untrusted memory as arguments + to PSA functions is now secure by default. + The PSA core now protects against modification of inputs or exposure + of intermediate outputs during operations. This is currently implemented + by copying buffers. + This feature increases code size and memory usage. If buffers passed to + PSA functions are owned exclusively by the PSA core for the duration of + the function call (i.e. no buffer parameters are in shared memory), + copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. + Note that setting this option will cause input-output buffer overlap to + be only partially supported (gh#Mbed-TLS/mbedtls#3266). + Fixes CVE-2024-28960 boo#1222157 . + Bugfix + * Fix the build with CMake when Everest is enabled through + a user configuration file or the compiler command line. Fixes gh#Mbed-TLS/mbedtls#8165. + * Fix an inconsistency between implementations and usages of __cpuid, + which mainly causes failures when building Windows target using + mingw or clang. Fixes gh#Mbed-TLS/mbedtls#8334 & gh#Mbed-TLS/mbedtls#8332. + * Correct initial capacities for key derivation algorithms: TLS12_PRF, + TLS12_PSK_TO_MS. + * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a + multiple of 8. Fixes gh#Mbed-TLS/mbedtls#868. + * Avoid segmentation fault caused by releasing not initialized + entropy resource in gen_key example. Fixes gh#Mbed-TLS/mbedtls#8809. + * Fix missing bitflags in SSL session serialization headers. Their absence + allowed SSL sessions saved in one configuration to be loaded in a + different, incompatible configuration. + * Fix the restoration of the ALPN when loading serialized connection with + the mbedtls_ssl_context_load() API. + * Fully support arbitrary overlap between inputs and outputs of PSA + functions. Note that overlap is still only partially supported when + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (gh#Mbed-TLS/mbedtls#3266). + Changes + * Use heap memory to allocate DER encoded public/private key. + This reduces stack usage significantly for writing a public/private + key to a PEM string. + * cmake: Use GnuInstallDirs to customize install directories + Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR + variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if + LIB_INSTALL_DIR is set. + ------------------------------------------------------------------- Wed Jan 31 08:19:59 UTC 2024 - Martin Pluskal diff --git a/mbedtls-2.spec b/mbedtls-2.spec index 320aa66..5eee90c 100644 --- a/mbedtls-2.spec +++ b/mbedtls-2.spec @@ -21,7 +21,7 @@ %define lib_x509 libmbedx509-1 %define _rname mbedtls Name: mbedtls-2 -Version: 2.28.7 +Version: 2.28.8 Release: 0 Summary: Libraries for crypto and SSL/TLS protocols License: Apache-2.0 OR GPL-2.0-or-later @@ -135,8 +135,19 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} \ %doc ChangeLog README.md %dir %{_includedir}/mbedtls %dir %{_includedir}/psa +%dir %{_includedir}/everest +%dir %{_includedir}/everest/kremlib +%dir %{_includedir}/everest/kremlin +%dir %{_includedir}/everest/kremlin/internal +%dir %{_includedir}/everest/vs2010 +%{_libdir}/pkgconfig/*.pc %{_includedir}/mbedtls/*.h %{_includedir}/psa/*.h +%{_includedir}/everest/*.h +%{_includedir}/everest/kremlib/*.h +%{_includedir}/everest/kremlin/*.h +%{_includedir}/everest/kremlin/internal/*.h +%{_includedir}/everest/vs2010/*.h %{_libdir}/libmbedtls.so %{_libdir}/libmbedcrypto.so %{_libdir}/libmbedx509.so