From a9fd66514ddda3f3459ea05bf228d1597acba5689c7fd7d1945ca07ec605b3da Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Wed, 15 Mar 2017 00:04:37 +0000
Subject: [PATCH] Accepting request 478689 from devel:libraries:c_c++

- Update to version 2.4.2:
OBS-URL: https://build.opensuse.org/request/show/478689
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=11
---
 mbedtls-2.4.0-apache.tgz | 3 ---
 mbedtls-2.4.2-apache.tgz | 3 +++
 mbedtls.changes | 24 ++++++++++++++++++++++++
 mbedtls.spec | 4 ++--
 4 files changed, 29 insertions(+), 5 deletions(-)
 delete mode 100644 mbedtls-2.4.0-apache.tgz
 create mode 100644 mbedtls-2.4.2-apache.tgz
diff --git a/mbedtls-2.4.0-apache.tgz b/mbedtls-2.4.0-apache.tgz
deleted file mode 100644
index 21f7009..0000000
--- a/mbedtls-2.4.0-apache.tgz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c1c3559ed39f7a1b1550c4cf4ccb918bf239301a3311d98dda92bed8a25b7f0d
-size 1917968
diff --git a/mbedtls-2.4.2-apache.tgz b/mbedtls-2.4.2-apache.tgz
new file mode 100644
index 0000000..78b4d44
--- /dev/null
+++ b/mbedtls-2.4.2-apache.tgz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:17dd98af7478aadacc480c7e4159e447353b5b2037c1b6d48ed4fd157fb1b018
+size 1925368
diff --git a/mbedtls.changes b/mbedtls.changes
index 8eedffd..9237aa4 100644
--- a/mbedtls.changes
+++ b/mbedtls.changes
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Sat Mar 11 15:50:12 UTC 2017 - mpluskal@suse.com
+
+- Update to version 2.4.2:
+ * Add checks to prevent signature forgeries for very large messages while
+ using RSA through the PK module in 64-bit systems. The issue was caused by
+ some data loss when casting a size_t to an unsigned int value in the
+ functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
+ mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
+ * Fixed potential livelock during the parsing of a CRL in PEM format in
+ mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
+ characters after the footer could result in the execution of an infinite
+ loop. The issue can be triggered remotely. Found by Greg Zaverucha,
+ Microsoft.
+ * Removed MD5 from the allowed hash algorithms for CertificateRequest and
+ CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
+ Introduced by interoperability fix for #513.
+ * Fixed a bug that caused freeing a buffer that was allocated on the stack,
+ when verifying the validity of a key on secp224k1. This could be
+ triggered remotely for example with a maliciously constructed certificate
+ and potentially could lead to remote code execution on some platforms.
+ Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
+ team. #569 CVE-2017-2784 (boo#1029017)
+
 -------------------------------------------------------------------
 Sun Nov 13 18:18:58 UTC 2016 - mpluskal@suse.com
 
diff --git a/mbedtls.spec b/mbedtls.spec
index bf8cf50..7a770f1 100644
--- a/mbedtls.spec
+++ b/mbedtls.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package mbedtls
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %define lib_crypto libmbedcrypto0
 %define lib_x509 libmbedx509-0
 Name: mbedtls
-Version: 2.4.0
+Version: 2.4.2
 Release: 0
 Summary: Libraries for crypto and SSL/TLS protocols
 License: Apache-2.0