rpm/mbedtls
SHA256
1
0
Fork 0
forked from pool/mbedtls
Code Pull Requests Activity

Accepting request 478689 from devel:libraries:c_c++

Browse Source 
- Update to version 2.4.2:

OBS-URL: https://build.opensuse.org/request/show/478689
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=11
This commit is contained in:
Dominique Leuenberger 2017-03-15 00:04:37 +00:00 committed by Git OBS Bridge
parent e3558034c2
commit a9fd66514d
4 changed files with 29 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
mbedtls-2.4.0-apache.tgz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c1c3559ed39f7a1b1550c4cf4ccb918bf239301a3311d98dda92bed8a25b7f0d
size 1917968

3
mbedtls-2.4.2-apache.tgz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:17dd98af7478aadacc480c7e4159e447353b5b2037c1b6d48ed4fd157fb1b018
size 1925368

24
mbedtls.changes
View File

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Sat Mar 11 15:50:12 UTC 2017 - mpluskal@suse.com
- Update to version 2.4.2:
* Add checks to prevent signature forgeries for very large messages while
using RSA through the PK module in 64-bit systems. The issue was caused by
some data loss when casting a size_t to an unsigned int value in the
functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
* Fixed potential livelock during the parsing of a CRL in PEM format in
mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
characters after the footer could result in the execution of an infinite
loop. The issue can be triggered remotely. Found by Greg Zaverucha,
Microsoft.
* Removed MD5 from the allowed hash algorithms for CertificateRequest and
CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
Introduced by interoperability fix for #513.
* Fixed a bug that caused freeing a buffer that was allocated on the stack,
when verifying the validity of a key on secp224k1. This could be
triggered remotely for example with a maliciously constructed certificate
and potentially could lead to remote code execution on some platforms.
Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
team. #569 CVE-2017-2784 (boo#1029017)
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Nov 13 18:18:58 UTC 2016 - mpluskal@suse.com Sun Nov 13 18:18:58 UTC 2016 - mpluskal@suse.com

4
mbedtls.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package mbedtls # spec file for package mbedtls
# #
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -20,7 +20,7 @@
%define lib_crypto libmbedcrypto0 %define lib_crypto libmbedcrypto0
%define lib_x509 libmbedx509-0 %define lib_x509 libmbedx509-0
Name: mbedtls Name: mbedtls
Version: 2.4.0 Version: 2.4.2
Release: 0 Release: 0
Summary: Libraries for crypto and SSL/TLS protocols Summary: Libraries for crypto and SSL/TLS protocols
License: Apache-2.0 License: Apache-2.0