From 156e7a15696ddce2b3dcc87188138932cf2fd657b0e0dc740707da79b1d2229a Mon Sep 17 00:00:00 2001
From: Otto Hollmann <otto.hollmann@suse.com>
Date: Tue, 28 Nov 2023 11:04:46 +0000
Subject: [PATCH 1/2] Accepting request 1129507 from
 home:ohollmann:branches:security:tls

- Update to 3.2.0

- Remove a hack for bsc#936563
  bsc936563_hack.patch (bsc#936563)
- Build with no-ssl3, for details on why this is needed read
  require us to patch dependant packages as the relevant
  functions are still available (SSLv3_(client|server)_method)
- openssl.keyring: use Matt Caswells current key.
- openSSL 1.0.1j
- openssl.keyring: the 1.0.1i release was done by
- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should
- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
  it is already in RPM_OPT_FLAGS and is replaced by
- Remove the "gmp" and "capi" shared engines, nobody noticed
  but they are just dummies that do nothing.
- Use enable-rfc3779 to allow projects such as rpki.net
- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix
- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does
- openssl-gcc-attributes.patch
- additional changes required for FIPS validation( from Fedora repo)
- Remove GCC option "-O3" for compilation issue of ARM version
  Modify files: README-FIPS.txt openssl.spec
  Add file: CVE-2013-6450.patch
- Fixed bnc#856687, openssl: crash when using TLS 1.2
  Add file: CVE-2013-6449.patch
- 0001-libcrypto-Hide-library-private-symbols.patch
  This patch is however not 100% complete, as some private library
  symbols are declared in public headers that shall not be touched
- openssl-1.0.1c-ipv6-apps.patch:
- Fix armv6l arch (armv7 was previously used to build armv6 which

OBS-URL: https://build.opensuse.org/request/show/1129507
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl?expand=0&rev=58
---
 openssl.changes | 193 +++++++++++++++++++++++++-----------------------
 openssl.spec    |   2 +-
 2 files changed, 100 insertions(+), 95 deletions(-)

diff --git a/openssl.changes b/openssl.changes
index 81452fe..7f7385a 100644
--- a/openssl.changes
+++ b/openssl.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Nov 23 16:07:51 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Update to 3.2.0
+
 -------------------------------------------------------------------
 Tue Oct 24 14:55:05 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
 
@@ -484,7 +489,7 @@ Tue May  3 14:43:47 UTC 2016 - vcizek@suse.com
 -------------------------------------------------------------------
 Fri Apr 15 16:55:05 UTC 2016 - dvaleev@suse.com
 
-- Remove a hack for bsc#936563 
+- Remove a hack for bsc#936563
 - Drop bsc936563_hack.patch
 
 -------------------------------------------------------------------
@@ -603,7 +608,7 @@ Thu Jul  9 13:32:34 UTC 2015 - vcizek@suse.com
 Thu Jul  2 14:46:36 UTC 2015 - dvaleev@suse.com
 
 - Workaround debugit crash on ppc64le with gcc5
-  bsc936563_hack.patch (bsc#936563) 
+  bsc936563_hack.patch (bsc#936563)
 
 -------------------------------------------------------------------
 Wed Jul  1 09:26:26 UTC 2015 - normand@linux.vnet.ibm.com
@@ -615,10 +620,10 @@ Wed Jul  1 09:26:26 UTC 2015 - normand@linux.vnet.ibm.com
 -------------------------------------------------------------------
 Fri Jun 26 00:11:20 UTC 2015 - crrodriguez@opensuse.org
 
-- Build with no-ssl3, for details on why this is needed read 
+- Build with no-ssl3, for details on why this is needed read
   rfc7568. Contrary to the "no-ssl2" option, this does not
-  require us to patch dependant packages as the relevant 
-  functions are still available (SSLv3_(client|server)_method) 
+  require us to patch dependant packages as the relevant
+  functions are still available (SSLv3_(client|server)_method)
   but will fail to negotiate. if removing SSL3 methods is desired
   at a later time, option "no-ssl3-method" needs to be used.
 
@@ -738,7 +743,7 @@ Fri Jan  9 10:03:37 UTC 2015 - meissner@suse.com
   bsc#912018 CVE-2014-8275: Fix various certificate fingerprint issues.
   bsc#912296 CVE-2014-3570: Correct Bignum squaring.
   and other bugfixes.
-- openssl.keyring: use Matt Caswells current key. 
+- openssl.keyring: use Matt Caswells current key.
   pub  2048R/0E604491 2013-04-30
   uid                            Matt Caswell <frodo@baggins.org>
   uid                            Matt Caswell <matt@openssl.org>
@@ -767,7 +772,7 @@ Fri Nov  7 22:09:27 UTC 2014 - brian@aljex.com
 -------------------------------------------------------------------
 Tue Oct 21 19:58:31 UTC 2014 - crrodriguez@opensuse.org
 
-- openSSL 1.0.1j 
+- openSSL 1.0.1j
 * Fix SRTP Memory Leak (CVE-2014-3513)
 * Session Ticket Memory Leak (CVE-2014-3567)
 * Add SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV)
@@ -776,7 +781,7 @@ Tue Oct 21 19:58:31 UTC 2014 - crrodriguez@opensuse.org
 -------------------------------------------------------------------
 Thu Aug 21 15:05:43 UTC 2014 - meissner@suse.com
 
-- openssl.keyring: the 1.0.1i release was done by 
+- openssl.keyring: the 1.0.1i release was done by
   Matt Caswell <matt@openssl.org> UK 0E604491
 
 -------------------------------------------------------------------
@@ -930,17 +935,17 @@ Mon May  5 16:25:17 UTC 2014 - crrodriguez@opensuse.org
 - 0009-Fix-double-frees.patch, 0017-Double-free-in-i2o_ECPublicKey.patch
   fix various double frees (from upstream)
 
-- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should 
+- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should
   return an error inmediately on failure of i2d_ECPrivateKey (from upstream)
 
-- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch 
+- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
   From libressl, modified to work on linux systems that do not have
   funopen() but fopencookie() instead.
   Once upon a time, OS didn't have snprintf, which caused openssl to
   bundle a *printf implementation. We know better nowadays, the glibc
   implementation has buffer overflow checking, has sane failure modes
   deal properly with threads, signals..etc..
- 
+
 - build with -fno-common as well.
 
 -------------------------------------------------------------------
@@ -954,26 +959,26 @@ Sun Apr 20 00:53:34 UTC 2014 - crrodriguez@opensuse.org
 
 - Build everything with full RELRO (-Wl,-z,relro,-z,now)
 - Remove -fstack-protector from the hardcoded build options
-  it is already in RPM_OPT_FLAGS and is replaced by 
+  it is already in RPM_OPT_FLAGS and is replaced by
   -fstack-protector-strong with gcc 4.9
 
 -------------------------------------------------------------------
 Sun Apr 20 00:49:25 UTC 2014 - crrodriguez@opensuse.org
 
-- Remove the "gmp" and "capi" shared engines, nobody noticed 
-  but they are just dummies that do nothing. 
+- Remove the "gmp" and "capi" shared engines, nobody noticed
+  but they are just dummies that do nothing.
 
 -------------------------------------------------------------------
 Sat Apr 19 22:29:10 UTC 2014 - crrodriguez@opensuse.org
 
-- Use enable-rfc3779 to allow projects such as rpki.net 
+- Use enable-rfc3779 to allow projects such as rpki.net
   to work in openSUSE and match the functionality
   available in Debian/Fedora/etc
 
 -------------------------------------------------------------------
 Sat Apr 19 22:22:01 UTC 2014 - crrodriguez@opensuse.org
 
-- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix 
+- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix
   CVE-2010-5298 and disable the internal BUF_FREELISTS
   functionality. it hides bugs like heartbleed and is
   there only for systems on which malloc() free() are slow.
@@ -992,14 +997,14 @@ Sat Apr 19 03:45:20 UTC 2014 - crrodriguez@opensuse.org
 -------------------------------------------------------------------
 Fri Apr 18 14:07:47 UTC 2014 - crrodriguez@opensuse.org
 
-- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does 
+- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does
   not return memory of "num * old_num" but only "num" size
   fortunately this function is currently unused.
 
 -------------------------------------------------------------------
 Fri Apr 11 02:40:34 UTC 2014 - crrodriguez@opensuse.org
 
-- openssl-gcc-attributes.patch 
+- openssl-gcc-attributes.patch
   * annotate memory allocation wrappers with attribute(alloc_size)
     so the compiler can tell us if it knows they are being misused
   * OPENSSL_showfatal is annotated with attribute printf to detect
@@ -1033,20 +1038,20 @@ Tue Mar 25 08:11:11 UTC 2014 - shchang@suse.com
 -------------------------------------------------------------------
 Mon Mar  3 06:44:52 UTC 2014 - shchang@suse.com
 
-- additional changes required for FIPS validation( from Fedora repo) 
+- additional changes required for FIPS validation( from Fedora repo)
   Add patch file: openssl-1.0.1e-new-fips-reqs.patch
 
 -------------------------------------------------------------------
 Sat Jan 11 08:42:54 UTC 2014 - shchang@suse.com
 
-- Remove GCC option "-O3" for compiliation issue of ARM version 
+- Remove GCC option "-O3" for compiliation issue of ARM version
   Modify: openssl.spec
 
 -------------------------------------------------------------------
 Fri Jan 10 14:43:20 UTC 2014 - shchang@suse.com
 
 - Adjust the installation path( libopenssl/hmac into /lib or /lib64)
-  Modify files: README-FIPS.txt openssl.spec 
+  Modify files: README-FIPS.txt openssl.spec
 
 -------------------------------------------------------------------
 Thu Jan  9 23:08:29 UTC 2014 - andreas.stieger@gmx.de
@@ -1080,13 +1085,13 @@ Wed Jan  8 10:57:24 UTC 2014 - shchang@suse.com
 Thu Jan  2 17:28:41 UTC 2014 - shchang@suse.com
 
 - Fixed bnc#857203, openssl: crash in DTLS renegotiation after packet loss
-  Add file: CVE-2013-6450.patch 
+  Add file: CVE-2013-6450.patch
 
 -------------------------------------------------------------------
 Sun Dec 22 08:10:55 UTC 2013 - shchang@suse.com
 
-- Fixed bnc#856687, openssl: crash when using TLS 1.2 
-  Add file: CVE-2013-6449.patch 
+- Fixed bnc#856687, openssl: crash when using TLS 1.2
+  Add file: CVE-2013-6449.patch
 
 -------------------------------------------------------------------
 Tue Dec 17 13:57:40 UTC 2013 - meissner@suse.com
@@ -1130,11 +1135,11 @@ Sat Nov 23 08:23:59 UTC 2013 - shchang@suse.com
 -------------------------------------------------------------------
 Wed Oct 23 02:59:05 UTC 2013 - crrodriguez@opensuse.org
 
-- 0001-libcrypto-Hide-library-private-symbols.patch 
+- 0001-libcrypto-Hide-library-private-symbols.patch
   This patch implements the libcrpto part complimentary to
   0005-libssl-Hide-library-private-symbols.patch.
-  This patch is however not 100% complete, as some private library 
-  symbols are declared in public headers that shall not be touched 
+  This patch is however not 100% complete, as some private library
+  symbols are declared in public headers that shall not be touched
   or are defined/declared in "perlasm". (tested in 13.1, 12.3, factory)
 
 - openSSL defaults to -O3 optimization level but we override
@@ -1143,7 +1148,7 @@ Wed Oct 23 02:59:05 UTC 2013 - crrodriguez@opensuse.org
 -------------------------------------------------------------------
 Fri Oct 11 12:24:14 UTC 2013 - meissner@suse.com
 
-- openssl-1.0.1c-ipv6-apps.patch: 
+- openssl-1.0.1c-ipv6-apps.patch:
   Support ipv6 in the openssl s_client / s_server commandline app.
 
 -------------------------------------------------------------------
@@ -1155,7 +1160,7 @@ Fri Sep 27 10:26:43 UTC 2013 - dmacvicar@suse.de
 -------------------------------------------------------------------
 Wed Sep  4 18:56:38 UTC 2013 - guillaume@opensuse.org
 
-- Fix armv6l arch (armv7 was previously used to build armv6 which 
+- Fix armv6l arch (armv7 was previously used to build armv6 which
   lead to illegal instruction when used)
 
 -------------------------------------------------------------------
@@ -1167,7 +1172,7 @@ Mon Aug 12 06:05:03 UTC 2013 - shchang@suse.com
 -------------------------------------------------------------------
 Fri Aug  9 23:24:14 UTC 2013 - crrodriguez@opensuse.org
 
-- Via padlock is only found in x86 and x86_64 CPUs, remove 
+- Via padlock is only found in x86 and x86_64 CPUs, remove
   the shared module for other archs.
 
 -------------------------------------------------------------------
@@ -1179,15 +1184,15 @@ Wed Aug  7 18:30:45 UTC 2013 - crrodriguez@opensuse.org
 * libgmp.so --> may help to doing some maths using GMP
 * libgost.so --> implements the GOST block cipher
 * libpadlock.so --> VIA padlock support
-- Al other are removed because they require third party propietary 
+- Al other are removed because they require third party propietary
  shared libraries nowhere to be found or that we can test.
 
 -------------------------------------------------------------------
 Wed Aug  7 18:30:23 UTC 2013 - crrodriguez@opensuse.org
 
-- openssl-pkgconfig.patch: Here we go.. For applications 
-to benefit fully of features provided by openSSL engines 
-(rdrand, aes-ni..etc) either builtin or in DSO form applications 
+- openssl-pkgconfig.patch: Here we go.. For applications
+to benefit fully of features provided by openSSL engines
+(rdrand, aes-ni..etc) either builtin or in DSO form applications
 have to call ENGINE_load_builtin_engines() or OPENSSL_config()
 unfortunately from a total of 68 apps/libraries linked to libcrypto
 in a desktop system, only 4 do so, and there is a sea of buggy
@@ -1202,13 +1207,13 @@ not using pkgconfig or using it incorrectly, but it is a good start.
 Wed Aug  7 09:33:55 UTC 2013 - dmueller@suse.com
 
 - add openssl-1.0.1c-default-paths.patch:
-  Fix from Fedora for openssl s_client not setting 
+  Fix from Fedora for openssl s_client not setting
   CApath by default
 
 -------------------------------------------------------------------
 Sat Aug  3 21:15:07 UTC 2013 - crrodriguez@opensuse.org
 
-- 0005-libssl-Hide-library-private-symbols.patch: hide 
+- 0005-libssl-Hide-library-private-symbols.patch: hide
   private symbols, this *only* applies to libssl where
   it is straightforward to do so as applications should
   not be using any of the symbols declared/defined in headers
@@ -1243,7 +1248,7 @@ Sat Jun 29 22:47:54 UTC 2013 - crrodriguez@opensuse.org
 security as the new implementations are secure against timing
 attacks)"
 It is not enabled by default due to the build system being unable
-to detect if the compiler supports __uint128_t. 
+to detect if the compiler supports __uint128_t.
 
 -------------------------------------------------------------------
 Thu Jun 20 07:58:33 UTC 2013 - coolo@suse.com
@@ -1271,7 +1276,7 @@ Tue Feb 12 00:08:06 UTC 2013 - hrvoje.senjan@gmail.com
 -------------------------------------------------------------------
 Sun Feb 10 20:33:51 UTC 2013 - hrvoje.senjan@gmail.com
 
-- Added openssl-1.0.1d-s3-packet.patch from upstream, fixes 
+- Added openssl-1.0.1d-s3-packet.patch from upstream, fixes
   bnc#803004, openssl ticket#2975
 
 -------------------------------------------------------------------
@@ -1296,7 +1301,7 @@ Sun Aug 19 23:38:32 UTC 2012 - crrodriguez@opensuse.org
 
 - Open Internal file descriptors with O_CLOEXEC, leaving
   those open across fork()..execve() makes a perfect
-  vector for a side-channel attack... 
+  vector for a side-channel attack...
 
 -------------------------------------------------------------------
 Tue Aug  7 17:17:34 UTC 2012 - dmueller@suse.com
@@ -1358,7 +1363,7 @@ Tue Mar 20 14:29:24 UTC 2012 - cfarrell@suse.com
 -------------------------------------------------------------------
 Fri Feb 24 02:33:22 UTC 2012 - gjhe@suse.com
 
-- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's 
+- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's
   asn1 parser.
   CVE-2006-7250
 
@@ -1376,22 +1381,22 @@ Wed Jan 11 05:35:18 UTC 2012 - gjhe@suse.com
   Uninitialized SSL 3.0 Padding (CVE-2011-4576)
   Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
   SGC Restart DoS Attack (CVE-2011-4619)
-  Invalid GOST parameters DoS Attack (CVE-2012-0027) 
+  Invalid GOST parameters DoS Attack (CVE-2012-0027)
 
 -------------------------------------------------------------------
 Tue Oct 18 16:43:50 UTC 2011 - crrodriguez@opensuse.org
 
-- AES-NI: Check the return value of Engine_add() 
-  if the ENGINE_add() call fails: it ends up adding a reference 
-  to a freed up ENGINE which is likely to subsequently contain garbage 
+- AES-NI: Check the return value of Engine_add()
+  if the ENGINE_add() call fails: it ends up adding a reference
+  to a freed up ENGINE which is likely to subsequently contain garbage
   This will happen if an ENGINE with the same name is added multiple
   times,for example different libraries. [bnc#720601]
 
 -------------------------------------------------------------------
 Sat Oct  8 21:36:58 UTC 2011 - crrodriguez@opensuse.org
 
-- Build with -DSSL_FORBID_ENULL so servers are not 
-  able to use the NULL encryption ciphers (Those offering no 
+- Build with -DSSL_FORBID_ENULL so servers are not
+  able to use the NULL encryption ciphers (Those offering no
   encryption whatsoever).
 
 -------------------------------------------------------------------
@@ -1405,12 +1410,12 @@ Sat Aug  6 00:33:47 UTC 2011 - crrodriguez@opensuse.org
 
 - Add upstream patch that calls ENGINE_register_all_complete()
   in ENGINE_load_builtin_engines() saving us from adding dozens
-  of calls to such function to calling applications. 
+  of calls to such function to calling applications.
 
 -------------------------------------------------------------------
 Fri Aug  5 19:09:42 UTC 2011 - crrodriguez@opensuse.org
 
-- remove -fno-strict-aliasing from CFLAGS no longer needed 
+- remove -fno-strict-aliasing from CFLAGS no longer needed
   and is likely to slow down stuff.
 
 -------------------------------------------------------------------
@@ -1439,7 +1444,7 @@ Tue May 31 07:07:49 UTC 2011 - gjhe@novell.com
 -------------------------------------------------------------------
 Mon May 16 14:38:26 UTC 2011 - andrea@opensuse.org
 
-- added openssl as dependency in the devel package 
+- added openssl as dependency in the devel package
 
 -------------------------------------------------------------------
 Thu Feb 10 07:42:01 UTC 2011 - gjhe@novell.com
@@ -1451,7 +1456,7 @@ Thu Feb 10 07:42:01 UTC 2011 - gjhe@novell.com
 Sat Jan 15 19:58:51 UTC 2011 - cristian.rodriguez@opensuse.org
 
 - Add patch from upstream in order to support AES-NI instruction
-  set present on current Intel and AMD processors 
+  set present on current Intel and AMD processors
 
 -------------------------------------------------------------------
 Mon Jan 10 11:45:27 CET 2011 - meissner@suse.de
@@ -1478,13 +1483,13 @@ Thu Nov 18 07:53:12 UTC 2010 - gjhe@novell.com
 Sat Sep 25 08:55:02 UTC 2010 - gjhe@novell.com
 
 - fix bug [bnc#629905]
-  CVE-2010-2939 
+  CVE-2010-2939
 
 -------------------------------------------------------------------
 Wed Jul 28 20:55:18 UTC 2010 - cristian.rodriguez@opensuse.org
 
 - Exclude static libraries, see what breaks and fix that
-  instead 
+  instead
 
 -------------------------------------------------------------------
 Wed Jun 30 08:47:39 UTC 2010 - jengelh@medozas.de
@@ -1501,13 +1506,13 @@ Fri Jun  4 07:11:28 UTC 2010 - gjhe@novell.com
 
 - fix bnc #610642
   CVE-2010-0742
-  CVE-2010-1633 
+  CVE-2010-1633
 
 -------------------------------------------------------------------
 Mon May 31 03:06:39 UTC 2010 - gjhe@novell.com
 
 - fix bnc #610223,change Configure to tell openssl to load engines
-  from /%{_lib} instead of %{_libdir} 
+  from /%{_lib} instead of %{_libdir}
 
 -------------------------------------------------------------------
 Mon May 10 16:11:54 UTC 2010 - aj@suse.de
@@ -1518,13 +1523,13 @@ Mon May 10 16:11:54 UTC 2010 - aj@suse.de
 -------------------------------------------------------------------
 Tue May  4 02:55:52 UTC 2010 - gjhe@novell.com
 
-- build libopenssl to /%{_lib} dir,and keep only one 
+- build libopenssl to /%{_lib} dir,and keep only one
   libopenssl-devel for new developping programs.
 
 -------------------------------------------------------------------
 Tue Apr 27 05:44:32 UTC 2010 - gjhe@novell.com
 
-- build libopenssl and libopenssl-devel to a version directory 
+- build libopenssl and libopenssl-devel to a version directory
 
 -------------------------------------------------------------------
 Sat Apr 24 09:46:37 UTC 2010 - coolo@novell.com
@@ -1549,7 +1554,7 @@ Mon Apr 12 16:12:08 CEST 2010 - meissner@suse.de
 -------------------------------------------------------------------
 Mon Apr 12 04:57:17 UTC 2010 - gjhe@novell.com
 
-- update to 1.0.0 
+- update to 1.0.0
   Merge the following patches from 0.9.8k:
   openssl-0.9.6g-alpha.diff
   openssl-0.9.7f-ppc64.diff
@@ -1567,19 +1572,19 @@ Fri Apr  9 11:42:51 CEST 2010 - meissner@suse.de
 -------------------------------------------------------------------
 Wed Apr  7 14:08:05 CEST 2010 - meissner@suse.de
 
-- Openssl is now partially converted to libdir usage upstream, 
+- Openssl is now partially converted to libdir usage upstream,
   merge that in to fix lib64 builds.
 
 -------------------------------------------------------------------
 Thu Mar 25 02:18:22 UTC 2010 - gjhe@novell.com
 
-- fix security bug [bnc#590833] 
+- fix security bug [bnc#590833]
   CVE-2010-0740
 
 -------------------------------------------------------------------
 Mon Mar 22 06:29:14 UTC 2010 - gjhe@novell.com
 
-- update to version 0.9.8m 
+- update to version 0.9.8m
   Merge the following patches from 0.9.8k:
   bswap.diff
   non-exec-stack.diff
@@ -1609,7 +1614,7 @@ Tue Nov  3 19:09:35 UTC 2009 - coolo@novell.com
 -------------------------------------------------------------------
 Tue Sep  1 10:21:16 CEST 2009 - gjhe@novell.com
 
-- fix Bug [bnc#526319] 
+- fix Bug [bnc#526319]
 
 -------------------------------------------------------------------
 Wed Aug 26 11:24:16 CEST 2009 - coolo@novell.com
@@ -1619,14 +1624,14 @@ Wed Aug 26 11:24:16 CEST 2009 - coolo@novell.com
 -------------------------------------------------------------------
 Fri Jul  3 11:53:48 CEST 2009 - gjhe@novell.com
 
-- update to version 0.9.8k 
+- update to version 0.9.8k
 - patches merged upstream:
   openssl-CVE-2008-5077.patch
-  openssl-CVE-2009-0590.patch  
+  openssl-CVE-2009-0590.patch
   openssl-CVE-2009-0591.patch
-  openssl-CVE-2009-0789.patch  
+  openssl-CVE-2009-0789.patch
   openssl-CVE-2009-1377.patch
-  openssl-CVE-2009-1378.patch  
+  openssl-CVE-2009-1378.patch
   openssl-CVE-2009-1379.patch
   openssl-CVE-2009-1386.patch
   openssl-CVE-2009-1387.patch
@@ -1678,18 +1683,18 @@ Mon Dec  8 12:12:14 CET 2008 - xwhu@suse.de
 -------------------------------------------------------------------
 Mon Nov 10 10:22:04 CET 2008 - xwhu@suse.de
 
-- Disable optimization of ripemd [bnc#442740] 
+- Disable optimization of ripemd [bnc#442740]
 
 -------------------------------------------------------------------
 Tue Oct 14 09:08:47 CEST 2008 - xwhu@suse.de
 
-- Passing string as struct cause openssl segment-fault [bnc#430141] 
+- Passing string as struct cause openssl segment-fault [bnc#430141]
 
 -------------------------------------------------------------------
 Wed Jul 16 12:02:37 CEST 2008 - mkoenig@suse.de
 
 - do not require openssl-certs, but rather recommend it
-  to avoid dependency cycle [bnc#408865] 
+  to avoid dependency cycle [bnc#408865]
 
 -------------------------------------------------------------------
 Wed Jul  9 12:53:27 CEST 2008 - mkoenig@suse.de
@@ -1713,8 +1718,8 @@ Tue Jun 24 09:09:04 CEST 2008 - mkoenig@suse.de
 Wed May 28 15:04:08 CEST 2008 - mkoenig@suse.de
 
 - fix OpenSSL Server Name extension crash (CVE-2008-0891)
-  and OpenSSL Omit Server Key Exchange message crash (CVE-2008-1672) 
-  [bnc#394317] 
+  and OpenSSL Omit Server Key Exchange message crash (CVE-2008-1672)
+  [bnc#394317]
 
 -------------------------------------------------------------------
 Wed May 21 20:48:39 CEST 2008 - cthiel@suse.de
@@ -1724,7 +1729,7 @@ Wed May 21 20:48:39 CEST 2008 - cthiel@suse.de
 -------------------------------------------------------------------
 Tue Apr 22 14:39:35 CEST 2008 - mkoenig@suse.de
 
-- add -DMD32_REG_T=int for x86_64 and ia64 [bnc#381844] 
+- add -DMD32_REG_T=int for x86_64 and ia64 [bnc#381844]
 
 -------------------------------------------------------------------
 Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
@@ -1735,7 +1740,7 @@ Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
 -------------------------------------------------------------------
 Mon Nov  5 14:27:06 CET 2007 - mkoenig@suse.de
 
-- fix Diffie-Hellman failure with certain prime lengths 
+- fix Diffie-Hellman failure with certain prime lengths
 
 -------------------------------------------------------------------
 Mon Oct 22 15:00:21 CEST 2007 - mkoenig@suse.de
@@ -1759,7 +1764,7 @@ Mon Oct 15 11:17:14 CEST 2007 - mkoenig@suse.de
 -------------------------------------------------------------------
 Mon Oct  1 11:29:55 CEST 2007 - mkoenig@suse.de
 
-- fix buffer overflow CVE-2007-5135 [#329208] 
+- fix buffer overflow CVE-2007-5135 [#329208]
 
 -------------------------------------------------------------------
 Wed Sep  5 11:39:26 CEST 2007 - mkoenig@suse.de
@@ -1774,7 +1779,7 @@ Fri Aug  3 14:17:27 CEST 2007 - coolo@suse.de
 -------------------------------------------------------------------
 Wed Aug  1 18:01:45 CEST 2007 - werner@suse.de
 
-- Add patch from CVS for RSA key reconstruction vulnerability 
+- Add patch from CVS for RSA key reconstruction vulnerability
   (CVE-2007-3108, VU#724968, bug #296511)
 
 -------------------------------------------------------------------
@@ -1782,7 +1787,7 @@ Thu May 24 16:18:50 CEST 2007 - mkoenig@suse.de
 
 - fix build with gcc-4.2
   openssl-gcc42.patch
-- do not install example scripts with executable permissions  
+- do not install example scripts with executable permissions
 
 -------------------------------------------------------------------
 Mon Apr 30 01:32:44 CEST 2007 - ro@suse.de
@@ -1800,12 +1805,12 @@ Fri Apr 27 15:25:13 CEST 2007 - mkoenig@suse.de
 Wed Apr 25 12:32:44 CEST 2007 - mkoenig@suse.de
 
 - Split/rename package to follow library packaging policy [#260219]
-  New package libopenssl0.9.8 containing shared libs 
+  New package libopenssl0.9.8 containing shared libs
   openssl-devel package renamed to libopenssl-devel
-  New package openssl-certs containing certificates 
+  New package openssl-certs containing certificates
 - add zlib-devel to Requires of devel package
 - remove old Obsoletes and Conflicts
-  openssls (Last used Nov 2000) 
+  openssls (Last used Nov 2000)
   ssleay (Last used 6.2)
 
 -------------------------------------------------------------------
@@ -1853,7 +1858,7 @@ Fri Sep 29 18:37:01 CEST 2006 - poeml@suse.de
      cause a denial of service.  (CVE-2006-2940)
   *) Fix ASN.1 parsing of certain invalid structures that can result
      in a denial of service.  (CVE-2006-2937)
-  *) Fix buffer overflow in SSL_get_shared_ciphers() function. 
+  *) Fix buffer overflow in SSL_get_shared_ciphers() function.
      (CVE-2006-3738)
   *) Fix SSL client code which could crash if connecting to a
      malicious SSLv2 server.  (CVE-2006-4343)
@@ -1984,12 +1989,12 @@ Wed Jan 25 21:30:41 CET 2006 - mls@suse.de
 Mon Jan 16 13:13:13 CET 2006 - mc@suse.de
 
 - fix build problems on s390x (openssl-s390-config.diff)
-- build with -fstack-protector 
+- build with -fstack-protector
 
 -------------------------------------------------------------------
 Mon Nov  7 16:30:49 CET 2005 - dmueller@suse.de
 
-- build with non-executable stack 
+- build with non-executable stack
 
 -------------------------------------------------------------------
 Thu Oct 20 17:37:47 CEST 2005 - poeml@suse.de
@@ -2129,7 +2134,7 @@ Tue Jun 15 16:18:36 CEST 2004 - poeml@suse.de
 - patch from CVS: make stack API more robust (return NULL for
   out-of-range indexes). Fixes another possible segfault during
   engine detection (could also triggered by stunnel)
-- add patch from Michal Ludvig for VIA PadLock support 
+- add patch from Michal Ludvig for VIA PadLock support
 
 -------------------------------------------------------------------
 Wed Jun  2 20:44:40 CEST 2004 - poeml@suse.de
@@ -2152,7 +2157,7 @@ Thu Mar 18 13:47:09 CET 2004 - poeml@suse.de
 - update to 0.9.7d
   o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
     (CAN-2004-0112)
-  o Security: Fix null-pointer assignment in do_change_cipher_spec() 
+  o Security: Fix null-pointer assignment in do_change_cipher_spec()
     (CAN-2004-0079)
   o Allow multiple active certificates with same subject in CA index
   o Multiple X590 verification fixes
@@ -2197,7 +2202,7 @@ Wed Feb 25 20:42:39 CET 2004 - poeml@suse.de
      Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
      of files as .eml work). Correctly handle very long lines in MIME
      parser.
-- update ICA patch 
+- update ICA patch
   quote: This version of the engine patch has updated error handling in
   the DES/SHA code, and turns RSA blinding off for hardware
   accelerated RSA ops.
@@ -2255,7 +2260,7 @@ Thu Jul 10 23:14:22 CEST 2003 - poeml@suse.de
 -------------------------------------------------------------------
 Mon May 12 23:27:07 CEST 2003 - poeml@suse.de
 
-- package the openssl.pc file for pkgconfig 
+- package the openssl.pc file for pkgconfig
 
 -------------------------------------------------------------------
 Wed Apr 16 16:04:32 CEST 2003 - poeml@suse.de
@@ -2353,7 +2358,7 @@ Thu Oct 24 12:57:36 CEST 2002 - poeml@suse.de
 -------------------------------------------------------------------
 Mon Sep 30 16:07:49 CEST 2002 - bg@suse.de
 
-- enable hppa distribution; use only pa1.1 architecture. 
+- enable hppa distribution; use only pa1.1 architecture.
 
 -------------------------------------------------------------------
 Tue Sep 17 17:13:46 CEST 2002 - froh@suse.de
@@ -2394,7 +2399,7 @@ Thu Aug  1 00:53:33 CEST 2002 - poeml@suse.de
 - gcc 3.1 version detection is fixed, we can drop the patch
 - move the most used man pages from the -doc to the main package
   [#9913] and resolve man page conflicts by putting them into ssl
-  sections [#17239] 
+  sections [#17239]
 - spec file: use PreReq for %post script
 
 -------------------------------------------------------------------
@@ -2443,14 +2448,14 @@ Thu Apr 18 16:30:01 CEST 2002 - meissner@suse.de
 Wed Apr 17 16:56:34 CEST 2002 - ro@suse.de
 
 - fixed gcc version determination
-- drop sun4c support/always use sparcv8 
+- drop sun4c support/always use sparcv8
 - ignore return code from showciphers
 
 -------------------------------------------------------------------
 Fri Mar 15 16:54:44 CET 2002 - poeml@suse.de
 
 - add settings for sparc to build shared objects. Note that all
-  sparcs (sun4[mdu]) are recognized as linux-sparcv7 
+  sparcs (sun4[mdu]) are recognized as linux-sparcv7
 
 -------------------------------------------------------------------
 Wed Feb  6 14:23:44 CET 2002 - kukuk@suse.de
@@ -2473,7 +2478,7 @@ Tue Jan 29 12:42:58 CET 2002 - poeml@suse.de
 - add IBMCA patch for IBM eServer Cryptographic Accelerator Device
   Driver (#12565) (forward ported from 0.9.6b)
   (http://www-124.ibm.com/developerworks/projects/libica/)
-- tell Configure how to build shared libs for s390 and s390x 
+- tell Configure how to build shared libs for s390 and s390x
 - tweak Makefile.org to use %_libdir
 - clean up spec file
 - add README.SuSE as source file instead of in a patch
@@ -2487,7 +2492,7 @@ Wed Dec  5 10:59:59 CET 2001 - uli@suse.de
 -------------------------------------------------------------------
 Wed Dec  5 02:39:16 CET 2001 - ro@suse.de
 
-- removed subpackage src 
+- removed subpackage src
 
 -------------------------------------------------------------------
 Wed Nov 28 13:28:42 CET 2001 - uli@suse.de
@@ -2509,7 +2514,7 @@ Fri Aug 31 11:19:46 CEST 2001 - rolf@suse.de
 Wed Jul 18 10:27:54 CEST 2001 - rolf@suse.de
 
 - update to 0.9.6b
-- switch to engine version of openssl, which supports hardware 
+- switch to engine version of openssl, which supports hardware
   encryption for a few popular devices
 - check wether shared libraries have been generated
 
@@ -2532,7 +2537,7 @@ Mon May  7 21:02:30 CEST 2001 - kukuk@suse.de
 Mon May  7 11:36:53 MEST 2001 - rolf@suse.de
 
 - Fix ppc and s390 shared library builds
-- resolved conflict in manpage naming: 
+- resolved conflict in manpage naming:
 	rand.3 is now sslrand.3 [BUG#7643]
 
 -------------------------------------------------------------------
@@ -2565,7 +2570,7 @@ Wed Mar 21 10:12:59 MET 2001 - rolf@suse.de
 -------------------------------------------------------------------
 Fri Dec 15 18:09:16 CET 2000 - sf@suse.de
 
-- changed CFLAG to -O1 to make the tests run successfully 
+- changed CFLAG to -O1 to make the tests run successfully
 
 -------------------------------------------------------------------
 Mon Dec 11 13:33:55 CET 2000 - rolf@suse.de
diff --git a/openssl.spec b/openssl.spec
index b7e69b2..272aaea 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -18,7 +18,7 @@
 
 %define _sonum  3
 Name:           openssl
-Version:        3.1.4
+Version:        3.2.0
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 # Yes there is no license but to not confuse people keep it aligned to the pkg

From 5fe9d172cea8d0c2d3ad7ee1091cae1f125d668acdad887306e821468e3d4802 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
Date: Mon, 29 Jan 2024 15:53:58 +0000
Subject: [PATCH 2/2] Accepting request 1142575 from
 home:pmonrealgonzalez:branches:security:tls

OBS-URL: https://build.opensuse.org/request/show/1142575
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl?expand=0&rev=59
---
 openssl.changes |  4 ++--
 openssl.spec    | 17 +++++++++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/openssl.changes b/openssl.changes
index 7f7385a..45fffae 100644
--- a/openssl.changes
+++ b/openssl.changes
@@ -1,7 +1,7 @@
 -------------------------------------------------------------------
-Thu Nov 23 16:07:51 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
+Mon Jan 29 15:17:22 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 
-- Update to 3.2.0
+- New libopenssl-fips-provider package.
 
 -------------------------------------------------------------------
 Tue Oct 24 14:55:05 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
diff --git a/openssl.spec b/openssl.spec
index 272aaea..2339f7d 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %define _sonum  3
 Name:           openssl
-Version:        3.2.0
+Version:        3.1.4
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 # Yes there is no license but to not confuse people keep it aligned to the pkg
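Review bot: The `Version:` tag goes from 3.2.0 back to 3.1.4 here, but the openssl.changes hunk of this patch overwrites the "Update to 3.2.0" entry with the new fips-provider entry, so the downgrade is not recorded anywhere. Anyone auditing which OpenSSL release this package tracks would see neither the earlier update nor its reversal. I would keep the November entry as it was and add a line to the new one, for example `- Revert version to 3.1.4 (<reason>)`. If the revert is unintentional, for instance a stale branch base, `Version:` should stay at `3.2.0`.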
@@ -62,6 +62,16 @@ Provides:       pkgconfig(openssl) = %{version}
 This package contains all necessary include files and libraries needed
 to develop applications that require these.
 
+%package -n libopenssl-fips-provider
+Summary:        Include Files and Libraries mandatory for Development
+Group:          Development/Libraries/C and C++
+Requires:       %{name} >= 3.0.0
+Requires:       libopenssl%{_sonum} >= 3.0.0
+Requires:       pkgconfig
+
+%description -n libopenssl-fips-provider
+This package contains OpenSSL FIPS provider.
+
 %prep
 cp %{SOURCE0} .
 
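Review bot: The `Summary:` and `Group:` of the new `libopenssl-fips-provider` subpackage read as if copied from the -devel subpackage above it ("Include Files and Libraries mandatory for Development", "Development/Libraries/C and C++"), which misdescribes a FIPS provider in package metadata and search results. Something like `Summary:        OpenSSL FIPS provider` with `Group:          Productivity/Networking/Security` would match the `%description`. `Requires:       pkgconfig` also looks carried over and is probably not needed by a runtime provider. The two `>= 3.0.0` requirements accept any 3.x library; if the provider is meant to track a specific validated build, which this hunk does not show, a tighter bound such as `Requires:       libopenssl%{_sonum} >= %{version}` would state that.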
@@ -77,4 +87,7 @@ cp %{SOURCE0} .
 %files -n libopenssl-devel
 %doc README.SUSE
 
+%files -n libopenssl-fips-provider
+%doc README.SUSE
+
 %changelog