Factory #1

Merged

dgarcia merged 43 commits from factory into main 2025-10-08 12:57:06 +02:00

Conversation 0 Commits 43 Files Changed 90 +6239 -13821

dgarcia commented 2025-10-06 14:28:19 +02:00

Owner

Copy Link

No description provided.

dgarcia added 43 commits 2025-10-06 14:28:19 +02:00

- Security fix: [bsc#1230698, CVE-2024-41996] ... e20eeb46a1

* Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used
  * Added openssl-CVE-2024-41996.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=114

Accepting request 1202944 from security:tls ... 0ed017ed4c

OBS-URL: https://build.opensuse.org/request/show/1202944
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=30

- Security fix: [bsc#1231741, CVE-2024-9143] ... aaffc1c436

* Low-level invalid GF(2^m) parameters lead to OOB memory access
  * Add openssl-CVE-2024-9143.patch

- Security fix: [bsc#1220262, CVE-2023-50782]
  * Implicit rejection in PKCS#1 v1.5
  * Add openssl-CVE-2023-50782.patch

  * Validating the order of the public keys in the Diffie-Hellman
    Key Agreement Protocol, when an approved safe prime is used.
  * Added openssl-3-CVE-2024-41996.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=116

* Added openssl-CVE-2024-41996.patch ... 05037720cc

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=117

Accepting request 1208827 from security:tls ... f15b6cf3be

OBS-URL: https://build.opensuse.org/request/show/1208827
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=31

- Update to 3.1.7: ... 6e95485a74

* Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
    - Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
    - Fixed possible buffer overread in SSL_select_next_proto()
      (CVE-2024-5535)
  * Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
    - Fixed potential use after free after SSL_free_buffers() is
      called (CVE-2024-4741)
    - Fixed an issue where checking excessively long DSA keys or
      parameters may be very slow (CVE-2024-4603)
    - Fixed unbounded memory growth with session handling in TLSv1.3
      (CVE-2024-2511)
  * Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
    - Fixed PKCS12 Decoding crashes (CVE-2024-0727)
    - Fixed Excessive time spent checking invalid RSA public keys
      [CVE-2023-6237)
    - Fixed POLY1305 MAC implementation corrupting vector registers
      on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
    - Fix excessive time spent in DH check / generation with large
      Q parameter value (CVE-2023-5678)
  * Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
  * Rebase patches:
    - openssl-Force-FIPS.patch
    - openssl-FIPS-embed-hmac.patch
    - openssl-FIPS-services-minimize.patch
    - openssl-FIPS-RSA-disable-shake.patch
    - openssl-CVE-2023-50782.patch
  * Remove patches fixed in the update:
    - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
    - openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=119

Accepting request 1217013 from security:tls ... dcc7abb986

OBS-URL: https://build.opensuse.org/request/show/1217013
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=32

- Support MSA 11 HMAC on s390x jsc#PED-10273 ... 8c598ed63d

* Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
  * Add openssl-3-fix-hmac-digest-detection-s390x.patch
  * Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch

- Add hardware acceleration for full AES-XTS  jsc#PED-10273
  * Add openssl-3-hw-acceleration-aes-xts-s390x.patch

- Support MSA 12 SHA3 on s390x jsc#PED-10280
  * Add openssl-3-add_EVP_DigestSqueeze_api.patch
  * Add openssl-3-support-multiple-sha3_squeeze_s390x.patch
  * Add openssl-3-add-xof-state-handling-s3_absorb.patch
  * Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch
  * Add openssl-3-fix-state-handling-sha3_final_s390x.patch
  * Add openssl-3-fix-state-handling-shake_final_s390x.patch
  * Add openssl-3-fix-state-handling-keccak_final_s390x.patch
  * Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
  * Add openssl-3-add-defines-CPACF-funcs.patch
  * Add openssl-3-add-hw-acceleration-hmac.patch
  * Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
  * Add openssl-3-fix-s390x_sha3_absorb.patch
  * Add openssl-3-fix-s390x_shake_squeeze.patch

- Update to 3.2.3:
  * Changes between 3.2.2 and 3.2.3:
    - Fixed possible denial of service in X.509 name checks. [CVE-2024-6119]
    - Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535]
  * Changes between 3.2.1 and 3.2.2:
    - Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741]
    - Fixed an issue where checking excessively long DSA keys or parameters may

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=121

Accepting request 1221596 from security:tls ... 45b932767a

OBS-URL: https://build.opensuse.org/request/show/1221596
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=33

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=123 a17015e560

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=124 5683a46d7c

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=125 de90bec471

Accepting request 1223748 from security:tls ... b3fd9c08d5

OBS-URL: https://build.opensuse.org/request/show/1223748
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=34

- Add support for userspace livepatching on ppc64le (jsc#PED-10952). ... 5afc4138ca

- Use gcc-13 for ppc64le.

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=127

- Add support for userspace livepatching on ppc64le (jsc#PED-11850). ... b062a1d507

- Fix evp_properties section in the openssl.cnf file [bsc#1234647]
  * Rebase patches:
    - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
    - openssl-TESTS-Disable-default-provider-crypto-policies.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=128

Accepting request 1234617 from security:tls ... 8853ae0bcf

OBS-URL: https://build.opensuse.org/request/show/1234617
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=35

- bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation ... e5f6af2c44

* Add patch openssl-CVE-2024-13176.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=130

Accepting request 1240110 from security:tls ... e1389a0ce1

OBS-URL: https://build.opensuse.org/request/show/1240110
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=36

- Update to 3.2.4: ... ef668cd7fa

* Fixed RFC7250 handshakes with unauthenticated servers don't abort as
    expected. [CVE-2024-12797]
  * Fixed timing side-channel in ECDSA signature computation. [CVE-2024-13176]
  * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
    curve parameters. [CVE-2024-9143]
- Remove patch openssl-CVE-2024-13176.patch
- Rebase patches:
  * openssl-3-add_EVP_DigestSqueeze_api.patch
  * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
  * openssl-FIPS-RSA-encapsulate.patch
  * openssl-disable-fipsinstall.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=132

expected. [bsc#1236599, CVE-2024-12797] ... 76e0808cc2

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=133

Accepting request 1245244 from security:tls ... e992b24c38

OBS-URL: https://build.opensuse.org/request/show/1245244
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=37

- Introduce --without lto. When %{optflags} contains -flto=*, tests cases are ... d801e4b1ff

also built using -flto=* which significantly increases build times, this
  option disables lto which improve iteration times when developing.

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=135

Accepting request 1251128 from security:tls ... ab574f714d

OBS-URL: https://build.opensuse.org/request/show/1251128
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=38

Accepting request 1255099 from home:lmulling:branches:security:tls ... fc3cc89792

- FIPS: Mark SHA-1 as non-approved in the SLI. [jsc#PED-12224]
  * Add openssl-FIPS-Mark-SHA1-as-nonapproved.patch

OBS-URL: https://build.opensuse.org/request/show/1255099
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=137

Accepting request 1255522 from security:tls ... a91f523eac

OBS-URL: https://build.opensuse.org/request/show/1255522
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=39

- Update to 3.5.0: ... 8a00581af4

* Changes:
    - Default encryption cipher for the req, cms, and smime applications
      changed from des-ede3-cbc to aes-256-cbc.
    - The default TLS supported groups list has been changed to include
      and prefer hybrid PQC KEM groups. Some practically unused groups
      were removed from the default list.
    - The default TLS keyshares have been changed to offer X25519MLKEM768
      and and X25519.
    - All BIO_meth_get_*() functions were deprecated.
  * New features:
    - Support for server side QUIC (RFC 9000)
    - Support for 3rd party QUIC stacks including 0-RTT support
    - Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
    - A new configuration option no-tls-deprecated-ec to disable support
      for TLS groups deprecated in RFC8422
    - A new configuration option enable-fips-jitter to make the FIPS
      provider to use the JITTER seed source
    - Support for central key generation in CMP
    - Support added for opaque symmetric key objects (EVP_SKEY)
    - Support for multiple TLS keyshares and improved TLS key establishment
      group configurability
    - API support for pipelining in provided cipher algorithms
  * Remove patches:
    - openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
    - openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
    - openssl-3-add-defines-CPACF-funcs.patch
    - openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
    - openssl-3-add-xof-state-handling-s3_absorb.patch
    - openssl-3-fix-state-handling-sha3_absorb_s390x.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=139

Accepting request 1270033 from security:tls ... 5d3e6b585a

OBS-URL: https://build.opensuse.org/request/show/1270033
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=40

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=141 002501c0b8

Accepting request 1278744 from security:tls ... 2dc845ffe5

OBS-URL: https://build.opensuse.org/request/show/1278744
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=41

- bsc#1243564 CVE-2025-4575: Fix the x509 application adding trusted use instead of rejected use ... cbc553d55a

* Add openssl-CVE-2025-4575.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=143

- Fixed CVE-2025-27587 ... 24d6d64b5c

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=144

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=145 76538713a2

- Fix P-384 curve on lower-than-P9 PPC64 targets [bsc#1243014] ... 92e37434ce

* Add openssl-Fix-P384-on-P8-targets.patch [a72f753c]

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=146

Accepting request 1281096 from security:tls ... 20fff9f8c0

- Fix P-384 curve on lower-than-P9 PPC64 targets [bsc#1243014]
  * Add openssl-Fix-P384-on-P8-targets.patch [a72f753c]

- Security fix: [bsc#1243564, CVE-2025-4575]
  * Fix the x509 application adding trusted use instead of rejected use
  * Add openssl-CVE-2025-4575.patch

  * Security fixes:
    - [bsc#1243459, CVE-2025-27587] Minerva side channel vulnerability in P-384

OBS-URL: https://build.opensuse.org/request/show/1281096
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=42

Accepting request 1291089 from home:lmulling:branches:security:tls ... 2ae28710e3

- Update to 3.5.1:
  * Fix x509 application adds trusted use instead of rejected use.
    [bsc#1243564, CVE-2025-4575]
- Remove patches:
  * openssl-Fix-P384-on-P8-targets.patch
  * openssl-CVE-2025-4575.patch
- Rebase patches:
  * openssl-Allow-disabling-of-SHA1-signatures.patch
  * openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
  * openssl-FIPS-NO-DES-support.patch
- Fix a bogus warning caused by -Wfree-nonheap-object
  * Add patch openssl-Fix-Wfree-nonheap-object-warning.patch

OBS-URL: https://build.opensuse.org/request/show/1291089
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=148

Accepting request 1291169 from security:tls ... 3b25bca574

OBS-URL: https://build.opensuse.org/request/show/1291169
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=43

- Use termios instead of obsolete termio ... 66e88c4add

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=150

- Disable LTO for userspace livepatching [jsc#PED-13245] ... 6046fdcaeb

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=151

Accepting request 1296523 from security:tls ... 97acb0832f

OBS-URL: https://build.opensuse.org/request/show/1296523
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=44

- Update to 3.5.2: ... 30c6de24df

* Miscellaneous minor bug fixes.
  * The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
    This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
- Rebase patches:
  * openssl-FIPS-140-3-keychecks.patch
  * openssl-FIPS-NO-DES-support.patch
  * openssl-FIPS-enforce-EMS-support.patch
  * openssl-disable-fipsinstall.patch
- Move ssl configuration files to the libopenssl package [bsc#1247463]
- Don't install unneeded NOTES

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=153

Accepting request 1297961 from security:tls ... afe8736aba

OBS-URL: https://build.opensuse.org/request/show/1297961
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=45

- Update to 3.5.3: ... f6c710bc56

* Added FIPS 140-3 PCT on DH key generation.
  * Fixed the synthesised OPENSSL_VERSION_NUMBER.
- Rebase patches:
  * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
  * openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
  * openssl-FIPS-limit-rsa-encrypt.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=155

Accepting request 1305335 from security:tls ... 00ea7ab7f6

- Update to 3.5.3:
  * Added FIPS 140-3 PCT on DH key generation.
  * Fixed the synthesised OPENSSL_VERSION_NUMBER.
- Rebase patches:
  * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
  * openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
  * openssl-FIPS-limit-rsa-encrypt.patch

OBS-URL: https://build.opensuse.org/request/show/1305335
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=46

dgarcia merged commit 5f909683e2 into main 2025-10-08 12:57:06 +02:00

dgarcia referenced this issue from a commit 2025-10-08 12:57:08 +02:00

Merge pull request 'Factory' (#1) from factory into main

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Assignees

Clear assignees

adamm adrianSuSE autogits-devel dgarcia dirkmueller gitea_test yudaike

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: testing/openssl-3#1

No description provided.