From 412a5012b8ab82ec296ba7daf132ac656b5efe2b312b2abc26f86b6d2d484455 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Thu, 9 Jul 2009 08:42:49 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=25 --- openssl-0.9.8h.tar.bz2 | 3 - openssl-0.9.8k.tar.bz2 | 3 + openssl-CVE-2008-5077.patch | 163 -------- openssl-CVE-2009-0590.patch | 64 ---- openssl-CVE-2009-0591.patch | 13 - openssl-CVE-2009-0789.patch | 20 - openssl.changes | 30 ++ openssl.spec | 720 ++---------------------------------- 8 files changed, 60 insertions(+), 956 deletions(-) delete mode 100644 openssl-0.9.8h.tar.bz2 create mode 100644 openssl-0.9.8k.tar.bz2 delete mode 100644 openssl-CVE-2008-5077.patch delete mode 100644 openssl-CVE-2009-0590.patch delete mode 100644 openssl-CVE-2009-0591.patch delete mode 100644 openssl-CVE-2009-0789.patch diff --git a/openssl-0.9.8h.tar.bz2 b/openssl-0.9.8h.tar.bz2 deleted file mode 100644 index b425c64..0000000 --- a/openssl-0.9.8h.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9b7d2a06182fa4e821c436dafc8378c63007606bd47bf431974994867043ea4c -size 2734835 diff --git a/openssl-0.9.8k.tar.bz2 b/openssl-0.9.8k.tar.bz2 new file mode 100644 index 0000000..9f90e39 --- /dev/null +++ b/openssl-0.9.8k.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b51b8d0974be7936545020c096fe6e3bf454fdcc7bf798f7c01c46d492c7438c +size 3092074 diff --git a/openssl-CVE-2008-5077.patch b/openssl-CVE-2008-5077.patch deleted file mode 100644 index 8b53545..0000000 --- a/openssl-CVE-2008-5077.patch +++ /dev/null @@ -1,163 +0,0 @@ - -Index: openssl-0.9.8h/apps/speed.c -=================================================================== ---- openssl-0.9.8h.orig/apps/speed.c -+++ openssl-0.9.8h/apps/speed.c -@@ -2132,7 +2132,7 @@ int MAIN(int argc, char **argv) - { - ret=RSA_verify(NID_md5_sha1, buf,36, buf2, - rsa_num, rsa_key[j]); -- if (ret == 0) -+ if (ret <= 0) - { - BIO_printf(bio_err, - "RSA verify failure\n"); -Index: openssl-0.9.8h/apps/spkac.c -=================================================================== ---- openssl-0.9.8h.orig/apps/spkac.c -+++ openssl-0.9.8h/apps/spkac.c -@@ -285,7 +285,7 @@ bad: - pkey = NETSCAPE_SPKI_get_pubkey(spki); - if(verify) { - i = NETSCAPE_SPKI_verify(spki, pkey); -- if(i) BIO_printf(bio_err, "Signature OK\n"); -+ if (i > 0) BIO_printf(bio_err, "Signature OK\n"); - else { - BIO_printf(bio_err, "Signature Failure\n"); - ERR_print_errors(bio_err); -Index: openssl-0.9.8h/apps/verify.c -=================================================================== ---- openssl-0.9.8h.orig/apps/verify.c -+++ openssl-0.9.8h/apps/verify.c -@@ -266,7 +266,7 @@ static int check(X509_STORE *ctx, char * - - ret=0; - end: -- if (i) -+ if (i > 0) - { - fprintf(stdout,"OK\n"); - ret=1; -@@ -367,4 +367,3 @@ static int MS_CALLBACK cb(int ok, X509_S - ERR_clear_error(); - return(ok); - } -- -Index: openssl-0.9.8h/apps/x509.c -=================================================================== ---- openssl-0.9.8h.orig/apps/x509.c -+++ openssl-0.9.8h/apps/x509.c -@@ -1151,7 +1151,7 @@ static int x509_certify(X509_STORE *ctx, - /* NOTE: this certificate can/should be self signed, unless it was - * a certificate request in which case it is not. */ - X509_STORE_CTX_set_cert(&xsc,x); -- if (!reqfile && !X509_verify_cert(&xsc)) -+ if (!reqfile && X509_verify_cert(&xsc) <= 0) - goto end; - - if (!X509_check_private_key(xca,pkey)) -Index: openssl-0.9.8h/crypto/cms/cms_sd.c -=================================================================== ---- openssl-0.9.8h.orig/crypto/cms/cms_sd.c -+++ openssl-0.9.8h/crypto/cms/cms_sd.c -@@ -830,7 +830,7 @@ int CMS_SignerInfo_verify(CMS_SignerInfo - cms_fixup_mctx(&mctx, si->pkey); - r = EVP_VerifyFinal(&mctx, - si->signature->data, si->signature->length, si->pkey); -- if (!r) -+ if (r <= 0) - CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE); - err: - EVP_MD_CTX_cleanup(&mctx); -Index: openssl-0.9.8h/ssl/s2_clnt.c -=================================================================== ---- openssl-0.9.8h.orig/ssl/s2_clnt.c -+++ openssl-0.9.8h/ssl/s2_clnt.c -@@ -1044,7 +1044,7 @@ int ssl2_set_certificate(SSL *s, int typ - - i=ssl_verify_cert_chain(s,sk); - -- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) -+ if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) - { - SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); - goto err; -Index: openssl-0.9.8h/ssl/s2_srvr.c -=================================================================== ---- openssl-0.9.8h.orig/ssl/s2_srvr.c -+++ openssl-0.9.8h/ssl/s2_srvr.c -@@ -1054,7 +1054,7 @@ static int request_certificate(SSL *s) - - i=ssl_verify_cert_chain(s,sk); - -- if (i) /* we like the packet, now check the chksum */ -+ if (i > 0) /* we like the packet, now check the chksum */ - { - EVP_MD_CTX ctx; - EVP_PKEY *pkey=NULL; -@@ -1083,7 +1083,7 @@ static int request_certificate(SSL *s) - EVP_PKEY_free(pkey); - EVP_MD_CTX_cleanup(&ctx); - -- if (i) -+ if (i > 0) - { - if (s->session->peer != NULL) - X509_free(s->session->peer); -Index: openssl-0.9.8h/ssl/s3_clnt.c -=================================================================== ---- openssl-0.9.8h.orig/ssl/s3_clnt.c -+++ openssl-0.9.8h/ssl/s3_clnt.c -@@ -965,7 +965,7 @@ int ssl3_get_server_certificate(SSL *s) - } - - i=ssl_verify_cert_chain(s,sk); -- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) -+ if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) - #ifndef OPENSSL_NO_KRB5 - && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) - != (SSL_aKRB5|SSL_kKRB5) -@@ -1450,7 +1450,7 @@ int ssl3_get_key_exchange(SSL *s) - EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); - EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); - EVP_VerifyUpdate(&md_ctx,param,param_len); -- if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) -+ if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) - { - /* bad signature */ - al=SSL_AD_DECRYPT_ERROR; -@@ -1468,7 +1468,7 @@ int ssl3_get_key_exchange(SSL *s) - EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); - EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); - EVP_VerifyUpdate(&md_ctx,param,param_len); -- if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) -+ if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) - { - /* bad signature */ - al=SSL_AD_DECRYPT_ERROR; -Index: openssl-0.9.8h/ssl/s3_srvr.c -=================================================================== ---- openssl-0.9.8h.orig/ssl/s3_srvr.c -+++ openssl-0.9.8h/ssl/s3_srvr.c -@@ -2558,7 +2558,7 @@ int ssl3_get_client_certificate(SSL *s) - else - { - i=ssl_verify_cert_chain(s,sk); -- if (!i) -+ if (i <= 0) - { - al=ssl_verify_alarm_type(s->verify_result); - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); -Index: openssl-0.9.8h/ssl/ssltest.c -=================================================================== ---- openssl-0.9.8h.orig/ssl/ssltest.c -+++ openssl-0.9.8h/ssl/ssltest.c -@@ -2072,7 +2072,7 @@ static int MS_CALLBACK app_verify_callba - - if (cb_arg->proxy_auth) - { -- if (ok) -+ if (ok > 0) - { - const char *cond_end = NULL; - diff --git a/openssl-CVE-2009-0590.patch b/openssl-CVE-2009-0590.patch deleted file mode 100644 index 0e028e8..0000000 --- a/openssl-CVE-2009-0590.patch +++ /dev/null @@ -1,64 +0,0 @@ - -Index: openssl-0.9.8h/crypto/asn1/asn1.h -=================================================================== ---- openssl-0.9.8h.orig/crypto/asn1/asn1.h -+++ openssl-0.9.8h/crypto/asn1/asn1.h -@@ -1218,6 +1218,7 @@ - #define ASN1_R_BAD_OBJECT_HEADER 102 - #define ASN1_R_BAD_PASSWORD_READ 103 - #define ASN1_R_BAD_TAG 104 -+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 - #define ASN1_R_BN_LIB 105 - #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 - #define ASN1_R_BUFFER_TOO_SMALL 107 -@@ -1307,6 +1308,7 @@ - #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 - #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 - #define ASN1_R_UNEXPECTED_EOC 159 -+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 - #define ASN1_R_UNKNOWN_FORMAT 160 - #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 - #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 -Index: openssl-0.9.8h/crypto/asn1/asn1_err.c -=================================================================== ---- openssl-0.9.8h.orig/crypto/asn1/asn1_err.c -+++ openssl-0.9.8h/crypto/asn1/asn1_err.c -@@ -195,6 +195,7 @@ - {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, - {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, - {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, -+{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, - {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, - {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, - {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, -@@ -284,6 +285,7 @@ - {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, - {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, - {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, -+{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, - {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, - {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, - {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, -Index: openssl-0.9.8h/crypto/asn1/tasn_dec.c -=================================================================== ---- openssl-0.9.8h.orig/crypto/asn1/tasn_dec.c -+++ openssl-0.9.8h/crypto/asn1/tasn_dec.c -@@ -1012,6 +1012,18 @@ - case V_ASN1_SET: - case V_ASN1_SEQUENCE: - default: -+ if (utype == V_ASN1_BMPSTRING && (len & 1)) -+ { -+ ASN1err(ASN1_F_ASN1_EX_C2I, -+ ASN1_R_BMPSTRING_IS_WRONG_LENGTH); -+ goto err; -+ } -+ if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) -+ { -+ ASN1err(ASN1_F_ASN1_EX_C2I, -+ ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); -+ goto err; -+ } - /* All based on ASN1_STRING and handled the same */ - if (!*pval) - { diff --git a/openssl-CVE-2009-0591.patch b/openssl-CVE-2009-0591.patch deleted file mode 100644 index 39974e1..0000000 --- a/openssl-CVE-2009-0591.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: openssl-0.9.8h/crypto/cms/cms_smime.c -=================================================================== ---- openssl-0.9.8h.orig/crypto/cms/cms_smime.c -+++ openssl-0.9.8h/crypto/cms/cms_smime.c -@@ -425,7 +425,7 @@ - for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) - { - si = sk_CMS_SignerInfo_value(sinfos, i); -- if (!CMS_SignerInfo_verify_content(si, cmsbio)) -+ if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0) - { - CMSerr(CMS_F_CMS_VERIFY, - CMS_R_CONTENT_VERIFY_ERROR); diff --git a/openssl-CVE-2009-0789.patch b/openssl-CVE-2009-0789.patch deleted file mode 100644 index 18b8ace..0000000 --- a/openssl-CVE-2009-0789.patch +++ /dev/null @@ -1,20 +0,0 @@ - -Index: openssl-0.9.8h/crypto/asn1/tasn_dec.c -=================================================================== ---- openssl-0.9.8h.orig/crypto/asn1/tasn_dec.c -+++ openssl-0.9.8h/crypto/asn1/tasn_dec.c -@@ -611,7 +611,6 @@ - - err: - ASN1_template_free(val, tt); -- *val = NULL; - return 0; - } - -@@ -758,7 +757,6 @@ - - err: - ASN1_template_free(val, tt); -- *val = NULL; - return 0; - } diff --git a/openssl.changes b/openssl.changes index 6546a2f..05e0639 100644 --- a/openssl.changes +++ b/openssl.changes @@ -1,3 +1,33 @@ +------------------------------------------------------------------- +Fri Jul 3 11:53:48 CEST 2009 - gjhe@novell.com + +- update to version 0.9.8k +- patches merged upstream: + openssl-CVE-2008-5077.patch + openssl-CVE-2009-0590.patch + openssl-CVE-2009-0591.patch + openssl-CVE-2009-0789.patch + openssl-CVE-2009-1377.patch + openssl-CVE-2009-1378.patch + openssl-CVE-2009-1379.patch + openssl-CVE-2009-1386.patch + openssl-CVE-2009-1387.patch + +------------------------------------------------------------------- +Tue Jun 30 05:17:26 CEST 2009 - gjhe@novell.com + +- fix security bug [bnc#509031] + CVE-2009-1386 + CVE-2009-1387 + +------------------------------------------------------------------- +Tue Jun 30 05:16:39 CEST 2009 - gjhe@novell.com + +- fix security bug [bnc#504687] + CVE-2009-1377 + CVE-2009-1378 + CVE-2009-1379 + ------------------------------------------------------------------- Wed Apr 15 12:28:29 CEST 2009 - gjhe@suse.de diff --git a/openssl.spec b/openssl.spec index 116dfad..7c22ea1 100644 --- a/openssl.spec +++ b/openssl.spec @@ -1,5 +1,5 @@ # -# spec file for package openssl (Version 0.9.8h) +# spec file for package openssl (Version 0.9.8k) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -22,7 +22,7 @@ Name: openssl BuildRequires: bc ed zlib-devel %define ssletcdir %{_sysconfdir}/ssl %define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g") -License: BSD 3-Clause +License: BSD 3-clause (or similar) Group: Productivity/Networking/Security Provides: ssl AutoReqProv: on @@ -31,8 +31,8 @@ AutoReqProv: on Obsoletes: openssl-64bit %endif # -Version: 0.9.8h -Release: 32 +Version: 0.9.8k +Release: 1 Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -51,10 +51,6 @@ Patch8: func-parm-err.patch %ifarch s390x Patch9: disable-optimization-for-s390x.diff %endif -Patch10: openssl-CVE-2008-5077.patch -Patch11: openssl-CVE-2009-0590.patch -Patch12: openssl-CVE-2009-0591.patch -Patch13: openssl-CVE-2009-0789.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -87,7 +83,7 @@ Authors: Paul C. Sutton %package -n libopenssl0_9_8 -License: BSD 3-Clause +License: BSD 3-clause (or similar) Summary: Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security Recommends: openssl-certs @@ -127,7 +123,7 @@ Authors: Paul C. Sutton %package -n libopenssl-devel -License: BSD 3-Clause +License: BSD 3-clause (or similar) Summary: Include Files and Libraries mandatory for Development Group: Development/Libraries/C and C++ # openssl-devel last used in openSUSE 10.2 @@ -158,7 +154,7 @@ Authors: Paul C. Sutton %package doc -License: BSD 3-Clause +License: BSD 3-clause (or similar) Summary: Additional Package Documentation Group: Productivity/Networking/Security @@ -194,10 +190,6 @@ Authors: %ifarch s390x %patch9 %endif -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 cp -p %{S:10} . # lib64 installation fixes for i in Makefile.org engines/Makefile; do @@ -249,25 +241,25 @@ $RPM_OPT_FLAGS \ -Wall \ -fstack-protector " # -%{!?do_profiling:%define do_profiling 0} -%if %do_profiling - # generate feedback - ./config $config_flags - make depend CC="gcc %cflags_profile_generate" - make CC="gcc %cflags_profile_generate" - LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate" - LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate" - LD_LIBRARY_PATH=`pwd` apps/openssl speed - make clean - # compile with feedback - # but not if it makes a cipher slower: - #find crypto/aes -name '*.da' | xargs -r rm - ./config $config_flags %cflags_profile_feedback - make depend - make - LD_LIBRARY_PATH=`pwd` make rehash - LD_LIBRARY_PATH=`pwd` make test -%else +#%{!?do_profiling:%define do_profiling 0} +#%if %do_profiling +# # generate feedback +# ./config $config_flags +# make depend CC="gcc %cflags_profile_generate" +# make CC="gcc %cflags_profile_generate" +# LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate" +# LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate" +# LD_LIBRARY_PATH=`pwd` apps/openssl speed +# make clean +# # compile with feedback +# # but not if it makes a cipher slower: +# #find crypto/aes -name '*.da' | xargs -r rm +# ./config $config_flags %cflags_profile_feedback +# make depend +# make +# LD_LIBRARY_PATH=`pwd` make rehash +# LD_LIBRARY_PATH=`pwd` make test +#%else ./config $config_flags make depend make @@ -275,7 +267,7 @@ $RPM_OPT_FLAGS \ %ifnarch armv4l LD_LIBRARY_PATH=`pwd` make test %endif -%endif +#%endif # show settings make TABLE echo $RPM_OPT_FLAGS @@ -409,661 +401,3 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %{_bindir}/%{name} %changelog -* Wed Apr 15 2009 gjhe@suse.de -- fix security bug [bnc#489641] - CVE-2009-0590 - CVE-2009-0591 - CVE-2009-0789 -* Wed Jan 07 2009 olh@suse.de -- obsolete old -XXbit packages (bnc#437293) -* Thu Dec 18 2008 jshi@suse.de -- fix security bug [bnc#459468] - CVE-2008-5077 -* Tue Dec 09 2008 xwhu@suse.de -- Disable optimization for s390x -* Mon Dec 08 2008 xwhu@suse.de -- Disable optimization of md4 -* Mon Nov 10 2008 xwhu@suse.de -- Disable optimization of ripemd [bnc#442740] -* Tue Oct 14 2008 xwhu@suse.de -- Passing string as struct cause openssl segment-fault [bnc#430141] -* Wed Jul 16 2008 mkoenig@suse.de -- do not require openssl-certs, but rather recommend it - to avoid dependency cycle [bnc#408865] -* Wed Jul 09 2008 mkoenig@suse.de -- remove the certs subpackage from the openssl package - and move the CA root certificates into a package of its own -* Tue Jun 24 2008 mkoenig@suse.de -- update to version 0.9.8h -- openssl does not ship CA root certificates anymore - keep certificates that SuSE is already shipping -- resolves bad array index (function has been removed) [bnc#356549] -- removed patches - openssl-0.9.8g-fix_dh_for_certain_moduli.patch - openssl-CVE-2008-0891.patch - openssl-CVE-2008-1672.patch -* Wed May 28 2008 mkoenig@suse.de -- fix OpenSSL Server Name extension crash (CVE-2008-0891) - and OpenSSL Omit Server Key Exchange message crash (CVE-2008-1672) - [bnc#394317] -* Wed May 21 2008 cthiel@suse.de -- fix baselibs.conf -* Tue Apr 22 2008 mkoenig@suse.de -- add -DMD32_REG_T=int for x86_64 and ia64 [bnc#381844] -* Thu Apr 10 2008 ro@suse.de -- added baselibs.conf file to build xxbit packages - for multilib support -* Mon Nov 05 2007 mkoenig@suse.de -- fix Diffie-Hellman failure with certain prime lengths -* Mon Oct 22 2007 mkoenig@suse.de -- update to version 0.9.8g: - * fix some bugs introduced with 0.9.8f -* Mon Oct 15 2007 mkoenig@suse.de -- update to version 0.9.8f: - * fixes CVE-2007-3108, CVE-2007-5135, CVE-2007-4995 -- patches merged upstream: - openssl-0.9.8-key_length.patch - openssl-CVE-2007-3108-bug296511 - openssl-CVE-2007-5135.patch - openssl-gcc42.patch - openssl-gcc42_b.patch - openssl-s390-config.diff -* Mon Oct 01 2007 mkoenig@suse.de -- fix buffer overflow CVE-2007-5135 [#329208] -* Wed Sep 05 2007 mkoenig@suse.de -- fix another gcc 4.2 build problem [#307669] -* Fri Aug 03 2007 coolo@suse.de -- provide the version obsoleted (#293401) -* Wed Aug 01 2007 werner@suse.de -- Add patch from CVS for RSA key reconstruction vulnerability - (CVE-2007-3108, VU#724968, bug #296511) -* Thu May 24 2007 mkoenig@suse.de -- fix build with gcc-4.2 - openssl-gcc42.patch -- do not install example scripts with executable permissions -* Mon Apr 30 2007 ro@suse.de -- adapt requires -* Fri Apr 27 2007 mkoenig@suse.de -- Do not use dots in package name -- explicitly build with gcc-4.1 because of currently unresolved - failures with gcc-4.2 -* Wed Apr 25 2007 mkoenig@suse.de -- Split/rename package to follow library packaging policy [#260219] - New package libopenssl0.9.8 containing shared libs - openssl-devel package renamed to libopenssl-devel - New package openssl-certs containing certificates -- add zlib-devel to Requires of devel package -- remove old Obsoletes and Conflicts - openssls (Last used Nov 2000) - ssleay (Last used 6.2) -* Mon Apr 23 2007 mkoenig@suse.de -- Fix key length [#254905,#262477] -* Tue Mar 06 2007 mkoenig@suse.de -- update to version 0.9.8e: - * patches merged upstream: - openssl-CVE-2006-2940-fixup.patch - openssl-0.9.8d-padlock-static.patch -* Tue Jan 09 2007 mkoenig@suse.de -- fix PadLock support [#230823] -* Thu Nov 30 2006 mkoenig@suse.de -- enable fix for CVE-2006-2940 [#223040], SWAMP-ID 7198 -* Mon Nov 06 2006 poeml@suse.de -- configure with 'zlib' instead of 'zlib-dynamic'. Build with the - latter, there are problems opening the libz when running on the - Via Epia or vmware platforms. [#213305] -* Wed Oct 04 2006 poeml@suse.de -- add patch for the CVE-2006-2940 fix: the newly introduced limit - on DH modulus size could lead to a crash when exerted. [#208971] - Discovered and fixed after the 0.9.8d release. -* Fri Sep 29 2006 poeml@suse.de -- update to 0.9.8d - *) Introduce limits to prevent malicious keys being able to - cause a denial of service. (CVE-2006-2940) - *) Fix ASN.1 parsing of certain invalid structures that can result - in a denial of service. (CVE-2006-2937) - *) Fix buffer overflow in SSL_get_shared_ciphers() function. - (CVE-2006-3738) - *) Fix SSL client code which could crash if connecting to a - malicious SSLv2 server. (CVE-2006-4343) - *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites - match only those. Before that, "AES256-SHA" would be interpreted - as a pattern and match "AES128-SHA" too (since AES128-SHA got - the same strength classification in 0.9.7h) as we currently only - have a single AES bit in the ciphersuite description bitmap. - That change, however, also applied to ciphersuite strings such as - "RC4-MD5" that intentionally matched multiple ciphersuites -- - namely, SSL 2.0 ciphersuites in addition to the more common ones - from SSL 3.0/TLS 1.0. - So we change the selection algorithm again: Naming an explicit - ciphersuite selects this one ciphersuite, and any other similar - ciphersuite (same bitmap) from *other* protocol versions. - Thus, "RC4-MD5" again will properly select both the SSL 2.0 - ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. - Since SSL 2.0 does not have any ciphersuites for which the - 128/256 bit distinction would be relevant, this works for now. - The proper fix will be to use different bits for AES128 and - AES256, which would have avoided the problems from the beginning; - however, bits are scarce, so we can only do this in a new release - (not just a patchlevel) when we can change the SSL_CIPHER - definition to split the single 'unsigned long mask' bitmap into - multiple values to extend the available space. -- not in mentioned in CHANGES: patch for CVE-2006-4339 corrected - [openssl.org #1397] -* Fri Sep 08 2006 schwab@suse.de -- Fix inverted logic. -* Wed Sep 06 2006 poeml@suse.de -- update to 0.9.8c - Changes between 0.9.8b and 0.9.8c [05 Sep 2006] - *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher - (CVE-2006-4339) [Ben Laurie and Google Security Team] - *) Add AES IGE and biIGE modes. [Ben Laurie] - *) Change the Unix randomness entropy gathering to use poll() when - possible instead of select(), since the latter has some - undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller] - *) Disable "ECCdraft" ciphersuites more thoroughly. Now special - treatment in ssl/ssl_ciph.s makes sure that these ciphersuites - cannot be implicitly activated as part of, e.g., the "AES" alias. - However, please upgrade to OpenSSL 0.9.9[-dev] for - non-experimental use of the ECC ciphersuites to get TLS extension - support, which is required for curve and point format negotiation - to avoid potential handshake problems. [Bodo Moeller] - *) Disable rogue ciphersuites: - - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") - - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") - - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") - The latter two were purportedly from - draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really - appear there. - Also deactive the remaining ciphersuites from - draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as - unofficial, and the ID has long expired. [Bodo Moeller] - *) Fix RSA blinding Heisenbug (problems sometimes occured on - dual-core machines) and other potential thread-safety issues. - [Bodo Moeller] - *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key - versions), which is now available for royalty-free use - (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). - Also, add Camellia TLS ciphersuites from RFC 4132. - To minimize changes between patchlevels in the OpenSSL 0.9.8 - series, Camellia remains excluded from compilation unless OpenSSL - is configured with 'enable-camellia'. [NTT] - *) Disable the padding bug check when compression is in use. The padding - bug check assumes the first packet is of even length, this is not - necessarily true if compresssion is enabled and can result in false - positives causing handshake failure. The actual bug test is ancient - code so it is hoped that implementations will either have fixed it by - now or any which still have the bug do not support compression. - [Steve Henson] - Changes between 0.9.8a and 0.9.8b [04 May 2006] - *) When applying a cipher rule check to see if string match is an explicit - cipher suite and only match that one cipher suite if it is. [Steve Henson] - *) Link in manifests for VC++ if needed. [Austin Ziegler ] - *) Update support for ECC-based TLS ciphersuites according to - draft-ietf-tls-ecc-12.txt with proposed changes (but without - TLS extensions, which are supported starting with the 0.9.9 - branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila] - *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support - opaque EVP_CIPHER_CTX handling. [Steve Henson] - *) Fixes and enhancements to zlib compression code. We now only use - "zlib1.dll" and use the default __cdecl calling convention on Win32 - to conform with the standards mentioned here: - http://www.zlib.net/DLL_FAQ.txt - Static zlib linking now works on Windows and the new --with-zlib-include - --with-zlib-lib options to Configure can be used to supply the location - of the headers and library. Gracefully handle case where zlib library - can't be loaded. [Steve Henson] - *) Several fixes and enhancements to the OID generation code. The old code - sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't - handle numbers larger than ULONG_MAX, truncated printing and had a - non standard OBJ_obj2txt() behaviour. [Steve Henson] - *) Add support for building of engines under engine/ as shared libraries - under VC++ build system. [Steve Henson] - *) Corrected the numerous bugs in the Win32 path splitter in DSO. - Hopefully, we will not see any false combination of paths any more. - [Richard Levitte] -- enable Camellia cipher. There is a royalty free license to the - patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html. - NOTE: the license forbids patches to the cipher. -- build with zlib-dynamic and add zlib-devel to BuildRequires. - Allows compression of data in TLS, although few application would - actually use it since there is no standard for negotiating the - compression method. The only one I know if is stunnel. -* Fri Jun 02 2006 poeml@suse.de -- fix built-in ENGINESDIR for 64 bit architectures. We change only - the builtin search path for engines, not the path where engines - are packaged. Path can be overridden with the OPENSSL_ENGINES - environment variable. [#179094] -* Wed Jan 25 2006 mls@suse.de -- converted neededforbuild to BuildRequires -* Mon Jan 16 2006 mc@suse.de -- fix build problems on s390x (openssl-s390-config.diff) -- build with -fstack-protector -* Mon Nov 07 2005 dmueller@suse.de -- build with non-executable stack -* Thu Oct 20 2005 poeml@suse.de -- fix unguarded free() which can cause a segfault in the ca - commandline app [#128655] -* Thu Oct 13 2005 poeml@suse.de -- add Geotrusts Equifax Root1 CA certificate, which needed to - verify the authenticity of you.novell.com [#121966] -* Tue Oct 11 2005 poeml@suse.de -- update to 0.9.8a - *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING - (part of SSL_OP_ALL). This option used to disable the - countermeasure against man-in-the-middle protocol-version - rollback in the SSL 2.0 server implementation, which is a bad - idea. (CAN-2005-2969) - *) Add two function to clear and return the verify parameter flags. - *) Keep cipherlists sorted in the source instead of sorting them at - runtime, thus removing the need for a lock. - *) Avoid some small subgroup attacks in Diffie-Hellman. - *) Add functions for well-known primes. - *) Extended Windows CE support. - *) Initialize SSL_METHOD structures at compile time instead of during - runtime, thus removing the need for a lock. - *) Make PKCS7_decrypt() work even if no certificate is supplied by - attempting to decrypt each encrypted key in turn. Add support to - smime utility. -* Thu Sep 29 2005 poeml@suse.de -- update to 0.9.8 - see CHANGES file or http://www.openssl.org/news/changelog.html -- adjust patches -- drop obsolete openssl-no-libc.diff -- disable libica patch until it has been ported -* Fri May 20 2005 poeml@suse.de -- update to 0.9.7g. The significant changes are: - *) Fixes for newer kerberos headers. NB: the casts are needed because - the 'length' field is signed on one version and unsigned on another - with no (?) obvious way to tell the difference, without these VC++ - complains. Also the "definition" of FAR (blank) is no longer included - nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up - some needed definitions. - *) Added support for proxy certificates according to RFC 3820. - Because they may be a security thread to unaware applications, - they must be explicitely allowed in run-time. See - docs/HOWTO/proxy_certificates.txt for further information. -* Tue May 17 2005 schwab@suse.de -- Include %%cflags_profile_generate in ${CC} since it is required for - linking as well. -- Remove explicit reference to libc. -* Fri Apr 08 2005 poeml@suse.de -- update to 0.9.7f. The most significant changes are: - o Several compilation issues fixed. - o Many memory allocation failure checks added. - o Improved comparison of X509 Name type. - o Mandatory basic checks on certificates. - o Performance improvements. - (for a complete list see http://www.openssl.org/source/exp/CHANGES) -- adjust openssl-0.9.7f-ppc64.diff -- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435] -* Tue Jan 04 2005 poeml@suse.de -- update to 0.9.7e - *) Avoid a race condition when CRLs are checked in a multi - threaded environment. This would happen due to the reordering - of the revoked entries during signature checking and serial - number lookup. Now the encoding is cached and the serial - number sort performed under a lock. Add new STACK function - sk_is_sorted(). - *) Add Delta CRL to the extension code. - *) Various fixes to s3_pkt.c so alerts are sent properly. - *) Reduce the chances of duplicate issuer name and serial numbers - (in violation of RFC3280) using the OpenSSL certificate - creation utilities. This is done by creating a random 64 bit - value for the initial serial number when a serial number file - is created or when a self signed certificate is created using - 'openssl req -x509'. The initial serial number file is created - using 'openssl x509 -next_serial' in CA.pl rather than being - initialized to 1. -- remove obsolete patches -- fix openssl-0.9.7d-padlock-glue.diff and ICA patch to patch - Makefile, not Makefile.ssl -- fixup for spaces in names of man pages not needed now -- pack /usr/bin/openssl_fips_fingerprint -- in rpm post/postun script, run /sbin/ldconfig directly (the macro - is deprecated) -* Mon Oct 18 2004 poeml@suse.de -- don't install openssl.doxy file [#45210] -* Thu Jul 29 2004 poeml@suse.de -- apply patch from CVS to fix segfault in S/MIME encryption - (http://cvs.openssl.org/chngview?cn=12081, regression in - openssl-0.9.7d) [#43386] -* Mon Jul 12 2004 mludvig@suse.cz -- Updated VIA PadLock engine. -* Wed Jun 30 2004 mludvig@suse.cz -- Updated openssl-0.9.7d-padlock-engine.diff with support for - AES192, AES256 and RNG. -* Tue Jun 15 2004 poeml@suse.de -- update IBM ICA patch to last night's version. Fixes ibmca_init() - to reset ibmca_dso=NULL after calling DSO_free(), if the device - driver could not be loaded. The bug lead to a segfault triggered - by stunnel, which does autoload available engines [#41874] -- patch from CVS: make stack API more robust (return NULL for - out-of-range indexes). Fixes another possible segfault during - engine detection (could also triggered by stunnel) -- add patch from Michal Ludvig for VIA PadLock support -* Wed Jun 02 2004 poeml@suse.de -- add root certificate for the ICP-Brasil CA [#41546] -* Thu May 13 2004 poeml@suse.de -- add patch to use default_md for CRLs too [#40435] -* Tue May 04 2004 poeml@suse.de -- update ICA patch to apr292004 release [#39695] -* Thu Mar 18 2004 poeml@suse.de -- update to 0.9.7d - o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug - (CAN-2004-0112) - o Security: Fix null-pointer assignment in do_change_cipher_spec() - (CAN-2004-0079) - o Allow multiple active certificates with same subject in CA index - o Multiple X590 verification fixes - o Speed up HMAC and other operations -- remove the hunk from openssl-0.9.6d.dif that added NO_IDEA around - IDEA_128_CBC_WITH_MD5 in the global cipher list. Upstream now has - OPENSSL_NO_IDEA around it -- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the - pod file) -- permissions of lib/pkgconfig fixed -* Wed Feb 25 2004 poeml@suse.de -- update to 0.9.7c - *) Fix various bugs revealed by running the NISCC test suite: - Stop out of bounds reads in the ASN1 code when presented with - invalid tags (CAN-2003-0543 and CAN-2003-0544). - Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545). - If verify callback ignores invalid public key errors don't try to check - certificate signature with the NULL public key. - *) New -ignore_err option in ocsp application to stop the server - exiting on the first error in a request. - *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate - if the server requested one: as stated in TLS 1.0 and SSL 3.0 - specifications. - *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional - extra data after the compression methods not only for TLS 1.0 - but also for SSL 3.0 (as required by the specification). - *) Change X509_certificate_type() to mark the key as exported/exportable - when it's 512 *bits* long, not 512 bytes. - *) Change AES_cbc_encrypt() so it outputs exact multiple of - blocks during encryption. - *) Various fixes to base64 BIO and non blocking I/O. On write - flushes were not handled properly if the BIO retried. On read - data was not being buffered properly and had various logic bugs. - This also affects blocking I/O when the data being decoded is a - certain size. - *) Various S/MIME bugfixes and compatibility changes: - output correct application/pkcs7 MIME type if - PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. - Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening - of files as .eml work). Correctly handle very long lines in MIME - parser. -- update ICA patch - quote: This version of the engine patch has updated error handling in - the DES/SHA code, and turns RSA blinding off for hardware - accelerated RSA ops. -- filenames of some man pages contain spaces now. Replace them with - underscores -- fix compiler warnings in showciphers.c -- fix permissions of /usr/%%_lib/pkgconfig -* Sat Jan 10 2004 adrian@suse.de -- add %%run_ldconfig -- remove unneeded PreRequires -* Tue Nov 18 2003 poeml@suse.de -- ditch annoying mail to root about moved locations [#31969] -* Wed Aug 13 2003 poeml@suse.de -- enable profile feedback based optimizations (except AES which - becomes slower) -- add -fno-strict-aliasing, due to warnings about code where - dereferencing type-punned pointers will break strict aliasing -- make a readlink function if readlink is not available -* Mon Aug 04 2003 ro@suse.de -- fixed manpages symlinks -* Wed Jul 30 2003 meissner@suse.de -- Fix Makefile to create pkgconfig file with lib64 on lib64 systems. -* Sun Jul 27 2003 poeml@suse.de -- don't explicitely strip binaries since RPM handles it, and may - keep the stripped information somewhere -* Tue Jul 15 2003 meissner@suse.de -- -DMD32_REG_T=int for ppc64 and s390x. -* Thu Jul 10 2003 poeml@suse.de -- update ibm ICA patch to 20030708 release (libica-1.3) -* Mon May 12 2003 poeml@suse.de -- package the openssl.pc file for pkgconfig -* Wed Apr 16 2003 poeml@suse.de -- update to 0.9.7b. The most significant changes are: - o New library section OCSP. - o Complete rewrite of ASN1 code. - o CRL checking in verify code and openssl utility. - o Extension copying in 'ca' utility. - o Flexible display options in 'ca' utility. - o Provisional support for international characters with UTF8. - o Support for external crypto devices ('engine') is no longer - a separate distribution. - o New elliptic curve library section. - o New AES (Rijndael) library section. - o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, - Linux x86_64, Linux 64-bit on Sparc v9 - o Extended support for some platforms: VxWorks - o Enhanced support for shared libraries. - o Now only builds PIC code when shared library support is requested. - o Support for pkg-config. - o Lots of new manuals. - o Makes symbolic links to or copies of manuals to cover all described - functions. - o Change DES API to clean up the namespace (some applications link also - against libdes providing similar functions having the same name). - Provide macros for backward compatibility (will be removed in the - future). - o Unify handling of cryptographic algorithms (software and engine) - to be available via EVP routines for asymmetric and symmetric ciphers. - o NCONF: new configuration handling routines. - o Change API to use more 'const' modifiers to improve error checking - and help optimizers. - o Finally remove references to RSAref. - o Reworked parts of the BIGNUM code. - o Support for new engines: Broadcom ubsec, Accelerated Encryption - Processing, IBM 4758. - o A few new engines added in the demos area. - o Extended and corrected OID (object identifier) table. - o PRNG: query at more locations for a random device, automatic query for - EGD style random sources at several locations. - o SSL/TLS: allow optional cipher choice according to server's preference. - o SSL/TLS: allow server to explicitly set new session ids. - o SSL/TLS: support Kerberos cipher suites (RFC2712). - Only supports MIT Kerberos for now. - o SSL/TLS: allow more precise control of renegotiations and sessions. - o SSL/TLS: add callback to retrieve SSL/TLS messages. - o SSL/TLS: support AES cipher suites (RFC3268). -- adapt the ibmca patch -- remove openssl-nocrypt.diff, openssl's crypt() vanished -- configuration syntax has changed ($sys_id added before $lflags) -* Thu Feb 20 2003 poeml@suse.de -- update to bugfix release 0.9.6i: - - security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize - information leaked via timing by performing a MAC computation - even if incorrrect block cipher padding has been found. This - is a countermeasure against active attacks where the attacker - has to distinguish between bad padding and a MAC verification - error. (CAN-2003-0078) - - a few more small bugfixes (mainly missing assertions) -* Fri Dec 06 2002 poeml@suse.de -- update to 0.9.6h (last release in the 0.9.6 series) - o New configuration targets for Tandem OSS and A/UX. - o New OIDs for Microsoft attributes. - o Better handling of SSL session caching. - o Better comparison of distinguished names. - o Better handling of shared libraries in a mixed GNU/non-GNU environment. - o Support assembler code with Borland C. - o Fixes for length problems. - o Fixes for uninitialised variables. - o Fixes for memory leaks, some unusual crashes and some race conditions. - o Fixes for smaller building problems. - o Updates of manuals, FAQ and other instructive documents. -- add a call to make depend -- fix sed expression (lib -> lib64) to replace multiple occurences - on one line -* Mon Nov 04 2002 stepan@suse.de -- fix openssl for alpha ev56 cpus -* Thu Oct 24 2002 poeml@suse.de -- own the /usr/share/ssl directory [#20849] -- openssl-hppa-config.diff can be applied on all architectures -* Mon Sep 30 2002 bg@suse.de -- enable hppa distribution; use only pa1.1 architecture. -* Tue Sep 17 2002 froh@suse.de -- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953) -* Mon Aug 12 2002 poeml@suse.de -- update to 0.9.6g and drop the now included ASN1 check patch. - Other change: - - Use proper error handling instead of 'assertions' in buffer - overflow checks added in 0.9.6e. This prevents DoS (the - assertions could call abort()). -* Fri Aug 09 2002 kukuk@suse.de -- Fix requires of openssl-devel subpackage -* Tue Aug 06 2002 draht@suse.de -- Correction for changes in the ASN1 code, assembled in - openssl-0.9.6e-cvs-20020802-asn1_lib.diff -* Thu Aug 01 2002 poeml@suse.de -- update to 0.9.6e. Major changes: - o Various security fixes (sanity checks to asn1_get_length(), - various remote buffer overflows) - o new option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, disabling the - countermeasure against a vulnerability in the CBC ciphersuites - in SSL 3.0/TLS 1.0 that was added in 0.9.6d which turned out to - be incompatible with buggy SSL implementations -- update ibmca crypto hardware patch (security issues fixed) -- gcc 3.1 version detection is fixed, we can drop the patch -- move the most used man pages from the -doc to the main package - [#9913] and resolve man page conflicts by putting them into ssl - sections [#17239] -- spec file: use PreReq for %%post script -* Fri Jul 12 2002 poeml@suse.de -- update to 0.9.6d. Major changes: - o Various SSL/TLS library bugfixes. - o Fix DH parameter generation for 'non-standard' generators. - Complete Changelog: http://www.openssl.org/news/changelog.html -- supposed to fix a session caching failure occuring with postfix -- simplify local configuration for the architectures -- there's a new config variable: $shared_ldflag -- use RPM_OPT_FLAGS in favor of predifined cflags by appending them - at the end -- validate config data (config --check-sanity) -- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982] -- move configuration to /etc/ssl [#14387] -- mark openssl.cnf %%config (noreplace) -* Sat Jul 06 2002 schwab@suse.de -- Include to get crypt prototype. -* Fri Jul 05 2002 kukuk@suse.de -- Remove crypt prototype from des.h header file, too. -* Mon Jun 10 2002 meissner@suse.de -- enhanced ppc64 support (needs seperate config), reenabled make check -* Fri May 31 2002 olh@suse.de -- add ppc64 support, temporary disable make check -* Thu Apr 18 2002 meissner@suse.de -- fixed x86_64 build, added bc to needed_for_build (used by tests) -* Wed Apr 17 2002 ro@suse.de -- fixed gcc version determination -- drop sun4c support/always use sparcv8 -- ignore return code from showciphers -* Fri Mar 15 2002 poeml@suse.de -- add settings for sparc to build shared objects. Note that all - sparcs (sun4[mdu]) are recognized as linux-sparcv7 -* Wed Feb 06 2002 kukuk@suse.de -- Remove crypt function from libcrypto.so.0 [Bug #13056] -* Sun Feb 03 2002 poeml@suse.de -- add settings for mips to build shared objects -- print out all settings to the build log -* Tue Jan 29 2002 poeml@suse.de -- update to 0.9.6c: - o bug fixes - o support for hardware crypto devices (Cryptographic Appliances, - Broadcom, and Accelerated Encryption Processing) -- add IBMCA patch for IBM eServer Cryptographic Accelerator Device - Driver (#12565) (forward ported from 0.9.6b) - (http://www-124.ibm.com/developerworks/projects/libica/) -- tell Configure how to build shared libs for s390 and s390x -- tweak Makefile.org to use %%_libdir -- clean up spec file -- add README.SuSE as source file instead of in a patch -* Wed Dec 05 2001 uli@suse.de -- disabled "make test" for ARM (destest segfaults, the other tests - seem to succeed) -* Wed Dec 05 2001 ro@suse.de -- removed subpackage src -* Wed Nov 28 2001 uli@suse.de -- needs -ldl on ARM, too -* Mon Nov 19 2001 mls@suse.de -- made mips big endian, fixed shared library creation for mips -* Fri Aug 31 2001 rolf@suse.de -- added root certificates [BUG#9913] -- move from /usr/ssh to /usr/share/ssl -* Wed Jul 18 2001 rolf@suse.de -- update to 0.9.6b -- switch to engine version of openssl, which supports hardware - encryption for a few popular devices -- check wether shared libraries have been generated -* Thu Jul 05 2001 rolf@suse.de -- appliy PRNG security patch -* Tue Jun 12 2001 bk@suse.de -- added support for s390x -* Mon May 07 2001 kukuk@suse.de -- Fix building of shared libraries on SPARC, too. -* Mon May 07 2001 rolf@suse.de -- Fix ppc and s390 shared library builds -- resolved conflict in manpage naming: - rand.3 is now sslrand.3 [BUG#7643] -* Tue May 01 2001 schwab@suse.de -- Fix ia64 configuration. -- Fix link command. -* Thu Apr 26 2001 bjacke@suse.de -- updated to 0.96a -* Wed Apr 18 2001 kkaempf@suse.de -- provide .so files in -devel package only -* Tue Apr 17 2001 bjacke@suse.de -- resolve file name conflict (#6966) -* Wed Mar 21 2001 rolf@suse.de -- new subpackage openssl-src [BUG#6383] -- added README.SuSE which explains where to find the man pages [BUG#6717] -* Fri Dec 15 2000 sf@suse.de -- changed CFLAG to -O1 to make the tests run successfully -* Mon Dec 11 2000 rolf@suse.de -- build openssl with no-idea and no-rc5 to meet US & RSA regulations -- build with -fPIC on all platforms (especially IA64) -* Wed Nov 22 2000 rolf@suse.de -- rename openssls to openssl-devel and add shared libs and header files -- new subpackge openssl-doc for manpages and documentation -- use BuildRoot -* Fri Oct 27 2000 schwab@suse.de -- Add link-time links for libcrypto and libssl. -- Make sure that LD_LIBRARY_PATH is passed down to sub-makes. -* Mon Oct 02 2000 rolf@suse.de -- update to 0.9.6 -* Mon Apr 10 2000 bk@suse.de -- fix support for s390-linux -* Mon Apr 10 2000 rolf@suse.de -- new version 0.9.5a -* Sun Apr 09 2000 bk@suse.de -- add support for s390-linux -* Mon Mar 27 2000 kukuk@suse.de -- Use sparcv7 for SPARC -* Wed Mar 01 2000 rolf@suse.de -- move manpages back, as too many conflict with system manuals -* Wed Mar 01 2000 rolf@suse.de -- move manpages to %%{_mandir} -- include static libraries -* Wed Mar 01 2000 bk@suse.de -- added subpackage source openssls, needed for ppp_ssl -* Tue Feb 29 2000 rolf@suse.de -- new version 0.9.5 -* Thu Feb 24 2000 schwab@suse.de -- add support for ia64-linux -* Mon Jan 31 2000 kukuk@suse.de -- Create and add libcrypto.so.0 and libssl.so.0 -* Mon Sep 13 1999 bs@suse.de -- ran old prepare_spec on spec file to switch to new prepare_spec. -* Wed Sep 01 1999 rolf@suse.de -- new version 0.9.4 -* Wed May 26 1999 rolf@suse.de -- new version 0.9.3 with new layout -- alpha asm disabled by default now, no patch needed -* Thu May 20 1999 ro@suse.de -- disable asm for alpha: seems incomplete -* Mon May 17 1999 rolf@suse.de -- don't use -DNO_IDEA -* Wed May 12 1999 rolf@suse.de -- first version 0.9.2b