Hello community, here is the log from the commit of package mbedtls for openSUSE:Factory checked in at 2017-03-15 01:04:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mbedtls (Old) and /work/SRC/openSUSE:Factory/.mbedtls.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "mbedtls" Wed Mar 15 01:04:37 2017 rev:11 rq:478689 version:2.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/mbedtls/mbedtls.changes 2016-11-15 17:53:03.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.mbedtls.new/mbedtls.changes 2017-03-15 01:59:44.281057929 +0100 @@ -1,0 +2,24 @@ +Sat Mar 11 15:50:12 UTC 2017 - mpluskal@suse.com + +- Update to version 2.4.2: + * Add checks to prevent signature forgeries for very large messages while + using RSA through the PK module in 64-bit systems. The issue was caused by + some data loss when casting a size_t to an unsigned int value in the + functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and + mbedtls_pk_sign(). Found by Jean-Philippe Aumasson. + * Fixed potential livelock during the parsing of a CRL in PEM format in + mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing + characters after the footer could result in the execution of an infinite + loop. The issue can be triggered remotely. Found by Greg Zaverucha, + Microsoft. + * Removed MD5 from the allowed hash algorithms for CertificateRequest and + CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2. + Introduced by interoperability fix for #513. + * Fixed a bug that caused freeing a buffer that was allocated on the stack, + when verifying the validity of a key on secp224k1. This could be + triggered remotely for example with a maliciously constructed certificate + and potentially could lead to remote code execution on some platforms. + Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos + team. #569 CVE-2017-2784 (boo#1029017) + +------------------------------------------------------------------- Old: ---- mbedtls-2.4.0-apache.tgz New: ---- mbedtls-2.4.2-apache.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mbedtls.spec ++++++ --- /var/tmp/diff_new_pack.SGgXko/_old 2017-03-15 01:59:44.916968027 +0100 +++ /var/tmp/diff_new_pack.SGgXko/_new 2017-03-15 01:59:44.916968027 +0100 @@ -1,7 +1,7 @@ # # spec file for package mbedtls # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %define lib_crypto libmbedcrypto0 %define lib_x509 libmbedx509-0 Name: mbedtls -Version: 2.4.0 +Version: 2.4.2 Release: 0 Summary: Libraries for crypto and SSL/TLS protocols License: Apache-2.0 ++++++ mbedtls-2.4.0-apache.tgz -> mbedtls-2.4.2-apache.tgz ++++++ ++++ 4953 lines of diff (skipped)