Hello community,
here is the log from the commit of package openssl.1939 for openSUSE:12.3:Update checked in at 2013-08-19 15:07:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/openssl.1939 (Old)
and /work/SRC/openSUSE:12.3:Update/.openssl.1939.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl.1939"
Changes:
--------
New Changes file:
--- /dev/null 2013-07-23 23:44:04.804033756 +0200
+++ /work/SRC/openSUSE:12.3:Update/.openssl.1939.new/openssl.changes 2013-08-19 15:07:37.000000000 +0200
@@ -0,0 +1,1417 @@
+-------------------------------------------------------------------
+Mon Aug 12 06:16:31 UTC 2013 - shchang@suse.com
+
+- Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken
+ modify patch file: SSL_get_certificate-broken.patch
+
+-------------------------------------------------------------------
+Tue Feb 12 00:08:06 UTC 2013 - hrvoje.senjan@gmail.com
+
+- Update to 1.0.1e
+ o Bugfix release (bnc#803004)
+- Drop openssl-1.0.1d-s3-packet.patch, included upstream
+
+-------------------------------------------------------------------
+Sun Feb 10 20:33:51 UTC 2013 - hrvoje.senjan@gmail.com
+
+- Added openssl-1.0.1d-s3-packet.patch from upstream, fixes
+ bnc#803004, openssl ticket#2975
+
+-------------------------------------------------------------------
+Tue Feb 5 16:00:17 UTC 2013 - meissner@suse.com
+
+- update to version 1.0.1d, fixing security issues
+ o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
+ o Include the fips configuration module.
+ o Fix OCSP bad key DoS attack CVE-2013-0166
+ o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+ bnc#802184
+ o Fix for TLS AESNI record handling flaw CVE-2012-2686
+
+-------------------------------------------------------------------
+Mon Nov 12 08:39:31 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#784994] - VIA padlock support on 64 systems
+ e_padlock: add support for x86_64 gcc
+
+-------------------------------------------------------------------
+Sun Aug 19 23:38:32 UTC 2012 - crrodriguez@opensuse.org
+
+- Open Internal file descriptors with O_CLOEXEC, leaving
+ those open across fork()..execve() makes a perfect
+ vector for a side-channel attack...
+
+-------------------------------------------------------------------
+Tue Aug 7 17:17:34 UTC 2012 - dmueller@suse.com
+
+- fix build on armv5 (bnc#774710)
+
+-------------------------------------------------------------------
+Thu May 10 19:18:06 UTC 2012 - crrodriguez@opensuse.org
+
+- Update to version 1.0.1c for the complete list of changes see
+ NEWS, this only list packaging changes.
+- Drop aes-ni patch, no longer needed as it is builtin in openssl
+ now.
+- Define GNU_SOURCE and use -std=gnu99 to build the package.
+- Use LFS_CFLAGS in platforms where it matters.
+
+-------------------------------------------------------------------
+Fri May 4 12:09:57 UTC 2012 - lnussel@suse.de
+
+- don't install any demo or expired certs at all
+
+-------------------------------------------------------------------
+Mon Apr 23 05:57:35 UTC 2012 - gjhe@suse.com
+
+- update to latest stable verison 1.0.0i
+ including the following patches:
+ CVE-2012-2110.path
+ Bug748738_Tolerate_bad_MIME_headers.patch
+ bug749213-Free-headers-after-use.patch
+ bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch
+ CVE-2012-1165.patch
+ CVE-2012-0884.patch
+ bug749735.patch
+
+-------------------------------------------------------------------
+Tue Mar 27 09:16:37 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#749735] - Memory leak when creating public keys.
+ fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack
+ CVE-2012-0884
+
+-------------------------------------------------------------------
+Thu Mar 22 03:24:20 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#751946] - S/MIME verification may erroneously fail
+ CVE-2012-1165
+
+-------------------------------------------------------------------
+Wed Mar 21 02:44:41 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#749213]-Free headers after use in error message
+ and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt
+
+-------------------------------------------------------------------
+Tue Mar 20 14:29:24 UTC 2012 - cfarrell@suse.com
+
+- license update: OpenSSL
+
+-------------------------------------------------------------------
+Fri Feb 24 02:33:22 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's
+ asn1 parser.
+ CVE-2006-7250
+
+-------------------------------------------------------------------
+Thu Feb 2 06:55:12 UTC 2012 - gjhe@suse.com
+
+- Update to version 1.0.0g fix the following:
+ DTLS DoS attack (CVE-2012-0050)
+
+-------------------------------------------------------------------
+Wed Jan 11 05:35:18 UTC 2012 - gjhe@suse.com
+
+- Update to version 1.0.0f fix the following:
+ DTLS Plaintext Recovery Attack (CVE-2011-4108)
+ Uninitialized SSL 3.0 Padding (CVE-2011-4576)
+ Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
+ SGC Restart DoS Attack (CVE-2011-4619)
+ Invalid GOST parameters DoS Attack (CVE-2012-0027)
+
+-------------------------------------------------------------------
+Tue Oct 18 16:43:50 UTC 2011 - crrodriguez@opensuse.org
+
+- AES-NI: Check the return value of Engine_add()
+ if the ENGINE_add() call fails: it ends up adding a reference
+ to a freed up ENGINE which is likely to subsequently contain garbage
+ This will happen if an ENGINE with the same name is added multiple
+ times,for example different libraries. [bnc#720601]
+
+-------------------------------------------------------------------
+Sat Oct 8 21:36:58 UTC 2011 - crrodriguez@opensuse.org
+
+- Build with -DSSL_FORBID_ENULL so servers are not
+ able to use the NULL encryption ciphers (Those offering no
+ encryption whatsoever).
+
+-------------------------------------------------------------------
+Wed Sep 7 14:29:41 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210
+ see http://openssl.org/news/secadv_20110906.txt for details.
+
+-------------------------------------------------------------------
+Sat Aug 6 00:33:47 UTC 2011 - crrodriguez@opensuse.org
+
+- Add upstream patch that calls ENGINE_register_all_complete()
+ in ENGINE_load_builtin_engines() saving us from adding dozens
+ of calls to such function to calling applications.
+
+-------------------------------------------------------------------
+Fri Aug 5 19:09:42 UTC 2011 - crrodriguez@opensuse.org
+
+- remove -fno-strict-aliasing from CFLAGS no longer needed
+ and is likely to slow down stuff.
+
+-------------------------------------------------------------------
+Mon Jul 25 19:07:32 UTC 2011 - jengelh@medozas.de
+
+- Edit baselibs.conf to provide libopenssl-devel-32bit too
+
+-------------------------------------------------------------------
+Fri Jun 24 04:51:50 UTC 2011 - gjhe@novell.com
+
+- update to latest stable version 1.0.0d.
+ patch removed(already in the new package):
+ CVE-2011-0014
+ patch added:
+ ECDSA_signatures_timing_attack.patch
+
+-------------------------------------------------------------------
+Tue May 31 07:07:49 UTC 2011 - gjhe@novell.com
+
+- fix bug[bnc#693027].
+ Add protection against ECDSA timing attacks as mentioned in the paper
+ by Billy Bob Brumley and Nicola Tuveri, see:
+ http://eprint.iacr.org/2011/232.pdf
+ [Billy Bob Brumley and Nicola Tuveri]
+
+-------------------------------------------------------------------
+Mon May 16 14:38:26 UTC 2011 - andrea@opensuse.org
+
+- added openssl as dependency in the devel package
+
+-------------------------------------------------------------------
+Thu Feb 10 07:42:01 UTC 2011 - gjhe@novell.com
+
+- fix bug [bnc#670526]
+ CVE-2011-0014,OCSP stapling vulnerability
+
+-------------------------------------------------------------------
+Sat Jan 15 19:58:51 UTC 2011 - cristian.rodriguez@opensuse.org
+
+- Add patch from upstream in order to support AES-NI instruction
+ set present on current Intel and AMD processors
++++ 1220 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.openssl.1939.new/openssl.changes
New:
----
README.SuSE
SSL_get_certificate-broken.patch
VIA_padlock_support_on_64systems.patch
baselibs.conf
bug610223.patch
merge_from_0.9.8k.patch
openssl-1.0.0-c_rehash-compat.diff
openssl-1.0.1e.tar.gz
openssl-1.0.1e.tar.gz.asc
openssl-ocloexec.patch
openssl.changes
openssl.spec
openssl.test
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
#
# spec file for package openssl
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: openssl
BuildRequires: bc
BuildRequires: ed
BuildRequires: pkg-config
BuildRequires: zlib-devel
%define ssletcdir %{_sysconfdir}/ssl
#%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
%define num_version 1.0.0
Provides: ssl
# bug437293
%ifarch ppc64
Obsoletes: openssl-64bit
%endif
Version: 1.0.1e
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
Group: Productivity/Networking/Security
Url: http://www.openssl.org/
Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz
Source42: http://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc
# to get mtime of file:
Source1: openssl.changes
Source2: baselibs.conf
Source10: README.SuSE
Patch0: merge_from_0.9.8k.patch
Patch1: openssl-1.0.0-c_rehash-compat.diff
Patch2: bug610223.patch
Patch3: openssl-ocloexec.patch
Patch4: VIA_padlock_support_on_64systems.patch
Patch5: SSL_get_certificate-broken.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and open source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols with full-strength cryptography. The project is managed
by a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its related
documentation.
Derivation and License
OpenSSL is based on the excellent SSLeay library developed by Eric A.
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
Apache-style license, which basically means that you are free to get it
and to use it for commercial and noncommercial purposes.
Authors:
--------
Mark J. Cox
Ralf S. Engelschall
From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel
Date: Wed, 21 Apr 2010 15:52:10 +0200 Subject: [PATCH] also create old hash for compatibility
--- tools/c_rehash.in | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/tools/c_rehash.in b/tools/c_rehash.in index bfc4a69..f8d0ce1 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -83,6 +83,7 @@ sub hash_dir { next; } link_hash_cert($fname) if($cert); + link_hash_cert_old($fname) if($cert); link_hash_crl($fname) if($crl); } } @@ -116,8 +117,9 @@ sub check_file { sub link_hash_cert { my $fname = $_[0]; + my $hashopt = $_[1] || '-subject_hash'; $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`; + my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`; chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; @@ -147,6 +149,10 @@ sub link_hash_cert { $hashlist{$hash} = $fprint; } +sub link_hash_cert_old { + link_hash_cert($_[0], '-subject_hash_old'); +} + # Same as above except for a CRL. CRL links are of the form <hash>.r<n> sub link_hash_crl { -- 1.6.4.2 ++++++ openssl-ocloexec.patch ++++++ --- crypto/bio/b_sock.c.orig +++ crypto/bio/b_sock.c @@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in } again: - s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); + s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); if (s == INVALID_SOCKET) { SYSerr(SYS_F_SOCKET,get_last_socket_error()); @@ -784,7 +784,7 @@ again: } else goto err; } - cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); + cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); if (cs != INVALID_SOCKET) { int ii; --- crypto/bio/bss_conn.c.orig +++ crypto/bio/bss_conn.c @@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC c->them.sin_addr.s_addr=htonl(l); c->state=BIO_CONN_S_CREATE_SOCKET; - ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); + ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); if (ret == INVALID_SOCKET) { SYSerr(SYS_F_SOCKET,get_last_socket_error()); --- crypto/bio/bss_dgram.c.orig +++ crypto/bio/bss_dgram.c @@ -999,7 +999,7 @@ static int dgram_sctp_read(BIO *b, char msg.msg_control = cmsgbuf; msg.msg_controllen = 512; msg.msg_flags = 0; - n = recvmsg(b->num, &msg, 0); + n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); if (msg.msg_controllen > 0) { @@ -1560,7 +1560,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) msg.msg_controllen = 0; msg.msg_flags = 0; - n = recvmsg(b->num, &msg, MSG_PEEK); + n = recvmsg(b->num, &msg, MSG_PEEK| MSG_CMSG_CLOEXEC); if (n <= 0) { if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) @@ -1583,7 +1583,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) msg.msg_controllen = 0; msg.msg_flags = 0; - n = recvmsg(b->num, &msg, 0); + n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); if (n <= 0) { if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) @@ -1644,7 +1644,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) fcntl(b->num, F_SETFL, O_NONBLOCK); } - n = recvmsg(b->num, &msg, MSG_PEEK); + n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC); if (is_dry) { @@ -1688,7 +1688,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) sockflags = fcntl(b->num, F_GETFL, 0); fcntl(b->num, F_SETFL, O_NONBLOCK); - n = recvmsg(b->num, &msg, MSG_PEEK); + n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC); fcntl(b->num, F_SETFL, sockflags); /* if notification, process and try again */ @@ -1709,7 +1709,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) msg.msg_control = NULL; msg.msg_controllen = 0; msg.msg_flags = 0; - n = recvmsg(b->num, &msg, 0); + n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); if (data->handle_notifications != NULL) data->handle_notifications(b, data->notification_context, (void*) &snp); --- crypto/bio/bss_file.c.orig +++ crypto/bio/bss_file.c @@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename, { BIO *ret; FILE *file=NULL; + size_t modelen = strlen (mode); + char newmode[modelen + 2]; + + memcpy (mempcpy (newmode, mode, modelen), "e", 2); #if defined(_WIN32) && defined(CP_UTF8) int sz, len_0 = (int)strlen(filename)+1; @@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename, file = fopen(filename,mode); } #else - file=fopen(filename,mode); + file=fopen(filename,newmode); #endif if (file == NULL) { @@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b long ret=1; FILE *fp=(FILE *)b->ptr; FILE **fpp; - char p[4]; + char p[5]; switch (cmd) { @@ -392,6 +396,8 @@ static long MS_CALLBACK file_ctrl(BIO *b else strcat(p,"t"); #endif + strcat(p, "e"); + fp=fopen(ptr,p); if (fp == NULL) { --- crypto/rand/rand_unix.c.orig +++ crypto/rand/rand_unix.c @@ -262,7 +262,7 @@ int RAND_poll(void) for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) && (n < ENTROPY_NEEDED); i++) { - if ((fd = open(randomfiles[i], O_RDONLY + if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC #ifdef O_NONBLOCK |O_NONBLOCK #endif --- crypto/rand/randfile.c.orig +++ crypto/rand/randfile.c @@ -134,7 +134,7 @@ int RAND_load_file(const char *file, lon #ifdef OPENSSL_SYS_VMS in=vms_fopen(file,"rb",VMS_OPEN_ATTRS); #else - in=fopen(file,"rb"); + in=fopen(file,"rbe"); #endif if (in == NULL) goto err; #if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO) @@ -207,7 +207,7 @@ int RAND_write_file(const char *file) #endif /* chmod(..., 0600) is too late to protect the file, * permissions should be restrictive from the start */ - int fd = open(file, O_WRONLY|O_CREAT|O_BINARY, 0600); + int fd = open(file, O_WRONLY|O_CREAT|O_BINARY|O_CLOEXEC, 0600); if (fd != -1) out = fdopen(fd, "wb"); } @@ -238,7 +238,7 @@ int RAND_write_file(const char *file) out = vms_fopen(file,"wb",VMS_OPEN_ATTRS); #else if (out == NULL) - out = fopen(file,"wb"); + out = fopen(file,"wbe"); #endif if (out == NULL) goto err; ++++++ openssl.test ++++++ openssl autmatically tests iteslf, no further testing needed -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org