Hello community,
here is the log from the commit of package openssl
checked in at Thu Sep 7 01:37:49 CEST 2006.
--------
--- openssl/openssl.changes 2006-06-02 15:01:05.000000000 +0200
+++ openssl/openssl.changes 2006-09-06 18:09:42.000000000 +0200
@@ -1,0 +2,80 @@
+Wed Sep 6 17:56:08 CEST 2006 - poeml@suse.de
+
+- update to 0.9.8c
+ Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
+ *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+ (CVE-2006-4339) [Ben Laurie and Google Security Team]
+ *) Add AES IGE and biIGE modes. [Ben Laurie]
+ *) Change the Unix randomness entropy gathering to use poll() when
+ possible instead of select(), since the latter has some
+ undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller]
+ *) Disable "ECCdraft" ciphersuites more thoroughly. Now special
+ treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
+ cannot be implicitly activated as part of, e.g., the "AES" alias.
+ However, please upgrade to OpenSSL 0.9.9[-dev] for
+ non-experimental use of the ECC ciphersuites to get TLS extension
+ support, which is required for curve and point format negotiation
+ to avoid potential handshake problems. [Bodo Moeller]
+ *) Disable rogue ciphersuites:
+ - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+ - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+ - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+ The latter two were purportedly from
+ draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+ appear there.
+ Also deactive the remaining ciphersuites from
+ draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
+ unofficial, and the ID has long expired. [Bodo Moeller]
+ *) Fix RSA blinding Heisenbug (problems sometimes occured on
+ dual-core machines) and other potential thread-safety issues.
+ [Bodo Moeller]
+ *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
+ versions), which is now available for royalty-free use
+ (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
+ Also, add Camellia TLS ciphersuites from RFC 4132.
+ To minimize changes between patchlevels in the OpenSSL 0.9.8
+ series, Camellia remains excluded from compilation unless OpenSSL
+ is configured with 'enable-camellia'. [NTT]
+ *) Disable the padding bug check when compression is in use. The padding
+ bug check assumes the first packet is of even length, this is not
+ necessarily true if compresssion is enabled and can result in false
+ positives causing handshake failure. The actual bug test is ancient
+ code so it is hoped that implementations will either have fixed it by
+ now or any which still have the bug do not support compression.
+ [Steve Henson]
+ Changes between 0.9.8a and 0.9.8b [04 May 2006]
+ *) When applying a cipher rule check to see if string match is an explicit
+ cipher suite and only match that one cipher suite if it is. [Steve Henson]
+ *) Link in manifests for VC++ if needed. [Austin Ziegler ]
+ *) Update support for ECC-based TLS ciphersuites according to
+ draft-ietf-tls-ecc-12.txt with proposed changes (but without
+ TLS extensions, which are supported starting with the 0.9.9
+ branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila]
+ *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
+ opaque EVP_CIPHER_CTX handling. [Steve Henson]
+ *) Fixes and enhancements to zlib compression code. We now only use
+ "zlib1.dll" and use the default __cdecl calling convention on Win32
+ to conform with the standards mentioned here:
+ http://www.zlib.net/DLL_FAQ.txt
+ Static zlib linking now works on Windows and the new --with-zlib-include
+ --with-zlib-lib options to Configure can be used to supply the location
+ of the headers and library. Gracefully handle case where zlib library
+ can't be loaded. [Steve Henson]
+ *) Several fixes and enhancements to the OID generation code. The old code
+ sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
+ handle numbers larger than ULONG_MAX, truncated printing and had a
+ non standard OBJ_obj2txt() behaviour. [Steve Henson]
+ *) Add support for building of engines under engine/ as shared libraries
+ under VC++ build system. [Steve Henson]
+ *) Corrected the numerous bugs in the Win32 path splitter in DSO.
+ Hopefully, we will not see any false combination of paths any more.
+ [Richard Levitte]
+- enable Camellia cipher. There is a royalty free license to the
+ patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html.
+ NOTE: the license forbids patches to the cipher.
+- build with zlib-dynamic and add zlib-devel to BuildRequires.
+ Allows compression of data in TLS, although few application would
+ actually use it since there is no standard for negotiating the
+ compression method. The only one I know if is stunnel.
+
+-------------------------------------------------------------------
Old:
----
openssl-0.9.8a.tar.bz2
New:
----
openssl-0.9.8c.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.CHAkNY/_old 2006-09-07 01:36:31.000000000 +0200
+++ /var/tmp/diff_new_pack.CHAkNY/_new 2006-09-07 01:36:31.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package openssl (Version 0.9.8a)
+# spec file for package openssl (Version 0.9.8c)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -11,7 +11,7 @@
# norootforbuild
Name: openssl
-BuildRequires: bc ed
+BuildRequires: bc ed zlib-devel
%ifarch s390x
%else
%endif
@@ -23,8 +23,8 @@
Conflicts: ssleay
Obsoletes: ssleay
Autoreqprov: on
-Version: 0.9.8a
-Release: 18
+Version: 0.9.8c
+Release: 1
Summary: Secure Sockets and Transport Layer Security
URL: http://www.openssl.org/
Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -169,6 +169,8 @@
./config --test-sanity
#
config_flags="threads shared no-rc5 no-idea \
+enable-camellia \
+zlib-dynamic \
--prefix=%{_prefix} \
--openssldir=%{ssletcdir} \
$RPM_OPT_FLAGS \
@@ -330,6 +332,83 @@
%{_libdir}/engines
%changelog -n openssl
+* Wed Sep 06 2006 - poeml@suse.de
+- update to 0.9.8c
+ Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
+ *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+ (CVE-2006-4339) [Ben Laurie and Google Security Team]
+ *) Add AES IGE and biIGE modes. [Ben Laurie]
+ *) Change the Unix randomness entropy gathering to use poll() when
+ possible instead of select(), since the latter has some
+ undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller]
+ *) Disable "ECCdraft" ciphersuites more thoroughly. Now special
+ treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
+ cannot be implicitly activated as part of, e.g., the "AES" alias.
+ However, please upgrade to OpenSSL 0.9.9[-dev] for
+ non-experimental use of the ECC ciphersuites to get TLS extension
+ support, which is required for curve and point format negotiation
+ to avoid potential handshake problems. [Bodo Moeller]
+ *) Disable rogue ciphersuites:
+- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+ The latter two were purportedly from
+ draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+ appear there.
+ Also deactive the remaining ciphersuites from
+ draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
+ unofficial, and the ID has long expired. [Bodo Moeller]
+ *) Fix RSA blinding Heisenbug (problems sometimes occured on
+ dual-core machines) and other potential thread-safety issues.
+ [Bodo Moeller]
+ *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
+ versions), which is now available for royalty-free use
+ (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
+ Also, add Camellia TLS ciphersuites from RFC 4132.
+ To minimize changes between patchlevels in the OpenSSL 0.9.8
+ series, Camellia remains excluded from compilation unless OpenSSL
+ is configured with 'enable-camellia'. [NTT]
+ *) Disable the padding bug check when compression is in use. The padding
+ bug check assumes the first packet is of even length, this is not
+ necessarily true if compresssion is enabled and can result in false
+ positives causing handshake failure. The actual bug test is ancient
+ code so it is hoped that implementations will either have fixed it by
+ now or any which still have the bug do not support compression.
+ [Steve Henson]
+ Changes between 0.9.8a and 0.9.8b [04 May 2006]
+ *) When applying a cipher rule check to see if string match is an explicit
+ cipher suite and only match that one cipher suite if it is. [Steve Henson]
+ *) Link in manifests for VC++ if needed. [Austin Ziegler ]
+ *) Update support for ECC-based TLS ciphersuites according to
+ draft-ietf-tls-ecc-12.txt with proposed changes (but without
+ TLS extensions, which are supported starting with the 0.9.9
+ branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila]
+ *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
+ opaque EVP_CIPHER_CTX handling. [Steve Henson]
+ *) Fixes and enhancements to zlib compression code. We now only use
+ "zlib1.dll" and use the default __cdecl calling convention on Win32
+ to conform with the standards mentioned here:
+ http://www.zlib.net/DLL_FAQ.txt
+ Static zlib linking now works on Windows and the new --with-zlib-include
+--with-zlib-lib options to Configure can be used to supply the location
+ of the headers and library. Gracefully handle case where zlib library
+ can't be loaded. [Steve Henson]
+ *) Several fixes and enhancements to the OID generation code. The old code
+ sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
+ handle numbers larger than ULONG_MAX, truncated printing and had a
+ non standard OBJ_obj2txt() behaviour. [Steve Henson]
+ *) Add support for building of engines under engine/ as shared libraries
+ under VC++ build system. [Steve Henson]
+ *) Corrected the numerous bugs in the Win32 path splitter in DSO.
+ Hopefully, we will not see any false combination of paths any more.
+ [Richard Levitte]
+- enable Camellia cipher. There is a royalty free license to the
+ patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html.
+ NOTE: the license forbids patches to the cipher.
+- build with zlib-dynamic and add zlib-devel to BuildRequires.
+ Allows compression of data in TLS, although few application would
+ actually use it since there is no standard for negotiating the
+ compression method. The only one I know if is stunnel.
* Fri Jun 02 2006 - poeml@suse.de
- fix built-in ENGINESDIR for 64 bit architectures. We change only
the builtin search path for engines, not the path where engines
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org