Hello community,
here is the log from the commit of package compat-openssl097g
checked in at Thu Feb 28 17:56:40 CET 2008.
--------
--- compat-openssl097g/compat-openssl097g.changes 2006-10-04 15:00:13.000000000 +0200
+++ /mounts/work_src_done/STABLE/compat-openssl097g/compat-openssl097g.changes 2008-02-28 12:57:02.000000000 +0100
@@ -1,0 +2,5 @@
+Thu Feb 28 11:46:28 CET 2008 - mkoenig@suse.de
+
+- fix buffer overflow CVE-2007-5135 [#329208]
+
+-------------------------------------------------------------------
@@ -629,5 +633,0 @@
-Wed Mar 1 02:52:17 CET 2000 - bk@suse.de
-
-- added subpackage source openssls, needed for ppp_ssl
-
--------------------------------------------------------------------
@@ -639,0 +640,5 @@
+Wed Mar 1 02:52:17 CET 2000 - bk@suse.de
+
+- added subpackage source openssls, needed for ppp_ssl
+
+-------------------------------------------------------------------
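Review bot: the hunks at -629,5 and +640,5 remove and then re-add the identical "Wed Mar 1 02:52:17 CET 2000 - bk@suse.de" entry ("added subpackage source openssls, needed for ppp_ssl") a few lines further down, so this is a reordering of the .changes file, not a content change; read on its own the first hunk looks like an accidental drop, so mention the reordering in the commit and confirm the new position restores reverse-chronological order.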
New:
----
openssl-CVE-2007-5135.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ compat-openssl097g.spec ++++++
--- /var/tmp/diff_new_pack.p19595/_old 2008-02-28 17:56:22.000000000 +0100
+++ /var/tmp/diff_new_pack.p19595/_new 2008-02-28 17:56:22.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package compat-openssl097g (Version 0.9.7g)
#
-# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@@ -10,18 +10,19 @@
# norootforbuild
+
Name: compat-openssl097g
BuildRequires: bc ed
%define ssletcdir %{_sysconfdir}/ssl
%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
-License: Other License(s), see package, BSD
+License: BSD 3-Clause
Group: Productivity/Networking/Security
Provides: openssl:/usr/lib/libssl.so.0.9.7 openssl:/usr/lib64/libssl.so.0.9.7
-Autoreqprov: on
+AutoReqProv: on
Version: 0.9.7g
-Release: 20
+Release: 99
Summary: Secure Sockets and Transport Layer Security
-URL: http://www.openssl.org/
+Url: http://www.openssl.org/
Source: http://www.openssl.org/source/openssl-%{version}.tar.bz2
Source10: README.SuSE
Source20: ICP-Brasil.pem
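Review bot: the License tag change from "Other License(s), see package, BSD" to "BSD 3-Clause" and the Release jump from 20 to 99 are not recorded anywhere; the new .changes entry only mentions the CVE-2007-5135 fix. Add a line documenting both, and verify the new License value against the package's actual license text, since the old tag deliberately pointed readers to the package for the terms. The Autoreqprov/AutoReqProv and URL/Url spelling cleanups are harmless but would be easier to review separately from a security update.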
@@ -43,6 +44,7 @@
Patch107: openssl-CVE-2006-3738.patch
Patch108: openssl-CVE-2006-4343.patch
Patch109: openssl-0.9.7-CVE-2006-2940-fixup.patch
+Patch110: openssl-CVE-2007-5135.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -92,6 +94,7 @@
%patch107 -p0
%patch108 -p0
%patch109 -p0
+%patch110 -p1
cp -p %{S:10} .
cp -p %{S:20} certs/
cp -p %{S:21} certs/
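Review bot: %patch110 is applied with -p1 while every other patch in this block (107, 108, 109) uses -p0; that is fine if openssl-CVE-2007-5135.patch was generated with a leading path component, but double-check it, because a wrong strip level only fails at %prep time. A short comment next to the Patch110 line giving the patch's origin (upstream commit or advisory) would also explain the different strip level to the next maintainer.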
@@ -191,8 +194,10 @@
%{_libdir}/libssl.so.%{num_version}
%{_libdir}/libcrypto.so.%{num_version}
-%changelog -n compat-openssl097g
-* Wed Oct 04 2006 - poeml@suse.de
+%changelog
+* Thu Feb 28 2008 mkoenig@suse.de
+- fix buffer overflow CVE-2007-5135 [#329208]
+* Wed Oct 04 2006 poeml@suse.de
- an attacker could send a list of ciphers that would overrun a
buffer in SSL_get_shared_ciphers() CVE-2006-3738 [#202366]
- fix possible crash in SSLv2 client triggerable by a malicious
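Review bot: besides the new "fix buffer overflow CVE-2007-5135 [#329208]" entry, this hunk and all following ones rewrite the header from "%changelog -n compat-openssl097g" to plain "%changelog" and drop the " - " separator between date and author in every existing entry. That is a mechanical reformat of the whole section attached to a one-line security fix; if the %changelog was regenerated from the .changes file by tooling, say so in the commit so reviewers can skip the noise and focus on the Patch110 lines.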
@@ -207,18 +212,18 @@
on DH modulus size could lead to a crash when exerted. [#208971]
- security vulnerability which could allow RSA Signature Forgery,
fix from 0.9.8c. CVE-2006-4339 [#203595]
-* Wed May 17 2006 - schwab@suse.de
+* Wed May 17 2006 schwab@suse.de
- Don't strip binaries.
-* Wed Jan 25 2006 - mls@suse.de
+* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
-* Fri Jan 13 2006 - ro@suse.de
+* Fri Jan 13 2006 ro@suse.de
- rename to compat-openssl097g and package libs only
-* Thu Oct 13 2005 - poeml@suse.de
+* Thu Oct 13 2005 poeml@suse.de
- add Geotrusts Equifax Root1 CA certificate, which needed to
verify the authenticity of you.novell.com [#121966]
-* Tue Oct 11 2005 - poeml@suse.de
+* Tue Oct 11 2005 poeml@suse.de
- security fix: fix SSLv2 rollback (CAN-2005-2969) [#120103]
-* Fri May 20 2005 - poeml@suse.de
+* Fri May 20 2005 poeml@suse.de
- update to 0.9.7g. The significant changes are:
*) Fixes for newer kerberos headers. NB: the casts are needed because
the 'length' field is signed on one version and unsigned on another
@@ -230,11 +235,11 @@
Because they may be a security thread to unaware applications,
they must be explicitely allowed in run-time. See
docs/HOWTO/proxy_certificates.txt for further information.
-* Tue May 17 2005 - schwab@suse.de
+* Tue May 17 2005 schwab@suse.de
- Include %%cflags_profile_generate in ${CC} since it is required for
linking as well.
- Remove explicit reference to libc.
-* Fri Apr 08 2005 - poeml@suse.de
+* Fri Apr 08 2005 poeml@suse.de
- update to 0.9.7f. The most significant changes are:
o Several compilation issues fixed.
o Many memory allocation failure checks added.
@@ -244,7 +249,7 @@
(for a complete list see http://www.openssl.org/source/exp/CHANGES)
- adjust openssl-0.9.7f-ppc64.diff
- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435]
-* Tue Jan 04 2005 - poeml@suse.de
+* Tue Jan 04 2005 poeml@suse.de
- update to 0.9.7e
*) Avoid a race condition when CRLs are checked in a multi
threaded environment. This would happen due to the reordering
@@ -269,18 +274,18 @@
- pack /usr/bin/openssl_fips_fingerprint
- in rpm post/postun script, run /sbin/ldconfig directly (the macro
is deprecated)
-* Mon Oct 18 2004 - poeml@suse.de
+* Mon Oct 18 2004 poeml@suse.de
- don't install openssl.doxy file [#45210]
-* Thu Jul 29 2004 - poeml@suse.de
+* Thu Jul 29 2004 poeml@suse.de
- apply patch from CVS to fix segfault in S/MIME encryption
(http://cvs.openssl.org/chngview?cn=12081, regression in
openssl-0.9.7d) [#43386]
-* Mon Jul 12 2004 - mludvig@suse.cz
+* Mon Jul 12 2004 mludvig@suse.cz
- Updated VIA PadLock engine.
-* Wed Jun 30 2004 - mludvig@suse.cz
+* Wed Jun 30 2004 mludvig@suse.cz
- Updated openssl-0.9.7d-padlock-engine.diff with support for
AES192, AES256 and RNG.
-* Tue Jun 15 2004 - poeml@suse.de
+* Tue Jun 15 2004 poeml@suse.de
- update IBM ICA patch to last night's version. Fixes ibmca_init()
to reset ibmca_dso=NULL after calling DSO_free(), if the device
driver could not be loaded. The bug lead to a segfault triggered
@@ -289,13 +294,13 @@
out-of-range indexes). Fixes another possible segfault during
engine detection (could also triggered by stunnel)
- add patch from Michal Ludvig for VIA PadLock support
-* Wed Jun 02 2004 - poeml@suse.de
+* Wed Jun 02 2004 poeml@suse.de
- add root certificate for the ICP-Brasil CA [#41546]
-* Thu May 13 2004 - poeml@suse.de
+* Thu May 13 2004 poeml@suse.de
- add patch to use default_md for CRLs too [#40435]
-* Tue May 04 2004 - poeml@suse.de
+* Tue May 04 2004 poeml@suse.de
- update ICA patch to apr292004 release [#39695]
-* Thu Mar 18 2004 - poeml@suse.de
+* Thu Mar 18 2004 poeml@suse.de
- update to 0.9.7d
o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
(CAN-2004-0112)
@@ -310,7 +315,7 @@
- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the
pod file)
- permissions of lib/pkgconfig fixed
-* Wed Feb 25 2004 - poeml@suse.de
+* Wed Feb 25 2004 poeml@suse.de
- update to 0.9.7c
*) Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with
@@ -349,31 +354,31 @@
underscores
- fix compiler warnings in showciphers.c
- fix permissions of /usr/%%_lib/pkgconfig
-* Sat Jan 10 2004 - adrian@suse.de
+* Sat Jan 10 2004 adrian@suse.de
- add %%run_ldconfig
- remove unneeded PreRequires
-* Tue Nov 18 2003 - poeml@suse.de
+* Tue Nov 18 2003 poeml@suse.de
- ditch annoying mail to root about moved locations [#31969]
-* Wed Aug 13 2003 - poeml@suse.de
+* Wed Aug 13 2003 poeml@suse.de
- enable profile feedback based optimizations (except AES which
becomes slower)
- add -fno-strict-aliasing, due to warnings about code where
dereferencing type-punned pointers will break strict aliasing
- make a readlink function if readlink is not available
-* Mon Aug 04 2003 - ro@suse.de
+* Mon Aug 04 2003 ro@suse.de
- fixed manpages symlinks
-* Wed Jul 30 2003 - meissner@suse.de
+* Wed Jul 30 2003 meissner@suse.de
- Fix Makefile to create pkgconfig file with lib64 on lib64 systems.
-* Sun Jul 27 2003 - poeml@suse.de
+* Sun Jul 27 2003 poeml@suse.de
- don't explicitely strip binaries since RPM handles it, and may
keep the stripped information somewhere
-* Tue Jul 15 2003 - meissner@suse.de
+* Tue Jul 15 2003 meissner@suse.de
- -DMD32_REG_T=int for ppc64 and s390x.
-* Thu Jul 10 2003 - poeml@suse.de
+* Fri Jul 11 2003 poeml@suse.de
- update ibm ICA patch to 20030708 release (libica-1.3)
-* Mon May 12 2003 - poeml@suse.de
+* Tue May 13 2003 poeml@suse.de
- package the openssl.pc file for pkgconfig
-* Wed Apr 16 2003 - poeml@suse.de
+* Wed Apr 16 2003 poeml@suse.de
- update to 0.9.7b. The most significant changes are:
o New library section OCSP.
o Complete rewrite of ASN1 code.
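Review bot: two entry dates in this hunk shift by one day with no explanation: "Thu Jul 10 2003" becomes "Fri Jul 11 2003" and "Mon May 12 2003" becomes "Tue May 13 2003", while every other changed line only drops the " - " separator. Both weekday/date pairs are internally consistent, which points to the %changelog being regenerated from .changes timestamps in a different time zone; confirm which date is authoritative, since the entries need to stay in descending date order.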
@@ -421,16 +426,16 @@
- adapt the ibmca patch
- remove openssl-nocrypt.diff, openssl's crypt() vanished
- configuration syntax has changed ($sys_id added before $lflags)
-* Thu Feb 20 2003 - poeml@suse.de
+* Thu Feb 20 2003 poeml@suse.de
- update to bugfix release 0.9.6i:
-- security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize
+ - security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize
information leaked via timing by performing a MAC computation
even if incorrrect block cipher padding has been found. This
is a countermeasure against active attacks where the attacker
has to distinguish between bad padding and a MAC verification
error. (CAN-2003-0078)
-- a few more small bugfixes (mainly missing assertions)
-* Fri Dec 06 2002 - poeml@suse.de
+ - a few more small bugfixes (mainly missing assertions)
+* Fri Dec 06 2002 poeml@suse.de
- update to 0.9.6h (last release in the 0.9.6 series)
o New configuration targets for Tandem OSS and A/UX.
o New OIDs for Microsoft attributes.
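Review bot: the two sub-items under "update to bugfix release 0.9.6i" ("security fix: In ssl3_get_record ..." and "a few more small bugfixes ...") are re-indented from "- " to " - " so they nest under the parent entry instead of reading as top-level bullets; this is the right fix, just note that it changes the rendered changelog for existing releases, not only the new one.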
@@ -446,27 +451,27 @@
- add a call to make depend
- fix sed expression (lib -> lib64) to replace multiple occurences
on one line
-* Mon Nov 04 2002 - stepan@suse.de
+* Mon Nov 04 2002 stepan@suse.de
- fix openssl for alpha ev56 cpus
-* Thu Oct 24 2002 - poeml@suse.de
+* Thu Oct 24 2002 poeml@suse.de
- own the /usr/share/ssl directory [#20849]
- openssl-hppa-config.diff can be applied on all architectures
-* Mon Sep 30 2002 - bg@suse.de
+* Mon Sep 30 2002 bg@suse.de
- enable hppa distribution; use only pa1.1 architecture.
-* Tue Sep 17 2002 - froh@suse.de
+* Tue Sep 17 2002 froh@suse.de
- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953)
-* Mon Aug 12 2002 - poeml@suse.de
+* Mon Aug 12 2002 poeml@suse.de
- update to 0.9.6g and drop the now included ASN1 check patch.
Other change:
-- Use proper error handling instead of 'assertions' in buffer
+ - Use proper error handling instead of 'assertions' in buffer
overflow checks added in 0.9.6e. This prevents DoS (the
assertions could call abort()).
-* Fri Aug 09 2002 - kukuk@suse.de
+* Fri Aug 09 2002 kukuk@suse.de
- Fix requires of openssl-devel subpackage
-* Tue Aug 06 2002 - draht@suse.de
+* Tue Aug 06 2002 draht@suse.de
- Correction for changes in the ASN1 code, assembled in
openssl-0.9.6e-cvs-20020802-asn1_lib.diff
-* Thu Aug 01 2002 - poeml@suse.de
+* Thu Aug 01 2002 poeml@suse.de
- update to 0.9.6e. Major changes:
o Various security fixes (sanity checks to asn1_get_length(),
various remote buffer overflows)
@@ -480,7 +485,7 @@
[#9913] and resolve man page conflicts by putting them into ssl
sections [#17239]
- spec file: use PreReq for %%post script
-* Fri Jul 12 2002 - poeml@suse.de
+* Fri Jul 12 2002 poeml@suse.de
- update to 0.9.6d. Major changes:
o Various SSL/TLS library bugfixes.
o Fix DH parameter generation for 'non-standard' generators.
@@ -494,29 +499,29 @@
- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982]
- move configuration to /etc/ssl [#14387]
- mark openssl.cnf %%config (noreplace)
-* Sat Jul 06 2002 - schwab@suse.de
+* Sat Jul 06 2002 schwab@suse.de
- Include