Hello community, here is the log from the commit of package libopenssl0_9_8 for openSUSE:Factory checked in at Wed Mar 9 17:43:40 CET 2011. -------- --- libopenssl0_9_8/libopenssl0_9_8.changes 2010-04-12 10:19:19.000000000 +0200 +++ /mounts/work_src_done/STABLE/libopenssl0_9_8/libopenssl0_9_8.changes 2010-12-09 06:00:19.000000000 +0100 @@ -1,0 +2,8 @@ +Thu Dec 9 04:59:29 UTC 2010 - gjhe@novell.com + +- fix bug [bnc#657663] + CVE-2010-4180 + for CVE-2010-4252,no patch is added(for the J-PAKE + implementaion is not compiled in by default). + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- CVE-2010-4180.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libopenssl0_9_8.spec ++++++ --- /var/tmp/diff_new_pack.Zro12C/_old 2011-03-09 17:43:19.000000000 +0100 +++ /var/tmp/diff_new_pack.Zro12C/_new 2011-03-09 17:43:19.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package libopenssl0_9_8 (Version 0.9.8m) +# spec file for package libopenssl0_9_8 # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,7 +26,7 @@ AutoReqProv: on # Version: 0.9.8m -Release: 2 +Release: 8 Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ Source: http://www.openssl.org/source/openssl-%{version}.tar.bz2 @@ -34,6 +34,7 @@ Source10: README.SuSE Patch0: merge_from_0_9_8k.patch Patch1: openssl-CVE-2010-0740.patch +Patch2: CVE-2010-4180.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Recommends: openssl-certs @@ -57,6 +58,7 @@ %setup -q -n openssl-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 cp -p %{S:10} . echo "adding/overwriting some entries in the 'table' hash in Configure" # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++++++ CVE-2010-4180.patch ++++++ Index: openssl-0.9.8m/doc/ssl/SSL_CTX_set_options.pod =================================================================== --- openssl-0.9.8m.orig/doc/ssl/SSL_CTX_set_options.pod +++ openssl-0.9.8m/doc/ssl/SSL_CTX_set_options.pod @@ -78,18 +78,7 @@ this breaks this server so 16 bytes is t =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG -ssl3.netscape.com:443, first a connection is established with RC4-MD5. -If it is then resumed, we end up using DES-CBC3-SHA. It should be -RC4-MD5 according to 7.6.1.3, 'cipher_suite'. - -Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. -It only really shows up when connecting via SSLv2/v3 then reconnecting -via SSLv3. The cipher list changes.... - -NEW INFORMATION. Try connecting with a cipher list of just -DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses -RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when -doing a re-connect, always takes the first cipher in the cipher list. +As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG Index: openssl-0.9.8m/ssl/s3_clnt.c =================================================================== --- openssl-0.9.8m.orig/ssl/s3_clnt.c +++ openssl-0.9.8m/ssl/s3_clnt.c @@ -815,8 +815,11 @@ int ssl3_get_server_hello(SSL *s) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { +/* Workaround is now obsolete */ +#if 0 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) +#endif { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); Index: openssl-0.9.8m/ssl/s3_srvr.c =================================================================== --- openssl-0.9.8m.orig/ssl/s3_srvr.c +++ openssl-0.9.8m/ssl/s3_srvr.c @@ -927,6 +927,10 @@ int ssl3_get_client_hello(SSL *s) break; } } +/* Disabled because it can be used in a ciphersuite downgrade + * attack: CVE-2010-4180. + */ +#if 0 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may @@ -941,6 +945,7 @@ int ssl3_get_client_hello(SSL *s) j = 1; } } +#endif if (j == 0) { /* we need to have the cipher in the cipher ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org