Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at Thu Apr 21 13:51:13 CEST 2011.
--------
--- openssl/openssl.changes 2011-04-13 05:21:06.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssl/openssl.changes 2011-02-10 08:45:42.000000000 +0100
@@ -2,19 +1,0 @@
-Wed Apr 13 02:03:02 UTC 2011 - crrodriguez@opensuse.org
-
-- Fix engine loading issues [bnc#660452]
-- Update AES-NI patch to upstream version 4
-- Drop CVE-2011-0014.patch and replace it with pristine tarball
- of 1.0.0d which only fixes this vulnerability.
-
--------------------------------------------------------------------
-Sat Apr 9 18:18:42 UTC 2011 - crrodriguez@opensuse.org
-
-- Correct last change
-
--------------------------------------------------------------------
-Sat Apr 9 15:00:33 UTC 2011 - crrodriguez@opensuse.org
-
-- Disable SSLv2 support permanently,it must not be used.
-- No longer requires -fno-strict-aliasing
-
--------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
_service
_service:download_url:openssl-1.0.0d.tar.gz
openssl-1.0.0-aesni-v4.patch
openssl-padlock-x86_64-head.patch
New:
----
CVE-2011-0014.patch
openssl-1.0.0b-aesni.patch
openssl-1.0.0c.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.wNQ9BK/_old 2011-04-21 13:50:46.000000000 +0200
+++ /var/tmp/diff_new_pack.wNQ9BK/_new 2011-04-21 13:50:46.000000000 +0200
@@ -32,11 +32,11 @@
 %endif
 #
 #Version: 1.0.0
-Version: 1.0.0d
-Release: 1
+Version: 1.0.0c
+Release: 21
 Summary: Secure Sockets and Transport Layer Security
 Url: http://www.openssl.org/
-Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz
+Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
 # to get mtime of file:
 Source1: openssl.changes
 Source2: baselibs.conf
@@ -48,9 +48,8 @@
 #Patch4: patchset-19727.diff
 #Patch5: CVE-2010-2939.patch
 #Patch6: CVE-2010-3864.patch
-Patch7: openssl-1.0.0-aesni-v4.patch
-#PATCH_FIX-UPSTREAM Fix padlock engine in x86_64 hosts
-Patch8: openssl-padlock-x86_64-head.patch
+Patch7: openssl-1.0.0b-aesni.patch
+Patch8: CVE-2011-0014.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -179,12 +178,12 @@
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch2
+%patch2 -p1
 #%patch3 -p1
 #%patch4 -p1
 #%patch5 -p1
 #%patch6 -p1
-%patch7
+%patch7 -p1
 %patch8 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -225,9 +224,6 @@
 ./config --test-sanity
 #
 config_flags="threads shared no-rc5 no-idea \
-%if 0%{suse_version} > 1140
-no-ssl2 \
-%endif
 enable-camellia \
 zlib \
 --prefix=%{_prefix} \
@@ -236,6 +232,7 @@
 $RPM_OPT_FLAGS \
 -Wa,--noexecstack \
 -fomit-frame-pointer \
+-fno-strict-aliasing \
 -DTERMIO \
 -DPURIFY \
 %ifnarch hppa
@@ -340,7 +337,7 @@
 SSL_CTX *ctx;
 SSL *ssl;
 SSL_METHOD *meth;
- meth = SSLv23_client_method();
+ meth = SSLv2_client_method();
 SSLeay_add_ssl_algorithms();
 ctx = SSL_CTX_new(meth);
 if (ctx == NULL) return 0;
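Review bot: `Patch8: CVE-2011-0014.patch` in the @@ -48,9 +48,8 @@ hunk is added without a tag comment, although the line it replaces carried one (`#PATCH_FIX-UPSTREAM Fix padlock engine in x86_64 hosts`). A security backport should say in the spec what it fixes and where it comes from, so that it is not dropped or kept by mistake on the next version update, for example `# PATCH-FIX-UPSTREAM CVE-2011-0014: length checks in ssl_parse_clienthello_tlsext (ssl/t1_lib.c)`. `Patch7: openssl-1.0.0b-aesni.patch` has no comment either and would benefit from the same treatment.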
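Review bot: The `config_flags` list in the @@ -225,9 +224,6 @@ hunk no longer contains `no-ssl2 \`, so libssl is built with SSLv2 enabled again, although the changelog entry removed by this same commit says SSLv2 "must not be used". With the protocol compiled in, any application that uses a version-flexible method can negotiate it unless it sets `SSL_OP_NO_SSLv2` itself, so the safe default belongs in the build: keep `%if 0%{suse_version} > 1140` / `no-ssl2 \` / `%endif`. The @@ -340,7 +337,7 @@ hunk has the matching problem: the check program now pins `SSLv2_client_method()`, which is only available in an SSLv2-enabled build, whereas `meth = SSLv23_client_method();` does not depend on that option. The program that line belongs to starts and ends outside the hunk.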
@@ -373,36 +370,14 @@
 ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
 ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
-#ugly artifact to delete engines that are disabled/unusable in LINUX
-#that for some reason the build system insist on creating.
-
-# CAPI, Windows specific
-rm %{buildroot}/%_lib/engines/libcapi.so
-# GMP, has been always non-functional
-rm %{buildroot}/%_lib/engines/libgmp.so
-# Requires propietary Broadcom library, not available
-rm %{buildroot}/%_lib/engines/libubsec.so
-#Requires library called libnfhwcrhk.so which is not available
-rm %{buildroot}/%_lib/engines/libchil.so
-#requires library named "SureWareHook" which is not available
-rm %{buildroot}/%_lib/engines/libsureware.so
-#requires DSO "libswift.so",propietary and not available
-rm %{buildroot}/%_lib/engines/libcswift.so
-#requires DSO "nuronssl.so", propietary and not available
-rm %{buildroot}/%_lib/engines/libnuron.so
-#only supported in AIX and Windows...
-rm %{buildroot}/%_lib/engines/lib4758cca.so
-# deprecated in favor of http://sourceforge.net/projects/opencryptoki/files/ (??)
-rm %{buildroot}/%_lib/engines/libaep.so
-# HP Atalla AXL600L SSL Accelerator Card, EOL, linux 2.4/SLE8, useless nowdays
-rm %{buildroot}/%_lib/engines/libatalla.so
-
 %clean
 if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
-%post -n libopenssl1_0_0 -p /sbin/ldconfig
+%post -n libopenssl1_0_0
+/sbin/ldconfig
-%postun -n libopenssl1_0_0 -p /sbin/ldconfig
+%postun -n libopenssl1_0_0
+/sbin/ldconfig
 %files -n libopenssl1_0_0
 %defattr(-, root, root)
++++++ CVE-2011-0014.patch ++++++
Index: openssl-1.0.0c/ssl/t1_lib.c
===================================================================
--- openssl-1.0.0c.orig/ssl/t1_lib.c
+++ openssl-1.0.0c/ssl/t1_lib.c
@@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 }
 n2s(data, idsize);
 dsize -= 2 + idsize;
+ size -= 2 + idsize;
 if (dsize < 0)
 {
 *al = SSL_AD_DECODE_ERROR;
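Review bot: With the `rm %{buildroot}/%_lib/engines/lib*.so` lines gone from the @@ -373,36 +370,14 @@ hunk, the package again ships the ten engine modules that the removed comments describe as Windows/AIX-only, non-functional, or dependent on proprietary libraries that are not available. These are loadable modules with no usable backend on this platform, and the removed changelog entry "Fix engine loading issues [bnc#660452]" suggests, though this page does not confirm it, that shipping them caused problems before. Unless the revert specifically needs them, keep the cleanup block after the two `ln -sf` lines. The enclosing spec section starts outside the hunk.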
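Review bot: CVE-2011-0014.patch begins directly at `Index: openssl-1.0.0c/ssl/t1_lib.c` with no header naming the upstream change it backports, so a reader cannot compare these bounds checks with the fix shipped in 1.0.0d, the tarball this commit replaces. Add a short header above the `Index:` line, e.g. `Fixes CVE-2011-0014; backport of upstream commit <UPSTREAM_COMMIT_ID>`. In the @@ -917,6 +917,7 @@ hunk the new `size -= 2 + idsize;` is followed only by a test of `dsize`; that is sufficient if an earlier check guarantees `dsize <= size`, but that check and the declaration of `size` lie outside the hunk, so once confirmed a comment such as `/* dsize <= size was checked above, so size cannot underflow here */` would make the invariant explicit. The @@ -955,9 +956,14 @@ hunk belongs to the same patch file and is covered by the header request.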
@@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 }
 /* Read in request_extensions */
+ if (size < 2)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
 n2s(data,dsize);
 size -= 2;
- if (dsize > size)
+ if (dsize != size)
 {
 *al = SSL_AD_DECODE_ERROR;
 return 0;
++++++ bug610223.patch ++++++
--- /var/tmp/diff_new_pack.wNQ9BK/_old 2011-04-21 13:50:46.000000000 +0200
+++ /var/tmp/diff_new_pack.wNQ9BK/_new 2011-04-21 13:50:46.000000000 +0200
@@ -1,6 +1,8 @@
---- Configure.orig
-+++ Configure
-@@ -1688,7 +1688,8 @@ while (<IN>)
+Index: openssl-1.0.0/Configure
+===================================================================
+--- openssl-1.0.0.orig/Configure
++++ openssl-1.0.0/Configure
+@@ -1673,7 +1673,8 @@ while (<IN>)
 }
 elsif (/^#define\s+ENGINESDIR/)
 {
++++++ openssl-1.0.0b-aesni.patch ++++++
++++ 2388 lines (skipped)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org