openSUSE Build Service

Overview Repositories Revisions Requests Users Attributes Meta

Revisions of openssl-3

Dominique Leuenberger (dimstar_suse) accepted request 1153155 from

Otto Hollmann (ohollmann) 2 months ago (revision 21)

Ana Guerrero (anag+factory) accepted request 1144625 from

Otto Hollmann (ohollmann) 3 months ago (revision 20)

- Add migration script to move old files (bsc#1219562)
  /etc/ssl/engines.d/* -> /etc/ssl/engines1.1.d.rpmsave
  /etc/ssl/engdef.d/* -> /etc/ssl/engdef1.1.d.rpmsave
  They will be later restored by openssl-1_1 package
  to engines1.1.d and engdef1.1.d

- Security fix: [bsc#1219243, CVE-2024-0727]
  * Add NULL checks where ContentInfo data can be NULL
  * Add openssl-CVE-2024-0727.patch

Ana Guerrero (anag+factory) accepted request 1142584 from

Pedro Monreal Gonzalez (pmonrealgonzalez) 3 months ago (revision 19)

- Encapsulate the fips provider into a new package called
  libopenssl-3-fips-provider.

- Added openssl-3-use-include-directive.patch so that the default
  /etc/ssl/openssl.cnf file will include any configuration files that
  other packages might place into /etc/ssl/engines3.d/ and
  /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/
  and /etc/ssl/engdef.d/ to above versioned directories.
- Updated spec file to create the two new necessary directores for
  the above patch and two symbolic links to above directories.
  [bsc#1194187, bsc#1207472, bsc#1218933]

- Security fix: [bsc#1218810, CVE-2023-6237]
  * Limit the execution time of RSA public key check
  * Add openssl-CVE-2023-6237.patch

- Rename openssl-Override-default-paths-for-the-CA-directory-tree.patch
  to openssl-crypto-policies-support.patch

- Embed the FIPS hmac. Add openssl-FIPS-embed-hmac.patch

- Load the FIPS provider and set FIPS properties implicitly.
  * Add openssl-Force-FIPS.patch [bsc#1217934]
- Disable the fipsinstall command-line utility.
  * Add openssl-disable-fipsinstall.patch
- Add instructions to load legacy provider in openssl.cnf.
  * openssl-load-legacy-provider.patch
- Disable the default provider for the test suite.
  * openssl-Disable-default-provider-for-test-suite.patch

Ana Guerrero (anag+factory) accepted request 1126784 from

Otto Hollmann (ohollmann) 6 months ago (revision 18)

- Security fix: [bsc#1216922, CVE-2023-5678]
  * Fix excessive time spent in DH check / generation with large Q
    parameter value.
  * Applications that use the functions DH_generate_key() to generate
    an X9.42 DH key may experience long delays. Likewise,
    applications that use DH_check_pub_key(), DH_check_pub_key_ex
    () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
    DH parameters may experience long delays. Where the key or
    parameters that are being checked have been obtained from an
    untrusted source this may lead to a Denial of Service.
  * Add openssl-CVE-2023-5678.patch

Ana Guerrero (anag+factory) accepted request 1120189 from

Otto Hollmann (ohollmann) 6 months ago (revision 17)

- Update to 3.1.4:
  * Fix incorrect key and IV resizing issues when calling
    EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2()
    with OSSL_PARAM parameters that alter the key or IV length
    [bsc#1216163, CVE-2023-5363].

- Performance enhancements for cryptography from OpenSSL 3.2
  [jsc#PED-5086, jsc#PED-3514]
  * Add patches:
    - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
    - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
    - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
    - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
    - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
    - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch

- FIPS: Add the FIPS_mode() compatibility macro and flag support.
  * Add patches:
    - openssl-Add-FIPS_mode-compatibility-macro.patch
    - openssl-Add-Kernel-FIPS-mode-flag-support.patch

Ana Guerrero (anag+factory) accepted request 1118892 from

Factory Maintainer (factory-maintainer) 6 months ago (revision 16)

Automatic submission by obs-autosubmit

Ana Guerrero (anag+factory) accepted request 1113690 from

Factory Maintainer (factory-maintainer) 7 months ago (revision 15)

Automatic submission by obs-autosubmit

Dominique Leuenberger (dimstar_suse) accepted request 1101934 from

Pedro Monreal Gonzalez (pmonrealgonzalez) 9 months ago (revision 14)

Ana Guerrero (anag+factory) accepted request 1099669 from

Pedro Monreal Gonzalez (pmonrealgonzalez) 9 months ago (revision 13)

Dominique Leuenberger (dimstar_suse) accepted request 1095607 from

Otto Hollmann (ohollmann) 10 months ago (revision 12)

- Improve cross-package provides/conflicts [boo#1210313]
  * Add Provides/Conflicts: ssl-devel
  * Remove explicit conflicts with other devel-libraries
  * Remove Provides: openssl(cli) - it's managed by meta package

Dominique Leuenberger (dimstar_suse) accepted request 1089933 from

Otto Hollmann (ohollmann) 11 months ago (revision 11)

- Update to 3.1.1:
  * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate
    (CVE-2023-2650, bsc#1211430)
  * Multiple algorithm implementation fixes for ARM BE platforms.
  * Added a -pedantic option to fipsinstall that adjusts the various settings
    to ensure strict FIPS compliance rather than backwards compatibility.
  * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
    happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
    trigger a crash of an application using AES-XTS decryption if the memory
    just after the buffer being decrypted is not mapped. Thanks to Anton
    Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714)
  * Add FIPS provider configuration option to disallow the use of truncated
    digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The
    option '-no_drbg_truncated_digests' can optionally be supplied
    to 'openssl fipsinstall'.
  * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that
    it does not enable policy checking. Thanks to David Benjamin for
    discovering this issue. (CVE-2023-0466, bsc#1209873)
  * Fixed an issue where invalid certificate policies in leaf certificates are
    silently ignored by OpenSSL and other certificate policy checks are
    skipped for that certificate. A malicious CA could use this to
    deliberately assert invalid certificate policies in order to circumvent
    policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878)
  * Limited the number of nodes created in a policy tree to mitigate against
    CVE-2023-0464. The default limit is set to 1000 nodes, which should be
    sufficient for most installations. If required, the limit can be adjusted
    by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a
    desired maximum number of nodes or zero to allow unlimited growth.
    (CVE-2023-0464, bsc#1209624)
  * Update openssl.keyring with key

Dominique Leuenberger (dimstar_suse) accepted request 1070585 from

Otto Hollmann (ohollmann) about 1 year ago (revision 10)

Dominique Leuenberger (dimstar_suse) accepted request 1063740 from