Revisions of openssl-1_1

Otto Hollmann (ohollmann) accepted request 1172426 from Otto Hollmann (ohollmann) (revision 160)
- Security fix: [bsc#1222548, CVE-2024-2511]
  * Fix unconstrained session cache growth in TLSv1.3
  * Add openssl-CVE-2024-2511.patch

buildservice-autocommit accepted request 1146592 from Factory Maintainer (factory-maintainer) (revision 159)
auto commit by copy to link target

Otto Hollmann (ohollmann) committed (revision 158)

Otto Hollmann (ohollmann) accepted request 1144956 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 157)
- Enable running the regression tests in FIPS mode.

Otto Hollmann (ohollmann) accepted request 1144565 from Otto Hollmann (ohollmann) (revision 156)
- Rename engines directories to the same names as in SLE:
  /etc/ssl/engines1_1.d -> /etc/ssl/engines1.1.d
  /etc/ssl/engdef1_1.d -> /etc/ssl/engdef1.1.d
  * Add migration script to move files (bsc#1219562)
    /etc/ssl/engines.d/* -> /etc/ssl/engines1.1.d
    /etc/ssl/engdef.d/* -> /etc/ssl/engdef1.1.d
- Security fix: [bsc#1219243, CVE-2024-0727]
  * Add NULL checks where ContentInfo data can be NULL
  * Add openssl-CVE-2024-0727.patch

buildservice-autocommit accepted request 1141238 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 155)
auto commit by copy to link target

Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1141235 from Otto Hollmann (ohollmann) (revision 154)
- Because OpenSSL 1.1.1 is no longer the default, let's rename the engine
  directories to contain the version of OpenSSL and leave the unversioned
  ones for the default OpenSSL. [bsc#1194187, bsc#1207472, bsc#1218933]
  * /etc/ssl/engines.d -> /etc/ssl/engines1_1.d
  * /etc/ssl/engdef.d -> /etc/ssl/engdef1_1.d
  * Update patches:
    - openssl-1_1-ossl-sli-002-ran-make-update.patch
    - openssl-1_1-use-include-directive.patch

buildservice-autocommit accepted request 1130033 from Factory Maintainer (factory-maintainer) (revision 153)
auto commit by copy to link target

Otto Hollmann (ohollmann) accepted request 1128352 from Otto Hollmann (ohollmann) (revision 152)
- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
  * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
  * bsc#1190652 - Provide a service to output module name/identifier
    and version
- Sync patches with SLE:
  * Merge openssl-keep_EVP_KDF_functions_version.patch into
    openssl-1.1.1-evp-kdf.patch
  * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
  * Remove openssl-no-date.patch

buildservice-autocommit accepted request 1126787 from Otto Hollmann (ohollmann) (revision 151)
auto commit by copy to link target

Otto Hollmann (ohollmann) accepted request 1126087 from Otto Hollmann (ohollmann) (revision 150)
- Security fix: [bsc#1216922, CVE-2023-5678]
  * Fix excessive time spent in DH check / generation with large Q
    parameter value.
  * Applications that use the functions DH_generate_key() to generate
    an X9.42 DH key may experience long delays. Likewise, applications
    that use DH_check_pub_key(), DH_check_pub_key_ex() or
    EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH
    parameters may experience long delays. Where the key or parameters
    that are being checked have been obtained from an untrusted source
    this may lead to a Denial of Service.
  * Add openssl-CVE-2023-5678.patch
- Remove trailing spaces from changelog
- Remove a hack for bsc#936563 bsc936563_hack.patch (bsc#936563)
- Build with no-ssl3, for details on why this is needed read require us to patch dependant packages as the relevant functions are still available (SSLv3_(client|server)_method)
- openssl.keyring: use Matt Caswells current key.
- openSSL 1.0.1j
- openssl.keyring: the 1.0.1i release was done by
- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should
- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch it is already in RPM_OPT_FLAGS and is replaced by
- Remove the "gmp" and "capi" shared engines, nobody noticed but they are just dummies that do nothing.
- Use enable-rfc3779 to allow projects such as rpki.net
- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix
- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does
- openssl-gcc-attributes.patch

buildservice-autocommit accepted request 1120190 from Otto Hollmann (ohollmann) (revision 149)
auto commit by copy to link target

Otto Hollmann (ohollmann) accepted request 1119558 from Otto Hollmann (ohollmann) (revision 148)
- Performance enhancements for cryptography from OpenSSL 3.x
  [jsc#PED-5086, jsc#PED-3514]
  * Add patches:
    - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
    - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
    - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
    - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
    - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
    - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch

buildservice-autocommit accepted request 1116068 from Otto Hollmann (ohollmann) (revision 147)
auto commit by copy to link target

Otto Hollmann (ohollmann) accepted request 1116067 from Otto Hollmann (ohollmann) (revision 146)
- Displays "fips" in the version string (bsc#1215215)
  * Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch

buildservice-autocommit accepted request 1111406 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 145)
auto commit by copy to link target

Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1111331 from Otto Hollmann (ohollmann) (revision 144)
- Update to 1.1.1w:
  * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
    The POLY1305 MAC (message authentication code) implementation in
    OpenSSL does not save the contents of non-volatile XMM registers on
    Windows 64 platform when calculating the MAC of data larger than 64
    bytes. Before returning to the caller all the XMM registers are set
    to zero rather than restoring their previous content. The vulnerable
    code is used only on newer x86_64 processors supporting the
    AVX512-IFMA instructions.
    The consequences of this kind of internal application state
    corruption can be various - from no consequences, if the calling
    application does not depend on the contents of non-volatile XMM
    registers at all, to the worst consequences, where the attacker
    could get complete control of the application process. However given
    the contents of the registers are just zeroized so the attacker
    cannot put arbitrary values inside, the most likely consequence, if
    any, would be an incorrect result of some application dependent
    calculations or a crash leading to a denial of service.
    (CVE-2023-4807)
- Add missing FIPS patches from SLE:
  * Add patches:
    - bsc1185319-FIPS-KAT-for-ECDSA.patch
    - bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
    - openssl-1.1.1-fips-fix-memory-leaks.patch
    - openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
    - openssl-1_1-FIPS_drbg-rewire.patch
    - openssl-1_1-Zeroization.patch
    - openssl-1_1-fips-drbg-selftest.patch
    - openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
    - openssl-1_1-jitterentropy-3.4.0.patch
    - openssl-1_1-ossl-sli-000-fix-build-error.patch

Otto Hollmann (ohollmann) committed (revision 143)

Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1101936 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 142)
* Update openssl.keyring with the OTC members that sign releases

Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1101915 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 141)
- Update to 1.1.1v:
  * Fix excessive time spent checking DH q parameter value
    (bsc#1213853, CVE-2023-3817). The function DH_check() performs
    various checks on DH parameters. After fixing CVE-2023-3446 it was
    discovered that a large q parameter value can also trigger an overly
    long computation during some of these checks. A correct q value, if
    present, cannot be larger than the modulus p parameter, thus it is
    unnecessary to perform these checks if q is larger than p. If
    DH_check() is called with such q parameter value,
    DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
    intensive checks are skipped.
  * Fix DH_check() excessive time with over sized modulus
    (bsc#1213487, CVE-2023-3446). The function DH_check() performs
    various checks on DH parameters. One of those checks confirms that
    the modulus ("p" parameter) is not too large. Trying to use a very
    large modulus is slow and OpenSSL will not normally use a modulus
    which is over 10,000 bits in length. However the DH_check() function
    checks numerous aspects of the key or parameters that have been
    supplied. Some of those checks use the supplied modulus value even
    if it has already been found to be too large. A new limit has been
    added to DH_check of 32,768 bits. Supplying a key/parameters with a
    modulus over this size will simply cause DH_check() to fail.
  * Rebase openssl-1_1-openssl-config.patch
  * Remove security patches fixed upstream:
    - openssl-CVE-2023-3446.patch
    - openssl-CVE-2023-3446-test.patch
Displaying revisions 1 - 20 of 160