Revisions of openssl-1_1

Otto Hollmann (ohollmann) accepted request 1172426 from Otto Hollmann (ohollmann) (revision 160)
- Security fix: [bsc#1222548, CVE-2024-2511]
  * Fix unconstrained session cache growth in TLSv1.3
  * Add openssl-CVE-2024-2511.patch
buildservice-autocommit accepted request 1146592 from Factory Maintainer (factory-maintainer) (revision 159)
auto commit by copy to link target
Otto Hollmann (ohollmann) accepted request 1144956 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 157)
- Enable running the regression tests in FIPS mode.
Otto Hollmann (ohollmann) accepted request 1144565 from Otto Hollmann (ohollmann) (revision 156)
- Rename engines directories to the same names as in SLE:
    /etc/ssl/engines1_1.d -> /etc/ssl/engines1.1.d
    /etc/ssl/engdef1_1.d -> /etc/ssl/engdef1.1.d
  * Add migration script to move files (bsc#1219562)
    /etc/ssl/engines.d/* -> /etc/ssl/engines1.1.d
    /etc/ssl/engdef.d/* -> /etc/ssl/engdef1.1.d

- Security fix: [bsc#1219243, CVE-2024-0727]
  * Add NULL checks where ContentInfo data can be NULL
  * Add openssl-CVE-2024-0727.patch
buildservice-autocommit accepted request 1141238 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 155)
auto commit by copy to link target
Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1141235 from Otto Hollmann (ohollmann) (revision 154)
- Because OpenSSL 1.1.1 is no longer the default, let's rename the engine
  directories to contain the version of OpenSSL and leave the unversioned
  ones for the default OpenSSL. [bsc#1194187, bsc#1207472, bsc#1218933]
  * /etc/ssl/engines.d ->  /etc/ssl/engines1_1.d
  * /etc/ssl/engdef.d -> /etc/ssl/engdef1_1.d
  * Update patches:
    - openssl-1_1-ossl-sli-002-ran-make-update.patch
    - openssl-1_1-use-include-directive.patch
buildservice-autocommit accepted request 1130033 from Factory Maintainer (factory-maintainer) (revision 153)
auto commit by copy to link target
Otto Hollmann (ohollmann) accepted request 1128352 from Otto Hollmann (ohollmann) (revision 152)
- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
  * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
  * bsc#1190652 - Provide a service to output module name/identifier
    and version
- Sync patches with SLE:
  * Merge openssl-keep_EVP_KDF_functions_version.patch into
    openssl-1.1.1-evp-kdf.patch
  * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
  * Remove openssl-no-date.patch
buildservice-autocommit accepted request 1126787 from Otto Hollmann (ohollmann) (revision 151)
auto commit by copy to link target
Otto Hollmann (ohollmann) accepted request 1126087 from Otto Hollmann (ohollmann) (revision 150)
- Security fix: [bsc#1216922, CVE-2023-5678]
  * Fix excessive time spent in DH check / generation with large Q
    parameter value.
  * Applications that use the functions DH_generate_key() to generate
    an X9.42 DH key may experience long delays. Likewise,
    applications that use DH_check_pub_key(), DH_check_pub_key_ex()
    or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
    DH parameters may experience long delays. Where the key or
    parameters that are being checked have been obtained from an
    untrusted source this may lead to a Denial of Service.
  * Add openssl-CVE-2023-5678.patch
- Remove trailing spaces from changelog

- Remove a hack for bsc#936563
  bsc936563_hack.patch (bsc#936563)
- Build with no-ssl3, for details on why this is needed read
  require us to patch dependant packages as the relevant
  functions are still available (SSLv3_(client|server)_method)
- openssl.keyring: use Matt Caswell's current key.
- openSSL 1.0.1j
- openssl.keyring: the 1.0.1i release was done by
- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should
- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
  it is already in RPM_OPT_FLAGS and is replaced by
- Remove the "gmp" and "capi" shared engines, nobody noticed
  but they are just dummies that do nothing.
- Use enable-rfc3779 to allow projects such as rpki.net
- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix
- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does
- openssl-gcc-attributes.patch
buildservice-autocommit accepted request 1120190 from Otto Hollmann (ohollmann) (revision 149)
auto commit by copy to link target
Otto Hollmann (ohollmann) accepted request 1119558 from Otto Hollmann (ohollmann) (revision 148)
- Performance enhancements for cryptography from OpenSSL 3.x
  [jsc#PED-5086, jsc#PED-3514]
  * Add patches:
    - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
    - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
    - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
    - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
    - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
    - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
buildservice-autocommit accepted request 1116068 from Otto Hollmann (ohollmann) (revision 147)
auto commit by copy to link target
Otto Hollmann (ohollmann) accepted request 1116067 from Otto Hollmann (ohollmann) (revision 146)
- Displays "fips" in the version string (bsc#1215215)
  * Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
buildservice-autocommit accepted request 1111406 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 145)
auto commit by copy to link target
Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1111331 from Otto Hollmann (ohollmann) (revision 144)
- Update to 1.1.1w:
 * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
   The POLY1305 MAC (message authentication code) implementation in OpenSSL
   does not save the contents of non-volatile XMM registers on Windows 64
   platform when calculating the MAC of data larger than 64 bytes. Before
   returning to the caller all the XMM registers are set to zero rather than
   restoring their previous content. The vulnerable code is used only on newer
   x86_64 processors supporting the AVX512-IFMA instructions.
   The consequences of this kind of internal application state corruption can
   be various - from no consequences, if the calling application does not
   depend on the contents of non-volatile XMM registers at all, to the worst
   consequences, where the attacker could get complete control of the
   application process. However given the contents of the registers are just
   zeroized so the attacker cannot put arbitrary values inside, the most likely
   consequence, if any, would be an incorrect result of some application
   dependent calculations or a crash leading to a denial of service.
   (CVE-2023-4807)

- Add missing FIPS patches from SLE:
  * Add patches:
    - bsc1185319-FIPS-KAT-for-ECDSA.patch
    - bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
    - openssl-1.1.1-fips-fix-memory-leaks.patch
    - openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
    - openssl-1_1-FIPS_drbg-rewire.patch
    - openssl-1_1-Zeroization.patch
    - openssl-1_1-fips-drbg-selftest.patch
    - openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
    - openssl-1_1-jitterentropy-3.4.0.patch
    - openssl-1_1-ossl-sli-000-fix-build-error.patch
Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1101936 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 142)
  * Update openssl.keyring with the OTC members that sign releases
Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1101915 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 141)
- Update to 1.1.1v:
  * Fix excessive time spent checking DH q parameter value
    (bsc#1213853, CVE-2023-3817). The function DH_check() performs
    various checks on DH parameters. After fixing CVE-2023-3446 it
    was discovered that a large q parameter value can also trigger
    an overly long computation during some of these checks. A
    correct q value, if present, cannot be larger than the modulus
    p parameter, thus it is unnecessary to perform these checks if
    q is larger than p. If DH_check() is called with such q parameter
    value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
    computationally intensive checks are skipped.
  * Fix DH_check() excessive time with over sized modulus
    (bsc#1213487, CVE-2023-3446). The function DH_check() performs
    various checks on DH parameters. One of those checks confirms
    that the modulus ("p" parameter) is not too large. Trying to use
    a very large modulus is slow and OpenSSL will not normally use
    a modulus which is over 10,000 bits in length. However the
    DH_check() function checks numerous aspects of the key or
    parameters that have been supplied. Some of those checks use the
    supplied modulus value even if it has already been found to be
    too large. A new limit has been added to DH_check of 32,768 bits.
    Supplying a key/parameters with a modulus over this size will
    simply cause DH_check() to fail.
  * Rebase openssl-1_1-openssl-config.patch
  * Remove security patches fixed upstream:
    - openssl-CVE-2023-3446.patch
    - openssl-CVE-2023-3446-test.patch
Displaying revisions 1 - 20 of 160