Revisions of openssl-3
Ana Guerrero (anag+factory)
accepted
request 1202944
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 30)
Ana Guerrero (anag+factory)
accepted
request 1198659
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 29)
Dominique Leuenberger (dimstar_suse)
accepted
request 1192379
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 28)
Dominique Leuenberger (dimstar_suse)
accepted
request 1189313
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 27)
Ana Guerrero (anag+factory)
accepted
request 1187470
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 26)
Dominique Leuenberger (dimstar_suse)
accepted
request 1172941
from
Otto Hollmann (ohollmann)
(revision 23)
Dominique Leuenberger (dimstar_suse)
accepted
request 1172431
from
Otto Hollmann (ohollmann)
(revision 22)
Dominique Leuenberger (dimstar_suse)
accepted
request 1153155
from
Otto Hollmann (ohollmann)
(revision 21)
Ana Guerrero (anag+factory)
accepted
request 1144625
from
Otto Hollmann (ohollmann)
(revision 20)
- Add migration script to move old files (bsc#1219562) /etc/ssl/engines.d/* -> /etc/ssl/engines1.1.d.rpmsave /etc/ssl/engdef.d/* -> /etc/ssl/engdef1.1.d.rpmsave They will be later restored by openssl-1_1 package to engines1.1.d and engdef1.1.d - Security fix: [bsc#1219243, CVE-2024-0727] * Add NULL checks where ContentInfo data can be NULL * Add openssl-CVE-2024-0727.patch
Ana Guerrero (anag+factory)
accepted
request 1142584
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 19)
- Encapsulate the fips provider into a new package called libopenssl-3-fips-provider. - Added openssl-3-use-include-directive.patch so that the default /etc/ssl/openssl.cnf file will include any configuration files that other packages might place into /etc/ssl/engines3.d/ and /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/ and /etc/ssl/engdef.d/ to above versioned directories. - Updated spec file to create the two new necessary directores for the above patch and two symbolic links to above directories. [bsc#1194187, bsc#1207472, bsc#1218933] - Security fix: [bsc#1218810, CVE-2023-6237] * Limit the execution time of RSA public key check * Add openssl-CVE-2023-6237.patch - Rename openssl-Override-default-paths-for-the-CA-directory-tree.patch to openssl-crypto-policies-support.patch - Embed the FIPS hmac. Add openssl-FIPS-embed-hmac.patch - Load the FIPS provider and set FIPS properties implicitly. * Add openssl-Force-FIPS.patch [bsc#1217934] - Disable the fipsinstall command-line utility. * Add openssl-disable-fipsinstall.patch - Add instructions to load legacy provider in openssl.cnf. * openssl-load-legacy-provider.patch - Disable the default provider for the test suite. * openssl-Disable-default-provider-for-test-suite.patch
Ana Guerrero (anag+factory)
accepted
request 1126784
from
Otto Hollmann (ohollmann)
(revision 18)
- Security fix: [bsc#1216922, CVE-2023-5678] * Fix excessive time spent in DH check / generation with large Q parameter value. * Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. * Add openssl-CVE-2023-5678.patch
Ana Guerrero (anag+factory)
accepted
request 1120189
from
Otto Hollmann (ohollmann)
(revision 17)
- Update to 3.1.4: * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length [bsc#1216163, CVE-2023-5363]. - Performance enhancements for cryptography from OpenSSL 3.2 [jsc#PED-5086, jsc#PED-3514] * Add patches: - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch - FIPS: Add the FIPS_mode() compatibility macro and flag support. * Add patches: - openssl-Add-FIPS_mode-compatibility-macro.patch - openssl-Add-Kernel-FIPS-mode-flag-support.patch
Ana Guerrero (anag+factory)
accepted
request 1118892
from
Factory Maintainer (factory-maintainer)
(revision 16)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory)
accepted
request 1113690
from
Factory Maintainer (factory-maintainer)
(revision 15)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1101934
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 14)
Ana Guerrero (anag+factory)
accepted
request 1099669
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 13)
Dominique Leuenberger (dimstar_suse)
accepted
request 1095607
from
Otto Hollmann (ohollmann)
(revision 12)
- Improve cross-package provides/conflicts [boo#1210313] * Add Provides/Conflicts: ssl-devel * Remove explicit conflicts with other devel-libraries * Remove Provides: openssl(cli) - it's managed by meta package
Dominique Leuenberger (dimstar_suse)
accepted
request 1089933
from
Otto Hollmann (ohollmann)
(revision 11)
- Update to 3.1.1: * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate (CVE-2023-2650, bsc#1211430) * Multiple algorithm implementation fixes for ARM BE platforms. * Added a -pedantic option to fipsinstall that adjusts the various settings to ensure strict FIPS compliance rather than backwards compatibility. * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can trigger a crash of an application using AES-XTS decryption if the memory just after the buffer being decrypted is not mapped. Thanks to Anton Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714) * Add FIPS provider configuration option to disallow the use of truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The option '-no_drbg_truncated_digests' can optionally be supplied to 'openssl fipsinstall'. * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. (CVE-2023-0466, bsc#1209873) * Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878) * Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. (CVE-2023-0464, bsc#1209624) * Update openssl.keyring with key
Displaying revisions 1 - 20 of 30