Overview
Request 1075557 superseded
- Security Fix: [CVE-2023-0465, bsc#1209878]
* Invalid certificate policies in leaf certificates are silently ignored
* Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
* Certificate policy check not enabled
* Add openssl-CVE-2023-0466.patch
- Fix regression in the OBJ_nid2obj() function: [bsc#1209430]
* Upstream https://github.com/openssl/openssl/issues/20555
* Add openssl-Fix-OBJ_nid2obj-regression.patch
- Fix compiler error "initializer element is not constant" on s390
* Add openssl-z16-s390x.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
* Excessive Resource Usage Verifying X.509 Policy Constraints
* Add openssl-CVE-2023-0464.patch
- Pass over with spec-cleaner
- Update to 3.1.0:
* Add FIPS provider configuration option to enforce the Extended Master
Secret (EMS) check during the TLS1_PRF KDF. The option '-ems-check' can
optionally be supplied to 'openssl fipsinstall'.
* The FIPS provider includes a few non-approved algorithms for backward
compatibility purposes and the "fips=yes" property query must be used for
all algorithm fetches to ensure FIPS compliance. The algorithms that are
included but not approved are Triple DES ECB, Triple DES CBC and EdDSA.
* Added support for KMAC in KBKDF.
* RNDR and RNDRRS support in provider functions to provide random number
- Created by ohollmann
- In state superseded
- Supersedes 1074930
- Superseded by 1089933
- Open review for openSUSE:Factory:Staging:C
Request History
ohollmann created request
- Security Fix: [CVE-2023-0465, bsc#1209878]
* Invalid certificate policies in leaf certificates are silently ignored
* Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
* Certificate policy check not enabled
* Add openssl-CVE-2023-0466.patch
- Fix regression in the OBJ_nid2obj() function: [bsc#1209430]
* Upstream https://github.com/openssl/openssl/issues/20555
* Add openssl-Fix-OBJ_nid2obj-regression.patch
- Fix compiler error "initializer element is not constant" on s390
* Add openssl-z16-s390x.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
* Excessive Resource Usage Verifying X.509 Policy Constraints
* Add openssl-CVE-2023-0464.patch
- Pass over with spec-cleaner
- Update to 3.1.0:
* Add FIPS provider configuration option to enforce the Extended Master
Secret (EMS) check during the TLS1_PRF KDF. The option '-ems-check' can
optionally be supplied to 'openssl fipsinstall'.
* The FIPS provider includes a few non-approved algorithms for backward
compatibility purposes and the "fips=yes" property query must be used for
all algorithm fetches to ensure FIPS compliance. The algorithms that are
included but not approved are Triple DES ECB, Triple DES CBC and EdDSA.
* Added support for KMAC in KBKDF.
* RNDR and RNDRRS support in provider functions to provide random number
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
dimstar_suse set openSUSE:Factory:Staging:C as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:C"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:C"
licensedigger accepted review
ok
dimstar accepted review
- Update to 3.1.1:
* Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate
(CVE-2023-2650, bsc#1211430)
* Multiple algorithm implementation fixes for ARM BE platforms.
* Added a -pedantic option to fipsinstall that adjusts the various settings
to ensure strict FIPS compliance rather than backwards compatibility.
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
trigger a crash of an application using AES-XTS decryption if the memory
just after the buffer being decrypted is not mapped. Thanks to Anton
Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714)
* Add FIPS provider configuration option to disallow the use of truncated
digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The
option '-no_drbg_truncated_digests' can optionally be supplied
to 'openssl fipsinstall'.
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that
it does not enable policy checking. Thanks to David Benjamin for
discovering this issue. (CVE-2023-0466, bsc#1209873)
* Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are
skipped for that certificate. A malicious CA could use this to
deliberately assert invalid certificate policies in order to circumvent
policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878)
* Limited the number of nodes created in a policy tree to mitigate against
CVE-2023-0464. The default limit is set to 1000 nodes, which should be
sufficient for most installations. If required, the limit can be adjusted
by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a
desired maximum number of nodes or zero to allow unlimited growth.
(CVE-2023-0464, bsc#1209624)
* Update openssl.keyring with key
