Changelog for libopenssl0_9_8-0.9.8j-79.3.x86_64.rpm :
Mon Jun 15 14:00:00 2015 vcizekAATTsuse.com
- remove libopenssl0_9_8-hmac from baselibs.conf

Mon Jun 15 14:00:00 2015 vcizekAATTsuse.com
- disable EXPORT ciphers by default (bnc#931698, comment #3)

* added openssl-disable_EXPORT_ciphers_by_default.patch

Fri Jun 12 14:00:00 2015 vcizekAATTsuse.com
- CVE-2015-4000 (boo#931698)

* The Logjam Attack / weakdh.org

* reject connections with DH parameters shorter than 1024 bits

* generates 2048-bit DH parameters by default
- CVE-2015-1788 (boo#934487)

* Malformed ECParameters causes infinite loop
- CVE-2015-1789 (boo#934489)

* Exploitable out-of-bounds read in X509_cmp_time
- CVE-2015-1790 (boo#934491)

* PKCS7 crash with missing EnvelopedContent
- CVE-2015-1792 (boo#934493)

* CMS verify infinite loop with unknown hash function
- CVE-2015-1791 (boo#933911)

* race condition in NewSessionTicket
- CVE-2015-3216 (boo#933898)

* Crash in ssleay_rand_bytes due to locking regression

* modified openssl-1.0.1i-fipslocking.patch
- fix timing side channel in RSA decryption (bnc#929678)
- newly added patches:

* 0001-s_server-Use-2048-bit-DH-parameters-by-default.patch

* 0002-dhparam-set-the-default-to-2048-bits.patch

* 0003-dhparam-fix-documentation.patch

* 0004-Update-documentation-with-Diffie-Hellman-best-practi.patch

* 0005-client-reject-handshakes-with-DH-parameters-1024-bits.patch

* openssl-CVE-2015-1788.patch

* openssl-CVE-2015-1789.patch

* openssl-CVE-2015-1790.patch

* openssl-CVE-2015-1791.patch

* openssl-CVE-2015-1792.patch

* openssl-RSA_premaster_secret_in_constant_time.patch

Thu Apr 16 14:00:00 2015 vcizekAATTsuse.com
- add ECC ciphersuites to DEFAULT (bnc#879179)

* modified openssl-enable-ecdh.patch

Mon Mar 16 13:00:00 2015 vcizekAATTsuse.com
- security update:

* CVE-2015-0209 (bnc#919648)
- Fix a failure to NULL a pointer freed on error

* CVE-2015-0286 (bnc#922496)
- Segmentation fault in ASN1_TYPE_cmp

* CVE-2015-0287 (bnc#922499)
- ASN.1 structure reuse memory corruption

* CVE-2015-0288 x509: (bnc#920236)
- added missing public key is not NULL check

* CVE-2015-0289 (bnc#922500)
- PKCS7 NULL pointer dereferences

* CVE-2015-0292 (bnc#922501)
- Base64 decode

* CVE-2015-0293 (bnc#922488)
- Fix reachable assert in SSLv2 servers

* added patches:
openssl-CVE-2015-0209.patch
openssl-CVE-2015-0286.patch
openssl-CVE-2015-0287.patch
openssl-CVE-2015-0288.patch
openssl-CVE-2015-0289.patch
openssl-CVE-2015-0292.patch
openssl-CVE-2015-0293.patch

Wed Feb 4 13:00:00 2015 vcizekAATTsuse.com
- fix a memory leak in ssl_lib.c (CVE-2009-5146) (bnc#915976)

* added openssl-CVE-2009-5146.patch

Fri Jan 9 13:00:00 2015 vcizekAATTsuse.com
- fix for several security vulnerabilities:

* CVE-2014-3570 (bnc#912296)
- Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64.
- added openssl-CVE-2014-3570.patch

* CVE-2014-3571 (bnc#912294)
- Fix crash in dtls1_get_record whilst in the listen state where
you get two separate reads performed - one for the header and
one for the body of the handshake record.
- added openssl-CVE-2014-3571.patch

* CVE-2014-3572 (bnc#912015)
- don't accept a handshake using an ephemeral ECDH ciphersuites
with the server key exchange message omitted.
- added openssl-CVE-2014-3572.patch

* CVE-2014-8275 (bnc#912018)
- fix various certificate fingerprint issues
- added openssl-CVE-2014-8275.patch

* CVE-2015-0204 (bnc#912014)
- Only allow ephemeral RSA keys in export ciphersuites
- added openssl-CVE-2015-0204.patch

* CVE-2015-0205 (bnc#912293)
- OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205 as it doesn't
support DH certificates and this typo prohibits skipping of
certificate verify message for sign only certificates anyway.
- patch only fixes the wrong condition
- added openssl-CVE-2015-0205.patch

Wed Oct 22 14:00:00 2014 vcizekAATTsuse.com
- fix regression caused by CVE-2014-0224.patch (bnc#892403)
- added patches:

* Fix-stateless-session-resumption-so-it-can-coexist-with-SNI.patch

* Generate-stateless-session-ID-just-after-the-ticket-is-r.patch

Tue Oct 21 14:00:00 2014 vcizekAATTsuse.com
- security fixes for bnc#901277 and bnc#901223
- NOTE: this update alone DOESN'T FIX the POODLE SSL protocol vulnerability.
OpenSSL only adds downgrade detection support for client applications.
See https://www.suse.com/support/kb/doc.php?id=7015773 for mitigations.
- details of the addressed vulnerabilities:

*) Session Ticket Memory Leak.
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)

*) Build option no-ssl3 is incomplete.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)

*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)

Mon Aug 18 14:00:00 2014 vcizekAATTsuse.com
- Double Free when processing DTLS packets (CVE-2014-3505)

* added openssl-CVE-2014-3505.patch

* bnc#890767
- DTLS memory exhaustion (CVE-2014-3506)

* added openssl-CVE-2014-3506.patch

* bnc#890768
- DTLS memory leak from zero-length fragments (CVE-2014-3507)

* added openssl-CVE-2014-3507.patch

* bnc#890769
- Information leak in pretty printing functions (CVE-2014-3508)

* added openssl-CVE-2014-3508.patch

* bnc#890764
- OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)

* added openssl-CVE-2014-3510.patch

* bnc#890770

Tue Jul 8 14:00:00 2014 meissnerAATTsuse.com
- exclusivearch for SLE11 architectures still in SLE12

Mon Jul 7 14:00:00 2014 meissnerAATTsuse.com
- compat library taken from SLE11 openssl 0.9.8j. FATE#316925
- only the shared objects are included, no development
headers.
- engines directory is /usr/lib(64)/engines098

Mon Jun 2 14:00:00 2014 shchangAATTsuse.com
- Fixed bug[ bnc#880891], prevent buffer overread, by Sebastian Krahmer

* Add patch file: prevent_buffer_overread.patch

Mon Jun 2 14:00:00 2014 shchangAATTsuse.com
- Fixed bug[ bnc#880891], multiple OpenSSL CVE issues
Add patch files: CVE-2014-3470.patch, CVE-2014-0221.patch, CVE-2014-0224.patch

Tue Mar 25 13:00:00 2014 shchangAATTsuse.com
- Fix bug[ bnc#870192], Some libraries like libcrypto.so.0.9.8 (32bit) have the execstack flag set
Add compile option "-Wa,--noexecstack" to make the stack non-executable

Tue Mar 25 13:00:00 2014 shchangAATTsuse.com
- Fix bug[ bnc#869945] CVE-2014-0076: openssl: Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack
Add file: CVE-2014-0076.patch

Wed Feb 19 13:00:00 2014 shchangAATTsuse.com
- add file: fix-pod-number.patch

Fri Feb 7 13:00:00 2014 meissnerAATTsuse.com
- openssl-0.9.8b-ipv6-apps.patch: enable ipv6 in the openssl
commandline tool. bnc#859228

Fri Feb 7 13:00:00 2014 meissnerAATTsuse.com
- openssl-enable-ecdh.patch:
Enable ECDH / ECDHE key exchanges. (already available, but
previously disabled as it was only a draft standard).
bnc#859924

Fri Feb 7 13:00:00 2014 meissnerAATTsuse.com
- openssl-0.9.8j-c_rehash-with-openssl1.patch:
If we have an (optional) openssl1 binary installed, use this to
generate both openssl 0 and openssl 1 style certificate hashes.
bnc#862181

Thu Jan 23 13:00:00 2014 shchangAATTsuse.com
- Fix bug[ bnc#860332] openssl cmdline does not check certs
Add file: bug860332-cmdline-check-certs.patch

Fri Mar 22 13:00:00 2013 shchangAATTsuse.com
- Fix bug[ bnc#802648] CVE-2013-0169( openssl): Luck-13 issue
Since DTLS 1.0 is based on TLS 1.1 we should never return a decryption_failed alert.
modify patch file: CVE-2013-0169.patch

Thu Mar 14 13:00:00 2013 shchangAATTsuse.com
- Fix bug[ bnc#808942] Remove patch file: CVE-2011-4354.patch, because
it's not affect on SLE-9/10/11

Fri Mar 8 13:00:00 2013 shchangAATTsuse.com
- Fix bug[ bnc#779952] CVE-2012-4929: avoid the openssl CRIME attack
Modify patch file: compression_methods_switch.patch

Thu Mar 7 13:00:00 2013 shchangAATTsuse.com
- Fix bug[ bnc#733252] CVE-2011-4354: 0.9.8g 32bit leaks ECC private keys
Add patch file: CVE-2011-4354.patch

Tue Feb 12 13:00:00 2013 shchangAATTsuse.com
- Fix bug[ bnc#802648] CVE-2013-0169( openssl): Luck-13 issue
Add patch file: CVE-2013-0169.patch

Fri Feb 8 13:00:00 2013 shchangAATTsuse.com
- FIX BUG[ bnc#802746] CVE-2013-0166( openssl): OCSP invalid key Dos issue
Add patch file: CVE-2013-0166.patch

Tue Jul 10 14:00:00 2012 drahtAATTsuse.de
- correction of openssl-fips__0300_run*.diff: Add check with
FIPS_mode() if FIPS was already initialized to avoid an abort
due to FIPS_mode_set(1) twice, and to avoid a mode change by
env or kernel cmdline back to 0 after initialization via
FIPS_mode_set(1) from the calling app.

Tue Jun 26 14:00:00 2012 meissnerAATTsuse.com
- fix bug[bnc#768097] missing parameter validity checking in
FIPS Diffie-Hellman code. (CVE-2011-5095)

Mon Jun 18 14:00:00 2012 drahtAATTsuse.de
- openssl-fips__0300_run_selftests_if_hmac_files_present.diff:
if fips mode is given, run as usual. If fips is not on, see
if the .hmac files are there. If not, abort the self-tests and
continue. If yes, go through all the fips self-tests, but do
not set FIPS mode.
- package split: new sub-package libopenssl0_9_8-hmac that contains
the two HMAC hashes for the library binaries only.
- baselibs.conf: libopenssl0_9_8-hmac-32bit must require
libopenssl0_9_8-32bit (exact version and release), not
libopenssl0_9_8.
- .spec change: added FIPSCANLIB="" to make test, or SSLv3 fails
because forbidden in FIPS mode.
- updated /usr/share/doc/packages/openssl/README-FIPS.txt with the
information above.
- [bnc#767256]

Thu May 24 14:00:00 2012 meissnerAATTsuse.de
- bug[bnc#749735] fixed a deadlock condition caused by entering a
lock twice

Wed May 23 14:00:00 2012 gjheAATTsuse.com
- fix bug[bnc#761838] - denial of service via cbc mode handling
CVE-2012-2333

Fri May 11 14:00:00 2012 gjheAATTsuse.com
- fix bug[bnc#761324] - TP-L3: enable cms feature in openssl
backport cms's latest updates from the latest stable version 0.9.8x.

Thu May 3 14:00:00 2012 gjheAATTsuse.com
- fix [bug#759008] - valgrind showing different output on 32/64bit
for the same test program

Thu May 3 14:00:00 2012 gjheAATTsuse.com
- The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter.
CVE-2012-2131

Mon Apr 23 14:00:00 2012 gjheAATTsuse.com
- fix bug[bnc#758060] - incorrect integer conversions in OpenSSL
can result in memory corruption.
and bug[bnc#755395] - libcrypto.so.0.9.8 requires executable stack
CVE-2012-2110

Tue Mar 27 14:00:00 2012 gjheAATTsuse.com
- fix bug[bnc#749735] - Memory leak when creating public keys.

Tue Mar 27 14:00:00 2012 gjheAATTsuse.com
- fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack
CVE-2012-0884

Thu Mar 22 13:00:00 2012 gjheAATTsuse.com
- fix bug[bnc#751946] - S/MIME verification may erroneously fail
CVE-2012-1165

Wed Mar 21 13:00:00 2012 gjheAATTsuse.com
- fix bug[bnc#749213]-Free headers after use in error message
and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt

Fri Feb 24 13:00:00 2012 gjheAATTsuse.com
- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's
asn1 parser.
CVE-2006-7250

Thu Feb 9 13:00:00 2012 drahtAATTsuse.de
- openssl-add_sha256_sha512.diff: Add the SHA256 and SHA512 families
to the hash algos by default to avoid explicit initialization by
applications. [bnc#743344]

Thu Feb 9 13:00:00 2012 gjheAATTsuse.com
- fix security bug [bnc#742821] - DTLS DoS Attack
CVE-2012-0050

Tue Jan 10 13:00:00 2012 gjheAATTsuse.com
- fix security bug [bnc#739719] - various security issues
DTLS Plaintext Recovery Attack (CVE-2011-4108)
Double-free in Policy Checks (CVE-2011-4109)
Uninitialized SSL 3.0 Padding (CVE-2011-4576)
Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
SGC Restart DoS Attack (CVE-2011-4619)

Tue Dec 27 13:00:00 2011 dmuellerAATTsuse.de
- revert disablement of profile feedback driven optimisation, as
it causes noticeable performance regressions

Wed Dec 7 13:00:00 2011 drahtAATTsuse.de
- openssl package must require and prerequire libopenssl0_9_8 of
same version [bnc#735199].

Wed Dec 7 13:00:00 2011 drahtAATTsuse.de
- README-FIPS.txt: change occurrences of SP2 to SP1 due to release
of package in SP1/GU.

Thu Nov 3 13:00:00 2011 drahtAATTsuse.de
- /usr/share/doc/packages/openssl/README-FIPS.txt added

Tue Nov 1 13:00:00 2011 drahtAATTsuse.de
- back out unused openssl-fips__0100_FPE_in_tests.diff; fixed by
openssl-fips__0100_aes_EVP_CIPH_FLAG_FIPS_-_the_fenzke_code.diff
- openssl-fips__0220_make_hmac_path_return_value_check.diff: failure
to construct library pathname must result in immediate termination
in fips mode.
- openssl-fips__0222_dsa_pqver_fixes.diff: fix for failure in tests:
format of pqgver dsa test and bignum hex output
- openssl-fips__0230_sha256_sha512_selftests.diff adds selftests for
sha2 family sha256 and sha512.

Thu Oct 20 14:00:00 2011 drahtAATTsuse.de
- openssl-fips__0210_ignore_testvectors_rsa_salt_62.diff replaced
by openssl-fips__0211_cavs_rsa_testvector_path_adoptions.diff
adoptions because supplied testvector format is different.
- openssl-fips__0212_cavs_dsa_missing_PQGVer.diff
DSA CAVS test PQGVer.req must be executed.
- endianness compensation for CFB1 not needed after bitlength
adoption; causes failure in CAVS tests. See
openssl-fips__0200_CFB1_enable.diff

Thu Oct 6 14:00:00 2011 drahtAATTsuse.de
- openssl-fips__0220_make_hmac_path_return_value_check.diff makes
sure that fopen(3) will not receive NULL as argument.
- indentation in get_library_path(). :)

Fri Sep 23 14:00:00 2011 drahtAATTsuse.de
- openssl-fips__0200_CFB1_enable.diff turns on CFB1 for CAVS tests.
- openssl-fips__0210_ignore_testvectors_rsa_salt_62.diff ignore rsa_salt_62

Tue Sep 20 14:00:00 2011 gjheAATTsuse.com
- fix bug[bnc#716144] - VUL-0: openssl ECDH crash.
CVE-2011-3210

Thu Sep 15 14:00:00 2011 drahtAATTsuse.de
- openssl-fips__0110_aes_EVP_CIPH_FLAG_FIPS_-_the_fenzke_code.diff
allows the AES-NI ASM optimizations to work in FIPS mode.

Sat Aug 13 14:00:00 2011 dmuellerAATTsuse.de
- add baselibs.conf to sources

Thu Aug 11 14:00:00 2011 drahtAATTsuse.de
- create .hmac files next to the shared libraries for FIPS mode
integrity check.

Tue Aug 9 14:00:00 2011 drahtAATTsuse.de
- re-seed the RNG via openssl-fips__0020_rng-seeding.patch
- openssl-fips__0040_use_fipscheck_internal.diff: Don't do integrity
checks of the library by hashing portions of object code inside
a shlib, but do a hash on the entire library.
- use a sha256, not a sha1, via
openssl-fips__0045_fipscheck_sha1_sha256.diff
- fix build of fips/sha/fips_standalone_sha1 by linking to .o files
that are a result of "enable ASM" above, for x86_64 and x86 only.
Via openssl-fips__0050_fips_sha_Makefile_CPUID_OBJ.diff
- for debugging purposes included:
openssl-fips__0080_fips_fips_c_OPENSSL_FIPS_DEBUG_FIPSCHECK_DISABLE.diff
- hmac key set to ppaksykemnsecgtsttplmamstKMEs in
openssl-fips__0090_hmac_key_change.diff . Note: compiled into binaries.

Tue Aug 9 14:00:00 2011 drahtAATTsuse.de
- enable ASM
- remove BuildRequires: openssl-fips-objectmodule and build own
fips code. Package is now code-selfcontained.
- rename openssl-fipsmode.diff to openssl-fips__0000_fipsmode.diff
- remove fips vs asm conflict in ./Configure via
openssl-fips__0010_enable_shared_fips_Configure.diff

Thu Aug 4 14:00:00 2011 mlsAATTsuse.de
- Update to version 0.9.8j

* support build with fips container module

* multiple security fixes

* enable TLS extensions by default

Tue Jul 26 14:00:00 2011 gjheAATTnovell.com
- add a switch to AESNI implementation, the environment variable is
OPENSSL_DISABLE_AESNI, if defined, AESNI is disabled, else AESNI
is enabled.

Mon Jul 18 14:00:00 2011 xwhuAATTnovell.com
- fate#311769, fate#311938, optimization for AES-NI, SHA-1, RC4

Fri Jun 10 14:00:00 2011 gjheAATTnovell.com
- Add a switch to compression methods. Switch turned on,
compression methods are available; turn off, compression
methods are not available. And this is a temporary feature, and
may be changed by the following updates.

Mon May 30 14:00:00 2011 gjheAATTnovell.com
- fix bug[bnc#693027].
Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]

Thu Feb 10 13:00:00 2011 gjheAATTnovell.com
- fix bug [bnc#670526]
CVE-2011-0014, OCSP stapling vulnerability

Tue Dec 7 13:00:00 2010 gjheAATTnovell.com
- fix bug [bnc#657663]
CVE-2010-4180
for CVE-2010-4252, no patch is added (for the J-PAKE
implementation is not compiled in by default).

Tue Nov 16 13:00:00 2010 gjheAATTnovell.com
- fix bug [bnc#651003]
CVE-2010-3864

Mon Sep 27 14:00:00 2010 gjheAATTnovell.com
- fix bug [bnc#608666]

Sun Sep 26 14:00:00 2010 gjheAATTnovell.com
- fix bug [bnc#629905]
CVE-2010-2939

Wed Mar 31 14:00:00 2010 meissnerAATTsuse.de
- fixed enable-renegoation feature patch, disabled
old patch for CVE-2009-3555. [bnc#584292]

Thu Mar 25 13:00:00 2010 gjheAATTnovell.com
- fix security bug [bnc#590833]
CVE-2010-0740

Fri Mar 12 13:00:00 2010 gjheAATTnovell.com
- fix security bug [bnc#587379]
CVE-2009-3245

Thu Mar 11 13:00:00 2010 gjheAATTnovell.com
- fix security bug [bnc#584292]
enable security renegotiation
and add support for DTLS renegotiation.

Wed Mar 10 13:00:00 2010 gjheAATTnovell.com
- fix security bug [bnc#467437]
this patch fix both bug [bnc#467437] and bug [bnc#430141],
and backport patch func-parm-err.patch

Thu Feb 18 13:00:00 2010 rguentherAATTsuse.de
- fix bogus inline assembly for s390x [bnc#457410, bnc#442740]
- re-enable optimization of md4 and ripemd

Fri Jan 15 13:00:00 2010 gjheAATTsuse.de
- fix security bug [bnc#566238]
CVE-2009-4355

Thu Nov 12 13:00:00 2009 gjheAATTsuse.de
- fix security bug [bnc#553641]
CVE-2009-3555

Wed Jun 10 14:00:00 2009 gjheAATTsuse.de
- fix security bug [bnc#509031]
CVE-2009-1386
CVE-2009-1387

Fri May 22 14:00:00 2009 gjheAATTsuse.de
- fix security bug [bnc#504687]
CVE-2009-1377
CVE-2009-1378
CVE-2009-1379

Wed Apr 15 14:00:00 2009 gjheAATTsuse.de
- fix security bug [bnc#489641]
CVE-2009-0591
CVE-2009-0590
CVE-2009-0789


 