|
|
|
|
Changelog for openssl3-devel-3.0.7-5.el8.1.x86_64.rpm :
* Thu Feb 09 2023 Michel Alexandre Salim 3.0.7-5.1- Merge c9s openssl changes to pick up CVE fixes- Back out f2a49ef424f831aac988356fc8b2b910e443dc42 as that caused test failures * Wed Feb 08 2023 Dmitry Belyavskiy - 1:3.0.7-5- Fixed X.509 Name Constraints Read Buffer Overflow Resolves: CVE-2022-4203- Fixed Timing Oracle in RSA Decryption Resolves: CVE-2022-4304- Fixed Double free after calling PEM_read_bio_ex Resolves: CVE-2022-4450- Fixed Use-after-free following BIO_new_NDEF Resolves: CVE-2023-0215- Fixed Invalid pointer dereference in d2i_PKCS7 functions Resolves: CVE-2023-0216- Fixed NULL dereference validating DSA public key Resolves: CVE-2023-0217- Fixed X.400 address type confusion in X.509 GeneralName Resolves: CVE-2023-0286- Fixed NULL dereference during PKCS7 data verification Resolves: CVE-2023-0401 * Wed Jan 11 2023 Clemens Lang - 1:3.0.7-4- Disallow SHAKE in RSA-OAEP decryption in FIPS mode Resolves: rhbz#2142121 * Thu Jan 05 2023 Dmitry Belyavskiy - 1:3.0.7-3- Refactor OpenSSL fips module MAC verification Resolves: rhbz#2157965 * Thu Nov 24 2022 Dmitry Belyavskiy - 1:3.0.7-2- Various provider-related imrovements necessary for PKCS#11 provider correct operations Resolves: rhbz#2142517- We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream Resolves: rhbz#2133809- Removed recommended package for openssl-libs Resolves: rhbz#2093804- Adjusting include for the FIPS_mode macro Resolves: rhbz#2083879- Backport of ppc64le Montgomery multiply enhancement Resolves: rhbz#2130708- Fix explicit indicator for PSS salt length in FIPS mode when used with negative magic values Resolves: rhbz#2142087- Update change to default PSS salt length with patch state from upstream Related: rhbz#2142087 * Tue Nov 22 2022 Dmitry Belyavskiy - 1:3.0.7-1- Rebasing to OpenSSL 3.0.7 Resolves: rhbz#2129063 * Mon Nov 14 2022 Dmitry Belyavskiy - 1:3.0.1-44- SHAKE-128/256 are not allowed with RSA in FIPS mode Resolves: rhbz#2144010- Avoid memory leaks in TLS Resolves: rhbz#2144008- FIPS RSA CRT tests must use correct parameters Resolves: rhbz#2144006- FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC Resolves: rhbz#2144017- Remove support for X9.31 signature padding in FIPS mode Resolves: rhbz#2144015- Add explicit indicator for SP 800-108 KDFs with short key lengths Resolves: rhbz#2144019- Add explicit indicator for HMAC with short key lengths Resolves: rhbz#2144000- Set minimum password length for PBKDF2 in FIPS mode Resolves: rhbz#2144003- Add explicit indicator for PSS salt length in FIPS mode Resolves: rhbz#2144012- Clamp default PSS salt length to digest size for FIPS 186-4 compliance Related: rhbz#2144012- Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode Resolves: rhbz#2145170 * Tue Nov 01 2022 Michel Alexandre Salim 3.0.1-43.1- Merge c9s openssl changes to pick up CVE fixes * Tue Nov 01 2022 Dmitry Belyavskiy - 1:3.0.1-43- CVE-2022-3602: X.509 Email Address Buffer Overflow- CVE-2022-3786: X.509 Email Address Buffer Overflow Resolves: CVE-2022-3602 * Wed Oct 26 2022 Dmitry Belyavskiy - 1:3.0.1-42- CVE-2022-3602: X.509 Email Address Buffer Overflow Resolves: CVE-2022-3602 (rhbz#2137723) * Tue Sep 27 2022 Michel Alexandre Salim 3.0.1-41.1- Merge c9s openssl changes to pick up CVE fixes * Thu Aug 11 2022 Clemens Lang - 1:3.0.1-41- Zeroize public keys as required by FIPS 140-3 Related: rhbz#2102542- Add FIPS indicator for HKDF Related: rhbz#2114772 * Fri Aug 05 2022 Dmitry Belyavskiy - 1:3.0.1-40- Deal with DH keys in FIPS mode according FIPS-140-3 requirements Related: rhbz#2102536- Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements Related: rhbz#2102537- Use signature for RSA pairwise test according FIPS-140-3 requirements Related: rhbz#2102540- Reseed all the parent DRBGs in chain on reseeding a DRBG Related: rhbz#2102541 * Mon Aug 01 2022 Clemens Lang - 1:3.0.1-39- Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test- Use Use digest_sign & digest_verify in FIPS signature self test- Use FFDHE2048 in Diffie-Hellman FIPS self-test Resolves: rhbz#2102535 * Thu Jul 14 2022 Clemens Lang - 1:3.0.1-38- Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously initialized. Resolves: rhbz#2103289- Improve AES-GCM performance on Power9 and Power10 ppc64le Resolves: rhbz#2051312- Improve ChaCha20 performance on Power10 ppc64le Resolves: rhbz#2051312 * Tue Jul 05 2022 Clemens Lang - 1:3.0.1-37- CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 Resolves: CVE-2022-2097 * Thu Jun 16 2022 Dmitry Belyavskiy - 1:3.0.1-36- Ciphersuites with RSAPSK KX should be filterd in FIPS mode- Related: rhbz#2085088- FIPS provider should block RSA encryption for key transport.- Other RSA encryption options should still be available if key length is enough- Related: rhbz#2053289- Improve diagnostics when passing unsupported groups in TLS- Related: rhbz#2070197- Fix PPC64 Montgomery multiplication bug- Related: rhbz#2098199- Strict certificates validation shouldn\'t allow explicit EC parameters- Related: rhbz#2058663- CVE-2022-2068: the c_rehash script allows command injection- Related: rhbz#2098277 * Wed Jun 08 2022 Clemens Lang - 1:3.0.1-35- Add explicit indicators for signatures in FIPS mode and mark signature primitives as unapproved. Resolves: rhbz#2087147 * Fri Jun 03 2022 Dmitry Belyavskiy - 1:3.0.1-34- Some OpenSSL test certificates are expired, updating- Resolves: rhbz#2092456 * Thu May 26 2022 Dmitry Belyavskiy - 1:3.0.1-33- CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory- Resolves: rhbz#2089444- CVE-2022-1343 openssl: Signer certificate verification returned inaccurate response when using OCSP_NOCHECKS- Resolves: rhbz#2087911- CVE-2022-1292 openssl: c_rehash script allows command injection- Resolves: rhbz#2090362- Revert \"Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode\" Related: rhbz#2087147- Use KAT for ECDSA signature tests, s390 arch- Resolves: rhbz#2069235 * Thu May 19 2022 Dmitry Belyavskiy - 1:3.0.1-32- `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode- Resolves: rhbz#2083240- Ciphersuites with RSA KX should be filterd in FIPS mode- Related: rhbz#2085088- In FIPS mode, signature verification works with keys of arbitrary size above 2048 bit, and only with 1024, 1280, 1536, 1792 bits for keys below 2048 bits- Resolves: rhbz#2077884 * Wed May 18 2022 Clemens Lang - 1:3.0.1-31- Disable SHA-1 signature verification in FIPS mode- Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode Resolves: rhbz#2087147 * Mon May 16 2022 Dmitry Belyavskiy - 1:3.0.1-30- Use KAT for ECDSA signature tests- Resolves: rhbz#2069235 * Thu May 12 2022 Dmitry Belyavskiy - 1:3.0.1-29- `-config` argument of openssl app should work properly in FIPS mode- Resolves: rhbz#2083274- openssl req defaults on PKCS#8 encryption changed to AES-256-CBC- Resolves: rhbz#2063947 * Fri May 06 2022 Dmitry Belyavskiy - 1:3.0.1-28- OpenSSL should not accept custom elliptic curve parameters- Resolves rhbz#2066412- OpenSSL should not accept explicit curve parameters in FIPS mode- Resolves rhbz#2058663 * Fri May 06 2022 Clemens Lang - 1:3.0.1-27- Change FIPS module version to include hash of specfile, patches and sources Resolves: rhbz#2070550 * Thu May 05 2022 Dmitry Belyavskiy - 1:3.0.1-26- OpenSSL FIPS module should not build in non-approved algorithms- Resolves: rhbz#2081378 * Mon May 02 2022 Dmitry Belyavskiy - 1:3.0.1-25- FIPS provider should block RSA encryption for key transport.- Other RSA encryption options should still be available- Resolves: rhbz#2053289 * Thu Apr 28 2022 Clemens Lang - 1:3.0.1-24- Fix regression in evp_pkey_name2type caused by tr_TR locale fix Resolves: rhbz#2071631 * Wed Apr 20 2022 Dmitry Belyavskiy - 1:3.0.1-23- Fix openssl curl error with LANG=tr_TR.utf8- Resolves: rhbz#2071631 * Mon Mar 28 2022 Dmitry Belyavskiy - 1:3.0.1-22- FIPS provider should block RSA encryption for key transport- Resolves: rhbz#2053289 * Tue Mar 22 2022 Clemens Lang - 1:3.0.1-21- Fix occasional internal error in TLS when DHE is used- Resolves: rhbz#2004915 * Fri Mar 18 2022 Clemens Lang - 1:3.0.1-20- Fix acceptance of SHA-1 certificates with rh-allow-sha1-signatures = yes when no OpenSSL library context is set- Resolves: rhbz#2065400 * Fri Mar 18 2022 Clemens Lang - 1:3.0.1-19- Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes- Resolves: rhbz#2065400 * Wed Mar 16 2022 Michel Alexandre Salim 3.0.1-18.1- Merge c9s openssl changes to pick up CVE-2022-0778 fix * Wed Mar 16 2022 Dmitry Belyavskiy - 1:3.0.1-18- CVE-2022-0778 fix- Resolves: rhbz#2062315 * Thu Mar 10 2022 Clemens Lang - 1:3.0.1-17- Fix invocation of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) before setting an allowed digest with EVP_PKEY_CTX_set_signature_md()- Skipping 3.0.1-16 due to version numbering confusion with the RHEL-9.0 branch- Resolves: rhbz#2062640 * Tue Mar 01 2022 Clemens Lang - 1:3.0.1-15- Allow SHA1 in SECLEVEL 2 if rh-allow-sha1-signatures = yes- Resolves: rhbz#2060510 * Fri Feb 25 2022 Clemens Lang - 1:3.0.1-14- Prevent use of SHA1 with ECDSA- Resolves: rhbz#2031742 * Fri Feb 25 2022 Dmitry Belyavskiy - 1:3.0.1-13- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters- Resolves: rhbz#1977867 * Thu Feb 24 2022 Peter Robinson - 1:3.0.1-12- Support KBKDF (NIST SP800-108) with an R value of 8bits- Resolves: rhbz#2027261 * Wed Feb 23 2022 Clemens Lang - 1:3.0.1-11- Allow SHA1 usage in MGF1 for RSASSA-PSS signatures- Resolves: rhbz#2031742 * Wed Feb 23 2022 Dmitry Belyavskiy - 1:3.0.1-10- rebuilt * Tue Feb 22 2022 Clemens Lang - 1:3.0.1-9- Allow SHA1 usage in HMAC in TLS- Resolves: rhbz#2031742 * Tue Feb 22 2022 Dmitry Belyavskiy - 1:3.0.1-8- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters- Resolves: rhbz#1977867- pkcs12 export broken in FIPS mode- Resolves: rhbz#2049265 * Tue Feb 22 2022 Clemens Lang - 1:3.0.1-8- Disable SHA1 signature creation and verification by default- Set rh-allow-sha1-signatures = yes to re-enable- Resolves: rhbz#2031742 * Thu Feb 03 2022 Sahana Prasad - 1:3.0.1-7- s_server: correctly handle 2^14 byte long records- Resolves: rhbz#2042011 * Tue Feb 01 2022 Dmitry Belyavskiy - 1:3.0.1-6- Adjust FIPS provider version- Related: rhbz#2026445 * Wed Jan 26 2022 Dmitry Belyavskiy - 1:3.0.1-5- On the s390x, zeroize all the copies of TLS premaster secret- Related: rhbz#2040448 * Fri Jan 21 2022 Dmitry Belyavskiy - 1:3.0.1-4- rebuilt * Fri Jan 21 2022 Dmitry Belyavskiy - 1:3.0.1-3- KATS tests should be executed before HMAC verification- Restoring fips=yes for SHA1- Related: rhbz#2026445, rhbz#2041994 * Thu Jan 20 2022 Sahana Prasad - 1:3.0.1-2- Add enable-buildtest-c++ to the configure options.- Related: rhbz#1990814 * Tue Jan 18 2022 Sahana Prasad - 1:3.0.1-1- Rebase to upstream version 3.0.1- Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl- Resolves: rhbz#2038910, rhbz#2035148 * Mon Jan 17 2022 Dmitry Belyavskiy - 1:3.0.0-7- Remove algorithms we don\'t plan to certify from fips module- Remove native fipsmodule.cnf- Related: rhbz#2026445 * Tue Dec 21 2021 Dmitry Belyavskiy - 1:3.0.0-6- openssl speed should run in FIPS mode- Related: rhbz#1977318 * Wed Nov 24 2021 Dmitry Belyavskiy - 1:3.0.0-5- rebuilt for spec cleanup- Related: rhbz#1985362 * Thu Nov 18 2021 Dmitry Belyavskiy - 1:3.0.0-4- Embed FIPS HMAC in fips.so- Enforce loading FIPS provider when FIPS kernel flag is on- Related: rhbz#1985362 * Wed Nov 17 2021 Michel Alexandre Salim - 3.0.0-3.1- Fork c9s\' openssl to openssl3 for epel8 (and possibly Fedora <= 35) * Thu Oct 07 2021 Dmitry Belyavskiy - 1:3.0.0-3- Fix memory leak in s_client- Related: rhbz#1996092 * Mon Sep 20 2021 Dmitry Belyavskiy - 1:3.0.0-2- Avoid double-free on error seeding the RNG.- KTLS and FIPS may interfere, so tests need to be tuned- Resolves: rhbz#1952844, rhbz#1961643 * Thu Sep 09 2021 Sahana Prasad - 1:3.0.0-1- Rebase to upstream version 3.0.0- Related: rhbz#1990814 * Wed Aug 25 2021 Sahana Prasad - 1:3.0.0-0.beta2.7- Removes the dual-abi build as it not required anymore. The mass rebuild was completed and all packages are rebuilt against Beta version.- Resolves: rhbz#1984097 * Mon Aug 23 2021 Dmitry Belyavskiy - 1:3.0.0-0.beta2.6- Correctly process CMS reading from /dev/stdin- Resolves: rhbz#1986315 * Mon Aug 16 2021 Sahana Prasad - 3.0.0-0.beta2.5- Add instruction for loading legacy provider in openssl.cnf- Resolves: rhbz#1975836 * Mon Aug 16 2021 Sahana Prasad - 3.0.0-0.beta2.4- Adds support for IDEA encryption.- Resolves: rhbz#1990602 * Tue Aug 10 2021 Sahana Prasad - 3.0.0-0.beta2.3- Fixes core dump in openssl req -modulus- Fixes \'openssl req\' to not ask for password when non-encrypted private key is used- cms: Do not try to check binary format on stdin and -rctform fix- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137 * Mon Aug 09 2021 Mohan Boddu - 1:3.0.0-0.beta2.2.1- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 * Wed Aug 04 2021 Dmitry Belyavskiy - 3.0.0-0.beta2.2- When signature_algorithm extension is omitted, use more relevant alerts- Resolves: rhbz#1965017 * Tue Aug 03 2021 Sahana Prasad 3.0.0-0.beta2.1- Rebase to upstream version beta2- Related: rhbz#1903209 * Thu Jul 22 2021 Sahana Prasad 3.0.0-0.beta1.5- Prevents creation of duplicate cert entries in PKCS #12 files- Resolves: rhbz#1978670 * Wed Jul 21 2021 Sahana Prasad 3.0.0-0.beta1.4- NVR bump to update to OpenSSL 3.0 Beta1 * Mon Jul 19 2021 Sahana Prasad 3.0.0-0.beta1.3- Update patch dual-abi.patch to add the #define macros in implementation files instead of public header files * Wed Jul 14 2021 Sahana Prasad 3.0.0-0.beta1.2- Removes unused patch dual-abi.patch * Wed Jul 14 2021 Sahana Prasad 3.0.0-0.beta1.1- Update to Beta1 version- Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16 * Tue Jul 06 2021 Sahana Prasad 3.0.0-0.alpha16.7- Fixes override of openssl_conf in openssl.cnf- Use AI_ADDRCONFIG only when explicit host name is given- Temporarily remove fipsmodule.cnf for arch i686- Fixes segmentation fault in BN_lebin2bn- Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855 * Fri Jul 02 2021 Sahana Prasad 3.0.0-0.alpha16.6- Adds FIPS mode compatibility patch (sahanaAATTredhat.com)- Related: rhbz#1977318 * Fri Jul 02 2021 Sahana Prasad 3.0.0-0.alpha16.5- Fixes system hang issue when booted in FIPS mode (sahanaAATTredhat.com)- Temporarily disable downstream FIPS patches- Related: rhbz#1977318 * Fri Jun 11 2021 Mohan Boddu 3.0.0-0.alpha16.4- Speeding up building openssl (dbelyavsAATTredhat.com) Resolves: rhbz#1903209 * Fri Jun 04 2021 Sahana Prasad 3.0.0-0.alpha16.3- Fix reading SPKAC data from stdin- Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448- Return 0 after cleanup in OPENSSL_init_crypto()- Cleanup the peer point formats on regotiation- Fix default digest to SHA256 * Thu May 27 2021 Sahana Prasad 3.0.0-0.alpha16.2- Enable FIPS via config options * Mon May 17 2021 Sahana Prasad 3.0.0-0.alpha16.1- Update to alpha 16 version Resolves: rhbz#1952901 openssl sends alert after orderly connection close * Mon Apr 26 2021 Sahana Prasad 3.0.0-0.alpha15.1- Update to alpha 15 version Resolves: rhbz#1903209, rhbz#1952598, * Fri Apr 16 2021 Mohan Boddu - 1:3.0.0-0.alpha13.1.1- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 * Fri Apr 09 2021 Sahana Prasad 3.0.0-0.alpha13.1- Update to new major release OpenSSL 3.0.0 alpha 13 Resolves: rhbz#1903209
|
|
|