Changelog for
vortex-2024-05-openssl-3.0.7-17.14.x86_64.rpm :
* Thu Jul 13 2023 Dmitry Belyavskiy - 1:3.0.7-17
- Add a workaround for lack of EMS in FIPS mode
  Resolves: rhbz#2222593
* Wed May 31 2023 Dmitry Belyavskiy - 1:3.0.7-16
- Fix possible DoS translating ASN.1 object identifiers
  Resolves: CVE-2023-2650
- Release the DRBG in global default libctx early
  Resolves: rhbz#2211396
* Tue May 23 2023 Clemens Lang - 1:3.0.7-15.1
- Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode
  Resolves: rhbz#2178030
* Fri May 05 2023 Dmitry Belyavskiy - 1:3.0.7-15
- Enforce using EMS in FIPS mode - alerts tuning
  Related: rhbz#2157951
* Fri Apr 21 2023 Dmitry Belyavskiy - 1:3.0.7-14
- Input buffer over-read in AES-XTS implementation on 64 bit ARM
  Resolves: rhbz#2188554
* Tue Apr 18 2023 Dmitry Belyavskiy - 1:3.0.7-13
- Enforce using EMS in FIPS mode
  Resolves: rhbz#2157951
- Fix excessive resource usage in verifying X509 policy constraints
  Resolves: rhbz#2186661
- Fix invalid certificate policies in leaf certificates check
  Resolves: rhbz#2187429
- Certificate policy check not enabled
  Resolves: rhbz#2187431
- OpenSSL rsa_verify_recover key length checks in FIPS mode
  Resolves: rhbz#2186819
* Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12
- Change explicit FIPS indicator for RSA decryption to unapproved
  Resolves: rhbz#2179379
* Mon Mar 20 2023 Clemens Lang - 1:3.0.7-11
- Add missing reference to patchfile to add explicit FIPS indicator to RSA encryption and RSASVE and fix the gettable parameter list for the RSA asymmetric cipher implementation.
  Resolves: rhbz#2179379
* Fri Mar 17 2023 Clemens Lang - 1:3.0.7-10
- Add explicit FIPS indicator to RSA encryption and RSASVE
  Resolves: rhbz#2179379
* Thu Mar 16 2023 Clemens Lang - 1:3.0.7-9
- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
  Resolves: rhbz#2175864
* Thu Mar 16 2023 Clemens Lang - 1:3.0.7-8
- Fix Wpointer-sign compiler warning
  Resolves: rhbz#2178034
* Tue Mar 14 2023 Clemens Lang - 1:3.0.7-7
- Add explicit FIPS indicators to key derivation functions
  Resolves: rhbz#2175860 rhbz#2175864
- Zeroize FIPS module integrity check MAC after check
  Resolves: rhbz#2175873
- Add explicit FIPS indicator for IV generation in AES-GCM
  Resolves: rhbz#2175868
- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant salt in PBKDF2 FIPS self-test
  Resolves: rhbz#2178137
- Limit RSA_NO_PADDING for encryption and signature in FIPS mode
  Resolves: rhbz#2178029
- Pairwise consistency tests should use Digest+Sign/Verify
  Resolves: rhbz#2178034
- Forbid DHX keys import in FIPS mode
  Resolves: rhbz#2178030
- DH PCT should abort on failure
  Resolves: rhbz#2178039
- Increase RNG seeding buffer size to 32
  Related: rhbz#2168224
* Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6
- Fixes RNG slowdown in FIPS mode
  Resolves: rhbz#2168224
* Wed Feb 08 2023 Dmitry Belyavskiy - 1:3.0.7-5
- Fixed X.509 Name Constraints Read Buffer Overflow
  Resolves: CVE-2022-4203
- Fixed Timing Oracle in RSA Decryption
  Resolves: CVE-2022-4304
- Fixed Double free after calling PEM_read_bio_ex
  Resolves: CVE-2022-4450
- Fixed Use-after-free following BIO_new_NDEF
  Resolves: CVE-2023-0215
- Fixed Invalid pointer dereference in d2i_PKCS7 functions
  Resolves: CVE-2023-0216
- Fixed NULL dereference validating DSA public key
  Resolves: CVE-2023-0217
- Fixed X.400 address type confusion in X.509 GeneralName
  Resolves: CVE-2023-0286
- Fixed NULL dereference during PKCS7 data verification
  Resolves: CVE-2023-0401
* Wed Jan 11 2023 Clemens Lang - 1:3.0.7-4
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
  Resolves: rhbz#2142121
* Thu Jan 05 2023 Dmitry Belyavskiy - 1:3.0.7-3
- Refactor OpenSSL fips module MAC verification
  Resolves: rhbz#2157965
* Thu Nov 24 2022 Dmitry Belyavskiy - 1:3.0.7-2
- Various provider-related improvements necessary for PKCS#11 provider correct operations
  Resolves: rhbz#2142517
- We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream
  Resolves: rhbz#2133809
- Removed recommended package for openssl-libs
  Resolves: rhbz#2093804
- Adjusting include for the FIPS_mode macro
  Resolves: rhbz#2083879
- Backport of ppc64le Montgomery multiply enhancement
  Resolves: rhbz#2130708
- Fix explicit indicator for PSS salt length in FIPS mode when used with negative magic values
  Resolves: rhbz#2142087
- Update change to default PSS salt length with patch state from upstream
  Related: rhbz#2142087
* Tue Nov 22 2022 Dmitry Belyavskiy - 1:3.0.7-1
- Rebasing to OpenSSL 3.0.7
  Resolves: rhbz#2129063
* Mon Nov 14 2022 Dmitry Belyavskiy - 1:3.0.1-44
- SHAKE-128/256 are not allowed with RSA in FIPS mode
  Resolves: rhbz#2144010
- Avoid memory leaks in TLS
  Resolves: rhbz#2144008
- FIPS RSA CRT tests must use correct parameters
  Resolves: rhbz#2144006
- FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC
  Resolves: rhbz#2144017
- Remove support for X9.31 signature padding in FIPS mode
  Resolves: rhbz#2144015
- Add explicit indicator for SP 800-108 KDFs with short key lengths
  Resolves: rhbz#2144019
- Add explicit indicator for HMAC with short key lengths
  Resolves: rhbz#2144000
- Set minimum password length for PBKDF2 in FIPS mode
  Resolves: rhbz#2144003
- Add explicit indicator for PSS salt length in FIPS mode
  Resolves: rhbz#2144012
- Clamp default PSS salt length to digest size for FIPS 186-4 compliance
  Related: rhbz#2144012
- Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode
  Resolves: rhbz#2145170
* Tue Nov 01 2022 Dmitry Belyavskiy - 1:3.0.1-43
- CVE-2022-3602: X.509 Email Address Buffer Overflow
- CVE-2022-3786: X.509 Email Address Buffer Overflow
  Resolves: CVE-2022-3602
* Wed Oct 26 2022 Dmitry Belyavskiy - 1:3.0.1-42
- CVE-2022-3602: X.509 Email Address Buffer Overflow
  Resolves: CVE-2022-3602 (rhbz#2137723)
* Thu Aug 11 2022 Clemens Lang - 1:3.0.1-41
- Zeroize public keys as required by FIPS 140-3
  Related: rhbz#2102542
- Add FIPS indicator for HKDF
  Related: rhbz#2114772
* Fri Aug 05 2022 Dmitry Belyavskiy - 1:3.0.1-40
- Deal with DH keys in FIPS mode according to FIPS-140-3 requirements
  Related: rhbz#2102536
- Deal with ECDH keys in FIPS mode according to FIPS-140-3 requirements
  Related: rhbz#2102537
- Use signature for RSA pairwise test according to FIPS-140-3 requirements
  Related: rhbz#2102540
- Reseed all the parent DRBGs in chain on reseeding a DRBG
  Related: rhbz#2102541
* Mon Aug 01 2022 Clemens Lang - 1:3.0.1-39
- Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test
- Use digest_sign & digest_verify in FIPS signature self test
- Use FFDHE2048 in Diffie-Hellman FIPS self-test
  Resolves: rhbz#2102535
* Thu Jul 14 2022 Clemens Lang - 1:3.0.1-38
- Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously initialized.
  Resolves: rhbz#2103289
- Improve AES-GCM performance on Power9 and Power10 ppc64le
  Resolves: rhbz#2051312
- Improve ChaCha20 performance on Power10 ppc64le
  Resolves: rhbz#2051312
* Tue Jul 05 2022 Clemens Lang - 1:3.0.1-37
- CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
  Resolves: CVE-2022-2097
* Thu Jun 16 2022 Dmitry Belyavskiy - 1:3.0.1-36
- Ciphersuites with RSAPSK KX should be filtered in FIPS mode
- Related: rhbz#2085088
- FIPS provider should block RSA encryption for key transport.
- Other RSA encryption options should still be available if key length is enough
- Related: rhbz#2053289
- Improve diagnostics when passing unsupported groups in TLS
- Related: rhbz#2070197
- Fix PPC64 Montgomery multiplication bug
- Related: rhbz#2098199
- Strict certificates validation shouldn't allow explicit EC parameters
- Related: rhbz#2058663
- CVE-2022-2068: the c_rehash script allows command injection
- Related: rhbz#2098277
* Wed Jun 08 2022 Clemens Lang - 1:3.0.1-35
- Add explicit indicators for signatures in FIPS mode and mark signature primitives as unapproved.
  Resolves: rhbz#2087147
* Fri Jun 03 2022 Dmitry Belyavskiy - 1:3.0.1-34
- Some OpenSSL test certificates are expired, updating
- Resolves: rhbz#2092456
* Thu May 26 2022 Dmitry Belyavskiy - 1:3.0.1-33
- CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
- Resolves: rhbz#2089444
- CVE-2022-1343 openssl: Signer certificate verification returned inaccurate response when using OCSP_NOCHECKS
- Resolves: rhbz#2087911
- CVE-2022-1292 openssl: c_rehash script allows command injection
- Resolves: rhbz#2090362
- Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode"
  Related: rhbz#2087147
- Use KAT for ECDSA signature tests, s390 arch
- Resolves: rhbz#2069235
* Thu May 19 2022 Dmitry Belyavskiy - 1:3.0.1-32
- `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
- Resolves: rhbz#2083240
- Ciphersuites with RSA KX should be filtered in FIPS mode
- Related: rhbz#2085088
- In FIPS mode, signature verification works with keys of arbitrary size above 2048 bit, and only with 1024, 1280, 1536, 1792 bits for keys below 2048 bits
- Resolves: rhbz#2077884
* Wed May 18 2022 Clemens Lang - 1:3.0.1-31
- Disable SHA-1 signature verification in FIPS mode
- Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode
  Resolves: rhbz#2087147
* Mon May 16 2022 Dmitry Belyavskiy - 1:3.0.1-30
- Use KAT for ECDSA signature tests
- Resolves: rhbz#2069235
* Thu May 12 2022 Dmitry Belyavskiy - 1:3.0.1-29
- `-config` argument of openssl app should work properly in FIPS mode
- Resolves: rhbz#2083274
- openssl req defaults on PKCS#8 encryption changed to AES-256-CBC
- Resolves: rhbz#2063947
* Fri May 06 2022 Dmitry Belyavskiy - 1:3.0.1-28
- OpenSSL should not accept custom elliptic curve parameters
- Resolves rhbz#2066412
- OpenSSL should not accept explicit curve parameters in FIPS mode
- Resolves rhbz#2058663
* Fri May 06 2022 Clemens Lang - 1:3.0.1-27
- Change FIPS module version to include hash of specfile, patches and sources
  Resolves: rhbz#2070550
* Thu May 05 2022 Dmitry Belyavskiy - 1:3.0.1-26
- OpenSSL FIPS module should not build in non-approved algorithms
- Resolves: rhbz#2081378
* Mon May 02 2022 Dmitry Belyavskiy - 1:3.0.1-25
- FIPS provider should block RSA encryption for key transport.
- Other RSA encryption options should still be available
- Resolves: rhbz#2053289
* Thu Apr 28 2022 Clemens Lang - 1:3.0.1-24
- Fix regression in evp_pkey_name2type caused by tr_TR locale fix
  Resolves: rhbz#2071631
* Wed Apr 20 2022 Dmitry Belyavskiy - 1:3.0.1-23
- Fix openssl curl error with LANG=tr_TR.utf8
- Resolves: rhbz#2071631
* Mon Mar 28 2022 Dmitry Belyavskiy - 1:3.0.1-22
- FIPS provider should block RSA encryption for key transport
- Resolves: rhbz#2053289
* Tue Mar 22 2022 Clemens Lang - 1:3.0.1-21
- Fix occasional internal error in TLS when DHE is used
- Resolves: rhbz#2004915
* Fri Mar 18 2022 Clemens Lang - 1:3.0.1-20
- Fix acceptance of SHA-1 certificates with rh-allow-sha1-signatures = yes when no OpenSSL library context is set
- Resolves: rhbz#2065400
* Fri Mar 18 2022 Clemens Lang - 1:3.0.1-19
- Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
- Resolves: rhbz#2065400
* Wed Mar 16 2022 Dmitry Belyavskiy - 1:3.0.1-18
- CVE-2022-0778 fix
- Resolves: rhbz#2062315
* Thu Mar 10 2022 Clemens Lang - 1:3.0.1-17
- Fix invocation of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) before setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
- Skipping 3.0.1-16 due to version numbering confusion with the RHEL-9.0 branch
- Resolves: rhbz#2062640
* Tue Mar 01 2022 Clemens Lang - 1:3.0.1-15
- Allow SHA1 in SECLEVEL 2 if rh-allow-sha1-signatures = yes
- Resolves: rhbz#2060510
* Fri Feb 25 2022 Clemens Lang - 1:3.0.1-14
- Prevent use of SHA1 with ECDSA
- Resolves: rhbz#2031742
* Fri Feb 25 2022 Dmitry Belyavskiy - 1:3.0.1-13
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
- Resolves: rhbz#1977867
* Thu Feb 24 2022 Peter Robinson - 1:3.0.1-12
- Support KBKDF (NIST SP800-108) with an R value of 8bits
- Resolves: rhbz#2027261
* Wed Feb 23 2022 Clemens Lang - 1:3.0.1-11
- Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
- Resolves: rhbz#2031742
* Wed Feb 23 2022 Dmitry Belyavskiy - 1:3.0.1-10
- rebuilt
* Tue Feb 22 2022 Clemens Lang - 1:3.0.1-9
- Allow SHA1 usage in HMAC in TLS
- Resolves: rhbz#2031742
* Tue Feb 22 2022 Dmitry Belyavskiy - 1:3.0.1-8
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
- Resolves: rhbz#1977867
- pkcs12 export broken in FIPS mode
- Resolves: rhbz#2049265
* Tue Feb 22 2022 Clemens Lang - 1:3.0.1-8
- Disable SHA1 signature creation and verification by default
- Set rh-allow-sha1-signatures = yes to re-enable
- Resolves: rhbz#2031742
* Thu Feb 03 2022 Sahana Prasad - 1:3.0.1-7
- s_server: correctly handle 2^14 byte long records
- Resolves: rhbz#2042011
* Tue Feb 01 2022 Dmitry Belyavskiy - 1:3.0.1-6
- Adjust FIPS provider version
- Related: rhbz#2026445
* Wed Jan 26 2022 Dmitry Belyavskiy - 1:3.0.1-5
- On the s390x, zeroize all the copies of TLS premaster secret
- Related: rhbz#2040448
* Fri Jan 21 2022 Dmitry Belyavskiy - 1:3.0.1-4
- rebuilt
* Fri Jan 21 2022 Dmitry Belyavskiy - 1:3.0.1-3
- KATS tests should be executed before HMAC verification
- Restoring fips=yes for SHA1
- Related: rhbz#2026445, rhbz#2041994
* Thu Jan 20 2022 Sahana Prasad - 1:3.0.1-2
- Add enable-buildtest-c++ to the configure options.
- Related: rhbz#1990814
* Tue Jan 18 2022 Sahana Prasad - 1:3.0.1-1
- Rebase to upstream version 3.0.1
- Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
- Resolves: rhbz#2038910, rhbz#2035148
* Mon Jan 17 2022 Dmitry Belyavskiy - 1:3.0.0-7
- Remove algorithms we don't plan to certify from fips module
- Remove native fipsmodule.cnf
- Related: rhbz#2026445
* Tue Dec 21 2021 Dmitry Belyavskiy - 1:3.0.0-6
- openssl speed should run in FIPS mode
- Related: rhbz#1977318
* Wed Nov 24 2021 Dmitry Belyavskiy - 1:3.0.0-5
- rebuilt for spec cleanup
- Related: rhbz#1985362
* Thu Nov 18 2021 Dmitry Belyavskiy - 1:3.0.0-4
- Embed FIPS HMAC in fips.so
- Enforce loading FIPS provider when FIPS kernel flag is on
- Related: rhbz#1985362
* Thu Oct 07 2021 Dmitry Belyavskiy - 1:3.0.0-3
- Fix memory leak in s_client
- Related: rhbz#1996092
* Mon Sep 20 2021 Dmitry Belyavskiy - 1:3.0.0-2
- Avoid double-free on error seeding the RNG.
- KTLS and FIPS may interfere, so tests need to be tuned
- Resolves: rhbz#1952844, rhbz#1961643
* Thu Sep 09 2021 Sahana Prasad - 1:3.0.0-1
- Rebase to upstream version 3.0.0
- Related: rhbz#1990814
* Wed Aug 25 2021 Sahana Prasad - 1:3.0.0-0.beta2.7
- Removes the dual-abi build as it is not required anymore. The mass rebuild was completed and all packages are rebuilt against Beta version.
- Resolves: rhbz#1984097
* Mon Aug 23 2021 Dmitry Belyavskiy - 1:3.0.0-0.beta2.6
- Correctly process CMS reading from /dev/stdin
- Resolves: rhbz#1986315
* Mon Aug 16 2021 Sahana Prasad - 3.0.0-0.beta2.5
- Add instruction for loading legacy provider in openssl.cnf
- Resolves: rhbz#1975836
* Mon Aug 16 2021 Sahana Prasad - 3.0.0-0.beta2.4
- Adds support for IDEA encryption.
- Resolves: rhbz#1990602
* Tue Aug 10 2021 Sahana Prasad - 3.0.0-0.beta2.3
- Fixes core dump in openssl req -modulus
- Fixes 'openssl req' to not ask for password when non-encrypted private key is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
* Mon Aug 09 2021 Mohan Boddu - 1:3.0.0-0.beta2.2.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
* Wed Aug 04 2021 Dmitry Belyavskiy - 3.0.0-0.beta2.2
- When signature_algorithm extension is omitted, use more relevant alerts
- Resolves: rhbz#1965017
* Tue Aug 03 2021 Sahana Prasad 3.0.0-0.beta2.1
- Rebase to upstream version beta2
- Related: rhbz#1903209
* Thu Jul 22 2021 Sahana Prasad 3.0.0-0.beta1.5
- Prevents creation of duplicate cert entries in PKCS #12 files
- Resolves: rhbz#1978670
* Wed Jul 21 2021 Sahana Prasad 3.0.0-0.beta1.4
- NVR bump to update to OpenSSL 3.0 Beta1
* Mon Jul 19 2021 Sahana Prasad 3.0.0-0.beta1.3
- Update patch dual-abi.patch to add the #define macros in implementation files instead of public header files
* Wed Jul 14 2021 Sahana Prasad 3.0.0-0.beta1.2
- Removes unused patch dual-abi.patch
* Wed Jul 14 2021 Sahana Prasad 3.0.0-0.beta1.1
- Update to Beta1 version
- Includes a patch to support dual-ABI, as Beta1 breaks ABI with alpha16