|
|
|
|
Changelog for libopenssl1_0_0-1.0.2u-security.132.44.i586.rpm :
* Mon Feb 26 2024 Dominique Leuenberger - Use %patch -P N instead of deprecated %patchN. * Tue Jan 30 2024 Otto Hollmann - Security fix: [bsc#1219243, CVE-2024-0727] * Add NULL checks where ContentInfo data can be NULL * Add openssl-CVE-2024-0727.patch * Mon Nov 13 2023 Otto Hollmann - Security fix: [bsc#1216922, CVE-2023-5678] * Fix excessive time spent in DH check / generation with large Q parameter value. * Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. * Add openssl-CVE-2023-5678.patch * Mon Aug 07 2023 Otto Hollmann - Security fix: (bsc#1213853, CVE-2023-3817) * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Add openssl-1_0-CVE-2023-3817.patch * Thu Jul 20 2023 Pedro Monreal - Security fix: [bsc#1213487, CVE-2023-3446] * Fix DH_check() excessive time with over sized modulus. * The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus (\"p\" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Add openssl-CVE-2023-3446.patch * Tue Jun 20 2023 Otto Hollmann - Improve cross-package provides/conflicts [boo#1210313] * Remove Conflicts: ssl * Add Conflicts: openssl(cli) * Wed Jun 14 2023 Otto Hollmann - Security Fix: [bsc#1207534, CVE-2022-4304] * Reworked the Fix for the Timing Oracle in RSA Decryption The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case compared to 1.1.1s. * Reworked openssl-CVE-2022-4304.patch * Refreshed patches: - openssl-CVE-2023-0286.patch - openssl-CVE-2023-0464.patch - openssl-CVE-2023-0465.patch * Mon Jun 05 2023 Pedro Monreal - FIPS: Merge libopenssl1_0_0-hmac package into the library [bsc#1185116] * Mon May 22 2023 Otto Hollmann - Security Fix: [CVE-2023-2650, bsc#1211430] * Possible DoS translating ASN.1 object identifiers * Add openssl-CVE-2023-2650.patch * Mon Apr 03 2023 Otto Hollmann - Security Fix: [CVE-2023-0465, bsc#1209878] * Invalid certificate policies in leaf certificates are silently ignored * Add openssl-CVE-2023-0465.patch- Security Fix: [CVE-2023-0466, bsc#1209873] * Certificate policy check not enabled * Add openssl-CVE-2023-0466.patch * Mon Mar 27 2023 Otto Hollmann - Security Fix: [CVE-2023-0464, bsc#1209624] * Excessive Resource Usage Verifying X.509 Policy Constraints * Add openssl-CVE-2023-0464.patch * Wed Mar 15 2023 Otto Hollmann - Pass over with spec-cleaner * Fri Feb 17 2023 Otto Hollmann - Fix DH key generation in FIPS mode, add support for constant BN for DH parameters [bsc#1202062] * Add patch: openssl-fips_fix_DH_key_generation.patch * Tue Feb 07 2023 Otto Hollmann - Security Fix: [bsc#1207533, CVE-2023-0286] * Fix X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address * Add openssl-CVE-2023-0286.patch- Security Fix: [bsc#1207536, CVE-2023-0215] * Use-after-free following BIO_new_NDEF() * Add patches: - openssl-CVE-2023-0215-1of4.patch - openssl-CVE-2023-0215-3of4.patch - openssl-CVE-2023-0215-4of4.patch- Security Fix: [bsc#1207534, CVE-2022-4304] * Timing Oracle in RSA Decryption * Add openssl-CVE-2022-4304.patch- Security Fix: [bsc#1179491, CVE-2020-1971] * Fix EDIPARTYNAME NULL pointer dereference * Add openssl-CVE-2020-1971.patch * Mon Jan 02 2023 Otto Hollmann - Update further expiring certificates that affect tests [bsc#1201627] * Add openssl-Update-further-expiring-certificates.patch * Sat Sep 24 2022 Jason Sikes - Added openssl-1_0_0-paramgen-default_to_rfc7919.patch * bsc#1180995 * Default to RFC7919 groups when generating ECDH parameters using \'genpkey\' or \'dhparam\' in FIPS mode. * Tue Jun 28 2022 Andreas Schwab - openssl-riscv64-config.patch: backport of riscv64 config support * Thu Jun 23 2022 Jason Sikes - Added openssl-1_0_0-Fix-file-operations-in-c_rehash.patch * bsc#1200550 * CVE-2022-2068 * Fixed more shell code injection issues in c_rehash * Tue Jun 21 2022 Jan Engelhardt - Adjust rpmlintrc to apply to all arches. * Mon May 30 2022 Jason Sikes - Security fix: [bsc#1199166, CVE-2022-1292] * Added: openssl-CVE-2022-1292.patch * properly sanitise shell metacharacters in c_rehash script. * Fri May 13 2022 Jan Engelhardt - Add an rpmlintrc for shlib-policy-name-error/multibuild case. * Thu Apr 21 2022 Dirk Müller - update openssl-fips_cavs_aes_keywrap.patch to avoid (nonexploitable) format-string vulnerability * Sun Aug 29 2021 Jason Sikes - Several OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. * CVE-2021-3712 continued * bsc#1189521 * Add CVE-2021-3712-ASN1_STRING-issues.patch * Sourced from openssl-CVE-2021-3712.tar.bz2 posted on bsc-1189521 2021-08-24 00:47 PDT by Marcus Meissner and from https://github.com/openssl/openssl/commit/d9d838ddc0ed083fb4c26dd067e71aad7c65ad16 * Mon Jul 12 2021 Jason Sikes - Add safe primes to DH parameter generation * RFC7919 and RFC3526 * bsc#1180995 * Added openssl-add_rfc3526_rfc7919.patch * Added openssl-DH.patch * Genpkey: \"-pkeyopt dh_param:\" can now choose modp_ * (rfc3526) and ffdhe * (rfc7919) groups. Example: $ openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:ffdhe4096 * Sat Jun 26 2021 Jason Sikes - link binaries as position independent executables * added openssl-1.0.0-pic-pie.patch * bsc#1186495 * Wed Mar 03 2021 Pedro Monreal - Security fixes: * Integer overflow in CipherUpdate: Incorrect SSLv2 rollback protection [bsc#1182333, CVE-2021-23840] * Null pointer deref in X509_issuer_and_serial_hash() [bsc#1182331, CVE-2021-23841]- Add openssl-CVE-2021-23840.patch openssl-CVE-2021-23841.patch
|
|
|