diff options
| author | Anas Nashif <anas.nashif@intel.com> | 2012-11-28 08:32:17 -0800 |
|---|---|---|
| committer | John L. Whiteman <john.l.whiteman@intel.com> | 2014-06-20 11:22:26 -0700 |
| commit | 302fd50a9e5e1db25c5a401983bd0ee190304ad2 (patch) | |
| tree | a999558652b9a112b6b4e416c1b740a7cf4ad9ef | |
| parent | b335cde01728e4250999bbc5144f5632c3b8d1bb (diff) | |
| download | openssl-302fd50a9e5e1db25c5a401983bd0ee190304ad2.tar.gz openssl-302fd50a9e5e1db25c5a401983bd0ee190304ad2.tar.bz2 openssl-302fd50a9e5e1db25c5a401983bd0ee190304ad2.zip | |
remove patches
| -rw-r--r-- | packaging/baselibs.conf | 4 | ||||
| -rw-r--r-- | packaging/bug610223.patch | 14 | ||||
| -rw-r--r-- | packaging/merge_from_0.9.8k.patch | 70 | ||||
| -rw-r--r-- | packaging/openssl-1.0.0-c_rehash-compat.diff | 45 | ||||
| -rw-r--r-- | packaging/openssl-ocloexec.patch | 166 | ||||
| -rw-r--r-- | packaging/openssl.changes | 1384 | ||||
| -rw-r--r-- | packaging/openssl.test | 2 |
7 files changed, 6 insertions, 1679 deletions
diff --git a/packaging/baselibs.conf b/packaging/baselibs.conf index aee4346..8686b26 100644 --- a/packaging/baselibs.conf +++ b/packaging/baselibs.conf @@ -1,5 +1,5 @@ -libopenssl1_0_0 +libopenssl obsoletes "openssl-<targettype> <= <version>" libopenssl-devel requires -libopenssl-<targettype> - requires "libopenssl1_0_0-<targettype> = <version>" + requires "libopenssl-<targettype> = <version>" diff --git a/packaging/bug610223.patch b/packaging/bug610223.patch deleted file mode 100644 index ba4f062..0000000 --- a/packaging/bug610223.patch +++ /dev/null @@ -1,14 +0,0 @@ -Index: openssl-1.0.0/Configure -=================================================================== ---- openssl-1.0.0.orig/Configure -+++ openssl-1.0.0/Configure -@@ -1673,7 +1673,8 @@ while (<IN>) - } - elsif (/^#define\s+ENGINESDIR/) - { -- my $foo = "$prefix/$libdir/engines"; -+ #my $foo = "$prefix/$libdir/engines"; -+ my $foo = "/$libdir/engines"; - $foo =~ s/\\/\\\\/g; - print OUT "#define ENGINESDIR \"$foo\"\n"; - } diff --git a/packaging/merge_from_0.9.8k.patch b/packaging/merge_from_0.9.8k.patch deleted file mode 100644 index 55d9f04..0000000 --- a/packaging/merge_from_0.9.8k.patch +++ /dev/null @@ -1,70 +0,0 @@ ---- openssl-1.0.1c.orig/Configure -+++ openssl-1.0.1c/Configure -@@ -931,7 +931,7 @@ PROCESS_ARGS: - } - else - { -- die "target already defined - $target (offending arg: $_)\n" if ($target ne ""); -+ warn "target already defined - $target (offending arg: $_)\n" if ($target ne ""); - $target=$_; - } - -@@ -1204,7 +1204,7 @@ if ($target =~ /^mingw/ && `$cc --target - my $no_shared_warn=0; - my $no_user_cflags=0; - --if ($flags ne "") { $cflags="$flags$cflags"; } -+if ($flags ne "") { $cflags="$cflags $flags"; } - else { $no_user_cflags=1; } - - # Kerberos settings. The flavor must be provided from outside, either through ---- openssl-1.0.1c.orig/config -+++ openssl-1.0.1c/config -@@ -573,7 +573,8 @@ case "$GUESSOS" in - options="$options -arch%20${MACHINE}" - OUT="iphoneos-cross" ;; - alpha-*-linux2) -- ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` -+ #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` -+ ISA=EV56 - case ${ISA:-generic} in - *[678]) OUT="linux-alpha+bwx-$CC" ;; - *) OUT="linux-alpha-$CC" ;; -@@ -593,7 +594,8 @@ case "$GUESSOS" in - echo " You have about 5 seconds to press Ctrl-C to abort." - (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1 - fi -- OUT="linux-ppc" -+ # we have the target and force it here -+ OUT="linux-ppc64" - ;; - ppc-*-linux2) OUT="linux-ppc" ;; - ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;; -@@ -614,10 +616,10 @@ case "$GUESSOS" in - sparc-*-linux2) - KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo` - case ${KARCH:-sun4} in -- sun4u*) OUT="linux-sparcv9" ;; -- sun4m) OUT="linux-sparcv8" ;; -- sun4d) OUT="linux-sparcv8" ;; -- *) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;; -+# sun4u*) OUT="linux-sparcv9" ;; -+# sun4m) OUT="linux-sparcv8" ;; -+# sun4d) OUT="linux-sparcv8" ;; -+ *) OUT="linux-sparcv8" ;; - esac ;; - parisc*-*-linux2) - # 64-bit builds under parisc64 linux are not supported and -@@ -636,7 +638,11 @@ case "$GUESSOS" in - # PA8500 -> 8000 (2.0) - # PA8600 -> 8000 (2.0) - -- CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'` -+ # CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'` -+ # lets have CPUSCHEDULE for 1.1: -+ CPUSCHEDULE=7100LC -+ # we want to support 1.1 CPUs as well: -+ CPUARCH=1.1 - # Finish Model transformations - - options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH" diff --git a/packaging/openssl-1.0.0-c_rehash-compat.diff b/packaging/openssl-1.0.0-c_rehash-compat.diff deleted file mode 100644 index ec618e2..0000000 --- a/packaging/openssl-1.0.0-c_rehash-compat.diff +++ /dev/null @@ -1,45 +0,0 @@ -From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001 -From: Ludwig Nussel <ludwig.nussel@suse.de> -Date: Wed, 21 Apr 2010 15:52:10 +0200 -Subject: [PATCH] also create old hash for compatibility - ---- - tools/c_rehash.in | 8 +++++++- - 1 files changed, 7 insertions(+), 1 deletions(-) - -diff --git a/tools/c_rehash.in b/tools/c_rehash.in -index bfc4a69..f8d0ce1 100644 ---- a/tools/c_rehash.in -+++ b/tools/c_rehash.in -@@ -83,6 +83,7 @@ sub hash_dir { - next; - } - link_hash_cert($fname) if($cert); -+ link_hash_cert_old($fname) if($cert); - link_hash_crl($fname) if($crl); - } - } -@@ -116,8 +117,9 @@ sub check_file { - - sub link_hash_cert { - my $fname = $_[0]; -+ my $hashopt = $_[1] || '-subject_hash'; - $fname =~ s/'/'\\''/g; -- my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`; -+ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; -@@ -147,6 +149,10 @@ sub link_hash_cert { - $hashlist{$hash} = $fprint; - } - -+sub link_hash_cert_old { -+ link_hash_cert($_[0], '-subject_hash_old'); -+} -+ - # Same as above except for a CRL. CRL links are of the form <hash>.r<n> - - sub link_hash_crl { --- -1.6.4.2 diff --git a/packaging/openssl-ocloexec.patch b/packaging/openssl-ocloexec.patch deleted file mode 100644 index e3c723c..0000000 --- a/packaging/openssl-ocloexec.patch +++ /dev/null @@ -1,166 +0,0 @@ ---- crypto/bio/b_sock.c.orig -+++ crypto/bio/b_sock.c -@@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in - } - - again: -- s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); -+ s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); - if (s == INVALID_SOCKET) - { - SYSerr(SYS_F_SOCKET,get_last_socket_error()); -@@ -784,7 +784,7 @@ again: - } - else goto err; - } -- cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); -+ cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); - if (cs != INVALID_SOCKET) - { - int ii; ---- crypto/bio/bss_conn.c.orig -+++ crypto/bio/bss_conn.c -@@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC - c->them.sin_addr.s_addr=htonl(l); - c->state=BIO_CONN_S_CREATE_SOCKET; - -- ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); -+ ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); - if (ret == INVALID_SOCKET) - { - SYSerr(SYS_F_SOCKET,get_last_socket_error()); ---- crypto/bio/bss_dgram.c.orig -+++ crypto/bio/bss_dgram.c -@@ -999,7 +999,7 @@ static int dgram_sctp_read(BIO *b, char - msg.msg_control = cmsgbuf; - msg.msg_controllen = 512; - msg.msg_flags = 0; -- n = recvmsg(b->num, &msg, 0); -+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); - - if (msg.msg_controllen > 0) - { -@@ -1560,7 +1560,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) - msg.msg_controllen = 0; - msg.msg_flags = 0; - -- n = recvmsg(b->num, &msg, MSG_PEEK); -+ n = recvmsg(b->num, &msg, MSG_PEEK| MSG_CMSG_CLOEXEC); - if (n <= 0) - { - if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) -@@ -1583,7 +1583,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) - msg.msg_controllen = 0; - msg.msg_flags = 0; - -- n = recvmsg(b->num, &msg, 0); -+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); - if (n <= 0) - { - if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) -@@ -1644,7 +1644,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) - fcntl(b->num, F_SETFL, O_NONBLOCK); - } - -- n = recvmsg(b->num, &msg, MSG_PEEK); -+ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC); - - if (is_dry) - { -@@ -1688,7 +1688,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) - - sockflags = fcntl(b->num, F_GETFL, 0); - fcntl(b->num, F_SETFL, O_NONBLOCK); -- n = recvmsg(b->num, &msg, MSG_PEEK); -+ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC); - fcntl(b->num, F_SETFL, sockflags); - - /* if notification, process and try again */ -@@ -1709,7 +1709,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) - msg.msg_control = NULL; - msg.msg_controllen = 0; - msg.msg_flags = 0; -- n = recvmsg(b->num, &msg, 0); -+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); - - if (data->handle_notifications != NULL) - data->handle_notifications(b, data->notification_context, (void*) &snp); ---- crypto/bio/bss_file.c.orig -+++ crypto/bio/bss_file.c -@@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename, - { - BIO *ret; - FILE *file=NULL; -+ size_t modelen = strlen (mode); -+ char newmode[modelen + 2]; -+ -+ memcpy (mempcpy (newmode, mode, modelen), "e", 2); - - #if defined(_WIN32) && defined(CP_UTF8) - int sz, len_0 = (int)strlen(filename)+1; -@@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename, - file = fopen(filename,mode); - } - #else -- file=fopen(filename,mode); -+ file=fopen(filename,newmode); - #endif - if (file == NULL) - { -@@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b - long ret=1; - FILE *fp=(FILE *)b->ptr; - FILE **fpp; -- char p[4]; -+ char p[5]; - - switch (cmd) - { -@@ -392,6 +396,8 @@ static long MS_CALLBACK file_ctrl(BIO *b - else - strcat(p,"t"); - #endif -+ strcat(p, "e"); -+ - fp=fopen(ptr,p); - if (fp == NULL) - { ---- crypto/rand/rand_unix.c.orig -+++ crypto/rand/rand_unix.c -@@ -262,7 +262,7 @@ int RAND_poll(void) - for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) && - (n < ENTROPY_NEEDED); i++) - { -- if ((fd = open(randomfiles[i], O_RDONLY -+ if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC - #ifdef O_NONBLOCK - |O_NONBLOCK - #endif ---- crypto/rand/randfile.c.orig -+++ crypto/rand/randfile.c -@@ -134,7 +134,7 @@ int RAND_load_file(const char *file, lon - #ifdef OPENSSL_SYS_VMS - in=vms_fopen(file,"rb",VMS_OPEN_ATTRS); - #else -- in=fopen(file,"rb"); -+ in=fopen(file,"rbe"); - #endif - if (in == NULL) goto err; - #if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO) -@@ -207,7 +207,7 @@ int RAND_write_file(const char *file) - #endif - /* chmod(..., 0600) is too late to protect the file, - * permissions should be restrictive from the start */ -- int fd = open(file, O_WRONLY|O_CREAT|O_BINARY, 0600); -+ int fd = open(file, O_WRONLY|O_CREAT|O_BINARY|O_CLOEXEC, 0600); - if (fd != -1) - out = fdopen(fd, "wb"); - } -@@ -238,7 +238,7 @@ int RAND_write_file(const char *file) - out = vms_fopen(file,"wb",VMS_OPEN_ATTRS); - #else - if (out == NULL) -- out = fopen(file,"wb"); -+ out = fopen(file,"wbe"); - #endif - if (out == NULL) goto err; diff --git a/packaging/openssl.changes b/packaging/openssl.changes index 4b957b7..f6e46d1 100644 --- a/packaging/openssl.changes +++ b/packaging/openssl.changes @@ -1,1381 +1,5 @@ -------------------------------------------------------------------- -Sun Aug 19 23:38:32 UTC 2012 - crrodriguez@opensuse.org +* Wed Nov 28 2012 Anas Nashif <anas.nashif@intel.com> upstream/1.0.1c@bc70029 +- remove patches +- enable md2 +- Imported Upstream version 1.0.1c -- Open Internal file descriptors with O_CLOEXEC, leaving - those open across fork()..execve() makes a perfect - vector for a side-channel attack... - -------------------------------------------------------------------- -Tue Aug 7 17:17:34 UTC 2012 - dmueller@suse.com - -- fix build on armv5 (bnc#774710) - -------------------------------------------------------------------- -Thu May 10 19:18:06 UTC 2012 - crrodriguez@opensuse.org - -- Update to version 1.0.1c for the complete list of changes see - NEWS, this only list packaging changes. -- Drop aes-ni patch, no longer needed as it is builtin in openssl - now. -- Define GNU_SOURCE and use -std=gnu99 to build the package. -- Use LFS_CFLAGS in platforms where it matters. - -------------------------------------------------------------------- -Fri May 4 12:09:57 UTC 2012 - lnussel@suse.de - -- don't install any demo or expired certs at all - -------------------------------------------------------------------- -Mon Apr 23 05:57:35 UTC 2012 - gjhe@suse.com - -- update to latest stable verison 1.0.0i - including the following patches: - CVE-2012-2110.path - Bug748738_Tolerate_bad_MIME_headers.patch - bug749213-Free-headers-after-use.patch - bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch - CVE-2012-1165.patch - CVE-2012-0884.patch - bug749735.patch - -------------------------------------------------------------------- -Tue Mar 27 09:16:37 UTC 2012 - gjhe@suse.com - -- fix bug[bnc#749735] - Memory leak when creating public keys. - fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack - CVE-2012-0884 - -------------------------------------------------------------------- -Thu Mar 22 03:24:20 UTC 2012 - gjhe@suse.com - -- fix bug[bnc#751946] - S/MIME verification may erroneously fail - CVE-2012-1165 - -------------------------------------------------------------------- -Wed Mar 21 02:44:41 UTC 2012 - gjhe@suse.com - -- fix bug[bnc#749213]-Free headers after use in error message - and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt - -------------------------------------------------------------------- -Tue Mar 20 14:29:24 UTC 2012 - cfarrell@suse.com - -- license update: OpenSSL - -------------------------------------------------------------------- -Fri Feb 24 02:33:22 UTC 2012 - gjhe@suse.com - -- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's - asn1 parser. - CVE-2006-7250 - -------------------------------------------------------------------- -Thu Feb 2 06:55:12 UTC 2012 - gjhe@suse.com - -- Update to version 1.0.0g fix the following: - DTLS DoS attack (CVE-2012-0050) - -------------------------------------------------------------------- -Wed Jan 11 05:35:18 UTC 2012 - gjhe@suse.com - -- Update to version 1.0.0f fix the following: - DTLS Plaintext Recovery Attack (CVE-2011-4108) - Uninitialized SSL 3.0 Padding (CVE-2011-4576) - Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577) - SGC Restart DoS Attack (CVE-2011-4619) - Invalid GOST parameters DoS Attack (CVE-2012-0027) - -------------------------------------------------------------------- -Tue Oct 18 16:43:50 UTC 2011 - crrodriguez@opensuse.org - -- AES-NI: Check the return value of Engine_add() - if the ENGINE_add() call fails: it ends up adding a reference - to a freed up ENGINE which is likely to subsequently contain garbage - This will happen if an ENGINE with the same name is added multiple - times,for example different libraries. [bnc#720601] - -------------------------------------------------------------------- -Sat Oct 8 21:36:58 UTC 2011 - crrodriguez@opensuse.org - -- Build with -DSSL_FORBID_ENULL so servers are not - able to use the NULL encryption ciphers (Those offering no - encryption whatsoever). - -------------------------------------------------------------------- -Wed Sep 7 14:29:41 UTC 2011 - crrodriguez@opensuse.org - -- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210 - see http://openssl.org/news/secadv_20110906.txt for details. - -------------------------------------------------------------------- -Sat Aug 6 00:33:47 UTC 2011 - crrodriguez@opensuse.org - -- Add upstream patch that calls ENGINE_register_all_complete() - in ENGINE_load_builtin_engines() saving us from adding dozens - of calls to such function to calling applications. - -------------------------------------------------------------------- -Fri Aug 5 19:09:42 UTC 2011 - crrodriguez@opensuse.org - -- remove -fno-strict-aliasing from CFLAGS no longer needed - and is likely to slow down stuff. - -------------------------------------------------------------------- -Mon Jul 25 19:07:32 UTC 2011 - jengelh@medozas.de - -- Edit baselibs.conf to provide libopenssl-devel-32bit too - -------------------------------------------------------------------- -Fri Jun 24 04:51:50 UTC 2011 - gjhe@novell.com - -- update to latest stable version 1.0.0d. - patch removed(already in the new package): - CVE-2011-0014 - patch added: - ECDSA_signatures_timing_attack.patch - -------------------------------------------------------------------- -Tue May 31 07:07:49 UTC 2011 - gjhe@novell.com - -- fix bug[bnc#693027]. - Add protection against ECDSA timing attacks as mentioned in the paper - by Billy Bob Brumley and Nicola Tuveri, see: - http://eprint.iacr.org/2011/232.pdf - [Billy Bob Brumley and Nicola Tuveri] - -------------------------------------------------------------------- -Mon May 16 14:38:26 UTC 2011 - andrea@opensuse.org - -- added openssl as dependency in the devel package - -------------------------------------------------------------------- -Thu Feb 10 07:42:01 UTC 2011 - gjhe@novell.com - -- fix bug [bnc#670526] - CVE-2011-0014,OCSP stapling vulnerability - -------------------------------------------------------------------- -Sat Jan 15 19:58:51 UTC 2011 - cristian.rodriguez@opensuse.org - -- Add patch from upstream in order to support AES-NI instruction - set present on current Intel and AMD processors - -------------------------------------------------------------------- -Mon Jan 10 11:45:27 CET 2011 - meissner@suse.de - -- enable -DPURIFY to avoid valgrind errors. - -------------------------------------------------------------------- -Thu Dec 9 07:04:32 UTC 2010 - gjhe@novell.com - -- update to stable version 1.0.0c. - patch included: - CVE-2010-1633_and_CVE-2010-0742.patch - patchset-19727.diff - CVE-2010-2939.patch - CVE-2010-3864.patch - -------------------------------------------------------------------- -Thu Nov 18 07:53:12 UTC 2010 - gjhe@novell.com - -- fix bug [bnc#651003] - CVE-2010-3864 - -------------------------------------------------------------------- -Sat Sep 25 08:55:02 UTC 2010 - gjhe@novell.com - -- fix bug [bnc#629905] - CVE-2010-2939 - -------------------------------------------------------------------- -Wed Jul 28 20:55:18 UTC 2010 - cristian.rodriguez@opensuse.org - -- Exclude static libraries, see what breaks and fix that - instead - -------------------------------------------------------------------- -Wed Jun 30 08:47:39 UTC 2010 - jengelh@medozas.de - -- fix two compile errors on SPARC - -------------------------------------------------------------------- -Tue Jun 15 09:53:54 UTC 2010 - bg@novell.com - -- -fstack-protector is not supported on hppa - -------------------------------------------------------------------- -Fri Jun 4 07:11:28 UTC 2010 - gjhe@novell.com - -- fix bnc #610642 - CVE-2010-0742 - CVE-2010-1633 - -------------------------------------------------------------------- -Mon May 31 03:06:39 UTC 2010 - gjhe@novell.com - -- fix bnc #610223,change Configure to tell openssl to load engines - from /%{_lib} instead of %{_libdir} - -------------------------------------------------------------------- -Mon May 10 16:11:54 UTC 2010 - aj@suse.de - -- Do not compile in build time but use mtime of changes file instead. - This allows build-compare to identify that no changes have happened. - -------------------------------------------------------------------- -Tue May 4 02:55:52 UTC 2010 - gjhe@novell.com - -- build libopenssl to /%{_lib} dir,and keep only one - libopenssl-devel for new developping programs. - -------------------------------------------------------------------- -Tue Apr 27 05:44:32 UTC 2010 - gjhe@novell.com - -- build libopenssl and libopenssl-devel to a version directory - -------------------------------------------------------------------- -Sat Apr 24 09:46:37 UTC 2010 - coolo@novell.com - -- buildrequire pkg-config to fix provides - -------------------------------------------------------------------- -Wed Apr 21 13:54:15 UTC 2010 - lnussel@suse.de - -- also create old certificate hash in /etc/ssl/certs for - compatibility with applications that still link against 0.9.8 - -------------------------------------------------------------------- -Mon Apr 12 16:12:08 CEST 2010 - meissner@suse.de - -- Disable our own build targets, instead use the openSSL provided ones - as they are now good (or should be good at least). - -- add -Wa,--noexecstack to the Configure call, this is the upstream - approved way to avoid exec-stack marking - -------------------------------------------------------------------- -Mon Apr 12 04:57:17 UTC 2010 - gjhe@novell.com - -- update to 1.0.0 - Merge the following patches from 0.9.8k: - openssl-0.9.6g-alpha.diff - openssl-0.9.7f-ppc64.diff - openssl-0.9.8-flags-priority.dif - openssl-0.9.8-sparc.dif - openssl-allow-arch.diff - openssl-hppa-config.diff - -------------------------------------------------------------------- -Fri Apr 9 11:42:51 CEST 2010 - meissner@suse.de - -- fixed "exectuable stack" for libcrypto.so issue on i586 by - adjusting the assembler output during MMX builds. - -------------------------------------------------------------------- -Wed Apr 7 14:08:05 CEST 2010 - meissner@suse.de - -- Openssl is now partially converted to libdir usage upstream, - merge that in to fix lib64 builds. - -------------------------------------------------------------------- -Thu Mar 25 02:18:22 UTC 2010 - gjhe@novell.com - -- fix security bug [bnc#590833] - CVE-2010-0740 - -------------------------------------------------------------------- -Mon Mar 22 06:29:14 UTC 2010 - gjhe@novell.com - -- update to version 0.9.8m - Merge the following patches from 0.9.8k: - bswap.diff - non-exec-stack.diff - openssl-0.9.6g-alpha.diff - openssl-0.9.7f-ppc64.diff - openssl-0.9.8-flags-priority.dif - openssl-0.9.8-sparc.dif - openssl-allow-arch.diff - openssl-hppa-config.diff - -------------------------------------------------------------------- -Fri Feb 5 01:24:55 UTC 2010 - jengelh@medozas.de - -- build openssl for sparc64 - -------------------------------------------------------------------- -Mon Dec 14 16:11:11 CET 2009 - jengelh@medozas.de - -- add baselibs.conf as a source -- package documentation as noarch - -------------------------------------------------------------------- -Tue Nov 3 19:09:35 UTC 2009 - coolo@novell.com - -- updated patches to apply with fuzz=0 - -------------------------------------------------------------------- -Tue Sep 1 10:21:16 CEST 2009 - gjhe@novell.com - -- fix Bug [bnc#526319] - -------------------------------------------------------------------- -Wed Aug 26 11:24:16 CEST 2009 - coolo@novell.com - -- use %patch0 for Patch0 - -------------------------------------------------------------------- -Fri Jul 3 11:53:48 CEST 2009 - gjhe@novell.com - -- update to version 0.9.8k -- patches merged upstream: - openssl-CVE-2008-5077.patch - openssl-CVE-2009-0590.patch - openssl-CVE-2009-0591.patch - openssl-CVE-2009-0789.patch - openssl-CVE-2009-1377.patch - openssl-CVE-2009-1378.patch - openssl-CVE-2009-1379.patch - openssl-CVE-2009-1386.patch - openssl-CVE-2009-1387.patch - -------------------------------------------------------------------- -Tue Jun 30 05:17:26 CEST 2009 - gjhe@novell.com - -- fix security bug [bnc#509031] - CVE-2009-1386 - CVE-2009-1387 - -------------------------------------------------------------------- -Tue Jun 30 05:16:39 CEST 2009 - gjhe@novell.com - -- fix security bug [bnc#504687] - CVE-2009-1377 - CVE-2009-1378 - CVE-2009-1379 - -------------------------------------------------------------------- -Wed Apr 15 12:28:29 CEST 2009 - gjhe@suse.de - -- fix security bug [bnc#489641] - CVE-2009-0590 - CVE-2009-0591 - CVE-2009-0789 - -------------------------------------------------------------------- -Wed Jan 7 12:34:56 CET 2009 - olh@suse.de - -- obsolete old -XXbit packages (bnc#437293) - -------------------------------------------------------------------- -Thu Dec 18 08:15:12 CET 2008 - jshi@suse.de - -- fix security bug [bnc#459468] - CVE-2008-5077 - -------------------------------------------------------------------- -Tue Dec 9 11:32:50 CET 2008 - xwhu@suse.de - -- Disable optimization for s390x - -------------------------------------------------------------------- -Mon Dec 8 12:12:14 CET 2008 - xwhu@suse.de - -- Disable optimization of md4 - -------------------------------------------------------------------- -Mon Nov 10 10:22:04 CET 2008 - xwhu@suse.de - -- Disable optimization of ripemd [bnc#442740] - -------------------------------------------------------------------- -Tue Oct 14 09:08:47 CEST 2008 - xwhu@suse.de - -- Passing string as struct cause openssl segment-fault [bnc#430141] - -------------------------------------------------------------------- -Wed Jul 16 12:02:37 CEST 2008 - mkoenig@suse.de - -- do not require openssl-certs, but rather recommend it - to avoid dependency cycle [bnc#408865] - -------------------------------------------------------------------- -Wed Jul 9 12:53:27 CEST 2008 - mkoenig@suse.de - -- remove the certs subpackage from the openssl package - and move the CA root certificates into a package of its own - -------------------------------------------------------------------- -Tue Jun 24 09:09:04 CEST 2008 - mkoenig@suse.de - -- update to version 0.9.8h -- openssl does not ship CA root certificates anymore - keep certificates that SuSE is already shipping -- resolves bad array index (function has been removed) [bnc#356549] -- removed patches - openssl-0.9.8g-fix_dh_for_certain_moduli.patch - openssl-CVE-2008-0891.patch - openssl-CVE-2008-1672.patch - -------------------------------------------------------------------- -Wed May 28 15:04:08 CEST 2008 - mkoenig@suse.de - -- fix OpenSSL Server Name extension crash (CVE-2008-0891) - and OpenSSL Omit Server Key Exchange message crash (CVE-2008-1672) - [bnc#394317] - -------------------------------------------------------------------- -Wed May 21 20:48:39 CEST 2008 - cthiel@suse.de - -- fix baselibs.conf - -------------------------------------------------------------------- -Tue Apr 22 14:39:35 CEST 2008 - mkoenig@suse.de - -- add -DMD32_REG_T=int for x86_64 and ia64 [bnc#381844] - -------------------------------------------------------------------- -Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de - -- added baselibs.conf file to build xxbit packages - for multilib support - -------------------------------------------------------------------- -Mon Nov 5 14:27:06 CET 2007 - mkoenig@suse.de - -- fix Diffie-Hellman failure with certain prime lengths - -------------------------------------------------------------------- -Mon Oct 22 15:00:21 CEST 2007 - mkoenig@suse.de - -- update to version 0.9.8g: - * fix some bugs introduced with 0.9.8f - -------------------------------------------------------------------- -Mon Oct 15 11:17:14 CEST 2007 - mkoenig@suse.de - -- update to version 0.9.8f: - * fixes CVE-2007-3108, CVE-2007-5135, CVE-2007-4995 -- patches merged upstream: - openssl-0.9.8-key_length.patch - openssl-CVE-2007-3108-bug296511 - openssl-CVE-2007-5135.patch - openssl-gcc42.patch - openssl-gcc42_b.patch - openssl-s390-config.diff - -------------------------------------------------------------------- -Mon Oct 1 11:29:55 CEST 2007 - mkoenig@suse.de - -- fix buffer overflow CVE-2007-5135 [#329208] - -------------------------------------------------------------------- -Wed Sep 5 11:39:26 CEST 2007 - mkoenig@suse.de - -- fix another gcc 4.2 build problem [#307669] - -------------------------------------------------------------------- -Fri Aug 3 14:17:27 CEST 2007 - coolo@suse.de - -- provide the version obsoleted (#293401) - -------------------------------------------------------------------- -Wed Aug 1 18:01:45 CEST 2007 - werner@suse.de - -- Add patch from CVS for RSA key reconstruction vulnerability - (CVE-2007-3108, VU#724968, bug #296511) - -------------------------------------------------------------------- -Thu May 24 16:18:50 CEST 2007 - mkoenig@suse.de - -- fix build with gcc-4.2 - openssl-gcc42.patch -- do not install example scripts with executable permissions - -------------------------------------------------------------------- -Mon Apr 30 01:32:44 CEST 2007 - ro@suse.de - -- adapt requires - -------------------------------------------------------------------- -Fri Apr 27 15:25:13 CEST 2007 - mkoenig@suse.de - -- Do not use dots in package name -- explicitly build with gcc-4.1 because of currently unresolved - failures with gcc-4.2 - -------------------------------------------------------------------- -Wed Apr 25 12:32:44 CEST 2007 - mkoenig@suse.de - -- Split/rename package to follow library packaging policy [#260219] - New package libopenssl0.9.8 containing shared libs - openssl-devel package renamed to libopenssl-devel - New package openssl-certs containing certificates -- add zlib-devel to Requires of devel package -- remove old Obsoletes and Conflicts - openssls (Last used Nov 2000) - ssleay (Last used 6.2) - -------------------------------------------------------------------- -Mon Apr 23 11:17:57 CEST 2007 - mkoenig@suse.de - -- Fix key length [#254905,#262477] - -------------------------------------------------------------------- -Tue Mar 6 10:38:10 CET 2007 - mkoenig@suse.de - -- update to version 0.9.8e: - * patches merged upstream: - openssl-CVE-2006-2940-fixup.patch - openssl-0.9.8d-padlock-static.patch - -------------------------------------------------------------------- -Tue Jan 9 14:30:28 CET 2007 - mkoenig@suse.de - -- fix PadLock support [#230823] - -------------------------------------------------------------------- -Thu Nov 30 14:33:51 CET 2006 - mkoenig@suse.de - -- enable fix for CVE-2006-2940 [#223040], SWAMP-ID 7198 - -------------------------------------------------------------------- -Mon Nov 6 18:35:10 CET 2006 - poeml@suse.de - -- configure with 'zlib' instead of 'zlib-dynamic'. Build with the - latter, there are problems opening the libz when running on the - Via Epia or vmware platforms. [#213305] - -------------------------------------------------------------------- -Wed Oct 4 15:07:55 CEST 2006 - poeml@suse.de - -- add patch for the CVE-2006-2940 fix: the newly introduced limit - on DH modulus size could lead to a crash when exerted. [#208971] - Discovered and fixed after the 0.9.8d release. - -------------------------------------------------------------------- -Fri Sep 29 18:37:01 CEST 2006 - poeml@suse.de - -- update to 0.9.8d - *) Introduce limits to prevent malicious keys being able to - cause a denial of service. (CVE-2006-2940) - *) Fix ASN.1 parsing of certain invalid structures that can result - in a denial of service. (CVE-2006-2937) - *) Fix buffer overflow in SSL_get_shared_ciphers() function. - (CVE-2006-3738) - *) Fix SSL client code which could crash if connecting to a - malicious SSLv2 server. (CVE-2006-4343) - *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites - match only those. Before that, "AES256-SHA" would be interpreted - as a pattern and match "AES128-SHA" too (since AES128-SHA got - the same strength classification in 0.9.7h) as we currently only - have a single AES bit in the ciphersuite description bitmap. - That change, however, also applied to ciphersuite strings such as - "RC4-MD5" that intentionally matched multiple ciphersuites -- - namely, SSL 2.0 ciphersuites in addition to the more common ones - from SSL 3.0/TLS 1.0. - So we change the selection algorithm again: Naming an explicit - ciphersuite selects this one ciphersuite, and any other similar - ciphersuite (same bitmap) from *other* protocol versions. - Thus, "RC4-MD5" again will properly select both the SSL 2.0 - ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. - Since SSL 2.0 does not have any ciphersuites for which the - 128/256 bit distinction would be relevant, this works for now. - The proper fix will be to use different bits for AES128 and - AES256, which would have avoided the problems from the beginning; - however, bits are scarce, so we can only do this in a new release - (not just a patchlevel) when we can change the SSL_CIPHER - definition to split the single 'unsigned long mask' bitmap into - multiple values to extend the available space. -- not in mentioned in CHANGES: patch for CVE-2006-4339 corrected - [openssl.org #1397] - -------------------------------------------------------------------- -Fri Sep 8 20:33:40 CEST 2006 - schwab@suse.de - -- Fix inverted logic. - -------------------------------------------------------------------- -Wed Sep 6 17:56:08 CEST 2006 - poeml@suse.de - -- update to 0.9.8c - Changes between 0.9.8b and 0.9.8c [05 Sep 2006] - *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher - (CVE-2006-4339) [Ben Laurie and Google Security Team] - *) Add AES IGE and biIGE modes. [Ben Laurie] - *) Change the Unix randomness entropy gathering to use poll() when - possible instead of select(), since the latter has some - undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller] - *) Disable "ECCdraft" ciphersuites more thoroughly. Now special - treatment in ssl/ssl_ciph.s makes sure that these ciphersuites - cannot be implicitly activated as part of, e.g., the "AES" alias. - However, please upgrade to OpenSSL 0.9.9[-dev] for - non-experimental use of the ECC ciphersuites to get TLS extension - support, which is required for curve and point format negotiation - to avoid potential handshake problems. [Bodo Moeller] - *) Disable rogue ciphersuites: - - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") - - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") - - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") - The latter two were purportedly from - draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really - appear there. - Also deactive the remaining ciphersuites from - draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as - unofficial, and the ID has long expired. [Bodo Moeller] - *) Fix RSA blinding Heisenbug (problems sometimes occured on - dual-core machines) and other potential thread-safety issues. - [Bodo Moeller] - *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key - versions), which is now available for royalty-free use - (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). - Also, add Camellia TLS ciphersuites from RFC 4132. - To minimize changes between patchlevels in the OpenSSL 0.9.8 - series, Camellia remains excluded from compilation unless OpenSSL - is configured with 'enable-camellia'. [NTT] - *) Disable the padding bug check when compression is in use. The padding - bug check assumes the first packet is of even length, this is not - necessarily true if compresssion is enabled and can result in false - positives causing handshake failure. The actual bug test is ancient - code so it is hoped that implementations will either have fixed it by - now or any which still have the bug do not support compression. - [Steve Henson] - Changes between 0.9.8a and 0.9.8b [04 May 2006] - *) When applying a cipher rule check to see if string match is an explicit - cipher suite and only match that one cipher suite if it is. [Steve Henson] - *) Link in manifests for VC++ if needed. [Austin Ziegler <halostatue@gmail.com>] - *) Update support for ECC-based TLS ciphersuites according to - draft-ietf-tls-ecc-12.txt with proposed changes (but without - TLS extensions, which are supported starting with the 0.9.9 - branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila] - *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support - opaque EVP_CIPHER_CTX handling. [Steve Henson] - *) Fixes and enhancements to zlib compression code. We now only use - "zlib1.dll" and use the default __cdecl calling convention on Win32 - to conform with the standards mentioned here: - http://www.zlib.net/DLL_FAQ.txt - Static zlib linking now works on Windows and the new --with-zlib-include - --with-zlib-lib options to Configure can be used to supply the location - of the headers and library. Gracefully handle case where zlib library - can't be loaded. [Steve Henson] - *) Several fixes and enhancements to the OID generation code. The old code - sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't - handle numbers larger than ULONG_MAX, truncated printing and had a - non standard OBJ_obj2txt() behaviour. [Steve Henson] - *) Add support for building of engines under engine/ as shared libraries - under VC++ build system. [Steve Henson] - *) Corrected the numerous bugs in the Win32 path splitter in DSO. - Hopefully, we will not see any false combination of paths any more. - [Richard Levitte] -- enable Camellia cipher. There is a royalty free license to the - patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html. - NOTE: the license forbids patches to the cipher. -- build with zlib-dynamic and add zlib-devel to BuildRequires. - Allows compression of data in TLS, although few application would - actually use it since there is no standard for negotiating the - compression method. The only one I know if is stunnel. - -------------------------------------------------------------------- -Fri Jun 2 15:00:58 CEST 2006 - poeml@suse.de - -- fix built-in ENGINESDIR for 64 bit architectures. We change only - the builtin search path for engines, not the path where engines - are packaged. Path can be overridden with the OPENSSL_ENGINES - environment variable. [#179094] - -------------------------------------------------------------------- -Wed Jan 25 21:30:41 CET 2006 - mls@suse.de - -- converted neededforbuild to BuildRequires - -------------------------------------------------------------------- -Mon Jan 16 13:13:13 CET 2006 - mc@suse.de - -- fix build problems on s390x (openssl-s390-config.diff) -- build with -fstack-protector - -------------------------------------------------------------------- -Mon Nov 7 16:30:49 CET 2005 - dmueller@suse.de - -- build with non-executable stack - -------------------------------------------------------------------- -Thu Oct 20 17:37:47 CEST 2005 - poeml@suse.de - -- fix unguarded free() which can cause a segfault in the ca - commandline app [#128655] - -------------------------------------------------------------------- -Thu Oct 13 15:10:28 CEST 2005 - poeml@suse.de - -- add Geotrusts Equifax Root1 CA certificate, which needed to - verify the authenticity of you.novell.com [#121966] - -------------------------------------------------------------------- -Tue Oct 11 15:34:07 CEST 2005 - poeml@suse.de - -- update to 0.9.8a - *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING - (part of SSL_OP_ALL). This option used to disable the - countermeasure against man-in-the-middle protocol-version - rollback in the SSL 2.0 server implementation, which is a bad - idea. (CAN-2005-2969) - *) Add two function to clear and return the verify parameter flags. - *) Keep cipherlists sorted in the source instead of sorting them at - runtime, thus removing the need for a lock. - *) Avoid some small subgroup attacks in Diffie-Hellman. - *) Add functions for well-known primes. - *) Extended Windows CE support. - *) Initialize SSL_METHOD structures at compile time instead of during - runtime, thus removing the need for a lock. - *) Make PKCS7_decrypt() work even if no certificate is supplied by - attempting to decrypt each encrypted key in turn. Add support to - smime utility. - -------------------------------------------------------------------- -Thu Sep 29 18:53:08 CEST 2005 - poeml@suse.de - -- update to 0.9.8 - see CHANGES file or http://www.openssl.org/news/changelog.html -- adjust patches -- drop obsolete openssl-no-libc.diff -- disable libica patch until it has been ported - -------------------------------------------------------------------- -Fri May 20 11:27:12 CEST 2005 - poeml@suse.de - -- update to 0.9.7g. The significant changes are: - *) Fixes for newer kerberos headers. NB: the casts are needed because - the 'length' field is signed on one version and unsigned on another - with no (?) obvious way to tell the difference, without these VC++ - complains. Also the "definition" of FAR (blank) is no longer included - nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up - some needed definitions. - *) Added support for proxy certificates according to RFC 3820. - Because they may be a security thread to unaware applications, - they must be explicitely allowed in run-time. See - docs/HOWTO/proxy_certificates.txt for further information. - -------------------------------------------------------------------- -Tue May 17 16:28:51 CEST 2005 - schwab@suse.de - -- Include %cflags_profile_generate in ${CC} since it is required for - linking as well. -- Remove explicit reference to libc. - -------------------------------------------------------------------- -Fri Apr 8 17:27:27 CEST 2005 - poeml@suse.de - -- update to 0.9.7f. The most significant changes are: - o Several compilation issues fixed. - o Many memory allocation failure checks added. - o Improved comparison of X509 Name type. - o Mandatory basic checks on certificates. - o Performance improvements. - (for a complete list see http://www.openssl.org/source/exp/CHANGES) -- adjust openssl-0.9.7f-ppc64.diff -- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435] - -------------------------------------------------------------------- -Tue Jan 4 16:47:02 CET 2005 - poeml@suse.de - -- update to 0.9.7e - *) Avoid a race condition when CRLs are checked in a multi - threaded environment. This would happen due to the reordering - of the revoked entries during signature checking and serial - number lookup. Now the encoding is cached and the serial - number sort performed under a lock. Add new STACK function - sk_is_sorted(). - *) Add Delta CRL to the extension code. - *) Various fixes to s3_pkt.c so alerts are sent properly. - *) Reduce the chances of duplicate issuer name and serial numbers - (in violation of RFC3280) using the OpenSSL certificate - creation utilities. This is done by creating a random 64 bit - value for the initial serial number when a serial number file - is created or when a self signed certificate is created using - 'openssl req -x509'. The initial serial number file is created - using 'openssl x509 -next_serial' in CA.pl rather than being - initialized to 1. -- remove obsolete patches -- fix openssl-0.9.7d-padlock-glue.diff and ICA patch to patch - Makefile, not Makefile.ssl -- fixup for spaces in names of man pages not needed now -- pack /usr/bin/openssl_fips_fingerprint -- in rpm post/postun script, run /sbin/ldconfig directly (the macro - is deprecated) - -------------------------------------------------------------------- -Mon Oct 18 15:03:28 CEST 2004 - poeml@suse.de - -- don't install openssl.doxy file [#45210] - -------------------------------------------------------------------- -Thu Jul 29 16:56:44 CEST 2004 - poeml@suse.de - -- apply patch from CVS to fix segfault in S/MIME encryption - (http://cvs.openssl.org/chngview?cn=12081, regression in - openssl-0.9.7d) [#43386] - -------------------------------------------------------------------- -Mon Jul 12 15:22:31 CEST 2004 - mludvig@suse.cz - -- Updated VIA PadLock engine. - -------------------------------------------------------------------- -Wed Jun 30 21:45:01 CEST 2004 - mludvig@suse.cz - -- Updated openssl-0.9.7d-padlock-engine.diff with support for - AES192, AES256 and RNG. - -------------------------------------------------------------------- -Tue Jun 15 16:18:36 CEST 2004 - poeml@suse.de - -- update IBM ICA patch to last night's version. Fixes ibmca_init() - to reset ibmca_dso=NULL after calling DSO_free(), if the device - driver could not be loaded. The bug lead to a segfault triggered - by stunnel, which does autoload available engines [#41874] -- patch from CVS: make stack API more robust (return NULL for - out-of-range indexes). Fixes another possible segfault during - engine detection (could also triggered by stunnel) -- add patch from Michal Ludvig for VIA PadLock support - -------------------------------------------------------------------- -Wed Jun 2 20:44:40 CEST 2004 - poeml@suse.de - -- add root certificate for the ICP-Brasil CA [#41546] - -------------------------------------------------------------------- -Thu May 13 19:53:48 CEST 2004 - poeml@suse.de - -- add patch to use default_md for CRLs too [#40435] - -------------------------------------------------------------------- -Tue May 4 20:45:19 CEST 2004 - poeml@suse.de - -- update ICA patch to apr292004 release [#39695] - -------------------------------------------------------------------- -Thu Mar 18 13:47:09 CET 2004 - poeml@suse.de - -- update to 0.9.7d - o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug - (CAN-2004-0112) - o Security: Fix null-pointer assignment in do_change_cipher_spec() - (CAN-2004-0079) - o Allow multiple active certificates with same subject in CA index - o Multiple X590 verification fixes - o Speed up HMAC and other operations -- remove the hunk from openssl-0.9.6d.dif that added NO_IDEA around - IDEA_128_CBC_WITH_MD5 in the global cipher list. Upstream now has - OPENSSL_NO_IDEA around it -- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the - pod file) -- permissions of lib/pkgconfig fixed - -------------------------------------------------------------------- -Wed Feb 25 20:42:39 CET 2004 - poeml@suse.de - -- update to 0.9.7c - *) Fix various bugs revealed by running the NISCC test suite: - Stop out of bounds reads in the ASN1 code when presented with - invalid tags (CAN-2003-0543 and CAN-2003-0544). - Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545). - If verify callback ignores invalid public key errors don't try to check - certificate signature with the NULL public key. - *) New -ignore_err option in ocsp application to stop the server - exiting on the first error in a request. - *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate - if the server requested one: as stated in TLS 1.0 and SSL 3.0 - specifications. - *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional - extra data after the compression methods not only for TLS 1.0 - but also for SSL 3.0 (as required by the specification). - *) Change X509_certificate_type() to mark the key as exported/exportable - when it's 512 *bits* long, not 512 bytes. - *) Change AES_cbc_encrypt() so it outputs exact multiple of - blocks during encryption. - *) Various fixes to base64 BIO and non blocking I/O. On write - flushes were not handled properly if the BIO retried. On read - data was not being buffered properly and had various logic bugs. - This also affects blocking I/O when the data being decoded is a - certain size. - *) Various S/MIME bugfixes and compatibility changes: - output correct application/pkcs7 MIME type if - PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. - Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening - of files as .eml work). Correctly handle very long lines in MIME - parser. -- update ICA patch - quote: This version of the engine patch has updated error handling in - the DES/SHA code, and turns RSA blinding off for hardware - accelerated RSA ops. -- filenames of some man pages contain spaces now. Replace them with - underscores -- fix compiler warnings in showciphers.c -- fix permissions of /usr/%_lib/pkgconfig - -------------------------------------------------------------------- -Sat Jan 10 10:55:59 CET 2004 - adrian@suse.de - -- add %run_ldconfig -- remove unneeded PreRequires - -------------------------------------------------------------------- -Tue Nov 18 14:07:53 CET 2003 - poeml@suse.de - -- ditch annoying mail to root about moved locations [#31969] - -------------------------------------------------------------------- -Wed Aug 13 22:30:13 CEST 2003 - poeml@suse.de - -- enable profile feedback based optimizations (except AES which - becomes slower) -- add -fno-strict-aliasing, due to warnings about code where - dereferencing type-punned pointers will break strict aliasing -- make a readlink function if readlink is not available - -------------------------------------------------------------------- -Mon Aug 4 16:16:57 CEST 2003 - ro@suse.de - -- fixed manpages symlinks - -------------------------------------------------------------------- -Wed Jul 30 15:37:37 CEST 2003 - meissner@suse.de - -- Fix Makefile to create pkgconfig file with lib64 on lib64 systems. - -------------------------------------------------------------------- -Sun Jul 27 15:51:04 CEST 2003 - poeml@suse.de - -- don't explicitely strip binaries since RPM handles it, and may - keep the stripped information somewhere - -------------------------------------------------------------------- -Tue Jul 15 16:29:16 CEST 2003 - meissner@suse.de - -- -DMD32_REG_T=int for ppc64 and s390x. - -------------------------------------------------------------------- -Thu Jul 10 23:14:22 CEST 2003 - poeml@suse.de - -- update ibm ICA patch to 20030708 release (libica-1.3) - -------------------------------------------------------------------- -Mon May 12 23:27:07 CEST 2003 - poeml@suse.de - -- package the openssl.pc file for pkgconfig - -------------------------------------------------------------------- -Wed Apr 16 16:04:32 CEST 2003 - poeml@suse.de - -- update to 0.9.7b. The most significant changes are: - o New library section OCSP. - o Complete rewrite of ASN1 code. - o CRL checking in verify code and openssl utility. - o Extension copying in 'ca' utility. - o Flexible display options in 'ca' utility. - o Provisional support for international characters with UTF8. - o Support for external crypto devices ('engine') is no longer - a separate distribution. - o New elliptic curve library section. - o New AES (Rijndael) library section. - o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, - Linux x86_64, Linux 64-bit on Sparc v9 - o Extended support for some platforms: VxWorks - o Enhanced support for shared libraries. - o Now only builds PIC code when shared library support is requested. - o Support for pkg-config. - o Lots of new manuals. - o Makes symbolic links to or copies of manuals to cover all described - functions. - o Change DES API to clean up the namespace (some applications link also - against libdes providing similar functions having the same name). - Provide macros for backward compatibility (will be removed in the - future). - o Unify handling of cryptographic algorithms (software and engine) - to be available via EVP routines for asymmetric and symmetric ciphers. - o NCONF: new configuration handling routines. - o Change API to use more 'const' modifiers to improve error checking - and help optimizers. - o Finally remove references to RSAref. - o Reworked parts of the BIGNUM code. - o Support for new engines: Broadcom ubsec, Accelerated Encryption - Processing, IBM 4758. - o A few new engines added in the demos area. - o Extended and corrected OID (object identifier) table. - o PRNG: query at more locations for a random device, automatic query for - EGD style random sources at several locations. - o SSL/TLS: allow optional cipher choice according to server's preference. - o SSL/TLS: allow server to explicitly set new session ids. - o SSL/TLS: support Kerberos cipher suites (RFC2712). - Only supports MIT Kerberos for now. - o SSL/TLS: allow more precise control of renegotiations and sessions. - o SSL/TLS: add callback to retrieve SSL/TLS messages. - o SSL/TLS: support AES cipher suites (RFC3268). -- adapt the ibmca patch -- remove openssl-nocrypt.diff, openssl's crypt() vanished -- configuration syntax has changed ($sys_id added before $lflags) - -------------------------------------------------------------------- -Thu Feb 20 11:55:34 CET 2003 - poeml@suse.de - -- update to bugfix release 0.9.6i: - - security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize - information leaked via timing by performing a MAC computation - even if incorrrect block cipher padding has been found. This - is a countermeasure against active attacks where the attacker - has to distinguish between bad padding and a MAC verification - error. (CAN-2003-0078) - - a few more small bugfixes (mainly missing assertions) - -------------------------------------------------------------------- -Fri Dec 6 10:07:20 CET 2002 - poeml@suse.de - -- update to 0.9.6h (last release in the 0.9.6 series) - o New configuration targets for Tandem OSS and A/UX. - o New OIDs for Microsoft attributes. - o Better handling of SSL session caching. - o Better comparison of distinguished names. - o Better handling of shared libraries in a mixed GNU/non-GNU environment. - o Support assembler code with Borland C. - o Fixes for length problems. - o Fixes for uninitialised variables. - o Fixes for memory leaks, some unusual crashes and some race conditions. - o Fixes for smaller building problems. - o Updates of manuals, FAQ and other instructive documents. -- add a call to make depend -- fix sed expression (lib -> lib64) to replace multiple occurences - on one line - -------------------------------------------------------------------- -Mon Nov 4 13:16:09 CET 2002 - stepan@suse.de - -- fix openssl for alpha ev56 cpus - -------------------------------------------------------------------- -Thu Oct 24 12:57:36 CEST 2002 - poeml@suse.de - -- own the /usr/share/ssl directory [#20849] -- openssl-hppa-config.diff can be applied on all architectures - -------------------------------------------------------------------- -Mon Sep 30 16:07:49 CEST 2002 - bg@suse.de - -- enable hppa distribution; use only pa1.1 architecture. - -------------------------------------------------------------------- -Tue Sep 17 17:13:46 CEST 2002 - froh@suse.de - -- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953) - -------------------------------------------------------------------- -Mon Aug 12 18:34:58 CEST 2002 - poeml@suse.de - -- update to 0.9.6g and drop the now included ASN1 check patch. - Other change: - - Use proper error handling instead of 'assertions' in buffer - overflow checks added in 0.9.6e. This prevents DoS (the - assertions could call abort()). - -------------------------------------------------------------------- -Fri Aug 9 19:49:59 CEST 2002 - kukuk@suse.de - -- Fix requires of openssl-devel subpackage - -------------------------------------------------------------------- -Tue Aug 6 15:18:59 MEST 2002 - draht@suse.de - -- Correction for changes in the ASN1 code, assembled in - openssl-0.9.6e-cvs-20020802-asn1_lib.diff - -------------------------------------------------------------------- -Thu Aug 1 00:53:33 CEST 2002 - poeml@suse.de - -- update to 0.9.6e. Major changes: - o Various security fixes (sanity checks to asn1_get_length(), - various remote buffer overflows) - o new option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, disabling the - countermeasure against a vulnerability in the CBC ciphersuites - in SSL 3.0/TLS 1.0 that was added in 0.9.6d which turned out to - be incompatible with buggy SSL implementations -- update ibmca crypto hardware patch (security issues fixed) -- gcc 3.1 version detection is fixed, we can drop the patch -- move the most used man pages from the -doc to the main package - [#9913] and resolve man page conflicts by putting them into ssl - sections [#17239] -- spec file: use PreReq for %post script - -------------------------------------------------------------------- -Fri Jul 12 17:59:10 CEST 2002 - poeml@suse.de - -- update to 0.9.6d. Major changes: - o Various SSL/TLS library bugfixes. - o Fix DH parameter generation for 'non-standard' generators. - Complete Changelog: http://www.openssl.org/news/changelog.html -- supposed to fix a session caching failure occuring with postfix -- simplify local configuration for the architectures -- there's a new config variable: $shared_ldflag -- use RPM_OPT_FLAGS in favor of predifined cflags by appending them - at the end -- validate config data (config --check-sanity) -- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982] -- move configuration to /etc/ssl [#14387] -- mark openssl.cnf %config (noreplace) - -------------------------------------------------------------------- -Sat Jul 6 20:28:56 CEST 2002 - schwab@suse.de - -- Include <crypt.h> to get crypt prototype. - -------------------------------------------------------------------- -Fri Jul 5 08:51:16 CEST 2002 - kukuk@suse.de - -- Remove crypt prototype from des.h header file, too. - -------------------------------------------------------------------- -Mon Jun 10 11:38:16 CEST 2002 - meissner@suse.de - -- enhanced ppc64 support (needs seperate config), reenabled make check - -------------------------------------------------------------------- -Fri May 31 14:54:06 CEST 2002 - olh@suse.de - -- add ppc64 support, temporary disable make check - -------------------------------------------------------------------- -Thu Apr 18 16:30:01 CEST 2002 - meissner@suse.de - -- fixed x86_64 build, added bc to needed_for_build (used by tests) - -------------------------------------------------------------------- -Wed Apr 17 16:56:34 CEST 2002 - ro@suse.de - -- fixed gcc version determination -- drop sun4c support/always use sparcv8 -- ignore return code from showciphers - -------------------------------------------------------------------- -Fri Mar 15 16:54:44 CET 2002 - poeml@suse.de - -- add settings for sparc to build shared objects. Note that all - sparcs (sun4[mdu]) are recognized as linux-sparcv7 - -------------------------------------------------------------------- -Wed Feb 6 14:23:44 CET 2002 - kukuk@suse.de - -- Remove crypt function from libcrypto.so.0 [Bug #13056] - -------------------------------------------------------------------- -Sun Feb 3 22:32:16 CET 2002 - poeml@suse.de - -- add settings for mips to build shared objects -- print out all settings to the build log - -------------------------------------------------------------------- -Tue Jan 29 12:42:58 CET 2002 - poeml@suse.de - -- update to 0.9.6c: - o bug fixes - o support for hardware crypto devices (Cryptographic Appliances, - Broadcom, and Accelerated Encryption Processing) -- add IBMCA patch for IBM eServer Cryptographic Accelerator Device - Driver (#12565) (forward ported from 0.9.6b) - (http://www-124.ibm.com/developerworks/projects/libica/) -- tell Configure how to build shared libs for s390 and s390x -- tweak Makefile.org to use %_libdir -- clean up spec file -- add README.SuSE as source file instead of in a patch - -------------------------------------------------------------------- -Wed Dec 5 10:59:59 CET 2001 - uli@suse.de - -- disabled "make test" for ARM (destest segfaults, the other tests - seem to succeed) - -------------------------------------------------------------------- -Wed Dec 5 02:39:16 CET 2001 - ro@suse.de - -- removed subpackage src - -------------------------------------------------------------------- -Wed Nov 28 13:28:42 CET 2001 - uli@suse.de - -- needs -ldl on ARM, too - -------------------------------------------------------------------- -Mon Nov 19 17:48:31 MET 2001 - mls@suse.de - -- made mips big endian, fixed shared library creation for mips - -------------------------------------------------------------------- -Fri Aug 31 11:19:46 CEST 2001 - rolf@suse.de - -- added root certificates [BUG#9913] -- move from /usr/ssh to /usr/share/ssl - -------------------------------------------------------------------- -Wed Jul 18 10:27:54 CEST 2001 - rolf@suse.de - -- update to 0.9.6b -- switch to engine version of openssl, which supports hardware - encryption for a few popular devices -- check wether shared libraries have been generated - -------------------------------------------------------------------- -Thu Jul 5 15:06:03 CEST 2001 - rolf@suse.de - -- appliy PRNG security patch - -------------------------------------------------------------------- -Tue Jun 12 10:52:34 EDT 2001 - bk@suse.de - -- added support for s390x - -------------------------------------------------------------------- -Mon May 7 21:02:30 CEST 2001 - kukuk@suse.de - -- Fix building of shared libraries on SPARC, too. - -------------------------------------------------------------------- -Mon May 7 11:36:53 MEST 2001 - rolf@suse.de - -- Fix ppc and s390 shared library builds -- resolved conflict in manpage naming: - rand.3 is now sslrand.3 [BUG#7643] - -------------------------------------------------------------------- -Tue May 1 22:32:48 CEST 2001 - schwab@suse.de - -- Fix ia64 configuration. -- Fix link command. - -------------------------------------------------------------------- -Thu Apr 26 03:17:52 CEST 2001 - bjacke@suse.de - -- updated to 0.96a - -------------------------------------------------------------------- -Wed Apr 18 12:56:48 CEST 2001 - kkaempf@suse.de - -- provide .so files in -devel package only - -------------------------------------------------------------------- -Tue Apr 17 02:45:36 CEST 2001 - bjacke@suse.de - -- resolve file name conflict (#6966) - -------------------------------------------------------------------- -Wed Mar 21 10:12:59 MET 2001 - rolf@suse.de - -- new subpackage openssl-src [BUG#6383] -- added README.SuSE which explains where to find the man pages [BUG#6717] - -------------------------------------------------------------------- -Fri Dec 15 18:09:16 CET 2000 - sf@suse.de - -- changed CFLAG to -O1 to make the tests run successfully - -------------------------------------------------------------------- -Mon Dec 11 13:33:55 CET 2000 - rolf@suse.de - -- build openssl with no-idea and no-rc5 to meet US & RSA regulations -- build with -fPIC on all platforms (especially IA64) - -------------------------------------------------------------------- -Wed Nov 22 11:27:39 MET 2000 - rolf@suse.de - -- rename openssls to openssl-devel and add shared libs and header files -- new subpackge openssl-doc for manpages and documentation -- use BuildRoot - -------------------------------------------------------------------- -Fri Oct 27 16:53:45 CEST 2000 - schwab@suse.de - -- Add link-time links for libcrypto and libssl. -- Make sure that LD_LIBRARY_PATH is passed down to sub-makes. - -------------------------------------------------------------------- -Mon Oct 2 17:33:07 MEST 2000 - rolf@suse.de - -- update to 0.9.6 - -------------------------------------------------------------------- -Mon Apr 10 23:04:15 CEST 2000 - bk@suse.de - -- fix support for s390-linux - -------------------------------------------------------------------- -Mon Apr 10 18:01:46 MEST 2000 - rolf@suse.de - -- new version 0.9.5a - -------------------------------------------------------------------- -Sun Apr 9 02:51:42 CEST 2000 - bk@suse.de - -- add support for s390-linux - -------------------------------------------------------------------- -Mon Mar 27 19:25:25 CEST 2000 - kukuk@suse.de - -- Use sparcv7 for SPARC - -------------------------------------------------------------------- -Wed Mar 1 16:42:00 MET 2000 - rolf@suse.de - -- move manpages back, as too many conflict with system manuals - -------------------------------------------------------------------- -Wed Mar 1 11:23:21 MET 2000 - rolf@suse.de - -- move manpages to %{_mandir} -- include static libraries - -------------------------------------------------------------------- -Wed Mar 1 02:52:17 CET 2000 - bk@suse.de - -- added subpackage source openssls, needed for ppp_ssl - -------------------------------------------------------------------- -Tue Feb 29 12:50:48 MET 2000 - rolf@suse.de - -- new version 0.9.5 - -------------------------------------------------------------------- -Thu Feb 24 15:43:38 CET 2000 - schwab@suse.de - -- add support for ia64-linux - -------------------------------------------------------------------- -Mon Jan 31 13:05:59 CET 2000 - kukuk@suse.de - -- Create and add libcrypto.so.0 and libssl.so.0 - -------------------------------------------------------------------- -Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de - -- ran old prepare_spec on spec file to switch to new prepare_spec. - -------------------------------------------------------------------- -Wed Sep 1 12:30:08 MEST 1999 - rolf@suse.de - -- new version 0.9.4 - -------------------------------------------------------------------- -Wed May 26 16:26:49 MEST 1999 - rolf@suse.de - -- new version 0.9.3 with new layout -- alpha asm disabled by default now, no patch needed - -------------------------------------------------------------------- -Thu May 20 09:38:09 MEST 1999 - ro@suse.de - -- disable asm for alpha: seems incomplete - -------------------------------------------------------------------- -Mon May 17 17:43:34 MEST 1999 - rolf@suse.de - -- don't use -DNO_IDEA - -------------------------------------------------------------------- -Wed May 12 16:10:03 MEST 1999 - rolf@suse.de - -- first version 0.9.2b diff --git a/packaging/openssl.test b/packaging/openssl.test deleted file mode 100644 index 5206b79..0000000 --- a/packaging/openssl.test +++ /dev/null @@ -1,2 +0,0 @@ - -openssl autmatically tests iteslf, no further testing needed |