jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

import UBI openssl-1.1.1k-15.el8_6

Browse Source
This commit is contained in:
eabdullin 2026-02-23 06:39:45 +00:00
parent 3d00f6b13e
commit bb374ab820
4 changed files with 557 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch
View File

@ -1,13 +1,11 @@
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori
@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
#ifndef OPENSSL_NO_SRP
static int init_srp(SSL *s, unsigned int context);
#endif
+#ifndef OPENSSL_NO_EC
+static int init_ec_point_formats(SSL *s, unsigned int context);
+#endif
static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent);
@ -20,11 +18,10 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
final_ec_pt_formats
},
@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int
@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
}
#endif
+#ifndef OPENSSL_NO_EC
+static int init_ec_point_formats(SSL *s, unsigned int context)
+{
+ OPENSSL_free(s->ext.peer_ecpointformats);
@ -33,7 +30,6 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
+
+ return 1;
+}
+#endif
+
static int init_etm(SSL *s, unsigned int context)
{

80
SOURCES/openssl-1.1.1-cve-2025-69419.patch Normal file
View File

@ -0,0 +1,80 @@
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
index 17f7372026c3b..01e2269444cba 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -198,8 +198,10 @@ static int do_buf(unsigned char *buf, int buflen,
orflags = CHARTYPE_LAST_ESC_2253;
if (type & BUF_TYPE_CONVUTF8) {
unsigned char utfbuf[6];
- int utflen;
- utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
+ int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
+
+ if (utflen < 0)
+ return -1; /* error happened with UTF8 */
for (i = 0; i < utflen; i++) {
/*
* We don't need to worry about setting orflags correctly
diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
index 50adce6b26fd2..8b5f2909e8d96 100644
--- a/crypto/pkcs12/p12_utl.c
+++ b/crypto/pkcs12/p12_utl.c
@@ -213,6 +213,11 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
/* re-run the loop emitting UTF-8 string */
for (asclen = 0, i = 0; i < unilen; ) {
j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
+ /* when UTF8_putc fails */
+ if (j < 0) {
+ OPENSSL_free(asctmp);
+ return NULL;
+ }
if (j == 4) i += 4;
else i += 2;
asclen += j;
From 06f1b7338403a56a645de93b95fc68f3ab165fd5 Mon Sep 17 00:00:00 2001
From: Maurizio Barbaro <mbarbaro@redhat.com>
Date: Tue, 10 Feb 2026 10:39:46 +0100
Subject: [PATCH 1/1] asn1_internal_test
Signed-off-by: Maurizio Barbaro <mbarbaro@redhat.com>
---
test/asn1_internal_test.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c
index ccfb75a..92ed921 100644
--- a/test/asn1_internal_test.c
+++ b/test/asn1_internal_test.c
@@ -147,10 +147,27 @@ static int test_unicode_range(void)
return ok;
}
+static int test_mbstring_ncopy(void)
+{
+ ASN1_STRING *str = NULL;
+ const unsigned char in[] = { 0xFF, 0xFE, 0xFF, 0xFE };
+ int inlen = 4;
+ int inform = MBSTRING_UNIV;
+
+ if (!TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_GENERALSTRING, 0, 0), -1)
+ || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_VISIBLESTRING, 0, 0), -1)
+ || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_VIDEOTEXSTRING, 0, 0), -1)
+ || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_GENERALIZEDTIME, 0, 0), -1))
+ return 0;
+
+ return 1;
+}
+
int setup_tests(void)
{
ADD_TEST(test_tbl_standard);
ADD_TEST(test_standard_methods);
ADD_TEST(test_unicode_range);
+ ADD_TEST(test_mbstring_ncopy);
return 1;
}
--
2.52.0

387
SOURCES/openssl-1.1.1-hardening-from-openssl-3.0.1.patch Normal file
View File

@ -0,0 +1,387 @@
From 23c0f08fa39a825003c9d7eb0c28260939e0d3ef Mon Sep 17 00:00:00 2001
From: Maurizio Barbaro <mbarbaro@redhat.com>
Date: Tue, 10 Feb 2026 11:48:41 +0100
Subject: [PATCH 1/1] hardening-from-openssl-3.0.1
Signed-off-by: Maurizio Barbaro <mbarbaro@redhat.com>
---
crypto/asn1/a_mbstr.c | 58 ++++++++++++++++++++++++----
crypto/asn1/a_utf8.c | 77 +++++++-------------------------------
include/internal/unicode.h | 31 +++++++++++++++
test/asn1_internal_test.c | 41 ++++++++++++++++++++
4 files changed, 135 insertions(+), 72 deletions(-)
create mode 100644 include/internal/unicode.h
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index bdb697a..6ef4137 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -1,7 +1,7 @@
/*
- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -10,6 +10,7 @@
#include <stdio.h>
#include "crypto/ctype.h"
#include "internal/cryptlib.h"
+#include "internal/unicode.h"
#include <openssl/asn1.h>
static int traverse_string(const unsigned char *p, int len, int inform,
@@ -49,12 +50,15 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
ASN1_STRING *dest;
unsigned char *p;
int nchar;
- char strbuf[32];
+ char strbuf[32];
+
int (*cpyfunc) (unsigned long, void *) = NULL;
if (len == -1)
len = strlen((const char *)in);
if (!mask)
mask = DIRSTRING_TYPE;
+ if (len < 0)
+ return -1;
/* First do a string check and work out the number of characters */
switch (inform) {
@@ -116,7 +120,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
return -1;
}
- /* Now work out output format and string type */
+ /*
+ * Now work out output format and string type.
+ * These checks should be in sync with the checks in type_str.
+ */
outform = MBSTRING_ASC;
if (mask & B_ASN1_NUMERICSTRING)
str_type = V_ASN1_NUMERICSTRING;
@@ -182,7 +189,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
case MBSTRING_UTF8:
outlen = 0;
- traverse_string(in, len, inform, out_utf8, &outlen);
+ ret = traverse_string(in, len, inform, out_utf8, &outlen);
+ if (ret < 0) {
+ ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_INVALID_UTF8STRING);
+ return -1;
+ }
cpyfunc = cpy_utf8;
break;
}
@@ -247,6 +258,9 @@ static int traverse_string(const unsigned char *p, int len, int inform,
static int in_utf8(unsigned long value, void *arg)
{
int *nchar;
+
+ if (!is_unicode_valid(value))
+ return -2;
nchar = arg;
(*nchar)++;
return 1;
@@ -256,9 +270,13 @@ static int in_utf8(unsigned long value, void *arg)
static int out_utf8(unsigned long value, void *arg)
{
- int *outlen;
+ int *outlen, len;
+
+ len = UTF8_putc(NULL, -1, value);
+ if (len <= 0)
+ return len;
outlen = arg;
- *outlen += UTF8_putc(NULL, -1, value);
+ *outlen += len;
return 1;
}
@@ -269,9 +287,29 @@ static int out_utf8(unsigned long value, void *arg)
static int type_str(unsigned long value, void *arg)
{
- unsigned long types = *((unsigned long *)arg);
+ unsigned long usable_types = *((unsigned long *)arg);
+ unsigned long types = usable_types;
const int native = value > INT_MAX ? INT_MAX : ossl_fromascii(value);
+ /*
+ * Clear out all the types which are not checked later. If any of those
+ * is present in the mask, then the UTF8 type will be added and checked
+ * below.
+ */
+ types &= B_ASN1_NUMERICSTRING | B_ASN1_PRINTABLESTRING
+ | B_ASN1_IA5STRING | B_ASN1_T61STRING | B_ASN1_BMPSTRING
+ | B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING;
+
+ /*
+ * If any other types were in the input mask, they're effectively treated
+ * as UTF8
+ */
+ if (types != usable_types)
+ types |= B_ASN1_UTF8STRING;
+
+ /*
+ * These checks should be in sync with ASN1_mbstring_ncopy.
+ */
if ((types & B_ASN1_NUMERICSTRING) && !(ossl_isdigit(native)
|| native == ' '))
types &= ~B_ASN1_NUMERICSTRING;
@@ -283,6 +321,8 @@ static int type_str(unsigned long value, void *arg)
types &= ~B_ASN1_T61STRING;
if ((types & B_ASN1_BMPSTRING) && (value > 0xffff))
types &= ~B_ASN1_BMPSTRING;
+ if ((types & B_ASN1_UTF8STRING) && !is_unicode_valid(value))
+ types &= ~B_ASN1_UTF8STRING;
if (!types)
return -1;
*((unsigned long *)arg) = types;
@@ -338,6 +378,8 @@ static int cpy_utf8(unsigned long value, void *arg)
p = arg;
/* We already know there is enough room so pass 0xff as the length */
ret = UTF8_putc(*p, 0xff, value);
+ if (ret < 0)
+ return ret;
*p += ret;
return 1;
}
diff --git a/crypto/asn1/a_utf8.c b/crypto/asn1/a_utf8.c
index e2dc09f..6572726 100644
--- a/crypto/asn1/a_utf8.c
+++ b/crypto/asn1/a_utf8.c
@@ -1,7 +1,7 @@
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -9,6 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
+#include "internal/unicode.h"
#include <openssl/asn1.h>
/* UTF8 utilities */
@@ -58,6 +59,8 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
value |= *p++ & 0x3f;
if (value < 0x800)
return -4;
+ if (is_unicode_surrogate(value))
+ return -2;
ret = 3;
} else if ((*p & 0xf8) == 0xf0) {
if (len < 4)
@@ -73,40 +76,6 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
if (value < 0x10000)
return -4;
ret = 4;
- } else if ((*p & 0xfc) == 0xf8) {
- if (len < 5)
- return -1;
- if (((p[1] & 0xc0) != 0x80)
- || ((p[2] & 0xc0) != 0x80)
- || ((p[3] & 0xc0) != 0x80)
- || ((p[4] & 0xc0) != 0x80))
- return -3;
- value = ((unsigned long)(*p++ & 0x3)) << 24;
- value |= ((unsigned long)(*p++ & 0x3f)) << 18;
- value |= ((unsigned long)(*p++ & 0x3f)) << 12;
- value |= (*p++ & 0x3f) << 6;
- value |= *p++ & 0x3f;
- if (value < 0x200000)
- return -4;
- ret = 5;
- } else if ((*p & 0xfe) == 0xfc) {
- if (len < 6)
- return -1;
- if (((p[1] & 0xc0) != 0x80)
- || ((p[2] & 0xc0) != 0x80)
- || ((p[3] & 0xc0) != 0x80)
- || ((p[4] & 0xc0) != 0x80)
- || ((p[5] & 0xc0) != 0x80))
- return -3;
- value = ((unsigned long)(*p++ & 0x1)) << 30;
- value |= ((unsigned long)(*p++ & 0x3f)) << 24;
- value |= ((unsigned long)(*p++ & 0x3f)) << 18;
- value |= ((unsigned long)(*p++ & 0x3f)) << 12;
- value |= (*p++ & 0x3f) << 6;
- value |= *p++ & 0x3f;
- if (value < 0x4000000)
- return -4;
- ret = 6;
} else
return -2;
*val = value;
@@ -116,15 +85,15 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
/*
* This takes a character 'value' and writes the UTF8 encoded value in 'str'
* where 'str' is a buffer containing 'len' characters. Returns the number of
- * characters written or -1 if 'len' is too small. 'str' can be set to NULL
- * in which case it just returns the number of characters. It will need at
- * most 6 characters.
+ * characters written, -1 if 'len' is too small or -2 if 'value' is out of
+ * range. 'str' can be set to NULL in which case it just returns the number of
+ * characters. It will need at most 4 characters.
*/
int UTF8_putc(unsigned char *str, int len, unsigned long value)
{
if (!str)
- len = 6; /* Maximum we will need */
+ len = 4; /* Maximum we will need */
else if (len <= 0)
return -1;
if (value < 0x80) {
@@ -142,6 +111,8 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value)
return 2;
}
if (value < 0x10000) {
+ if (is_unicode_surrogate(value))
+ return -2;
if (len < 3)
return -1;
if (str) {
@@ -151,7 +122,7 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value)
}
return 3;
}
- if (value < 0x200000) {
+ if (value < UNICODE_LIMIT) {
if (len < 4)
return -1;
if (str) {
@@ -162,27 +133,5 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value)
}
return 4;
}
- if (value < 0x4000000) {
- if (len < 5)
- return -1;
- if (str) {
- *str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8);
- *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
- *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
- *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
- *str = (unsigned char)((value & 0x3f) | 0x80);
- }
- return 5;
- }
- if (len < 6)
- return -1;
- if (str) {
- *str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc);
- *str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80);
- *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
- *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
- *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
- *str = (unsigned char)((value & 0x3f) | 0x80);
- }
- return 6;
+ return -2;
}
diff --git a/include/internal/unicode.h b/include/internal/unicode.h
new file mode 100644
index 0000000..a6de835
--- /dev/null
+++ b/include/internal/unicode.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_UNICODE_H
+# define OSSL_INTERNAL_UNICODE_H
+# pragma once
+
+typedef enum {
+ SURROGATE_MIN = 0xd800UL,
+ SURROGATE_MAX = 0xdfffUL,
+ UNICODE_MAX = 0x10ffffUL,
+ UNICODE_LIMIT
+} UNICODE_CONSTANTS;
+
+static ossl_unused ossl_inline int is_unicode_surrogate(unsigned long value)
+{
+ return value >= SURROGATE_MIN && value <= SURROGATE_MAX;
+}
+
+static ossl_unused ossl_inline int is_unicode_valid(unsigned long value)
+{
+ return value <= UNICODE_MAX && !is_unicode_surrogate(value);
+}
+
+#endif
diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c
index 865e058..ccfb75a 100644
--- a/test/asn1_internal_test.c
+++ b/test/asn1_internal_test.c
@@ -107,9 +107,50 @@ static int test_standard_methods(void)
return 0;
}
+/**********************************************************************
+ *
+ * Tests of the Unicode code point range
+ *
+ ***/
+
+static int test_unicode(const unsigned char *univ, size_t len, int expected)
+{
+ const unsigned char *end = univ + len;
+ int ok = 1;
+
+ for (; univ < end; univ += 4) {
+ if (!TEST_int_eq(ASN1_mbstring_copy(NULL, univ, 4, MBSTRING_UNIV,
+ B_ASN1_UTF8STRING),
+ expected))
+ ok = 0;
+ }
+ return ok;
+}
+
+static int test_unicode_range(void)
+{
+ const unsigned char univ_ok[] = "\0\0\0\0"
+ "\0\0\xd7\xff"
+ "\0\0\xe0\x00"
+ "\0\x10\xff\xff";
+ const unsigned char univ_bad[] = "\0\0\xd8\x00"
+ "\0\0\xdf\xff"
+ "\0\x11\x00\x00"
+ "\x80\x00\x00\x00"
+ "\xff\xff\xff\xff";
+ int ok = 1;
+
+ if (!test_unicode(univ_ok, sizeof univ_ok - 1, V_ASN1_UTF8STRING))
+ ok = 0;
+ if (!test_unicode(univ_bad, sizeof univ_bad - 1, -1))
+ ok = 0;
+ return ok;
+}
+
int setup_tests(void)
{
ADD_TEST(test_tbl_standard);
ADD_TEST(test_standard_methods);
+ ADD_TEST(test_unicode_range);
return 1;
}
--
2.52.0

168
SPECS/openssl.spec
View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1k
Release: 14%{?dist}
Release: 15%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -99,11 +99,15 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch
# Backport from OpenSSL 3.2/RHEL 9
# Proper fix for CVE-2020-25659
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
# Backport from OpenSSL 3.0
# Backport from OpenSSL 3.2
# Fix for CVE-2024-5535
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
# Fix for CVE-2025-9230
Patch110: openssl-1.1.1-cve-2025-9230.patch
Patch111: openssl-1.1.1-ticket_lifetime_hint.patch
# Fix for CVE-2025-69419 (next two)
Patch112: openssl-1.1.1-hardening-from-openssl-3.0.1.patch
Patch113: openssl-1.1.1-cve-2025-69419.patch
License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/
@ -182,64 +186,66 @@ from other formats to the formats used by the OpenSSL toolkit.
cp %{SOURCE12} crypto/ec/
cp %{SOURCE13} test/
%patch1 -p1 -b .build %{?_rawbuild}
%patch2 -p1 -b .defaults
%patch3 -p1 -b .no-html %{?_rawbuild}
%patch4 -p1 -b .man-rename
%patch -P1 -p1 -b .build %{?_rawbuild}
%patch -P2 -p1 -b .defaults
%patch -P3 -p1 -b .no-html %{?_rawbuild}
%patch -P4 -p1 -b .man-rename
%patch31 -p1 -b .conf-paths
%patch32 -p1 -b .version-add-engines
%patch33 -p1 -b .dgst
%patch36 -p1 -b .no-brainpool
%patch37 -p1 -b .curves
%patch38 -p1 -b .no-weak-verify
%patch40 -p1 -b .sslv3-abi
%patch41 -p1 -b .system-cipherlist
%patch42 -p1 -b .fips
%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel
%patch47 -p1 -b .ts-sha256-default
%patch48 -p1 -b .fips-post-rand
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf
%patch51 -p1 -b .intel-cet
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
%patch55 -p1 -b .arm-update
%patch56 -p1 -b .s390x-ecc
%patch60 -p1 -b .krb5-kdf
%patch61 -p1 -b .edk2-build
%patch62 -p1 -b .fips-curves
%patch65 -p1 -b .drbg-selftest
%patch66 -p1 -b .fips-dh
%patch67 -p1 -b .kdf-selftest
%patch69 -p1 -b .alpn-cb
%patch70 -p1 -b .rewire-fips-drbg
%patch74 -p1 -b .addrconfig
%patch75 -p1 -b .tls13-curves
%patch76 -p1 -b .cleanup-reneg
%patch77 -p1 -b .s390x-aes
%patch78 -p1 -b .addr-ipv6
%patch79 -p1 -b .servername-cb
%patch80 -p1 -b .s390x-test-aes
%patch81 -p1 -b .read-buff
%patch82 -p1 -b .cve-2022-0778
%patch83 -p1 -b .replace-expired-certs
%patch84 -p1 -b .cve-2022-1292
%patch85 -p1 -b .cve-2022-2068
%patch86 -p1 -b .cve-2022-2097
%patch101 -p1 -b .cve-2022-4304
%patch102 -p1 -b .cve-2022-4450
%patch103 -p1 -b .cve-2023-0215
%patch104 -p1 -b .cve-2023-0286
%patch105 -p1 -b .cve-2023-3446
%patch106 -p1 -b .cve-2023-3817
%patch107 -p1 -b .cve-2023-5678
%patch108 -p1 -b .pkcs15imprejection
%patch109 -p1 -b .cve-2024-5535
%patch110 -p1 -b .cve-2025-9230
%patch111 -p1 -b .ticket_lifetime_hint
%patch -P31 -p1 -b .conf-paths
%patch -P32 -p1 -b .version-add-engines
%patch -P33 -p1 -b .dgst
%patch -P36 -p1 -b .no-brainpool
%patch -P37 -p1 -b .curves
%patch -P38 -p1 -b .no-weak-verify
%patch -P40 -p1 -b .sslv3-abi
%patch -P41 -p1 -b .system-cipherlist
%patch -P42 -p1 -b .fips
%patch -P44 -p1 -b .version-override
%patch -P45 -p1 -b .weak-ciphers
%patch -P46 -p1 -b .seclevel
%patch -P47 -p1 -b .ts-sha256-default
%patch -P48 -p1 -b .fips-post-rand
%patch -P49 -p1 -b .evp-kdf
%patch -P50 -p1 -b .ssh-kdf
%patch -P51 -p1 -b .intel-cet
%patch -P52 -p1 -b .s390x-update
%patch -P53 -p1 -b .crng-test
%patch -P55 -p1 -b .arm-update
%patch -P56 -p1 -b .s390x-ecc
%patch -P60 -p1 -b .krb5-kdf
%patch -P61 -p1 -b .edk2-build
%patch -P62 -p1 -b .fips-curves
%patch -P65 -p1 -b .drbg-selftest
%patch -P66 -p1 -b .fips-dh
%patch -P67 -p1 -b .kdf-selftest
%patch -P69 -p1 -b .alpn-cb
%patch -P70 -p1 -b .rewire-fips-drbg
%patch -P74 -p1 -b .addrconfig
%patch -P75 -p1 -b .tls13-curves
%patch -P76 -p1 -b .cleanup-reneg
%patch -P77 -p1 -b .s390x-aes
%patch -P78 -p1 -b .addr-ipv6
%patch -P79 -p1 -b .servername-cb
%patch -P80 -p1 -b .s390x-test-aes
%patch -P81 -p1 -b .read-buff
%patch -P82 -p1 -b .cve-2022-0778
%patch -P83 -p1 -b .replace-expired-certs
%patch -P84 -p1 -b .cve-2022-1292
%patch -P85 -p1 -b .cve-2022-2068
%patch -P86 -p1 -b .cve-2022-2097
%patch -P101 -p1 -b .cve-2022-4304
%patch -P102 -p1 -b .cve-2022-4450
%patch -P103 -p1 -b .cve-2023-0215
%patch -P104 -p1 -b .cve-2023-0286
%patch -P105 -p1 -b .cve-2023-3446
%patch -P106 -p1 -b .cve-2023-3817
%patch -P107 -p1 -b .cve-2023-5678
%patch -P108 -p1 -b .pkcs15imprejection
%patch -P109 -p1 -b .cve-2024-5535
%patch -P110 -p1 -b .cve-2025-9230
%patch -P111 -p1 -b .ticket_lifetime_hint
%patch -P112 -p1 -b .cve-2025-69419-1
%patch -P113 -p1 -b .cve-2025-69419-2
%build
# Figure out which flags we want to use.
@ -523,61 +529,63 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
* Mon Dec 08 2025 Nikita Sanjay Patwa <npatwa@redhat.com> - 1:1.1.1k-14
- Backport fix for Out-of-bounds read & write in RFC 3211 KEK Unwrap
Fix CVE-2025-9230
Resolves: RHEL-128613
- Fix bug for ticket_lifetime_hint exceed issue
Resolves: RHEL-119891
* Thu Feb 12 2026 Antonio Vieiro <avieirov@redhat.com> - 1:1.1.1k-15
- Fix CVE-2025-69419: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing
ticket_lifetime_hint exceed 1 week in TLSv1.3 and breaks compliant clients
Resolves: RHEL-149165
Resolves: RHEL-142715
* Mon Sep 16 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-13
- Backport fix SSL_select_next proto from OpenSSL 3.2
* Mon Dec 22 2025 Nikita Sanjay Patwa <npatwa@redhat.com> - 1:1.1.1k-14.1
- Backport fix for openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap
Fix CVE-2025-9230
Resolves: RHEL-128615
* Tue Sep 17 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-14
- Backport fix SSL_select_next proto from OpenSSL 3.2
Fix CVE-2024-5535
Resolves: RHEL-45654
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
(a proper fix for CVE-2020-25659)
Resolves: RHEL-17696
Resolves: RHEL-17694
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow
Resolves: RHEL-16538
Resolves: RHEL-16536
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
Resolves: RHEL-14245
Resolves: RHEL-14243
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
Resolves: RHEL-14239
Resolves: RHEL-14237
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
* Thu May 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
- Fixed Timing Oracle in RSA Decryption
Resolves: CVE-2022-4304
- Fixed Double free after calling PEM_read_bio_ex
Resolves: CVE-2022-4450
- Fixed Use-after-free following BIO_new_NDEF
Resolves: CVE-2023-0215
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
- Fixed X.400 address type confusion in X.509 GeneralName
Resolves: CVE-2023-0286
* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
- Fix no-ec build
Resolves: rhbz#2071020
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
Resolves: CVE-2022-2097
- Update expired certificates used in the testsuite
Resolves: rhbz#2092462
Resolves: rhbz#2100554
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
Resolves: rhbz#2090372
Resolves: rhbz#2090371
- Fix CVE-2022-2068: the c_rehash script allows command injection
Resolves: rhbz#2098279
Resolves: rhbz#2098278
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
- Resolves: rhbz#2067146
- Resolves: rhbz#2067145
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings