diff --git a/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch b/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch index a98d34e..8ea99e0 100644 --- a/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch +++ b/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch @@ -1,13 +1,11 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c --- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100 +++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200 -@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori +@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori #ifndef OPENSSL_NO_SRP static int init_srp(SSL *s, unsigned int context); #endif -+#ifndef OPENSSL_NO_EC +static int init_ec_point_formats(SSL *s, unsigned int context); -+#endif static int init_etm(SSL *s, unsigned int context); static int init_ems(SSL *s, unsigned int context); static int final_ems(SSL *s, unsigned int context, int sent); @@ -20,11 +18,10 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, final_ec_pt_formats }, -@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int +@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int } #endif -+#ifndef OPENSSL_NO_EC +static int init_ec_point_formats(SSL *s, unsigned int context) +{ + OPENSSL_free(s->ext.peer_ecpointformats); @@ -33,7 +30,6 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl + + return 1; +} -+#endif + static int init_etm(SSL *s, unsigned int context) { diff --git a/SOURCES/openssl-1.1.1-cve-2025-69419.patch b/SOURCES/openssl-1.1.1-cve-2025-69419.patch new file mode 100644 index 0000000..de141ae --- /dev/null +++ b/SOURCES/openssl-1.1.1-cve-2025-69419.patch @@ -0,0 +1,80 @@ +diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c +index 17f7372026c3b..01e2269444cba 100644 +--- a/crypto/asn1/a_strex.c ++++ b/crypto/asn1/a_strex.c +@@ -198,8 +198,10 @@ static int do_buf(unsigned char *buf, int buflen, + orflags = CHARTYPE_LAST_ESC_2253; + if (type & BUF_TYPE_CONVUTF8) { + unsigned char utfbuf[6]; +- int utflen; +- utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c); ++ int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c); ++ ++ if (utflen < 0) ++ return -1; /* error happened with UTF8 */ + for (i = 0; i < utflen; i++) { + /* + * We don't need to worry about setting orflags correctly + +diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c +index 50adce6b26fd2..8b5f2909e8d96 100644 +--- a/crypto/pkcs12/p12_utl.c ++++ b/crypto/pkcs12/p12_utl.c +@@ -213,6 +213,11 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen) + /* re-run the loop emitting UTF-8 string */ + for (asclen = 0, i = 0; i < unilen; ) { + j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i); ++ /* when UTF8_putc fails */ ++ if (j < 0) { ++ OPENSSL_free(asctmp); ++ return NULL; ++ } + if (j == 4) i += 4; + else i += 2; + asclen += j; + +From 06f1b7338403a56a645de93b95fc68f3ab165fd5 Mon Sep 17 00:00:00 2001 +From: Maurizio Barbaro +Date: Tue, 10 Feb 2026 10:39:46 +0100 +Subject: [PATCH 1/1] asn1_internal_test + +Signed-off-by: Maurizio Barbaro +--- + test/asn1_internal_test.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c +index ccfb75a..92ed921 100644 +--- a/test/asn1_internal_test.c ++++ b/test/asn1_internal_test.c +@@ -147,10 +147,27 @@ static int test_unicode_range(void) + return ok; + } + ++static int test_mbstring_ncopy(void) ++{ ++ ASN1_STRING *str = NULL; ++ const unsigned char in[] = { 0xFF, 0xFE, 0xFF, 0xFE }; ++ int inlen = 4; ++ int inform = MBSTRING_UNIV; ++ ++ if (!TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_GENERALSTRING, 0, 0), -1) ++ || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_VISIBLESTRING, 0, 0), -1) ++ || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_VIDEOTEXSTRING, 0, 0), -1) ++ || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_GENERALIZEDTIME, 0, 0), -1)) ++ return 0; ++ ++ return 1; ++} ++ + int setup_tests(void) + { + ADD_TEST(test_tbl_standard); + ADD_TEST(test_standard_methods); + ADD_TEST(test_unicode_range); ++ ADD_TEST(test_mbstring_ncopy); + return 1; + } +-- +2.52.0 + diff --git a/SOURCES/openssl-1.1.1-hardening-from-openssl-3.0.1.patch b/SOURCES/openssl-1.1.1-hardening-from-openssl-3.0.1.patch new file mode 100644 index 0000000..80aa0d7 --- /dev/null +++ b/SOURCES/openssl-1.1.1-hardening-from-openssl-3.0.1.patch @@ -0,0 +1,387 @@ +From 23c0f08fa39a825003c9d7eb0c28260939e0d3ef Mon Sep 17 00:00:00 2001 +From: Maurizio Barbaro +Date: Tue, 10 Feb 2026 11:48:41 +0100 +Subject: [PATCH 1/1] hardening-from-openssl-3.0.1 + +Signed-off-by: Maurizio Barbaro +--- + crypto/asn1/a_mbstr.c | 58 ++++++++++++++++++++++++---- + crypto/asn1/a_utf8.c | 77 +++++++------------------------------- + include/internal/unicode.h | 31 +++++++++++++++ + test/asn1_internal_test.c | 41 ++++++++++++++++++++ + 4 files changed, 135 insertions(+), 72 deletions(-) + create mode 100644 include/internal/unicode.h + +diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c +index bdb697a..6ef4137 100644 +--- a/crypto/asn1/a_mbstr.c ++++ b/crypto/asn1/a_mbstr.c +@@ -1,7 +1,7 @@ + /* +- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * +- * Licensed under the OpenSSL license (the "License"). You may not use ++ * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html +@@ -10,6 +10,7 @@ + #include + #include "crypto/ctype.h" + #include "internal/cryptlib.h" ++#include "internal/unicode.h" + #include + + static int traverse_string(const unsigned char *p, int len, int inform, +@@ -49,12 +50,15 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, + ASN1_STRING *dest; + unsigned char *p; + int nchar; +- char strbuf[32]; ++ char strbuf[32]; ++ + int (*cpyfunc) (unsigned long, void *) = NULL; + if (len == -1) + len = strlen((const char *)in); + if (!mask) + mask = DIRSTRING_TYPE; ++ if (len < 0) ++ return -1; + + /* First do a string check and work out the number of characters */ + switch (inform) { +@@ -116,7 +120,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, + return -1; + } + +- /* Now work out output format and string type */ ++ /* ++ * Now work out output format and string type. ++ * These checks should be in sync with the checks in type_str. ++ */ + outform = MBSTRING_ASC; + if (mask & B_ASN1_NUMERICSTRING) + str_type = V_ASN1_NUMERICSTRING; +@@ -182,7 +189,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, + + case MBSTRING_UTF8: + outlen = 0; +- traverse_string(in, len, inform, out_utf8, &outlen); ++ ret = traverse_string(in, len, inform, out_utf8, &outlen); ++ if (ret < 0) { ++ ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_INVALID_UTF8STRING); ++ return -1; ++ } + cpyfunc = cpy_utf8; + break; + } +@@ -247,6 +258,9 @@ static int traverse_string(const unsigned char *p, int len, int inform, + static int in_utf8(unsigned long value, void *arg) + { + int *nchar; ++ ++ if (!is_unicode_valid(value)) ++ return -2; + nchar = arg; + (*nchar)++; + return 1; +@@ -256,9 +270,13 @@ static int in_utf8(unsigned long value, void *arg) + + static int out_utf8(unsigned long value, void *arg) + { +- int *outlen; ++ int *outlen, len; ++ ++ len = UTF8_putc(NULL, -1, value); ++ if (len <= 0) ++ return len; + outlen = arg; +- *outlen += UTF8_putc(NULL, -1, value); ++ *outlen += len; + return 1; + } + +@@ -269,9 +287,29 @@ static int out_utf8(unsigned long value, void *arg) + + static int type_str(unsigned long value, void *arg) + { +- unsigned long types = *((unsigned long *)arg); ++ unsigned long usable_types = *((unsigned long *)arg); ++ unsigned long types = usable_types; + const int native = value > INT_MAX ? INT_MAX : ossl_fromascii(value); + ++ /* ++ * Clear out all the types which are not checked later. If any of those ++ * is present in the mask, then the UTF8 type will be added and checked ++ * below. ++ */ ++ types &= B_ASN1_NUMERICSTRING | B_ASN1_PRINTABLESTRING ++ | B_ASN1_IA5STRING | B_ASN1_T61STRING | B_ASN1_BMPSTRING ++ | B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING; ++ ++ /* ++ * If any other types were in the input mask, they're effectively treated ++ * as UTF8 ++ */ ++ if (types != usable_types) ++ types |= B_ASN1_UTF8STRING; ++ ++ /* ++ * These checks should be in sync with ASN1_mbstring_ncopy. ++ */ + if ((types & B_ASN1_NUMERICSTRING) && !(ossl_isdigit(native) + || native == ' ')) + types &= ~B_ASN1_NUMERICSTRING; +@@ -283,6 +321,8 @@ static int type_str(unsigned long value, void *arg) + types &= ~B_ASN1_T61STRING; + if ((types & B_ASN1_BMPSTRING) && (value > 0xffff)) + types &= ~B_ASN1_BMPSTRING; ++ if ((types & B_ASN1_UTF8STRING) && !is_unicode_valid(value)) ++ types &= ~B_ASN1_UTF8STRING; + if (!types) + return -1; + *((unsigned long *)arg) = types; +@@ -338,6 +378,8 @@ static int cpy_utf8(unsigned long value, void *arg) + p = arg; + /* We already know there is enough room so pass 0xff as the length */ + ret = UTF8_putc(*p, 0xff, value); ++ if (ret < 0) ++ return ret; + *p += ret; + return 1; + } +diff --git a/crypto/asn1/a_utf8.c b/crypto/asn1/a_utf8.c +index e2dc09f..6572726 100644 +--- a/crypto/asn1/a_utf8.c ++++ b/crypto/asn1/a_utf8.c +@@ -1,7 +1,7 @@ + /* +- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * +- * Licensed under the OpenSSL license (the "License"). You may not use ++ * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html +@@ -9,6 +9,7 @@ + + #include + #include "internal/cryptlib.h" ++#include "internal/unicode.h" + #include + + /* UTF8 utilities */ +@@ -58,6 +59,8 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val) + value |= *p++ & 0x3f; + if (value < 0x800) + return -4; ++ if (is_unicode_surrogate(value)) ++ return -2; + ret = 3; + } else if ((*p & 0xf8) == 0xf0) { + if (len < 4) +@@ -73,40 +76,6 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val) + if (value < 0x10000) + return -4; + ret = 4; +- } else if ((*p & 0xfc) == 0xf8) { +- if (len < 5) +- return -1; +- if (((p[1] & 0xc0) != 0x80) +- || ((p[2] & 0xc0) != 0x80) +- || ((p[3] & 0xc0) != 0x80) +- || ((p[4] & 0xc0) != 0x80)) +- return -3; +- value = ((unsigned long)(*p++ & 0x3)) << 24; +- value |= ((unsigned long)(*p++ & 0x3f)) << 18; +- value |= ((unsigned long)(*p++ & 0x3f)) << 12; +- value |= (*p++ & 0x3f) << 6; +- value |= *p++ & 0x3f; +- if (value < 0x200000) +- return -4; +- ret = 5; +- } else if ((*p & 0xfe) == 0xfc) { +- if (len < 6) +- return -1; +- if (((p[1] & 0xc0) != 0x80) +- || ((p[2] & 0xc0) != 0x80) +- || ((p[3] & 0xc0) != 0x80) +- || ((p[4] & 0xc0) != 0x80) +- || ((p[5] & 0xc0) != 0x80)) +- return -3; +- value = ((unsigned long)(*p++ & 0x1)) << 30; +- value |= ((unsigned long)(*p++ & 0x3f)) << 24; +- value |= ((unsigned long)(*p++ & 0x3f)) << 18; +- value |= ((unsigned long)(*p++ & 0x3f)) << 12; +- value |= (*p++ & 0x3f) << 6; +- value |= *p++ & 0x3f; +- if (value < 0x4000000) +- return -4; +- ret = 6; + } else + return -2; + *val = value; +@@ -116,15 +85,15 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val) + /* + * This takes a character 'value' and writes the UTF8 encoded value in 'str' + * where 'str' is a buffer containing 'len' characters. Returns the number of +- * characters written or -1 if 'len' is too small. 'str' can be set to NULL +- * in which case it just returns the number of characters. It will need at +- * most 6 characters. ++ * characters written, -1 if 'len' is too small or -2 if 'value' is out of ++ * range. 'str' can be set to NULL in which case it just returns the number of ++ * characters. It will need at most 4 characters. + */ + + int UTF8_putc(unsigned char *str, int len, unsigned long value) + { + if (!str) +- len = 6; /* Maximum we will need */ ++ len = 4; /* Maximum we will need */ + else if (len <= 0) + return -1; + if (value < 0x80) { +@@ -142,6 +111,8 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value) + return 2; + } + if (value < 0x10000) { ++ if (is_unicode_surrogate(value)) ++ return -2; + if (len < 3) + return -1; + if (str) { +@@ -151,7 +122,7 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value) + } + return 3; + } +- if (value < 0x200000) { ++ if (value < UNICODE_LIMIT) { + if (len < 4) + return -1; + if (str) { +@@ -162,27 +133,5 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value) + } + return 4; + } +- if (value < 0x4000000) { +- if (len < 5) +- return -1; +- if (str) { +- *str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8); +- *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80); +- *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); +- *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); +- *str = (unsigned char)((value & 0x3f) | 0x80); +- } +- return 5; +- } +- if (len < 6) +- return -1; +- if (str) { +- *str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc); +- *str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80); +- *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80); +- *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); +- *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); +- *str = (unsigned char)((value & 0x3f) | 0x80); +- } +- return 6; ++ return -2; + } +diff --git a/include/internal/unicode.h b/include/internal/unicode.h +new file mode 100644 +index 0000000..a6de835 +--- /dev/null ++++ b/include/internal/unicode.h +@@ -0,0 +1,31 @@ ++/* ++ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef OSSL_INTERNAL_UNICODE_H ++# define OSSL_INTERNAL_UNICODE_H ++# pragma once ++ ++typedef enum { ++ SURROGATE_MIN = 0xd800UL, ++ SURROGATE_MAX = 0xdfffUL, ++ UNICODE_MAX = 0x10ffffUL, ++ UNICODE_LIMIT ++} UNICODE_CONSTANTS; ++ ++static ossl_unused ossl_inline int is_unicode_surrogate(unsigned long value) ++{ ++ return value >= SURROGATE_MIN && value <= SURROGATE_MAX; ++} ++ ++static ossl_unused ossl_inline int is_unicode_valid(unsigned long value) ++{ ++ return value <= UNICODE_MAX && !is_unicode_surrogate(value); ++} ++ ++#endif +diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c +index 865e058..ccfb75a 100644 +--- a/test/asn1_internal_test.c ++++ b/test/asn1_internal_test.c +@@ -107,9 +107,50 @@ static int test_standard_methods(void) + return 0; + } + ++/********************************************************************** ++ * ++ * Tests of the Unicode code point range ++ * ++ ***/ ++ ++static int test_unicode(const unsigned char *univ, size_t len, int expected) ++{ ++ const unsigned char *end = univ + len; ++ int ok = 1; ++ ++ for (; univ < end; univ += 4) { ++ if (!TEST_int_eq(ASN1_mbstring_copy(NULL, univ, 4, MBSTRING_UNIV, ++ B_ASN1_UTF8STRING), ++ expected)) ++ ok = 0; ++ } ++ return ok; ++} ++ ++static int test_unicode_range(void) ++{ ++ const unsigned char univ_ok[] = "\0\0\0\0" ++ "\0\0\xd7\xff" ++ "\0\0\xe0\x00" ++ "\0\x10\xff\xff"; ++ const unsigned char univ_bad[] = "\0\0\xd8\x00" ++ "\0\0\xdf\xff" ++ "\0\x11\x00\x00" ++ "\x80\x00\x00\x00" ++ "\xff\xff\xff\xff"; ++ int ok = 1; ++ ++ if (!test_unicode(univ_ok, sizeof univ_ok - 1, V_ASN1_UTF8STRING)) ++ ok = 0; ++ if (!test_unicode(univ_bad, sizeof univ_bad - 1, -1)) ++ ok = 0; ++ return ok; ++} ++ + int setup_tests(void) + { + ADD_TEST(test_tbl_standard); + ADD_TEST(test_standard_methods); ++ ADD_TEST(test_unicode_range); + return 1; + } +-- +2.52.0 + diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index e203464..90f825b 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1k -Release: 14%{?dist} +Release: 15%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -99,11 +99,15 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch # Backport from OpenSSL 3.2/RHEL 9 # Proper fix for CVE-2020-25659 Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch -# Backport from OpenSSL 3.0 +# Backport from OpenSSL 3.2 # Fix for CVE-2024-5535 Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch +# Fix for CVE-2025-9230 Patch110: openssl-1.1.1-cve-2025-9230.patch Patch111: openssl-1.1.1-ticket_lifetime_hint.patch +# Fix for CVE-2025-69419 (next two) +Patch112: openssl-1.1.1-hardening-from-openssl-3.0.1.patch +Patch113: openssl-1.1.1-cve-2025-69419.patch License: OpenSSL and ASL 2.0 URL: http://www.openssl.org/ @@ -182,64 +186,66 @@ from other formats to the formats used by the OpenSSL toolkit. cp %{SOURCE12} crypto/ec/ cp %{SOURCE13} test/ -%patch1 -p1 -b .build %{?_rawbuild} -%patch2 -p1 -b .defaults -%patch3 -p1 -b .no-html %{?_rawbuild} -%patch4 -p1 -b .man-rename +%patch -P1 -p1 -b .build %{?_rawbuild} +%patch -P2 -p1 -b .defaults +%patch -P3 -p1 -b .no-html %{?_rawbuild} +%patch -P4 -p1 -b .man-rename -%patch31 -p1 -b .conf-paths -%patch32 -p1 -b .version-add-engines -%patch33 -p1 -b .dgst -%patch36 -p1 -b .no-brainpool -%patch37 -p1 -b .curves -%patch38 -p1 -b .no-weak-verify -%patch40 -p1 -b .sslv3-abi -%patch41 -p1 -b .system-cipherlist -%patch42 -p1 -b .fips -%patch44 -p1 -b .version-override -%patch45 -p1 -b .weak-ciphers -%patch46 -p1 -b .seclevel -%patch47 -p1 -b .ts-sha256-default -%patch48 -p1 -b .fips-post-rand -%patch49 -p1 -b .evp-kdf -%patch50 -p1 -b .ssh-kdf -%patch51 -p1 -b .intel-cet -%patch52 -p1 -b .s390x-update -%patch53 -p1 -b .crng-test -%patch55 -p1 -b .arm-update -%patch56 -p1 -b .s390x-ecc -%patch60 -p1 -b .krb5-kdf -%patch61 -p1 -b .edk2-build -%patch62 -p1 -b .fips-curves -%patch65 -p1 -b .drbg-selftest -%patch66 -p1 -b .fips-dh -%patch67 -p1 -b .kdf-selftest -%patch69 -p1 -b .alpn-cb -%patch70 -p1 -b .rewire-fips-drbg -%patch74 -p1 -b .addrconfig -%patch75 -p1 -b .tls13-curves -%patch76 -p1 -b .cleanup-reneg -%patch77 -p1 -b .s390x-aes -%patch78 -p1 -b .addr-ipv6 -%patch79 -p1 -b .servername-cb -%patch80 -p1 -b .s390x-test-aes -%patch81 -p1 -b .read-buff -%patch82 -p1 -b .cve-2022-0778 -%patch83 -p1 -b .replace-expired-certs -%patch84 -p1 -b .cve-2022-1292 -%patch85 -p1 -b .cve-2022-2068 -%patch86 -p1 -b .cve-2022-2097 -%patch101 -p1 -b .cve-2022-4304 -%patch102 -p1 -b .cve-2022-4450 -%patch103 -p1 -b .cve-2023-0215 -%patch104 -p1 -b .cve-2023-0286 -%patch105 -p1 -b .cve-2023-3446 -%patch106 -p1 -b .cve-2023-3817 -%patch107 -p1 -b .cve-2023-5678 -%patch108 -p1 -b .pkcs15imprejection -%patch109 -p1 -b .cve-2024-5535 -%patch110 -p1 -b .cve-2025-9230 -%patch111 -p1 -b .ticket_lifetime_hint +%patch -P31 -p1 -b .conf-paths +%patch -P32 -p1 -b .version-add-engines +%patch -P33 -p1 -b .dgst +%patch -P36 -p1 -b .no-brainpool +%patch -P37 -p1 -b .curves +%patch -P38 -p1 -b .no-weak-verify +%patch -P40 -p1 -b .sslv3-abi +%patch -P41 -p1 -b .system-cipherlist +%patch -P42 -p1 -b .fips +%patch -P44 -p1 -b .version-override +%patch -P45 -p1 -b .weak-ciphers +%patch -P46 -p1 -b .seclevel +%patch -P47 -p1 -b .ts-sha256-default +%patch -P48 -p1 -b .fips-post-rand +%patch -P49 -p1 -b .evp-kdf +%patch -P50 -p1 -b .ssh-kdf +%patch -P51 -p1 -b .intel-cet +%patch -P52 -p1 -b .s390x-update +%patch -P53 -p1 -b .crng-test +%patch -P55 -p1 -b .arm-update +%patch -P56 -p1 -b .s390x-ecc +%patch -P60 -p1 -b .krb5-kdf +%patch -P61 -p1 -b .edk2-build +%patch -P62 -p1 -b .fips-curves +%patch -P65 -p1 -b .drbg-selftest +%patch -P66 -p1 -b .fips-dh +%patch -P67 -p1 -b .kdf-selftest +%patch -P69 -p1 -b .alpn-cb +%patch -P70 -p1 -b .rewire-fips-drbg +%patch -P74 -p1 -b .addrconfig +%patch -P75 -p1 -b .tls13-curves +%patch -P76 -p1 -b .cleanup-reneg +%patch -P77 -p1 -b .s390x-aes +%patch -P78 -p1 -b .addr-ipv6 +%patch -P79 -p1 -b .servername-cb +%patch -P80 -p1 -b .s390x-test-aes +%patch -P81 -p1 -b .read-buff +%patch -P82 -p1 -b .cve-2022-0778 +%patch -P83 -p1 -b .replace-expired-certs +%patch -P84 -p1 -b .cve-2022-1292 +%patch -P85 -p1 -b .cve-2022-2068 +%patch -P86 -p1 -b .cve-2022-2097 +%patch -P101 -p1 -b .cve-2022-4304 +%patch -P102 -p1 -b .cve-2022-4450 +%patch -P103 -p1 -b .cve-2023-0215 +%patch -P104 -p1 -b .cve-2023-0286 +%patch -P105 -p1 -b .cve-2023-3446 +%patch -P106 -p1 -b .cve-2023-3817 +%patch -P107 -p1 -b .cve-2023-5678 +%patch -P108 -p1 -b .pkcs15imprejection +%patch -P109 -p1 -b .cve-2024-5535 +%patch -P110 -p1 -b .cve-2025-9230 +%patch -P111 -p1 -b .ticket_lifetime_hint +%patch -P112 -p1 -b .cve-2025-69419-1 +%patch -P113 -p1 -b .cve-2025-69419-2 %build # Figure out which flags we want to use. @@ -523,61 +529,63 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog -* Mon Dec 08 2025 Nikita Sanjay Patwa - 1:1.1.1k-14 -- Backport fix for Out-of-bounds read & write in RFC 3211 KEK Unwrap - Fix CVE-2025-9230 - Resolves: RHEL-128613 -- Fix bug for ticket_lifetime_hint exceed issue - Resolves: RHEL-119891 +* Thu Feb 12 2026 Antonio Vieiro - 1:1.1.1k-15 +- Fix CVE-2025-69419: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing + ticket_lifetime_hint exceed 1 week in TLSv1.3 and breaks compliant clients + Resolves: RHEL-149165 + Resolves: RHEL-142715 -* Mon Sep 16 2024 Maurizio Barbaro - 1:1.1.1k-13 -- Backport fix SSL_select_next proto from OpenSSL 3.2 +* Mon Dec 22 2025 Nikita Sanjay Patwa - 1:1.1.1k-14.1 +- Backport fix for openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap + Fix CVE-2025-9230 + Resolves: RHEL-128615 + +* Tue Sep 17 2024 Maurizio Barbaro - 1:1.1.1k-14 +- Backport fix SSL_select_next proto from OpenSSL 3.2 Fix CVE-2024-5535 Resolves: RHEL-45654 * Thu Nov 30 2023 Dmitry Belyavskiy - 1:1.1.1k-12 - Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series (a proper fix for CVE-2020-25659) - Resolves: RHEL-17696 + Resolves: RHEL-17694 * Wed Nov 15 2023 Clemens Lang - 1:1.1.1k-11 - Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow - Resolves: RHEL-16538 + Resolves: RHEL-16536 * Thu Oct 19 2023 Clemens Lang - 1:1.1.1k-10 - Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters - Resolves: RHEL-14245 + Resolves: RHEL-14243 - Fix CVE-2023-3817: Excessive time spent checking DH q parameter value - Resolves: RHEL-14239 + Resolves: RHEL-14237 -* Wed Feb 08 2023 Dmitry Belyavskiy - 1:1.1.1k-9 +* Thu May 04 2023 Dmitry Belyavskiy - 1:1.1.1k-9 - Fixed Timing Oracle in RSA Decryption Resolves: CVE-2022-4304 - Fixed Double free after calling PEM_read_bio_ex Resolves: CVE-2022-4450 - Fixed Use-after-free following BIO_new_NDEF Resolves: CVE-2023-0215 + +* Wed Feb 08 2023 Dmitry Belyavskiy - 1:1.1.1k-8 - Fixed X.400 address type confusion in X.509 GeneralName Resolves: CVE-2023-0286 -* Thu Jul 21 2022 Dmitry Belyavskiy - 1:1.1.1k-8 -- Fix no-ec build - Resolves: rhbz#2071020 - * Tue Jul 05 2022 Clemens Lang - 1:1.1.1k-7 - Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 Resolves: CVE-2022-2097 - Update expired certificates used in the testsuite - Resolves: rhbz#2092462 + Resolves: rhbz#2100554 - Fix CVE-2022-1292: openssl: c_rehash script allows command injection - Resolves: rhbz#2090372 + Resolves: rhbz#2090371 - Fix CVE-2022-2068: the c_rehash script allows command injection - Resolves: rhbz#2098279 + Resolves: rhbz#2098278 * Wed Mar 23 2022 Clemens Lang - 1:1.1.1k-6 - Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates -- Resolves: rhbz#2067146 +- Resolves: rhbz#2067145 * Tue Nov 16 2021 Sahana Prasad - 1:1.1.1k-5 - Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings