From cb1dfbe298cd35442cf64a6d0d7afff9fb7bbfe7 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 12 Mar 2024 21:19:38 +0000
Subject: [PATCH] import UBI dotnet6.0-6.0.128-2.el9_3
---
.dotnet6.0.metadata | 2 +-
.gitignore | 2 +-
SOURCES/runtime-openssl-sha1.patch | 34 ++++++++++++++++++++++++++++++
SPECS/dotnet6.0.spec | 28 ++++++++++++++++++++----
4 files changed, 60 insertions(+), 6 deletions(-)
create mode 100644 SOURCES/runtime-openssl-sha1.patch
diff --git a/.dotnet6.0.metadata b/.dotnet6.0.metadata
index 11bca36..7a20510 100644
--- a/.dotnet6.0.metadata
+++ b/.dotnet6.0.metadata
@@ -1 +1 @@
-722442f6afac60d4d6dce2c43752717a4d396d84 SOURCES/dotnet-v6.0.127.tar.gz
+c649ed6290120976258e02ab5bab39e37f565b86 SOURCES/dotnet-v6.0.128.tar.gz
diff --git a/.gitignore b/.gitignore
index 1dc40a5..546c695 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/dotnet-v6.0.127.tar.gz
+SOURCES/dotnet-v6.0.128.tar.gz
diff --git a/SOURCES/runtime-openssl-sha1.patch b/SOURCES/runtime-openssl-sha1.patch
new file mode 100644
index 0000000..98f48d7
--- /dev/null
+++ b/SOURCES/runtime-openssl-sha1.patch
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+ {
+ int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+
+- if (val != 0)
+- {
+- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+- }
+-
+ return val;
+ }
+
+--
+2.43.2
+
diff --git a/SPECS/dotnet6.0.spec b/SPECS/dotnet6.0.spec
index 39761f7..a317046 100644
--- a/SPECS/dotnet6.0.spec
+++ b/SPECS/dotnet6.0.spec
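Review bot: The embedded pal_x509.c hunk in SOURCES/runtime-openssl-sha1.patch drops `X509_V_FLAG_CHECK_SS_SIGNATURE` for every context initialised through `CryptoNative_X509StoreCtxInit`, not only for chains that end in a SHA-1-signed certificate, and leaves nothing in the C source to say why. With the flag gone, the self-signature of the last certificate in a chain is no longer verified, so a self-signed certificate whose signature does not verify is presumably reported only through its trust status. Callers that relied on a signature error for such certificates are outside this hunk and should be checked. I would leave a comment at the removed spot so a later rebase does not restore the flag, for example `/* X509_V_FLAG_CHECK_SS_SIGNATURE deliberately not set: RHEL OpenSSL disables SHA-1 signatures, see RHEL-25254 */`. A regression test covering a self-signed certificate with an invalid signature would pin the new behaviour.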
@@ -20,10 +20,10 @@ # until that's done, disable LTO. This has to happen before setting the flags below. %define _lto_cflags %{nil} -%global host_version 6.0.27 -%global runtime_version 6.0.27 +%global host_version 6.0.28 +%global runtime_version 6.0.28 %global aspnetcore_runtime_version %{runtime_version} -%global sdk_version 6.0.127 +%global sdk_version 6.0.128 %global sdk_feature_band_version %(echo %{sdk_version} | sed -e 's|[[:digit:]][[:digit:]]$|00|') %global templates_version %{runtime_version} #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }') @@ -60,7 +60,7 @@ Name: dotnet6.0 Version: %{sdk_rpm_version} -Release: 1%{?dist} +Release: 2%{?dist} Summary: .NET Runtime and SDK License: MIT and ASL 2.0 and BSD and LGPLv2+ and CC-BY and CC0 and MS-PL and EPL-1.0 and GPL+ and GPLv2 and ISC and OFL and zlib URL: https://github.com/dotnet/ @@ -88,6 +88,13 @@ Patch100: runtime-arm64-lld-fix.patch Patch101: runtime-mono-remove-ilstrip.patch # https://github.com/dotnet/runtime/pull/95218#issuecomment-1842799422 Patch102: runtime-re-enable-implicit-rejection.patch +# We disable checking the signature of the last certificate in a chain +# if the certificate is supposedly self-signed. A side effect of not +# checking the self-signature of such a certificate is that disabled +# or unsupported message digests used for the signature are not +# treated as fatal errors. https://issues.redhat.com/browse/RHEL-25254 +Patch103: runtime-openssl-sha1.patch + # Disable apphost, needed for s390x Patch500: fsharp-no-apphost.patch @@ -378,6 +385,7 @@ pushd src/runtime %patch100 -p1 %patch101 -p1 %patch102 -p1 +%patch103 -p1 popd pushd src/fsharp 
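Review bot: The comment added above `Patch103` in the `@@ -88,6 +88,13 @@` hunk cites RHEL-25254, while the changelog entry for the same change resolves RHEL-28359, and unlike the `Patch102` comment just above it there is no upstream reference. Because this patch relaxes certificate validation in the bundled runtime, the comment should name both trackers and state whether the change exists upstream, so the patch can be re-evaluated on the next rebase. It would also help to name what is actually removed, for example `# Removes X509_V_FLAG_CHECK_SS_SIGNATURE in CryptoNative_X509StoreCtxInit (RHEL-25254, RHEL-28359)`.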
@@ -612,6 +620,18 @@ rm -rf %{buildroot}%{_libdir}/dotnet/packs/NETStandard.Library.Ref/2.1.0 %changelog +* Wed Mar 06 2024 Tom Deseyn - 6.0.128-2 +- We disable checking the signature of the last certificate in a chain + if the certificate is supposedly self-signed. A side effect of not + checking the self-signature of such a certificate is that disabled + or unsupported message digests used for the signature are not + treated as fatal errors. +- Resolves: RHEL-28359 + +* Thu Feb 29 2024 Omair Majid - 6.0.128-1 +- Update to .NET SDK 6.0.128 and Runtime 6.0.28 +- Resolves: RHEL-27540 + * Thu Feb 01 2024 Omair Majid - 6.0.127-1 - Update to .NET SDK 6.0.127 and Runtime 6.0.27 - Resolves: RHEL-23787