Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series

Resolves: RHEL-17696

openssl.spec

@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1k
-Release: 11%{?dist}
+Release: 12%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -96,6 +96,9 @@ Patch104: openssl-1.1.1-cve-2023-0286-X400.patch
 Patch105: openssl-1.1.1-cve-2023-3446.patch
 Patch106: openssl-1.1.1-cve-2023-3817.patch
 Patch107: openssl-1.1.1-cve-2023-5678.patch
+# Backport from OpenSSL 3.2/RHEL 9
+# Proper fix for CVE-2020-25659
+Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
 
 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
@@ -228,6 +231,7 @@ cp %{SOURCE13} test/
 %patch105 -p1 -b .cve-2023-3446
 %patch106 -p1 -b .cve-2023-3817
 %patch107 -p1 -b .cve-2023-5678
+%patch108 -p1 -b .pkcs15imprejection
 
 %build
 # Figure out which flags we want to use.
@@ -511,6 +515,11 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
+- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
+  (a proper fix for CVE-2020-25659)
+  Resolves: RHEL-17696
+
 * Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
 - Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
   excessively long X9.42 DH keys or parameters may be very slow