Compare commits
No commits in common. "c8s" and "c8" have entirely different histories.
@ -1 +0,0 @@
|
|||||||
1
|
|
||||||
48
.gitignore
vendored
48
.gitignore
vendored
@ -1,47 +1 @@
|
|||||||
.build*.log
|
SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
||||||
clog
|
|
||||||
000*.patch
|
|
||||||
*.src.rpm
|
|
||||||
openssl-1.0.0a-usa.tar.bz2
|
|
||||||
/openssl-1.0.0b-usa.tar.bz2
|
|
||||||
/openssl-1.0.0c-usa.tar.bz2
|
|
||||||
/openssl-1.0.0d-usa.tar.bz2
|
|
||||||
/openssl-1.0.0e-usa.tar.bz2
|
|
||||||
/openssl-1.0.0f-usa.tar.bz2
|
|
||||||
/openssl-1.0.0g-usa.tar.xz
|
|
||||||
/openssl-1.0.1-beta2-usa.tar.xz
|
|
||||||
/openssl-1.0.1-beta3-usa.tar.xz
|
|
||||||
/openssl-1.0.1-usa.tar.xz
|
|
||||||
/openssl-1.0.1a-usa.tar.xz
|
|
||||||
/openssl-1.0.1b-usa.tar.xz
|
|
||||||
/openssl-1.0.1c-usa.tar.xz
|
|
||||||
/openssl-1.0.1e-usa.tar.xz
|
|
||||||
/openssl-1.0.1e-hobbled.tar.xz
|
|
||||||
/openssl-1.0.1g-hobbled.tar.xz
|
|
||||||
/openssl-1.0.1h-hobbled.tar.xz
|
|
||||||
/openssl-1.0.1i-hobbled.tar.xz
|
|
||||||
/openssl-1.0.1j-hobbled.tar.xz
|
|
||||||
/openssl-1.0.1k-hobbled.tar.xz
|
|
||||||
/openssl-1.0.2a-hobbled.tar.xz
|
|
||||||
/openssl-1.0.2c-hobbled.tar.xz
|
|
||||||
/openssl-1.0.2d-hobbled.tar.xz
|
|
||||||
/openssl-1.0.2e-hobbled.tar.xz
|
|
||||||
/openssl-1.0.2f-hobbled.tar.xz
|
|
||||||
/openssl-1.0.2g-hobbled.tar.xz
|
|
||||||
/openssl-1.0.2h-hobbled.tar.xz
|
|
||||||
/openssl-1.0.2i-hobbled.tar.xz
|
|
||||||
/openssl-1.0.2j-hobbled.tar.xz
|
|
||||||
/openssl-1.1.0b-hobbled.tar.xz
|
|
||||||
/openssl-1.1.0c-hobbled.tar.xz
|
|
||||||
/openssl-1.1.0d-hobbled.tar.xz
|
|
||||||
/openssl-1.1.0e-hobbled.tar.xz
|
|
||||||
/openssl-1.1.0f-hobbled.tar.xz
|
|
||||||
/openssl-1.1.0g-hobbled.tar.xz
|
|
||||||
/openssl-1.1.0h-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1-pre8-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1-pre9-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1b-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1c-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1g-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1k-hobbled.tar.xz
|
|
||||||
|
|||||||
1
.openssl.metadata
Normal file
1
.openssl.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
||||||
@ -1,13 +1,11 @@
|
|||||||
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
|
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
|
||||||
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
|
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
|
||||||
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
|
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
|
||||||
@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori
|
@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
|
||||||
#ifndef OPENSSL_NO_SRP
|
#ifndef OPENSSL_NO_SRP
|
||||||
static int init_srp(SSL *s, unsigned int context);
|
static int init_srp(SSL *s, unsigned int context);
|
||||||
#endif
|
#endif
|
||||||
+#ifndef OPENSSL_NO_EC
|
|
||||||
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
||||||
+#endif
|
|
||||||
static int init_etm(SSL *s, unsigned int context);
|
static int init_etm(SSL *s, unsigned int context);
|
||||||
static int init_ems(SSL *s, unsigned int context);
|
static int init_ems(SSL *s, unsigned int context);
|
||||||
static int final_ems(SSL *s, unsigned int context, int sent);
|
static int final_ems(SSL *s, unsigned int context, int sent);
|
||||||
@ -20,11 +18,10 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
|
|||||||
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
||||||
final_ec_pt_formats
|
final_ec_pt_formats
|
||||||
},
|
},
|
||||||
@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int
|
@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
+#ifndef OPENSSL_NO_EC
|
|
||||||
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
||||||
+{
|
+{
|
||||||
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
||||||
@ -33,7 +30,6 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
|
|||||||
+
|
+
|
||||||
+ return 1;
|
+ return 1;
|
||||||
+}
|
+}
|
||||||
+#endif
|
|
||||||
+
|
+
|
||||||
static int init_etm(SSL *s, unsigned int context)
|
static int init_etm(SSL *s, unsigned int context)
|
||||||
{
|
{
|
||||||
@ -22,7 +22,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.1.1k
|
Version: 1.1.1k
|
||||||
Release: 13%{?dist}
|
Release: 14%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -99,7 +99,7 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch
|
|||||||
# Backport from OpenSSL 3.2/RHEL 9
|
# Backport from OpenSSL 3.2/RHEL 9
|
||||||
# Proper fix for CVE-2020-25659
|
# Proper fix for CVE-2020-25659
|
||||||
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
|
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
|
||||||
# Backport from OpenSSL 3.0
|
# Backport from OpenSSL 3.2
|
||||||
# Fix for CVE-2024-5535
|
# Fix for CVE-2024-5535
|
||||||
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
|
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
|
||||||
|
|
||||||
@ -519,54 +519,52 @@ export LD_LIBRARY_PATH
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Sep 16 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-13
|
* Tue Sep 17 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-14
|
||||||
- Backport fix SSL_select_next proto from OpenSSL 3.2
|
- Backport fix SSL_select_next proto from OpenSSL 3.2
|
||||||
Fix CVE-2024-5535
|
Fix CVE-2024-5535
|
||||||
Resolves: RHEL-45654
|
Resolves: RHEL-45654
|
||||||
|
|
||||||
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
|
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
|
||||||
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
|
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
|
||||||
(a proper fix for CVE-2020-25659)
|
(a proper fix for CVE-2020-25659)
|
||||||
Resolves: RHEL-17696
|
Resolves: RHEL-17694
|
||||||
|
|
||||||
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
|
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
|
||||||
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
|
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
|
||||||
excessively long X9.42 DH keys or parameters may be very slow
|
excessively long X9.42 DH keys or parameters may be very slow
|
||||||
Resolves: RHEL-16538
|
Resolves: RHEL-16536
|
||||||
|
|
||||||
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
|
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
|
||||||
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
|
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
|
||||||
Resolves: RHEL-14245
|
Resolves: RHEL-14243
|
||||||
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
|
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
|
||||||
Resolves: RHEL-14239
|
Resolves: RHEL-14237
|
||||||
|
|
||||||
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
|
* Thu May 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
|
||||||
- Fixed Timing Oracle in RSA Decryption
|
- Fixed Timing Oracle in RSA Decryption
|
||||||
Resolves: CVE-2022-4304
|
Resolves: CVE-2022-4304
|
||||||
- Fixed Double free after calling PEM_read_bio_ex
|
- Fixed Double free after calling PEM_read_bio_ex
|
||||||
Resolves: CVE-2022-4450
|
Resolves: CVE-2022-4450
|
||||||
- Fixed Use-after-free following BIO_new_NDEF
|
- Fixed Use-after-free following BIO_new_NDEF
|
||||||
Resolves: CVE-2023-0215
|
Resolves: CVE-2023-0215
|
||||||
|
|
||||||
|
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
|
||||||
- Fixed X.400 address type confusion in X.509 GeneralName
|
- Fixed X.400 address type confusion in X.509 GeneralName
|
||||||
Resolves: CVE-2023-0286
|
Resolves: CVE-2023-0286
|
||||||
|
|
||||||
* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
|
|
||||||
- Fix no-ec build
|
|
||||||
Resolves: rhbz#2071020
|
|
||||||
|
|
||||||
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
|
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
|
||||||
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
|
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
|
||||||
Resolves: CVE-2022-2097
|
Resolves: CVE-2022-2097
|
||||||
- Update expired certificates used in the testsuite
|
- Update expired certificates used in the testsuite
|
||||||
Resolves: rhbz#2092462
|
Resolves: rhbz#2100554
|
||||||
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
|
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
|
||||||
Resolves: rhbz#2090372
|
Resolves: rhbz#2090371
|
||||||
- Fix CVE-2022-2068: the c_rehash script allows command injection
|
- Fix CVE-2022-2068: the c_rehash script allows command injection
|
||||||
Resolves: rhbz#2098279
|
Resolves: rhbz#2098278
|
||||||
|
|
||||||
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
||||||
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
||||||
- Resolves: rhbz#2067146
|
- Resolves: rhbz#2067145
|
||||||
|
|
||||||
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
||||||
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
||||||
15
fixpatch
15
fixpatch
@ -1,15 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# Fixes patch from upstream tracker view
|
|
||||||
gawk '
|
|
||||||
BEGIN {
|
|
||||||
dir=""
|
|
||||||
}
|
|
||||||
/^Index: openssl\// {
|
|
||||||
dir = $2
|
|
||||||
}
|
|
||||||
/^(---|\+\+\+)/ {
|
|
||||||
$2 = dir
|
|
||||||
}
|
|
||||||
{
|
|
||||||
print
|
|
||||||
}'
|
|
||||||
@ -1,9 +0,0 @@
|
|||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- rhel-8
|
|
||||||
decision_context: osci_compose_gate
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}
|
|
||||||
@ -1,14 +0,0 @@
|
|||||||
Do not return failure when setting version bound on fixed protocol
|
|
||||||
version method.
|
|
||||||
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
|
|
||||||
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
|
|
||||||
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
|
|
||||||
* methods are not subject to controls that disable individual protocol
|
|
||||||
* versions.
|
|
||||||
*/
|
|
||||||
- return 0;
|
|
||||||
+ return 1;
|
|
||||||
|
|
||||||
case TLS_ANY_VERSION:
|
|
||||||
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
|
|
||||||
26
plans/ci.fmf
26
plans/ci.fmf
@ -1,26 +0,0 @@
|
|||||||
/fips-disabled-buildroot-disabled:
|
|
||||||
plan:
|
|
||||||
import:
|
|
||||||
url: https://pkgs.devel.redhat.com/git/tests/openssl
|
|
||||||
name: /Plans/ci/fips-disabled-buildroot-disabled
|
|
||||||
|
|
||||||
|
|
||||||
/fips-disabled-buildroot-enabled:
|
|
||||||
plan:
|
|
||||||
import:
|
|
||||||
url: https://pkgs.devel.redhat.com/git/tests/openssl
|
|
||||||
name: /Plans/ci/fips-disabled-buildroot-enabled
|
|
||||||
|
|
||||||
|
|
||||||
/fips-enabled-buildroot-disabled:
|
|
||||||
plan:
|
|
||||||
import:
|
|
||||||
url: https://pkgs.devel.redhat.com/git/tests/openssl
|
|
||||||
name: /Plans/ci/fips-enabled-buildroot-disabled
|
|
||||||
|
|
||||||
|
|
||||||
/fips-enabled-buildroot-enabled:
|
|
||||||
plan:
|
|
||||||
import:
|
|
||||||
url: https://pkgs.devel.redhat.com/git/tests/openssl
|
|
||||||
name: /Plans/ci/fips-enabled-buildroot-enabled
|
|
||||||
Loading…
Reference in New Issue
Block a user