--- rpms/openssl/sme8/openssl.spec 2014/02/18 18:24:06 1.2
+++ rpms/openssl/sme8/openssl.spec 2015/04/15 14:21:07 1.8
@@ -21,7 +21,7 @@
 Summary: The OpenSSL toolkit
 Name: openssl
 Version: 0.9.8e
-Release: 27.1%{?dist}
+Release: 33.1%{?dist}
 # The tarball is based on the openssl-fips-1.2.0-test.tar.gz tarball
 Source: openssl-fips-%{version}-usa.tar.bz2
 Source1: hobble-openssl
@@ -94,6 +94,22 @@ Patch104: openssl-fips-0.9.8e-cve-2012-2
 Patch105: openssl-fips-0.9.8e-secure-getenv.patch
 Patch106: openssl-fips-0.9.8e-cve-2013-0166.patch
 Patch107: openssl-fips-0.9.8e-cve-2013-0169.patch
+Patch108: openssl-fips-0.9.8e-cve-2014-0224.patch
+Patch109: openssl-fips-0.9.8e-cve-2014-0221.patch
+Patch110: openssl-fips-0.9.8e-cve-2014-3505.patch
+Patch111: openssl-fips-0.9.8e-cve-2014-3506.patch
+Patch112: openssl-fips-0.9.8e-cve-2014-3508.patch
+Patch113: openssl-fips-0.9.8e-cve-2014-3510.patch
+Patch114: openssl-fips-0.9.8e-fallback-scsv.patch
+Patch115: openssl-fips-0.9.8e-x509-store-lock.patch
+# This patch includes the CVE-2015-0286 fix
+Patch116: openssl-fips-0.9.8e-cve-2014-8275.patch
+Patch117: openssl-fips-0.9.8e-cve-2015-0204.patch
+Patch118: openssl-fips-0.9.8e-cve-2015-0287.patch
+Patch119: openssl-fips-0.9.8e-cve-2015-0288.patch
+Patch120: openssl-fips-0.9.8e-cve-2015-0289.patch
+Patch121: openssl-fips-0.9.8e-cve-2015-0292.patch
+Patch122: openssl-fips-0.9.8e-cve-2015-0293.patch
 
 License: BSDish
 Group: System Environment/Libraries
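Review bot: The comment added above Patch116, `# This patch includes the CVE-2015-0286 fix`, reads as if a separate CVE-2015-0286 correction were bundled into the file, while the new changelog entry describes the same patch as the CVE-2014-8275 fix done "without introduction of CVE-2015-0286"; the two wordings should agree so that nobody later hunts for a missing 0286 patch. I would reword it to `# CVE-2014-8275 fix, backported so that it does not introduce CVE-2015-0286`. The fifteen new Patch lines also carry no provenance; the changelog entries credited to Tomas Mraz suggest they were lifted from the Red Hat 0.9.8e-33 source package, and a one-line comment above Patch108 naming that origin would make the next rebase much easier to audit. Whether the .patch files shipped in the SRPM actually match that upstream cannot be checked from the spec alone.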
@@ -195,6 +211,21 @@ from other formats to the formats used b
 %patch105 -p1 -b .secure-getenv
 %patch106 -p1 -b .ocsp-dos
 %patch107 -p1 -b .lucky13
+%patch108 -p1 -b .keying-mitm
+%patch109 -p1 -b .dtls-recursion
+%patch110 -p1 -b .dtls-doublefree
+%patch111 -p1 -b .dtls-sizechecks
+%patch112 -p1 -b .oid-handling
+%patch113 -p1 -b .adh-dos
+%patch114 -p1 -b .fallback-scsv
+%patch115 -p1 -b .lock
+%patch116 -p1 -b .cert-fingerprint
+%patch117 -p1 -b .rsa-ephemeral
+%patch118 -p1 -b .item-reuse
+%patch119 -p1 -b .req-null-deref
+%patch120 -p1 -b .pkcs7-null-deref
+%patch121 -p1 -b .b64-underflow
+%patch122 -p1 -b .ssl2-assert
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
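Review bot: `%patch114 -p1 -b .fallback-scsv` is the only POODLE-related change in this set, and the changelog itself calls it a partial mitigation of CVE-2014-3566: TLS_FALLBACK_SCSV only blocks a protocol downgrade when both peers implement it, and as far as this spec shows nothing disables SSLv3 by default, so services linked against this build still negotiate SSLv3 with legacy clients unless their own configuration forbids it. A comment on that line, e.g. `# fallback SCSV only; SSLv3 stays enabled and must be disabled per service`, would stop the rebuild from being read as a complete POODLE fix. As a style point, `-b .lock` on `%patch115` is the one backup suffix that does not say what it patches; `-b .x509-store-lock` would match the neighbouring lines and the patch filename. The enclosing %prep section begins before this hunk.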
@@ -448,10 +479,38 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openss
 %postun -p /sbin/ldconfig
 
 %changelog
-* Mon Feb 17 2014 Ian Wells 0.9.8e-27.1.el5.sme
-- update with ca-bundle.crt from SME 9 [SME: 8208]
+* Wed Apr 15 2015 Daniel Berteaud 0.9.8e-27.1
+* Thu Apr 2 2015 Tomas Mraz 0.9.8e-33
+- fix CVE-2014-8275 (without introduction of CVE-2015-0286) - various
+  certificate fingerprint issues
+- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export
+  ciphersuites and on server
+- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
+- fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference
+- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
+- fix CVE-2015-0292 - integer underflow in base64 decoder
+- fix CVE-2015-0293 - triggerable assert in SSLv2 server
+
+* Wed Dec 17 2014 Tomas Mraz 0.9.8e-32
+- properly lock X509_STORE accesses (#1168938)
+
+* Wed Oct 15 2014 Tomas Mraz 0.9.8e-31
+- add support for fallback SCSV to partially mitigate CVE-2014-3566
+  (padding attack on SSL3)
+
+* Fri Aug 8 2014 Tomas Mraz 0.9.8e-30
+- fix CVE-2014-0221 - recursion in DTLS code leading to DoS
+- fix CVE-2014-3505 - doublefree in DTLS packet processing
+- fix CVE-2014-3506 - avoid memory exhaustion in DTLS
+- fix CVE-2014-3508 - fix OID handling to avoid information leak
+- fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
+
+* Mon Jun 2 2014 Tomas Mraz 0.9.8e-29
+- fix for CVE-2014-0224 - SSL/TLS MITM vulnerability
+
+* Tue Jan 28 2014 Tomas Mraz 0.9.8e-28
 - replace expired GlobalSign Root CA certificate in ca-bundle.crt
 
 * Mon Feb 25 2013 Tomas Mraz 0.9.8e-27