Red Hat Bugzilla – Attachment 1073906 Details for Bug 1223990: Review Request: openssl101e - A general purpose cryptography library with TLS implementation
[patch] Diff between current OpenSSL from RHEL 6 and this package
diff (text/plain), 12.75 KB, created by Robert Scheck on 2015-09-16 07:08:29 UTC
>--- openssl.spec 2015-06-23 15:07:51.000000000 +0200 >+++ openssl101e.spec 2015-09-15 00:18:24.000000000 +0200 >@@ -19,9 +19,9 @@ > %define multilib_arches %{ix86} ia64 ppc ppc64 s390 s390x sparcv9 sparc64 x86_64 > > Summary: A general purpose cryptography library with TLS implementation >-Name: openssl >+Name: openssl101e > Version: 1.0.1e >-Release: 42%{?dist} >+Release: 3%{?dist} > # We have to remove certain patented algorithms from the openssl source > # tarball with the hobble-openssl script which is included below. > # The original openssl upstream tarball cannot be shipped in the .src.rpm. >@@ -131,6 +131,8 @@ > Patch132: openssl-1.0.1e-cve-2015-1790.patch > Patch133: openssl-1.0.1e-cve-2015-1791.patch > Patch134: openssl-1.0.1e-cve-2015-1792.patch >+# EPEL specific changes >+Patch900: openssl-1.0.1e-c_rehash.patch > > License: OpenSSL > Group: System Environment/Libraries >@@ -139,13 +141,12 @@ > BuildRequires: coreutils, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp > BuildRequires: /usr/bin/rename > Requires: coreutils, make >-Requires: ca-certificates >= 2008-5 >+Requires: openssl > > %description > The OpenSSL toolkit provides support for secure communications between > machines. OpenSSL includes a certificate management tool and shared >-libraries which provide various cryptographic algorithms and >-protocols. >+libraries which provide various cryptographic algorithms and protocols. > > %package devel > Summary: Files for development of applications which will use OpenSSL 
>@@ -154,9 +155,9 @@ > Requires: pkgconfig > > %description devel >-OpenSSL is a toolkit for supporting cryptography. The openssl-devel >-package contains include files needed to develop applications which >-support various cryptographic algorithms and protocols. >+OpenSSL is a toolkit for supporting cryptography. The openssl101e-devel >+package contains include files needed to develop applications which support >+various cryptographic algorithms and protocols. > > %package static > Summary: Libraries for static linking of applications which will use OpenSSL >@@ -164,10 +165,9 @@ > Requires: %{name}-devel = %{version}-%{release} > > %description static >-OpenSSL is a toolkit for supporting cryptography. The openssl-static >-package contains static libraries needed for static linking of >-applications which support various cryptographic algorithms and >-protocols. >+OpenSSL is a toolkit for supporting cryptography. The openssl101e-static >+package contains static libraries needed for static linking of applications >+which support various cryptographic algorithms and protocols. > > %package perl > Summary: Perl scripts provided with OpenSSL >@@ -176,16 +176,16 @@ > Requires: %{name} = %{version}-%{release} > > %description perl >-OpenSSL is a toolkit for supporting cryptography. The openssl-perl >-package provides Perl scripts for converting certificates and keys >-from other formats to the formats used by the OpenSSL toolkit. >+OpenSSL is a toolkit for supporting cryptography. The openssl101e-perl >+package provides Perl scripts for converting certificates and keys from >+other formats to the formats used by the OpenSSL toolkit. > > %prep >-%setup -q -n %{name}-%{version} >+%setup -q -n openssl-%{version} > > # The hobble_openssl is called here redundantly, just to be sure. > # The tarball has already the sources removed. >-%{SOURCE1} > /dev/null >+sh %{SOURCE1} > /dev/null > > cp %{SOURCE12} %{SOURCE13} crypto/ec/ 
> >@@ -284,6 +284,8 @@ > %patch133 -p1 -b .ticket-race > %patch134 -p1 -b .unknown-hash > >+%patch900 -p1 -b .c_rehash >+ > sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h > > # Modify the various perl scripts to reference perl in the right location. >@@ -338,7 +340,7 @@ > --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ > zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ > enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \ >- --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \ >+ --with-krb5-flavor=MIT --enginesdir=%{_libdir}/%{name}/engines \ > --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips} > > # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be >@@ -391,10 +393,10 @@ > %install > [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT > # Install OpenSSL. >-install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl} >+install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/%{name}} > make INSTALL_PREFIX=$RPM_BUILD_ROOT install > make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs >-mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl >+mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/%{name}/ > mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/ > rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man > rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion} 
>@@ -480,6 +482,26 @@ > rm -rf $RPM_BUILD_ROOT/%{_libdir}/fips_premain.* > rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* > >+# Transformation for openssl101e >+mkdir -p $RPM_BUILD_ROOT%{_includedir}/%{name}/ >+rm -rf $RPM_BUILD_ROOT{%{_mandir},%{_sysconfdir}/pki} >+rm -f $RPM_BUILD_ROOT%{_libdir}/*.so >+mv -f $RPM_BUILD_ROOT%{_includedir}/{openssl,%{name}/openssl}/ >+mv -f $RPM_BUILD_ROOT%{_bindir}/{openssl,%{name}} >+mv -f $RPM_BUILD_ROOT%{_libdir}/{*.a,%{name}} >+mv -f $RPM_BUILD_ROOT%{_bindir}/c_rehash{,101e} >+ >+for pc in libcrypto libssl openssl; do >+ sed -e 's@\(Libs: -L${libdir}\)@\1 -L${libdir}/%{name}@' \ >+ -e 's@\(Cflags: -I${includedir}\)@\1 -I${includedir}/%{name}@' \ >+ $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}101e.pc >+ touch -c -r $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}101e.pc >+ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc >+done >+ >+ln -s ../libcrypto.so.%{version} $RPM_BUILD_ROOT%{_libdir}/%{name}/libcrypto.so >+ln -s ../libssl.so.%{version} $RPM_BUILD_ROOT%{_libdir}/%{name}/libssl.so >+ > %clean > [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT 
> >@@ -490,86 +512,78 @@ > %doc doc/openssl_button.html doc/openssl_button.gif > %doc doc/ssleay.txt > %doc README.FIPS >-%{_sysconfdir}/pki/tls/certs/make-dummy-cert >-%{_sysconfdir}/pki/tls/certs/renew-dummy-cert >-%{_sysconfdir}/pki/tls/certs/Makefile >-%{_sysconfdir}/pki/tls/misc/CA >-%dir %{_sysconfdir}/pki/CA >-%dir %{_sysconfdir}/pki/CA/private >-%dir %{_sysconfdir}/pki/CA/certs >-%dir %{_sysconfdir}/pki/CA/crl >-%dir %{_sysconfdir}/pki/CA/newcerts >-%{_sysconfdir}/pki/tls/misc/c_* >-%attr(0755,root,root) %{_bindir}/openssl >-%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]* >-%attr(0644,root,root) %{_mandir}/man5*/* >-%attr(0644,root,root) %{_mandir}/man7*/* >-%dir %{_sysconfdir}/pki/tls >-%dir %{_sysconfdir}/pki/tls/certs >-%dir %{_sysconfdir}/pki/tls/misc >-%dir %{_sysconfdir}/pki/tls/private >-%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf >+%attr(0755,root,root) %{_bindir}/%{name} > %attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} > %attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion} > %attr(0755,root,root) %{_libdir}/libssl.so.%{version} > %attr(0755,root,root) %{_libdir}/libssl.so.%{soversion} > %attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac > %attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac >-%attr(0755,root,root) %{_libdir}/openssl >+%attr(0755,root,root) %{_libdir}/%{name} >+%exclude %{_libdir}/%{name}/*.a >+%exclude %{_libdir}/%{name}/*.so > > %files devel > %defattr(-,root,root) >-%{_prefix}/include/openssl >-%attr(0755,root,root) %{_libdir}/*.so >-%attr(0644,root,root) %{_mandir}/man3*/* >+%{_prefix}/include/%{name} >+%attr(0755,root,root) %{_libdir}/%{name}/*.so > %attr(0644,root,root) %{_libdir}/pkgconfig/*.pc > > %files static > %defattr(-,root,root) >-%attr(0644,root,root) %{_libdir}/*.a >+%attr(0644,root,root) %{_libdir}/%{name}/*.a > > %files perl > %defattr(-,root,root) >-%attr(0755,root,root) %{_bindir}/c_rehash >-%attr(0644,root,root) %{_mandir}/man1*/*.pl* >-%{_sysconfdir}/pki/tls/misc/*.pl 
>-%{_sysconfdir}/pki/tls/misc/tsget >+%attr(0755,root,root) %{_bindir}/c_rehash101e > > %post -p /sbin/ldconfig > > %postun -p /sbin/ldconfig > > %changelog >-* Tue Jun 23 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42 >-- fix regression caused by mistake in fix for CVE-2015-1791 >+* Tue Sep 15 2015 Robert Scheck <robert@fedoraproject.org> 1.0.1e-3 >+- backport from 1.0.1e-42: fix regression caused by mistake in fix >+ for CVE-2015-1791 >+- backport from 1.0.1e-41: improved fix for CVE-2015-1791 >+- backport from 1.0.1e-41: add missing parts of CVE-2015-0209 fix >+ for corectness although unexploitable >+- backport from 1.0.1e-40: fix CVE-2014-8176 - invalid free in >+ DTLS buffering code >+- backport from 1.0.1e-40: fix CVE-2015-1789 - out-of-bounds read >+ in X509_cmp_time >+- backport from 1.0.1e-40: fix CVE-2015-1790 - PKCS7 crash with >+ missing EncryptedContent >+- backport from 1.0.1e-40: fix CVE-2015-1791 - race condition >+ handling NewSessionTicket >+- backport from 1.0.1e-40: fix CVE-2015-1792 - CMS verify infinite >+ loop with unknown hash function >+- backport from 1.0.1e-39: fix CVE-2015-3216 - regression in RAND >+ locking that can cause segfaults on read in multithreaded >+ applications >+- backport from 1.0.1e-34: copy digest algorithm when handling SNI >+ context switch >+- backport from 1.0.1e-34: improve documentation of ciphersuites - >+ patch by Hubert Kario >+- backport from 1.0.1e-34: add support for setting Kerberos service >+ and keytab in s_server and s_client >+ >+* Sun Jul 12 2015 Robert Scheck <robert@fedoraproject.org> 1.0.1e-2 >+- backport from 1.0.1e-30.9: fix CVE-2015-4000 - prevent the logjam >+ attack on client - restrict the DH key size to at least 768 bits >+ (limit will be increased in future) > >-* Thu Jun 11 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-41 >-- improved fix for CVE-2015-1791 >-- add missing parts of CVE-2015-0209 fix for corectness although unexploitable >- >-* Tue Jun 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-40 
>-- fix CVE-2014-8176 - invalid free in DTLS buffering code >-- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time >-- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent >-- fix CVE-2015-1791 - race condition handling NewSessionTicket >-- fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function >- >-* Tue Jun 2 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39 >-- fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on >- read in multithreaded applications >- >-* Mon May 25 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38 >-- fix CVE-2015-4000 - prevent the logjam attack on client - restrict >- the DH key size to at least 768 bits (limit will be increased in future) >+* Thu May 21 2015 Robert Scheck <robert@fedoraproject.org> 1.0.1e-1 >+- transformed openssl-1.0.1e-30.el6.8 into openssl101e (#1223990) > >-* Wed Mar 25 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-37 >+* Thu Mar 26 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.8 > - drop the AES-GCM restriction of 2^32 operations because the IV is > always 96 bits (32 bit fixed field + 64 bit invocation field) > >-* Thu Mar 19 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-36 >+* Thu Mar 19 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.7 > - update fix for CVE-2015-0287 to what was released upstream > >-* Wed Mar 18 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-35 >+* Wed Mar 18 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.6 > - fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey() > - fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison > - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption 
>@@ -578,13 +592,7 @@ > - fix CVE-2015-0292 - integer underflow in base64 decoder > - fix CVE-2015-0293 - triggerable assert in SSLv2 server > >-* Tue Mar 3 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34 >-- copy digest algorithm when handling SNI context switch >-- improve documentation of ciphersuites - patch by Hubert Kario >-- add support for setting Kerberos service and keytab in >- s_server and s_client >- >-* Tue Jan 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-33 >+* Tue Jan 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.5 > - fix CVE-2014-3570 - incorrect computation in BN_sqr() > - fix CVE-2014-3571 - possible crash in dtls1_get_record() > - fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state >@@ -594,10 +602,10 @@ > - fix CVE-2015-0205 - do not allow unauthenticated client DH certificate > - fix CVE-2015-0206 - possible memory leak when buffering DTLS records > >-* Thu Oct 16 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-32 >+* Thu Oct 16 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.4 > - use FIPS approved method for computation of d in RSA > >-* Wed Oct 15 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-31 >+* Wed Oct 15 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.2 > - fix CVE-2014-3567 - memory leak when handling session tickets > - fix CVE-2014-3513 - memory leak in srtp support > - add support for fallback SCSV to partially mitigate CVE-2014-3566
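Review bot: in the hunk at @@ -131,6 +131,8 @@, the comment above `Patch900: openssl-1.0.1e-c_rehash.patch` says only "EPEL specific changes" and does not say what the patch alters in c_rehash. The patch body is not part of this diff, so a reader of the spec cannot tell. Suggest a one-line comment stating what it changes and why it is EPEL-only, since it is the only Patch line this diff adds on top of the RHEL spec.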
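Review bot: in the hunk at @@ -139,13 +141,12 @@, `Requires: openssl` is unversioned and replaces `Requires: ca-certificates >= 2008-5`, while later hunks remove `%{_sysconfdir}/pki` from the build root and drop `openssl.cnf` from %files even though configure still passes `--openssldir=%{_sysconfdir}/pki/tls`. This build therefore takes its openssl.cnf and certificate directory from whatever base openssl is installed. Suggest a spec comment saying that this is the reason for the dependency, and a minimum version on it if the 1.0.1e build relies on anything specific in the base package's files.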
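Review bot: in the hunk at @@ -480,6 +482,26 @@, the two sed expressions in the `for pc in libcrypto libssl openssl` loop append `-L${libdir}/%{name}` and `-I${includedir}/%{name}` after the base `-L${libdir}` and `-I${includedir}`, so the generated 101e.pc files list the base directories first. The old spec's devel package owned `%{_prefix}/include/openssl` and `%{_libdir}/*.so`, so where these flags are used as written and the base openssl-devel is installed, `#include <openssl/ssl.h>` and `-lssl` would resolve to the base package's headers and libraries rather than the 1.0.1e ones. Suggest replacing the base paths with the %{name} paths, or at least putting the %{name} paths first.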
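Review bot: in the hunk at @@ -490,86 +512,78 @@, the unchanged %files entries `%{_libdir}/libcrypto.so.%{soversion}` and `%{_libdir}/libssl.so.%{soversion}` still install into the shared %{_libdir}, next to the base openssl that this package now requires. The definition of %{soversion} is outside this diff, so please confirm it differs from the base package's soname. If it does not, both packages would own the same path and the wrong library could be loaded at run time. A comment next to these entries stating the value and why it cannot collide would settle it.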