Group :: Security/Networking
RPM: LibreSSL
29 May 2023 Vladimir D. Seleznev <vseleznv at altlinux.org> 3.7.3-alt1
- Updated to 3.7.3.
- Updated to 3.7.2.
- Updated to 3.6.2 (fixes CVE-2023-0286).
- Updated to 3.6.1.
- libtls26: requires /etc/libressl.
- Set watchfile to monitor 3.6 branch.
- Updated to 3.5.3.
- libcrypto49: Added explicit conflict to libcrypto45, libcrypto46 and
libcrypto47 (closes: 42719).
- Updated to 3.5.2.
- Updated to 3.4.3 (fixed: OVE-20220316-0001).
- cert.pem is pointed to ca-bundle.crt now (fixed dist-upgrade).
- Updated to 3.4.2.
- Update to 3.3.5.
- Updated to 3.3.4 (fixed CVE-2021-3712).
- Updated to 3.3.3.
- Updated to 3.2.5.
- Fixed:
+ OVE-20210317-0001 Use after free.
+ License field.
- Updated to 3.2.4.
- Updated to 3.2.3.
- Updated to 3.2.2.
- Updated to 3.1.4.
- Updated to 3.1.2.
- Updated to 3.1.1.
- Updated to 3.1.0.
- Packed manpages:
+ ocspcheck.8 to ocspcheck subpackage;
+ openssl-LibreSSL.cnf.5 to libcrypto-LibreSSL subpackage;
+ x509v3-LibreSSL.cnf.5 to openssl-LibreSSL subpackage.
- Updated to 3.0.2.
- Packed upstream-signing-key.asc.
- Updated watch file.
- 2.9.2.
- Applied extra-symver.diff patch from openSUSE project that added symbol
versions into the library.
- 2.9.1.
- 2.8.3
- 2.8.2
- 2.7.4
- 2.7.3
- netcat-tls: provides netcat
- 2.6.4
- 2.6.3
- fixed cert.pem lookup location for netcat and ocspcheck
- fixed manpages
- removed RELNOTES
- disabled tests
- fixed LibreSSL-devel provides and requires to avoid collision with openssl
- make watchfile to watch for the stable releases
- 2.5.5
- 2.5.4
- Fixes:
+ CVE-2017-8301
- 2.5.3
- added ocspcheck package.
- renamed -doc packages to -devel-doc.
- added RELNOTES.
- placed `%make check' to proper location in spec.
- 2.4.5
- packaged %_sysconfdir/%oname/openssl.cnf as noreplace config file.
- packaged ChangeLog and COPYING files.
- fixed license: added notice about original OpenSSL code license.
- removed conflict to openssl in openssl-LibreSSL package.
- 2.4.4
- packaged ungzipped source tarball
- changed watchfile to watch stable releases
- packaged watchfile
- Changes and fixes:
+ Avoid continual processing of an unlimited number of TLS records,
which can cause a denial-of-service condition.
+ In X509_cmp_time(), pass asn1_time_parse() the tag of the field
being parsed so that a malformed GeneralizedTime field is recognized
as an error instead of potentially being interpreted as if it was a
valid UTCTime.
+ Improve ticket validity checking when tlsext_ticket_key_cb()
callback chooses a different HMAC algorithm.
+ Check for packets with a truncated DTLS cookie.
+ Detect zero-length encrypted session data early, instead of when
malloc(0) fails or the HMAC check fails.
+ Check for and handle failure of HMAC_{Update,Final} or
EVP_DecryptUpdate()
- 2.4.3
- Bug fixes and reliability improvements:
+ Reverted change that cleans up the EVP cipher context in
EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
previous behaviour.
+ Avoid unbounded memory growth in libssl, which can be triggered by a
TLS client repeatedly renegotiating and sending OCSP Status Request
TLS extensions.
+ Avoid falling back to a weak digest for (EC)DH when using SNI with
libssl.
- add `nc' providing
- remove `netcat' providing
- 2.4.2
- LibreSSL
+ Bug fixes and improvements:
- Fixed loading default certificate locations with openssl s_client.
- Ensured OCSP only uses and compares GENERALIZEDTIME values as per
RFC6960. Also added fixes for OCSP to work with intermediate
certificates provided in responses.
- Improved behavior of arc4random on Windows to not appear to leak
memory in debug tools, reduced privileges of allocated memory.
- Fixed incorrect results from BN_mod_word() when the modulus is too
large, thanks to Brian Smith from BoringSSL.
- Correctly handle an EOF prior to completing the TLS handshake in
libtls.
- Improved libtls certificate loading and cipher string validation.
- Updated libtls cipher group suites into four categories:
- "secure" (TLSv1.2+AEAD+PFS)
- "compat" (HIGH:!aNULL)
- "legacy" (HIGH:MEDIUM:!aNULL)
- "insecure" (ALL:!aNULL:!eNULL)
This allows for flexibility and finer grained control, rather than
having two extremes.
- Limited support for 'backward com
- openssl-LibreSSL:
+ rename package from LibreSSL-openssl
+ remove conflict with openssl
+ rename binary and manpages from openssl to openssl-LibreSSL
+ move some man pages to LibreSSL-doc package
- netcat-tls:
+ rename package from netcat-openbsd
+ adopt many of original netcat alt and owl patches
- 2.3.6
- Correct a problem that prevents the DSA signing algorithm from running
in constant time even if the flag BN_FLG_CONSTTIME is set.
- 2.3.5
- 2.3.4
- Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding
(From OpenSSL):
+ Memory corruption in the ASN.1 encoder (CVE-2016-2108)
+ Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
+ EVP_EncodeUpdate overflow (CVE-2016-2105)
+ EVP_EncryptUpdate overflow (CVE-2016-2106)
+ ASN.1 BIO excessive memory allocation (CVE-2016-2109)
- Minor build fixes.
- LibreSSL-openssl
+ Added conflict to openssl-doc
- LibreSSL-doc
+ Add conflict: openssl-doc.
- libtls-doc
+ Build as noarch
- libcrypto-LibreSSL
+ "/etc/libressl" directory is owned by package now.
- Initial build.