ELBA-2019-4829

ELBA-2019-4829 - glibc openssl bug fix update

Type:BUG
Severity:NA
Release Date:2019-10-29

Description


glibc
[2.28-42.0.1]
- add Ampere emag to tunable cpu list (Patrick McGehearty)
- add optimized memset for emag
- add an ASIMD variant of strlen for falkor
- Orabug: 2700101.
- Modify glibc-ora28849085.patch so it works with RHCK kernels.
- Orabug: 28849085.
- Make _IO_funlockfile match __funlockfile and _IO_flockfile match __flockfile
- Both should test
- if (stream->_flags & _IO_USER_LOCK) == 0)
- _IO_lock_lock (*stream->_lock);
- OraBug: 28481550.

[2.28-42.1]
- ja_JP: Add new Japanese Era name (#1692450)

[2.28-42]
- Fix rdlock stall with PREFER_WRITER_NONRECURSIVE_NP (#1654872)

[2.28-41]
- malloc: Implement double-free check for the thread cache (#1642094)

[2.28-40]
- Add upstream test case for CVE-2018-19591 (#1654010)

[2.28-39]
- Add GCC dependency for new inline string functions on ppc64le (#1652932)

[2.28-38]
- Add requires on explicit glibc version for glibc-nss-devel (#1649890)

[2.28-37]
- Fix data race in dynamic loader when using LD_AUDIT (#1635779)

[2.28-36]
- CVE-2018-19591: File descriptor leak in if_nametoindex (#1654010)

[2.28-35]
- Do not use parallel make for building locales (#1652229)

[2.28-34]
- support: Print timestamps in timeout handler (#1651274)

[2.28-33]
- Increase test timeout for libio/tst-readline (#1638520)

[2.28-32]
- Fix tzfile low-memory assertion failure (#1650571)

[2.28-31]
- Add newlines in __libc_fatal calls (#1650566)

[2.28-30]
- nscd: Fix use-after-free in addgetnetgrentX (#1650563)

[2.28-29]
- Update syscall names to Linux 4.19 (#1650560)

[2.28-28]
- kl_GL: Fix spelling of Sunday, should be 'sapaat' (#1645597)

[2.28-27]
- Fix x86 CPU flags analysis for string function selection (#1641982)

[2.28-26]
- Reduce RAM requirements for stdlib/test-bz22786 (#1638523)

[2.28-25]
- x86: Improve enablement for 32-bit code using CET (#1645601)

[2.28-24]
- Fix crash in getaddrinfo_a when thread creation fails (#1646379)

[2.28-23]
- Fix race in pthread_mutex_lock related to PTHREAD_MUTEX_ELISION_NP (#1645604)

[2.28-22]
- Fix misreported errno on preadv2/pwritev2 (#1645596)

[2.28-21]
- Fix posix/tst-spawn4-compat test case (#1645593)

[2.28-20]
- Disable CET for binaries created by older link editors (#1614979)

[2.28-19]
- Include Esperanto (eo) in glibc-all-langpacks (#1644303)

[2.28-18]
- stdlib/tst-setcontext9 test suite failure on ppc64le (#1623536)

[2.28-17]
- Add missing ENDBR32 in start.S (#1631730)

[2.28-16]
- Fix bug in generic strstr with large needles (#1631722)

[2.28-15]
- stdlib/tst-setcontext9 test suite failure (#1623536)

[2.28-14]
- gethostid: Missing NULL check for gethostbyname_r (#1631293)

[2.28-13]
- Provide compatibility support for linking against libpthread_nonshared.a
(#1614439)

[2.28-12]
- Add python3-devel build dependency (#1625592)

[2.28-11]
- Drop glibc-ldflags.patch and valgrind bug workaround (#1623456)

[2.28-10]
- regex: Fix memory overread when pattern contains NUL byte (#1622678)

[2.28-9]
- nptl: Fix waiters-after-spinning case in pthread_cond_broadcast (#1622675)

[2.28-8]
- nss_files aliases database file stream leak (#1615790)

[2.28-7]
- Fix static analysis warning in nscd user name allocation (#1615784)

[2.28-6]
- error, error_at_line: Add missing va_end calls (#1615781)

[2.28-5]
- Remove abort() warning in manual (#1577365)

[2.28-4]
- Fix regression in readdir64@GLIBC_2.1 compat symbol (#1614253)

[2.28-3]
- Log /proc/sysinfo if available (on s390x)

[2.28-2]
- Honor %{valgrind_arches}

[2.27.9000-43]
- Update to glibc 2.28 release tarball:
- Translation updates
- x86/CET: Fix property note parser (swbz#23467)
- x86: Add tst-get-cpu-features-static to (swbz#23458)

[2.27.9000-42]
- Auto-sync with upstream branch master,
commit af86087f02a5522d8801a11d8381e04f95e33162:
- x86/CET: Don't parse beyond the note end
- Fix Linux fcntl OFD locks tests on unsupported kernels
- x86: Populate COMMON_CPUID_INDEX_80000001 for Intel CPUs (swbz#23459)
- x86: Correct index_cpu_LZCNT (swbz#23456)
- Fix string/tst-xbzero-opt if build with gcc head

[2.27.9000-41]
- Build with --enable-cet on x86_64, i686
- Auto-sync with upstream branch master,
commit cfba5dbb10cc3abde632b46c60c10b2843917035:
- Keep expected behaviour for [a-z] and [A-z] (#1607286)
- Additional ucontext tests
- Intel CET enhancements
- ISO C11 threads support
- Fix out-of-bounds access in IBM-1390 converter (swbz#23448)
- New locale Yakut (Sakha) for Russia (sah_RU) (swbz#22241)
- os_RU: Add alternative month names (swbz#23140)
- powerpc64: Always restore TOC on longjmp (swbz#21895)
- dsb_DE locale: Fix syntax error and add tests (swbz#23208)
- Improve performance of the generic strstr implementation
- regcomp: Fix off-by-one bug in build_equiv_class (swbz#23396)
- Fix out of bounds access in findidxwc (swbz#23442)

[2.27.9000-40]
- Fix file list for glibc RPM packaging (#1601011).

[2.27.9000-39]
- Add POWER9 multilib (downstream only)

[2.27.9000-38]
- Auto-sync with upstream branch master,
commit 93304f5f7a32f73b551266c5a181db51d97a71e4:
- Install header
- Put the correct Unicode version number 11.0.0 into the generated files

[2.27.9000-37]
- Work around valgrind issue on i686 (#1600034)

[2.27.9000-36]
- Auto-sync with upstream branch master,
commit fd70af45528d59a00eb3190ef6706cb299488fcd:
- Add the statx function
- regexec: Fix off-by-one bug in weight comparison (#1582229)
- nss_files: Fix re-reading of long lines (swbz#18991)
- aarch64: add HWCAP_ATOMICS to HWCAP_IMPORTANT
- aarch64: Remove HWCAP_CPUID from HWCAP_IMPORTANT
- conform/conformtest.pl: Escape literal braces in regular expressions
- x86: Use AVX_Fast_Unaligned_Load from Zen onwards.

[2.27.9000-35]
- Remove ppc64 multilibs

[2.27.9000-34]
- Auto-sync with upstream branch master,
commit 3a885c1f51b18852869a91cf59a1b39da1595c7a.

[2.27.9000-33]
- Enable build flags inheritance for nonshared flags

[2.27.9000-32]
- Add annobin annotations to assembler code (#1548438)

[2.27.9000-31]
- Enable -D_FORTIFY_SOURCE=2 for nonshared code

[2.27.9000-30]
- Auto-sync with upstream branch master,
commit b7b88cea4151d85eafd7ababc2e4b7ae1daeedf5:
- New locale: dsb_DE (Lower Sorbian)

[2.27.9000-29]
- Drop glibc-deprecate_libcrypt.patch. Variant applied upstream. (#1566464)
- Drop glibc-linux-timespec-header-compat.patch. Upstreamed.
- Auto-sync with upstream branch master,
commit e69d994a63afc2d367f286a2a7df28cbf710f0fe.

[2.27.9000-28]
- Drop glibc-rh1315108.patch. extend_alloca was removed upstream. (#1315108)
- Auto-sync with upstream branch master,
commit c49e18222e4c40f21586dabced8a49732d946917.

[2.27.9000-27]
- Compatibility fix for and

[2.27.9000-26]
- Auto-sync with upstream branch master,
commit f496b28e61d0342f579bf794c71b80e9c7d0b1b5.

[2.27.9000-25]
- Auto-sync with upstream branch master,
commit f2857da7cdb65bfad75ee30981f5b2fde5bbb1dc.

[2.27.9000-24]
- Auto-sync with upstream branch master,
commit 14beef7575099f6373f9a45b4656f1e3675f7372:
- iconv: Make IBM273 equivalent to ISO-8859-1 (#1592270)

[2.27.9000-23]
- Inherit the -msse2 build flag as well (#1592212)

[2.27.9000-22]
- Modernise nsswitch.conf defaults (#1581809)
- Adjust build flags inheritence from redhat-rpm-config
- Auto-sync with upstream branch master,
commit 104502102c6fa322515ba0bb3c95c05c3185da7a.

[2.27.9000-21]
- Auto-sync with upstream branch master,
commit c1dc1e1b34873db79dfbfa8f2f0a2abbe28c0514.

[2.27.9000-20]
- Auto-sync with upstream branch master,
commit 7f9f1ecb710eac4d65bb02785ddf288cac098323:
- CVE-2018-11237: Buffer overflow in __mempcpy_avx512_no_vzeroupper (#1581275)
- Drop glibc-rh1452750-allocate_once.patch,
glibc-rh1452750-libidn2.patch. Applied upstream.

[2.27.9000-19]
- Auto-sync with upstream branch master,
commit 8f145c77123a565b816f918969e0e35ee5b89153.

[2.27.9000-18]
- Do not run telinit u on upgrades (#1579225)
- Auto-sync with upstream branch master,
commit 632a6cbe44cdd41dba7242887992cdca7b42922a.

[2.27.9000-17]
- Avoid exporting some Sun RPC symbols with default versions (#1577210)
- Inherit the -mstackrealign flag if it is set
- Inherit compiler flags in the original order
- Auto-sync with upstream branch master,
commit 89aacb513eb77549a29df2638913a0f8178cf3f5:
- CVE-2018-11236: realpath: Fix path length overflow (#1581270, swbz#22786)

[2.27.9000-16]
- Use /usr/bin/python3 for benchmarks scripts (#1577223)

[2.27.9000-15]
- Auto-sync with upstream branch master,
commit 0085be1415a38b40a5a1a12e49368498f1687380.

[2.27.9000-14]
- Auto-sync with upstream branch master,
commit 583a27d525ae189bdfaa6784021b92a9a1dae12e.

[2.27.9000-13]
- Auto-sync with upstream branch master,
commit d39c0a459ef32a41daac4840859bf304d931adab:
- CVE-2017-18269: memory corruption in i386 memmove (#1580934)

[2.27.9000-12]
- Auto-sync with upstream branch master,
commit fbce6f7260c3847f14dfa38f60c9111978fb33a5.

[2.27.9000-11]
- Auto-sync with upstream branch master,
commit 700593fdd7aef1e36cfa8bad969faab76a6facda.

[2.27.9000-10]
- Auto-sync with upstream branch master,
commit 7108f1f944792ac68332967015d5e6418c5ccc88.

openssl
[1.1.1-8.0.1]
- sha256 should be used for the RSA pairwise consistency test instead of sha1 [OraBug: 26333094]

[1.1.1-8]
- make openssl ts default to using SHA256 digest

[1.1.1-7]
- use /dev/urandom for seeding the RNG in FIPS POST

[1.1.1-6]
- make SECLEVEL=3 work

[1.1.1-5]
- fix defects found in Coverity scan

[1.1.1-4]
- drop SSLv3 support

[1.1.1-3]
- drop the TLS-1.3 version revert

[1.1.1-2]
- disable RC4-MD5 ciphersuites completely

[1.1.1-1]
- update to the final 1.1.1 version
- for consistent support of security policies we build
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
- use only /dev/urandom if getrandom() is not available
- disable SM4

[1.1.1-0.pre9.1]
- update to the latest 1.1.1 beta version
- temporarily revert TLS-1.3 to draft 28 version

[1.1.1-0.pre8.4]
- bidirectional shutdown fixes from upstream

[1.1.1-0.pre8.3]
- do not put error on stack when using fixed protocol version
with the default config (#1615098)

[1.1.1-0.pre8.2]
- load crypto policy config file from the default config

[1.1.1-0.pre8]
- update to the latest 1.1.1 beta version

[1:1.1.0h-6]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

[1.1.0h-5]
- fix FIPS RSA key generation failure

[1.1.0h-4]
- ppc64le is not multilib arch (#1584994)

[1.1.0h-3]
- fix regression of c_rehash (#1562953)

[1.1.0h-2]
- fix FIPS symbol versions

[1.1.0h-1]
- update to upstream version 1.1.0h
- add Recommends for openssl-pkcs11

[1.1.0g-6]
- one more try to apply RPM_LD_FLAGS properly (#1541033)
- dropped unneeded starttls xmpp patch (#1417017)

[1:1.1.0g-5]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

[1.1.0g-4]
- apply RPM_LD_FLAGS properly (#1541033)

[1.1.0g-3]
- silence the .rnd write failure as that is auxiliary functionality (#1524833)

[1.1.0g-2]
- put the Makefile.certificate in pkgdocdir and drop the requirement on make

[1.1.0g-1]
- update to upstream version 1.1.0g

[1:1.1.0f-9]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

[1:1.1.0f-8]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

[1:1.1.0f-7]
- make s_client and s_server work with -ssl3 option (#1471783)

[1:1.1.0f-6]
- perl dependency renamed to perl-interpreter


[1.1.0f-5]
- disable verification of all insecure hashes

[1.1.0f-4]
- make DTLS work (#1462541)

[1.1.0f-3]
- enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)

[1.1.0f-2]
- only release thread-local key if we created it (from upstream) (#1458775)

[1.1.0f-1]
- update to upstream version 1.1.0f
- SRP and GOST is now allowed, note that GOST support requires
adding GOST engine which is not part of openssl anymore

[1.1.0e-1]
- update to upstream version 1.1.0e
- add documentation of the PROFILE=SYSTEM special cipher string (#1420232)

[1:1.1.0d-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

[1.1.0d-2]
- applied upstream fixes (fix regression in X509_CRL_digest)

[1.1.0d-1]
- update to upstream version 1.1.0d

[1.1.0c-5]
- preserve new line in fd BIO BIO_gets() as other BIOs do

[1.1.0c-4]
- FIPS mode fixes for TLS

[1.1.0c-3]
- revert SSL_read() behavior change - patch from upstream (#1394677)
- fix behavior on client certificate request in renegotiation (#1393579)

[1.1.0c-2]
- EC curve NIST P-224 is now allowed, still kept disabled in TLS due
to less than optimal security

[1.1.0c-1]
- update to upstream version 1.1.0c

[1.1.0b-4]
- use a random seed if the supplied one did not generate valid
parameters in dsa_builtin_paramgen2()

[1.1.0b-3]
- do not break contract on return value when using dsa_builtin_paramgen2()

[1.1.0b-2]
- fix afalg failure on big endian

[1.1.0b-1]
- update to upstream version 1.1.0b

[1:1.0.2j-2]
- Add flags for riscv64.

[1.0.2j-1]
- minor upstream release 1.0.2j fixing regression from previous release

[1.0.2i-2]
- Fix enginesdir in libcrypto.c (#1375361)

[1.0.2i-1]
- minor upstream release 1.0.2i fixing security issues
- move man pages for perl based scripts to perl subpackage (#1377617)

[1.0.2h-3]
- fix regression in Cisco AnyConnect VPN support (#1354588)

[1.0.2h-2]
- require libcrypto in libssl.pc (#1301301)

[1.0.2h-1]
- minor upstream release 1.0.2h fixing security issues

[1.0.2g-4]
- disable SSLv2 support altogether (without ABI break)

[1.0.2g-3]
- enable RC5

[1.0.2g-2]
- reenable SSL2 in the build to avoid ABI break (it does not
make the openssl vulnerable to DROWN attack)

[1.0.2g-1]
- minor upstream release 1.0.2g fixing security issues

[1:1.0.2f-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

[1.0.2f-1]
- minor upstream release 1.0.2f fixing security issues
- add support for MIPS secondary architecture

[1.0.2e-5]
- document some options of openssl speed command

[1.0.2e-4]
- enable sctp support in DTLS

[1.0.2e-3]
- remove unimplemented EC method from header (#1289599)

[1.0.2e-2]
- the fast nistp implementation works only on little endian architectures

[1.0.2e-1]
- minor upstream release 1.0.2e fixing moderate severity security issues
- enable fast assembler implementation for NIST P-256 and P-521
elliptic curves (#1164210)
- filter out unwanted link options from the .pc files (#1257836)
- do not set serial to 0 in Makefile.certificate (#1135719)

[1.0.2d-3]
- fix sigill on some AMD CPUs (#1278194)

[1.0.2d-2]
- re-enable secp256k1 (bz1021898)

[1.0.2d-1]
- minor upstream release 1.0.2d fixing a high severity security issue

[1.0.2c-3]
- fix the aarch64 build

[1:1.0.2c-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

[1.0.2c-1]
- minor upstream release 1.0.2c fixing multiple security issues

[1.0.2a-4]
- Add aarch64 sslarch details

[1.0.2a-3]
- fix some 64 bit build targets

[1.0.2a-2]
- add alternative certificate chain discovery support from upstream

[1.0.2a-1]
- rebase to 1.0.2 branch

[1.0.1k-7]
- drop the AES-GCM restriction of 2^32 operations because the IV is
always 96 bits (32 bit fixed field + 64 bit invocation field)

[1.0.1k-6]
- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()
- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison
- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
- fix CVE-2015-0293 - triggerable assert in SSLv2 server

[1.0.1k-5]
- fix bug in the CRYPTO_128_unwrap()

[1.0.1k-4]
- fix bug in the RFC 5649 support (#1185878)

[1:1.0.1k-3]
- Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code

[1.0.1k-2]
- test in the non-FIPS RSA keygen for minimal distance of p and q
similarly to the FIPS RSA keygen

[1.0.1k-1]
- new upstream release fixing multiple security issues

[1.0.1j-3]
- disable SSLv3 by default again (mail servers and possibly
LDAP servers should probably allow it explicitly for legacy
clients)

[1.0.1j-2]
- update the FIPS RSA keygen to be FIPS 186-4 compliant

[1.0.1j-1]
- new upstream release fixing multiple security issues

[1.0.1i-5]
- copy negotiated digests when switching certs by SNI (#1150032)

[1.0.1i-4]
- add support for RFC 5649

[1:1.0.1i-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

[1.0.1i-2]
- drop RSA X9.31 from RSA FIPS selftests
- add Power 8 optimalizations

[1.0.1i-1]
- new upstream release fixing multiple moderate security issues
- for now disable only SSLv2 by default

[1.0.1h-6]
- fix license handling

[1.0.1h-5]
- disable SSLv2 and SSLv3 protocols by default (can be enabled
via appropriate SSL_CTX_clear_options() call)

[1.0.1h-4]
- use system profile for default cipher list

[1.0.1h-3]
- make FIPS mode keygen bit length restriction enforced only when
OPENSSL_ENFORCE_MODULUS_BITS is set
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support

[1:1.0.1h-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

[1.0.1h-1]
- new upstream release 1.0.1h

[1.0.1g-2]
- Drop obsolete and irrelevant docs
- Move devel docs to appropriate package

[1.0.1g-1]
- new upstream release 1.0.1g
- do not include ECC ciphersuites in SSLv2 client hello (#1090952)
- fail on hmac integrity check if the .hmac file is empty

[1.0.1e-44]
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency

[1.0.1e-43]
- add support for ppc64le architecture (#1072633)

[1.0.1e-42]
- properly detect encryption failure in BIO
- use 2048 bit RSA key in FIPS selftests

[1.0.1e-41]
- use the key length from configuration file if req -newkey rsa is invoked

[1.0.1e-40]
- print ephemeral key size negotiated in TLS handshake (#1057715)
- add DH_compute_key_padded needed for FIPS CAVS testing

[1.0.1e-39]
- make expiration and key length changeable by DAYS and KEYLEN
variables in the certificate Makefile (#1058108)
- change default hash to sha256 (#1062325)

[1.0.1e-38]
- make 3des strength to be 128 bits instead of 168 (#1056616)

[1.0.1e-37]
- fix CVE-2013-4353 - Invalid TLS handshake crash
- fix CVE-2013-6450 - possible MiTM attack on DTLS1

[1.0.1e-36]
- fix CVE-2013-6449 - crash when version in SSL structure is incorrect
- more FIPS validation requirement changes

[1.0.1e-35]
- drop weak ciphers from the default TLS ciphersuite list
- add back some symbols that were dropped with update to 1.0.1 branch
- more FIPS validation requirement changes

[1.0.1e-34]
- fix locking and reseeding problems with FIPS drbg

[1.0.1e-33]
- additional changes required for FIPS validation

[1.0.1e-32]
- disable verification of certificate, CRL, and OCSP signatures
using MD5 if OPENSSL_ENABLE_MD5_VERIFY environment variable
is not set

[1.0.1e-31]
- add back support for secp521r1 EC curve
- add aarch64 to Configure (#969692)

[1.0.1e-30]
- fix misdetection of RDRAND support on Cyrix CPUS (from upstream) (#1022346)

[1.0.1e-29]
- do not advertise ECC curves we do not support (#1022493)

[1.0.1e-28]
- only ECC NIST Suite B curves support
- drop -fips subpackage

[1.0.1e-27]
- resolve bugzilla 319901 (phew! only took 6 years & 9 days)

[1.0.1e-26]
- make DTLS1 work in FIPS mode
- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode

[1.0.1e-25]
- avoid dlopening libssl.so from libcrypto (#1010357)

[1.0.1e-24]
- fix small memory leak in FIPS aes selftest

[1.0.1e-23]
- fix segfault in openssl speed hmac in the FIPS mode

[1.0.1e-22]
- document the nextprotoneg option in manual pages
original patch by Hubert Kario

[1.0.1e-21]
- [arm] use elf auxv to figure out armcap.c instead of playing silly
games with SIGILL handlers. (#1006474)

[1.0.1e-20]
- try to avoid some races when updating the -fips subpackage

[1.0.1e-19]
- use version-release in .hmac suffix to avoid overwrite
during upgrade

[1.0.1e-18]
- allow deinitialization of the FIPS mode

[1.0.1e-17]
- always perform the FIPS selftests in library constructor
if FIPS module is installed

[1.0.1e-16]
- add -fips subpackage that contains the FIPS module files

[1.0.1e-15]
- fix use of rdrand if available
- more commits cherry picked from upstream
- documentation fixes

[1:1.0.1e-14]
- Perl 5.18 rebuild

[1.0.1e-13]
- additional manual page fix
- use symbol versioning also for the textual version

[1.0.1e-12]
- additional manual page fixes

[1.0.1e-11]
- use _prefix macro

[1:1.0.1e-10]
- Perl 5.18 rebuild

[1.0.1e-9]
- add openssl.cnf.5 manpage symlink to config.5

[1.0.1e-8]
- add relro linking flag

[1.0.1e-7]
- add support for the -trusted_first option for certificate chain verification

[1.0.1e-6]
- fix build of manual pages with current pod2man (#959439)

[1.0.1e-5]
- Enable ARM optimised build

[1.0.1e-4]
- fix random bad record mac errors (#918981)

[1.0.1e-3]
- fix up the SHLIB_VERSION_NUMBER

[1.0.1e-2]
- disable ZLIB loading by default (due to CRIME attack)

[1.0.1e-1]
- new upstream version

[1.0.1c-12]
- more fixes from upstream
- fix errors in manual causing build failure (#904777)

[1.0.1c-11]
- add script for renewal of a self-signed cert by Philip Prindeville (#871566)
- allow X509_issuer_and_serial_hash() produce correct result in
the FIPS mode (#881336)

[1.0.1c-10]
- do not load default verify paths if CApath or CAfile specified (#884305)

[1.0.1c-9]
- more fixes from upstream CVS
- fix DSA key pairwise check (#878597)

[1.0.1c-8]
- use 1024 bit DH parameters in s_server as 512 bit is not allowed
in FIPS mode and it is quite weak anyway

[1.0.1c-7]
- add missing initialization of str in aes_ccm_init_key (#853963)
- add important patches from upstream CVS
- use the secure_getenv() with new glibc

[1:1.0.1c-6]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

[1.0.1c-5]
- use __getenv_secure() instead of __libc_enable_secure

[1.0.1c-4]
- do not move libcrypto to /lib
- do not use environment variables if __libc_enable_secure is on
- fix strict aliasing problems in modes

[1.0.1c-3]
- fix DSA key generation in FIPS mode (#833866)
- allow duplicate FIPS_mode_set(1)
- enable build on ppc64 subarch (#834652)

[1.0.1c-2]
- fix s_server with new glibc when no global IPv6 address (#839031)
- make it build with new Perl

[1.0.1c-1]
- new upstream version

[1.0.1b-1]
- new upstream version

[1.0.1a-1]
- new upstream version fixing CVE-2012-2110

[1.0.1-3]
- add Kerberos 5 libraries to pkgconfig for static linking (#807050)

[1.0.1-2]
- backports from upstream CVS
- fix segfault when /dev/urandom is not available (#809586)

[1.0.1-1]
- new upstream release

[1.0.1-0.3.beta3]
- add obsoletes to assist multilib updates (#799636)

[1.0.1-0.2.beta3]
- epoch bumped to 1 due to revert to 1.0.0g on Fedora 17
- new upstream release from the 1.0.1 branch
- fix s390x build (#798411)
- versioning for the SSLeay symbol (#794950)
- add -DPURIFY to build flags (#797323)
- filter engine provides
- split the libraries to a separate -libs package
- add make to requires on the base package (#783446)

[1.0.1-0.1.beta2]
- new upstream release from the 1.0.1 branch, ABI compatible
- add documentation for the -no_ign_eof option

[1.0.0g-1]
- new upstream release fixing CVE-2012-0050 - DoS regression in
DTLS support introduced by the previous release (#782795)

[1.0.0f-1]
- new upstream release fixing multiple CVEs

[1.0.0e-4]
- move the libraries needed for static linking to Libs.private

[1.0.0e-3]
- do not use AVX instructions when osxsave bit not set
- add direct known answer tests for SHA2 algorithms

[1.0.0e-2]
- fix missing initialization of variable in CHIL engine

[1.0.0e-1]
- new upstream release fixing CVE-2011-3207 (#736088)

[1.0.0d-8]
- drop the separate engine for Intel acceleration improvements
and merge in the AES-NI, SHA1, and RC4 optimizations
- add support for OPENSSL_DISABLE_AES_NI environment variable
that disables the AES-NI support

[1.0.0d-7]
- correct openssl cms help output (#636266)
- more tolerant starttls detection in XMPP protocol (#608239)

[1.0.0d-6]
- add support for newest Intel acceleration improvements backported
from upstream by Intel in form of a separate engine

[1.0.0d-5]
- allow the AES-NI engine in the FIPS mode

[1.0.0d-4]
- add API necessary for CAVS testing of the new DSA parameter generation

[1.0.0d-3]
- add support for VIA Padlock on 64bit arch from upstream (#617539)
- do not return bogus values from load_certs (#652286)

[1.0.0d-2]
- clarify apps help texts for available digest algorithms (#693858)

[1.0.0d-1]
- new upstream release fixing CVE-2011-0014 (OCSP stapling vulnerability)

[1.0.0c-4]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

[1.0.0c-3]
- add -x931 parameter to openssl genrsa command to use the ANSI X9.31
key generation method
- use FIPS-186-3 method for DSA parameter generation
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
to allow using MD5 when the system is in the maintenance state
even if the /proc fips flag is on
- make openssl pkcs12 command work by default in the FIPS mode

[1.0.0c-2]
- listen on ipv6 wildcard in s_server so we accept connections
from both ipv4 and ipv6 (#601612)
- fix openssl speed command so it can be used in the FIPS mode
with FIPS allowed ciphers

[1.0.0c-1]
- new upstream version fixing CVE-2010-4180

[1.0.0b-3]
- replace the revert for the s390x bignum asm routines with
fix from upstream

[1.0.0b-2]
- revert upstream change in s390x bignum asm routines

[1.0.0b-1]
- new upstream version fixing CVE-2010-3864 (#649304)

[1.0.0a-3]
- make SHLIB_VERSION reflect the library suffix

[1.0.0a-2]
- openssl man page fix (#609484)

[1.0.0a-1]
- new upstream patch release, fixes CVE-2010-0742 (#598738)
and CVE-2010-1633 (#598732)




Updated Packages


Release/ArchitectureFilenameMD5sumSuperseded By Advisory



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete