ELBA-2020-6010
- ULN >
- Oracle Linux Errata repository >
- ELBA-2020-6010
ELBA-2020-6010 - openssl bug fix update
| Type: | BUG |
| Severity: | NA |
| Release Date: | 2020-12-18 |
Description
[1.1.1c-15]
- add selftest of the RAND_DRBG implementation
[1.1.1c-14]
- fix incorrect error return value from FIPS_selftest_dsa
- S390x: properly restore SIGILL signal handler
[1.1.1c-12]
- additional fix for the edk2 build
[1.1.1c-9]
- disallow use of SHA-1 signatures in TLS in FIPS mode
[1.1.1c-8]
- fix CVE-2019-1547 - side-channel weak encryption vulnerability
- fix CVE-2019-1563 - padding oracle in CMS API
- fix CVE-2019-1549 - ensure fork safety of the DRBG
- fix handling of non-FIPS allowed EC curves in FIPS mode
- fix TLS compliance issues
[1.1.1c-7]
- backported ARM performance fixes from master
[1.1.1c-6]
- backport of S390x ECC CPACF enhancements from master
- FIPS mode: properly disable 1024 bit DSA key generation
- FIPS mode: skip ED25519 and ED448 algorithms in openssl speed
- FIPS mode: allow AES-CCM ciphersuites
[1.1.1c-5]
- make the code suitable for edk2 build
[1.1.1c-4]
- backport of SSKDF from master
[1.1.1c-3]
- backport of KBKDF and KRB5KDF from master
[1.1.1c-2]
- do not try to use EC groups disallowed in FIPS mode
in TLS
- fix Valgrind regression with constant-time code
[1.1.1c-1]
- update to the 1.1.1c release
[1.1.1b-6]
- adjust the default cert pbe algorithm for pkcs12 -export
in the FIPS mode
[1.1.1b-5]
- Fix small regressions related to the rebase
[1.1.1b-3]
- FIPS compliance fixes
[1.1.1b-1]
- update to the 1.1.1b release
- EVP_KDF API backport from master
- SSH KDF implementation for EVP_KDF API backport from master
- add S390x chacha20-poly1305 assembler support from master branch
[1.1.1-8]
- make openssl ts default to using SHA256 digest
[1.1.1-7]
- use /dev/urandom for seeding the RNG in FIPS POST
[1.1.1-6]
- make SECLEVEL=3 work
[1.1.1-5]
- fix defects found in Coverity scan
[1.1.1-4]
- drop SSLv3 support
[1.1.1-3]
- drop the TLS-1.3 version revert
[1.1.1-2]
- disable RC4-MD5 ciphersuites completely
[1.1.1-1]
- update to the final 1.1.1 version
- for consistent support of security policies we build
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
- use only /dev/urandom if getrandom() is not available
- disable SM4
[1.1.1-0.pre9.1]
- update to the latest 1.1.1 beta version
- temporarily revert TLS-1.3 to draft 28 version
[1.1.1-0.pre8.4]
- bidirectional shutdown fixes from upstream
[1.1.1-0.pre8.3]
- do not put error on stack when using fixed protocol version
with the default config (#1615098)
[1.1.1-0.pre8.2]
- load crypto policy config file from the default config
[1.1.1-0.pre8]
- update to the latest 1.1.1 beta version
[1:1.1.0h-6]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
[1.1.0h-5]
- fix FIPS RSA key generation failure
[1.1.0h-4]
- ppc64le is not multilib arch (#1584994)
[1.1.0h-3]
- fix regression of c_rehash (#1562953)
[1.1.0h-2]
- fix FIPS symbol versions
[1.1.0h-1]
- update to upstream version 1.1.0h
- add Recommends for openssl-pkcs11
[1.1.0g-6]
- one more try to apply RPM_LD_FLAGS properly (#1541033)
- dropped unneeded starttls xmpp patch (#1417017)
[1:1.1.0g-5]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
[1.1.0g-4]
- apply RPM_LD_FLAGS properly (#1541033)
[1.1.0g-3]
- silence the .rnd write failure as that is auxiliary functionality (#1524833)
[1.1.0g-2]
- put the Makefile.certificate in pkgdocdir and drop the requirement on make
[1.1.0g-1]
- update to upstream version 1.1.0g
[1:1.1.0f-9]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
[1:1.1.0f-8]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
[1:1.1.0f-7]
- make s_client and s_server work with -ssl3 option (#1471783)
[1:1.1.0f-6]
- perl dependency renamed to perl-interpreter
[1.1.0f-5]
- disable verification of all insecure hashes
[1.1.0f-4]
- make DTLS work (#1462541)
[1.1.0f-3]
- enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)
[1.1.0f-2]
- only release thread-local key if we created it (from upstream) (#1458775)
[1.1.0f-1]
- update to upstream version 1.1.0f
- SRP and GOST is now allowed, note that GOST support requires
adding GOST engine which is not part of openssl anymore
[1.1.0e-1]
- update to upstream version 1.1.0e
- add documentation of the PROFILE=SYSTEM special cipher string (#1420232)
[1:1.1.0d-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
[1.1.0d-2]
- applied upstream fixes (fix regression in X509_CRL_digest)
[1.1.0d-1]
- update to upstream version 1.1.0d
[1.1.0c-5]
- preserve new line in fd BIO BIO_gets() as other BIOs do
[1.1.0c-4]
- FIPS mode fixes for TLS
[1.1.0c-3]
- revert SSL_read() behavior change - patch from upstream (#1394677)
- fix behavior on client certificate request in renegotiation (#1393579)
[1.1.0c-2]
- EC curve NIST P-224 is now allowed, still kept disabled in TLS due
to less than optimal security
[1.1.0c-1]
- update to upstream version 1.1.0c
[1.1.0b-4]
- use a random seed if the supplied one did not generate valid
parameters in dsa_builtin_paramgen2()
[1.1.0b-3]
- do not break contract on return value when using dsa_builtin_paramgen2()
[1.1.0b-2]
- fix afalg failure on big endian
[1.1.0b-1]
- update to upstream version 1.1.0b
[1:1.0.2j-2]
- Add flags for riscv64.
[1.0.2j-1]
- minor upstream release 1.0.2j fixing regression from previous release
[1.0.2i-2]
- Fix enginesdir in libcrypto.c (#1375361)
[1.0.2i-1]
- minor upstream release 1.0.2i fixing security issues
- move man pages for perl based scripts to perl subpackage (#1377617)
[1.0.2h-3]
- fix regression in Cisco AnyConnect VPN support (#1354588)
[1.0.2h-2]
- require libcrypto in libssl.pc (#1301301)
[1.0.2h-1]
- minor upstream release 1.0.2h fixing security issues
[1.0.2g-4]
- disable SSLv2 support altogether (without ABI break)
[1.0.2g-3]
- enable RC5
[1.0.2g-2]
- reenable SSL2 in the build to avoid ABI break (it does not
make the openssl vulnerable to DROWN attack)
[1.0.2g-1]
- minor upstream release 1.0.2g fixing security issues
[1:1.0.2f-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
[1.0.2f-1]
- minor upstream release 1.0.2f fixing security issues
- add support for MIPS secondary architecture
[1.0.2e-5]
- document some options of openssl speed command
[1.0.2e-4]
- enable sctp support in DTLS
[1.0.2e-3]
- remove unimplemented EC method from header (#1289599)
[1.0.2e-2]
- the fast nistp implementation works only on little endian architectures
[1.0.2e-1]
- minor upstream release 1.0.2e fixing moderate severity security issues
- enable fast assembler implementation for NIST P-256 and P-521
elliptic curves (#1164210)
- filter out unwanted link options from the .pc files (#1257836)
- do not set serial to 0 in Makefile.certificate (#1135719)
[1.0.2d-3]
- fix sigill on some AMD CPUs (#1278194)
[1.0.2d-2]
- re-enable secp256k1 (bz1021898)
[1.0.2d-1]
- minor upstream release 1.0.2d fixing a high severity security issue
[1.0.2c-3]
- fix the aarch64 build
[1:1.0.2c-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
[1.0.2c-1]
- minor upstream release 1.0.2c fixing multiple security issues
[1.0.2a-4]
- Add aarch64 sslarch details
[1.0.2a-3]
- fix some 64 bit build targets
[1.0.2a-2]
- add alternative certificate chain discovery support from upstream
[1.0.2a-1]
- rebase to 1.0.2 branch
[1.0.1k-7]
- drop the AES-GCM restriction of 2^32 operations because the IV is
always 96 bits (32 bit fixed field + 64 bit invocation field)
[1.0.1k-6]
- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()
- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison
- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
- fix CVE-2015-0293 - triggerable assert in SSLv2 server
[1.0.1k-5]
- fix bug in the CRYPTO_128_unwrap()
[1.0.1k-4]
- fix bug in the RFC 5649 support (#1185878)
[1:1.0.1k-3]
- Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
[1.0.1k-2]
- test in the non-FIPS RSA keygen for minimal distance of p and q
similarly to the FIPS RSA keygen
[1.0.1k-1]
- new upstream release fixing multiple security issues
[1.0.1j-3]
- disable SSLv3 by default again (mail servers and possibly
LDAP servers should probably allow it explicitly for legacy
clients)
[1.0.1j-2]
- update the FIPS RSA keygen to be FIPS 186-4 compliant
[1.0.1j-1]
- new upstream release fixing multiple security issues
[1.0.1i-5]
- copy negotiated digests when switching certs by SNI (#1150032)
[1.0.1i-4]
- add support for RFC 5649
[1:1.0.1i-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
[1.0.1i-2]
- drop RSA X9.31 from RSA FIPS selftests
- add Power 8 optimalizations
[1.0.1i-1]
- new upstream release fixing multiple moderate security issues
- for now disable only SSLv2 by default
[1.0.1h-6]
- fix license handling
[1.0.1h-5]
- disable SSLv2 and SSLv3 protocols by default (can be enabled
via appropriate SSL_CTX_clear_options() call)
[1.0.1h-4]
- use system profile for default cipher list
[1.0.1h-3]
- make FIPS mode keygen bit length restriction enforced only when
OPENSSL_ENFORCE_MODULUS_BITS is set
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
[1:1.0.1h-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
[1.0.1h-1]
- new upstream release 1.0.1h
[1.0.1g-2]
- Drop obsolete and irrelevant docs
- Move devel docs to appropriate package
[1.0.1g-1]
- new upstream release 1.0.1g
- do not include ECC ciphersuites in SSLv2 client hello (#1090952)
- fail on hmac integrity check if the .hmac file is empty
[1.0.1e-44]
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency
[1.0.1e-43]
- add support for ppc64le architecture (#1072633)
[1.0.1e-42]
- properly detect encryption failure in BIO
- use 2048 bit RSA key in FIPS selftests
[1.0.1e-41]
- use the key length from configuration file if req -newkey rsa is invoked
[1.0.1e-40]
- print ephemeral key size negotiated in TLS handshake (#1057715)
- add DH_compute_key_padded needed for FIPS CAVS testing
[1.0.1e-39]
- make expiration and key length changeable by DAYS and KEYLEN
variables in the certificate Makefile (#1058108)
- change default hash to sha256 (#1062325)
[1.0.1e-38]
- make 3des strength to be 128 bits instead of 168 (#1056616)
[1.0.1e-37]
- fix CVE-2013-4353 - Invalid TLS handshake crash
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
[1.0.1e-36]
- fix CVE-2013-6449 - crash when version in SSL structure is incorrect
- more FIPS validation requirement changes
[1.0.1e-35]
- drop weak ciphers from the default TLS ciphersuite list
- add back some symbols that were dropped with update to 1.0.1 branch
- more FIPS validation requirement changes
[1.0.1e-34]
- fix locking and reseeding problems with FIPS drbg
[1.0.1e-33]
- additional changes required for FIPS validation
[1.0.1e-32]
- disable verification of certificate, CRL, and OCSP signatures
using MD5 if OPENSSL_ENABLE_MD5_VERIFY environment variable
is not set
[1.0.1e-31]
- add back support for secp521r1 EC curve
- add aarch64 to Configure (#969692)
[1.0.1e-30]
- fix misdetection of RDRAND support on Cyrix CPUS (from upstream) (#1022346)
[1.0.1e-29]
- do not advertise ECC curves we do not support (#1022493)
[1.0.1e-28]
- only ECC NIST Suite B curves support
- drop -fips subpackage
[1.0.1e-27]
- resolve bugzilla 319901 (phew! only took 6 years & 9 days)
[1.0.1e-26]
- make DTLS1 work in FIPS mode
- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode
[1.0.1e-25]
- avoid dlopening libssl.so from libcrypto (#1010357)
[1.0.1e-24]
- fix small memory leak in FIPS aes selftest
[1.0.1e-23]
- fix segfault in openssl speed hmac in the FIPS mode
[1.0.1e-22]
- document the nextprotoneg option in manual pages
original patch by Hubert Kario
[1.0.1e-21]
- [arm] use elf auxv to figure out armcap.c instead of playing silly
games with SIGILL handlers. (#1006474)
[1.0.1e-20]
- try to avoid some races when updating the -fips subpackage
[1.0.1e-19]
- use version-release in .hmac suffix to avoid overwrite
during upgrade
[1.0.1e-18]
- allow deinitialization of the FIPS mode
[1.0.1e-17]
- always perform the FIPS selftests in library constructor
if FIPS module is installed
[1.0.1e-16]
- add -fips subpackage that contains the FIPS module files
[1.0.1e-15]
- fix use of rdrand if available
- more commits cherry picked from upstream
- documentation fixes
[1:1.0.1e-14]
- Perl 5.18 rebuild
[1.0.1e-13]
- additional manual page fix
- use symbol versioning also for the textual version
[1.0.1e-12]
- additional manual page fixes
[1.0.1e-11]
- use _prefix macro
[1:1.0.1e-10]
- Perl 5.18 rebuild
[1.0.1e-9]
- add openssl.cnf.5 manpage symlink to config.5
[1.0.1e-8]
- add relro linking flag
[1.0.1e-7]
- add support for the -trusted_first option for certificate chain verification
[1.0.1e-6]
- fix build of manual pages with current pod2man (#959439)
[1.0.1e-5]
- Enable ARM optimised build
[1.0.1e-4]
- fix random bad record mac errors (#918981)
[1.0.1e-3]
- fix up the SHLIB_VERSION_NUMBER
[1.0.1e-2]
- disable ZLIB loading by default (due to CRIME attack)
[1.0.1e-1]
- new upstream version
[1.0.1c-12]
- more fixes from upstream
- fix errors in manual causing build failure (#904777)
[1.0.1c-11]
- add script for renewal of a self-signed cert by Philip Prindeville (#871566)
- allow X509_issuer_and_serial_hash() produce correct result in
the FIPS mode (#881336)
[1.0.1c-10]
- do not load default verify paths if CApath or CAfile specified (#884305)
[1.0.1c-9]
- more fixes from upstream CVS
- fix DSA key pairwise check (#878597)
[1.0.1c-8]
- use 1024 bit DH parameters in s_server as 512 bit is not allowed
in FIPS mode and it is quite weak anyway
[1.0.1c-7]
- add missing initialization of str in aes_ccm_init_key (#853963)
- add important patches from upstream CVS
- use the secure_getenv() with new glibc
[1:1.0.1c-6]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
[1.0.1c-5]
- use __getenv_secure() instead of __libc_enable_secure
[1.0.1c-4]
- do not move libcrypto to /lib
- do not use environment variables if __libc_enable_secure is on
- fix strict aliasing problems in modes
[1.0.1c-3]
- fix DSA key generation in FIPS mode (#833866)
- allow duplicate FIPS_mode_set(1)
- enable build on ppc64 subarch (#834652)
[1.0.1c-2]
- fix s_server with new glibc when no global IPv6 address (#839031)
- make it build with new Perl
[1.0.1c-1]
- new upstream version
[1.0.1b-1]
- new upstream version
[1.0.1a-1]
- new upstream version fixing CVE-2012-2110
[1.0.1-3]
- add Kerberos 5 libraries to pkgconfig for static linking (#807050)
[1.0.1-2]
- backports from upstream CVS
- fix segfault when /dev/urandom is not available (#809586)
[1.0.1-1]
- new upstream release
[1.0.1-0.3.beta3]
- add obsoletes to assist multilib updates (#799636)
[1.0.1-0.2.beta3]
- epoch bumped to 1 due to revert to 1.0.0g on Fedora 17
- new upstream release from the 1.0.1 branch
- fix s390x build (#798411)
- versioning for the SSLeay symbol (#794950)
- add -DPURIFY to build flags (#797323)
- filter engine provides
- split the libraries to a separate -libs package
- add make to requires on the base package (#783446)
[1.0.1-0.1.beta2]
- new upstream release from the 1.0.1 branch, ABI compatible
- add documentation for the -no_ign_eof option
[1.0.0g-1]
- new upstream release fixing CVE-2012-0050 - DoS regression in
DTLS support introduced by the previous release (#782795)
[1.0.0f-1]
- new upstream release fixing multiple CVEs
[1.0.0e-4]
- move the libraries needed for static linking to Libs.private
[1.0.0e-3]
- do not use AVX instructions when osxsave bit not set
- add direct known answer tests for SHA2 algorithms
[1.0.0e-2]
- fix missing initialization of variable in CHIL engine
[1.0.0e-1]
- new upstream release fixing CVE-2011-3207 (#736088)
[1.0.0d-8]
- drop the separate engine for Intel acceleration improvements
and merge in the AES-NI, SHA1, and RC4 optimizations
- add support for OPENSSL_DISABLE_AES_NI environment variable
that disables the AES-NI support
[1.0.0d-7]
- correct openssl cms help output (#636266)
- more tolerant starttls detection in XMPP protocol (#608239)
[1.0.0d-6]
- add support for newest Intel acceleration improvements backported
from upstream by Intel in form of a separate engine
[1.0.0d-5]
- allow the AES-NI engine in the FIPS mode
[1.0.0d-4]
- add API necessary for CAVS testing of the new DSA parameter generation
[1.0.0d-3]
- add support for VIA Padlock on 64bit arch from upstream (#617539)
- do not return bogus values from load_certs (#652286)
[1.0.0d-2]
- clarify apps help texts for available digest algorithms (#693858)
[1.0.0d-1]
- new upstream release fixing CVE-2011-0014 (OCSP stapling vulnerability)
[1.0.0c-4]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
[1.0.0c-3]
- add -x931 parameter to openssl genrsa command to use the ANSI X9.31
key generation method
- use FIPS-186-3 method for DSA parameter generation
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
to allow using MD5 when the system is in the maintenance state
even if the /proc fips flag is on
- make openssl pkcs12 command work by default in the FIPS mode
[1.0.0c-2]
- listen on ipv6 wildcard in s_server so we accept connections
from both ipv4 and ipv6 (#601612)
- fix openssl speed command so it can be used in the FIPS mode
with FIPS allowed ciphers
[1.0.0c-1]
- new upstream version fixing CVE-2010-4180
[1.0.0b-3]
- replace the revert for the s390x bignum asm routines with
fix from upstream
[1.0.0b-2]
- revert upstream change in s390x bignum asm routines
[1.0.0b-1]
- new upstream version fixing CVE-2010-3864 (#649304)
[1.0.0a-3]
- make SHLIB_VERSION reflect the library suffix
[1.0.0a-2]
- openssl man page fix (#609484)
[1.0.0a-1]
- new upstream patch release, fixes CVE-2010-0742 (#598738)
and CVE-2010-1633 (#598732)
Updated Packages
| Release/Architecture | Filename | MD5sum | Superseded By Advisory |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
