[Orabug 20182267] The openssl-fips-devel package should Provide:
openssl-devel and openssl-devel(x86-64) like the standard -devel
package
The openssl-fips-devel package should include fips.h and fips_rand.h
for apps that want to build against FIPS* APIs
[1.0.1j-2.0.3]
[Orabug 20086847] reintroduce patch openssl-1.0.1e-ecc-suiteb.patch,
update ec_curve.c which gets copied into build tree to match the patch
(i.e. only have curves which are advertised). The change items from the
original patch are as follows:
do not advertise ECC curves we do not support
fix CPU identification on Cyrix CPUs
[1.0.1j-2.0.2]
update README.FIPS with step-by-step install instructions
[1.0.1j-2.0.1]
update to upstream 1.0.1j
change name to openssl-fips
change Obsoletes: openssl to Conflicts: openssl
add Provides: openssl
[1.0.1i-2.0.3.fips]
update to fips canister 2.0.8 to remove Dual EC DRBG
run gcc -v so the gcc build version is captured in the build log
[1.0.1i-2.0.2.fips]
flip EVP_CIPH_* flag bits for compatibility with original RH patched pkg
[1.0.1i-2.0.1.fips]
build against upstream 1.0.1i
build against fips validated canister 2.0.7
add patch to support fips=1
rename pkg to openssl-fips and Obsolete openssl
[1.0.1e-16.14]
fix CVE-2010-5298 - possible use of memory after free
fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment
fix CVE-2014-0198 - possible NULL pointer dereference
fix CVE-2014-0221 - DoS from invalid DTLS handshake packet
fix CVE-2014-0224 - SSL/TLS MITM vulnerability
fix CVE-2014-3470 - client-side DoS when using anonymous ECDH
[1.0.1e-16.7]
fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
[1.0.1e-16.4]
add -x931 parameter to openssl genrsa command to use the ANSI X9.31
key generation method
use FIPS-186-3 method for DSA parameter generation
add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
to allow using MD5 when the system is in the maintenance state
even if the /proc fips flag is on
make openssl pkcs12 command work by default in the FIPS mode
[1.0.0-7]
listen on ipv6 wildcard in s_server so we accept connections
from both ipv4 and ipv6 (#601612)
fix openssl speed command so it can be used in the FIPS mode
with FIPS allowed ciphers (#619762)
[1.0.0-6]
disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864
(#649304)
[1.0.0-5]
fix race in extension parsing code - CVE-2010-3864 (#649304)
[1.0.0-4]
openssl man page fix (#609484)
[1.0.0-3]
fix wrong ASN.1 definition of OriginatorInfo - CVE-2010-0742 (#598738)
fix information leak in rsa_verify_recover - CVE-2010-1633 (#598732)
[1.0.0-2]
make CA dir readable - the private keys are in private subdir (#584810)
a few fixes from upstream CVS
make X509_NAME_hash_old work in FIPS mode (#568395)
[1.0.0-1]
update to final 1.0.0 upstream release
[1.0.0-0.22.beta5]
make TLS work in the FIPS mode
[1.0.0-0.21.beta5]
gracefully handle zero length in assembler implementations of
OPENSSL_cleanse (#564029)
do not fail in s_server if client hostname not resolvable (#561260)
[1.0.0-0.20.beta5]
new upstream release
[1.0.0-0.19.beta4]
fix CVE-2009-4355 - leak in applications incorrectly calling
CRYPTO_free_all_ex_data() before application exit (#546707)
upstream fix for future TLS protocol version handling
[1.0.0-0.18.beta4]
add support for Intel AES-NI
[1.0.0-0.17.beta4]
upstream fix compression handling on session resumption
various null checks and other small fixes from upstream
upstream changes for the renegotiation info according to the latest draft
[1.0.0-0.16.beta4]
fix non-fips mingw build (patch by Kalev Lember)
add IPV6 fix for DTLS
[1.0.0-0.15.beta4]
add better error reporting for the unsafe renegotiation
[1.0.0-0.14.beta4]
fix build on s390x
[1.0.0-0.13.beta4]
disable enforcement of the renegotiation extension on the client (#537962)
add fixes from the current upstream snapshot
[1.0.0-0.12.beta4]
keep the beta status in version number at 3 so we do not have to rebuild
openssh and possibly other dependencies with too strict version check
[1.0.0-0.11.beta4]
update to new upstream version, no soname bump needed
fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
so the compatibility with unfixed clients is not broken. The
protocol extension is also not final.
[1.0.0-0.10.beta3]
fix use of freed memory if SSL_CTX_free() is called before
SSL_free() (#521342)
[1.0.0-0.9.beta3]
fix typo in DTLS1 code (#527015)
fix leak in error handling of d2i_SSL_SESSION()
[1.0.0-0.8.beta3]
Fix link line for libssl (bug #111154).
[0.9.7a-25]
add dependency on zlib-devel for the -devel package, which depends on zlib
symbols because we enable zlib for libssl (#102962)
[0.9.7a-24]
Use /dev/urandom instead of PRNG for libica.
Apply libica-1.3.5 fix for /dev/urandom in icalinux.c
Use latest ICA engine patch from IBM.
[0.9.7a-22.1]
rebuild
[0.9.7a-22]
rebuild (22 wasn’t actually built, fun eh?)
[0.9.7a-23]
re-disable optimizations on ppc64
Tue Sep 30 2003 Joe Orton
add a_mbstr.c fix for 64-bit platforms from CVS
[0.9.7a-22]
add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get tagged
as not needing executable stacks
[0.9.7a-21]
rebuild
Thu Sep 25 2003 Nalin Dahyabhai
re-enable optimizations on ppc64
Thu Sep 25 2003 Nalin Dahyabhai
remove exclusivearch
[0.9.7a-20]
only parse a client cert if one was requested
temporarily exclusivearch for %{ix86}
Tue Sep 23 2003 Nalin Dahyabhai
add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
and heap corruption (CAN-2003-0545)
update RHNS-CA-CERT files
ease back on the number of threads used in the threading test
[0.9.7a-19]
rebuild to fix gzipped file md5sums (#91211)
[0.9.7a-18]
Updated libica to version 1.3.4.
[0.9.7a-17]
rebuild
[0.9.7a-10.9]
free the kssl_ctx structure when we free an SSL structure (#99066)
[0.9.7a-16]
rebuild
[0.9.7a-15]
lower thread test count on s390x
[0.9.7a-14]
rebuild
[0.9.7a-13]
disable assembly on arches where it seems to conflict with threading
[0.9.7a-12]
Updated libica to latest upstream version 1.3.0
[0.9.7a-9.9]
rebuild
[0.9.7a-11]
rebuild
[0.9.7a-10]
ubsec: don’t stomp on output data which might also be input data
[0.9.7a-9]
temporarily disable optimizations on ppc64
Mon Jun 09 2003 Nalin Dahyabhai
backport fix for engine-used-for-everything from 0.9.7b
backport fix for prng not being seeded causing problems, also from 0.9.7b
add a check at build-time to ensure that RSA is thread-safe
keep perlpath from stomping on the libica configure scripts
Fri Jun 06 2003 Nalin Dahyabhai
thread-safety fix for RSA blinding
[0.9.7a-8]
rebuilt
[0.9.7a-7]
Added libica-1.2 to openssl (feature request).
[0.9.7a-6]
fix building with incorrect flags on ppc64
[0.9.7a-5]
add patch to harden against Klima-Pokorny-Rosa extension of Bleichenbacher’s
attack (CAN-2003-0131)
[0.9.7a-4]
add patch to enable RSA blinding by default, closing a timing attack
(CAN-2003-0147)
[0.9.7a-3]
disable use of BN assembly module on x86_64, but continue to allow inline
assembly (#83403)
[0.9.7a-2]
disable EC algorithms
[0.9.7a-1]
update to 0.9.7a
[0.9.7-8]
add fix to guard against attempts to allocate negative amounts of memory
add patch for CAN-2003-0078, fixing a timing attack
[0.9.7-7]
Add openssl-ppc64.patch
[0.9.7-6]
EVP_DecryptInit should call EVP_CipherInit() instead of EVP_CipherInit_ex(),
to get the right behavior when passed uninitialized context structures
(#83766)
build with -mcpu=ev5 on alpha family (#83828)
Wed Jan 22 2003 Tim Powers
rebuilt
[0.9.7-4]
Added IBM hw crypto support patch.
Wed Jan 15 2003 Nalin Dahyabhai
add missing builddep on sed
[0.9.7-3]
debloat
fix broken manpage symlinks
[0.9.7-2]
fix double-free in ‘openssl ca’
[0.9.7-1]
update to 0.9.7 final
[0.9.7-0]
update to 0.9.7 beta6 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)
Wed Dec 11 2002 Nalin Dahyabhai
update to 0.9.7 beta5 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)
[0.9.6b-30]
add configuration stanza for x86_64 and use it on x86_64
build for linux-ppc on ppc
start running the self-tests again
[0.9.6b-29hammer.3]
Merge fixes from previous hammer packages, including general x86-64 and
multilib
[0.9.6b-29]
rebuild
[0.9.6b-28]
update asn patch to fix accidental reversal of a logic check
[0.9.6b-27]
update asn patch to reduce chance that compiler optimization will remove
one of the added tests
[0.9.6b-26]
rebuild
[0.9.6b-25]
add patch to fix ASN.1 vulnerabilities
[0.9.6b-24]
add backport of Ben Laurie’s patches for OpenSSL 0.9.6d
[0.9.6b-23]
own {_datadir}/ssl/misc
Fri Jun 21 2002 Tim Powers
automated rebuild
Sun May 26 2002 Tim Powers
automated rebuild
[0.9.6b-20]
free ride through the build system (whee!)
[0.9.6b-19]
rebuild in new environment
[0.9.6b-17, 0.9.6b-18]
merge RHL-specific bits into stronghold package, rename
[stronghold-0.9.6c-2]
add support for Chrysalis Luna token
Tue Mar 26 2002 Gary Benson
disable AEP random number generation, other AEP fixes
[0.9.6b-15]
only build subpackages on primary arches
[0.9.6b-13]
on ia32, only disable use of assembler on i386
enable assembly on ia64
[0.9.6b-11]
fix sparcv9 entry
[stronghold-0.9.6c-1]
upgrade to 0.9.6c
bump BuildArch to i686 and enable assembler on all platforms
synchronise with shrimpy and rawhide
bump soversion to 3
Wed Oct 10 2001 Florian La Roche
delete BN_LLONG for s390x, patch from Oliver Paukstadt
[0.9.6b-9]
update AEP driver patch
Mon Sep 10 2001 Nalin Dahyabhai
adjust RNG disabling patch to match version of patch from Broadcom
[0.9.6b-8]
disable the RNG in the ubsec engine driver
[0.9.6b-7]
tweaks to the ubsec engine driver
[0.9.6b-6]
tweaks to the ubsec engine driver
[0.9.6b-5]
update ubsec engine driver from Broadcom
[0.9.6b-4]
move man pages back to %{_mandir}/man?/foo.?ssl from
%{_mandir}/man?ssl/foo.?
add an [ engine ] section to the default configuration file
Thu Aug 09 2001 Nalin Dahyabhai
add a patch for selecting a default engine in SSL_library_init()
[0.9.6b-3]
add patches for AEP hardware support
add patch to keep trying when we fail to load a cert from a file and
there are more in the file
add missing prototype for ENGINE_ubsec() in engine_int.h
[0.9.6b-2]
actually add hw_ubsec to the engine list
Tue Jul 17 2001 Nalin Dahyabhai
add in the hw_ubsec driver from CVS
[0.9.6b-1]
update to 0.9.6b
Thu Jul 05 2001 Nalin Dahyabhai
move .so symlinks back to %{_libdir}
Tue Jul 03 2001 Nalin Dahyabhai
move shared libraries to /lib (#38410)
Mon Jun 25 2001 Nalin Dahyabhai
switch to engine code base
Mon Jun 18 2001 Nalin Dahyabhai
add a script for creating dummy certificates
move man pages from %{_mandir}/man?/foo.?ssl to %{_mandir}/man?ssl/foo.?
Thu Jun 07 2001 Florian La Roche
add s390x support
Fri Jun 01 2001 Nalin Dahyabhai
change two memcpy() calls to memmove()
don’t define L_ENDIAN on alpha
[stronghold-0.9.6a-1]
Add ‘stronghold-’ prefix to package names.
Obsolete standard openssl packages.
Wed May 16 2001 Joe Orton
Add BuildArch: i586 as per Nalin’s advice.
Tue May 15 2001 Joe Orton
Enable assembler on ix86 (using new .tar.bz2 which does
include the asm directories).
Tue May 15 2001 Nalin Dahyabhai
make subpackages depend on the main package
Tue May 01 2001 Nalin Dahyabhai
adjust the hobble script to not disturb symlinks in include/ (fix from
Joe Orton)
Fri Apr 27 2001 Nalin Dahyabhai
drop the m2crypto patch we weren’t using
Tue Apr 24 2001 Nalin Dahyabhai
configure using ‘shared’ as well
Sun Apr 08 2001 Nalin Dahyabhai
update to 0.9.6a
use the build-shared target to build shared libraries
bump the soversion to 2 because we’re no longer compatible with
our 0.9.5a packages or our 0.9.6 packages
drop the patch for making rsatest a no-op when rsa null support is used
put all man pages into
ssl instead of
break the m2crypto modules into a separate package
Tue Mar 13 2001 Nalin Dahyabhai
use BN_LLONG on s390
Mon Mar 12 2001 Nalin Dahyabhai
fix the s390 changes for 0.9.6 (isn’t supposed to be marked as 64-bit)
Sat Mar 03 2001 Nalin Dahyabhai
move c_rehash to the perl subpackage, because it’s a perl script now
bump the soversion to 1 because we’re no longer compatible with any of
the various 0.9.5a packages circulating around, which provide lib*.so.0
Wed Feb 28 2001 Florian La Roche
change hobble-openssl for disabling MD2 again
Tue Feb 27 2001 Nalin Dahyabhai
re-disable MD2 – the EVP_MD_CTX structure would grow from 100 to 152
bytes or so, causing EVP_DigestInit() to zero out stack variables in
apps built against a version of the library without it
Mon Feb 26 2001 Nalin Dahyabhai
disable some inline assembly, which on x86 is Pentium-specific