From d91aea88902ba90fa95ee7539c8675be3a59ea20 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Jan 19 2012 15:48:48 +0000 Subject: new upstream release fixing CVE-2012-0050 - DoS regression in DTLS support introduced by the previous release (#782795) --- diff --git a/.gitignore b/.gitignore index 7795bf3..d0e8a97 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.0.0d-usa.tar.bz2 /openssl-1.0.0e-usa.tar.bz2 /openssl-1.0.0f-usa.tar.bz2 +/openssl-1.0.0g-usa.tar.xz diff --git a/openssl-1.0.0f-version.patch b/openssl-1.0.0f-version.patch deleted file mode 100644 index 6c67a5e..0000000 --- a/openssl-1.0.0f-version.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff -up openssl-1.0.0f/crypto/opensslv.h.version openssl-1.0.0f/crypto/opensslv.h ---- openssl-1.0.0f/crypto/opensslv.h.version 2012-01-05 13:28:32.000000000 +0100 -+++ openssl-1.0.0f/crypto/opensslv.h 2012-01-05 13:29:37.000000000 +0100 -@@ -25,7 +25,8 @@ - * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for - * major minor fix final patch/beta) - */ --#define OPENSSL_VERSION_NUMBER 0x1000006fL -+/* we have to keep the version number to not break the abi */ -+#define OPENSSL_VERSION_NUMBER 0x10000003 - #ifdef OPENSSL_FIPS - #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f-fips 4 Jan 2012" - #else -@@ -83,7 +84,7 @@ - * should only keep the versions that are binary compatible with the current. - */ - #define SHLIB_VERSION_HISTORY "" --#define SHLIB_VERSION_NUMBER "1.0.0" -+#define SHLIB_VERSION_NUMBER "1.0.0f" - - - #endif /* HEADER_OPENSSLV_H */ diff --git a/openssl-1.0.0g-version.patch b/openssl-1.0.0g-version.patch new file mode 100644 index 0000000..55aa0c0 --- /dev/null +++ b/openssl-1.0.0g-version.patch @@ -0,0 +1,22 @@ +diff -up openssl-1.0.0g/crypto/opensslv.h.version openssl-1.0.0g/crypto/opensslv.h +--- openssl-1.0.0g/crypto/opensslv.h.version 2012-01-19 14:50:50.094028047 +0100 ++++ openssl-1.0.0g/crypto/opensslv.h 2012-01-19 14:51:48.655529671 +0100 +@@ -25,7 +25,8 @@ + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-#define OPENSSL_VERSION_NUMBER 0x1000007fL ++/* we have to keep the version number to not break the abi */ ++#define OPENSSL_VERSION_NUMBER 0x10000003 + #ifdef OPENSSL_FIPS + #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0g-fips 18 Jan 2012" + #else +@@ -83,7 +84,7 @@ + * should only keep the versions that are binary compatible with the current. + */ + #define SHLIB_VERSION_HISTORY "" +-#define SHLIB_VERSION_NUMBER "1.0.0" ++#define SHLIB_VERSION_NUMBER "1.0.0g" + + + #endif /* HEADER_OPENSSLV_H */ diff --git a/openssl.spec b/openssl.spec index 9ac89a9..95ee2b8 100644 --- a/openssl.spec +++ b/openssl.spec @@ -20,12 +20,12 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl -Version: 1.0.0f +Version: 1.0.0g Release: 1%{?dist} # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. -Source: openssl-%{version}-usa.tar.bz2 +Source: openssl-%{version}-usa.tar.xz Source1: hobble-openssl Source2: Makefile.certificate Source6: make-dummy-cert @@ -61,7 +61,7 @@ Patch45: openssl-0.9.8j-env-nozlib.patch Patch47: openssl-1.0.0-beta5-readme-warning.patch Patch49: openssl-1.0.0-beta4-algo-doc.patch Patch50: openssl-1.0.0-beta4-dtls1-abi.patch -Patch51: openssl-1.0.0f-version.patch +Patch51: openssl-1.0.0g-version.patch Patch52: openssl-1.0.0b-aesni.patch Patch53: openssl-1.0.0-name-hash.patch Patch54: openssl-1.0.0c-speed-fips.patch @@ -429,6 +429,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun -p /sbin/ldconfig %changelog +* Thu Jan 19 2012 Tomas Mraz 1.0.0g-1 +- new upstream release fixing CVE-2012-0050 - DoS regression in + DTLS support introduced by the previous release (#782795) + * Thu Jan 5 2012 Tomas Mraz 1.0.0f-1 - new upstream release fixing multiple CVEs diff --git a/sources b/sources index ea39ae9..45e0449 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -b3a89913eee6cac43cb53dba728e206d openssl-1.0.0f-usa.tar.bz2 +9d7281bdc7ec0845c240eb6c0adc8dc3 openssl-1.0.0g-usa.tar.xz