[openssl/f17] new upstream release fixing CVE-2012-0884 - Bleichenbacher attack

Tomáš Mráz tmraz at fedoraproject.org
Fri Mar 23 17:37:52 UTC 2012


commit 9ade2aa2dfb3de6cb307efddcf15cc9c0e7ecb21
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Fri Mar 23 18:34:20 2012 +0100

    new upstream release fixing CVE-2012-0884 - Bleichenbacher attack
    
      against PKCS#7 and CMS (#802725) and CVE-2012-1165 mime_param_cmp
      NULL dereference (#802489)

 .gitignore                                         |    1 +
 openssl-0.9.8j-bad-mime.patch                      |   14 --------
 openssl-1.0.0a-load-certs.patch                    |   23 --------------
 openssl-1.0.0e-pkgconfig-private.patch             |   33 --------------------
 ...g-version.patch => openssl-1.0.0h-version.patch |   15 ++++-----
 openssl.spec                                       |   17 +++++-----
 sources                                            |    2 +-
 7 files changed, 17 insertions(+), 88 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index d0e8a97..12d27b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.0e-usa.tar.bz2
 /openssl-1.0.0f-usa.tar.bz2
 /openssl-1.0.0g-usa.tar.xz
+/openssl-1.0.0h-usa.tar.xz
diff --git a/openssl-1.0.0g-version.patch b/openssl-1.0.0h-version.patch
similarity index 50%
rename from openssl-1.0.0g-version.patch
rename to openssl-1.0.0h-version.patch
index 55aa0c0..6dbfb1d 100644
--- a/openssl-1.0.0g-version.patch
+++ b/openssl-1.0.0h-version.patch
@@ -1,17 +1,16 @@
-diff -up openssl-1.0.0g/crypto/opensslv.h.version openssl-1.0.0g/crypto/opensslv.h
---- openssl-1.0.0g/crypto/opensslv.h.version	2012-01-19 14:50:50.094028047 +0100
-+++ openssl-1.0.0g/crypto/opensslv.h	2012-01-19 14:51:48.655529671 +0100
-@@ -25,7 +25,8 @@
+diff -up openssl-1.0.0h/crypto/opensslv.h.version openssl-1.0.0h/crypto/opensslv.h
+--- openssl-1.0.0h/crypto/opensslv.h.version	2012-03-23 18:28:55.204891622 +0100
++++ openssl-1.0.0h/crypto/opensslv.h	2012-03-23 18:29:24.233500886 +0100
+@@ -25,7 +25,7 @@
   * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
   *  major minor fix final patch/beta)
   */
--#define OPENSSL_VERSION_NUMBER	0x1000007fL
-+/* we have to keep the version number to not break the abi */
+-#define OPENSSL_VERSION_NUMBER	0x1000008fL
 +#define OPENSSL_VERSION_NUMBER	0x10000003
  #ifdef OPENSSL_FIPS
- #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0g-fips 18 Jan 2012"
+ #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0h-fips 12 Mar 2012"
  #else
-@@ -83,7 +84,7 @@
+@@ -83,7 +83,7 @@
   * should only keep the versions that are binary compatible with the current.
   */
  #define SHLIB_VERSION_HISTORY ""
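Review bot: The regenerated version patch no longer adds the comment `/* we have to keep the version number to not break the abi */` above the pinned `#define OPENSSL_VERSION_NUMBER 0x10000003`; the patch hunk header shrinking from `+25,8` to `+25,7` confirms the line is gone. That comment was the only in-tree explanation of why the define is held at an old value while upstream moves to `0x1000008fL`, and anyone reading the patched opensslv.h in 1.0.0h will now see the pinned value with no rationale. Suggest restoring the `+/* we have to keep the version number to not break the abi */` line in the new patch (and its hunk count to `+25,8`). The patch's second hunk (`@@ -83,7 +83,7 @@`) continues past the end of this diff hunk.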
diff --git a/openssl.spec b/openssl.spec
index 35a20b2..81215eb 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -20,8 +20,8 @@
 
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.0.0g
-Release: 4%{?dist}
+Version: 1.0.0h
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -44,9 +44,7 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch
 Patch7: openssl-1.0.0-timezone.patch
 # Bug fixes
 Patch23: openssl-1.0.0-beta4-default-paths.patch
-Patch24: openssl-0.9.8j-bad-mime.patch
 Patch25: openssl-1.0.0a-manfix.patch
-Patch26: openssl-1.0.0a-load-certs.patch
 # Functionality changes
 Patch32: openssl-0.9.8g-ia64.patch
 Patch33: openssl-1.0.0-beta4-ca-dir.patch
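Review bot: Dropping Patch24 (`openssl-0.9.8j-bad-mime.patch`) and Patch26 (`openssl-1.0.0a-load-certs.patch`) here, and Patch67 (`openssl-1.0.0e-pkgconfig-private.patch`) in the hunk below, is not recorded in the changelog entry this commit adds at the end of the file, which names only the two CVEs. Presumably they go away because 1.0.0h carries the equivalent fixes upstream (bad-mime looks like the downstream fix for the CVE-2012-1165 mime_param_cmp NULL dereference named in the changelog), but nothing in the diff states that. Suggest a second changelog line such as `- drop bad-mime, load-certs and pkgconfig-private patches (now in upstream 1.0.0h)`, if that is indeed the reason, so the next rebase does not have to rediscover why they were removed.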
@@ -62,7 +60,7 @@ Patch45: openssl-0.9.8j-env-nozlib.patch
 Patch47: openssl-1.0.0-beta5-readme-warning.patch
 Patch49: openssl-1.0.0-beta4-algo-doc.patch
 Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
-Patch51: openssl-1.0.0g-version.patch
+Patch51: openssl-1.0.0h-version.patch
 Patch52: openssl-1.0.0b-aesni.patch
 Patch53: openssl-1.0.0-name-hash.patch
 Patch54: openssl-1.0.0c-speed-fips.patch
@@ -78,7 +76,6 @@ Patch63: openssl-1.0.0d-xmpp-starttls.patch
 Patch64: openssl-1.0.0d-intelopts.patch
 Patch65: openssl-1.0.0e-chil-fixes.patch
 Patch66: openssl-1.0.0-sha2test.patch
-Patch67: openssl-1.0.0e-pkgconfig-private.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.0d-padlock64.patch
 
@@ -144,9 +141,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch7 -p1 -b .timezone
 
 %patch23 -p1 -b .default-paths
-%patch24 -p1 -b .bad-mime
 %patch25 -p1 -b .manfix
-%patch26 -p1 -b .load-certs
 
 %patch32 -p1 -b .ia64
 %patch33 -p1 -b .ca-dir
@@ -178,7 +173,6 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch64 -p1 -b .intelopts
 %patch65 -p1 -b .chil
 %patch66 -p1 -b .sha2test
-%patch67 -p1 -b .private
 
 %patch81 -p1 -b .padlock64
 
@@ -430,6 +424,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 
 %changelog
+* Fri Mar 23 2012 Tomas Mraz <tmraz at redhat.com> 1.0.0h-1
+- new upstream release fixing CVE-2012-0884 - Bleichenbacher attack
+  against PKCS#7 and CMS (#802725) and CVE-2012-1165 mime_param_cmp
+  NULL dereference (#802489)
+
 * Wed Feb 29 2012 Tomas Mraz <tmraz at redhat.com> 1.0.0g-4
 - fixup requires to properly require the Epoch 1
 
diff --git a/sources b/sources
index 45e0449..4da4ff2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-9d7281bdc7ec0845c240eb6c0adc8dc3  openssl-1.0.0g-usa.tar.xz
+909886cae52acc459225ff056f0bec1f  openssl-1.0.0h-usa.tar.xz

