From 136394ce2c11b7f9ad9f58c7153617d0a9362be6 Mon Sep 17 00:00:00 2001
From: Jakub Bogusz
Date: Wed, 5 Oct 2022 16:22:06 +0200
Subject: [PATCH 01/16] - clearer man pages packaging (as base names are too common, ensure specific extension) - package info(1ossl) page, moved config(5ossl) to base package
---
 openssl.spec | 111 ++++++++++++++++++++++++++-------------------------
 1 file changed, 57 insertions(+), 54 deletions(-)
diff --git a/openssl.spec b/openssl.spec
index 3a8ba3b..8c8af3d 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -368,63 +368,66 @@ fi %dir %{_sysconfdir}/%{name}/certs %dir %attr(700,root,root) %{_sysconfdir}/%{name}/private %dir %{_datadir}/ssl +%{_mandir}/man5/config.5ossl* %files tools %defattr(644,root,root,755) %attr(755,root,root) %{_bindir}/c_rehash.sh %attr(755,root,root) %{_bindir}/openssl %attr(754,root,root) %{_bindir}/ssl-certificate -%{_mandir}/man1/asn1parse.1* -%{_mandir}/man1/ca.1* -%{_mandir}/man1/ciphers.1* -%{_mandir}/man1/cms.1* -%{_mandir}/man1/crl.1* -%{_mandir}/man1/crl2pkcs7.1* -%{_mandir}/man1/dgst.1* -%{_mandir}/man1/dhparam.1* -%{_mandir}/man1/dsa.1* -%{_mandir}/man1/dsaparam.1* -%{_mandir}/man1/ec.1* -%{_mandir}/man1/ecparam.1* -%{_mandir}/man1/enc.1* -%{_mandir}/man1/engine.1* -%{_mandir}/man1/errstr.1* -%{_mandir}/man1/gendsa.1* -%{_mandir}/man1/genpkey.1* -%{_mandir}/man1/genrsa.1* -%{_mandir}/man1/kdf.1* -%{_mandir}/man1/mac.1* -%{_mandir}/man1/nseq.1* -%{_mandir}/man1/ocsp.1* +%{_mandir}/man1/asn1parse.1ossl* +%{_mandir}/man1/ca.1ossl* +%{_mandir}/man1/ciphers.1ossl* +%{_mandir}/man1/cms.1ossl* +%{_mandir}/man1/crl.1ossl* +%{_mandir}/man1/crl2pkcs7.1ossl* +%{_mandir}/man1/dgst.1ossl* +%{_mandir}/man1/dhparam.1ossl* +%{_mandir}/man1/dsa.1ossl* +%{_mandir}/man1/dsaparam.1ossl* +%{_mandir}/man1/ec.1ossl* +%{_mandir}/man1/ecparam.1ossl* +%{_mandir}/man1/enc.1ossl* +%{_mandir}/man1/engine.1ossl* +%{_mandir}/man1/errstr.1ossl* +%{_mandir}/man1/gendsa.1ossl* +%{_mandir}/man1/genpkey.1ossl* +%{_mandir}/man1/genrsa.1ossl* +%{_mandir}/man1/info.1ossl* +%{_mandir}/man1/kdf.1ossl* +%{_mandir}/man1/mac.1ossl* +%{_mandir}/man1/nseq.1ossl* +%{_mandir}/man1/ocsp.1ossl* %{_mandir}/man1/openssl.1* %{_mandir}/man1/openssl-*.1* -%{_mandir}/man1/passwd.1* -%{_mandir}/man1/pkcs12.1* -%{_mandir}/man1/pkcs7.1* -%{_mandir}/man1/pkcs8.1* -%{_mandir}/man1/pkey.1* -%{_mandir}/man1/pkeyparam.1* -%{_mandir}/man1/pkeyutl.1* -%{_mandir}/man1/prime.1* -%{_mandir}/man1/rand.1* -%{_mandir}/man1/rehash.1* -%{_mandir}/man1/req.1* -%{_mandir}/man1/rsa.1* 
-%{_mandir}/man1/rsautl.1* -%{_mandir}/man1/s_client.1* -%{_mandir}/man1/sess_id.1* -%{_mandir}/man1/smime.1* -%{_mandir}/man1/speed.1* -%{_mandir}/man1/spkac.1* -%{_mandir}/man1/srp.1* -%{_mandir}/man1/s_server.1* -%{_mandir}/man1/s_time.1* -%{_mandir}/man1/storeutl.1* -%{_mandir}/man1/ts.1* -%{_mandir}/man1/verify.1* -%{_mandir}/man1/version.1* -%{_mandir}/man1/x509.1* -%{_mandir}/man5/*.5* +%{_mandir}/man1/passwd.1ossl* +%{_mandir}/man1/pkcs12.1ossl* +%{_mandir}/man1/pkcs7.1ossl* +%{_mandir}/man1/pkcs8.1ossl* +%{_mandir}/man1/pkey.1ossl* +%{_mandir}/man1/pkeyparam.1ossl* +%{_mandir}/man1/pkeyutl.1ossl* +%{_mandir}/man1/prime.1ossl* +%{_mandir}/man1/rand.1ossl* +%{_mandir}/man1/rehash.1ossl* +%{_mandir}/man1/req.1ossl* +%{_mandir}/man1/rsa.1ossl* +%{_mandir}/man1/rsautl.1ossl* +%{_mandir}/man1/s_client.1ossl* +%{_mandir}/man1/sess_id.1ossl* +%{_mandir}/man1/smime.1ossl* +%{_mandir}/man1/speed.1ossl* +%{_mandir}/man1/spkac.1ossl* +%{_mandir}/man1/srp.1ossl* +%{_mandir}/man1/s_server.1ossl* +%{_mandir}/man1/s_time.1ossl* +%{_mandir}/man1/storeutl.1ossl* +%{_mandir}/man1/ts.1ossl* +%{_mandir}/man1/verify.1ossl* +%{_mandir}/man1/version.1ossl* +%{_mandir}/man1/x509.1ossl* +%{_mandir}/man5/fips_config.5ossl* +%{_mandir}/man5/x509v3_config.5ossl* %lang(pl) %{_mandir}/pl/man1/openssl.1* %files tools-perl @@ -434,9 +437,9 @@ fi %attr(755,root,root) %{_libdir}/%{name}/CA.pl %attr(755,root,root) %{_libdir}/%{name}/tsget %attr(755,root,root) %{_libdir}/%{name}/tsget.pl -%{_mandir}/man1/CA.pl.1* -%{_mandir}/man1/c_rehash.1* -%{_mandir}/man1/tsget.1* +%{_mandir}/man1/CA.pl.1ossl* +%{_mandir}/man1/c_rehash.1ossl* +%{_mandir}/man1/tsget.1ossl* %files devel %defattr(644,root,root,755) @@ -446,8 +449,8 @@ fi %{_pkgconfigdir}/libcrypto.pc %{_pkgconfigdir}/libssl.pc %{_pkgconfigdir}/openssl.pc -%{_mandir}/man3/*.3* -%{_mandir}/man7/*.7* +%{_mandir}/man3/*.3ossl* +%{_mandir}/man7/*.7ossl* %files static %defattr(644,root,root,755) -- 2.43.0 
From bc4ec2c94a9e791a4d535f7e40b4e85e19a1cba5 Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Tue, 11 Oct 2022 18:11:52 +0200
Subject: [PATCH 02/16] up to 3.0.6 (fixes CVE-2022-3358)
---
 openssl.spec | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/openssl.spec b/openssl.spec
index 8c8af3d..dd8cbac 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name: openssl
-Version: 3.0.5
-Release: 3
+Version: 3.0.6
+Release: 1
 License: Apache v2.0
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: 163bb3e58c143793d1dc6a6ec7d185d5
+# Source0-md5: 1ea2006ec913ef3de6894c1154d17d3e
 Source2: %{name}.1.pl
 Source3: %{name}-ssl-certificate.sh
 Source4: %{name}-c_rehash.sh
@@ -378,6 +378,7 @@ fi
 %{_mandir}/man1/asn1parse.1ossl*
 %{_mandir}/man1/ca.1ossl*
 %{_mandir}/man1/ciphers.1ossl*
+%{_mandir}/man1/cmp.1ossl*
 %{_mandir}/man1/cms.1ossl*
 %{_mandir}/man1/crl.1ossl*
 %{_mandir}/man1/crl2pkcs7.1ossl*
-- 2.43.0
From 5d0a44ae4e5af8051c4144ed9f4f8ccf32d55060 Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Tue, 1 Nov 2022 17:22:14 +0100
Subject: [PATCH 03/16] up to 3.0.7 (fixes CVE-2022-3786 CVE-2022-3602)
---
 openssl.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openssl.spec b/openssl.spec
index dd8cbac..f8b7f5c 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name: openssl
-Version: 3.0.6
+Version: 3.0.7
 Release: 1
 License: Apache v2.0
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: 1ea2006ec913ef3de6894c1154d17d3e
+# Source0-md5: 545478ce41b96bf3beacb4dc58b36c77
 Source2: %{name}.1.pl
 Source3: %{name}-ssl-certificate.sh
 Source4: %{name}-c_rehash.sh
-- 2.43.0
From d4b3e0791ba6b73fd16019a4e4a2a47e3c4e24e1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jan=20R=C4=99korajski?=
Date: Sun, 6 Nov 2022 12:11:18 +0100
Subject: [PATCH 04/16] Release 2 (by relup.sh)
---
 openssl.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openssl.spec b/openssl.spec
index f8b7f5c..ede27bd 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -14,7 +14,7 @@ Summary(ru.UTF-8): Библиотеки и утилиты для соедине
 Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name: openssl
 Version: 3.0.7
-Release: 1
+Release: 2
 License: Apache v2.0
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-- 2.43.0
From 04a58dbc5c7d30c2be73550495d74085303630a8 Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Tue, 7 Feb 2023 17:16:08 +0100
Subject: [PATCH 05/16] up to 3.0.8 (security fixes) fixes: CVE-2023-0401 CVE-2023-0286 CVE-2023-0217 CVE-2023-0216 CVE-2023-0215 CVE-2022-4450 CVE-2022-4304 CVE-2022-4203 CVE-2022-3996
---
 openssl.spec | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/openssl.spec b/openssl.spec
index ede27bd..84fad05 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name: openssl
-Version: 3.0.7
-Release: 2
+Version: 3.0.8
+Release: 1
 License: Apache v2.0
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: 545478ce41b96bf3beacb4dc58b36c77
+# Source0-md5: 61e017cf4fea1b599048f621f1490fbd
 Source2: %{name}.1.pl
 Source3: %{name}-ssl-certificate.sh
 Source4: %{name}-c_rehash.sh
-- 2.43.0
From a4b7076dbe6a5a551f56278041bd53953d189919 Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Tue, 14 Mar 2023 23:48:30 +0100
Subject: [PATCH 06/16] up to 3.1.0
---
 openssl.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openssl.spec b/openssl.spec
index 84fad05..a769705 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name: openssl
-Version: 3.0.8
+Version: 3.1.0
 Release: 1
 License: Apache v2.0
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: 61e017cf4fea1b599048f621f1490fbd
+# Source0-md5: f6c520aa2206d4d1fa71ea30b5e9a56d
 Source2: %{name}.1.pl
 Source3: %{name}-ssl-certificate.sh
 Source4: %{name}-c_rehash.sh
-- 2.43.0
From 71ef81bf9b4409c8e3d803c67eb8f33e2fba7106 Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Wed, 24 May 2023 17:30:39 +0200
Subject: [PATCH 07/16] make -devel depend on %{?_isa} variant of openssl
---
 openssl.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openssl.spec b/openssl.spec
index a769705..c8a5f11 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -144,7 +144,7 @@ Summary(pt_BR.UTF-8): Bibliotecas e arquivos de inclusão para desenvolvimento O Summary(ru.UTF-8): Библиотеки, хедеры и утилиты для Secure Sockets Layer Summary(uk.UTF-8): Бібліотеки, хедери та утиліти для Secure Sockets Layer Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} Obsoletes: libopenssl0-devel < 1 %description devel -- 2.43.0 From 41645ace58ffa55d71e7676fc440fa3cedb0a5ce Mon Sep 17 00:00:00 2001 From: Jan Palus Date: Tue, 30 May 2023 18:04:38 +0200 Subject: [PATCH 08/16] up to 3.1.1 (security fixes) fixes: CVE-2023-2650 CVE-2023-1255 CVE-2023-0466 CVE-2023-0465 CVE-2023-0464 --- openssl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl.spec b/openssl.spec index c8a5f11..98fca96 100644 --- a/openssl.spec +++ b/openssl.spec @@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer Name: openssl -Version: 3.1.0 +Version: 3.1.1 Release: 1 License: Apache v2.0 Group: Libraries Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz -# Source0-md5: f6c520aa2206d4d1fa71ea30b5e9a56d +# Source0-md5: 1864b75e31fb4a6e0a07fd832529add3 Source2: %{name}.1.pl Source3: %{name}-ssl-certificate.sh Source4: %{name}-c_rehash.sh -- 2.43.0 From 0758b14e8010efc28a912cff32aa85db2f779740 Mon Sep 17 00:00:00 2001 From: Jan Palus Date: Tue, 1 Aug 2023 21:08:56 +0200 Subject: [PATCH 09/16] up to 3.1.2 (fixes CVE-2023-3817 CVE-2023-3446 CVE-2023-2975) --- openssl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl.spec b/openssl.spec index 98fca96..c2b8e32 100644 --- a/openssl.spec +++ b/openssl.spec 
@@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name: openssl
-Version: 3.1.1
+Version: 3.1.2
 Release: 1
 License: Apache v2.0
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: 1864b75e31fb4a6e0a07fd832529add3
+# Source0-md5: 1d7861f969505e67b8677e205afd9ff4
 Source2: %{name}.1.pl
 Source3: %{name}-ssl-certificate.sh
 Source4: %{name}-c_rehash.sh
-- 2.43.0
From 3e92f7dcbf1b0b7da54a317dac7c70628c9783ec Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Thu, 5 Oct 2023 19:51:23 +0200
Subject: [PATCH 10/16] Up to 3.1.3 (windows only fixes)
---
 openssl.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openssl.spec b/openssl.spec
index c2b8e32..2e5a756 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name: openssl
-Version: 3.1.2
+Version: 3.1.3
 Release: 1
 License: Apache v2.0
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: 1d7861f969505e67b8677e205afd9ff4
+# Source0-md5: ece430df6d3158913df0950cc70ea2b2
 Source2: %{name}.1.pl
 Source3: %{name}-ssl-certificate.sh
 Source4: %{name}-c_rehash.sh
-- 2.43.0
From 0599cb225119181c0e409e0245c65ede5526a1f1 Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Tue, 24 Oct 2023 16:21:31 +0200
Subject: [PATCH 11/16] up to 3.1.4 (fixes CVE-2023-5363)
---
 openssl.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openssl.spec b/openssl.spec
index 2e5a756..dcc3d8c 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer Name: openssl -Version: 3.1.3 +Version: 3.1.4 Release: 1 License: Apache v2.0 Group: Libraries Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz -# Source0-md5: ece430df6d3158913df0950cc70ea2b2 +# Source0-md5: 653ad58812c751b887e8ec37e02bba70 Source2: %{name}.1.pl Source3: %{name}-ssl-certificate.sh Source4: %{name}-c_rehash.sh -- 2.43.0 From b0eec0c54404b97f981b08068587b606f3fdca45 Mon Sep 17 00:00:00 2001 From: Jan Palus Date: Tue, 24 Oct 2023 23:29:42 +0200 Subject: [PATCH 12/16] make -tools depend on %{?_isa} variant of openssl --- openssl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl.spec b/openssl.spec index dcc3d8c..72f8027 100644 --- a/openssl.spec +++ b/openssl.spec @@ -113,7 +113,7 @@ RC4, RSA и SSL. Summary: OpenSSL command line tool and utilities Summary(pl.UTF-8): Zestaw narzędzi i skryptów Group: Applications/Communications -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} Requires: which %description tools -- 2.43.0 From d1568a7cadb8d940f37544df4b0c7d255b164ca4 Mon Sep 17 00:00:00 2001 From: Jan Palus Date: Thu, 23 Nov 2023 16:22:29 +0100 Subject: [PATCH 13/16] up to 3.2.0 --- openssl-ca-certificates.patch | 4 ++-- openssl.spec | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/openssl-ca-certificates.patch b/openssl-ca-certificates.patch index 1afdbfb..67bad3f 100644 --- a/openssl-ca-certificates.patch +++ b/openssl-ca-certificates.patch 
@@ -1,5 +1,5 @@
---- openssl-1.1.1/include/internal/cryptlib.h~ 2018-09-11 14:48:23.000000000 +0200
-+++ openssl-1.1.1/include/internal/cryptlib.h 2018-09-11 22:14:32.008012409 +0200
+--- openssl-1.1.1/include/internal/common.h~ 2018-09-11 14:48:23.000000000 +0200
++++ openssl-1.1.1/include/internal/common.h 2018-09-11 22:14:32.008012409 +0200
 @@ -56,7 +56,7 @@ DEFINE_LHASH_OF(MEM);
 # ifndef OPENSSL_SYS_VMS
 # define X509_CERT_AREA OPENSSLDIR
diff --git a/openssl.spec b/openssl.spec
index 72f8027..2fc3026 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name: openssl
-Version: 3.1.4
+Version: 3.2.0
 Release: 1
 License: Apache v2.0
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: 653ad58812c751b887e8ec37e02bba70
+# Source0-md5: 7903549a14abebc5c323ce4e85f2cbb2
 Source2: %{name}.1.pl
 Source3: %{name}-ssl-certificate.sh
 Source4: %{name}-c_rehash.sh
@@ -31,6 +31,7 @@ URL: http://www.openssl.org/
 %ifarch %{arm} ppc mips sparc sparcv9
 BuildRequires: libatomic-devel
 %endif
+BuildRequires: libbrotli-devel
 BuildRequires: libsctp-devel
 BuildRequires: linux-libc-headers >= 7:4.13
 BuildRequires: perl-devel >= 1:5.10.0
@@ -39,6 +40,7 @@ BuildRequires: rpm-perlprov >= 4.1-13
 BuildRequires: rpmbuild(macros) >= 1.745
 BuildRequires: sed >= 4.0
 BuildRequires: zlib-devel
+BuildRequires: zstd-devel
 Requires: ca-certificates >= 20141019-3
 Requires: rpm-whiteout >= 1.7
 Obsoletes: SSLeay < 0.9.3
@@ -227,6 +229,7 @@ PERL="%{__perl}" \
 threads \
 %{?with_sslv3:enable-ssl3}%{!?with_sslv3:no-ssl3} \
 %{!?with_zlib:no-}zlib \
+ enable-brotli \
 enable-cms \
 enable-idea \
 enable-md2 \
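Review bot: `enable-brotli` here and `enable-zstd` in the next hunk (`@@ -238,6 +241,7 @@`) are passed unconditionally, while the zlib line directly above them stays behind a bcond, so the package can no longer be built without the two new compression libraries. Both options add decompressors that libssl/libcrypto can run on data coming from the peer (OpenSSL 3.2 uses them for TLS certificate compression, as far as I can tell), and without the `-dynamic` variants the libraries are presumably linked into every process that loads OpenSSL. I would follow the pattern the ssl3 line already uses, `%{?with_brotli:enable-brotli}%{!?with_brotli:no-brotli} \` and `%{?with_zstd:enable-zstd}%{!?with_zstd:no-zstd} \`, with matching `%bcond_without` declarations and the two new `BuildRequires` made conditional, and consider `enable-brotli-dynamic` / `enable-zstd-dynamic`. The configure invocation starts before and continues past this hunk, so the rest of the option list is not visible here.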
@@ -238,6 +241,7 @@ PERL="%{__perl}" \
 enable-camellia \
 enable-ktls \
 enable-fips \
+ enable-zstd \
 %ifarch %{x8664}
 enable-ec_nistp_64_gcc_128 \
 %endif
-- 2.43.0
From 06001b82e4b63b31c2590e7df19f2c8ad416c3aa Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Wed, 6 Dec 2023 12:45:49 +0100
Subject: [PATCH 14/16] upstream duplicate symbols test fix fixes: https://github.com/openssl/openssl/issues/22837 from: https://github.com/openssl/openssl/pull/22880
---
 duplicate-symbols-test.patch | 136 +++++++++++++++++++++++++++++++++++
 openssl.spec | 2 +
 2 files changed, 138 insertions(+)
 create mode 100644 duplicate-symbols-test.patch
diff --git a/duplicate-symbols-test.patch b/duplicate-symbols-test.patch
new file mode 100644
index 0000000..db8a316
--- /dev/null
+++ b/duplicate-symbols-test.patch
@@ -0,0 +1,136 @@ +From 38cf48b3044749fd5b37e36e5d9b2dc9fe7056ff Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Thu, 30 Nov 2023 08:48:33 +0100 +Subject: [PATCH 1/3] test/recipes/01-test_symbol_presence.t: Ignore symbols + starting with '__' + +On some platforms, the compiler may add symbols that aren't ours and that we +should ignore. + +They are generally expected to start with a double underscore, and thereby +easy to detect. + +Fixes #22869 (partially) +--- + test/recipes/01-test_symbol_presence.t | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +index 9efa9f8d2d6eb..66e5669e193c7 100644 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -124,7 +124,13 @@ foreach (sort keys %stlibname) { + # Return the result + $_ + } +- grep(m|.* [BCDST] .*|, @$_); ++ # Drop any symbol starting with a double underscore, they ++ # are reserved for the compiler / system ABI and are none ++ # of our business ++ grep !m|^__|, ++ # Only look at external definitions ++ grep m|.* [BCDST] .*|, ++ @$_ ), + } + + # Massage the mkdef.pl output to only contain global symbols + +From feead62eb7873c6a8a95e75ad5ca3ac7b9ed8bcd Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Thu, 30 Nov 2023 09:02:25 +0100 +Subject: [PATCH 2/3] test/recipes/01-test_symbol_presence.t: Treat common + symbols specially + +Common symbols (type 'C' in the 'nm' output) are allowed to be defined more +than once. This makes test/recipes/01-test_symbol_presence.t reflect that. 
+ +Fixes #22869 (partially) +Fixes #22837 +--- + test/recipes/01-test_symbol_presence.t | 45 +++++++++++++++++--------- + 1 file changed, 30 insertions(+), 15 deletions(-) + +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +index 66e5669e193c7..cd3ac48bae5e7 100644 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -114,23 +114,38 @@ foreach (sort keys %stlibname) { + my @arrays = ( \@stlib_lines ); + push @arrays, \@shlib_lines unless disabled('shared'); + foreach (@arrays) { ++ my %commons; ++ foreach (@$_) { ++ if (m|^(.*) C .*|) { ++ $commons{$1}++; ++ } ++ } ++ foreach (sort keys %commons) { ++ note "Common symbol: $_"; ++ } ++ + @$_ = + sort +- map { +- # Drop the first space and everything following it +- s| .*||; +- # Drop OpenSSL dynamic version information if there is any +- s|\@\@.+$||; +- # Return the result +- $_ +- } +- # Drop any symbol starting with a double underscore, they +- # are reserved for the compiler / system ABI and are none +- # of our business +- grep !m|^__|, +- # Only look at external definitions +- grep m|.* [BCDST] .*|, +- @$_ ), ++ ( map { ++ # Drop the first space and everything following it ++ s| .*||; ++ # Drop OpenSSL dynamic version information if there is any ++ s|\@\@.+$||; ++ # Drop any symbol starting with a double underscore, they ++ # are reserved for the compiler / system ABI and are none ++ # of our business ++ s|^__||; ++ # Return the result ++ $_ ++ } ++ # Drop any symbol starting with a double underscore, they ++ # are reserved for the compiler / system ABI and are none ++ # of our business ++ grep !m|^__|, ++ # Only look at external definitions ++ grep m|.* [BDST] .*|, ++ @$_ ), ++ keys %commons; + } + + # Massage the mkdef.pl output to only contain global symbols + +From 1055cefa6718167759e51165324b10345f8e7a99 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Thu, 30 Nov 2023 10:09:41 +0100 +Subject: [PATCH 3/3] fixup! 
test/recipes/01-test_symbol_presence.t: Treat + common symbols specially + +--- + test/recipes/01-test_symbol_presence.t | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +index cd3ac48bae5e7..222b1886aec01 100644 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -131,10 +131,6 @@ foreach (sort keys %stlibname) { + s| .*||; + # Drop OpenSSL dynamic version information if there is any + s|\@\@.+$||; +- # Drop any symbol starting with a double underscore, they +- # are reserved for the compiler / system ABI and are none +- # of our business +- s|^__||; + # Return the result + $_ + } diff --git a/openssl.spec b/openssl.spec index 2fc3026..e46913b 100644 --- a/openssl.spec +++ b/openssl.spec @@ -27,6 +27,7 @@ Patch1: %{name}-ca-certificates.patch Patch2: %{name}-find.patch Patch3: pic.patch Patch4: engines-dir.patch +Patch5: duplicate-symbols-test.patch URL: http://www.openssl.org/ %ifarch %{arm} ppc mips sparc sparcv9 BuildRequires: libatomic-devel @@ -212,6 +213,7 @@ RC4, RSA и SSL. Включает статические библиотеки д %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # fails with enable-sctp as of 1.1.1 %{__rm} test/recipes/80-test_ssl_new.t -- 2.43.0 From da3da8833f0d66b5d42be2fea3807d6d6a5868dd Mon Sep 17 00:00:00 2001 From: Jan Palus Date: Tue, 30 Jan 2024 16:01:39 +0100 Subject: [PATCH 15/16] up to 3.2.1 (fixes CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678) --- duplicate-symbols-test.patch | 136 ----------------------------------- openssl.spec | 6 +- 2 files changed, 2 insertions(+), 140 deletions(-) delete mode 100644 duplicate-symbols-test.patch diff --git a/duplicate-symbols-test.patch b/duplicate-symbols-test.patch deleted file mode 100644 index db8a316..0000000 --- a/duplicate-symbols-test.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 38cf48b3044749fd5b37e36e5d9b2dc9fe7056ff Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Thu, 30 Nov 2023 08:48:33 +0100 -Subject: [PATCH 1/3] test/recipes/01-test_symbol_presence.t: Ignore symbols - starting with '__' - -On some platforms, the compiler may add symbols that aren't ours and that we -should ignore. - -They are generally expected to start with a double underscore, and thereby -easy to detect. - -Fixes #22869 (partially) ---- - test/recipes/01-test_symbol_presence.t | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t -index 9efa9f8d2d6eb..66e5669e193c7 100644 ---- a/test/recipes/01-test_symbol_presence.t -+++ b/test/recipes/01-test_symbol_presence.t -@@ -124,7 +124,13 @@ foreach (sort keys %stlibname) { - # Return the result - $_ - } -- grep(m|.* [BCDST] .*|, @$_); -+ # Drop any symbol starting with a double underscore, they -+ # are reserved for the compiler / system ABI and are none -+ # of our business -+ grep !m|^__|, -+ # Only look at external definitions -+ grep m|.* [BCDST] .*|, -+ @$_ ), - } - - # Massage the mkdef.pl output to only contain global symbols - -From feead62eb7873c6a8a95e75ad5ca3ac7b9ed8bcd Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Thu, 30 Nov 2023 09:02:25 +0100 -Subject: [PATCH 2/3] test/recipes/01-test_symbol_presence.t: Treat common - symbols specially - -Common symbols (type 'C' in the 'nm' output) are allowed to be defined more -than once. This makes test/recipes/01-test_symbol_presence.t reflect that. 
- -Fixes #22869 (partially) -Fixes #22837 ---- - test/recipes/01-test_symbol_presence.t | 45 +++++++++++++++++--------- - 1 file changed, 30 insertions(+), 15 deletions(-) - -diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t -index 66e5669e193c7..cd3ac48bae5e7 100644 ---- a/test/recipes/01-test_symbol_presence.t -+++ b/test/recipes/01-test_symbol_presence.t -@@ -114,23 +114,38 @@ foreach (sort keys %stlibname) { - my @arrays = ( \@stlib_lines ); - push @arrays, \@shlib_lines unless disabled('shared'); - foreach (@arrays) { -+ my %commons; -+ foreach (@$_) { -+ if (m|^(.*) C .*|) { -+ $commons{$1}++; -+ } -+ } -+ foreach (sort keys %commons) { -+ note "Common symbol: $_"; -+ } -+ - @$_ = - sort -- map { -- # Drop the first space and everything following it -- s| .*||; -- # Drop OpenSSL dynamic version information if there is any -- s|\@\@.+$||; -- # Return the result -- $_ -- } -- # Drop any symbol starting with a double underscore, they -- # are reserved for the compiler / system ABI and are none -- # of our business -- grep !m|^__|, -- # Only look at external definitions -- grep m|.* [BCDST] .*|, -- @$_ ), -+ ( map { -+ # Drop the first space and everything following it -+ s| .*||; -+ # Drop OpenSSL dynamic version information if there is any -+ s|\@\@.+$||; -+ # Drop any symbol starting with a double underscore, they -+ # are reserved for the compiler / system ABI and are none -+ # of our business -+ s|^__||; -+ # Return the result -+ $_ -+ } -+ # Drop any symbol starting with a double underscore, they -+ # are reserved for the compiler / system ABI and are none -+ # of our business -+ grep !m|^__|, -+ # Only look at external definitions -+ grep m|.* [BDST] .*|, -+ @$_ ), -+ keys %commons; - } - - # Massage the mkdef.pl output to only contain global symbols - -From 1055cefa6718167759e51165324b10345f8e7a99 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Thu, 30 Nov 2023 10:09:41 +0100 -Subject: [PATCH 3/3] fixup! 
test/recipes/01-test_symbol_presence.t: Treat - common symbols specially - ---- - test/recipes/01-test_symbol_presence.t | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t -index cd3ac48bae5e7..222b1886aec01 100644 ---- a/test/recipes/01-test_symbol_presence.t -+++ b/test/recipes/01-test_symbol_presence.t -@@ -131,10 +131,6 @@ foreach (sort keys %stlibname) { - s| .*||; - # Drop OpenSSL dynamic version information if there is any - s|\@\@.+$||; -- # Drop any symbol starting with a double underscore, they -- # are reserved for the compiler / system ABI and are none -- # of our business -- s|^__||; - # Return the result - $_ - } diff --git a/openssl.spec b/openssl.spec index e46913b..ad932d9 100644 --- a/openssl.spec +++ b/openssl.spec @@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer Name: openssl -Version: 3.2.0 +Version: 3.2.1 Release: 1 License: Apache v2.0 Group: Libraries Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz -# Source0-md5: 7903549a14abebc5c323ce4e85f2cbb2 +# Source0-md5: c239213887804ba00654884918b37441 Source2: %{name}.1.pl Source3: %{name}-ssl-certificate.sh Source4: %{name}-c_rehash.sh @@ -27,7 +27,6 @@ Patch1: %{name}-ca-certificates.patch Patch2: %{name}-find.patch Patch3: pic.patch Patch4: engines-dir.patch -Patch5: duplicate-symbols-test.patch URL: http://www.openssl.org/ %ifarch %{arm} ppc mips sparc sparcv9 BuildRequires: libatomic-devel @@ -213,7 +212,6 @@ RC4, RSA и SSL. Включает статические библиотеки д %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 # fails with enable-sctp as of 1.1.1 %{__rm} test/recipes/80-test_ssl_new.t -- 2.43.0 From d48564fb1c098ef680401cfd89c76ac93a5a095c Mon Sep 17 00:00:00 2001 
From: Jan Palus Date: Wed, 10 Apr 2024 00:40:11 +0200 Subject: [PATCH 16/16] up to 3.3.0 (fixes CVE-2024-2511) --- engines-dir.patch | 11 ----------- openssl.spec | 5 +++-- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/engines-dir.patch b/engines-dir.patch index 513e877..29d83ee 100644 --- a/engines-dir.patch +++ b/engines-dir.patch @@ -11,14 +11,3 @@ # Convenience variable for those who want to set the rpath in shared # libraries and applications -@@ -1399,8 +1399,8 @@ libcrypto.pc: - echo 'libdir=$(libdir)'; \ - fi; \ - echo 'includedir=$${prefix}/include'; \ -- echo 'enginesdir=$${libdir}/engines-{- $sover_dirname -}'; \ -- echo 'modulesdir=$${libdir}/ossl-modules'; \ -+ echo 'enginesdir=/$(LIBDIR)/engines-{- $sover_dirname -}'; \ -+ echo 'modulesdir=/$(LIBDIR)/ossl-modules'; \ - echo ''; \ - echo 'Name: OpenSSL-libcrypto'; \ - echo 'Description: OpenSSL cryptography library'; \ diff --git a/openssl.spec b/openssl.spec index ad932d9..424e865 100644 --- a/openssl.spec +++ b/openssl.spec @@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer Name: openssl -Version: 3.2.1 +Version: 3.3.0 Release: 1 License: Apache v2.0 Group: Libraries Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz -# Source0-md5: c239213887804ba00654884918b37441 +# Source0-md5: c8b063afbea85d867e161ecb8816cfa9 Source2: %{name}.1.pl Source3: %{name}-ssl-certificate.sh Source4: %{name}-c_rehash.sh @@ -451,6 +451,7 @@ fi %attr(755,root,root) %{_libdir}/libcrypto.so %attr(755,root,root) %{_libdir}/libssl.so %{_includedir}/%{name} +%{_libdir}/cmake/OpenSSL %{_pkgconfigdir}/libcrypto.pc %{_pkgconfigdir}/libssl.pc %{_pkgconfigdir}/openssl.pc -- 2.43.0