Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

openssl-libs-3.2.1-1.el9 RPM for x86_64

From CentOS Stream 9 BaseOS for x86_64

Name: openssl-libs Distribution: CentOS
Version: 3.2.1 Vendor: CentOS
Release: 1.el9 Build date: Mon Apr 15 17:09:26 2024
Group: Unspecified Build host: x86-04.stream.rdu2.redhat.com
Size: 8779002 Source RPM: openssl-3.2.1-1.el9.src.rpm
Packager: [email protected]
Url: http://www.openssl.org/
Summary: A general purpose cryptography library with TLS implementation
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
package contains the libraries that are used by various applications which
support cryptographic algorithms and protocols.

Provides

Requires

License

ASL 2.0

Changelog

* Wed Apr 03 2024 Dmitry Belyavskiy <[email protected]> - 1:3.2.1-1
  - Rebasing OpenSSL to 3.2.1
    Resolves: RHEL-26271
* Wed Feb 21 2024 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-27
  - Use certified FIPS module instead of freshly built one in Red Hat distribution
    Related: RHEL-23474
* Tue Nov 21 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-26
  - Avoid implicit function declaration when building openssl
    Related: RHEL-1780
  - In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails
    Resolves: RHEL-17104
  - Add a directory for OpenSSL providers configuration
    Resolves: RHEL-17193
  - Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context
    Resolves: RHEL-19515
  - POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
    Resolves: RHEL-21151
  - Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
    Resolves: RHEL-21654
  - SSL ECDHE Kex fails when pkcs11 engine is set in config file
    Resolves: RHEL-20249
  - Denial of service via null dereference in PKCS#12
    Resolves: RHEL-22486
  - Use certified FIPS module instead of freshly built one in Red Hat distribution
    Resolves: RHEL-23474
* Mon Oct 16 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-25
  - Provide relevant diagnostics when FIPS checksum is corrupted
    Resolves: RHEL-5317
  - Don't limit using SHA1 in KDFs in non-FIPS mode.
    Resolves: RHEL-5295
  - Provide empty evp_properties section in main OpenSSL configuration file
    Resolves: RHEL-11439
  - Avoid implicit function declaration when building openssl
    Resolves: RHEL-1780
  - Forbid explicit curves when created via EVP_PKEY_fromdata
    Resolves: RHEL-5304
  - AES-SIV cipher implementation contains a bug that causes it to ignore empty
    associated data entries (CVE-2023-2975)
    Resolves: RHEL-5302
  - Excessive time spent checking DH keys and parameters (CVE-2023-3446)
    Resolves: RHEL-5306
  - Excessive time spent checking DH q parameter value (CVE-2023-3817)
    Resolves: RHEL-5308
  - Fix incorrect cipher key and IV length processing (CVE-2023-5363)
    Resolves: RHEL-13251
  - Switch explicit FIPS indicator for RSA-OAEP to approved following
    clarification with CMVP
    Resolves: RHEL-14083
  - Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
    Resolves: RHEL-14083
  - Add missing ECDH Public Key Check in FIPS mode
    Resolves: RHEL-15990
  - Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678)
    Resolves: RHEL-15954
* Wed Jul 12 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-24
  - Make FIPS module configuration more crypto-policies friendly
    Related: rhbz#2216256
* Tue Jul 11 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-23
  - Add a workaround for lack of EMS in FIPS mode
    Resolves: rhbz#2216256
* Thu Jul 06 2023 Sahana Prasad <[email protected]> - 1:3.0.7-22
  - Remove unsupported curves from nist_curves.
    Resolves: rhbz#2069336
* Mon Jun 26 2023 Sahana Prasad <[email protected]> - 1:3.0.7-21
  - Remove the listing of brainpool curves in FIPS mode.
    Related: rhbz#2188180
* Tue May 30 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-20
  - Fix possible DoS translating ASN.1 object identifiers
    Resolves: CVE-2023-2650
  - Release the DRBG in global default libctx early
    Resolves: rhbz#2211340
* Mon May 22 2023 Clemens Lang <[email protected]> - 1:3.0.7-19
  - Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode
    Resolves: rhbz#2169757
* Thu May 18 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-18
  - Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode
    Resolves: rhbz#2160797
* Tue May 09 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-17
  - Enforce using EMS in FIPS mode - better alerts
    Related: rhbz#2157951
* Tue May 02 2023 Sahana Prasad <[email protected]> - 1:3.0.7-16
  - Upload new upstream sources without manually hobbling them.
  - Remove the hobbling script as it is redundant. It is now allowed to ship
    the sources of patented EC curves, however it is still made unavailable to use
    by compiling with the 'no-ec2m' Configure option. The additional forbidden
    curves such as P-160, P-192, wap-tls curves are manually removed by updating
    0011-Remove-EC-curves.patch.
  - Enable Brainpool curves.
  - Apply the changes to ec_curve.c and  ectest.c as a new patch
    0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
  - Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
  - Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
    Resolves: rhbz#2130618, rhbz#2188180
* Fri Apr 28 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-15
  - Backport implicit rejection for RSA PKCS#1 v1.5 encryption
    Resolves: rhbz#2153471
* Fri Apr 21 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-14
  - Input buffer over-read in AES-XTS implementation on 64 bit ARM
    Resolves: rhbz#2188554
* Tue Apr 18 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-13
  - Enforce using EMS in FIPS mode
    Resolves: rhbz#2157951
  - Fix excessive resource usage in verifying X509 policy constraints
    Resolves: rhbz#2186661
  - Fix invalid certificate policies in leaf certificates check
    Resolves: rhbz#2187429
  - Certificate policy check not enabled
    Resolves: rhbz#2187431
  - OpenSSL rsa_verify_recover key length checks in FIPS mode
    Resolves: rhbz#2186819
* Fri Mar 24 2023 Clemens Lang <[email protected]> - 1:3.0.7-12
  - Change explicit FIPS indicator for RSA decryption to unapproved
    Resolves: rhbz#2179379
* Mon Mar 20 2023 Clemens Lang <[email protected]> - 1:3.0.7-11
  - Add missing reference to patchfile to add explicit FIPS indicator to RSA
    encryption and RSASVE and fix the gettable parameter list for the RSA
    asymmetric cipher implementation.
    Resolves: rhbz#2179379
* Fri Mar 17 2023 Clemens Lang <[email protected]> - 1:3.0.7-10
  - Add explicit FIPS indicator to RSA encryption and RSASVE
    Resolves: rhbz#2179379
* Thu Mar 16 2023 Clemens Lang <[email protected]> - 1:3.0.7-9
  - Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
    Resolves: rhbz#2175864
* Thu Mar 16 2023 Clemens Lang <[email protected]> - 1:3.0.7-8
  - Fix Wpointer-sign compiler warning 
    Resolves: rhbz#2178034
* Tue Mar 14 2023 Clemens Lang <[email protected]> - 1:3.0.7-7
  - Add explicit FIPS indicators to key derivation functions
    Resolves: rhbz#2175860 rhbz#2175864
  - Zeroize FIPS module integrity check MAC after check
    Resolves: rhbz#2175873
  - Add explicit FIPS indicator for IV generation in AES-GCM
    Resolves: rhbz#2175868
  - Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant
    salt in PBKDF2 FIPS self-test
    Resolves: rhbz#2178137
  - Limit RSA_NO_PADDING for encryption and signature in FIPS mode
    Resolves: rhbz#2178029
  - Pairwise consistency tests should use Digest+Sign/Verify
    Resolves: rhbz#2178034
  - Forbid DHX keys import in FIPS mode
    Resolves: rhbz#2178030
  - DH PCT should abort on failure
    Resolves: rhbz#2178039
  - Increase RNG seeding buffer size to 32
    Related: rhbz#2168224
* Wed Mar 08 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-6
  - Fixes RNG slowdown in FIPS mode
    Resolves: rhbz#2168224
* Wed Feb 08 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-5
  - Fixed X.509 Name Constraints Read Buffer Overflow
    Resolves: CVE-2022-4203
  - Fixed Timing Oracle in RSA Decryption
    Resolves: CVE-2022-4304
  - Fixed Double free after calling PEM_read_bio_ex
    Resolves: CVE-2022-4450
  - Fixed Use-after-free following BIO_new_NDEF
    Resolves: CVE-2023-0215
  - Fixed Invalid pointer dereference in d2i_PKCS7 functions
    Resolves: CVE-2023-0216
  - Fixed NULL dereference validating DSA public key
    Resolves: CVE-2023-0217
  - Fixed X.400 address type confusion in X.509 GeneralName
    Resolves: CVE-2023-0286
  - Fixed NULL dereference during PKCS7 data verification
    Resolves: CVE-2023-0401
* Wed Jan 11 2023 Clemens Lang <[email protected]> - 1:3.0.7-4
  - Disallow SHAKE in RSA-OAEP decryption in FIPS mode
    Resolves: rhbz#2142121
* Thu Jan 05 2023 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-3
  - Refactor OpenSSL fips module MAC verification
    Resolves: rhbz#2157965
* Thu Nov 24 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-2
  - Various provider-related imrovements necessary for PKCS#11 provider correct operations
    Resolves: rhbz#2142517
  - We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream
    Resolves: rhbz#2133809
  - Removed recommended package for openssl-libs
    Resolves: rhbz#2093804
  - Adjusting include for the FIPS_mode macro
    Resolves: rhbz#2083879
  - Backport of ppc64le Montgomery multiply enhancement
    Resolves: rhbz#2130708
  - Fix explicit indicator for PSS salt length in FIPS mode when used with
    negative magic values
    Resolves: rhbz#2142087
  - Update change to default PSS salt length with patch state from upstream 
    Related: rhbz#2142087
* Tue Nov 22 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.7-1
  - Rebasing to OpenSSL 3.0.7
    Resolves: rhbz#2129063
* Mon Nov 14 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-44
  - SHAKE-128/256 are not allowed with RSA in FIPS mode
    Resolves: rhbz#2144010
  - Avoid memory leaks in TLS
    Resolves: rhbz#2144008
  - FIPS RSA CRT tests must use correct parameters
    Resolves: rhbz#2144006
  - FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC
    Resolves: rhbz#2144017
  - Remove support for X9.31 signature padding in FIPS mode
    Resolves: rhbz#2144015
  - Add explicit indicator for SP 800-108 KDFs with short key lengths
    Resolves: rhbz#2144019
  - Add explicit indicator for HMAC with short key lengths
    Resolves: rhbz#2144000
  - Set minimum password length for PBKDF2 in FIPS mode
    Resolves: rhbz#2144003
  - Add explicit indicator for PSS salt length in FIPS mode
    Resolves: rhbz#2144012
  - Clamp default PSS salt length to digest size for FIPS 186-4 compliance
    Related: rhbz#2144012
  - Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode
    Resolves: rhbz#2145170
* Tue Nov 01 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-43
  - CVE-2022-3602: X.509 Email Address Buffer Overflow
  - CVE-2022-3786: X.509 Email Address Buffer Overflow
    Resolves: CVE-2022-3602
* Wed Oct 26 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-42
  - CVE-2022-3602: X.509 Email Address Buffer Overflow
    Resolves: CVE-2022-3602 (rhbz#2137723)
* Thu Aug 11 2022 Clemens Lang <[email protected]> - 1:3.0.1-41
  - Zeroize public keys as required by FIPS 140-3
    Related: rhbz#2102542
  - Add FIPS indicator for HKDF
    Related: rhbz#2114772
* Fri Aug 05 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-40
  - Deal with DH keys in FIPS mode according FIPS-140-3 requirements
    Related: rhbz#2102536
  - Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements
    Related: rhbz#2102537
  - Use signature for RSA pairwise test according FIPS-140-3 requirements
    Related: rhbz#2102540
  - Reseed all the parent DRBGs in chain on reseeding a DRBG
    Related: rhbz#2102541
* Mon Aug 01 2022 Clemens Lang <[email protected]> - 1:3.0.1-39
  - Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test
  - Use Use digest_sign & digest_verify in FIPS signature self test
  - Use FFDHE2048 in Diffie-Hellman FIPS self-test
    Resolves: rhbz#2102535
* Thu Jul 14 2022 Clemens Lang <[email protected]> - 1:3.0.1-38
  - Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously
    initialized.
    Resolves: rhbz#2103289
  - Improve AES-GCM performance on Power9 and Power10 ppc64le
    Resolves: rhbz#2051312
  - Improve ChaCha20 performance on Power10 ppc64le
    Resolves: rhbz#2051312
* Tue Jul 05 2022 Clemens Lang <[email protected]> - 1:3.0.1-37
  - CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
    Resolves: CVE-2022-2097
* Thu Jun 16 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-36
  - Ciphersuites with RSAPSK KX should be filterd in FIPS mode
  - Related: rhbz#2085088
  - FIPS provider should block RSA encryption for key transport.
  - Other RSA encryption options should still be available if key length is enough
  - Related: rhbz#2053289
  - Improve diagnostics when passing unsupported groups in TLS
  - Related: rhbz#2070197
  - Fix PPC64 Montgomery multiplication bug
  - Related: rhbz#2098199
  - Strict certificates validation shouldn't allow explicit EC parameters
  - Related: rhbz#2058663
  - CVE-2022-2068: the c_rehash script allows command injection
  - Related: rhbz#2098277
* Wed Jun 08 2022 Clemens Lang <[email protected]> - 1:3.0.1-35
  - Add explicit indicators for signatures in FIPS mode and mark signature
    primitives as unapproved.
    Resolves: rhbz#2087147
* Fri Jun 03 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-34
  - Some OpenSSL test certificates are expired, updating
  - Resolves: rhbz#2092456
* Thu May 26 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-33
  - CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
  - Resolves: rhbz#2089444
  - CVE-2022-1343 openssl: Signer certificate verification returned
    inaccurate response when using OCSP_NOCHECKS
  - Resolves: rhbz#2087911
  - CVE-2022-1292 openssl: c_rehash script allows command injection
  - Resolves: rhbz#2090362
  - Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode"
    Related: rhbz#2087147
  - Use KAT for ECDSA signature tests, s390 arch
  - Resolves: rhbz#2069235
* Thu May 19 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-32
  - `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
  - Resolves: rhbz#2083240
  - Ciphersuites with RSA KX should be filterd in FIPS mode
  - Related: rhbz#2085088
  - In FIPS mode, signature verification works with keys of arbitrary size
    above 2048 bit, and only with 1024, 1280, 1536, 1792 bits for keys
    below 2048 bits
  - Resolves: rhbz#2077884
* Wed May 18 2022 Clemens Lang <[email protected]> - 1:3.0.1-31
  - Disable SHA-1 signature verification in FIPS mode
  - Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode
    Resolves: rhbz#2087147
* Mon May 16 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-30
  - Use KAT for ECDSA signature tests
  - Resolves: rhbz#2069235
* Thu May 12 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-29
  - `-config` argument of openssl app should work properly in FIPS mode
  - Resolves: rhbz#2083274
  - openssl req defaults on PKCS#8 encryption changed to AES-256-CBC
  - Resolves: rhbz#2063947
* Fri May 06 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-28
  - OpenSSL should not accept custom elliptic curve parameters
  - Resolves rhbz#2066412
  - OpenSSL should not accept explicit curve parameters in FIPS mode
  - Resolves rhbz#2058663
* Fri May 06 2022 Clemens Lang <[email protected]> - 1:3.0.1-27
  - Change FIPS module version to include hash of specfile, patches and sources
    Resolves: rhbz#2070550
* Thu May 05 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-26
  - OpenSSL FIPS module should not build in non-approved algorithms
  - Resolves: rhbz#2081378
* Mon May 02 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-25
  - FIPS provider should block RSA encryption for key transport.
  - Other RSA encryption options should still be available
  - Resolves: rhbz#2053289
* Thu Apr 28 2022 Clemens Lang <[email protected]> - 1:3.0.1-24
  - Fix regression in evp_pkey_name2type caused by tr_TR locale fix
    Resolves: rhbz#2071631
* Wed Apr 20 2022 Dmitry Belyavskiy <[email protected]> - 1:3.0.1-23
  - Fix openssl curl error with LANG=tr_TR.utf8
  - Resolves: rhbz#2071631

Files

/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/ct_log_list.cnf
/etc/pki/tls/fips_local.cnf
/etc/pki/tls/misc
/etc/pki/tls/openssl.cnf
/etc/pki/tls/openssl.d
/etc/pki/tls/private
/usr/lib/.build-id
/usr/lib/.build-id/0f
/usr/lib/.build-id/0f/234d68bd26f9780d9f1d12f39c77581a292c7f
/usr/lib/.build-id/34
/usr/lib/.build-id/34/43143200c1df7a6c834293fb36911a12edc241
/usr/lib/.build-id/50
/usr/lib/.build-id/50/c25778ed958af791f713f776b42edda582625f
/usr/lib/.build-id/6b
/usr/lib/.build-id/6b/fae0eba620566353110a7a56aaf191ff82731c
/usr/lib/.build-id/9e
/usr/lib/.build-id/9e/8aab8733edddc5955d1e5ba98e845cf502b292
/usr/lib/.build-id/ae
/usr/lib/.build-id/ae/88364685adb614960000d3dd9c0e7552ecf591
/usr/lib/.build-id/c7
/usr/lib/.build-id/c7/dc537363d5c38dde12d2a0c9ea0dad67553f75
/usr/lib/.build-id/db
/usr/lib/.build-id/db/540dafd70769ec3386cc848ce52d30d3988c4a
/usr/lib64/engines-3
/usr/lib64/engines-3/afalg.so
/usr/lib64/engines-3/capi.so
/usr/lib64/engines-3/loader_attic.so
/usr/lib64/engines-3/padlock.so
/usr/lib64/libcrypto.so.3
/usr/lib64/libcrypto.so.3.2.1
/usr/lib64/libssl.so.3
/usr/lib64/libssl.so.3.2.1
/usr/lib64/ossl-modules
/usr/lib64/ossl-modules/fips.so
/usr/lib64/ossl-modules/legacy.so
/usr/share/licenses/openssl-libs
/usr/share/licenses/openssl-libs/LICENSE.txt


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Nov 26 08:13:19 2024