[ol7_developer_EPEL] openssl11-devel-1:1.1.1k-7.el7.x86_64

OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.

Changelog (Show File list) (Show related packages)

• Wed Jan 24 2024 Robert Scheck <robert@fedoraproject.org> 1.1.1k-7

  - backport from 1.1.1k-12: Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
    (a proper fix for CVE-2020-25659). Resolves: RHEL-17696

• Sat Nov 25 2023 Robert Scheck <robert@fedoraproject.org> 1.1.1k-6

  - backport from 1.1.1k-11: Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
    excessively long X9.42 DH keys or parameters may be very slow
    Resolves: RHEL-16538
  - backport from 1.1.1k-10: Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
    Resolves: RHEL-14245
  - backport from 1.1.1k-10: Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
    Resolves: RHEL-14239

• Sun Feb 19 2023 Robert Scheck <robert@fedoraproject.org> 1.1.1k-5

  - backport from 1.1.1k-9: Fixed Timing Oracle in RSA Decryption
    Resolves: CVE-2022-4304
  - backport from 1.1.1k-9: Fixed Double free after calling PEM_read_bio_ex
    Resolves: CVE-2022-4450
  - backport from 1.1.1k-9: Fixed Use-after-free following BIO_new_NDEF
    Resolves: CVE-2023-0215
  - backport from 1.1.1k-9: Fixed X.400 address type confusion in X.509 GeneralName
    Resolves: CVE-2023-0286
  - backport from 1.1.1k-8: Fix no-ec build
    Resolves: rhbz#2071020

• Fri Jul 22 2022 Robert Scheck <robert@fedoraproject.org> 1.1.1k-4

  - backport from 1.1.1k-7: CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
    Resolves: CVE-2022-2097
  - backport from 1.1.1k-7: Update expired certificates used in the testsuite
    Resolves: rhbz#2092462
  - backport from 1.1.1k-7: CVE-2022-1292: openssl: c_rehash script allows command injection
    Resolves: rhbz#2090372
  - backport from 1.1.1k-7: CVE-2022-2068: the c_rehash script allows command injection
    Resolves: rhbz#2098279

• Mon Mar 28 2022 Robert Scheck <robert@fedoraproject.org> 1.1.1k-3

  - backport from 1.1.1k-6: CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
    Resolves: rhbz#2067146

• Wed Nov 17 2021 Robert Scheck <robert@fedoraproject.org> 1.1.1k-2

  - backport from 1.1.1k-5: CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
    Resolves: rhbz#2005402

• Tue Nov 09 2021 Robert Scheck <robert@fedoraproject.org> 1.1.1k-1

  - backport from 1.1.1k-4: Fixes bugs in s390x AES code
  - backport from 1.1.1k-4: Uses the first detected address family if IPv6 is not available
  - backport from 1.1.1k-4: Reverts the changes in https://github.com/openssl/openssl/pull/13305
    as it introduces a regression if server has a DSA key pair, the handshake fails
    when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted,
    it has an effect on the "ssl_reject_handshake" feature in nginx. Although, this feature
    will continue to work, TLS 1.3 protocol becomes unavailable/disabled. This is already
    known - https://trac.nginx.org/nginx/ticket/2071#comment:1
    As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx could
    early callback instead of servername callback. Resolves: rhbz#197821, related: rhbz#1934534
  - backport from 1.1.1k-3: Cleansup the peer point formats on renegotiation. Resolves rhbz#1965362
  - backport from 1.1.1k-2: Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085
  - backport from 1.1.1k-2: Using safe primes for FIPS DH self-test
  - backport from 1.1.1k-1: Update to version 1.1.1k
  - backport from 1.1.1g-16: Use AI_ADDRCONFIG only when explicit host name is given
  - backport from 1.1.1g-16: Allow only curves defined in RFC 8446 in TLS 1.3

• Mon Mar 29 2021 Robert Scheck <robert@fedoraproject.org> 1.1.1g-3

  - backport from 1.1.1g-15: version bump
  - backport from 1.1.1g-14: CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT
  - backport from 1.1.1g-13: Fix CVE-2021-3449 NULL pointer deref in signature_algorithms processing

• Wed Dec 16 2020 Robert Scheck <robert@fedoraproject.org> 1.1.1g-2

  - backport from 1.1.1g-12: Fix CVE-2020-1971 ediparty null pointer dereference
  - backport from 1.1.1g-11.1: Implemented new FIPS requirements in regards to KDF and DH selftests
  - backport from 1.1.1g-11.1: Disallow certificates with explicit EC parameters

• Fri Nov 13 2020 Robert Scheck <robert@fedoraproject.org> 1.1.1g-1

  - backport from 1.1.1g-11: Further changes for SP 800-56A rev3 requirements
  - backport from 1.1.1g-9: Rewire FIPS_drbg API to use the RAND_DRBG
  - backport from 1.1.1g-9: Use the well known DH groups in TLS even for 2048 and 1024 bit parameters
  - backport from 1.1.1g-7: Disallow dropping Extended Master Secret extension on renegotiation
  - backport from 1.1.1g-7: Return alert from s_server if ALPN protocol does not match
  - backport from 1.1.1g-7: SHA1 is allowed in @SECLEVEL=2 only if allowed by TLS SigAlgs configuration
  - backport from 1.1.1g-6: Add FIPS selftest for PBKDF2 and KBKDF
  - backport from 1.1.1g-5: Allow only well known DH groups in the FIPS mode
  - backport from 1.1.1g-1: update to the 1.1.1g release
  - backport from 1.1.1g-1: FIPS module installed state definition is modified