Fedora EPEL 8 updates-testing report

The following Fedora EPEL 8 Security updates need testing:
 Age  URL
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-99cf4e74b7   putty-0.81-1.el8


The following builds have been pushed to Fedora EPEL 8 updates-testing

    openssl3-3.2.1-1.1.el8
    stow-2.4.0-1.el8

Details about builds:


================================================================================
 openssl3-3.2.1-1.1.el8 (FEDORA-EPEL-2024-b002585dd2)
 Utilities from the general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:

Merge in changes from c9s' openssl to pick up various CVE fixes and other
bugfixes
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 22 2024 Michel Lind <salimma@xxxxxxxxxxxxxxxxx> - 3.2.1-1.1
- Merge c9s openssl changes to pick up CVE fixes
* Wed Apr  3 2024 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.2.1-1
- Rebasing OpenSSL to 3.2.1
  Resolves: RHEL-26271
* Wed Feb 21 2024 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-27
- Use certified FIPS module instead of freshly built one in Red Hat distribution
  Related: RHEL-23474
* Tue Nov 21 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-26
- Avoid implicit function declaration when building openssl
  Related: RHEL-1780
- In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails
  Resolves: RHEL-17104
- Add a directory for OpenSSL providers configuration
  Resolves: RHEL-17193
- Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context
  Resolves: RHEL-19515
- POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
  Resolves: RHEL-21151
- Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
  Resolves: RHEL-21654
- SSL ECDHE Kex fails when pkcs11 engine is set in config file
  Resolves: RHEL-20249
- Denial of service via null dereference in PKCS#12
  Resolves: RHEL-22486
- Use certified FIPS module instead of freshly built one in Red Hat distribution
  Resolves: RHEL-23474
* Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-25
- Provide relevant diagnostics when FIPS checksum is corrupted
  Resolves: RHEL-5317
- Don't limit using SHA1 in KDFs in non-FIPS mode.
  Resolves: RHEL-5295
- Provide empty evp_properties section in main OpenSSL configuration file
  Resolves: RHEL-11439
- Avoid implicit function declaration when building openssl
  Resolves: RHEL-1780
- Forbid explicit curves when created via EVP_PKEY_fromdata
  Resolves: RHEL-5304
- AES-SIV cipher implementation contains a bug that causes it to ignore empty
  associated data entries (CVE-2023-2975)
  Resolves: RHEL-5302
- Excessive time spent checking DH keys and parameters (CVE-2023-3446)
  Resolves: RHEL-5306
- Excessive time spent checking DH q parameter value (CVE-2023-3817)
  Resolves: RHEL-5308
- Fix incorrect cipher key and IV length processing (CVE-2023-5363)
  Resolves: RHEL-13251
- Switch explicit FIPS indicator for RSA-OAEP to approved following
  clarification with CMVP
  Resolves: RHEL-14083
- Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
  Resolves: RHEL-14083
- Add missing ECDH Public Key Check in FIPS mode
  Resolves: RHEL-15990
- Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678)
  Resolves: RHEL-15954
* Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-24
- Make FIPS module configuration more crypto-policies friendly
  Related: rhbz#2216256
* Tue Jul 11 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-23
- Add a workaround for lack of EMS in FIPS mode
  Resolves: rhbz#2216256
* Thu Jul  6 2023 Sahana Prasad <sahana@xxxxxxxxxx> - 1:3.0.7-22
- Remove unsupported curves from nist_curves.
  Resolves: rhbz#2069336
* Mon Jun 26 2023 Sahana Prasad <sahana@xxxxxxxxxx> - 1:3.0.7-21
- Remove the listing of brainpool curves in FIPS mode.
  Related: rhbz#2188180
* Tue May 30 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-20
- Fix possible DoS translating ASN.1 object identifiers
  Resolves: CVE-2023-2650
- Release the DRBG in global default libctx early
  Resolves: rhbz#2211340
* Mon May 22 2023 Clemens Lang <cllang@xxxxxxxxxx> - 1:3.0.7-19
- Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode
  Resolves: rhbz#2169757
* Thu May 18 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-18
- Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode
  Resolves: rhbz#2160797
* Tue May  9 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-17
- Enforce using EMS in FIPS mode - better alerts
  Related: rhbz#2157951
* Tue May  2 2023 Sahana Prasad <sahana@xxxxxxxxxx> - 1:3.0.7-16
- Upload new upstream sources without manually hobbling them.
- Remove the hobbling script as it is redundant. It is now allowed to ship
  the sources of patented EC curves, however it is still made unavailable to use
  by compiling with the 'no-ec2m' Configure option. The additional forbidden
  curves such as P-160, P-192, wap-tls curves are manually removed by updating
  0011-Remove-EC-curves.patch.
- Enable Brainpool curves.
- Apply the changes to ec_curve.c and ectest.c as a new patch
  0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
  Resolves: rhbz#2130618, rhbz#2188180
* Fri Apr 28 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-15
- Backport implicit rejection for RSA PKCS#1 v1.5 encryption
  Resolves: rhbz#2153471
* Fri Apr 21 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-14
- Input buffer over-read in AES-XTS implementation on 64 bit ARM
  Resolves: rhbz#2188554
* Tue Apr 18 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-13
- Enforce using EMS in FIPS mode
  Resolves: rhbz#2157951
- Fix excessive resource usage in verifying X509 policy constraints
  Resolves: rhbz#2186661
- Fix invalid certificate policies in leaf certificates check
  Resolves: rhbz#2187429
- Certificate policy check not enabled
  Resolves: rhbz#2187431
- OpenSSL rsa_verify_recover key length checks in FIPS mode
  Resolves: rhbz#2186819
* Fri Mar 24 2023 Clemens Lang <cllang@xxxxxxxxxx> - 1:3.0.7-12
- Change explicit FIPS indicator for RSA decryption to unapproved
  Resolves: rhbz#2179379
* Mon Mar 20 2023 Clemens Lang <cllang@xxxxxxxxxx> - 1:3.0.7-11
- Add missing reference to patchfile to add explicit FIPS indicator to RSA
  encryption and RSASVE and fix the gettable parameter list for the RSA
  asymmetric cipher implementation.
  Resolves: rhbz#2179379
* Fri Mar 17 2023 Clemens Lang <cllang@xxxxxxxxxx> - 1:3.0.7-10
- Add explicit FIPS indicator to RSA encryption and RSASVE
  Resolves: rhbz#2179379
* Thu Mar 16 2023 Clemens Lang <cllang@xxxxxxxxxx> - 1:3.0.7-9
- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes
  Resolves: rhbz#2175864
* Thu Mar 16 2023 Clemens Lang <cllang@xxxxxxxxxx> - 1:3.0.7-8
- Fix Wpointer-sign compiler warning
  Resolves: rhbz#2178034
* Tue Mar 14 2023 Clemens Lang <cllang@xxxxxxxxxx> - 1:3.0.7-7
- Add explicit FIPS indicators to key derivation functions
  Resolves: rhbz#2175860 rhbz#2175864
- Zeroize FIPS module integrity check MAC after check
  Resolves: rhbz#2175873
- Add explicit FIPS indicator for IV generation in AES-GCM
  Resolves: rhbz#2175868
- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant
  salt in PBKDF2 FIPS self-test
  Resolves: rhbz#2178137
- Limit RSA_NO_PADDING for encryption and signature in FIPS mode
  Resolves: rhbz#2178029
- Pairwise consistency tests should use Digest+Sign/Verify
  Resolves: rhbz#2178034
- Forbid DHX keys import in FIPS mode
  Resolves: rhbz#2178030
- DH PCT should abort on failure
  Resolves: rhbz#2178039
- Increase RNG seeding buffer size to 32
  Related: rhbz#2168224
* Wed Mar  8 2023 Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> - 1:3.0.7-6
- Fixes RNG slowdown in FIPS mode
  Resolves: rhbz#2168224
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2182590 - CVE-2023-0465 openssl3: openssl: Invalid certificate policies in leaf certificates are silently ignored [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2182590
  [ 2 ] Bug #2182602 - CVE-2023-0466 openssl3: openssl: Certificate policy check not enabled [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2182602
  [ 3 ] Bug #2188526 - CVE-2023-1255 openssl3: openssl: Input buffer over-read in AES-XTS implementation on 64 bit ARM [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2188526
  [ 4 ] Bug #2211109 - CVE-2023-2650 openssl3: openssl: Possible DoS translating ASN.1 object identifiers [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2211109
  [ 5 ] Bug #2223821 - TRIAGE-CVE-2023-2975 openssl3: openSSL: AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2223821
  [ 6 ] Bug #2228050 - CVE-2023-3817 openssl3: OpenSSL: Excessive time spent checking DH q parameter value [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2228050
  [ 7 ] Bug #2248621 - CVE-2023-5678 openssl3: openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2248621
  [ 8 ] Bug #2249063 - CVE-2023-5363 openssl3: openssl: Incorrect cipher key and IV length processing [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2249063
  [ 9 ] Bug #2257573 - CVE-2023-6129 openssl3: openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2257573
  [ 10 ] Bug #2258505 - CVE-2023-6237 openssl3: openssl: Excessive time spent checking invalid RSA public keys [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2258505
  [ 11 ] Bug #2276143 - openssl3 epel-8 SIGILL on ppc64le Power8
        https://bugzilla.redhat.com/show_bug.cgi?id=2276143
--------------------------------------------------------------------------------


================================================================================
 stow-2.4.0-1.el8 (FEDORA-EPEL-2024-c8eff7a0b7)
 Manage the installation of software packages from source
--------------------------------------------------------------------------------
Update Information:

Changes in version 2.4.0

- --dotfiles now works with directories
  A long-standing bug preventing the --dotfiles option from working
  correctly with directories has been fixed. It should also work in
  combination with the --compat option.

- Eliminated a spurious warning on unstowing
  2.3.1 introduced a benign but annoying warning when unstowing in
  certain circumstances. It looked like:
    BUG in find_stowed_path? Absolute/relative mismatch between Stow dir X and path Y
  This was caused by erroneous logic, and has now been fixed.

- Unstowing logic has been improved in other cases
  Several other improvements have been made internally to the
  unstowing logic. These changes should all be either invisible
  (except for changes to debug output) or improvements, but if you
  encounter any unexpected behaviour, please report it as directed
  in the manual.

- Improved debug output
  Extra output resulting from use of the -v / --verbose flag now
  appears in a more logical and understandable way.

- Janitorial tasks
  Users are not substantially affected by these changes.
  - Added some more information from the web page to the README
  - Made some improvements to the documentation
  - Improved readability of source code
    Quite a few extra details have been added in comments to clarify
    how the code works. Many variable names have also been improved.
    The comments of many Stow class methods have been converted into
    Perl POD format.
  - Added a CONTRIBUTING.md file
  - Added a watch target to Makefile
    make watch provides easy continual pre-processing during
    development, which reduces the risk of debugging the wrong code.
  - Removed texinfo.tex from the distribution
    This eliminates existing and future bit-rot.
  - Updated aclocal.m4 from 1.15.1 to 1.16.5
    This mostly just updates copyright notices to 2021, and URLs to https.
  - Replaced broken gmane links with links to lists.gnu.org
    gmane has been dead for quite a while.
  - Improved support for navigating / editing source via emacs
    Support source navigation in emacs via dumb-jump
    (https://github.com/jacktasia/dumb-jump).
    Configure cperl-mode to match existing coding style.
  - Various maintainer tweaks
    Further improved the release process and its documentation in
    various minor ways.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 22 2024 Packit <hello@xxxxxxxxxx> - 2.4.0-1
- Update to 2.4.0 upstream release
- Resolves: rhbz#2273895
* Mon Apr 22 2024 Michel Lind <salimma@xxxxxxxxxxxxxxxxx> - 2.3.1-8
- Use SPDX license expression
* Mon Apr 22 2024 Michel Lind <salimma@xxxxxxxxxxxxxxxxx> - 2.3.1-7
- Enable Packit
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2273895 - stow-2.4.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2273895
--------------------------------------------------------------------------------

--
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue