libressl-devel-2.8.0-11.1<>,[渋/=„Jnvm`L~Oid,2uRP,׸)FVi ٮ >)8D̛Zj-)#b EjhAZ?貌`v 5`DWE2z?jݯW|Z;iD_O;.=B j^ ä9 4Юɭ #Tn%ϵX)TQ:Vؐ%AmwmFK-Z}M>=?d  _ 5JPXOO 2O O  O O @O|OOO`  . \d(8/9T/:P/FsGtOHuLOIvOXvYv\w O]x\O^zb{2c{d|ee|jf|ol|qu|Ov}w}Ox8Oyt zClibressl-devel2.8.011.1Development files for LibreSSL, an SSL/TLS protocol implementationLibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It derives from OpenSSL, with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. This subpackage contains libraries and header files for developing applications that want to make use of libressl.[cloud112CopenSUSE Leap 42.3openSUSEOpenSSLhttp://bugs.opensuse.orgDevelopment/Libraries/C and C++http://libressl.org/linuxx86_64߳7n !v. G 9%B]"(&&:0 Cw<I.\H( $-#cQv.sk+uSSm m5wPWV Q\kwAt (bby$(VhA큤[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɳ[ɲ[ɳ[ɳ[ɹ[ɹ[ɹ[ɹ701063d2bddddd91f6d4b93281b3fb6cf7e54f05f4235879e6a55f1ad7683497f02729c8cd9a628bbca7a37d10fb72b3cd0e32684e598514bf7663a82326184252af6641bad8fe715d74fa5ac2c80bb5a652fd0e18bf3b7a71c888310653bf652717c636e81150b739ed92a7ba92f463503cc242a51716ae5720f8ce66e02f3c7b568ba0e403bd88d8ebbce62424bf6eecddc3af8f51c4a976832b8e4084fbfb3fa9189d7406447a4dae526add24e4f5e58446233968423654f828b284cfd2d81b0b31b5dd22325c9c9d0a8c53ee99b29ce949445b6157074837d1eef2a5908bbbc539599f06e74d0f4bcb8f2cd0646ae6688f351ea8e544cbfd5fe367de921b3643f27e7d866a2eb2f5c2cf1b2cf7bfbd4c81e691a790278e05d74bd0b721c9e64dac20342b43919030c3a826f671952c42943e84bb577fa431068150d53c2d1253c82ffdccf6060986ea258c9bb381927455cf64148ece5eca0d269353c1ff52904d410305718e7b335bf82504c071831733e3fce743993a4a4b5434682461ece857186238a67f4339479b9809f57f6c43511360f0a88b297bc889457615f9b4c4b4acc1fa4bc94e291ad2e1759868f3ec7e5ce8315d4150e171fe97e4071cca0fce26205d3364970fcedc09d03698d2e8b83f571ab8f4b3b1a5350c9596ffc99498e8688c64ac2aef77f6dcf471c35e62139033abbffe1164db092ae7876ee0f4db6b893b0e79abe124b39368ffd2b5fe328d71ec7508ff75fe6631434764f277c09512b18d1ccf371ab0d24af8235043e3c5f4e3afb9f68e5a3af077eb20aa4461ef815cd90e1c7379d5a80d43495efbf9ea6b79b8e04b192194c8d9805e92ea4cb70b9ce9268e4a5b6c670684f564b0743a7aea716aa4ee27194232639232066ac18e0137f3ac5d613b90ded30a6dda80e94a3215569ed6ac42ffb569ab7e0575bd80ccf625140876fb82eff2e128c92a5b0ec5df5b79ec5e7cf7890e1bf4fd9b61c10533a044e57146c732eb7ca4652d69f7aa06e402badc9f4f916263e361a6db4af5be9bf4ee0fa26ca684d63c3c4e4ab50f1a0a900f31e4812f7dec11993b1fe65b6b691d89cdb7666906d8af13b116b148b0a065da813a800d2f89e6894f05975b673b05c73e46cd458d736e2ea2fa6b1f0ce023077bea9ce3c2d909d9f1d6b9f422dac40574ef50949cf9640bbd50c2b68812cf465d76514b6539013f1a4fe325a438f18386d042be2a972e94ff0dc024ad0afd00630cee1f3210e98df04006fea6108d906c134784ae61751a7c7026bcd4776d59876ce3e90899c6218eca89e61f66d76e6874041fb3bfd08d0ee69a562287ccbbe2d0c2b416167e186f08fcecb3b6a215203405267c2fa0aa01afed9546af1e81afddfeac896d6d4a1ad97483a5ce4b9fdbe59875f3e430edc2a6e5f4512cf34158d85bfde76d58db09352f8adbf66353f11c914d550a0bb97262332f2ab9d7c294985f5689992d7bf0ef95b383a57670202262467a1b977ddfa1d226382f15adbe27a070cf5de95896fae054534d93fe8f7349f57c370761f625d5f52993d9d7d720805e1bb4b95610caf0553f87255c020613b250158ee5d40dff9b00dceda21f939d6e87cd0b948f8dfaf799635be2b3dd7bf4a0cfdce612c0529305fec956f484388197fc22fcb7c7c8e537ca050323debe98abe2libcrypto.so.43.0.1libssl.so.45.0.1libtls.so.17.0.1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootlibressl-2.8.0-11.1.src.rpmlibressl-devellibressl-devel(x86-64)pkgconfig(libcrypto)pkgconfig(libssl)pkgconfig(libtls)pkgconfig(openssl)@@@   /usr/bin/pkg-configlibcrypto43libssl45libtls17pkgconfig(libcrypto)pkgconfig(libssl)rpmlib(CompressedFileNames)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsLzma)2.8.02.8.02.8.03.0.4-14.0-14.4.6-1libopenssl-develotherproviders(ssl-devel)4.11.2[j@Z?Z@ZZ@Z;@Z%8Z@Y*@YKYY@Y i@Y XX@W@WWWZWPW)@V@V@VjV9@V VU@UUU@U@UzU@U @TT@TÉ@TT~@S @SSR@Si@StS#@jengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.detchvatal@suse.comtchvatal@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.deastieger@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.deastieger@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.desor.alexei@meowr.rujengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.de- Update to new upstream release 2.8.0 * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry. * Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning' parameters so that an unverified certificate cannot be used if it fails verification. * Fixed a potential memory leak on failure in ASN1_item_digest. * Fixed a potential memory alignment crash in asn1_item_combine_free. * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. * Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications. * Added a missing bounds check in c2i_ASN1_BIT_STRING. * Removed three remaining single DES cipher suites. * Fixed a potential leak/incorrect return value in DSA signature generation. * Added a blinding value when generating DSA and ECDSA signatures, in order to reduce the possibility of a side-channel attack leaking the private key. * Added ECC constant time scalar multiplication support. * Revised the implementation of RSASSA-PKCS1-v1_5 to match the specification in RFC 8017. * Changes from 2.7.4: * Avoid a timing side-channel leak when generating DSA and ECDSA signatures. [CVE-2018-12434, boo#1097779] * Reject excessively large primes in DH key generation.- Update to new upstream release 2.7.3 * Removed incorrect NULL checks in DH_set0_key(). * Limited tls_config_clear_keys() to only clear private keys.- Update to new upstream release 2.7.2 * Updated and added extensive new HISTORY sections to the API manuals.- Update to new upstream release 2.7.1 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name length provided is 0 to match the OpenSSL behaviour. [CVE-2018-8970, boo#1086778]- Update to new upstream release 2.7.0 * Added support for many OpenSSL 1.0.2 and 1.1 APIs. * Added support for automatic library initialization in libcrypto, libssl, and libtls. * Converted more packet handling methods to CBB, which improves resiliency when generating TLS messages. * Completed TLS extension handling rewrite, improving consistency of checks for malformed and duplicate extensions. * Rewrote ASN1_TYPE_ get,set _octetstring() using templated ASN.1. This removes the last remaining use of the old M_ASN1_ macros (asn1_mac.h) from API that needs to continue to exist. * Added support for client-side session resumption in libtls. * A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes. * Merged more DTLS support into the regular TLS code path.- Update to new upstream release 2.6.4 * Make tls_config_parse_protocols() work correctly when passed a NULL pointer for a protocol string. * Correct TLS extensions handling when no extensions are present.- Add extra-symver.diff- Update to new upstream release 2.6.3 * Added support for providing CRLs to libtls - once a CRL is provided via tls_config_set_crl_file(3) or tls_config_set_crl_mem(3), CRL checking is enabled and required for the full certificate chain. * Reworked TLS certificate name verification code to more strictly follow RFC 6125. * Relaxed SNI validation to allow non-RFC-compliant clients using literal IP addresses with SNI to connect to a libtls-based TLS server. * Added tls_peer_cert_chain_pem() to libtls, useful in private certificate validation callbacks such as those in relayd. * Added SSL{,_CTX}_set_{min,max}_proto_version(3) functions. * Imported HKDF (HMAC Key Derivation Function) from BoringSSL. * Dropped cipher suites using DSS authentication. * Removed support for DSS/DSA from libssl. * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category. * Removed NPN support - NPN was never standardised and the last draft expired in October 2012. * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients. * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termination. * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5. * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. - Add des-fcrypt.diff [boo#1065363]- Update to new upstream release 2.6.2 * Provide a useful error with libtls if there are no OCSP URLs in a peer certificate. * Keep track of which keypair is in use by a TLS context, fixing a bug where a TLS server with SNI would only return the OCSP staple for the default keypair. - Update to new upstream release 2.6.1 * Added tls_config_set_ecdhecurves() to libtls, which allows the names of the eliptical curves that may be used during client and server key exchange to be specified. * Removed support for DSS/DSA, since we removed the cipher suites a while back. * Removed NPN support. NPN was never standardised and the last draft expired in October 2012. ALPN was standardised. * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients. * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termintation. * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5. * Implemented the SSL_CTX_set_min_proto_version(3) API. * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.- Update to new upstream release 2.6.0 * Added support for providing CRLs to libtls. Once a CRL is provided, we enable CRL checking for the full certificate chain. * Allow non-compliant clients using IP literal addresses with SNI to connect to a server using libtls. * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey(). * Added definitions for three OIDs used in EV certificates. * Plugged a memory leak in tls_ocsp_free. * Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to libtls, useful in private certificate validation callbacks. * Reworked TLS certificate name verification code to more strictly follow RFC 6125. * Added tls_keypair_clear_key for clearing key material. * Removed inconsistent IPv6 handling from BIO_get_accept_socket, simplified BIO_get_host_ip and BIO_accept. * Fixed the openssl(1) ca command so that is generates certificates with RFC 5280-conformant time. * Added ASN1_TIME_set_tm to set an asn1 from a struct tm *. * Added SSL{,_CTX}_set_{min,max}_proto_version() functions. * Added HKDF (HMAC Key Derivation Function) from BoringSSL * Providea a tls_unload_file() function that frees the memory returned from a tls_load_file() call, ensuring that it the contents become inaccessible. This is specifically needed on platforms where the library allocators may be different from the application allocator. * Perform reference counting for tls_config. This allows tls_config_free() to be called as soon as it has been passed to the final tls_configure() call, simplifying lifetime tracking for the application. * Moved internal state of SSL and other structures to be opaque. * Dropped cipher suites with DSS authentication.- Update to new upstream release 2.5.5 * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category.- Add conflict between libressl and the main versioned packages too- Add conflict for split openssl packages- Update to new upstream release 2.5.4 * Reverted a previous change that forced consistency between return value and error code when specifing a certificate verification callback, since this breaks the documented API. * Switched Linux getrandom() usage to non-blocking mode, continuing to use fallback mechanims if unsuccessful. * Fixed a bug caused by the return value being set early to signal successful DTLS cookie validation.- Update to new upstream release 2.5.1 * Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing. [bnc#1019334] * Detect zero-length encrypted session data early * Curve25519 Key Exchange support. * Support for alternate chains for certificate verification. - Update to new upstream release 2.5.2 * Added EVP interface for MD5+SHA1 hashes * Fixed DTLS client failures when the server sends a certificate request. * Corrected handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection. * Allowed protocols and ciphers to be set on a TLS config object in libtls. - Update to new upstream release 2.5.3 * Documentation updates - Remove ecs.diff (merged)- Add ecs.diff [bnc#1019334]- Update to new upstream release 2.5.0 * libtls now supports ALPN and SNI * libtls adds a new callback interface for integrating custom IO functions. * libtls now handles 4 cipher suite groups: "secure" (TLSv1.2+AEAD+PFS), "compat" (HIGH:!aNULL), "legacy" (HIGH:MEDIUM:!aNULL), "insecure" (ALL:!aNULL:!eNULL). This allows for flexibility and finer grained control, rather than having two extremes. * libtls now always loads CA, key and certificate files at the time the configuration function is called. * Add support for OCSP intermediate certificates. * Added functions used by stunnel and exim from BoringSSL - this brings in X509_check_host, X509_check_email, X509_check_ip, and X509_check_ip_asc. * Improved behavior of arc4random on Windows when using memory leak analysis software. * Correctly handle an EOF that occurs prior to the TLS handshake completing. * Limit the support of the "backward compatible" ssl2 handshake to only be used if TLS 1.0 is enabled. * Fix incorrect results in certain cases on 64-bit systems when BN_mod_word() can return incorrect results. BN_mod_word() now can return an error condition. * Added constant-time updates to address CVE-2016-0702 * Fixed undefined behavior in BN_GF2m_mod_arr() * Removed unused Cryptographic Message Support (CMS) * More conversions of long long idioms to time_t * Reverted change that cleans up the EVP cipher context in EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the previous behaviour. * Avoid unbounded memory growth in libssl, which can be triggered by a TLS client repeatedly renegotiating and sending OCSP Status Request TLS extensions. * Avoid falling back to a weak digest for (EC)DH when using SNI with libssl.- Update to new upstream release 2.4.2 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per RFC6960. Also added fixes for OCSP to work with intermediate certificates provided in responses. * Fixed incorrect results from BN_mod_word() when the modulus is too large. * Correctly handle an EOF prior to completing the TLS handshake in libtls. * Removed flags for disabling constant-time operations. This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time.- Update to new upstream release 2.4.2 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per RFC6960. Also added fixes for OCSP to work with intermediate certificates provided in responses. * Fixed incorrect results from BN_mod_word() when the modulus is too large. * Correctly handle an EOF prior to completing the TLS handshake in libtls.- Update to new upstream release 2.4.1 * Correct a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set.- Update to new upstream release 2.4.0 * Added missing error handling around bn_wexpand() calls. * Added explicit_bzero calls for freed ASN.1 objects. * Fixed X509_*set_object functions to return 0 on allocation failure. * Implemented the IETF ChaCha20-Poly1305 cipher suites. * Changed default EVP_aead_chacha20_poly1305() implementation to the IETF version, which is now the default. * Fixed password prompts from openssl(1) to properly handle ^C. * Reworked error handling in libtls so that configuration errors are visible. * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.- Update to new upstream release 2.3.4 [boo#978492, boo#977584] * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.- Update to new upstream release 2.3.3 * cert.pem has been reorganized and synced with Mozilla's certificate store- Update to new upstream release 2.3.2 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD construction introduced in RFC 7539, which is different than that already used in TLS with EVP_aead_chacha20_poly1305(). * Avoid a potential undefined C99+ behavior due to shift overflow in AES_decrypt. - Remove 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch (included)- Add 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch [boo#958768]- Update to new upstream release 2.3.1 * ASN.1 cleanups and RFC5280 compliance fixes. * Time representations switched from "unsigned long" to "time_t". LibreSSL now checks if the host OS supports 64-bit time_t. * Changed tls_connect_servername to use the first address that resolves with getaddrinfo(). * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of sizeof(RC4_CHUNK). - Drop CVE-2015-5333_CVE-2015-5334.patch (merged)- Security update for libressl: * CVE-2015-5333: Memory Leak [boo#950707] * CVE-2015-5334: Buffer Overflow [boo#950708] - adding CVE-2015-5333_CVE-2015-5334.patch- Update to new upstream release 2.3.0 * SSLv3 is now permanently removed from the tree. * libtls API: The read/write functions work correctly with external event libraries. See the tls_init man page for examples of using libtls correctly in asynchronous mode. * When using tls_connect_fds, tls_connect_socket or tls_accept_fds, libtls no longer implicitly closes the passed in sockets. The caller is responsible for closing them in this case. * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no longer supported. * SHA-0 is removed, which was withdrawn shortly after publication 20 years ago.- Update to new upstream release 2.2.3 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not include TLS extensions, resulting in such handshakes being aborted. This release corrects the handling of such messages.- drop /etc/ssl/cert.pem- Avoid file conflict with ca-certificates by dropping /etc/ssl/certs- Update to new upstream release 2.2.2 * Incorporated fix for OpenSSL issue #3683 [malformed private key via command line segfaults openssl] * Removed workarounds for TLS client padding bugs, removed SSLv3 support from openssl(1), removed IE 6 SSLv3 workarounds, removed RSAX engine. * Modified tls_write in libtls to allow partial writes, clarified with examples in the documentation. * Building a program that intentionally uses SSLv3 will result in a linker warning. * Added TLS_method, TLS_client_method and TLS_server_method as a replacement for the SSLv23_*method calls. * Switched `openssl dhparam` default from 512 to 2048 bits * Fixed `openssl pkeyutl -verify` to exit with a 0 on success * Fixed dozens of Coverity issues including dead code, memory leaks, logic errors and more.- Update to new upstream release 2.2.1 [bnc#937891] * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL * Removed Dynamic Engine support * Removed unused and obsolete MDC-2DES cipher * Removed workarounds for obsolete SSL implementations * Fixes and changes for plaforms other than GNU/Linux- Update to new upstream release 2.2.0 * Removal of OPENSSL_issetugid and all library getenv calls. Applications can and should no longer rely on environment variables for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still supported with the openssl(1) command. * libtls API and documentation additions * fixed: * CVE-2015-1788: Malformed ECParameters causes infinite loop * CVE-2015-1789: Exploitable out-of-bounds read in X509_cmp_time * CVE-2015-1792: CMS verify infinite loop with unknown hash function (this code is not enabled by default) * already fixed earlier, or not found in LibreSSL: * CVE-2015-4000: DHE man-in-the-middle protection (Logjam) * CVE-2015-1790: PKCS7 crash with missing EnvelopedContent * CVE-2014-8176: Invalid free in DTLS- Ship pkgconfig files again- Update to new upstream release 2.1.6 * Reject server ephemeral DH keys smaller than 1024 bits * Fixed CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp * Fixed CVE-2015-0287 - ASN.1 structure reuse memory corruption * Fixed CVE-2015-0289 - PKCS7 NULL pointer dereferences * Fixed CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error * Fixed CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref- Update to 2.1.4: * Improvements to libtls: - a new API for loading CA chains directly from memory instead of a file, allowing verification with privilege separation in a chroot without direct access to CA certificate files. - Ciphers default to TLSv1.2 with AEAD and PFS. - Improved error handling and message generation. - New APIs and improved documentation. * Add X509_STORE_load_mem API for loading certificates from memory. This facilitates accessing certificates from a chrooted environment. * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by using 'TLSv1.2+AEAD' as the cipher selection string. * New openssl(1) command 'certhash' replaces the c_rehash script. * Server-side support for TLS_FALLBACK_SCSV for compatibility with various auditor and vulnerability scanners. * Dead and disabled code removal including MD5, Netscape workarounds, non-POSIX IO, SCTP, RFC 3779 support, "#if 0" sections, and more. * The ASN1 macros are expanded to aid readability and maintainability. * Various NULL pointer asserts removed in favor of letting the OS/signal handler catch them. * Refactored argument handling in openssl(1) for consistency and maintainability. * Support for building with OPENSSL_NO_DEPRECATED. * Dozens of issues found with the Coverity scanner fixed. * Fix a minor information leak that was introduced in t1_lib.c r1.71, whereby an additional 28 bytes of .rodata (or .data) is provided to the network. In most cases this is a non-issue since the memory content is already public. * Fixes for the following low-severity issues were integrated into LibreSSL from OpenSSL 1.0.1k: - CVE-2015-0205 - DH client certificates accepted without verification. - CVE-2014-3570 - Bignum squaring may produce incorrect results. - CVE-2014-8275 - Certificate fingerprints can be modified. - CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client].- Add package signatures- Update to new upstream release 2.1.3 * Fixes for various memory leaks in DTLS, including those for CVE-2015-0206. * Application-Layer Protocol Negotiation (ALPN) support. * Simplfied and refactored SSL/DTLS handshake code. * SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. * Ensure the stack is marked non-executable for assembly sections.- Update to new upstream release 2.1.2 * The two cipher suites GOST and Camellia have been reworked or reenabled, providing better interoperability with systems around the world. * The libtls library, a modern and simplified interface for secure client and server communications, is now packaged. * Assembly acceleration of various algorithms (most importantly AES, MD5, SHA1, SHA256, SHA512) are enabled for AMD64. - Remove libressl-no-punning.diff (file to patch is gone)- Update to new upstream release 2.1.1 * Address POODLE attack by disabling SSLv3 by default * Fix Eliptical Curve cipher selection bug- Update to new upstream release 2.0.5 * This version forward-ports security fixes from OpenSSL 1.0.1i: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508 (partially vulnerable), CVE-2014-3509, CVE-2014-3510, CVE-2014-3511. (LibreSSL was found not to be vulnerable to CVE-2014-3502, CVE-2014-3512, CVE-2014-5139)- Update to new upstream release 2.0.4 * This version includes more portability changes, as well as other work. most noticable may be the deletion of the of the SRP code (which has not been enabled in any LibreSSL release). - Remove pkg-config files so "pkgconfig(libcrypto)" remains unambiguous in the distro- Update to new upstream release 2.0.3 * This release includes a number of portability fixes, and also includes some improvements to the fork detection support. - Remove libressl-auxdal.diff, libressl-asn1test.diff (solved upstream)- Update to new upstream release 2.0.2 * This release addresses the Linux forking and pid wrap issue reported recently. - Add libressl-auxval.diff (fix compile error), libressl-asn1test.diff (fix testsuite failure)- Update to new upstream release 2.0.1 * This release includes a number of portability fixes based on the initial feedback received. A few hardcoded compiler options that were problematic on some systems as well as -Werror have been removed. This release also includes pkg-config support. - Remove libressl-rt.diff (solved differently upstream)- Initial package (version 2.0.0) for build.opensuse.org - Add libressl-no-punning.diff, libressl-rt.diff to fix build errorscloud112 1535101414  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO2.8.0-11.12.8.0-11.12.8.02.8.02.8.02.8.0opensslaes.hasn1.hasn1_mac.hasn1t.hbio.hblowfish.hbn.hbuffer.hcamellia.hcast.hchacha.hcmac.hcomp.hconf.hconf_api.hcrypto.hcurve25519.hdes.hdh.hdsa.hdso.hdtls1.hec.hecdh.hecdsa.hengine.herr.hevp.hgost.hhkdf.hhmac.hidea.hlhash.hmd4.hmd5.hmodes.hobj_mac.hobjects.hocsp.hopensslconf.hopensslfeatures.hopensslv.hossl_typ.hpem.hpem2.hpkcs12.hpkcs7.hpoly1305.hrand.hrc2.hrc4.hripemd.hrsa.hsafestack.hsha.hsrtp.hssl.hssl2.hssl23.hssl3.hstack.htls1.hts.htxt_db.hui.hui_compat.hwhrlpool.hx509.hx509_vfy.hx509v3.htls.hlibcrypto.solibssl.solibtls.solibcrypto.pclibssl.pclibtls.pcopenssl.pc/usr/include//usr/include/openssl//usr/lib64//usr/lib64/pkgconfig/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:8655/openSUSE_Leap_42.3_Update/e87898c5f8bc8d623e458d66e863147c-libressl.openSUSE_Leap_42.3_Updatedrpmlzma5x86_64-suse-linuxdirectoryC source, ASCII textASCII textpkgconfig file PRPRRPRRRPRRR͗,<_@{?0]"k%nd)(c|s3'i2gmiO4bܢy>;%A;/dbMht=B։E]=`~"j0a]'E8 5QTkNnsr%؝bt煝XU.`$:'e+p+Q 7SR^a&a_;Z]C]pxV>YJ't."K'_Ä{x9c2[;<kL[B GN_7=bcG//gr_.whŞ)},ea .:&z쉟P mZ(!\α(>+<%6rϖ,6!%'"<<g\/PTHѝ`nF>8gУ͓pj~Ŋfk@Y6ۋa~'^砀ˆDO'a+ol-v(GLT\y+ы>iHN'PK@,[¡Be|I471%2GrE8q/"uc@bJ)[pwKFBp ToհLYm*T{zaR}ݾnŴ5LrQpvV<2Ǿ\*;?VD#*6Co^xɝǭhS8i#M1<ˬ%C7~)sFd6h1Hl1x%V!ۣwPqmj2`K ^ԋ +V{ u Dj9ν-#"$#SӞc5MYi!r]d˕G [&;oIix:ZZBfc/8vقqA}#!tP+XTf;N?8n:" O,w4zbFET@WPg¿e G)ϯ'@&|FUma^& kMw)]U-#Ks nT$\c2}{4#|0e%|$D!\ ա؏L ( u5`Ԙ@bw`]e_2wI;G\aSlRO}BD[$R''g[[28u39u&B8 ~L4 (Wvƨx}Z'-$VݗL#0wؗI5WZ@8h\*Y1n-z[.,hYr EHҳzyl L))GO]V$cҠZ3K6yҠ}>_협-iO)K(4 ^mޥ:gm.)7韒j7ki2F 8R|lXG4H*4K}Yk9muzmX$]#Zٜ% 2,tIfl2 @RdO_'.8ç#)ʘnwZu('a -*yEalYxf/ma( #>mL,rg)r3^wg9}4ԟ$BBivR } .1N9lUoԖ׃_v *hHZ%}jJ~0\I1$z&3snrh$2P0^;,Tvro"xt?ZLq{ F⪜+2wjB0q)AF5 K%1M20K ÛʠE뻱"d]lZ>33i`y~׶*tt|j*ZlbɳLk#~bm7л1~Yɻ$Mѿ?^ě/Pv@{FDB[ht5]\"Q8KP~q&ٓDR0}L X2w6-Z/y!M :$ YZeU5 aT!OTu?5`#1'~7s$3b,f֖JepL9F@X*z46YZ&K{b2ot鞱VgUGλͰ7T>zK}#CSXe[ܱUF.ۢ Q5xCSJ!Sޖґ6$ra\Q[[_vD '?-#)1R님ɦTe\幙AK.gkTNSvWSʃˌWdrc]ٵŦ-a p-xMp2Xk_#㳯;ш/4H>1a ){K)f9"O8]&}VvQRZ($m8Csjq7IAFeCSWz´I3M5?OH5Dwj{1tYz@SH$RPPxmkQ^v`,P3">S_NC27% ت*9J(NdK f!.Dk%πdDir_Hvݽ/nl߁Cdy:uFsoؼOZ=DJMNƜF/)G=H%Sk4>+Dh z~L͵nnH)\ha>68>PY&d: w[~Ez*$[}τ*Zu)m^yC`i-3O VƳG?}W ,`F ttu$.ߴ. e b(8tw#FD~3s/lLlvejĠpiٽmd2i"ϰCc6o/'>Ѭ`r+]^AQ^Ppf6y!fͪ?pSn({"̎ܮ%y!Ig2Ed[- imTS&'r^Źj&[/.GTv<bwkF S6Q']S Q{6KU﯅pʕO\:ivJ4zRb|x$WRGC|cX 2 ]QJ..gDױ@ڑ/YV&H8F3Uc'JkM^`"ʪ<$2OѨTCy0Z(d@O7 QN"ٕx_R&Np`\a;9\KV`W>~X!B3q;wXXJ.ۂ%趜=;a ȰMqR.-8N"]΅-GTnD̨۪&CŅ ߐ3IF{G#Z:]ȗQ8{)o&B94f ||^VR1W4VFC# ^Rlu̐5gu|=>vN+v@/D \;4|1OW{fh8'!Brݳ>0xam6Z)T~@l#:3jҢA$u6S+^i&9x ~~L3\a46=pw n" 4$N[7eе3uw}wp{E(@F9AЯL)kؘ4^c3h7Z =/_ [CZrd̹[gE 0  ^/R5'vuYhT[o˔%AounwC ?m=<{i0yzG*ub.PMl]ox[r8V9tHjR(t&ISy@С^DXH"aG@2= ;B~(GZ{?mEg71qllX}+^}yz;P{)I3c 0ఽRm17oikkLqܯ^f `lfgn~֯(Lnt@RY6:VNM؅ Z.tV,gEWZ6WN (Fh oG{Cs븽$Jfo"4 ѠVM9}0W;nìS/r9pqV m(0lϾ?;f0CsV9 ݤ%%^ ڿL /<"'pgMx"-pW$q|*{ĺ}|\FЖ>Y8hE;T541Tv_*2uɞKFwk/5"tzԯ% 2/yHSOO5!+ytrGkTS=`d~O8fK?]oTZV+6 Ep⒖U!uoH"p<.TBx٧O Zh_ >m`;֍Tr# .o$2w=EQdz|[gʜ. 3p(|ZLۀs '/\h hyx~x?>6َ/.YT,ehɈ6݅%X޸y`v?)U z?#8a j a`TZe,L })Pq\bxD!z_)`%/ZkImXz;@g}|[*q&u>RhX[P6_+f0c\e$X#ac@/xo?oH~gÿh.4'N\.^!$S&MaYv{]*w1ML nv$9!sLSqCI:[*I~\'SC%{ |ڽ4ħOJL?m_WJ G3l؟3J!_~oI`: JJ=:lys1"S Inb2I tOW߈[K^{7q$Gg~R, Nv-v4k?˗߄4z9/ $GLIWYu[Ftt7*h3dNM̪3ZK(h(t.~XR%ɏXc,iH,KG $Jx <K"-o?HA(Z-6#aeĞ(Y^X|dr6^M9̂U!'QL c_@ x믡`|Iq]J乹q }/ڎ Ux= 0iҙ\'G 7*Rا,=/埜nS~x'PЄiGҹ"R`f " ɗ5}]?A},#meKb6aգ8L&RvlyJA(ڰ&jț-]Ĵ2>5dl}3JRo$x!`Z[gdvaߣ`^|@5қ-ꄺ(EfV+-s<"!k\xˮ۔p迱xt Rxj=l m?Ȟ/S:bQ63<bi:*EF~辺9{5铘ύB ԷI<}C̉ph0*R漸sZ3q20c qys87HM+.ߍQ[Y)g*]$̅ti_FB"G-95ٻhj ⮿o3KI!\߶f])y!g* '=]X nT]-Wp?>Soa51_kr Vji0bi&^&yFTf:͸>W6f%}gB]]f|yti^eXmhCv_ǀ#*/W)5;15K/cL(L )yJz7*{R:]>#IЫKSD,pi2m !z܍]0;;ZXV\sW&ԅE[˧Q7ξI$ Mc6M&= ?L ItneiX"hA Pú;)ޫbE3.ˢZs B)d 7VaV=  ZX&|9{ml2.TkmW3/q~oYݹ(