Revisions of bouncycastle

Fridrich Strba (fstrba) committed (revision 65)
Fridrich Strba (fstrba) committed (revision 64)
buildservice-autocommit accepted request 857871 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 63)
baserev update by copy to link target
Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 857837 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 62)
- Version update to 1.67 [bsc#1180215, CVE-2020-28052]
  * CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method
    compared incorrect data when checking the password
  * Defects Fixed:
    - BCJSSE: SunJSSE compatibility fix - override of getChannel()
      removed and 'urgent data' behaviour should now conform to
      what the SunJSSE expects
    - Nested BER data could sometimes cause issues in octet strings
    - Certificates/CRLs with short signatures could cause an exception
      in toString() in the BC X509 Certificate implementation
    - In line with latest changes in the JVM, SignatureSpis which
      don't require parameters now return null on engineGetParameters()
    - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey
      where it can on requests for a KeySpec based on an RSAPrivateKey
    - CMSTypedStream$FullReaderStream now handles zero length reads correctly
    - Unnecessary padding was added on KMAC when the key string was block aligned
    - Zero length data would cause an unexpected exception from RFC5649WrapEngine
    - OpenBSDBcrypt was failing to handle some valid prefixes
  * Additional Features and Functionality
    - Performance improvement of Argon2 and Noekeon
    - A setSessionKeyObfuscation() method has been added to
      PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key
      obfuscation (default is on, method primarily to get around early version
      GPG issues with AES-128 keys)
    - Implemented 'safegcd' constant-time modular inversion (as well as a
      variable-time variant). It has replaced Fermat inversion in all our EC
      code, and BigInteger.modInverse in several other places, particularly
      signers. This improves side-channel protection, and also gives a
      significant performance boost
    - Performance of custom binary ECC curves and Edwards Curves has been improved
buildservice-autocommit accepted request 823297 from Fridrich Strba (fstrba) (revision 61)
baserev update by copy to link target
Fridrich Strba (fstrba) accepted request 823216 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 60)
- Version update to 1.66
  * Defects Fixed:
    - EdDSA verifiers now reset correctly after rejecting overly long signatures.
    - BCJSSE: SSLSession.getPeerCertificateChain could throw NullPointerException.
    - qTESLA-I verifier would reject some valid signatures.
    - qTESLA verifiers now reject overly long signatures.
    - PGP regression caused failure to preserve existing version header when
      headers were reset.
    - PKIXNameConstraintValidator had a bad cast preventing use of multiple
      OtherName constraints.
    - Serialisation of the non-CRT RSA Private Key could cause a NullPointerException.
    - An extra 4 bytes was included in the start of HSS public key encodings.
    - CMS with Ed448 using a direct signature was using id-shake256-len
      rather than id-shake256.
    - Use of GCMParameterSpec could cause an AccessControlException under
      some circumstances.
    - DTLS: Fixed high-latency HelloVerifyRequest handshakes.
    - An encoding bug for rightEncoded() in KMAC has been fixed.
    - For a few values the cSHAKE implementation would add unnecessary pad bytes
      where the N and S strings produced encoded data that was block aligned.
    - There were a few circumstances where Argon2BytesGenerator might hit an
      unexpected null. These have been removed.
  * Additional Features and Functionality
    - The qTESLA signature algorithm has been updated to v2.8 (20191108).
    - BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.
    - Support has been added for "ocsp.enable", "ocsp.responderURL" and
      PKIXRevocationChecker for users of Java 8 and later.
    - Support has been added for "org.bouncycastle.x509.enableCRLDP" to the PKIX validator.
    - BCJSSE: Now supports system property 'jsse.enableFFDHE'
    - BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes'
buildservice-autocommit accepted request 798864 from Fridrich Strba (fstrba) (revision 59)
baserev update by copy to link target
Fridrich Strba (fstrba) accepted request 798842 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 58)
- Version update to 1.65
  * Defects Fixed:
    - DLExternal would encode using DER encoding for tagged SETs.
    - ChaCha20Poly1305 could fail for large (>~2GB) files.
    - ChaCha20Poly1305 could fail for small updates when used via the provider.
    - Properties.getPropertyValue could ignore system property when other
       local overrides set.
    - The entropy gathering thread was not running in daemon mode, meaning there
       could be a delay in an application shutting down due to it.
    - A recent change in Java 11 could cause an exception with the BC Provider's
       implementation of PSS.
    - BCJSSE: TrustManager now tolerates having no trusted certificates.
    - BCJSSE: Choice of credentials and signing algorithm now respect the peer's
       signature_algorithms extension properly.
    - BCJSSE: KeyManager for KeyStoreBuilderParameters no longer leaks memory.
  * Additional Features and Functionality:
    - LMS and HSS (RFC 8554) support has been added to the low level library and
       the PQC provider.
    - SipHash128 support has been added to the low level library and the JCE provider.
    - BCJSSE: BC API now supports explicitly specifying the session to resume.
    - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is
       negotiated (except in FIPS mode).
    - BCJSSE: Added support for extended_master_secret system properties:
       jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption,
       jdk.tls.useExtendedMasterSecret.
    - BCJSSE: KeyManager and TrustManager now check algorithm constraints for
       keys and certificate chains.
    - BCJSSE: KeyManager selection of server credentials now prefers matching
buildservice-autocommit accepted request 788316 from Fridrich Strba (fstrba) (revision 57)
baserev update by copy to link target
Fridrich Strba (fstrba) committed (revision 56)
buildservice-autocommit accepted request 746073 from Tomáš Chvátal (scarabeus_iv) (revision 55)
baserev update by copy to link target
Tomáš Chvátal (scarabeus_iv) accepted request 746071 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 54)
- Fix arch dependent macros in noarch package [bsc#1109539]
buildservice-autocommit accepted request 738177 from Tomáš Chvátal (scarabeus_iv) (revision 53)
baserev update by copy to link target
Tomáš Chvátal (scarabeus_iv) accepted request 737921 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 52)
- Update pom files with those from Maven repository.
Fridrich Strba (fstrba) accepted request 737444 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 51)
- Version update to 1.64 [bsc#1153385, CVE-2019-17359]
  [bsc#1096291, CVE-2018-1000180][bsc#1100694, CVE-2018-1000613]
  * Security Advisory:
    - CVE-2019-17359: A change to the ASN.1 parser in 1.63 introduced
      a regression that can cause an OutOfMemoryError to occur on
      parsing ASN.1 data.
  * Defects Fixed:
    - OpenSSH: Fixed padding in generated Ed25519 private keys.
    - GOST3410-2012-512 now uses the GOST3411-2012-256 as its KDF digest.
    - Validation of headers in PemReader now looks for trailing dashes in header.
    - Some compatibility issues around the signature encryption algorithm
      field in CMS SignedData and the GOST algorithms have been addressed.
  * Additional Features and Functionality:
    - PKCS12 key stores containing only certificates can now be created
      without the need to provide passwords.
    - BCJSSE: Initial support for AlgorithmConstraints; protocol versions
      and cipher suites.
    - BCJSSE: Initial support for 'jdk.tls.disabledAlgorithms'; protocol
      versions and cipher suites.
    - BCJSSE: Add SecurityManager check to access session context.
    - BCJSSE: Improved SunJSSE compatibility of the NULL_SESSION.
    - BCJSSE: SSLContext algorithms updated for SunJSSE compatibility
      (default enabled protocols).
    - The digest functions Haraka-256 and Haraka-512 have been added to
      the provider and the light-weight API
    - XMSS/XMSS^MT key management now allows for allocating subsets of the
      private key space using the extraKeyShard() method. Use of
      StateAwareSignature is now deprecated.
    - Support for Java 11's NamedParameterSpec class has been added
      (using reflection) to the EC and EdEC KeyPairGenerator implementations.
buildservice-autocommit accepted request 733042 from Fridrich Strba (fstrba) (revision 50)
baserev update by copy to link target
Fridrich Strba (fstrba) committed (revision 49)
Fridrich Strba (fstrba) committed (revision 48)
Fridrich Strba (fstrba) committed (revision 47)
Fridrich Strba (fstrba) committed (revision 46)
Displaying revisions 41 - 60 of 105