Secure Sockets and Transport Layer Security
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and open source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols with full-strength cryptography. The project is managed
by a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its related
documentation.
Derivation and License
OpenSSL is based on the excellent SSLeay library developed by Eric A.
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
Apache-style license, which basically means that you are free to get it
and to use it for commercial and noncommercial purposes.
- Developed at security:tls
- Sources inherited from project openSUSE:Factory
-
7
derived packages
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout devel:ARM:Factory:Contrib:ILP32/openssl && cd $_ - Create Badge
Refresh
Refresh
Source Files
Revision 132 (latest revision is 171)
Dominique Leuenberger (dimstar_suse)
accepted
request 393456
from
Marcus Meissner (msmeissn)
(revision 132)
- OpenSSL Security Advisory [3rd May 2016]
- update to 1.0.2h (boo#977584, boo#977663)
* Prevent padding oracle in AES-NI CBC MAC check
A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI.
(CVE-2016-2107, boo#977616)
* Fix EVP_EncodeUpdate overflow
An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption.
(CVE-2016-2105, boo#977614)
* Fix EVP_EncryptUpdate overflow
An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
is able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate() with a partial block then a length check can overflow
resulting in a heap corruption.
(CVE-2016-2106, boo#977615)
* Prevent ASN.1 BIO excessive memory allocation
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can casuse allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
(CVE-2016-2109, boo#976942)
* EBCDIC overread
ASN1 Strings that are over 1024 bytes can cause an overread in applications
using the X509_NAME_oneline() function on EBCDIC systems. This could result
in arbitrary stack data being returned in the buffer.
(CVE-2016-2176, boo#978224)
* Modify behavior of ALPN to invoke callback after SNI/servername (forwarded request 393446 from vitezslav_cizek)
Comments 10
Can anyone explain, openssl-1.0.2i-new-fips-reqs.patch is for what and which code based ? I'm unable to map to any code base either openssl-1.0.2i nor openssl-fips which found in https://www.openssl.org/
It is from a seperate FIPS patchset which we used for FIPS certification of openssl in SLES 12 and SLES 12 SP2.
Can i get the source copy of it ?
check out these sources: SUSE:SLE-12-SP2:Update openssl
I'm sorry, couldn't able to locate the exact link. If you don't mind can you help me to point the link ?
https://build.opensuse.org/package/show/SUSE:SLE-12:Update/openssl
Thanks a lot. anyway i can't find openssl-1.0.2i-new-fips-reqs.patch in this path of any updation. I think it's been deleted, prior to this can find openssl-1.0.1i-new-fips-reqs.patch.
make that https://build.opensuse.org/package/show/SUSE:SLE-12-SP2:Update/openssl
Thank you, got it. Basically the New requirements of FIPS 140-2 RSA/DSA were adopted from Red Hat Inc right ?
The patchset is largely from Redhat, we did some small adaptions to even stricter FIPS requirements but I do not recall the details.