%bcond_with fips %define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0} %{!?_pkgdocdir:%global _pkgdocdir %{_docdir}} # 1.0.0 soversion = 10 # 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols # depends on build configuration options) %define soversion 1.1 Summary: Secure Sockets Layer Toolkit Name: openssl Version: 1.1.1i Release: 1%{_dist_release} Group: system,security Vendor: Project Vine Distribution: Vine Linux Packager: daisuke, iwamoto License: BSDish URL: http://www.openssl.org/ # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. Source: openssl-%{version}-hobbled.tar.xz Source1: hobble-openssl Source2: Makefile.certificate Source6: make-dummy-cert Source7: renew-dummy-cert Source9: opensslconf-new.h Source10: opensslconf-new-warning.h Source11: README.FIPS Source12: ec_curve.c Source13: ectest.c # Build changes Patch1: openssl-1.1.1f-build.patch Patch2: openssl-1.1.0-defaults.patch Patch3: openssl-1.1.0-no-html.patch Patch4: openssl-1.1.1-man-rename.patch # Bug fixes Patch21: openssl-1.1.0-issuer-hash.patch # Functionality changes Patch31: openssl-1.1.1-conf-paths.patch Patch32: openssl-1.1.1-version-add-engines.patch Patch33: openssl-1.1.1-apps-dgst.patch Patch36: openssl-1.1.1-no-brainpool.patch Patch37: openssl-1.1.1-ec-curves.patch Patch38: openssl-1.1.1-no-weak-verify.patch Patch40: openssl-1.1.1-disable-ssl3.patch Patch41: openssl-1.1.1-system-cipherlist.patch Patch42: openssl-1.1.1-fips.patch Patch44: openssl-1.1.1-version-override.patch Patch45: openssl-1.1.1-weak-ciphers.patch Patch46: openssl-1.1.1-seclevel.patch Patch48: openssl-1.1.1-fips-post-rand.patch Patch49: openssl-1.1.1-evp-kdf.patch Patch50: openssl-1.1.1-ssh-kdf.patch Patch51: openssl-1.1.1-intel-cet.patch Patch60: openssl-1.1.1-krb5-kdf.patch Patch61: openssl-1.1.1-edk2-build.patch Patch62: openssl-1.1.1-fips-curves.patch Patch65: openssl-1.1.1-fips-drbg-selftest.patch Patch66: openssl-1.1.1-fips-dh.patch Patch67: openssl-1.1.1-kdf-selftest.patch Patch69: openssl-1.1.1-alpn-cb.patch Patch70: openssl-1.1.1-rewire-fips-drbg.patch # Backported fixes including security fixes Patch52: openssl-1.1.1-s390x-update.patch Patch53: openssl-1.1.1-fips-crng-test.patch Patch55: openssl-1.1.1-arm-update.patch Patch56: openssl-1.1.1-s390x-ecc.patch # security fix # none BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: perl, sed BuildRequires: zlib-devel, krb5-devel BuildRequires: lksctp-tools-devel Requires: mktemp Requires: ca-certificates %define solibbase %(echo %version | sed 's/[[:alpha:]]//g') %description The OpenSSL certificate management tool and the shared libraries that provide various cryptographic algorithms and protocols. %package devel Summary: OpenSSL libraries and development headers. Group: programming Requires: %{name} = %{version}-%{release} Requires: krb5-devel %description devel The static libraries and include files needed to compile apps with support for various the cryptographic algorithms and protocols supported by OpenSSL. Patches for many networking apps can be found at: ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/ %package static Summary: Libraries for static linking of applications which will use OpenSSL Group: programming Requires: %{name}-devel = %{version}-%{release} %description static OpenSSL is a toolkit for supporting cryptography. The openssl-static package contains static libraries needed for static linking of applications which support various cryptographic algorithms and protocols. %package perl Summary: OpenSSL scripts which require Perl. Group: security Requires: %{name} = %{version}-%{release} Requires: perl %description perl Perl scripts provided with OpenSSL for converting certificates and keys from other formats to those used by OpenSSL. ## to build compat32 for x86_64 architecture support %package -n compat32-%{name} Summary: Secure Sockets Layer Toolkit Group: system Requires: %{name} = %{version}-%{release} %description -n compat32-%{name} The OpenSSL certificate management tool and the shared libraries that provide various cryptographic algorithms and protocols. %package -n compat32-%{name}-devel Summary: OpenSSL libraries and development headers. Group: programming Requires: compat32-%{name} = %{version}-%{release} Requires: compat32-krb5-devel %description -n compat32-%{name}-devel The static libraries and include files needed to compile apps with support for various the cryptographic algorithms and protocols supported by OpenSSL. %debug_package %prep %setup -q -n %{name}-%{version} # The hobble_openssl is called here redundantly, just to be sure. # The tarball has already the sources removed. %{SOURCE1} > /dev/null cp %{SOURCE12} crypto/ec/ cp %{SOURCE13} test/ %patch1 -p1 -b .build %{?_rawbuild} %patch2 -p1 -b .defaults %patch3 -p1 -b .no-html %{?_rawbuild} %patch4 -p1 -b .man-rename %patch21 -p1 -b .issuer-hash %patch31 -p1 -b .conf-paths %patch32 -p1 -b .version-add-engines %patch33 -p1 -b .dgst %patch36 -p1 -b .no-brainpool %patch37 -p1 -b .curves %patch38 -p1 -b .no-weak-verify %patch40 -p1 -b .disable-ssl3 %patch41 -p1 -b .system-cipherlist %if %{with fips} %patch42 -p1 -b .fips %endif %if %{with fips} %patch44 -p1 -b .version-override %endif %patch45 -p1 -b .weak-ciphers %if %{with fips} %patch46 -p1 -b .seclevel %patch49 -p1 -b .evp-kdf %patch50 -p1 -b .ssh-kdf %patch51 -p1 -b .upstream-sync #patch52 -p1 -b .s390x-update %endif %if %{with fips} %patch53 -p1 -b .crng-test %endif #patch55 -p1 -b .arm-update #patch56 -p1 -b .s390x-ecc %if %{with fips} %patch60 -p1 -b .krb5-kdf %patch61 -p1 -b .edk2-build %patch62 -p1 -b .fips-curves %patch65 -p1 -b .drbg-selftest %patch66 -p1 -b .fips-dh %patch67 -p1 -b .kdf-selftest %endif %patch69 -p1 -b .alpn-cb %if %{with fips} %patch70 -p1 -b .rewire-fips-drbg %endif # security fix # none %build # Figure out which flags we want to use. # default sslarch=%{_os}-%{_target_cpu} # %ifarch %ix86 sslarch=linux-elf if ! echo %{_target} | grep -q i686 ; then sslflags="no-asm 386" fi %endif %ifarch x86_64 sslflags=enable-ec_nistp_64_gcc_128 %endif # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be # marked as not requiring an executable stack. # Also add -DPURIFY to make using valgrind with openssl easier as we do not # want to depend on the uninitialized memory as a source of entropy anyway. RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS" export HASHBANGPERL=/usr/bin/perl perl -pi -e 's|/engines-|/%{name}/engines-|' ./Configurations/unix-Makefile.tmpl # ia64, x86_64, ppc are OK by default # Configure the build tree. Override OpenSSL defaults with known-good defaults # usable on all platforms. The Configure script already knows to use -fPIC and # RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \ enable-weak-ssl-ciphers \ no-mdc2 no-ec2m no-sm2 no-sm4 \ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update make all %if %{with fips} # Overwrite FIPS README cp -f %{SOURCE11} . %endif # Clean up the .pc files for i in libcrypto.pc libssl.pc openssl.pc ; do sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i done %check # Verify that what was compiled actually works. # Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check (sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \ (echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' && sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \ touch -r configdata.pm configdata.pm.new && \ mv -f configdata.pm.new configdata.pm) # We must revert patch31 before tests otherwise they will fail patch -p1 -R < %{PATCH31} # drop a recipe includes tests for brainpool curves (not supported by openssl-hobbled). rm -f test/recipes/80-test_ssl_new.t LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} export LD_LIBRARY_PATH OPENSSL_ENABLE_MD5_VERIFY= export OPENSSL_ENABLE_MD5_VERIFY OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE make test # Add generation of HMAC checksum of the final stripped library %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ %{nil} %define __provides_exclude_from %{_libdir}/openssl %install [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT # Install OpenSSL. install -d $RPM_BUILD_ROOT{/%{_lib},%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}} make DESTDIR=$RPM_BUILD_ROOT install mv $RPM_BUILD_ROOT%{_libdir}/lib*.so.%{soversion} $RPM_BUILD_ROOT/%{_lib}/ rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT/%{_lib}/*.so.%{soversion} for lib in $RPM_BUILD_ROOT/%{_lib}/*.so.%{version} ; do chmod 755 ${lib} ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT/%{_libdir}/`basename ${lib} .%{version}` ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion} done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert # Move runable perl scripts to bindir mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir} mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir} # Rename man pages so that they don't conflict with other system man pages. pushd $RPM_BUILD_ROOT%{_mandir} ln -s -f config.5 man5/openssl.cnf.5 for manpage in man*/* ; do if [ -L ${manpage} ]; then TARGET=`ls -l ${manpage} | awk '{ print $NF }'` ln -snf ${TARGET}ssl ${manpage}ssl rm -f ${manpage} else mv ${manpage} ${manpage}ssl fi done for conflict in passwd rand ; do rename ${conflict} ssl${conflict} man*/${conflict}* # Fix dangling symlinks manpage=man1/openssl-${conflict}.* if [ -L ${manpage} ] ; then ln -snf ssl${conflict}.1ssl ${manpage} fi done popd mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts # Ensure the config file timestamps are identical across builds to avoid # mulitlib conflicts and unnecessary renames on upgrade touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist # Determine which arch opensslconf.h is going to try to #include. basearch=%{_arch} %ifarch %{ix86} basearch=i386 %endif # Next step of gradual disablement of SSL3. # Make SSL3 disappear to newly built dependencies. sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\ #ifndef OPENSSL_NO_SSL3\ # define OPENSSL_NO_SSL3\ #endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h %ifarch %{multilib_arches} # Do an opensslconf.h switcheroo to avoid file conflicts on systems where you # can have both a 32- and 64-bit version of the library, and they each need # their own correct-but-different versions of opensslconf.h to be usable. install -m644 %{SOURCE10} \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h install -m644 %{SOURCE9} \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h %endif LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} export LD_LIBRARY_PATH %clean [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %{!?_licensedir:%global license %%doc} %license LICENSE %doc FAQ NEWS README %if %{with fips} %doc README.FIPS %endif %{_pkgdocdir}/Makefile.certificate %dir %{_sysconfdir}/pki/tls %dir %{_sysconfdir}/pki/tls/certs %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf %{_bindir}/make-dummy-cert %{_bindir}/renew-dummy-cert %{_bindir}/openssl %attr(0755,root,root) /%{_lib}/*.so.* %attr(0755,root,root) %{_libdir}/%{name}/engines-%{soversion} %dir %{_mandir}/man1* %{_mandir}/man1*/* %dir %{_mandir}/man5* %{_mandir}/man5*/* %dir %{_mandir}/man7* %{_mandir}/man7*/* %files devel %defattr(-,root,root) %{_prefix}/include/openssl %exclude %{_libdir}/lib*.a %attr(0755,root,root) %{_libdir}/*.so %attr(0644,root,root) %{_libdir}/pkgconfig/*.pc %dir %{_mandir}/man3* %{_mandir}/man3*/* %files static %defattr(-,root,root) %attr(0644,root,root) %{_libdir}/*.a %files perl %defattr(-,root,root) %{_bindir}/c_rehash %{_bindir}/*.pl %{_bindir}/tsget %{_mandir}/man1*/*.pl* %{_mandir}/man1*/c_rehash* %{_mandir}/man1*/tsget* %{_mandir}/man1*/openssl-tsget* %dir %{_sysconfdir}/pki/CA %dir %{_sysconfdir}/pki/CA/private %dir %{_sysconfdir}/pki/CA/certs %dir %{_sysconfdir}/pki/CA/crl %dir %{_sysconfdir}/pki/CA/newcerts ## to build compat32 for x86_64 architecture support %if %{build_compat32} %files -n compat32-%{name} %defattr(-,root,root) %attr(0755,root,root) /%{_lib}/*.so.* %files -n compat32-%{name}-devel %defattr(-,root,root) %exclude %{_libdir}/lib*.a %attr(0755,root,root) %{_libdir}/*.so %attr(0644,root,root) %{_libdir}/pkgconfig/*.pc %endif %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %post -n compat32-%{name} -p /sbin/ldconfig %postun -n compat32-%{name} -p /sbin/ldconfig %changelog * Wed Dec 09 2020 Tomohiro "Tomo-p" KATO 1.1.1i-1 - new upstream release. * Sat Nov 21 2020 Tomohiro "Tomo-p" KATO 1.1.1h-1 - new upstream release. - dropped Patch43: fixed in upstream. - imported Patch55-70 from rawhide. - updated Source13. * Sat Apr 25 2020 Tomohiro "Tomo-p" KATO 1.1.1g-1 - new upstream release. * Wed Apr 08 2020 Tomohiro "Tomo-p" KATO 1.1.1f-1 - new upstream release. - updated Patch1. - dropped Patch54: fixed in upstream. * Wed Mar 18 2020 Tomohiro "Tomo-p" KATO 1.1.1e-1 - new upstream release. - dropped Patch100 and 1000: fixed in upstream. * Fri Dec 20 2019 Tomohiro "Tomo-p" KATO 1.1.1d-2 - imported Patch1000 from upstream. * Fri Sep 13 2019 Tomohiro "Tomo-p" KATO 1.1.1d-1 - new upstream release. - updated Source12 and 13. - updated all patches. - imported Patch100 from upstream. * Sat Aug 24 2019 Tomohiro "Tomo-p" KATO 1.1.1c-1 - new upstream release. - updated Patch37 and 41. - imported Patch52-54 from rawhide. * Mon May 06 2019 Tomohiro "Tomo-p" KATO 1.1.1b-2 - fixed openssl.cnf * Sun May 05 2019 Tomohiro "Tomo-p" KATO 1.1.1b-1 - new upstream release. - imported Patch36 from rawhide. - updated Patch32. * Sat Dec 08 2018 Tomohiro "Tomo-p" KATO 1.1.1a-1 - new upstream release. - updated Patch2. - dropped Patch36 and 46: fixed in upstream. * Thu Nov 01 2018 Tomohiro "Tomo-p" KATO 1.1.1-2 - fixed symlinks. * Thu Nov 01 2018 Tomohiro "Tomo-p" KATO 1.1.1-1 - new upstream release (newest LTS version). - imported fedora stuff (except FIPS). * Sun Apr 1 2018 IWAI, Masaharu 1.0.2o-1 - new upstream release with security fixes * Sun Jan 21 2018 Satoshi IWAMOTO 1.0.2n-1 - new upstream release with security fixes * Wed Nov 15 2017 Satoshi IWAMOTO 1.0.2m-1 - new upstream release with security fixes * Sun Jan 29 2017 IWAI, Masaharu 1.0.2k-1 - new upstream release with security fixes * Thu May 5 2016 IWAI, Masaharu 1.0.2h-1 - new upstream release with security fixes * Wed Mar 9 2016 Satoshi IWAMOTO 1.0.2g-1 - new upstream release 1.0.2 with security fixes - Patch2 is merged into Patch0 * Mon Dec 28 2015 Satoshi IWAMOTO 1.0.1q-1 - new upstream release with security fixes * Fri Jul 10 2015 Satoshi IWAMOTO 1.0.1p-1 - new upstream release with security fixes * Wed Jul 1 2015 Satoshi IWAMOTO 1.0.1o-1 - new upstream release * Sun Apr 12 2015 Yoji TOYODA 1.0.1m-1 - merged into Vine6 * Fri Mar 20 2015 Satoshi IWAMOTO 1.0.1m-1 - new upstream release with security fixes - update Patch2,5 * Mon Jan 12 2015 Satoshi IWAMOTO 1.0.1k-1 - new upstream release with security fixes * Mon Oct 20 2014 Satoshi IWAMOTO 1.0.1j-1 - new upstream release with security fixes - add patch8 from fc21 (fix perl find.pl) * Fri Jun 6 2014 Tomohiro "Tomo-p" KATO 1.0.1h-1 - new upstream release with security fixes. * Tue Apr 8 2014 Satoshi IWAMOTO 1.0.1g-1 - new upstream release with security fixes * Thu Jan 9 2014 Satoshi IWAMOTO 1.0.1f-1 - new upstream release with security fixes * Tue Sep 24 2013 Daisuke SUZUKI 1.0.1e-2 - move root CA bundle to ca-certificates package * Tue Feb 12 2013 Daisuke SUZUKI 1.0.1e-1 - update to 1.0.1e - 1.0.1d has major regressions from 1.0.1c * Sat Feb 9 2013 IWAI, Masaharu 1.0.1d-2 - remove tsget script to delete dependency perl(WWW::Curl::Easy) - openssl-perl package contains it in docdir * Fri Feb 08 2013 Toshiharu Kudoh 1.0.1d-1 - new upstream release with security fix (CVE-2012-2686, CVE-2013-0166, 0169) - fixed %%files * Tue May 29 2012 Daisuke SUZUKI 1.0.1c-1 - update to 1.0.1c - enable configure options: enable-camellia enable-seed enable-tlsext enable-rfc3779 enable-cms enable-md2 - remove no-asm option from ai64/x86_64/ppc/ppc64/i686 - generate a table with the compile settings before configure * Fri Jan 20 2012 Satoshi IWAMOTO 1.0.0g-1 - new upstream release with security fix (CVE-2012-0050) * Fri Jan 6 2012 Satoshi IWAMOTO 1.0.0f-1 - new upstream release with security fix (CVE-2011-4108,09, CVE-2011-4576,77, CVE-2011-4619, CVE-2012-0027) * Wed Sep 7 2011 Satoshi IWAMOTO 1.0.0e-1 - new upstream release with security fix (CVE-2011-3207, 3210) * Sun Mar 20 2011 Satoshi IWAMOTO 1.0.0d-2 - rebuild with krb5-libs 1.8 * Fri Feb 11 2011 Satoshi IWAMOTO 1.0.0d-1 - new upstream release with security fix * Sat Jan 15 2011 Satoshi IWAMOTO 1.0.0c-4 - use upstream openssl.pc instead of vine original one (SOURCE6) * Sun Jan 9 2011 Satoshi IWAMOTO 1.0.0c-3 - move tsget to docs to delete dependency perl(WWW::Curl::Easy) * Sat Jan 1 2011 Satoshi IWAMOTO 1.0.0c-2 - add R: krb5-devel into devel pkg - add R: compat32-krb5-devel into compat32-devel pkg * Fri Dec 31 2010 Satoshi IWAMOTO 1.0.0c-1 - new upstream release 1.0.0x - separate static libs into static package - change configure options - change so version 10 - add tsget into perl package - update all patches * Thu Dec 30 2010 Satoshi IWAMOTO 0.9.8q-2 - fix changelog typo... * Tue Dec 7 2010 Satoshi IWAMOTO 0.9.8q-1 - new upstream release with security fix (CVE-2010-4180) * Wed Nov 17 2010 Satoshi IWAMOTO 0.9.8p-1 - new upstream release with security fix (CVE-2010-3864) - drop patches included in new release - update patch4 * Sun Jan 17 2010 Satoshi IWAMOTO 0.9.8k-5 - add patch12 for fix CVE-2009-3555 (renegotiation) * Fri Jan 15 2010 Satoshi IWAMOTO 0.9.8k-4 - add patch11 for fix CVE-2009-4355 (memory leak) * Tue Jun 23 2009 Satoshi IWAMOTO 0.9.8k-3 - add patch10 to fix CVE-2009-1377, 78, 79 (from fc11) * Mon Jun 22 2009 NAKAMURA Kenta 0.9.8k-2 - removed unnecessary %%if %{build_compat32} statements - removed lib*.a from devel package * Mon Mar 30 2009 Satosh IWAMOTO 0.9.8k-1 - new upstream release with security fix (CVE-2000-0590,0591,0789) * Sun Jan 11 2009 Satosh IWAMOTO 0.9.8j-1 - new upstream release with security fix (CVE-2008-5077) * Sat Sep 20 2008 Daisuke SUZUKI 0.9.8i-1 - new upstream release * Sat Jul 12 2008 Satosh IWAMOTO 0.9.8h-1 - new upstream release - new versioning policy * Sat Oct 27 2007 Daisuke SUZUKI 0.9.8g-0vl1 - new upstream release - drop patch10,20 which is merged in upstream * Fri Sep 28 2007 MATSUBAYASHI Kohji 0.9.8e-0vl3 - add security patch in advance for CVE-2007-5135 http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded http://marc.info/?l=openssl-cvs&m=119020417919619&w=2 * Fri Aug 10 2007 MATSUBAYASHI Kohji 0.9.8e-0vl2 - add security patch for CVE-2007-3108 (http://openssl.org/news/patch-CVE-2007-3108.txt) * Tue May 15 2007 Daisuke SUZUKI 0.9.8e-0vl1 - new upstream release * Sun Dec 24 2006 Satosh IWAMOTO 0.9.7l-0vl2 - update (fix) openssl.pc * Fri Sep 29 2006 Satosh IWAMOTO 0.9.7l-0vl1 - new upstream release (with security fix) * Mon Sep 11 2006 Satosh IWAMOTO 0.9.7k-0vl1 - new upstream release - add patch2 to use RPM_OPT macro * Mon Feb 06 2006 Shu KONNO 0.9.7i-0vl3 - moved macros _lib to /usr/lib/rpm/rpmrc or macros files * Fri Feb 03 2006 Shu KONNO 0.9.7i-0vl2 - added compat32-* packages for x86_64 architecture support - added openssl-0.9.7i.Configure-compat32.patch - changed '/lib' to '/%{_lib}' * Mon Oct 17 2005 Daisuke SUZUKI 0.9.7i-0vl1 - new upstream release * Mon Jan 31 2005 Daisuke SUZUKI 0.9.7d-0vl4 - rebuild on VineSeed * Sun Jan 09 2005 IKEDA Katsumi 0.9.7d-0vl3.1 - added a security patch from Gentoo. - Patch1: openssl-0.9.7c-tempfile.patch * Sun Mar 28 2004 MATSUBAYASHI Kohji 0.9.7d-0vl3 - sslarch for ppc was missing... added. * Fri Mar 26 2004 Tomoya TAKA 0.9.7d-0vl2 - use sslarch=linux-alpha-gcc instead of alpha-gcc * Mon Mar 22 2004 Satoshi MACHINO 0.9.7d-0vl1 - new upstream version - clean up of spec file -- removed old patches * Sat Mar 20 2004 Daisuke SUZUKI 0.9.6m-0vl1 - new upstream release - SECURITY fix. - http://www.openssl.org/news/secadv_20040317.txt * Wed Oct 1 2003 Daisuke SUZUKI 0.9.6k-0vl1 - new upstream release - [Security fix] - Vulnerabilities in ASN.1 parsing http://www.openssl.org/news/secadv_20030930.txt - see %{_docdir}/%{name}-%{version}/CHANGES for other changes * Wed Jun 04 2003 HOTTA Michihide 0.9.6j-0vl2 - add openssl.pc for pkgconfig * Tue Mar 11 2003 Satoshi MACHINO 0.9.6j-0vl1 - New upstream version - dropped patch10, 11 -- merged upstream version * Sun Feb 23 2003 Daisuke SUZUKI 0.9.6i-0vl1 - rebuild for VineSeed * Sun Feb 23 2003 Daisuke SUZUKI 0.9.6i-0vl0.26.1 - [Security Fix] - Timing-based attacks on RSA keys http://www.openssl.org/news/secadv_20030317.txt - Klima-Pokorny0Rosa attack on RSA in SSL/TLS http://www.openssl.org/news/secadv_20030317.txt * Sun Feb 23 2003 Daisuke SUZUKI 0.9.6i-0vl0.26 - new upstream release 0.9.6i - [Security Fix] - build for Vine Linux 2.6 errata * Mon Nov 18 2002 Daisuke SUZUKI 0.9.6h-0vl1 - new upstream release 0.9.6h * Mon Nov 18 2002 Daisuke SUZUKI 0.9.6g-0vl1 - new upstream release 0.9.6g * Mon Oct 28 2002 IWAI Masaharu 0.9.6b-1vl6 - SECURITY: CAN-2002-0659 fixed - added Patch101 from RedHat 7.2 updates 0.9.6b-28 * Fri Aug 02 2002 Nalin Dahyabhai 0.9.6b-28 - update asn patch to fix accidental reversal of a logic check * Thu Aug 01 2002 Nalin Dahyabhai 0.9.6b-27 - update asn patch to reduce chance that compiler optimization will remove one of the added tests * Thu Aug 01 2002 Nalin Dahyabhai 0.9.6b-26 - rebuild * Tue Jul 30 2002 Nalin Dahyabhai 0.9.6b-25 - add patch to fix ASN.1 vulnerabilities * Wed Jul 31 2002 IWAI Masaharu 0.9.6b-1vl5 - rename spec file name - SECURITY: CA-2002-23 fixed - added Patch100 from RedHat 7.2 updates 0.9.6b-24 * Thu Jul 25 2002 Nalin Dahyabhai 0.9.6b-24 - add backport of Ben Laurie's patches for OpenSSL 0.9.6d * Mon Sep 10 2001 Satoshi MACHINO 0.9.6b-1vl4 - added ${PATH} in LD_LIBRARY_PATH - added install -m 755 *.so.* $RPM_BUILD_ROOT%{_libdir} in %install * Sun Jul 15 2001 Daisuke SUZUKI 0.9.6b-1vl3 - remove --no- * Sun Jul 15 2001 Daisuke SUZUKI 0.9.6b-1vl2 - add Patch10 for mipsel shared ( Configure ) * Sat Jul 14 2001 Daisuke SUZUKI 0.9.6b-1vl1 - build for Vine Linux - use openssl-engine-0.9.6b.tar.gz * Wed Jul 11 2001 Nalin Dahyabhai - update to 0.9.6b * Thu Jul 5 2001 Nalin Dahyabhai - move .so symlinks back to %%{_libdir} * Tue Jul 3 2001 Nalin Dahyabhai - move shared libraries to /lib (#38410) * Mon Jun 25 2001 Nalin Dahyabhai - switch to engine code base * Mon Jun 18 2001 Nalin Dahyabhai - add a script for creating dummy certificates - move man pages from %%{_mandir}/man?/foo.?ssl to %%{_mandir}/man?ssl/foo.? * Thu Jun 07 2001 Florian La Roche - add s390x support * Fri Jun 1 2001 Nalin Dahyabhai - change two memcpy() calls to memmove() - don't define L_ENDIAN on alpha * Tue May 15 2001 Nalin Dahyabhai - make subpackages depend on the main package * Tue May 1 2001 Nalin Dahyabhai - adjust the hobble script to not disturb symlinks in include/ (fix from Joe Orton) * Thu Apr 26 2001 Nalin Dahyabhai - drop the m2crypo patch we weren't using * Tue Apr 24 2001 Nalin Dahyabhai - configure using "shared" as well * Sun Apr 8 2001 Nalin Dahyabhai - update to 0.9.6a - use the build-shared target to build shared libraries - bump the soversion to 2 because we're no longer compatible with our 0.9.5a packages or our 0.9.6 packages - drop the patch for making rsatest a no-op when rsa null support is used - put all man pages into
ssl instead of
- break the m2crypto modules into a separate package * Tue Mar 13 2001 Nalin Dahyabhai - use BN_LLONG on s390 * Mon Mar 12 2001 Nalin Dahyabhai - fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit) * Sat Mar 3 2001 Nalin Dahyabhai - move c_rehash to the perl subpackage, because it's a perl script now * Fri Mar 2 2001 Nalin Dahyabhai - update to 0.9.6 - enable MD2 - use the libcrypto.so and libssl.so targets to build shared libs with - bump the soversion to 1 because we're no longer compatible with any of the various 0.9.5a packages circulating around, which provide lib*.so.0 * Wed Feb 28 2001 Florian La Roche - change hobble-openssl for disabling MD2 again * Tue Feb 27 2001 Nalin Dahyabhai - re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152 bytes or so, causing EVP_DigestInit() to zero out stack variables in apps built against a version of the library without it * Mon Feb 26 2001 Nalin Dahyabhai - disable some inline assembly, which on x86 is Pentium-specific - re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all) * Thu Feb 08 2001 Florian La Roche - fix s390 patch * Fri Dec 8 2000 Than Ngo - added support s390 * Mon Nov 20 2000 Nalin Dahyabhai - remove -Wa,* and -m* compiler flags from the default Configure file (#20656) - add the CA.pl man page to the perl subpackage * Thu Nov 2 2000 Nalin Dahyabhai - always build with -mcpu=ev5 on alpha * Tue Oct 31 2000 Nalin Dahyabhai - add a symlink from cert.pem to ca-bundle.crt * Wed Oct 25 2000 Nalin Dahyabhai - add a ca-bundle file for packages like Samba to reference for CA certificates * Tue Oct 24 2000 Nalin Dahyabhai - remove libcrypto's crypt(), which doesn't handle md5crypt (#19295) * Mon Oct 2 2000 Nalin Dahyabhai - add unzip as a buildprereq (#17662) - update m2crypto to 0.05-snap4 * Tue Sep 26 2000 Bill Nottingham - fix some issues in building when it's not installed * Wed Sep 6 2000 Nalin Dahyabhai - make sure the headers we include are the ones we built with (aaaaarrgh!) * Fri Sep 1 2000 Nalin Dahyabhai - add Richard Henderson's patch for BN on ia64 - clean up the changelog * Tue Aug 29 2000 Nalin Dahyabhai - fix the building of python modules without openssl-devel already installed * Wed Aug 23 2000 Nalin Dahyabhai - byte-compile python extensions without the build-root - adjust the makefile to not remove temporary files (like .key files when building .csr files) by marking them as .PRECIOUS * Sat Aug 19 2000 Nalin Dahyabhai - break out python extensions into a subpackage * Mon Jul 17 2000 Nalin Dahyabhai - tweak the makefile some more * Tue Jul 11 2000 Nalin Dahyabhai - disable MD2 support * Thu Jul 6 2000 Nalin Dahyabhai - disable MDC2 support * Sun Jul 2 2000 Nalin Dahyabhai - tweak the disabling of RC5, IDEA support - tweak the makefile * Thu Jun 29 2000 Nalin Dahyabhai - strip binaries and libraries - rework certificate makefile to have the right parts for Apache * Wed Jun 28 2000 Nalin Dahyabhai - use %%{_perl} instead of /usr/bin/perl - disable alpha until it passes its own test suite * Fri Jun 9 2000 Nalin Dahyabhai - move the passwd.1 man page out of the passwd package's way * Fri Jun 2 2000 Nalin Dahyabhai - update to 0.9.5a, modified for U.S. - add perl as a build-time requirement - move certificate makefile to another package - disable RC5, IDEA, RSA support - remove optimizations for now * Wed Mar 1 2000 Florian La Roche - Bero told me to move the Makefile into this package * Wed Mar 1 2000 Florian La Roche - add lib*.so symlinks to link dynamically against shared libs * Tue Feb 29 2000 Florian La Roche - update to 0.9.5 - run ldconfig directly in post/postun - add FAQ * Sat Dec 18 1999 Bernhard Rosenkrdnzer - Fix build on non-x86 platforms * Fri Nov 12 1999 Bernhard Rosenkrdnzer - move /usr/share/ssl/* from -devel to main package * Tue Oct 26 1999 Bernhard Rosenkrdnzer - inital packaging - changes from base: - Move /usr/local/ssl to /usr/share/ssl for FHS compliance - handle RPM_OPT_FLAGS