-
Tue Feb 12 2019 Anderson Sasaki <ansasaki@redhat.com> 3.3.29-9
- Make sure the FIPS startup KAT selftest run for ECDSA (#1673919)
-
Fri Jul 20 2018 Anderson Sasaki <ansasaki@redhat.com> 3.3.29-8
- Backported --sni-hostname option which allows overriding the hostname
advertised to the peer (#1444792)
- Improved counter-measures in TLS CBC record padding for lucky13 attack
(CVE-2018-10844, #1589704, CVE-2018-10845, #1589707)
- Added counter-measures for "Just in Time" PRIME + PROBE cache-based attack
(CVE-2018-10846, #1589708)
- Address p11tool issue in object deletion in batch mode (#1375307)
- Backport PKCS#11 tests from master branch. Some tests were disabled due to
unsupported features in 3.3.x (--load-pubkey and --test-sign options, ECC key
generation without login, and certificates do not inherit ID from the private
key)
- p11tool explicitly marks certificates and public keys as NOT private objects
and private keys as private objects
- Enlarge buffer size to support resumption with large keys (#1542461)
- Legacy HMAC-SHA384 cipher suites were disabled by default
- Added DSA key generation to p11tool (#1464896)
- Address session renegotiation issue using client certificate (#1434091)
- Address issue when importing private keys into Atos HSM (#1460125)
-
Fri May 26 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.26-9
- Address crash in OCSP status request extension, by eliminating the
unneeded parsing (CVE-2017-7507, #1455828)
-
Wed Apr 26 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.26-7
- Address interoperability issue with 3.5.x (#1388932)
- Reject CAs which are both trusted and blacklisted in trust module (#1375303)
- Added new functions to set issuer and subject ID in certificates (#1378373)
- Reject connections with less than 1024-bit DH parameters (#1335931)
- Fix issue that made GnuTLS parse only the first 32 extensions (#1383748)
- Mention limitations of certtool in manpage (#1375463)
- Read PKCS#8 files with HMAC-SHA256 -as generated by openssl 1.1 (#1380642)
- Do not link directly to trousers but instead use dlopen (#1379739)
- Fix incorrect OCSP validation (#1377569)
- Added support for pin-value in PKCS#11 URIs (#1379283)
- Added the --id option to p11tool (#1399232)
- Improved sanity checks in RSA key generation (#1444780)
- Addressed CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337,
CVE-2017-7869
-
Tue Jul 12 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.24-1
- Addressed issue with DSA public keys smaller than 2^1024 (#1238279)
- Addressed two-byte buffer overflow in the DTLS-0.9 protocol (#1209365)
- When writing certificates to smart cards write the CKA_ISSUER and
CKA_SERIAL_NUMBER fields to allow NSS reading them (#1272179)
- Use the shared system certificate store (#1110750)
- Address MD5 transcript collision attacks in TLS key exchange (#1289888,
CVE-2015-7575)
- Allow hashing data over 2^32 bytes (#1306953)
- Ensure written PKCS#11 public keys are not marked as private (#1339453)
- Ensure secure_getenv() is called on all uses of environment variables
(#1344591).
- Fix issues related to PKCS #11 private key listing on certain HSMs
(#1351389)
-
Fri Jun 05 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-13
- Corrected reseed and respect of max_number_of_bits_per_request in
FIPS140-2 mode. Also enhanced the initial tests. (#1228199)
-
Mon Jan 05 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-12
- corrected fix of handshake buffer resets (#1153106)
-
Thu Dec 11 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-11
- Applied fix for urandom FD in FIPS140 mode (#1165047)
- Applied fix for FIPS140-2 related regression (#1110696)
-
Tue Dec 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-10
- Amended fix for urandom FD to avoid regression in FIPS140 mode (#1165047)
-
Tue Nov 18 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-9
- Amended fix for FIPS enforcement issue (#1163848)
- Fixed issue with applications that close all file descriptors (#1165047)