Upstream update available: opensc 0.26.1 → 0.27.1 #1

Open
opened 2026-04-28 01:37:51 +03:00 by sbelikov · 0 comments

Upstream update available: opensc 0.26.1 → 0.27.1

Package

  • Package: opensc
  • RPM name: opensc
  • Branch: niceos-5.2
  • Current EVR: 0.26.1-1
  • Update class: minor
  • Compare method: python_rpm
  • Update policy: leaf
  • Risk tags: github-upstream, patch-debt

Upstream

  • Upstream type: github
  • Upstream project: OpenSC/OpenSC
  • Upstream URL: https://github.com/OpenSC/OpenSC
  • Detected version: 0.27.1
  • Tag/release: 0.27.1
  • Source: github_release_latest
  • Published: 2026-03-31T12:36:41Z
  • Release URL: https://github.com/OpenSC/OpenSC/releases/tag/0.27.1
  • Source URL: https://api.github.com/repos/OpenSC/OpenSC/tarball/0.27.1
  • Pre-release: False

Signals

  • Security-relevant keywords detected: True
  • Policy blocked: False
  • Policy reason: -
  • Labels: ai-summary, bot, needs-build, needs-triage, priority/high, security-release, update/minor, upstream-update, upstream/github

NiceSOFT AI preliminary stability analysis

Analysis of Upstream Update for opensc in NAI.S.OS


1. Risk Level

The update is classified as a minor patch (minor version: 0.27.1), with risk tags github-upstream and patch-debt.

  • Risk Factors:
    • Security Vulnerabilities: The release notes mention critical fixes (e.g., CVE-2024-8443, 45615, 45616), which address heap buffer overflows and uninitialized value usage in the OpenPGP and libopensc drivers.
    • Patch Debt: The update is a patch (minor version), but the CVEs indicate serious security risks that require immediate attention.
    • Upstream Dependency: The package is updated from the upstream repository, but the patch may not address all critical issues (e.g., the CVEs mentioned are resolved in this version).

2. Presence of CVEs

The release notes explicitly list three critical vulnerabilities (CVE-2024-8443, 45615, 45616) that were fixed in version 0.27.1. These include:

  • CVE-2024-8443: Heap buffer overflow in the OpenPGP driver.
  • CVE-2024-45615: Uninitialized values in libopensc and pkcs15init.
  • CVE-2024-45616: Uninitialized values in APDU response handling.

These vulnerabilities were resolved in the update, but the patch-debt tag suggests that the update is not a full release and may not address all potential issues.


3. ABI/API Risks

  • No API Changes: The release notes do not mention any API-breaking changes or compatibility issues.
  • Potential Risks:
    • The update may include minor changes (e.g., bug fixes, configuration tweaks) but no major API shifts.
    • Users should verify that their existing code (e.g., scripts, drivers, or custom modules) is compatible with the new version.

4. RPM Build Issues

  • Package Status: The package is listed as non-maintainer uploaded (e.g., in Arch Linux's repository: opensc 0.27.1-1).
  • Potential Issues:
    • The package may lack proper signing or security audits, raising concerns about unverified updates.
    • Users should verify the package's authenticity (e.g., via checksums or trusted sources) before installation.

5. Impact on the System

  • Security: The update addresses critical vulnerabilities (CVEs), reducing the risk of exploits or data breaches.
  • Stability: The update is a minor patch, so the system should remain stable unless there are unreported

Sources found by web_search

  1. GitHub release API: OpenSC/OpenSC 0.27.1 (https://github.com/OpenSC/OpenSC/releases/tag/0.27.1)
  2. GitHub tag page: OpenSC/OpenSC 0.27.1 (https://github.com/OpenSC/OpenSC/tree/0.27.1)
  3. GitHub releases page: OpenSC/OpenSC (https://github.com/OpenSC/OpenSC/releases)
  4. GitHub compare page: OpenSC/OpenSC 0.26.1...0.27.1 (https://github.com/OpenSC/OpenSC/compare/0.26.1...0.27.1)
  5. Arch Linux - opensc 0.27.1-1 (x86_64) (https://archlinux.org/packages/extra/x86_64/opensc/)
  6. OpenSC/OpenSC 0.27.1 on GitHub - NewReleases.io (https://newreleases.io/project/github/OpenSC/OpenSC/release/0.27.1)
  7. Releases · OpenSC/OpenSC - GitHub | Release Alert (https://releasealert.dev/github/OpenSC/OpenSC)
  8. tracker.debian.org (https://tracker.debian.org/media/packages/o/opensc/changelog-0.27.1-1)

Upstream release notes / description

Edit 2026-04-18: Replaced the MacOS release binary because a wrongly signed one was originally uploaded (see #3654).

New in 0.27.1; 2026-03-31

  • Bugfix release to fix up infrastructure issues. There were no 0.27.0 artifacts published.

New in 0.27.0; 2026-03-30

Security

  • CVE-2025-13763: Several uses of potentially uninitialized memory detected by fuzzers
  • CVE-2025-49010: Possible write beyond buffer bounds during processing of GET RESPONSE APDU
  • CVE-2025-66215: Possible write beyond buffer bounds in oberthur driver
  • CVE-2025-66038: Possible read beyond buffer bounds when parsing historical bytes in PIV driver
  • CVE-2025-66037: Possible buffer overrun while parsing SPKI
  • More low-severity data handling issues when parsing profile configuration

General improvements

  • Added support for PKCS#11 3.2 in tools and pkcs11-spy and p11test (#3510)
  • Added support for Ed448, X448 mechanisms and improve support for
    Edwards and montgomery keys in general (#3090)
  • Support CKA_PUBKEY_KEY_INFO PKCS#11 attribute (#3090)
  • Various refactoring of autotools build system
  • Remove obsolete tokend support (#3285)
  • Run tests against different software PKCS#11 tokens kryoptic and NSS softokn (#3365)
  • Removed internal caching for current EF/DF (#3403)
  • Correctly detect OS-level FIPS mode in OpenSSL automatically (#3551)
    or through custom configuration file (#3525)
  • Added support for Brainpool twisted curves to pkcs11-tool and SC-HSM (#3601)

PC/SC

  • Handle case when smart card is removed and inserted between two subsequent calls to
    refresh_attributes() (#2803)

EsteID

  • Add support for EstEID 2025 (#3392)
  • Implement FinEID 4.0/4.1 support (#3505)
  • Add Latvian IDEMIA Cosmo X card support (#3503)
  • Check if PIN is locked and hint CKF_USER_PIN_TO_BE_CHANGED (#3490)
  • Remove obsolete FinEID cards (#3522)
  • Add Latvian Cosmo 8.2 card support (#3521)

D-Trust

  • Prevent unnecessary PIN prompts on pinpad readers (#3266)
  • Support for D-Trust Card 5.1 & 5.4 (#3137)
  • Implement PIN change and unblock in dtrust-tool (#3137)

Belpic

  • Add support for belpic applet version 1.8 (#3308)

OpenPGP

  • Implement key derived PIN format (KDF-DO) as per OpenPGP card spec v3.3 (#3398)

IDPrime

  • Implement 5110+ FIPS and 5110 CC (940) derive support (#3483)

Windows

  • Update to Wix 6 (#3435)
  • Fix C_WaitForSlotEvent() not working in Windows (#2919)
  • remove pkcs11-register from autostart (#3354)

MacOS

  • Installer images are now notarized (#3536)

pkcs11-tool

  • Added support for ML-DSA, ML-KEM, SLH-DSA keys from PKCS#11 3.2 (#3510)
  • Improve support for Edwards and montgomery keys and
    add derive key support for CKK_MONTGOMERY (#3090)
  • Add support for ChaCha20 and Poly1305 (#3339)
  • Add support for AES CTR in decrypt_data() and encrypt_data() (#3338)
  • Add initial support for PKCS#11 URIs (#3289)
  • Print more information about RSA keys (#3623)

New Contributors

  • @GeorgePantelakis made their first contribution in #3254
  • @tinyboxvk made their first contribution in #3260
  • @dgalling made their first contribution in #3281
  • @botovq made their first contribution in #3306
  • @tpetazzoni made their first contribution in #3303
  • @Mironenko made their first contribution in #3326
  • @cdanger made their first contribution in #3324
  • @D4ryus made their first contribution in #3386
  • @vssldmtrv made their first contribution in #3415
  • @hendrikdonner made their first contribution in #3405
  • @antimeme made their first contribution in #3428
  • @citypw made their first contribution in #3421
  • @marcwillert made their first contribution in #3445
  • @hardening made their first contribution in #3493
  • @pavelkohout396 made their first contribution in #3546
  • @daloic made their first contribution in #3587
  • @gkapetanakis made their first contribution in #3625

Full Changelog: https://github.com/OpenSC/OpenSC/compare/0.26.0...0.27.1

NiceOS maintainer checklist

  • Confirm that the detected version is a stable upstream release.
  • Check upstream changelog for security fixes, ABI/API changes and build-system changes.
  • Check ABI/API compatibility and reverse dependencies.
  • Download source into NiceOS lookaside storage.
  • Update Version and related fields in SPECS/*.spec only if policy allows it.
  • Regenerate SOURCES/sources.lock.json, manifests, metadata and SBOM.
  • Build SRPM/RPM in a clean NiceOS buildroot.
  • Run package smoke tests.
  • Link PR/build logs and close this issue after update or triage.

Bot metadata

  • Tool: niceos_upstream_monitor.py 2.1.3-local-websearch-github-release-pages
  • Generated at: 2026-06-15T00:18:42Z