[openssl-announce] This list is now moderated
This list is now moderated, again. As some already noticed, this list was unmoderated for a short while. That was an error on our part and it has now been corrected. Apologies for the inconvenience. On behalf of the OpenSSL team, Richard -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ ___ openssl-announce mailing list openssl-announce@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-announce
OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL Security Advisory [6th November 2023] = Excessive time spent in DH check / generation with large Q parameter value (CVE-2023-5678) == Severity: Low Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. The fix is also available in commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 (for 3.1) and commit db925ae2e65d0d925adef429afc37f75bd1c2017 (for 3.0). It is available to premium support customers in commit 710fee740904b6290fef0dd5536fbcedbc38ff0c (for 1.1.1) and in commit 34efaef6c103d636ab507a0cc34dca4d3aecc055 (for 1.0.2). This issue was reported on 16th August 2023 by David Benjamin (Google). The fix was developed by Richard Levitte. General Advisory Notes == URL for this Security Advisory: https://www.openssl.org/news/secadv/20231106.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/general/security-policy.html -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmVJCvoACgkQ1enkP335 7oytjRAAl2eNIEk0dNel7QoTFCTyXFl7IWUqWqNqx1WEr4oD/2SnFiOtQzOGl1U2 +Wr7y0GBz1cfY7xj5yw3JBajnq8v92rWHXfLheN4makflwhHwjx/faX/uTGey5Xp +5ZdKZTnkSMC4gY4gS3/SWlmyHZAYVjs/OJIlKXNYRl0q+91OBydQEcixvetIF+c tdog1im+92xvkOtm6RfYJXEg84keft4twzw+xxeiFQ8c856SvBOSEtIhewpF9gyo mP2QS8/Ne6zeLXuw52pbwc/nXSXR1qPSwv+PDcDMIaVtAKYthdMbsugW05pNori1 +bjbDQ9lM+No+jtbkWXObGKuXciWCnqGmKxgBIDCmpvTKSVJ2Bfnewy08a+nMkG4 ZNmvOpF53dqVAaJRMPPZURW5697cYteF1WDWen48rx+eEP96KGB0u/jPitF1yGWC larXfkpeoL8nK8c8BZS9wF1J8xUfH1TBzl78YdQInI6yNH1cIXCYquGPVYgJQU4O TIQwqYCghL2+c46AkooepW5E7ltWK7LHB/64BU7BiTZeMKH+DO8L1YvFgliZLpzo v9n3amunUylXzdcDznt01PtIwzTsEAKioxl0Xq7k9EQyNAdx3BL21MifkjxofUTV 54AyaYXtBVHNxqsZrdv6wVGc7F23vqmhmtS5IpgPkxtDQzKWdYk= =FBln -END PGP SIGNATURE-
[ANNOUNCE] OpenSSL 0.9.6f released
-BEGIN PGP SIGNED MESSAGE- OpenSSL version 0.9.6f released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.6f of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release and incorporates several changes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES). The most significant changes are: o Various important bugfixes. We consider OpenSSL 0.9.6f to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.6f is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ [1] OpenSSL comes in the form of two distributions this time. The reasons for this is that we want to deploy the external crypto device support but don't want to have it part of the normal distribution just yet. The distribution containing the external crypto device support is popularly called engine, and is considered experimental. It's been fairly well tested on Unix and flavors thereof. If run on a system with no external crypto device, it will work just like the normal distribution. The distribution file names are: o openssl-0.9.6f.tar.gz [normal] MD5 checksum: 160ac38bd2784e633ed291d03f0087d4 o openssl-engine-0.9.6f.tar.gz [engine] MD5 checksum: 26f4b7189fb3ef9c701e961ffe101a95 The checksums were calculated using the following commands: openssl md5 openssl-0.9.6f.tar.gz openssl md5 openssl-engine-0.9.6f.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Ben Laurie Andy Polyakoff Ralf S. Engelschall Richard Levitte Geoff Thorpe Dr. Stephen Henson Bodo Möller Lutz JänickeUlf Möller -BEGIN PGP SIGNATURE- Version: 2.6.3ia Charset: noconv iQEVAwUBPVLvwPTy7ZjgbSyxAQGLEwgAuSbbdWdymu0/mgQVrWFt7vZO6F5pNmsA 5jgleiGnW1JQDBVCeFuCyuup7p8w5BOj4movpB88Ch+R+hVbz9klm53LhOhXbZsh QreLEALvenczMn2x3n5oorr7p5uf888AKj1l+tv5ZHl2ouW4lKU8+ONjIWJ+JtEV FWaUY9NHqU9CXGm87u7xXeL6GGpdM2Zxhzbn7486ghi6CpcEwI3pgQk8MKeCdi4S 1WFmJabfY1QgR/KKN4QUA1UlKSyaUvBkmFNXwjB/on+hAu2vKLpojiQRUlM8BzbO QMDmAf5q7ATV8FBD2HdQW9AHWXVI/J4WJpTIufVgaBASsp5R1tI9dg== =mZfD -END PGP SIGNATURE- -- Richard Levitte [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~levitte/ __ OpenSSL Project http://www.openssl.org Announcement Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL 0.9.6h released
-BEGIN PGP SIGNED MESSAGE- OpenSSL version 0.9.6h release correction = A small packaging fault was just discovered. In crypto/opensslv.h, the macro OPENSSL_VERSION_NUMBER has the value 0x00906080L when it should really be 0x0090608fL. The cause of this fault was a tagging error in our CVS repository. To solve this issue, the faulty has been corrected, and we have rebuilt the 0.9.6h distribution. The 0.9.6h [engine] distribution is unaffected by this. The corrected distribution is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ The distributed file name is: o openssl-0.9.6h.tar.gz MD5 checksum: 1a0c2bee9f6b0af95ce65106462411f5 The checksum was calculated using the following commands: openssl md5 openssl-0.9.6h.tar.gz Additionally, for those who don't really want to reload a full distribution, the following very small patch file is available: o openssl-0.9.6h.BOGUS-0.9.6h.patch Yours, The OpenSSL Project Team... Mark J. Cox Ben Laurie Andy Polyakov Ralf S. Engelschall Richard Levitte Geoff Thorpe Dr. Stephen Henson Bodo Möller Lutz JänickeUlf Möller -BEGIN PGP SIGNATURE- Version: 2.6.3ia Charset: noconv iQEVAwUBPfOxX/Ty7ZjgbSyxAQGcjAf8CZdNuDkbM7IO/PDT5HYTJVwGDdIhFmV2 znAu91zD/zrMICyQC0xjQSOs+j8/5bUzT8NTDjGlkc2DTIYZB/PAhyt5cEtMh8qz Q5h82tFmeHAmFr6xedJbbVNV5vjzA3Y/En97By1fl0aCMxnrW3NeIQmDAu5JZ9tg PQOXI47sBWV2YvaVjlQ87kjm8GyQkbtPFb3WYhNpWXi3//5FAz+6Mj4NEITw64Fs XM5M66jhoaIoGVt3i7w8LEokxE1x4SPbCNAQ24+UnudbCYeg/aB8Y309a4lorsVB npToQW+LTuQXst9jTHec9pDWD51CwVbviAKKXWLCl0KWxoay6OcUvA== =Jm+M -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Announcement Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL 0.9.7 beta 6 released
-BEGIN PGP SIGNED MESSAGE- The sixth beta release of OpenSSL 0.9.7 is now available from the OpenSSL FTP site URL: ftp://ftp.openssl.org/source/. This beta contains just a few fixes since beta 5. This is assumed to be the final beta. The final release of OpenSSL 0.9.7 has been rescheduled for somewhere between Friday 2002-12-27 to Monday 2002-12-30, mostly because of all the holidays around that time. To make sure that it will work correctly, please test beta 6 thoroughly, for example with your favorite piece of software, and please report back to us! Also, please test on as many platforms as you have available and you have time for, especially on less common platforms. If you're interested in helping further, please join the [EMAIL PROTECTED] list, where test requests on specific development snapshots will be announced. Changes between 0.9.7 beta 5 and 0.9.7 beta 6 include: o Solaris shared library fixes. o Support for new platforms: Linux 64-bit on Sparc v9 o Now only builds PIC code when shared library support is requested. o Makes symbolic links to or copies of manuals to cover all described functions. o Dynamic lock bugfixes. o Correct DES header protection macros for better backward compatibility. The full set of changes between 0.9.6{x} and 0.9.7 beta 5 include: o New library section OCSP. o Complete rewrite of ASN1 code. o CRL checking in verify code and openssl utility. o Extension copying in 'ca' utility. o Flexible display options in 'ca' utility. o Provisional support for international characters with UTF8. o Support for external crypto devices ('engine') is no longer a separate distribution. o New elliptic curve library section. o New AES (Rijndael) library section. o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, Linux x86_64, Linux 64-bit on Sparc v9 o Extended support for some platforms: VxWorks o Enhanced support for shared libraries. o Now only builds PIC code when shared library support is requested. o Support for pkg-config. o Lots of new manuals. o Makes symbolic links to or copies of manuals to cover all described functions. o Change DES API to clean up the namespace (some applications link also against libdes providing similar functions having the same name). Provide macros for backward compatibility (will be removed in the future). o Unify handling of cryptographic algorithms (software and engine) to be available via EVP routines for asymmetric and symmetric ciphers. o NCONF: new configuration handling routines. o Change API to use more 'const' modifiers to improve error checking and help optimizers. o Finally remove references to RSAref. o Reworked parts of the BIGNUM code. o Support for new engines: Broadcom ubsec, Accelerated Encryption Processing, IBM 4758. o A few new engines added in the demos area. o Extended and corrected OID (object identifier) table. o PRNG: query at more locations for a random device, automatic query for EGD style random sources at several locations. o SSL/TLS: allow optional cipher choice according to server's preference. o SSL/TLS: allow server to explicitly set new session ids. o SSL/TLS: support Kerberos cipher suites (RFC2712). Only supports MIT Kerberos for now. o SSL/TLS: allow more precise control of renegotiations and sessions. o SSL/TLS: add callback to retrieve SSL/TLS messages. o SSL/TLS: support AES cipher suites (RFC3268). The distribution file name is: o openssl-0.9.7-beta6.tar.gz MD5 checksum: 8877ea9643e4d6ac18476bc63015c450 The checksum was calculated using the following commands: openssl md5 openssl-0.9.7-beta5.tar.gz -BEGIN PGP SIGNATURE- Version: 2.6.3ia Charset: noconv iQEVAwUBPf9EYvTy7ZjgbSyxAQEXDAf/ScZf66H2Xyohs6qrRSLNwuCPIH9QyVCJ hzV8eZla8ETmzYQBwZY65+MdciBaVSwaSVOGFGgG++ZDXkD4tO7AppUUxacGzw3C OnzY5NKD5nZrUA7ns7aovBGh+okuozRSOYXendPHkizODnxXy259HtlRZ9vqTY9/ qBPTetptduHzMQadn0mviG6GWUu5m1W5jAFyFY+iD5t2BSilm/LHGQmyOg+1fPdS WHV/tpsrvvxYx1+unAkEMRCgViQfNoRq+HvzYQjGGIVukRHfElWluxuFoTOf3rcY NaAWalf33NXXQZEVv7QunppJMhJ8efhWVmae5BFFUU/8Qp06g4AeyA== =/D6x -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Announcement Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL 0.9.7a and 0.9.6i released
-BEGIN PGP SIGNED MESSAGE- OpenSSL version 0.9.7a and 0.9.6i released == OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.7a of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release and incorporates at least 11 changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES. We also release 0.9.6i, which contains the same security bugfix as 0.9.7a and a few more small bugfixes compared to 0.9.6h. The most significant changes are: o Security: Important security related bugfixes. [0.9.7a and 0.9.6i] o Enhanced compatibility with MIT Kerberos. [0.9.7a] o Can be built without the ENGINE framework. [0.9.7a] o IA32 assembler enhancements. [0.9.7a] o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. [0.9.7a] o Configuration: the no-err option now works properly. [0.9.7a] o SSL/TLS: now handles manual certificate chain building. [0.9.7a] o SSL/TLS: certain session ID malfunctions corrected. [0.9.7a] We consider OpenSSL 0.9.7a to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.7a is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ For those who want or have to stay with the 0.9.6 series of OpenSSL, we strongly recommend that you upgrade to OpenSSL 0.9.6i as soon as possible. It's available in the same location as 0.9.7a. The distribution file name is: o openssl-0.9.7a.tar.gz [normal] MD5 checksum: a0d3203ecf10989fdc61c784ae82e531 o openssl-0.9.6i.tar.gz [normal] MD5 checksum: 9c4db437c17e0b6412c5e4645b6fcf5c o openssl-engine-0.9.6i.tar.gz [engine] MD5 checksum: c9adc0596c630b31b999eba32fc0a6b3 The checksums were calculated using the following command: openssl md5 openssl-0.9.7a.tar.gz openssl md5 openssl-0.9.6i.tar.gz openssl md5 openssl-engine-0.9.6i.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Ben Laurie Andy Polyakov Ralf S. Engelschall Richard Levitte Geoff Thorpe Dr. Stephen Henson Bodo Möller Lutz JänickeUlf Möller -BEGIN PGP SIGNATURE- Version: 2.6.3ia Charset: noconv iQEVAwUBPlOJmPTy7ZjgbSyxAQHG4Qf+K6vX8kk9msYI3iD6zK3BSXzMFO0pCVNN 8OkUW7wsmAnoSRuT89jGTom0fmIi1eiQcOFUf1krlk7btJ4KRVEok/G2ooa4qOmq MU+4djKgM/LDlqzAbDfN7cEbWGPJeP4polPTgOBYqexBdwoTvJuX9m4LRgvK2enW BsJjqdsmsLqWlMmixpKsMHNXXyYqs8SGhdSR7SQlbCVNu6QabWi21NbKCvyJzhEq 5Bn9mUej60GHOdTNpRGwqWxBCvl/kAPnOP4ffj5mbQL+R9VYCeCy3BsjDmLdmDt9 xqxdXBxPqu/S1OnSnsTQeMk70o3qX0F6lgqhNUt6FtHynbxoAGAPcw== =KOdL -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Announcement Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL 0.9.7g released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 0.9.7g released == OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.7g of our open source toolkit for SSL/TLS. This new OpenSSL version is mainly a bugfix release and incorporates changes and bugfixes to the toolkit, but is also contains the new processing of proxy certificates (RFC 3820). For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES . The most significant changes are: o More compilation issues fixed. o Adaptation to more modern Kerberos API. o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. o Enhanced x86_64 assembler BIGNUM module. o More constification. o Added processing of proxy certificates (RFC 3820). We consider OpenSSL 0.9.7g to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.7g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.7g.tar.gz MD5 checksum: 991615f73338a571b6a1be7d74906934 SHA1 checksum: 008511ec9f0bcda4a431c3f0a0827e535b8c5c93 The checksums were calculated using the following command: openssl md5 openssl-0.9.7g.tar.gz openssl sha1 openssl-0.9.7g.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Ben Laurie Andy Polyakov Ralf S. Engelschall Richard Levitte Geoff Thorpe Dr. Stephen Henson Bodo Möller Ulf Möller Lutz JänickeNils Larsch -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFCWpwNp6+eePcJRTsRApIBAJwK431ohe5S0Z858ZQVq+9cduG1fwCgl60w FNrImhvazY+w+bREYoFy4Ok= =Y6xS -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Announcement Mailing List openssl-announce@openssl.org Automated List Manager [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL 0.9.8 released
Project Team... Mark J. Cox Nils Larsch Ulf Möller Ralf S. Engelschall Ben Laurie Andy Polyakov Dr. Stephen Henson Richard Levitte Geoff Thorpe Lutz JänickeBodo Möller -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFCyuIRp6+eePcJRTsRAmPlAJ9E/E0j4ckuIOVb+7xKFeQT0YjlnQCgtkVW yc0z6p3sqHBzvitdStyEuJI= =WBGr -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Announcement Mailing List openssl-announce@openssl.org Automated List Manager [EMAIL PROTECTED]