OpenSSL version 3.1.0-alpha1 published

2022-12-01 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.1 alpha 1 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.1 is currently in alpha.

   OpenSSL 3.1 alpha 1 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.1 from previous versions are
   available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.1.0-alpha1.tar.gz
  Size: 15343477
  SHA1 checksum:  91a7cbcb761c4bb8a460899bccddcbd5d047d3c3
  SHA256 checksum:  ef10f70023f4e3f701c434db0b4b0c8cfea1e1e473a0eb3c9ccbc5c54f5f5566

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.1.0-alpha1.tar.gz
openssl sha256 openssl-3.1.0-alpha1.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


[openssl/general-policies]

2022-11-21 Thread openssl-machine
  Branch: refs/heads/master
  Home:   https://github.com/openssl/general-policies


OpenSSL Security Advisory

2022-11-01 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [01 November 2022]
============================================

X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
==========================================================

Severity: High

A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs
after certificate chain signature verification and requires either a
CA to have signed the malicious certificate or for the application to
continue certificate verification despite failure to construct a path
to a trusted issuer. An attacker can craft a malicious email address
to overflow four attacker-controlled bytes on the stack. This buffer
overflow could result in a crash (causing a denial of service) or
potentially remote code execution.

Many platforms implement stack overflow protections which would mitigate
against the risk of remote code execution. The risk may be further
mitigated based on stack layout for any given platform/compiler.

Pre-announcements of CVE-2022-3602 described this issue as CRITICAL.
Further analysis based on some of the mitigating factors described above
has led this to be downgraded to HIGH. Users are still encouraged to
upgrade to a new version as soon as possible.

In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 17th October 2022 by Polar Bear.
The fixes were developed by Dr Paul Dale.

We are not aware of any working exploit that could lead to code execution,
and we have no evidence of this issue being exploited as of the time of
release of this advisory (November 1st 2022).

X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
===================================================================

Severity: High

A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to
have signed a malicious certificate or for an application to continue
certificate verification despite failure to construct a path to a trusted
issuer. An attacker can craft a malicious email address in a certificate
to overflow an arbitrary number of bytes containing the `.' character
(decimal 46) on the stack. This buffer overflow could result in a crash
(causing a denial of service).

In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was discovered on 18th October 2022 by Viktor Dukhovni while
researching CVE-2022-3602. The fixes were developed by Dr Paul Dale.

We have no evidence of this issue being exploited as of the time of
release of this advisory (November 1st 2022).

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221101.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.1s published

2022-11-01 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1s released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1s of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1s is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1s.tar.gz
  Size: 9868981
  SHA1 checksum: d316e1523a609bbfc4ddd3abfa9861db99f17044
  SHA256 checksum: c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1s.tar.gz
openssl sha256 openssl-1.1.1s.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


OpenSSL version 3.0.7 published

2022-11-01 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0.7 released
   ==============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 3.0.7 of our open source toolkit for SSL/TLS.
   For details of the changes, see the release notes at:

https://www.openssl.org/news/openssl-3.0-notes.html

   Specific notes on upgrading to OpenSSL 3.0 from previous versions are
   available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

   OpenSSL 3.0.7 is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.7.tar.gz
  Size: 15107575
  SHA1 checksum:  f20736d6aae36bcbfa9aba0d358c71601833bf27
  SHA256 checksum:  83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.7.tar.gz
openssl sha256 openssl-3.0.7.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


[openssl/general-policies]

2022-10-12 Thread openssl-machine
  Branch: refs/heads/vote-306-pull
  Home:   https://github.com/openssl/general-policies


[openssl/general-policies]

2022-09-14 Thread openssl-machine
  Branch: refs/heads/new_koca_branch
  Home:   https://github.com/openssl/general-policies


[openssl/technical-policies]

2022-07-22 Thread openssl-machine
  Branch: refs/heads/master
  Home:   https://github.com/openssl/technical-policies


OpenSSL Security Advisory

2022-07-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [5 July 2022]
=======================================

Heap memory corruption with RSA private key operation (CVE-2022-2274)
=====================================================================

Severity: High

The OpenSSL 3.0.4 release introduced a serious bug in the RSA
implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys
incorrect on such machines and memory corruption will happen during
the computation. As a consequence of the memory corruption an attacker
may be able to trigger a remote code execution on the machine performing
the computation.

SSL/TLS servers or other servers using 2048 bit RSA private keys running
on machines supporting AVX512IFMA instructions of the X86_64 architecture
are affected by this issue.

Note that on a vulnerable machine, proper testing of OpenSSL would fail and
should be noticed before deployment.

Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 22nd June 2022 by Xi Ruoyao. The
fix was developed by Xi Ruoyao.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220705.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

AES OCB fails to encrypt some bytes (CVE-2022-2097)
===================================================

Severity: MODERATE

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some
circumstances.  This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written.  In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
they are both unaffected.

This issue affects versions 1.1.1 and 3.0.  It was addressed in the
releases of 1.1.1q and 3.0.5 on the 5th July 2022.

OpenSSL 1.1.1 users should upgrade to 1.1.1q
OpenSSL 3.0 users should upgrade to 3.0.5

This issue was reported to OpenSSL on the 15th June 2022 by Alex
Chernyakhovsky from Google. The fix was developed by Alex Chernyakhovsky,
David Benjamin and Alejandro Sedeño from Google.
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


OpenSSL version 3.0.5 published

2022-07-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 3.0.5 released
   ==============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 3.0.5 of our open source toolkit for SSL/TLS.
   For details of the changes, see the release notes at:

https://www.openssl.org/news/openssl-3.0-notes.html

   Specific notes on upgrading to OpenSSL 3.0 from previous versions are
   available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

   OpenSSL 3.0.5 is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.5.tar.gz
  Size: 15074407
  SHA1 checksum:  a5305213c681a5a4322dad7347a6e66b7b6ef3c7
  SHA256 checksum:  aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.5.tar.gz
openssl sha256 openssl-3.0.5.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.1q published

2022-07-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.1q released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1q of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1q is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1q.tar.gz
  Size: 9864061
  SHA1 checksum: 79511a8f46f267c533efd32f22ad3bf89a92d8e5
  SHA256 checksum: d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1q.tar.gz
openssl sha256 openssl-1.1.1q.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0 published

2021-09-07 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 3.0.0 released
   ==============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 3.0.0 of our open source toolkit for SSL/TLS.
   For details of the changes, see the release notes at:

https://www.openssl.org/news/openssl-3.0-notes.html

   Specific notes on upgrading to OpenSSL 3.0 from previous versions are
   available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

   OpenSSL 3.0.0 is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0.tar.gz
  Size: 14978663
  SHA1 checksum:  3be896f1b33bc01af874ccca701a6f700af9de20
  SHA256 checksum:  59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0.tar.gz
openssl sha256 openssl-3.0.0.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha17 published

2021-05-20 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 17 released
   =====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 17 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions are
   available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/manmaster/man7/migration_guide.html

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha17.tar.gz
  Size: 14551193
  SHA1 checksum:  c026f0451988a4d3799b0ac8cc6aae45d05eddc5
  SHA256 checksum:  fcf7f7d732209904a8f994d6af5df10b1ca5df7bd18618e40805a2e32aa44f47

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha17.tar.gz
openssl sha256 openssl-3.0.0-alpha17.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha16 published

2021-05-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 16 released
   =====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 16 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha16.tar.gz
  Size: 14491795
  SHA1 checksum:  9719fde1203a21f768c5688dd7bd579c6b5a8ae4
  SHA256 checksum:  08ce8244b59d75f40f91170dfcb012bf25309cdcb1fef9502e39d694f883d1d1

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha16.tar.gz
openssl sha256 openssl-3.0.0-alpha16.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha15 published

2021-04-22 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 15 released
   =====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 15 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha15.tar.gz
  Size: 14423249
  SHA1 checksum:  57be66515f808b77d5b163a55474801f8bd764f4
  SHA256 checksum:  7ebc12910a19d94c13ce589024c5ab655a81152823fe37a3b5753436f3706831

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha15.tar.gz
openssl sha256 openssl-3.0.0-alpha15.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha14 published

2021-04-08 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 14 released
   =====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 14 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha14.tar.gz
  Size: 14392548
  SHA1 checksum:  255708727c8772f930d1058d723341d68d6ed005
  SHA256 checksum:  78a935e1d314d66cccaa68931702a52d42015b47c3c44bec631de9f5705cb6c0

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha14.tar.gz
openssl sha256 openssl-3.0.0-alpha14.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL Security Advisory

2021-03-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [25 March 2021]
=========================================

CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
========================================================================

Severity: High

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check.

An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity
for checks that the certificate is a valid CA.  All of the named "purpose"
values implemented in libcrypto perform this check.  Therefore, where
a purpose is set the certificate chain will still be rejected even when the
strict flag has been used. A purpose is set by default in libssl client and
server certificate verification routines, but it can be overridden or
removed by an application.

In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
for the certificate verification or, in the case of TLS client or server
applications, override the default purpose.

OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk
from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was
developed by Tomáš Mráz.


NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
=====================================================================

Severity: High

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL
pointer dereference will result, leading to a crash and a denial of service
attack.

A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
is the default configuration). OpenSSL TLS clients are not impacted by this
issue.

All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
developed by Peter Kästle and Samuel Sapalski from Nokia.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20210325.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
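
The affected-version statements in the security advisories on this page, turned into a triage check. This is an added example, not part of the original messages and not OpenSSL's own code; the function names, status labels and sample banners are assumptions made for illustration, while the ranges and preconditions are transcribed from the advisory text.

```python
import re

# Affected ranges transcribed from the advisories quoted on this page:
# (CVE, first affected, first fixed, precondition named in the advisory).
ADVISORY_RANGES = [
    ("CVE-2022-3602", "3.0.0", "3.0.7", "X.509 name constraint checking"),
    ("CVE-2022-3786", "3.0.0", "3.0.7", "X.509 name constraint checking"),
    ("CVE-2022-2274", "3.0.4", "3.0.5",
     "2048-bit RSA private key on x86_64 with AVX512IFMA"),
    ("CVE-2022-2097", "1.1.1", "1.1.1q",
     "AES OCB on 32-bit x86 with the AES-NI assembly implementation"),
    ("CVE-2022-2097", "3.0.0", "3.0.5",
     "AES OCB on 32-bit x86 with the AES-NI assembly implementation"),
    ("CVE-2021-3450", "1.1.1h", "1.1.1k",
     "X509_V_FLAG_X509_STRICT set and no purpose configured"),
    ("CVE-2021-3449", "1.1.1", "1.1.1k",
     "TLS server with TLSv1.2 and renegotiation enabled"),
]

# Matches 3.0.7, 1.1.1k, 1.0.2za and pre-releases such as 3.1.0-alpha1.
_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?![a-z])(-(?:alpha|beta|pre)\d*)?"
)


def parse_version(text):
    """Return ((major, minor, patch, letter_rank), is_prerelease)."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch = (int(g) for g in match.group(1, 2, 3))
    # Letter releases sort after the bare version: "" < a < ... < z < za.
    letter_rank = sum(ord(c) - ord("a") + 1 for c in match.group(4))
    return (major, minor, patch, letter_rank), match.group(5) is not None


def _result(status, cves=(), upgrade_to=None, conditions=()):
    return {"status": status, "cves": sorted(set(cves)),
            "upgrade_to": upgrade_to, "conditions": sorted(set(conditions))}


def triage(banner):
    """Map an `openssl version` banner to the advisories on this page."""
    # Forks such as LibreSSL print their own name and version numbering.
    if not banner.startswith("OpenSSL "):
        raise ValueError(f"not an OpenSSL banner: {banner!r}")
    key, prerelease = parse_version(banner)
    if prerelease:
        # The advisories state ranges for releases only.
        return _result("unassessed")
    hits = [
        (cve, fixed, condition)
        for cve, first, fixed, condition in ADVISORY_RANGES
        if parse_version(first)[0] <= key < parse_version(fixed)[0]
    ]
    if not hits:
        # Not inside any range these advisories list as affected.
        return _result("not-listed")
    # Recommend the highest fixed release among the matching advisories.
    upgrade_to = max((fixed for _, fixed, _ in hits),
                     key=lambda v: parse_version(v)[0])
    return _result("in-affected-range",
                   cves=[cve for cve, _, _ in hits],
                   upgrade_to=upgrade_to,
                   conditions=[cond for _, _, cond in hits])


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    for banner in ("OpenSSL 3.0.4 21 Jun 2022",
                   "OpenSSL 3.0.7 1 Nov 2022",
                   "OpenSSL 1.1.1h  22 Sep 2020",
                   "OpenSSL 3.1.0-alpha1 1 Dec 2022"):
        result = triage(banner)
        print(banner, "->", result["status"], result["cves"],
              "upgrade to", result["upgrade_to"])
```

Distribution packages often backport fixes without changing the upstream version string, so a hit on a vendor build should be checked against the vendor's own advisory.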


OpenSSL version 1.1.1k published

2021-03-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1k released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1k of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1k is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1k.tar.gz
  Size: 9823400
  SHA1 checksum: bad9dc4ae6dcc1855085463099b5dacb0ec6130b
  SHA256 checksum: 892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1k.tar.gz
openssl sha256 openssl-1.1.1k.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha13 published

2021-03-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 13 released
   =====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 13 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha13.tar.gz
  Size: 14211501
  SHA1 checksum:  754aab6dc677668255fec676c6340a3a191e8135
  SHA256 checksum:  c88cbb9d330b4daa3dbb5af1ed511d5062253291a56e09fd17e9ac013a20f8a3

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha13.tar.gz
openssl sha256 openssl-3.0.0-alpha13.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha12 published

2021-02-18 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 12 released
   =====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 12 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha12.tar.gz
  Size: 14142492
  SHA1 checksum:  fbcb255c1bf11928f4bd52b8cf68ab8341238d4f
  SHA256 checksum:  8d78239be66af578b969441252e7c125aa134ef3b9bac6179d84275cfe01950c

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha12.tar.gz
openssl sha256 openssl-3.0.0-alpha12.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL Security Advisory

2021-02-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [16 February 2021]
============================================

Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)
====================================================================

Severity: Moderate

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
create a unique hash value based on the issuer and serial number data contained
within an X509 certificate. However it fails to correctly handle any errors
that may occur while parsing the issuer field (which might occur if the issuer
field is maliciously constructed). This may subsequently result in a NULL
pointer deref and a crash leading to a potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by OpenSSL
itself so applications are only vulnerable if they use this function directly
and they use it on certificates that may have been obtained from untrusted
sources.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
to 1.1.1j.

This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy from
Google. The fix was developed by Matt Caswell.

Incorrect SSLv2 rollback protection (CVE-2021-23839)
====================================================

Severity: Low

OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a
server that is configured to support both SSLv2 and more recent SSL and TLS
versions then a check is made for a version rollback attack when unpadding an
RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are
supposed to use a special form of padding. A server that supports greater than
SSLv2 is supposed to reject connection attempts from a client where this special
form of padding is present, because this indicates that a version rollback has
occurred (i.e. both client and server support greater than SSLv2, and yet this
is the version that is being requested).

The implementation of this padding check inverted the logic so that the
connection attempt is accepted if the padding is present, and rejected if it
is absent. This means that such a server will accept a connection if a version
rollback attack has occurred. Further the server will erroneously reject a
connection if a normal SSLv2 connection attempt is made.

Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this
issue. In order to be vulnerable a 1.0.2 server must:

1) have configured SSLv2 support at compile time (this is off by default),
2) have configured SSLv2 support at runtime (this is off by default),
3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite
   list)

OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to
this issue. The underlying error is in the implementation of the
RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING
padding mode used by various other functions. Although 1.1.1 does not support
SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the
RSA_SSLV23_PADDING padding mode. Applications that directly call that function
or use that padding mode will encounter this issue. However since there is no
support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a
security issue in that version.

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium
support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
upgrade to 1.1.1j.

This issue was reported to OpenSSL on 21st January 2021 by D. Katz and Joel
Luellwitz from Trustwave. The fix was developed by Matt Caswell.

Integer overflow in CipherUpdate (CVE-2021-23840)
=================================================

Severity: Low

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow
the output length argument in some cases where the input length is close to the
maximum permissible length for an integer on the platform. In such cases the
return value from the function call will be 1 (indicating success), but the
output length value will be negative. This could cause applications to behave
incorrectly or crash.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
to 1.1.1j.

This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The fix
was developed by Matt Caswell.

Note
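
Added example, not part of the advisory and not OpenSSL source: a C model of
the output-length arithmetic behind CVE-2021-23840, showing the negative length
beside a range-checked form and two caller-side guards. It assumes a 32-bit
int; every function name is hypothetical, and the buffering model (emit every
complete block of buffered plus input bytes) is an assumption of the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed model (not OpenSSL source): an encrypt-side update with block size
 * bl holds `buffered` bytes (0 <= buffered < bl) from earlier calls and emits
 * every complete block of buffered + inl. Callers must pass bl > 0.
 * All names in this file are hypothetical.
 */
static long long true_out_len(int buffered, int inl, int bl)
{
    long long total = (long long)buffered + (long long)inl;
    return (total / bl) * bl;
}

/* Value a 32-bit int ends up holding when the true length is stored
 * without a range check (two's complement wrap, computed portably). */
int unchecked_out_len(int buffered, int inl, int bl)
{
    uint32_t low = (uint32_t)true_out_len(buffered, inl, bl);

    if (low <= (uint32_t)INT_MAX)
        return (int)low;
    return (int)((long long)low - 4294967296LL);
}

/* Range-checked form: returns 1 and sets *outl on success; returns 0 and
 * leaves *outl at 0 when the arguments are invalid or the length does not
 * fit in an int. */
int checked_out_len(int buffered, int inl, int bl, int *outl)
{
    long long n;

    *outl = 0;
    if (bl <= 0 || inl < 0 || buffered < 0 || buffered >= bl)
        return 0;
    n = true_out_len(buffered, inl, bl);
    if (n > INT_MAX)
        return 0;
    *outl = (int)n;
    return 1;
}

/* Caller-side precondition: an input length at or below this value cannot
 * overflow the output length, whatever is already buffered (< bl bytes). */
int max_safe_inl(int bl)
{
    return INT_MAX - bl;
}

/* Caller-side postcondition: a success return is only trusted when the
 * reported length is non-negative and no larger than inl + bl. */
int update_result_ok(int ret, int outl, int inl, int bl)
{
    return ret == 1 && outl >= 0 && (long long)outl <= (long long)inl + bl;
}

int main(void)
{
    int outl;
    int ok;

    /* Constructed inputs: 15 bytes already buffered, 16-byte block size. */
    printf("unchecked: %d\n", unchecked_out_len(15, INT_MAX, 16));
    ok = checked_out_len(15, INT_MAX, 16, &outl);
    printf("checked: ok=%d outl=%d\n", ok, outl);
    ok = checked_out_len(15, max_safe_inl(16), 16, &outl);
    printf("at max_safe_inl: ok=%d outl=%d\n", ok, outl);
    return 0;
}
```

An application that cannot upgrade immediately can apply the same two guards
around its own update calls: cap the input length before the call and reject a
success return whose output length is negative.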

OpenSSL version 1.1.1j published

2021-02-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1j released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1j of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1j is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1j.tar.gz
  Size: 9823161
  SHA1 checksum: 04c340b086828eecff9df06dceff196790bb9268
  SHA256 checksum: aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1j.tar.gz
openssl sha256 openssl-1.1.1j.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha11 published

2021-01-28 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 3.0 alpha 11 released
   =====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 11 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha11.tar.gz
  Size: 14104901
  SHA1 checksum:  7c934bab3e310884e97b0f4a53dfe9fb3d97bb76
  SHA256 checksum:  2a18f18df6a7ba33cfcc423b77d93990bf70939c06aa2b599b1eabf6e222ea74

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha11.tar.gz
openssl sha256 openssl-3.0.0-alpha11.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha10 published

2021-01-07 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 10 released
   =====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 10 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha10.tar.gz
  Size: 14084047
  SHA1 checksum:  dfeb99f9bdb270d11f723039d07fda1478a31219
  SHA256 checksum:  b1699acf2148db31f12edf5ebfdf12a92bfd3f0e60538d169710408a3cd3b138

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha10.tar.gz
openssl sha256 openssl-3.0.0-alpha10.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL Security Advisory

2020-12-08 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [08 December 2020]
============================================

EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
======================================================

Severity: High

The X.509 GeneralName type is a generic type for representing different types
of names. One of those name types is known as EDIPartyName. OpenSSL provides a
function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a CRL
   distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp
   authority name (exposed via the API functions TS_RESP_verify_response and
   TS_RESP_verify_token)

If an attacker can control both items being compared then that attacker could
trigger a crash. For example if the attacker can trick a client or server into
checking a malicious certificate against a malicious CRL then this may occur.
Note that some applications automatically download CRLs based on a URL embedded
in a certificate. This checking happens prior to the signatures on the
certificate and CRL being verified. OpenSSL's s_server, s_client and verify
tools have support for the "-crl_download" option which implements automatic
CRL downloading and this attack has been demonstrated to work against those
tools.

Note that an unrelated bug means that affected versions of OpenSSL cannot parse
or construct correct encodings of EDIPARTYNAME. However it is possible to
construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence
trigger this attack.

All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL
releases are out of support and have not been checked.

OpenSSL 1.1.1 users should upgrade to 1.1.1i.

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium
support customers of OpenSSL 1.0.2 should upgrade to 1.0.2x. Other users should
upgrade to OpenSSL 1.1.1i.

This issue was reported to OpenSSL on 9th November 2020 by David Benjamin
(Google). Initial analysis was performed by David Benjamin with additional
analysis by Matt Caswell (OpenSSL). The fix was developed by Matt Caswell.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of this issue on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20201208.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.1i published

2020-12-08 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1i released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1i of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1i is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1i.tar.gz
  Size: 9808346
  SHA1 checksum: eb684ba4ed31fe2c48062aead75233ecd36882a6
  SHA256 checksum: e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1i.tar.gz
openssl sha256 openssl-1.1.1i.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha9 published

2020-11-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 9 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 9 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha9.tar.gz
  Size: 14058484
  SHA1 checksum:  9b5faa69485659407583fd653f8064fb425fc0c4
  SHA256 checksum:  5762545c972d5e48783c751d3188ac19f6f9154ee4899433ba15f01c56b3eee6

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha9.tar.gz
openssl sha256 openssl-3.0.0-alpha9.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha8 published

2020-11-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 8 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 8 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha8.tar.gz
  Size: 14011376
  SHA1 checksum:  a6063ebb15b4e600b60fbb50b3102c6f2e3438ff
  SHA256 checksum:  a6c7b618a6a37cf0cebbc583b49e6d22d86e2d777e60173433eada074c32eea4

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha8.tar.gz
openssl sha256 openssl-3.0.0-alpha8.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha7 published

2020-10-15 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 7 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 7 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha7.tar.gz
  Size: 14005200
  SHA1 checksum:  1d05682f62b34038a37b196c7c43a21013f5f507
  SHA256 checksum:  2884219ad2fae614c0f0d57b77af2f0720f32ffa3a569ac70bbf506bd8732298

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha7.tar.gz
openssl sha256 openssl-3.0.0-alpha7.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.1h published

2020-09-22 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1h released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1h of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1h is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1h.tar.gz
  Size: 9810045
  SHA1 checksum: 8d0d099e8973ec851368c8c775e05e1eadca1794
  SHA256 checksum: 5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1h.tar.gz
openssl sha256 openssl-1.1.1h.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL Security Advisory

2020-09-09 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [09 September 2020]
=============================================

Raccoon Attack (CVE-2020-1968)
==============================

Severity: Low

The Raccoon attack exploits a flaw in the TLS specification which can lead to
an attacker being able to compute the pre-master secret in connections which
have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would
result in the attacker being able to eavesdrop on all encrypted communications
sent over that TLS connection. The attack can only be exploited if an
implementation re-uses a DH secret across multiple TLS connections. Note that
this issue only impacts DH ciphersuites and not ECDH ciphersuites.

OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and
does not implement any "static" DH ciphersuites.

OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
ciphersuite is used. These static "DH" ciphersuites are ones that start with the
text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
ciphersuites all start with "TLS_DH_" but exclude those that start with
"TLS_DH_anon_".

OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
explicitly configured. Therefore all ciphersuites that use DH in servers
(including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a
response to CVE-2016-0701.

Since the vulnerability lies in the TLS specification, fixing the affected
ciphersuites is not viable. For this reason 1.0.2w moves the affected
ciphersuites into the "weak-ssl-ciphers" list. Support for the
"weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause
interoperability problems in most cases since use of these ciphersuites is rare.
Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at
compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.

OpenSSL 1.0.2 is out of support and no longer receiving public updates.

Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w.  If
upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure
that affected ciphersuites are disabled through runtime configuration. Also
note that the affected ciphersuites are only available on the server side if a
DH certificate has been configured. These certificates are very rarely used and
for this reason this issue has been classified as LOW severity.

This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj
Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to
allow co-ordinated disclosure with other implementations.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of this issue on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20200909.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
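
Added example, not part of the advisory and not OpenSSL code: a C audit of an
expanded, colon-separated ciphersuite list using the naming rules the Raccoon
advisory gives for static DH suites ("DH-" and "TLS_DH_", excluding
"TLS_DH_anon_"). The function names, the dh_secret_reused flag and the sample
list are constructed for illustration; the "DHE-", "EDH-" and "ADH-" prefixes
for other DH suites come from OpenSSL's naming rather than from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Classes taken from the advisory text. All names here are hypothetical. */
enum dh_class { CS_NOT_DH = 0, CS_STATIC_DH, CS_OTHER_DH };

static int has_prefix(const char *s, size_t n, const char *prefix)
{
    size_t plen = strlen(prefix);
    return n >= plen && strncmp(s, prefix, plen) == 0;
}

/* Classify one suite name of length n, in OpenSSL or IANA spelling. */
enum dh_class classify_suite(const char *name, size_t n)
{
    /* IANA names: the anonymous and ephemeral prefixes must be tested
     * before the shorter static prefix "TLS_DH_". */
    if (has_prefix(name, n, "TLS_DH_anon_") || has_prefix(name, n, "TLS_DHE_"))
        return CS_OTHER_DH;
    if (has_prefix(name, n, "TLS_DH_"))
        return CS_STATIC_DH;
    /* OpenSSL names: "DH-" is static DH; ECDH/ECDHE names do not match. */
    if (has_prefix(name, n, "DH-"))
        return CS_STATIC_DH;
    if (has_prefix(name, n, "DHE-") || has_prefix(name, n, "EDH-")
        || has_prefix(name, n, "ADH-"))
        return CS_OTHER_DH;
    return CS_NOT_DH;
}

/*
 * Walk a colon-separated list and return how many suites should be disabled.
 * dh_secret_reused != 0 models the advisory's "1.0.2e and below" server case
 * (no SSL_OP_SINGLE_DH_USE), where every DH suite is affected; otherwise only
 * static DH suites are flagged. Flagged names are written to out, separated
 * by ':', as far as outsz allows.
 */
int audit_cipher_list(const char *list, int dh_secret_reused,
                      char *out, size_t outsz)
{
    int flagged = 0;
    size_t used = 0;

    if (outsz > 0)
        out[0] = '\0';
    while (*list != '\0') {
        size_t n = strcspn(list, ":");

        if (n > 0) {
            enum dh_class c = classify_suite(list, n);

            if (c == CS_STATIC_DH || (dh_secret_reused && c == CS_OTHER_DH)) {
                size_t need = n + (used ? 1 : 0);

                flagged++;
                if (used + need < outsz) {      /* leaves room for the NUL */
                    if (used)
                        out[used++] = ':';
                    memcpy(out + used, list, n);
                    used += n;
                    out[used] = '\0';
                }
            }
        }
        list += n;
        if (*list == ':')
            list++;
    }
    return flagged;
}

/* Constructed sample list mixing OpenSSL and IANA spellings. */
static const char SAMPLE_LIST[] =
    "ECDHE-RSA-AES256-GCM-SHA384:DH-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "TLS_DH_anon_WITH_AES_128_CBC_SHA:TLS_DH_RSA_WITH_AES_256_CBC_SHA:"
    "AES128-SHA";

int main(void)
{
    char buf[256];
    int n = audit_cipher_list(SAMPLE_LIST, 0, buf, sizeof buf);

    printf("static DH only: %d flagged: %s\n", n, buf);
    n = audit_cipher_list(SAMPLE_LIST, 1, buf, sizeof buf);
    printf("DH secret reused: %d flagged: %s\n", n, buf);
    return 0;
}
```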


OpenSSL version 3.0.0-alpha6 published

2020-08-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 6 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 6 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha6.tar.gz
  Size: 13963353
  SHA1 checksum:  bac4e232f5238c5f267c3e108227cfadbd4b7120
  SHA256 checksum:  1e8143b152f33f76530da2eaedc5d841121ff9e7247a857390cceac6503f482b

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha6.tar.gz
openssl sha256 openssl-3.0.0-alpha6.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha5 published

2020-07-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 3.0 alpha 5 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 5 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha5.tar.gz
  Size: 13919931
  SHA1 checksum:  0e2aded2b2bd2104bcee6bfcd10132a8aec87776
  SHA256 checksum:  
09ad89af04cbf36dbbce1fc7063e18fcc333fcaaf3eccecf22c4a99bac83e139

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha5.tar.gz
openssl sha256 openssl-3.0.0-alpha5.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha4 published

2020-06-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 4 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 4 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha4.tar.gz
  Size: 13884897
  SHA1 checksum:  056194ea4ec57234ce3cb16b944d99c4d2a8b650
  SHA256 checksum:  
d930b650e0899f5baca8b80c50e7401620c129fef6c50198400999776a39bd37

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha4.tar.gz
openssl sha256 openssl-3.0.0-alpha4.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha2 published

2020-05-15 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 2 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 2 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha2.tar.gz
  Size: 9601205
  SHA1 checksum:  9224a8957232db61b1e9cf1a80b3a19165f47236
  SHA256 checksum:  
9077d53d889f9708c261ee8a698df10575e2fd191de6924d89136b97dc8bc0c0

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha2.tar.gz
openssl sha256 openssl-3.0.0-alpha2.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 3.0.0-alpha1 published

2020-04-23 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 3.0 alpha 1 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 1 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha1.tar.gz
  Size: 9530120
  SHA1 checksum:  4db145d3d9c9d7bfaa7b2a1fe1670f7a3781bb06
  SHA256 checksum:  
9d5be9122194ad1d649254de5e72afd329252f134791389d0cef627b18ed9a57

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha1.tar.gz
openssl sha256 openssl-3.0.0-alpha1.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL Security Advisory

2020-04-21 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [21 April 2020]
=========================================

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================

Severity: High

Server or client applications that call the SSL_check_chain() function during or
after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack.

OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.  This
issue did not affect OpenSSL versions prior to 1.1.1d.

Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g

This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
2020. It was found using the new static analysis pass being implemented in GCC,
-fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin
Kaduk.

Note
====

This issue did not affect OpenSSL 1.0.2; however, these versions are out of
support and no longer receiving public updates. Extended support is available
for premium support customers: https://www.openssl.org/support/contracts.html

This issue did not affect OpenSSL 1.1.0; however, these versions are out of
support and no longer receiving updates.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20200421.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.1g published

2020-04-21 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1g released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1g of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1g is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1g.tar.gz
  Size: 9801502
  SHA1 checksum: b213a293f2127ec3e323fb3cfc0c9807664fd997
  SHA256 checksum: 
ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1g.tar.gz
openssl sha256 openssl-1.1.1g.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.1f published

2020-03-31 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1f released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1f of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1f is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1f.tar.gz
  Size: 9792828
  SHA1 checksum: 238e001ea1fbf19ede43e36209c37c1a636bb51f
  SHA256 checksum: 
186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1f.tar.gz
openssl sha256 openssl-1.1.1f.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.1e published

2020-03-17 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1e released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1e of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1e is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1e.tar.gz
  Size: 9792634
  SHA1 checksum: e7105567d3e7e6353a0110f1adc81f69dbc8f732
  SHA256 checksum: 
694f61ac11cb51c9bf73f54e771ff6022b0327a43bbdfa1b2f19de1662a6dcbe

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1e.tar.gz
openssl sha256 openssl-1.1.1e.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.0.2u published

2019-12-20 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.0.2u released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2u of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2u is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.2u.tar.gz
  Size: 5355412
  SHA1 checksum: 740916d79ab0d209d2775277b1c6c3ec2f6502b2
  SHA256 checksum: 
ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2u.tar.gz
openssl sha256 openssl-1.0.2u.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL Security Advisory

2019-12-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [6 December 2019]
===========================================

rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551)
===================================================

Severity: Low

There is an overflow bug in the x86_64 Montgomery squaring procedure used in
exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis
suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a
result of this defect would be very difficult to perform and are not believed
likely. Attacks against DH512 are considered just feasible. However, for an
attack the target would have to re-use the DH512 private key, which is not
recommended anyway. Also applications directly using the low level API
BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.

OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue. However due to the
low severity of this issue we are not creating new releases at this time. The
1.1.1 mitigation for this issue can be found in commit 419102400. The 1.0.2
mitigation for this issue can be found in commit f1c5eea8a.

This issue was found by OSS-Fuzz and Guido Vranken and reported to OpenSSL on
12th September 2019. The fix was developed by Andy Polyakov with additional
analysis by Bernd Edlinger.

Note
====

OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2
will end on 31st December 2019. Extended support is available for premium
support customers: https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates. It is unknown
whether issues in this advisory affect it.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20191206.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.1d published

2019-09-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.1d released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1d of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1d is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1d.tar.gz
  Size: 8845861
  SHA1 checksum: 056057782325134b76d1931c48f2c7e6595d7ef4
  SHA256 checksum: 
1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1d.tar.gz
openssl sha256 openssl-1.1.1d.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.0l published

2019-09-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.0l released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.0l of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.0-notes.html

   OpenSSL 1.1.0l is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.0l.tar.gz
  Size: 5294857
  SHA1 checksum: 6e3507b29e2630f56023887d1f7d7ba1f584819b
  SHA256 checksum: 
74a2f756c64fd7386a29184dc0344f4831192d61dc2481a93a4c5dd727f41148

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0l.tar.gz
openssl sha256 openssl-1.1.0l.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.0.2t published

2019-09-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.0.2t released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2t of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2t is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.2t.tar.gz
  Size: 5355422
  SHA1 checksum: 8ac3fd379cf8c8ef570abb51ec52a88fd526f88a
  SHA256 checksum: 
14cb464efe7ac6b54799b34456bd69558a749a4931ecfd9cf9f71d7881cac7bc

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2t.tar.gz
openssl sha256 openssl-1.0.2t.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL Security Advisory

2019-09-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [10 September 2019]
=============================================

ECDSA remote timing attack (CVE-2019-1547)
==========================================

Severity: Low

Normally in OpenSSL EC groups always have a co-factor present and this is used
in side channel resistant code paths. However, in some cases, it is possible to
construct a group using explicit parameters (instead of using a named curve). In
those cases it is possible that such a group does not have the cofactor present.
This can occur even where all the parameters match a known named curve.

If such a curve is used then OpenSSL falls back to non-side channel resistant
code paths which may result in full key recovery during an ECDSA signature
operation.

In order to be vulnerable an attacker would have to have the ability to time
the creation of a large number of signatures where explicit parameters with no
co-factor present are in use by an application using libcrypto.

For the avoidance of doubt libssl is not vulnerable because explicit parameters
are never used.

OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.

OpenSSL 1.1.1 users should upgrade to 1.1.1d
OpenSSL 1.1.0 users should upgrade to 1.1.0l
OpenSSL 1.0.2 users should upgrade to 1.0.2t

This issue was reported by Cesar Pereida García, Sohaib ul Hassan,
Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley. The
fix was developed by Billy Brumley. It was reported to OpenSSL on 5th August
2019.


Fork Protection (CVE-2019-1549)
===============================

Severity: Low

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was
intended to include protection in the event of a fork() system call in order to
ensure that the parent and child processes did not share the same RNG state.
However this protection was not being used in the default case.

A partial mitigation for this issue is that the output from a high precision
timer is mixed into the RNG state so the likelihood of a parent and child
process sharing state is significantly reduced.

If an application already calls OPENSSL_init_crypto() explicitly using
OPENSSL_INIT_ATFORK then this problem does not occur at all.

OpenSSL version 1.1.1 is affected by this issue.

OpenSSL 1.1.1 users should upgrade to 1.1.1d

This issue was reported by Matt Caswell. The fix was developed by Matthias
St. Pierre. It was reported to OpenSSL on 27th May 2019.


Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
============================================================================

Severity: Low

In situations where an attacker receives automated notification of the success
or failure of a decryption attempt an attacker, after sending a very large
number of messages to be decrypted, can recover a CMS/PKCS7 transported
encryption key or decrypt any RSA encrypted message that was encrypted with the
public RSA key, using a Bleichenbacher padding oracle attack. Applications are
not affected if they use a certificate together with the private RSA key to the
CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to
decrypt.

OpenSSL 1.1.1 users should upgrade to 1.1.1d
OpenSSL 1.1.0 users should upgrade to 1.1.0l
OpenSSL 1.0.2 users should upgrade to 1.0.2t

This issue was reported by and the fix developed by Bernd Edlinger. It was
reported to OpenSSL on 21st August 2019.


Note
====

OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2
will end on 31st December 2019.

Support for 1.1.0 ends on 11th September 2019 so 1.1.0l is expected to be the
last 1.1.0 release.

Users of these versions should upgrade to OpenSSL 1.1.1.


References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190910.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
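
The fork-protection issue (CVE-2019-1549) in the advisory above, as an added illustration that is not OpenSSL code: a toy hash-chain generator (the hypothetical `ToyDRBG`) shows a forked child repeating its parent's output unless an at-fork handler reseeds it. Python's `os.register_at_fork` stands in here, as an assumption, for the at-fork handling the advisory associates with `OPENSSL_INIT_ATFORK`.

```python
import hashlib
import os
import weakref


class ToyDRBG:
    """Toy hash-chain generator (hypothetical; not OpenSSL's DRBG)."""

    _fork_safe = weakref.WeakSet()  # instances to reseed in a forked child

    def __init__(self, seed, fork_safe=False):
        self.state = hashlib.sha256(seed).digest()
        if fork_safe:
            ToyDRBG._fork_safe.add(self)

    def reseed(self, entropy):
        self.state = hashlib.sha256(self.state + entropy).digest()

    def generate(self, n=16):
        out = hashlib.sha256(b"out" + self.state).digest()[:n]
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out

    @classmethod
    def _after_fork_in_child(cls):
        # Runs in the child before os.fork() returns there: mix in fresh
        # kernel entropy so the child's state diverges from the parent's.
        for rng in list(cls._fork_safe):
            rng.reseed(os.urandom(32))


os.register_at_fork(after_in_child=ToyDRBG._after_fork_in_child)


def parent_and_child_output(rng):
    """Fork, draw 16 bytes in each process, return (parent_bytes, child_bytes)."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: report its output through the pipe and exit
        try:
            os.close(read_fd)
            os.write(write_fd, rng.generate())
        finally:
            os._exit(0)
    os.close(write_fd)
    child_bytes = os.read(read_fd, 16)
    os.close(read_fd)
    os.waitpid(pid, 0)
    return rng.generate(), child_bytes


def fork_demo():
    seed = b"constructed seed for the example"
    parent1, child1 = parent_and_child_output(ToyDRBG(seed))
    parent2, child2 = parent_and_child_output(ToyDRBG(seed, fork_safe=True))
    return {
        "unprotected_shared": parent1 == child1,  # same state copied by fork()
        "protected_shared": parent2 == child2,    # child reseeded at fork
    }


if __name__ == "__main__":
    print(fork_demo())
```
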


OpenSSL Security Advisory

2019-07-30 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [30 July 2019]
========================================

Windows builds with insecure path defaults (CVE-2019-1552)
==========================================================

Severity: Low

OpenSSL has internal defaults for a directory tree where it can find a
configuration file as well as certificates used for verification in
TLS.  This directory is most commonly referred to as OPENSSLDIR, and
is configurable with the --prefix / --openssldir configuration options.

For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets
assume that resulting programs and libraries are installed in a
Unix-like environment and the default prefix for program installation
as well as for OPENSSLDIR should be '/usr/local'.

However, mingw programs are Windows programs, and as such, find
themselves looking at sub-directories of 'C:/usr/local', which may be
world writable, which enables untrusted users to modify OpenSSL's
default configuration, insert CA certificates, modify (or even
replace) existing engine modules, etc.

For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR
on all Unix and Windows targets, including Visual C builds.  However,
some build instructions for the diverse Windows targets on 1.0.2
encourage you to specify your own --prefix.

OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.
Due to the limited scope of affected deployments this has been
assessed as low severity and therefore we are not creating new
releases at this time.

The mitigations are found in these commits:
- For 1.1.1, commit 54aa9d51b09d67e90db443f682cface795f5af9e
- For 1.1.0, commit e32bc855a81a2d48d215c506bdeb4f598045f7e9 and
  b15a19c148384e73338aa7c5b12652138e35ed28
- For 1.0.2, commit d333ebaf9c77332754a9d5e111e2f53e1de54fdd

The 1.1.1 and 1.1.0 mitigation set more appropriate defaults for
mingw, while the 1.0.2 mitigation documents the issue and provides
enhanced examples.

This issue was reported by Rich Mirth.  The fix was developed by
Richard Levitte from the OpenSSL development team.  It was reported to
OpenSSL on 9th Jun 2019.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates.
Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0
will end on 11th September 2019. Users of these versions should
upgrade to OpenSSL 1.1.1.


References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190730.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


OpenSSL version 1.1.0k published

2019-05-28 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.0k released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.0k of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.0-notes.html

   OpenSSL 1.1.0k is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.0k.tar.gz
  Size: 5287321
  SHA1 checksum: aaa2ddad0285575da7c9fa8021c26e5c8433ab15
  SHA256 checksum: 
efa4965f4f773574d6cbda1cf874dbbe455ab1c0d4f906115f867d3070b1

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0k.tar.gz
openssl sha256 openssl-1.1.0k.tar.gz

   Yours,

   The OpenSSL Project Team.



OpenSSL Security Advisory

2019-03-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [6 March 2019]
========================================

ChaCha20-Poly1305 with long nonces (CVE-2019-1543)
==================================================

Severity: Low

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every
encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96
bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce
with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a
nonce to be set of up to 16 bytes. In this case only the last 12 bytes are
significant and any additional leading bytes are ignored.

It is a requirement of using this cipher that nonce values are unique. Messages
encrypted using a reused nonce value are susceptible to serious confidentiality
and integrity attacks. If an application changes the default nonce length to be
longer than 12 bytes and then makes a change to the leading bytes of the nonce
expecting the new value to be a new unique nonce then such an application could
inadvertently encrypt messages with a reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the integrity
guarantee of this cipher. Any application that relies on the integrity of these
ignored leading bytes of a long nonce may be further affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because
no such use sets such a long nonce value. However user applications that use
this cipher directly and set a non-default nonce length to be longer than 12
bytes may be vulnerable.

OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited
scope of affected deployments this has been assessed as low severity and
therefore we are not creating new releases at this time. The 1.1.1 mitigation
for this issue can be found in commit f426625b6a. The 1.1.0 mitigation for this
issue can be found in commit ee22257b14.

This issue does not impact OpenSSL 1.0.2.

This issue was discovered by Joran Dirk Greef of Ronomon. The fix was developed
by Matt Caswell from the OpenSSL development team. It was reported to OpenSSL on
26th February 2019.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190306.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
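The nonce handling described in the ChaCha20-Poly1305 advisory above, as an added example that is not part of the original message and is not OpenSSL source code. It models the front-padding and last-12-bytes behaviour, then audits a constructed 16-byte nonce scheme for reuse; all function names, the audit table and the sample nonces are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN  12   /* RFC 7539 nonce size in bytes */
#define LEGACY_MAX 16   /* longest nonce the affected versions accepted */
#define MAX_SEEN   64   /* capacity of the audit table (arbitrary) */

/* Model of the handling described in the advisory (assumption: not OpenSSL
 * source). A short nonce is front-padded with zero bytes; a long one keeps
 * only its last 12 bytes. Returns 0, or -1 if ivlen is outside 1..16. */
int effective_nonce(const uint8_t *iv, size_t ivlen, uint8_t out[NONCE_LEN])
{
    if (iv == NULL || ivlen == 0 || ivlen > LEGACY_MAX)
        return -1;
    memset(out, 0, NONCE_LEN);
    if (ivlen <= NONCE_LEN)
        memcpy(out + (NONCE_LEN - ivlen), iv, ivlen);
    else
        memcpy(out, iv + (ivlen - NONCE_LEN), NONCE_LEN);
    return 0;
}

/* Application-side guard: refuse nonces longer than the 12 bytes that are
 * actually significant. */
int nonce_len_allowed(size_t ivlen)
{
    return ivlen >= 1 && ivlen <= NONCE_LEN;
}

/* Effective nonces already used under one key. */
struct nonce_audit {
    uint8_t seen[MAX_SEEN][NONCE_LEN];
    size_t count;
};

/* Returns 0 if the nonce is fresh, 1 if its effective value was already used
 * under this key, -1 on a bad length or when the table is full. */
int audit_nonce(struct nonce_audit *a, const uint8_t *iv, size_t ivlen)
{
    uint8_t eff[NONCE_LEN];
    size_t i;

    if (effective_nonce(iv, ivlen, eff) != 0)
        return -1;
    for (i = 0; i < a->count; i++)
        if (memcmp(a->seen[i], eff, NONCE_LEN) == 0)
            return 1;
    if (a->count >= MAX_SEEN)
        return -1;
    memcpy(a->seen[a->count++], eff, NONCE_LEN);
    return 0;
}

/* Constructed scenario: 16-byte nonces made of a 4-byte message counter and a
 * fixed 12-byte value. counter_first != 0 puts the counter in the leading
 * bytes. Returns how many of the nonces the audit flags as reused. */
int count_reuse(int counter_first, uint32_t messages)
{
    static const uint8_t fixed[NONCE_LEN] = {   /* constructed sample value */
        0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0xAB
    };
    struct nonce_audit audit;
    uint32_t n;
    int reused = 0;

    memset(&audit, 0, sizeof(audit));
    for (n = 0; n < messages; n++) {
        uint8_t ctr[4], iv[LEGACY_MAX];

        ctr[0] = (uint8_t)(n >> 24);
        ctr[1] = (uint8_t)(n >> 16);
        ctr[2] = (uint8_t)(n >> 8);
        ctr[3] = (uint8_t)n;
        if (counter_first) {            /* counter lands in the ignored bytes */
            memcpy(iv, ctr, 4);
            memcpy(iv + 4, fixed, NONCE_LEN);
        } else {                        /* counter lands in the last 12 bytes */
            memcpy(iv, fixed, NONCE_LEN);
            memcpy(iv + NONCE_LEN, ctr, 4);
        }
        if (audit_nonce(&audit, iv, sizeof(iv)) == 1)
            reused++;
    }
    return reused;
}

int main(void)
{
    printf("counter in leading bytes:  %d of 4 nonces reused\n", count_reuse(1, 4));
    printf("counter in trailing bytes: %d of 4 nonces reused\n", count_reuse(0, 4));
    printf("16-byte nonce passes guard: %d\n", nonce_len_allowed(16));
    return 0;
}
```

Running the audit over the nonces an application actually generates shows whether any variation sits only in the ignored leading bytes.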


OpenSSL Security Advisory

2019-02-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [26 February 2019]
============================================

0-byte record padding oracle (CVE-2019-1559)
============================================

Severity: Moderate

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one) then
OpenSSL can respond differently to the calling application if a 0 byte record is
received with invalid padding compared to if a 0 byte record is received with an
invalid MAC. If the application then behaves differently based on that in a way
that is detectable to the remote peer, then this amounts to a padding oracle
that could be used to decrypt data.

In order for this to be exploitable "non-stitched" ciphersuites must be in use.
Stitched ciphersuites are optimised implementations of certain commonly used
ciphersuites. Also the application must call SSL_shutdown() twice even if a
protocol error has occurred (applications should not do this but some do
anyway).

This issue does not impact OpenSSL 1.1.1 or 1.1.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2r.

This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram,
with additional investigation by Steven Collison and Andrew Hourselt. It was
reported to OpenSSL on 10th December 2018.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190226.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


OpenSSL version 1.1.1b published

2019-02-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.1b released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1b of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1b is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1b.tar.gz
  Size: 8213737
  SHA1 checksum: e9710abf5e95c48ebf47991b10cbb48c09dae102
  SHA256 checksum: 
5c557b023230413dfb0756f3137a13e6d726838ccd1430888ad15bfb2b43ea4b

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1b.tar.gz
openssl sha256 openssl-1.1.1b.tar.gz

   Yours,

   The OpenSSL Project Team.



OpenSSL version 1.0.2r published

2019-02-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.0.2r released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2r of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2r is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.2r.tar.gz
  Size: 5348369
  SHA1 checksum: b9aec1fa5cedcfa433aed37c8fe06b0ab0ce748d
  SHA256 checksum: 
ae51d08bba8a83958e894946f15303ff894d75c2b8bbd44a852b64e3fe11d0d6

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2r.tar.gz
openssl sha256 openssl-1.0.2r.tar.gz

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL version 1.1.1a published

2018-11-20 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.1a released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1a of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1a is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1a.tar.gz
  Size: 8350547
  SHA1 checksum: 8fae27b4f34445a5500c9dc50ae66b4d6472ce29
  SHA256 checksum: 
fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1a.tar.gz
openssl sha256 openssl-1.1.1a.tar.gz

   Yours,

   The OpenSSL Project Team.

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


[openssl-project] OpenSSL version 1.1.0j published

2018-11-20 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.0j released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.0j of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.0-notes.html

   OpenSSL 1.1.0j is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.0j.tar.gz
  Size: 5411919
  SHA1 checksum: dcad1efbacd9a4ed67d4514470af12bbe2a1d60a
  SHA256 checksum: 
31bec6c203ce1a8e93d5994f4ed304c63ccf07676118b6634edded12ad1b3246

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0j.tar.gz
openssl sha256 openssl-1.1.0j.tar.gz

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL version 1.0.2q published

2018-11-20 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.0.2q released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2q of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2q is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.2q.tar.gz
  Size: 5345604
  SHA1 checksum: 692f5f2f1b114f8adaadaa3e7be8cce1907f38c5
  SHA256 checksum: 
5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2q.tar.gz
openssl sha256 openssl-1.0.2q.tar.gz

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL version 1.1.1 published

2018-09-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.1 released
   ==============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1 of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1 is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1.tar.gz
  Size: 8337920
  SHA1 checksum: e4559f31dca37ce815e0c7135488b747745a056d
  SHA256 checksum: 
2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1.tar.gz
openssl sha256 openssl-1.1.1.tar.gz

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL version 1.1.0i published

2018-08-14 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.0i released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.0i of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.0-notes.html

   OpenSSL 1.1.0i is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.0i.tar.gz
  Size: 5453234
  SHA1 checksum: 6713f8b083e4c0b0e70fd090bf714169baf3717c
  SHA256 checksum: 
ebbfc844a8c8cc0ea5dc10b86c9ce97f401837f3fa08c17b2cdadc118253cf99

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0i.tar.gz
openssl sha256 openssl-1.1.0i.tar.gz

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL version 1.0.2p published

2018-08-14 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.0.2p released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2p of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2p is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.2p.tar.gz
  Size: 5338192
  SHA1 checksum: f34b5322e92415755c7d58bf5d0d5cf37666382c
  SHA256 checksum: 
50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2p.tar.gz
openssl sha256 openssl-1.0.2p.tar.gz

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL version 1.1.1 pre release 7 published

2018-05-29 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.1 pre release 7 (beta)
   ==========================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 7 has now
   been made available. For details of changes and known issues see the
   release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   The beta release is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1-pre7.tar.gz
  Size: 8308876
  SHA1 checksum: 1879b688f9e36665f82bda8cac4f392029683bd0
  SHA256 checksum: 
e4a54e1eba294a2e39cde62aeaf1f1fa0442169f849faf14e735136ad6cc

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1-pre7.tar.gz
openssl sha256 openssl-1.1.1-pre7.tar.gz

   Please download and check this beta release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL version 1.1.1 pre release 5 published

2018-04-17 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


   OpenSSL version 1.1.1 pre release 5 (beta)
   ==========================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 5 has now
   been made available. For details of changes and known issues see the
   release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   The beta release is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1-pre5.tar.gz
  Size: 8288689
  SHA1 checksum: 8b479a8c555a9eba57b6003e4bd7200dff9535ee
  SHA256 checksum: 
0e5ff2f216cea5fa89af6dcd429c3c142acd7c786b0c4868a039689a2641cf3d

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1-pre5.tar.gz
openssl sha256 openssl-1.1.1-pre5.tar.gz

   Please download and check this beta release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL Security Advisory

2018-04-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL Security Advisory [16 Apr 2018]
=======================================

Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
================================================================

Severity: Low

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a
cache timing side channel attack. An attacker with sufficient access to mount
cache timing attacks during the RSA key generation process could recover the
private key.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
and OpenSSL 1.0.2p when they become available. The fix is also available in
commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2) in the OpenSSL git
repository.

This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
The fix was developed by Billy Brumley.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180416.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


[openssl-project] OpenSSL version 1.1.1 pre release 4 published

2018-04-03 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1 pre release 4 (beta)
   ==========================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 4 has now
   been made available. For details of changes and known issues see the
   release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   The beta release is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1-pre4.tar.gz
  Size: 8259067
  SHA1 checksum: 28d83c6441d269660ca1571331bb830867b082d4
  SHA256 checksum: 
df2d5fcc2a878525611c75b9e9116fbcfbce8d9b96419a16eda5fb11ecc428f6

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1-pre4.tar.gz
openssl sha256 openssl-1.1.1-pre4.tar.gz

   Please download and check this beta release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL version 1.1.0h published

2018-03-27 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.0h released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.0h of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.0-notes.html

   OpenSSL 1.1.0h is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.0h.tar.gz
  Size: 5422717
  SHA1 checksum: 0fc39f6aa91b6e7f4d05018f7c5e991e1d2491fd
  SHA256 checksum: 
5835626cde9e99656585fc7aaa2302a73a7e1340bf8c14fd635a62c66802a517

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0h.tar.gz
openssl sha256 openssl-1.1.0h.tar.gz

   Yours,

   The OpenSSL Project Team.



[openssl-project] OpenSSL version 1.0.2o published

2018-03-27 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.0.2o released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2o of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2o is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.2o.tar.gz
  Size: 5329472
  SHA1 checksum: a47faaca57b47a0d9d5fb085545857cc92062691
  SHA256 checksum: 
ec3f5c9714ba0fd45cb4e087301eb1336c317e0d20b575a125050470e8089e4d

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2o.tar.gz
openssl sha256 openssl-1.0.2o.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


[openssl-project] OpenSSL version 1.1.1 pre release 3 published

2018-03-20 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1 pre release 3 (beta)
   ==========================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 3 has now
   been made available. For details of changes and known issues see the
   release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   The beta release is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1-pre3.tar.gz
  Size: 6552052
  SHA1 checksum: a9dee6b70334726420f483c496216d2b335a4510
  SHA256 checksum: b541d574d8d099b0bc74ebc8174cec1dc9f426d8901d04be7874046ad72116b0

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1-pre3.tar.gz
openssl sha256 openssl-1.1.1-pre3.tar.gz

   Please download and check this beta release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-


[openssl-project] OpenSSL version 1.1.1 pre release 2 published

2018-02-27 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.1 pre release 2 (alpha)
   ===========================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 1.1.1 is currently in alpha. OpenSSL 1.1.1 pre release 2 has now
   been made available. For details of changes and known issues see the
   release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   The alpha release is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1-pre2.tar.gz
  Size: 6485957
  SHA1 checksum: 11be9034aa6b84eb8bfff7accc2a1a3f940deef9
  SHA256 checksum: 33dbda4a90345d256942fb5316967efd90df4f2373578c7b56c90062fe21fc9c

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1-pre2.tar.gz
openssl sha256 openssl-1.1.1-pre2.tar.gz

   Please download and check this alpha release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-