Re: [oss-security] Forthcoming OpenSSL Releases

2022-10-29 Thread Christian Heinrich
Shawn,

On Thu, 27 Oct 2022 at 02:00, Shawn Webb wrote:
> I don't see anything on the CERT Vince site. Is there any way we could
> coordinate a response via CERT?

This is addressed within the "Prenotification policy" of
https://www.openssl.org/policies/general/security-policy.html


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact


Forthcoming OpenSSL Releases

2022-10-25 Thread Ing. Martin Koci, MBA

Hello,

The OpenSSL project team would like to announce the forthcoming release 
of OpenSSL version 3.0.7.


This release will be made available on Tuesday 1st November 2022 between 
1300-1700 UTC.


OpenSSL 3.0.7 is a security-fix release. The highest severity issue 
fixed in this release is CRITICAL:


https://www.openssl.org/policies/general/security-policy.html

Yours
The OpenSSL Project Team





Forthcoming OpenSSL Releases

2022-10-04 Thread Matt Caswell

Hello,

The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.6 and 1.1.1r.

These releases will be made available on Tuesday 11th October 2022
between 1300-1700 UTC.

OpenSSL 3.0.6 is a security-fix release. The highest severity issue 
fixed in OpenSSL 3.0.6 is Low:


https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 is a bug-fix release. There are no security issues fixed 
in this release.


Yours
The OpenSSL Project Team




Forthcoming OpenSSL Releases

2022-07-01 Thread Ing. Martin Koci, MBA
Hello,

The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.5 and 1.1.1q.

These releases will be made available on Tuesday 5th July 2022
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue
fixed in 3.0.5 release is High, in 1.1.1q release Moderate:

https://www.openssl.org/policies/secpolicy.html

One of the issues fixed in the 3.0.5 release is the CVE-2022-2274 (Bug
in RSA implementation for AVX512IFMA capable CPUs) which is already
public:

https://www.cve.org/CVERecord?id=CVE-2022-2274

A workaround for the issue is to set the environment variable
OPENSSL_ia32cap to disable the AVX512IFMA based implementation:

export OPENSSL_ia32cap=:~0x200000

Yours
The OpenSSL Project Team
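
Added example (not part of the announcement, and not OpenSSL's own tooling): a shell check for whether the OPENSSL_ia32cap workaround described above is actually in effect on a host. It assumes a Linux /proc/cpuinfo, that AVX512IFMA is bit 21 of the second OPENSSL_ia32cap field, and it only understands the 0x-prefixed hex form; the function names and the sample flags line are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and SAMPLE_FLAGS are constructed, not OpenSSL's.

# AVX512IFMA is CPUID.(EAX=7,ECX=0):EBX bit 21, which OPENSSL_ia32cap
# exposes as bit 21 of its second colon-separated field.
IFMA_BIT=$((1 << 21))

# Constructed /proc/cpuinfo "flags" line for an AVX512IFMA-capable CPU.
SAMPLE_FLAGS='flags : fpu sse2 avx2 avx512f avx512dq avx512ifma avx512vl'

# cpu_has_ifma FLAGS -> 0 if the flags text lists avx512ifma as a whole word.
cpu_has_ifma() {
    case " $1 " in
        *" avx512ifma "*) return 0 ;;
        *) return 1 ;;
    esac
}

# ifma_masked CAP -> 0 if the OPENSSL_ia32cap value CAP turns AVX512IFMA off,
# 1 if it leaves it on, 2 if the second field is not in 0x-hex form.
ifma_masked() {
    cap=$1
    case "$cap" in
        *:*) ;;                 # a second field is present
        *) return 1 ;;          # unset, or first field only: bit untouched
    esac
    second=${cap#*:}            # text after the first colon
    second=${second%%:*}        # ignore any further fields
    invert=0
    case "$second" in
        "~"*) invert=1; second=${second#"~"} ;;
    esac
    case "$second" in
        0[xX]*) digits=${second#0[xX]} ;;
        *) return 2 ;;
    esac
    case "$digits" in
        ""|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#digits}" -le 16 ] || return 2
    val=$(($second))
    if [ "$invert" -eq 1 ]; then
        # "~mask" clears the named bits: off only if the mask names bit 21.
        [ $((val & IFMA_BIT)) -ne 0 ]
    else
        # A plain value replaces the field: off only if bit 21 is absent.
        [ $((val & IFMA_BIT)) -eq 0 ]
    fi
}

# assess FLAGS CAP -> prints not-applicable, workaround-active
# or workaround-missing.
assess() {
    if ! cpu_has_ifma "$1"; then
        echo not-applicable
    elif ifma_masked "$2"; then
        echo workaround-active
    else
        echo workaround-missing
    fi
}

# Stand-alone run: report on this host using its real CPU flags and the
# current environment (prints not-applicable where /proc/cpuinfo is absent).
flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || true)
echo "this host: $(assess "$flags" "${OPENSSL_ia32cap:-}")"
```

A result of workaround-missing on an AVX512IFMA-capable host means the variable is unset, malformed, or masks a different bit.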



Re: Forthcoming OpenSSL Releases

2022-06-15 Thread Matt Caswell




On 15/06/2022 03:31, Dennis Clarke via openssl-users wrote:
> On 6/14/22 08:03, Ing. Martin Koci, MBA wrote:
> > Hello,
> >
> > The OpenSSL project team would like to announce the forthcoming
> > release of OpenSSL versions 3.0.4, 1.1.1p.
> >
> > These releases will be made available on Tuesday 21st June 2022
> > between 1300-1700 UTC.
> >
> > These are security-fix releases. The highest severity issue
> > fixed in these releases is MODERATE:
> >
> > https://www.openssl.org/policies/secpolicy.html#moderate
>
> I am guessing there is a bunch of new test certs in there?

Yes.

Matt


Re: Forthcoming OpenSSL Releases

2022-06-14 Thread Dennis Clarke via openssl-users

On 6/14/22 08:03, Ing. Martin Koci, MBA wrote:
> Hello,
>
> The OpenSSL project team would like to announce the forthcoming
> release of OpenSSL versions 3.0.4, 1.1.1p.
>
> These releases will be made available on Tuesday 21st June 2022
> between 1300-1700 UTC.
>
> These are security-fix releases. The highest severity issue
> fixed in these releases is MODERATE:
>
> https://www.openssl.org/policies/secpolicy.html#moderate

I am guessing there is a bunch of new test certs in there?


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional


Forthcoming OpenSSL Releases

2022-06-14 Thread Ing. Martin Koci, MBA

Hello,

The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.4, 1.1.1p.

These releases will be made available on Tuesday 21st June 2022
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue
fixed in these releases is MODERATE:

https://www.openssl.org/policies/secpolicy.html#moderate

Yours

The OpenSSL Project Team


Re: Forthcoming OpenSSL Releases

2022-04-26 Thread Matt Caswell
The OpenSSL Project team have decided to postpone the releases of 3.0.3 
and 1.1.1o planned for today.


These releases will now be made available on Tuesday 3rd May 2022 
between 1300-1700 UTC.


These are security-fix releases. The highest severity issue fixed in 
these releases is MODERATE:

https://www.openssl.org/policies/secpolicy.html#moderate

Yours

The OpenSSL Project Team

On 19/04/2022 20:51, Matt Caswell wrote:
> The OpenSSL project team would like to announce the forthcoming
> release of OpenSSL versions 3.0.3 and 1.1.1o.
>
> These releases will be made available on Tuesday 26th April 2022
> between 1300-1700 UTC.
>
> These are security-fix releases. The highest severity issue
> fixed in these releases is MODERATE:
> https://www.openssl.org/policies/secpolicy.html#moderate
>
> Yours
>
> The OpenSSL Project Team





Forthcoming OpenSSL Releases

2022-04-19 Thread Matt Caswell

The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.3 and 1.1.1o.

These releases will be made available on Tuesday 26th April 2022
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue
fixed in these releases is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

Yours

The OpenSSL Project Team





Forthcoming OpenSSL releases

2022-03-08 Thread Matt Caswell

The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.2 and 1.1.1n.

These releases will be made available on Tuesday 15th March 2022
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue
fixed in these releases is HIGH:
https://www.openssl.org/policies/secpolicy.html#high

Yours

The OpenSSL Project Team




Forthcoming OpenSSL Releases

2021-12-07 Thread Matt Caswell

The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 1.1.1m and 3.0.1.

These releases will be made available on Tuesday 14th December 2021
between 1300-1700 UTC.

OpenSSL 3.0.1 is a security and bug fix release. The highest severity 
issue fixed in this release is MODERATE:

https://www.openssl.org/policies/secpolicy.html#moderate

OpenSSL 1.1.1m is a bug fix release. There are no security issues 
addressed in this release.


Yours

The OpenSSL Project Team




Re: Forthcoming OpenSSL Releases

2019-09-11 Thread Matt Caswell


On 03/09/2019 17:19, Matt Caswell wrote:
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t.
> 
> These releases will be made available on 10th September 2019 between
> approximately 1200-1600 UTC.
> 
> These are security fix releases. The highest severity security issue fixed by
> these releases is rated as LOW.
> 
> Please note that this is expected to be the last release of 1.1.0 before it goes
> out of support on 11th September 2019.

We have encountered some technical problems pushing these releases onto the
website today. Until those are resolved the release tarballs are not visible via
the standard links.

The releases are temporarily available at this non-standard location:

https://www.openssl.org/source/?

You can download them directly from there until such time as we fix the website.
We will send out the normal release announcements as soon as everything is
working normally again.

Regards

Matt






Re: Forthcoming OpenSSL Releases

2019-09-05 Thread Dennis Clarke

On 9/3/19 12:19 PM, Matt Caswell wrote:
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t.
>
> These releases will be made available on 10th September 2019 between
> approximately 1200-1600 UTC.
>
> These are security fix releases. The highest severity security issue fixed by
> these releases is rated as LOW.
>
> Please note that this is expected to be the last release of 1.1.0 before it goes
> out of support on 11th September 2019.
>
> Yours
>
> The OpenSSL Project Team



Will there be pre-release tarballs somewhere similar to
   https://www.openssl.org/source/snapshot/   ?


Dennis Clarke


Forthcoming OpenSSL Releases

2019-09-04 Thread Matt Caswell
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t.

These releases will be made available on 10th September 2019 between
approximately 1200-1600 UTC.

These are security fix releases. The highest severity security issue fixed by
these releases is rated as LOW.

Please note that this is expected to be the last release of 1.1.0 before it goes
out of support on 11th September 2019.

Yours

The OpenSSL Project Team





Re: Forthcoming OpenSSL Releases

2019-05-29 Thread Matthias St. Pierre




On 29.05.19 15:05, The Doctor wrote:
> For the next branch of OpenSSL is it 1.1.2 or 1.2.0 ?



The next major release will be 3.0.0. See
https://www.openssl.org/blog/blog/2018/11/28/version 

for an explanation.

Matthias



Re: Forthcoming OpenSSL Releases

2019-05-29 Thread The Doctor
For the next branch of OpenSSL is it 1.1.2 or 1.2.0 ?

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
Always seek out the seed of triumph in every adversity.  -Og Mandino


Re: Forthcoming OpenSSL Releases

2019-05-29 Thread Matt Caswell


On 21/05/2019 16:43, Matt Caswell wrote:
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.1.1c, 1.1.0k and 1.0.2s.
> 
> These releases will be made available on 28th May 2019 between approximately
> 1200-1600 UTC.
> 
> OpenSSL 1.1.0k and 1.0.2s contain security hardening bug fixes only but do not
> address any CVEs. OpenSSL 1.1.1c is a bug-fix release (and contains the
> equivalent security hardening fixes as for 1.1.0k and 1.0.2s where relevant).

Correction to this announcement: OpenSSL 1.1.1c and OpenSSL 1.1.0k (released
yesterday) do not address any new CVEs. They do however contain a fix for a
previously announced low severity CVE (CVE-2019-1543). See the original security
advisory here:

https://www.openssl.org/news/secadv/20190306.txt

Matt





Forthcoming OpenSSL Releases

2019-05-21 Thread Matt Caswell
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1c, 1.1.0k and 1.0.2s.

These releases will be made available on 28th May 2019 between approximately
1200-1600 UTC.

OpenSSL 1.1.0k and 1.0.2s contain security hardening bug fixes only but do not
address any CVEs. OpenSSL 1.1.1c is a bug-fix release (and contains the
equivalent security hardening fixes as for 1.1.0k and 1.0.2s where relevant).

Yours

The OpenSSL Project Team





Forthcoming OpenSSL Releases

2019-02-19 Thread Matt Caswell

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1b and 1.0.2r. There will be no new 1.1.0 release at
this time.

These releases will be made available on 26th February 2019 between
approximately 1300-1700 UTC.

OpenSSL 1.0.2r is a security-fix release. The highest severity issue fixed in
this release is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

OpenSSL 1.1.1b is a bug-fix release.

Yours

The OpenSSL Project Team





[openssl-users] Forthcoming OpenSSL Releases

2018-11-14 Thread Matt Caswell
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1a, 1.1.0j and 1.0.2q.

These releases will be made available on 20th November 2018 between
approximately 1300-1700 UTC.

These are bug-fix releases. They also contain the fixes for three LOW
severity security issues CVE-2018-0735, CVE-2018-0734 and CVE-2018-5407 which
were previously announced here:

https://www.openssl.org/news/secadv/20181029.txt
https://www.openssl.org/news/secadv/20181030.txt
https://www.openssl.org/news/secadv/20181112.txt

CVE-2018-0735 only affects the 1.1.0 branch.
CVE-2018-0734 affects the 1.1.1, 1.1.0 and 1.0.2 branches.
CVE-2018-5407 affects the 1.0.2 branch. It also affects older 1.1.0 releases
before 1.1.0i.

Yours

The OpenSSL Project Team



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Forthcoming OpenSSL releases

2018-08-07 Thread Matt Caswell
Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.0i and 1.0.2p.

These releases will be made available on 14th August 2018 between
approximately 1200-1600 UTC.

These are bug-fix releases. They also contain the fixes for two LOW
severity security issues (CVE-2018-0732 and CVE-2018-0737) which were
previously announced here:

https://www.openssl.org/news/secadv/20180612.txt
https://www.openssl.org/news/secadv/20180416.txt

Yours

The OpenSSL Project Team





[openssl-users] Forthcoming OpenSSL releases

2018-03-20 Thread Matt Caswell
Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.0h and 1.0.2o.

These releases will be made available on 27th March 2018 between
approximately 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
these releases is MODERATE.

Yours

The OpenSSL Project Team





Re: [openssl-users] Forthcoming OpenSSL releases

2017-10-30 Thread Matt Caswell


On 30/10/17 13:50, Matt Caswell wrote:
> Forthcoming OpenSSL releases
> 
> 
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.1.0g and 1.0.2m.
> 
> These releases will be made available on 2nd November 2017 between
> approximately 1300-1700 UTC.
> 
> This is a bug-fix release. It will also include a fix for the low
> severity security issue previously published here:
> https://www.openssl.org/news/secadv/20170828.txt

Correction: It will additionally include a fix for a moderate level
security issue.

> 
> Please also note that, as per our previous announcements, support for
> 1.0.1 ended on 31st December 2016.
> 
> Yours
> 
> The OpenSSL Project Team
> 


[openssl-users] Forthcoming OpenSSL releases

2017-10-30 Thread Matt Caswell
Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.0g and 1.0.2m.

These releases will be made available on 2nd November 2017 between
approximately 1300-1700 UTC.

This is a bug-fix release. It will also include a fix for the low
severity security issue previously published here:
https://www.openssl.org/news/secadv/20170828.txt

Please also note that, as per our previous announcements, support for
1.0.1 ended on 31st December 2016.

Yours

The OpenSSL Project Team


[openssl-users] Forthcoming OpenSSL releases

2017-05-22 Thread Matt Caswell

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2l and 1.1.0f.

These releases will be made available on 25th May 2017 between
approximately 1200-1600 UTC.

Note: These are bug-fix only releases. No security defects are addressed
in these releases.

Please also note that, as per our previous announcements, support for
1.0.1 ended on 31st December 2016.

Yours

The OpenSSL Project Team





[openssl-users] Fwd: [openssl-announce] Forthcoming OpenSSL releases

2017-01-25 Thread Matt Caswell
In case anyone on these lists missed this on the openssl-announce list:


 Forwarded Message 
Subject: [openssl-announce] Forthcoming OpenSSL releases
Date: Mon, 23 Jan 2017 21:08:50 +0000 (GMT)
From: OpenSSL <open...@openssl.org>
Reply-To: openssl-users@openssl.org
To: openssl-annou...@openssl.org

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release of
OpenSSL versions 1.0.2k, 1.1.0d.

These releases will be made available on 26th January 2017 between
approximately
1300-1700 UTC.  They will fix several security defects with maximum severity
"moderate".

Please see the following page for further details of severity levels:
https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, support for 1.0.1
ended on 31st December 2016.

Yours

The OpenSSL Project Team
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce






[openssl-users] Forthcoming OpenSSL releases

2016-04-28 Thread OpenSSL


Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release of
OpenSSL versions 1.0.2h, 1.0.1t.

These releases will be made available on 3rd May 2016 between approximately
1200-1500 UTC.  They will fix several security defects with maximum severity
"high".

Please see the following page for further details of severity levels:
https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, support for 1.0.1
will end on 31st December 2016.

Yours

The OpenSSL Project Team


[openssl-users] Forthcoming OpenSSL releases

2016-02-25 Thread Mark J Cox

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release of
OpenSSL versions 1.0.2g, 1.0.1s.

These releases will be made available on 1st March 2016 between approximately
1300-1700 UTC.  They will fix several security defects with maximum severity
"high".

Please see the following page for further details of severity levels:
https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, support for 1.0.1
will end on 31st December 2016.

Yours

The OpenSSL Project Team


[openssl-users] Forthcoming OpenSSL releases

2016-01-25 Thread Mark J Cox

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release of
OpenSSL versions 1.0.2f, 1.0.1r.

These releases will be made available on 28th January between approx.  1pm and
5pm (UTC). They will fix two security defects, one of "high" severity affecting
1.0.2 releases, and one "low" severity affecting all releases.

Please see the following page for further details of severity levels:
https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, support for 1.0.0 and
0.9.8 releases ended on 31st December 2015 and are no longer receiving security
updates.  Support for 1.0.1 will end on 31st December 2016.

Yours

The OpenSSL Project Team


[openssl-users] Forthcoming OpenSSL releases

2015-11-30 Thread Matt Caswell

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2e, 1.0.1q, 1.0.0t and 0.9.8zh.

These releases will be made available on 3rd December between approx.
1pm and 5pm (UTC). They will fix a number of security defects, the
highest of which is classified as "moderate" severity.

Please note that the OpenSSL project has recently revised its severity
definitions by introducing a new "critical" level, i.e. the severity
levels are now: critical, high, moderate and low. Please see the
following page for further details:
https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, the 1.0.0 and
0.9.8 releases will no longer be receiving security updates after the
end of this year. This means that, barring any unexpected significant
security issues between now and 31st December 2015, it is likely that
these releases will be the last ones for 1.0.0 and 0.9.8.

Yours

The OpenSSL Project Team


[openssl-users] Forthcoming OpenSSL releases

2015-07-07 Thread Mark J Cox


Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2d and 1.0.1p.

These releases will be made available on 9th July. They will fix a
single security defect classified as high severity.  This defect does
not affect the 1.0.0 or 0.9.8 releases.

Yours

The OpenSSL Project Team




[openssl-users] Forthcoming OpenSSL releases

2015-06-08 Thread Matt Caswell

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg.

These releases will be made available on Thursday 11th June. They will
fix a number of security defects. The highest severity defect fixed by
these releases is classified as moderate severity (see
https://www.openssl.org/about/secpolicy.html).

Yours

The OpenSSL Project Team


Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-19 Thread Jeffrey Walton
On Wed, Mar 18, 2015 at 5:14 AM, Matt Caswell m...@openssl.org wrote:


> On 18/03/15 07:59, Jakob Bohm wrote:
> > (Resend due to MUA bug sending this to -announce)
> >
> > On 16/03/2015 20:05, Matt Caswell wrote:
> > > Forthcoming OpenSSL releases
> > >
> > > The OpenSSL project team would like to announce the forthcoming release
> > > of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
> > >
> > > These releases will be made available on 19th March. They will fix a
> > > number of security defects. The highest severity defect fixed by these
> > > releases is classified as high severity.
> > Just for clarity in preparing to use the forthcoming
> > update:
> >
> > Has the 1.0.1m source code been mangled by the script that
> > made it near-impossible to port local changes to 1.0.2, or
> > will it retain the same code formatting as in the rest of
> > the 1.0.1 series?
> >
> > Similarly, will 1.0.0r be mangled or will it retain the
> > same code formatting as in the rest of the 1.0.0 series?
> >
> > Similarly, will 0.9.8zf be mangled or will it retain the
> > same code formatting as in the rest of the 0.9.8 series?
>
> I prefer the term improved over mangled! ;-)
>
> The answer is, yes, all branches (including 1.0.1, 1.0.0 and 0.9.8) have
> been reformatted according to the new coding style.

+1 on the reformatting. My eyes no longer bleed when looking at some
of the sources.

It's an unfortunate side effect that it's going to negatively affect
some folks in the short term, but it's a good long term decision for
the health of the project.

Jeff


Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-19 Thread Dr. Matthias St. Pierre
I just posted an updated version of my script in a new
thread, titled 

 Minimizing the pain of reformatting your OpenSSL patches

Regards,
msp



On 03/19/2015 02:22 AM, Dr. Matthias St. Pierre wrote:
> Hello,
>
> Here is a recipe to guide you through the reformatting.
> It worked nicely for me. I wrote a small bash shell script
> which helped me do the bulk conversion, see attachment
> Hope you'll find this information helpful.


Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread Jakob Bohm

On 18/03/2015 10:14, Matt Caswell wrote:
> On 18/03/15 07:59, Jakob Bohm wrote:
> > (Resend due to MUA bug sending this to -announce)
> >
> > On 16/03/2015 20:05, Matt Caswell wrote:
> > > Forthcoming OpenSSL releases
> > >
> > > The OpenSSL project team would like to announce the forthcoming release
> > > of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
> > >
> > > These releases will be made available on 19th March. They will fix a
> > > number of security defects. The highest severity defect fixed by these
> > > releases is classified as high severity.
> >
> > Just for clarity in preparing to use the forthcoming
> > update:
> >
> > Has the 1.0.1m source code been mangled by the script that
> > made it near-impossible to port local changes to 1.0.2, or
> > will it retain the same code formatting as in the rest of
> > the 1.0.1 series?
> >
> > Similarly, will 1.0.0r be mangled or will it retain the
> > same code formatting as in the rest of the 1.0.0 series?
> >
> > Similarly, will 0.9.8zf be mangled or will it retain the
> > same code formatting as in the rest of the 0.9.8 series?
>
> I prefer the term improved over mangled! ;-)
>
> The answer is, yes, all branches (including 1.0.1, 1.0.0 and 0.9.8) have
> been reformatted according to the new coding style.
>
> It is perfectly possible, if a little fiddly, to reformat your local
> patches to the new style. I have done so myself for a number of my own
> patches. I included some outline instructions on how to do it in my
> recent blog post on the reformat:
>
> https://www.openssl.org/blog/blog/2015/02/11/code-reformat-finished/

Long read, and lots of internal details of how your script
doesn't even work for your own code...

However the patch rebasing instructions are *completely
useless* for those of us who maintain private patches
against releases tarballs.  We *don't* have any of this
in a clone of your git and we *have no way* to access
intermediary git steps from your partially botched
freeze-reformat-unfreeze-other-work-oopsmorereformat-
other-work sequence.

I guess each of us will have to spend weeks (or more)
manually recreating all our hard work before we can apply
whatever security fixes are hidden in tomorrow's tarball.

And it also seems that it is nearly impossible to turn the
changes into a reviewable patch that can be applied to an
existing tree, like the various distributions (on and off
the vendor-sec lists) will need to.

So let's all hope one of the vendors will do your job for
you and transform the new releases into patches against
the previous tarballs, before the embargo is lifted
tomorrow, or soon after.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread Matt Caswell


On 18/03/15 07:59, Jakob Bohm wrote:
> (Resend due to MUA bug sending this to -announce)
>
> On 16/03/2015 20:05, Matt Caswell wrote:
> > Forthcoming OpenSSL releases
> >
> > The OpenSSL project team would like to announce the forthcoming release
> > of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
> >
> > These releases will be made available on 19th March. They will fix a
> > number of security defects. The highest severity defect fixed by these
> > releases is classified as high severity.
>
> Just for clarity in preparing to use the forthcoming
> update:
>
> Has the 1.0.1m source code been mangled by the script that
> made it near-impossible to port local changes to 1.0.2, or
> will it retain the same code formatting as in the rest of
> the 1.0.1 series?
>
> Similarly, will 1.0.0r be mangled or will it retain the
> same code formatting as in the rest of the 1.0.0 series?
>
> Similarly, will 0.9.8zf be mangled or will it retain the
> same code formatting as in the rest of the 0.9.8 series?

I prefer the term improved over mangled! ;-)

The answer is, yes, all branches (including 1.0.1, 1.0.0 and 0.9.8) have
been reformatted according to the new coding style.

It is perfectly possible, if a little fiddly, to reformat your local
patches to the new style. I have done so myself for a number of my own
patches. I included some outline instructions on how to do it in my
recent blog post on the reformat:

https://www.openssl.org/blog/blog/2015/02/11/code-reformat-finished/

Regards

Matt



Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread Jakob Bohm

(Resend due to MUA bug sending this to -announce)

On 16/03/2015 20:05, Matt Caswell wrote:

> Forthcoming OpenSSL releases
>
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
>
> These releases will be made available on 19th March. They will fix a
> number of security defects. The highest severity defect fixed by these
> releases is classified as high severity.

Just for clarity in preparing to use the forthcoming
update:

Has the 1.0.1m source code been mangled by the script that
made it near-impossible to port local changes to 1.0.2, or
will it retain the same code formatting as in the rest of
the 1.0.1 series?

Similarly, will 1.0.0r be mangled or will it retain the
same code formatting as in the rest of the 1.0.0 series?

Similarly, will 0.9.8zf be mangled or will it retain the
same code formatting as in the rest of the 0.9.8 series?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread Matt Caswell


On 18/03/15 10:45, Jakob Bohm wrote:
> However the patch rebasing instructions are *completely
> useless* for those of us who maintain private patches
> against release tarballs.  We *don't* have any of this
> in a clone of your git and we *have no way* to access
> intermediary git steps from your partially botched
> freeze-reformat-unfreeze-other-work-oopsmorereformat-
> other-work sequence.

There should be no reason why the instructions cannot be adapted to
patch files, if that is what you are using. You will still need access
to git to do it - but the git repository is publicly accessible.

Matt



Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread John Foley
We maintain our own derivative of OpenSSL and haven't had any
significant issues due to the code reformat.  We simply run the reformat
script on our downstream derivative.  We can then generate patch files
of our changes and reapply them to new OpenSSL releases.  It was fairly
straight forward.

IMHO, the code reformat was long overdue.  The prior lack of consistent
coding style was an abomination, making the code more difficult to read
and maintain.  Sometimes taking a step forward results in some pain. 
This was a good investment for the future.

+1 for the reformat.



On 03/18/2015 06:45 AM, Jakob Bohm wrote:
> On 18/03/2015 10:14, Matt Caswell wrote:
> > On 18/03/15 07:59, Jakob Bohm wrote:
> > > (Resend due to MUA bug sending this to -announce)
> > >
> > > On 16/03/2015 20:05, Matt Caswell wrote:
> > > > Forthcoming OpenSSL releases
> > > >
> > > > The OpenSSL project team would like to announce the forthcoming release
> > > > of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
> > > >
> > > > These releases will be made available on 19th March. They will fix a
> > > > number of security defects. The highest severity defect fixed by these
> > > > releases is classified as high severity.
> > >
> > > Just for clarity in preparing to use the forthcoming
> > > update:
> > >
> > > Has the 1.0.1m source code been mangled by the script that
> > > made it near-impossible to port local changes to 1.0.2, or
> > > will it retain the same code formatting as in the rest of
> > > the 1.0.1 series?
> > >
> > > Similarly, will 1.0.0r be mangled or will it retain the
> > > same code formatting as in the rest of the 1.0.0 series?
> > >
> > > Similarly, will 0.9.8zf be mangled or will it retain the
> > > same code formatting as in the rest of the 0.9.8 series?
> >
> > I prefer the term improved over mangled! ;-)
> >
> > The answer is, yes, all branches (including 1.0.1, 1.0.0 and 0.9.8) have
> > been reformatted according to the new coding style.
> >
> > It is perfectly possible, if a little fiddly, to reformat your local
> > patches to the new style. I have done so myself for a number of my own
> > patches. I included some outline instructions on how to do it in my
> > recent blog post on the reformat:
> >
> > https://www.openssl.org/blog/blog/2015/02/11/code-reformat-finished/
>
> Long read, and lots of internal details of how your script
> doesn't even work for your own code...
>
> However the patch rebasing instructions are *completely
> useless* for those of us who maintain private patches
> against release tarballs.  We *don't* have any of this
> in a clone of your git and we *have no way* to access
> intermediary git steps from your partially botched
> freeze-reformat-unfreeze-other-work-oopsmorereformat-
> other-work sequence.
>
> I guess each of us will have to spend weeks (or more)
> manually recreating all our hard work before we can apply
> whatever security fixes are hidden in tomorrow's tarball.
>
> And it also seems that it is nearly impossible to turn the
> changes into a reviewable patch that can be applied to an
> existing tree, like the various distributions (on and off
> the vendor-sec lists) will need to.
>
> So let's all hope one of the vendors will do your job for
> you and transform the new releases into patches against
> the previous tarballs, before the embargo is lifted
> tomorrow, or soon after.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded




Re: [openssl-users] Forthcoming OpenSSL releases

2015-03-18 Thread Matt Caswell
On 16/03/15 19:05, Matt Caswell wrote:
 
> Forthcoming OpenSSL releases
>
> The OpenSSL project team would like to announce the forthcoming
> release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
>
> These releases will be made available on 19th March. They will fix
> a number of security defects. The highest severity defect fixed by
> these releases is classified as high severity.

I have received a number of queries regarding the timing of Thursday's
release. To clarify, we are aiming to have the release available
sometime between 1100-1500 GMT.

Regards

Matt



Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread Jakob Bohm

Nice, so the extra work is minimal for complete forks of
OpenSSL.

The extra work is also documented (in a place not linked from
the wiki) for those who maintain a git fork of the OpenSSL
repository.

But I have not yet seen a meaningful recipe for those of us
who maintain a traditional set of feature patches against
the released tarballs, nicely organized for future
contribution.

Maybe they want us all to fork OpenSSL :-)

On 18/03/2015 13:55, John Foley wrote:
We maintain our own derivative of OpenSSL and haven't had any 
significant issues due to the code reformat.  We simply run the 
reformat script on our downstream derivative.  We can then generate 
patch files of our changes and reapply them to new OpenSSL releases.  
It was fairly straight forward.


IMHO, the code reformat was long overdue.  The prior lack of 
consistent coding style was an abomination, making the code more 
difficult to read and maintain.  Sometimes taking a step forward 
results in some pain.  This was a good investment for the future.


+1 for the reformat.



On 03/18/2015 06:45 AM, Jakob Bohm wrote:

On 18/03/2015 10:14, Matt Caswell wrote:

On 18/03/15 07:59, Jakob Bohm wrote:

(Resend due to MUA bug sending this to -announce)

On 16/03/2015 20:05, Matt Caswell wrote:

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as high severity.

Just for clarity in preparing to use the forthcoming
update:

Has the 1.0.1m source code been mangled by the script that
made it near-impossible to port local changes to 1.0.2, or
will it retain the same code formatting as in the rest of
the 1.0.1 series?

Similarly, will 1.0.0r be mangled or will it retain the
same code formatting as in the rest of the 1.0.0 series?

Similarly, will 0.9.8zf be mangled or will it retain the
same code formatting as in the rest of the 0.9.8 series?

I prefer the term improved over mangled! ;-)

The answer is, yes, all branches (including 1.0.1, 1.0.0 and 0.9.8) have
been reformatted according to the new coding style.

It is perfectly possible, if a little fiddly, to reformat your local
patches to the new style. I have done so myself for a number of my own
patches. I included some outline instructions on how to do it in my
recent blog post on the reformat:

https://www.openssl.org/blog/blog/2015/02/11/code-reformat-finished/

Long read, and lots of internal details of how your script
doesn't even work for your own code...

However the patch rebasing instructions are *completely
useless* for those of us who maintain private patches
against release tarballs.  We *don't* have any of this
in a clone of your git and we *have no way* to access
intermediary git steps from your partially botched
freeze-reformat-unfreeze-other-work-oopsmorereformat-
other-work sequence.

I guess each of us will have to spend weeks (or more)
manually recreating all our hard work before we can apply
whatever security fixes are hidden in tomorrow's tarball.

And it also seems that it is nearly impossible to turn the
changes into a reviewable patch that can be applied to an
existing tree, like the various distributions (on and off
the vendor-sec lists) will need to.

So let's all hope one of the vendors will do your job for
you and transform the new releases into patches against
the previous tarballs, before the embargo is lifted
tomorrow, or soon after.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread Salz, Rich
> The extra work is also documented (in a place not linked from the wiki) for
> those who maintain a git fork of the OpenSSL repository.

I just tossed together https://wiki.openssl.org/index.php/Code_reformatting
Found off the main page,
https://wiki.openssl.org/index.php/Main_Page#Internals_and_Development

> But I have not yet seen a meaningful recipe for those of us who maintain a
> traditional set of feature patches against the released tarballs, nicely
> organized for future contribution.

Folks had months of warning that this was going to happen.  And, frankly, 
patches did not come flooding into the team. 

But I hope the above link helps.

/r$



Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread Dr. Matthias St. Pierre
Thanks for the three line upgrade recipe in
https://wiki.openssl.org/index.php/Code_reformatting
It's as simple as you stated, indeed.

The reformatting was a good thing to do. Also, it makes sense to me to apply it
to all stable branches uniformly, in order to simplify cross-branch merging.

msp




On 03/18/2015 04:32 PM, Salz, Rich wrote:
> > The extra work is also documented (in a place not linked from the wiki) for
> > those who maintain a git fork of the OpenSSL repository.
>
> I just tossed together https://wiki.openssl.org/index.php/Code_reformatting
> Found off the main page,
> https://wiki.openssl.org/index.php/Main_Page#Internals_and_Development
>
> > But I have not yet seen a meaningful recipe for those of us who maintain a
> > traditional set of feature patches against the released tarballs, nicely
> > organized for future contribution.
>
> Folks had months of warning that this was going to happen.  And, frankly,
> patches did not come flooding into the team.
>
> But I hope the above link helps.
>
> /r$



Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread Dr. Matthias St. Pierre
Hello,

Here is a recipe to guide you through the reformatting.
It worked nicely for me. I wrote a small bash shell script
which helped me do the bulk conversion, see attachment.
Hope you'll find this information helpful.

In the following I briefly describe the steps by which you can

 1) get your patches into git (if not yet done)
 2) do the reformatting of the commits in git, with the
    help of my script
 3) rebase your patches to the current release
 4) recreate the patches using 'git format-patch'


If your patches are already maintained in a git repository,
you may skip step 1)


1) If you only have patches, it's a good idea to get
your own clone of the git repository

   git clone git://git.openssl.org/openssl.git
   cd openssl

now create a branch off the vanilla release to
which your patches apply (say, OpenSSL 1.0.1k)

   git checkout -b mypatches OpenSSL_1_0_1k

apply your patches one after the other, creating
a single commit for each with meaningful commit
messages

  (If you don't know how to do this in git, you may
   want to see http://git-scm.com/doc)


2) Now we assume that
  a) you already have an OpenSSL git repository
  b) your patches are on a branch called 'mypatches',
     which were branched from one of the stable branches
     before the reformatting (say OpenSSL_1_0_1-stable)
  c) your working copy is clean (no local changes or
     untracked files)
  d) you're running Linux (if not, get yourself a Linux VM)


The attached script shows an example of how to automate
the procedure of reformatting every single commit on your
branch and recommitting it. It contains a lot of comments
to explain what it is doing. PLEASE READ THE COMMENTS
CAREFULLY BEFORE RUNNING THE SCRIPT! 

You just have to set the two variables 'branch' and 'upstream' 
at the beginning of the script (marked 'todo') to the name
of your branch and its upstream branch, respectively.

3) After the script has succeeded, you can rebase your
reformatted branch to the head of the stable branch (or
to the tag of the most recent release), e.g.

git checkout -b mypatches-reformatted mypatches-post-auto-reformat
git rebase OpenSSL_1_0_1-stable


4) Now you can have git recreate your patches automatically
with a single command:

git format-patch $(git merge-base HEAD OpenSSL_1_0_1-stable)..HEAD
 
[5) Now you can keep using the git repository to manage new patches.
Due to the rebasing capabilities of git, your patches will always
be up to date ]




DISCLAIMER

The script is not 100% fool-proof, it's a demonstration
which may serve as a starting point for you.
In particular, there is no error recovery and no guarantee,
if there are any conflicts or errors in the middle of the
reformatting procedure.

So you'd better try it on a copy of your git repository
first.



-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jakob Bohm
Sent: Wednesday, 18 March 2015 15:39
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

Nice, so the extra work is minimal for complete forks of OpenSSL.

The extra work is also documented (in a place not linked from the wiki) for
those who maintain a git fork of the OpenSSL repository.

But I have not yet seen a meaningful recipe for those of us who maintain a
traditional set of feature patches against the released tarballs, nicely
organized for future contribution.

Maybe they want us all to fork OpenSSL :-)

On 18/03/2015 13:55, John Foley wrote:
> We maintain our own derivative of OpenSSL and haven't had any
> significant issues due to the code reformat.  We simply run the
> reformat script on our downstream derivative.  We can then generate
> patch files of our changes and reapply them to new OpenSSL releases.
> It was fairly straight forward.
>
> IMHO, the code reformat was long overdue.  The prior lack of
> consistent coding style was an abomination, making the code more
> difficult to read and maintain.  Sometimes taking a step forward
> results in some pain.  This was a good investment for the future.
>
> +1 for the reformat.
>
>
>
> On 03/18/2015 06:45 AM, Jakob Bohm wrote:
> > On 18/03/2015 10:14, Matt Caswell wrote:
> > > On 18/03/15 07:59, Jakob Bohm wrote:
> > > > (Resend due to MUA bug sending this to -announce)
> > > >
> > > > On 16/03/2015 20:05, Matt Caswell wrote:
> > > > > Forthcoming OpenSSL releases
> > > > >
> > > > > The OpenSSL project team would like to announce the forthcoming
> > > > > release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
> > > > >
> > > > > These releases will be made available on 19th March. They will fix
> > > > > a number of security defects. The highest severity defect fixed by
> > > > > these releases is classified as high severity.
> > > >
> > > > Just for clarity in preparing to use the forthcoming
> > > > update:
> > > >
> > > > Has the 1.0.1m source code been mangled by the script that made it
> > > > near-impossible to port local changes to 1.0.2, or will it retain
> > > > the same code formatting as in the rest of the 1.0.1 series
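
Steps 2 to 4 of the recipe in Matthias St. Pierre's message above, run end to end on a constructed throwaway repository. This is an added example, not the script attached to that message, which is not reproduced on this page. The tags `release-old`, `post-reformat` and `release-new`, the branch names and the tab-to-space `format_tree` formatter are assumptions standing in for the OpenSSL tags and reformat script.

```shell
#!/bin/sh
# Added example: steps 2-4 of the recipe on a constructed throwaway repository.
# Tag names, branch names and the formatter are stand-ins, not OpenSSL's.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
TAB=$(printf '\t')

# Stand-in for the upstream reformat script (assumption): tabs become four
# spaces and trailing blanks are stripped in every tracked .c file.
format_tree() {
    git ls-files '*.c' | while IFS= read -r f; do
        sed -e "s/$TAB/    /g" -e "s/[ $TAB]*\$//" "$f" > "$f.new"
        mv "$f.new" "$f"
    done
}

# Constructed history: old-style release -> reformat -> fix in the new style,
# plus a 'mypatches' branch with two old-style commits on the old release.
build_sandbox() {
    git init -q "$1"
    cd "$1"
    printf 'int check(int n)\n{\n\tif (n < 0)\n\t\treturn 0;\n\treturn 1;\n}\n' > a.c
    printf 'int twice(int n)\n{\n\treturn n * 2;\n}\n' > b.c
    git add a.c b.c
    git commit -q -m 'release, old style'
    git tag release-old
    format_tree
    git commit -q -a -m 'reformat'
    git tag post-reformat
    sed 's/n < 0/n <= 0/' a.c > a.new
    mv a.new a.c
    git commit -q -a -m 'security fix'
    git tag release-new
    git checkout -q -b mypatches release-old
    printf '\nint local_one(void)\n{\n\treturn 1;\n}\n' >> b.c
    git commit -q -a -m 'local: add local_one'
    sed 's/return n \* 2;/return n << 1;/' b.c > b.new
    mv b.new b.c
    git commit -q -a -m 'local: shift instead of multiply'
}

# Step 2: replay every commit of branch $1 (forked from $2) on top of $3,
# the reformatted twin of $2, formatting each intermediate tree.
reformat_commits() {
    git checkout -q -b "$4" "$3"
    for c in $(git rev-list --reverse "$2..$1"); do
        git read-tree --reset -u "$c"    # index and work tree := tree of $c
        format_tree
        git add -A
        git commit -q -C "$c"            # keep the original message and author
    done
}

# Does the patch series in directory $1 apply, in order, to tag $2?
applies() {
    git checkout -q -f --detach "$2"
    for p in "$1"/*.patch; do
        git apply "$p" 2>/dev/null || return 1
    done
}

demo() (
    dir=$(mktemp -d)
    build_sandbox "$dir/repo"
    git format-patch -q -o "$dir/old" release-old..mypatches
    reformat_commits mypatches release-old post-reformat mypatches-reformatted
    git rebase -q release-new                              # step 3
    git format-patch -q -o "$dir/new" release-new..HEAD    # step 4
    old=rejected; new=rejected
    if applies "$dir/old" release-new; then old=applies; fi
    if applies "$dir/new" release-new; then new=applies; fi
    tabs=$(cat a.c b.c | tr -cd "$TAB" | wc -c | tr -d ' ')
    echo "old=$old new=$new patches=$(ls "$dir/new" | wc -l | tr -d ' ') tabs=$tabs"
    rm -rf "$dir"
)
demo
```

The old-style series is rejected by the reformatted release because its context lines still carry tabs, while the regenerated series applies in order on top of the security fix.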

Re: [openssl-users] Forthcoming OpenSSL releases

2015-03-17 Thread Matt Caswell



On 17/03/15 00:32, Sec_Aficionado wrote:
> Thanks for the heads up. Just to confirm, is this highest severity
> defect a yet-to-be-disclosed vulnerability, or a fix for an
> already known one?

This is a previously undisclosed vulnerability.

Matt


Re: [openssl-users] Forthcoming OpenSSL releases

2015-03-16 Thread Sec_Aficionado
Thanks for the heads up. Just to confirm, is this highest severity defect a 
yet-to-be-disclosed vulnerability, or a fix for an already known one?

Sent from my mobile

 On Mar 16, 2015, at 3:05 PM, Matt Caswell m...@openssl.org wrote:
 
> Forthcoming OpenSSL releases
>
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
>
> These releases will be made available on 19th March. They will fix a
> number of security defects. The highest severity defect fixed by these
> releases is classified as high severity.
>
> Yours
>
> The OpenSSL Project Team


[openssl-users] Forthcoming OpenSSL releases

2015-03-16 Thread Matt Caswell

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as high severity.

Yours

The OpenSSL Project Team


[openssl-users] Forthcoming OpenSSL releases and reformat

2015-01-14 Thread Matt Caswell
The OpenSSL Project are pleased to make the following announcements:

- There will be new releases made available on Thursday 15th January for
versions 1.0.1, 1.0.0 and 0.9.8. These will be bug fix only releases to
address build problems with the current releases on the Windows and
OpenVMS platforms. No new security issues will be included in these
releases.

- The whole OpenSSL codebase will be reformatted according to the newly
published OpenSSL coding style
(https://www.openssl.org/about/codingstyle.txt) on Wednesday 21st
January. This will include the master, 1.0.2, 1.0.1, 1.0.0 and 0.9.8
branches. See [1] for further background information.

- Between the releases being made available on 15th January and the code
reformat on 21st January the 1.0.1, 1.0.0 and 0.9.8 branches in the
public repository will be frozen and no changes will be made (except
in the case of very high priority fixes).

- OpenSSL 1.0.2 will be released on Thursday 22nd January.

Yours

The OpenSSL Project Team

[1] https://mta.openssl.org/pipermail/openssl-dev/2015-January/000299.html


[openssl-users] Forthcoming OpenSSL releases

2015-01-05 Thread OpenSSL
Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.1k, 1.0.0p and 0.9.8zd.

These releases will be made available on 8th January. They will fix a
number of security defects. Since these security defects are considered
as moderate severity or less no further details or patches will be made
available in advance of the release.

Yours

The OpenSSL Project Team
___
openssl-users mailing list
openssl-users@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users


Forthcoming OpenSSL releases

2014-08-03 Thread OpenSSL
Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.1i, 1.0.0n and 0.9.8zb.

These releases will be made available on 6th August at some time after
20.30 UTC. They will fix a number of security defects. Since these
security defects are considered as moderate severity or less no further
details or patches will be made available in advance of the release to
any parties.

Yours

The OpenSSL Project Team

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org