RE: OpenSSL 1.0.0c released
That's a pretty bold statement and doesn't always apply in a product environment. I have not deployed 1.0.0b (because of the pending issues); I'm still at 1.0.0a and have to decide whether to patch the vulnerabilities, or risk updating OpenSSL completely and retesting all of its consumers.

Erik

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Victor Duchovni
Sent: Thursday, December 02, 2010 6:09 PM

[...]
> 1.0.0c contains important non-security bug fixes for 1.0.0b, so you should deploy 1.0.0c anyway.
[...]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: OpenSSL 1.0.0c released
On Fri, Dec 03, 2010 at 09:50:49AM -0500, Erik Tkal wrote:

> That's a pretty bold statement and doesn't always apply in a product environment.

I have a production environment. The non-security issues in the unpatched 1.0.0b release create substantial interoperability issues with servers and clients that support EECDH key agreement. These issues are more severe than the CVEs fixed in either 1.0.0b or 1.0.0c. Therefore, if you have deployed 1.0.0b, you really must IMHO upgrade to 1.0.0c.

> I have not deployed 1.0.0b (because of the pending issues); I'm still at 1.0.0a and have to decide whether to patch the vulnerabilities, or risk updating OpenSSL completely and retesting all of its consumers.

Starting with 1.0.0, the stable release gets no new features, just bug fixes, so backporting just the CVE patches is not necessary; you can just deploy 1.0.0c shared libraries (and include files) in the locations where you previously had 1.0.0a libraries (and include files).

--
	Viktor.
Re: OpenSSL 1.0.0c released
Victor,

I am still having issues with the default ECDH parameters in 1.0.0c. The key generation with NIST Prime-Curve P-192 crashes.

    static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
    {
        int i;
        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
        for (i = (top); i != 0; i--)
            *_tmp1++ = *_tmp2++;   // There is a problem here
    }

Marcus

----- Original Message -----
From: Victor Duchovni victor.ducho...@morganstanley.com
To: openssl-users@openssl.org
Sent: Friday, December 03, 2010 8:06 AM
Subject: Re: OpenSSL 1.0.0c released
OpenSSL 1.0.0c released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   OpenSSL version 1.0.0c released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.0c of our open source toolkit for SSL/TLS. This new
   OpenSSL version is a security and bugfix release. For a complete
   list of changes, please see
   http://www.openssl.org/source/exp/CHANGES.

   The most significant changes are:

      o Fix for security issue CVE-2010-4180
      o Fix for CVE-2010-4252
      o Fix mishandling of absent EC point format extension.
      o Fix various platform compilation issues.
      o Corrected fix for security issue CVE-2010-3864.

   We consider OpenSSL 1.0.0c to be the best version of OpenSSL available
   and we strongly recommend that users of older versions upgrade as
   soon as possible.

   OpenSSL 1.0.0c is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

     * http://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

     o openssl-1.0.0c.tar.gz
       Size: 4023056
       MD5 checksum: ff8fb85610aef328315a9decbb2712e4
       SHA1 checksum: 5a2d74fa7fe90c80915332404b9700044ef676a1

   The checksums were calculated using the following commands:

     openssl md5 openssl-1.0.0c.tar.gz
     openssl sha1 openssl-1.0.0c.tar.gz

   Yours,

   The OpenSSL Project Team...

     Mark J. Cox             Nils Larsch         Ulf Möller
     Ralf S. Engelschall     Ben Laurie          Andy Polyakov
     Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
     Lutz Jänicke            Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTPfvOKLSm3vylcdZAQK5YQf/Tt5WULaVRNZJZiukBVsASX3qyZm7ksst
VAC59VbpQAO2dA2XdSSy21JoGlevIboneEXhDVC/33wEETIucs8S19XEcrQGPDG5
Wfyek79CKxJe2K4yTaWtw8JbSz2XDyMD5yYBdgAaHl81et2F/0Vpd3FS4UWKkFSO
6ezgELdIwC45PWq70cQ2FJDV4U3xs7cVOQdObjcKTAZ5m5uj/qpUs2Zw69tfOpOp
xf+TlOMXdIgBNBY9QN//wsUcLwplVUF0J30S4Wej1Or9tTi2npiJ7Wbpq5HH3ho0
g+IuVqXVVvyYyfUgLFka2f1ZGLvBIIFVF7T56nSaVMMdX0/+D/4QZg==
=yMGM
-----END PGP SIGNATURE-----
RE: OpenSSL 1.0.0c released
Can someone point to details on CVE-2010-4180 and CVE-2010-4252? CVE-2010-3864 was the reason 1.0.0b was released, but I cannot find any references to the other two.

Erik Tkal
Juniper OAC/UAC/Pulse Development

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of OpenSSL
Sent: Thursday, December 02, 2010 2:17 PM
To: openssl-annou...@master.openssl.org; openssl-...@master.openssl.org; openssl-us...@master.openssl.org
Subject: OpenSSL 1.0.0c released
Re: OpenSSL 1.0.0c released
On Thu, Dec 02, 2010, Erik Tkal wrote:

> Can someone point to details on CVE-2010-4180 and CVE-2010-4252? CVE-2010-3864 was the reason 1.0.0b was released, but I cannot find any references to the other two.

http://www.openssl.org/news/secadv_20101202.txt

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: OpenSSL 1.0.0c released
http://www.openssl.org/news/secadv_20101202.txt

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 12/2/2010 9:03 PM, Erik Tkal wrote:
> Can someone point to details on CVE-2010-4180 and CVE-2010-4252? CVE-2010-3864 was the reason 1.0.0b was released, but I cannot find any references to the other two.
>
> Erik Tkal
> Juniper OAC/UAC/Pulse Development
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of OpenSSL
> Sent: Thursday, December 02, 2010 2:17 PM
> To: openssl-annou...@master.openssl.org; openssl-...@master.openssl.org; openssl-us...@master.openssl.org
> Subject: OpenSSL 1.0.0c released
Re: OpenSSL 1.0.0c released
On Thu, Dec 02, 2010 at 03:03:02PM -0500, Erik Tkal wrote:

> Can someone point to details on CVE-2010-4180 and CVE-2010-4252? CVE-2010-3864 was the reason 1.0.0b was released, but I cannot find any references to the other two.

1.0.0c contains important non-security bug fixes for 1.0.0b, so you should deploy 1.0.0c anyway.

- 4252 is only of interest if you enabled the experimental JPAKE support. It is off by default.

- 4180 resolves a ciphersuite downgrade attack for applications that use SSL_OP_ALL and thereby enable a work-around for Netscape 2.01, which is disabled in the 1.0.0c release as it creates the cipher downgrade risk.

--
	Viktor.
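The two Viktor messages in this thread (deploy 1.0.0c shared libraries in place of 1.0.0a, and deploy 1.0.0c anyway because of the 1.0.0b regressions) reduce to one deployment rule: any 1.0.0-series build older than 1.0.0c should be replaced. The script below is an added example written for this page, not code from the thread or from the OpenSSL project. It assumes that `openssl version` prints "OpenSSL <major.minor.fix><letter> ..." as the 1.0.0 series does, and that patch letters sort a < b < c; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): gate a
# deployment on whether the installed OpenSSL predates 1.0.0c.
# Assumes `openssl version` output of the form "OpenSSL 1.0.0c 2 Dec 2010"
# (constructed sample) and that patch letters sort a < b < c.

# Map a version string to one sortable integer: the dotted release, then the
# patch letter's position in the alphabet (0 when there is no letter), so that
# 1.0.0 < 1.0.0a < 1.0.0b < 1.0.0c < 1.0.1. Prints nothing if no version is found.
version_key() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+[a-z]?/) {
            v = substr($0, RSTART, RLENGTH)
            letter = 0
            if (v ~ /[a-z]$/) {
                letter = index("abcdefghijklmnopqrstuvwxyz", substr(v, length(v)))
                v = substr(v, 1, length(v) - 1)
            }
            split(v, p, ".")
            printf "%d\n", ((p[1] * 1000 + p[2]) * 1000 + p[3]) * 100 + letter
            exit
        }'
}

# Exit 0 when the given `openssl version` output is older than 1.0.0c,
# 1 when it is 1.0.0c or newer, 2 when the string carries no version at all.
needs_upgrade() {
    have=$(version_key "$1")
    [ -n "$have" ] || return 2
    want=$(version_key "OpenSSL 1.0.0c")
    [ "$have" -lt "$want" ]
}

# Report on the installed build when an openssl binary is on the PATH.
# The functions above do not depend on this block; it only prints.
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version 2>/dev/null)
    if needs_upgrade "$installed"; then
        echo "$installed: older than 1.0.0c, upgrade recommended"
    else
        echo "$installed: 1.0.0c or newer"
    fi
fi
```

Run it on each host that carries the shared libraries before swapping them in; the exit status of `needs_upgrade` is what a deployment job would branch on, and the letter-aware key is what keeps 1.0.0b from being mistaken for a newer build than 1.0.0c.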