ANNOUNCE: OpenSSL 0.9.2b released
OpenSSL version 0.9.2b released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.2b of our open source toolkit for SSL/TLS. This new OpenSSL version incorporates over 130 changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES). The most significant changes are:

  o Fixed a security hole related to session resumption
  o Fixed RSA encryption routines for the p < q case
  o "ALL" in cipher lists now means "everything except NULL ciphers"
  o Support for Triple-DES CBCM cipher
  o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA
  o First support for new TLSv1 ciphers
  o Added a few new BIOs (syslog BIO, reliable BIO)
  o Extended support for DSA certificate/keys.
  o Extended support for Certificate Signing Requests (CSR)
  o Initial support for X.509v3 extensions
  o Extended support for compression inside the SSL record layer
  o Overhauled Win32 builds
  o Cleanups and fixes to the Big Number (BN) library
  o Support for ASN.1 GeneralizedTime
  o Split ASN.1 SETs from SEQUENCEs
  o ASN1 and PEM support for Netscape Certificate Sequences
  o Overhauled Perl interface
  o Lots of source tree cleanups.
  o Lots of memory leak fixes.
  o Lots of bug fixes.

We consider OpenSSL 0.9.2b to be the best version of OpenSSL available and we strongly recommend that users of older versions, especially of old SSLeay versions, upgrade as soon as possible.

OpenSSL 0.9.2b is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
ANNOUNCE: OpenSSL 0.9.4
OpenSSL version 0.9.4 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.4 of our open source toolkit for SSL/TLS. This new OpenSSL version incorporates over 50 changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES). The most significant changes are:

  o Transparent support for PKCS#8 format private keys: these are used by several software packages and are more secure than the standard form
  o PKCS#5 v2.0 implementation
  o Password callbacks have a new ``void *'' argument for application data
  o Avoid various memory leaks
  o New pipe-like BIO that allows using the SSL library when actual I/O must be handled by the application (BIO pair)

We consider OpenSSL 0.9.4 to be the best version of OpenSSL available and we strongly recommend that users of older versions, especially of old SSLeay versions, upgrade as soon as possible.

OpenSSL 0.9.4 is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Ben Laurie          Andy Polyakov
  Ralf S. Engelschall   Bodo Moeller        Holger Reif
  Dr. Stephen Henson    Ulf Moeller         Paul C. Sutton
OpenSSL version 0.9.8e and 0.9.7m released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8e and 0.9.7m released
==========================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8e of our open source toolkit for SSL/TLS. This new OpenSSL version is a feature and bugfix release and incorporates enhancements and bugfixes to the toolkit. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

The 0.9.8e release includes RFC3779 support and several cipher selection bugfixes.

We also release 0.9.7m, which is the first full release of OpenSSL which can be linked against the validated FIPS 1.1.1 module.

We consider OpenSSL 0.9.8e to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 0.9.8e is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

For those who want or have to stay with the 0.9.7 series of OpenSSL, we strongly recommend that you upgrade to OpenSSL 0.9.7m as soon as possible. It's available in the same location as 0.9.8e.

The distribution file names are:

  o openssl-0.9.8e.tar.gz
    MD5 checksum: 3a7ff24f6ea5cd711984722ad654b927
    SHA1 checksum: b429872d2a287714ab37e42296e6a5fbe23d32ff
  o openssl-0.9.7m.tar.gz
    MD5 checksum: 74a4d1b87e1e6e1ec95dbe58cb4c5b9a
    SHA1 checksum: 546f6bcebdf72a633bad087469d3741a42f7b383

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.*.tar.gz
  openssl sha1 openssl-0.9.*.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Nils Larsch         Ulf Möller
  Ralf S. Engelschall   Ben Laurie          Andy Polyakov
  Dr. Stephen Henson    Richard Levitte     Geoff Thorpe
  Lutz Jänicke          Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBRd7loKLSm3vylcdZAQId2AgAlHAyHW6ItIicPYMJ9QXY51O42sXZlDxz
fIlNHqKBZH3soo1+aRZkiJVSTKGW2f0fBzySW+TqupzFGNQrPOUVdH1QNlLAUB8X
25IgSDXg3rr9uQTHDB2eD7PgXftQJwGki2dFocJO0hKHt7DAQhkMHSsAvjrsP56F
4CXK+Qmkto3iJmIkMG0AQ3Z0IMvT6K/pCdPCuxL3xylouBa9r0D+VN/XDiIBDdTo
/SsB+5NMPX3GuigaUE4Yu9RGak8kSVQK1oSk4xOT2XxqRXV9dOJ2IikBRZ4V/xRZ
bH4y8N8vWLaZ2RXHFg0mkAZp6Hzn8BO9rZleHsHV8tzgoN6XZ1n5KA==
=l4Se
-----END PGP SIGNATURE-----
OpenSSL FIPS 140-2 validation
Good news for developers and vendors of software for the U.S. and Canadian government market where FIPS 140-2 validated cryptography is required.

The "OpenSSL FIPS Object Module", a software component compatible with the OpenSSL API, has been FIPS 140-2 validated (see certificate #1051 and Security Policy document at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm). The source distribution that generates this validated module is at http://www.openssl.org/source/openssl-fips-1.2.tar.gz.

This validation means that the referenced source distribution can be used to create a binary module on a wide range of platforms, in a form compatible with OpenSSL 0.9.8, for enabling FIPS 140-2 validated cryptography in applications.

Please see the Security Policy document for details on how to create a validated module for your platform and application. Other supporting information will be made available at http://www.openssl.org/docs/fips/
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [25-Mar-2009]

Three moderate severity security flaws have been fixed in OpenSSL 0.9.8k.

ASN1 printing crash
===================

The function ASN1_STRING_print_ex() when used to print a BMPString or UniversalString will crash with an invalid memory access if the encoded length of the string is illegal. (CVE-2009-0590)

Any OpenSSL application which prints out the contents of a certificate could be affected by this bug, including SSL servers, clients and S/MIME software.

Users of OpenSSL 0.9.8j or earlier should update to 0.9.8k which contains a patch to correct this issue.

Incorrect Error Checking During CMS verification.
=================================================

The function CMS_verify() does not correctly handle an error condition involving malformed signed attributes. This will cause an invalid set of signed attributes to appear valid and content digests will not be checked. (CVE-2009-0591)

These malformed attributes cannot be generated without access to the signer's private key so an attacker cannot forge signatures. A valid signer could however generate an invalid signature which appears valid and later repudiate the signature.

The older PKCS#7 code is not affected.

This issue only affects CMS users: CMS is only present in OpenSSL 0.9.8h and later where it is disabled by default and 0.9.9-dev. Users of OpenSSL CMS code should update to 0.9.8k which contains a patch to correct this issue.

Thanks to Ivan Nestlerode of IBM for reporting this issue.

Invalid ASN1 clearing check
===========================

When a malformed ASN1 structure is received its contents are freed up and zeroed and an error condition returned. On a small number of platforms where sizeof(long) < sizeof(void *) (for example WIN64) this can cause an invalid memory access later resulting in a crash when some invalid structures are read, for example RSA public keys (CVE-2009-0789).

Any OpenSSL application which uses the public key of an untrusted certificate could be crashed by a malformed structure, including SSL servers, clients, CA and S/MIME software.

Users of OpenSSL 0.9.8j or earlier on affected platforms should update to 0.9.8k which contains a patch to correct this issue.

Thanks to Paolo Ganci for reporting this issue.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20090325.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBSconRqLSm3vylcdZAQJbiQf/U5sG7gUyWfN3P9/v4OkjSogaQmaiEv68
kQa6fCCuI3vz+fpVIV8xIrcm8n670i3OdBWzfVmJcgK1gzzAaOc+IYod/EQtB0IR
E3Y4UOdNeBvgOP3a5PxrLPaAcFDDO8eUOeZ7s+VGhlbwPb5SrJwnozzt43BIsKD0
SAX7VC7nAnq9aYdfJme16NHwinsfPPIPZNRNTMMQFOpRGPy1OPJCivuzrfOQvgE+
d68lGzHpZrFpSwhZ2izk6dOKxuWkJnBNSMDqKofp8dknwRsd9ObVvYyrLpRpe+FC
mxzFMh3EtL0TiICos89KXfAfuXwxjmPgfLCdM139y/X2yCgCdZkSKw==
=F7S6
-----END PGP SIGNATURE-----
OpenSSL version 0.9.8k release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8k released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8k of our open source toolkit for SSL/TLS. This new OpenSSL version is a moderate security and bugfix release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

We consider OpenSSL 0.9.8k to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 0.9.8k is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file names are:

  o openssl-0.9.8k.tar.gz
    Size: 3852259
    MD5 checksum: e555c6d58d276aec7fdc53363e338ab3
    SHA1 checksum: 3ba079f91d3c1ec90a36dcd1d43857165035703f

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.*.tar.gz
  openssl sha1 openssl-0.9.*.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Nils Larsch         Ulf Möller
  Ralf S. Engelschall   Ben Laurie          Andy Polyakov
  Dr. Stephen Henson    Richard Levitte     Geoff Thorpe
  Lutz Jänicke          Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBScox0aLSm3vylcdZAQIOMQgAoVI3UZyTsB9+s2eSIEwp3rJWi53ID4Bo
BKLYAkFx8L4Le+5YjoTywhqULdA1ugY3502+s2qAJLHLt4WmC4hdnuzaIvhtkakQ
cW1o59MQ3dVUHqYsBh8CuDUBQj26zxow/10g6QQwObpzBOIMIa4p3Rto0Ktd2N+D
W7+Dt07TFl9h+1TzMTktKymqInszu8DD/Sax3NUHhYZX12Dv6JzNQ7qUHKodeas1
WudvjYDUx9KQpcBQXJPHsqfQjehey/+mIn3rvoOZMcCckVbODIiaosapnaVMUcM2
jCYgRXdTrRmZiARTbUKpD5ZzRramSXCTjop+n4KDcBHFfsUXMskN4A==
=7b3u
-----END PGP SIGNATURE-----
OpenSSL 1.0.0 beta 1 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.0 Beta 1
============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The first beta is now released.

The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-1.0.0-beta1.tar.gz
    MD5 checksum: 49f265d9dd8dc011788b34768f63313e
    SHA1 checksum: 89b4490b6091b496042b5fe9a2c8a9015326e446

The checksums were calculated using the following command:

  openssl md5 < openssl-1.0.0-beta1.tar.gz
  openssl sha1 < openssl-1.0.0-beta1.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 107 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

Reports and patches should be sent to openssl-b...@openssl.org. Discussions around the development of OpenSSL should be sent to openssl-...@openssl.org. Anything else should go to openssl-us...@openssl.org.

The best way, at least on Unix, to create a report is to do the following after configuration:

  make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Oh and to those who have noticed the date... the joke is that it isn't a joke.

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Ben Laurie          Andy Polyakov
  Ralf S. Engelschall   Richard Levitte     Geoff Thorpe
  Dr. Stephen Henson    Bodo Möller         Ulf Möller
  Lutz Jänicke          Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBSdNEV6LSm3vylcdZAQIc4gf+Ki9AQzfwES4Up5QRKJCONzIvgIzHpajQ
laGz0L6QQXcMrSrLxubSMfYnnXqX/BfY67C28dLaefEK9xygZMxvbS5d56hm3+3m
SWLWXqHsCrxp4LWm3Kr7senmhBl06LCTYX1AC2VP0ph/UfouQPu15UkuMCt6eDV7
SEUkYDk6TA8Wr7C0nMHnTOQdqx6r/N7OnPEaCCWkMzsMC5KxTkCP9/SGrDam29dt
xV6P5+AntSgNbr9tXYAiQHgMvut9o1O8pTaGdlv2TJ/Ua2ynvmd8hsaO7Ptl3Tpt
Bkaghk+rV3qZgLzWAiHjeebEWyXTSGvMPKM6r5mi8vrqjfbSF4zUKA==
=qESg
-----END PGP SIGNATURE-----
OpenSSL 1.0.0 beta 2 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.0 Beta 2
============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The second beta is now released.

The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-1.0.0-beta2.tar.gz
    MD5 checksum: 34fb6c357580e9b2ce012c266304c88f
    SHA1 checksum: feaa7cca750d35c5674b0b5229268b63a52fea91

The checksums were calculated using the following command:

  openssl md5 < openssl-1.0.0-beta2.tar.gz
  openssl sha1 < openssl-1.0.0-beta2.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 107 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

Since the first beta, the following has happened:

  - Numerous DTLS fixes.
  - SSL_shutdown() non blocking I/O fix.
  - PKCS12_parse() robustness fix.
  - Updated documents, fixed typos.
  - Disable SSLv2 by default.
  - Other bug fixes.

Reports and patches should be sent to openssl-b...@openssl.org. Discussions around the development of OpenSSL should be sent to openssl-...@openssl.org. Anything else should go to openssl-us...@openssl.org.

The best way, at least on Unix, to create a report is to do the following after configuration:

  make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Ben Laurie          Andy Polyakov
  Ralf S. Engelschall   Richard Levitte     Geoff Thorpe
  Dr. Stephen Henson    Bodo Möller         Ulf Möller
  Lutz Jänicke          Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSe4BDaLSm3vylcdZAQKpYwf/ZvzmcWPxKB2gttkqqotnBR/B+HGGi0h1
RivLE9Ft6O9P3fxSPzhB8/9+7yeWAC7Dxr9+2QNUgqE97ijn9Vk/Gt9wABjC1KRs
+JWA3ZXmaza3OzSwf8ZfcWtLr+3b8L4e5Ys187pdftiNFJmzfwOpXYTTf3P+y6Qj
k+ISqeiN9xTIqWKFP3WHo1r+FS2mxRDDqMWNoW6idvu+1vs4diJmgubaTt6EsMbE
V4j6ej7pCaaSgMhfMOhQv6fvpXPIudOk8/hRMjhFhSd0sUMwAziggLGzwXzuPZ5t
wbteU8a7OcZ1JMcnsYUdmgr1Yt0Efwvgc+CbnZbo/qlEK6it/4pO+w==
=N05j
-----END PGP SIGNATURE-----
OpenSSL 1.0.0 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.0 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0 of our open source toolkit for SSL/TLS. This new OpenSSL version is a major release and incorporates many new features as well as major fixes compared to 0.9.8n. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES . The most significant changes are:

  o RFC3280 path validation: sufficient to process PKITS tests.
  o Integrated support for PVK files and keyblobs.
  o Change default private key format to PKCS#8.
  o CMS support: able to process all examples in RFC4134
  o Streaming ASN1 encode support for PKCS#7 and CMS.
  o Multiple signer and signer add support for PKCS#7 and CMS.
  o ASN1 printing support.
  o Whirlpool hash algorithm added.
  o RFC3161 time stamp support.
  o New generalised public key API supporting ENGINE based algorithms.
  o New generalised public key API utilities.
  o New ENGINE supporting GOST algorithms.
  o SSL/TLS GOST ciphersuite support.
  o PKCS#7 and CMS GOST support.
  o RFC4279 PSK ciphersuite support.
  o Supported points format extension for ECC ciphersuites.
  o ecdsa-with-SHA224/256/384/512 signature types.
  o dsa-with-SHA224 and dsa-with-SHA256 signature types.
  o Opaque PRF Input TLS extension support.
  o Updated time routines to avoid OS limitations.

We consider OpenSSL 1.0.0 to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 1.0.0 is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0.tar.gz
    Size: 4010166
    MD5 checksum: 89eaa86e25b2845f920ec00ae4c864ed
    SHA1 checksum: 3f800ea9fa3da1c0f576d689be7dca3d55a4cb62

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.0.tar.gz
  openssl sha1 openssl-1.0.0.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Nils Larsch         Ulf Möller
  Ralf S. Engelschall   Ben Laurie          Andy Polyakov
  Dr. Stephen Henson    Richard Levitte     Geoff Thorpe
  Lutz Jänicke          Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBS7C22aLSm3vylcdZAQI6TggAxWKuZFWcdtoBIfJpvHbdVlVJUe2O4tO7
+wHqMRANGZLx+io2KXxe1s3/qaKTOtlhP44jTDSRFxn418RLlZ4VS/I/mlKbEd7s
tFgT34z8u8Et6oj5OwN8XbzwvkEGv+Ytf15Oub9DLa6doQ0xehaIKn+BHuDUeZup
IVQkkAplKOMV77rfCZQWcApWVOPs6d0tP7F4uWHUNElzVFF6U2G38qKymJEIotUk
a9kH7uS1EXFz0j4Fm7oVbE8tvrDQJa71Odtvt3N++Qppd+e5OgnU9klh7fnZ78Ae
APfz3vPBLhItyGnpeBNwppFcKiPtG9M6Bthw+AsGVnsDiieHdHmGTg==
=Wfex
-----END PGP SIGNATURE-----
OpenSSL 1.0.0a released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.0a released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0a of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which addresses CVE-2010-1633 and CVE-2010-0742. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

We consider OpenSSL 1.0.0a to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 1.0.0a is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0a.tar.gz
    Size: 4015794
    MD5 checksum: e3873edfffc783624cfbdb65e2249cbd
    SHA1 checksum: b837a9f75a51f456bd533690cf04d3d5714812dc

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.*.tar.gz
  openssl sha1 openssl-1.0.*.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Nils Larsch         Ulf Möller
  Ralf S. Engelschall   Ben Laurie          Andy Polyakov
  Dr. Stephen Henson    Richard Levitte     Geoff Thorpe
  Lutz Jänicke          Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBTAUWhKLSm3vylcdZAQIdhQgAgVHx3vHjvQbWl4jeOuIC9pJ6sv+0/8ih
AK7+FHRi4RL7IfxDG09RYfIlXVgJtGJPjekg8ZfaKiRpK4N9GcGfXYDORC12tMAE
wQv9BMvPGqGI3+Pp5eCY2hCyjZCnHsxSvYulKE5WnjD3VJQAtwd+czv3+ToxJ3o1
r9Haj0cRLFDKKzzqYmmm6NfGs8NuZLIQ3Vu2z3O2c3yW8v0yYuTcKYDysLtWsipY
pNId06ygM2DL3lIfO5gJSGWV3m9qZzmr4WCBR4qyMcEPMlAiUOxW199tfL4a2L1l
4czRsds7gAKyj7ruJPm+Y0/VQCTt3M8Li4+Z3MQ++Be8/qRmIxC/aw==
=fgq3
-----END PGP SIGNATURE-----
OpenSSL 0.9.8o released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8o released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8o of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which addresses CVE-2010-0742. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

We consider OpenSSL 0.9.8o to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 1.0.0a is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-0.9.8o.tar.gz
    Size: 3772542
    MD5 checksum: 63ddc5116488985e820075e65fbe6aa4
    SHA1 checksum: 80c73afc7dca790cd26936cb392a4dfd14d4e4d7

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.*.tar.gz
  openssl sha1 openssl-0.9.*.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Nils Larsch         Ulf Möller
  Ralf S. Engelschall   Ben Laurie          Andy Polyakov
  Dr. Stephen Henson    Richard Levitte     Geoff Thorpe
  Lutz Jänicke          Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBTAUjJaLSm3vylcdZAQJjEwf/bzp8+qgnef13+LPMHOayDn4+q880pfhI
Ao7kC62xdUr0K3JBetneCNylQQexMg5sgT4KmKqfJo9eit0OdqKG/NOdDN+PMPpQ
nXByj1PCJAXeYJkr6OPK5LiK30dVxLUufj7NYGfr01SvqOVLucynX9zRwSgEjDGm
9E+FqI19Nkdul6oNRzTVl4e4VOmAAbcqlVl2qbm6P2IGsfUsQt/cjcAADTKwLc2X
0gHKYzQ4O2CzVPqjbGlhzesbggRUKD4FXlSHGSa9ftO6QSOUBY/+VvaGFTax+Bim
AZrW/5jAMZzwRx+DjzqPGV5Mmq7B/WHgYQ8O5VJaHMsekAj6dO1JMw==
=VGZO
-----END PGP SIGNATURE-----
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [16 November 2010]

TLS extension parsing race condition.
=====================================

A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack.

The OpenSSL security team would like to thank Rob Hulswit for reporting this issue.

The fix was developed by Dr Stephen Henson of the OpenSSL core team.

This vulnerability is tracked as CVE-2010-3864

Who is affected?
================

All versions of OpenSSL supporting TLS extensions contain this vulnerability including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, 1.0.0a releases.

Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.

In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected.

Recommendations for users of OpenSSL
====================================

Users of all OpenSSL 0.9.8 releases from 0.9.8f through 0.9.8o should update to the OpenSSL 0.9.8p release which contains a patch to correct this issue.

Users of OpenSSL 1.0.0 and 1.0.0a should update to the OpenSSL 1.0.0b release which contains a patch to correct this issue.

If upgrading is not immediately possible, the relevant source code patch provided in this advisory should be applied.

Patch for OpenSSL 0.9.8 releases
================================

Index: ssl/t1_lib.c
===================================================================
RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v
retrieving revision 1.13.2.27
diff -u -r1.13.2.27 t1_lib.c
- --- ssl/t1_lib.c 12 Jun 2010 13:18:58 - 1.13.2.27
+++ ssl/t1_lib.c15 Nov 2010 15:20:14 -
@@ -432,14 +432,23 @@ switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - - if (s->session->tlsext_hostname == NULL) + if (!s->hit) { - - if (len > TLSEXT_MAXLEN_host_name || - - ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) + if(s->session->tlsext_hostname) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { @@ -452,7 +461,8 @@ } else - - s->servername_done = strlen(s->session->tlsext_hostname) == len + s->servername_done = s->session->tlsext_hostname + && strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break; Patch for OpenSSL 1.0.0 releases ======== Index: ssl/t1_lib.c === RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v retrieving revision 1.64.2.14 diff -u -r1.64.2.14 t1_lib.c - --- ssl/t1_lib.c 15 Jun 2010 17:25:15 - 1.64.2.14 +++ ssl/t1_lib
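Review bot: in the first hunk of the 0.9.8 t1_lib.c patch (@@ -432), the guard change from `if (s->session->tlsext_hostname == NULL)` to `if (!s->hit)` is the substantive fix: under the old condition a server that had just resumed a cached session would allocate and write a hostname into `s->session`, which on resumption is the cached entry and therefore shared state in the multi-threaded, internal-cache configuration the advisory names as affected. Two consequences deserve a line in CHANGES: the new `if(s->session->tlsext_hostname)` check now rejects a server_name extension on a fresh session that already carries a hostname with SSL_AD_DECODE_ERROR, and an OPENSSL_malloc failure now sends TLS1_AD_INTERNAL_ERROR instead of the previous TLS1_AD_UNRECOGNIZED_NAME; both are alerts visible on the wire, so test suites expecting the old alert will need updating.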
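Review bot: the second hunk's (@@ -452) added `s->session->tlsext_hostname &&` short-circuit is required by the first: now that nothing is allocated on resumption, `s->session->tlsext_hostname` can legitimately be NULL in the `else` branch and `strlen()` would otherwise dereference NULL. As written, `servername_done` silently evaluates to 0 for a resumed session that has no stored hostname; a one-line comment stating that this is intended (there is simply no stored server_name to compare against) would keep the next reader from filing it as a bug. Separately, the "Patch for OpenSSL 1.0.0 releases" text is cut off in this copy right after its `+++ ssl/t1_lib` header, so only the 0.9.8 patch is usable from here; 1.0.0 users should take the 1.0.0b release rather than this truncated diff.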
OpenSSL 1.0.0b released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.0b released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0b of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which addresses CVE-2010-3864. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

We consider OpenSSL 1.0.0b to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 1.0.0b is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0b.tar.gz
    Size: 4019360
    MD5 checksum: 104deb3b7e6820cae6de3f49ba0ff2b0
    SHA1 checksum: cccb125b29f2fa209edb114258d22aeca4e871a2

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.*.tar.gz
  openssl sha1 openssl-1.0.*.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Nils Larsch         Ulf Möller
  Ralf S. Engelschall   Ben Laurie          Andy Polyakov
  Dr. Stephen Henson    Richard Levitte     Geoff Thorpe
  Lutz Jänicke          Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEUAwUBTOKiDqLSm3vylcdZAQJwxgf1FDJjm+Y44fA6HCNnD65b6cK1dY5OrCwo
c5EvGwu//zEn6DzxFuwP2zpvX/6p7cMXxBn02ltjSpoky0HqL5A60cH21cdaVnF5
mbt/2gNWO0IJfQhCkr5kg764wAa0JAyyHxNzSLNNFhZSHd6JzVK9w5NLDD335WL7
Tng9J6aA9UeFbFDoI2EyCIaW4aUXNGvYTTrJQPP5g3Vyov7JRQoPIH3XS+7OTztS
5zzAOLu1jOxRQ0RWGIXS+zBt6NuDwm1riqX/y96rlMl2kieJk1SDxI29mZOWX1K1
xRd32oC1Si08AJIBWYU20FiY6JcPU3vaKmSXXl57g+/eJmk0uL4+
=CH5s
-----END PGP SIGNATURE-----
OpenSSL 0.9.8p released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8p released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8p of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which addresses CVE-2010-3864. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

We consider OpenSSL 0.9.8p to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 0.9.8p is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-0.9.8p.tar.gz
    Size: 3772501
    MD5 checksum: 7f24047f70364c9eabc94899e356ce39
    SHA1 checksum: 4ba43f4110432d7518c4f5d7be79077705ae7f16

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.*.tar.gz
  openssl sha1 openssl-0.9.*.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox           Nils Larsch         Ulf Möller
  Ralf S. Engelschall   Ben Laurie          Andy Polyakov
  Dr. Stephen Henson    Richard Levitte     Geoff Thorpe
  Lutz Jänicke          Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTOKrWqLSm3vylcdZAQI9TQgAoOc6MYIpS/f4nSH6YLD4aC91tAHoHLT1
ayU64tK3BmPjPGh3ffxfoaSl8HM/qYiZrsZfzxI+DGHOvNh516eI2Sv0vhzgQVwz
ofCwwgoukJjrV2KWCF1Yjf6rVgRnDYTZJFjRpnR+GH+gnOUZnh23buCmtPDRMJ0h
Tnl1G+tfYL2Wy4jGV9uuh9kA/3y41tD/B1T6sV0WGFvwy6y6yLmQC01QeVe1i09P
1OxjgJtq9S5cbaxMQr9EB5aMJ7YFOaIJjCNDAURT0zO1u/vGRVRMTfFXScfFCzLh
QGYqfRPDuQ1ItM8I1lR3EsaPgrtdhI3Twkl8SUmPhpuhny11gjVSjQ==
=u7Yw
-----END PGP SIGNATURE-----
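Every release mail in this archive publishes MD5 and SHA1 checksums for the tarball together with the `openssl md5` / `openssl sha1` commands that produced them. The script below is an added example, not part of any of the announcements and not OpenSSL project code: it recomputes a digest of a downloaded file and compares it with the published value, exiting non-zero on a mismatch so it can gate an automated build. It assumes the `openssl` command-line tool is installed (falling back to coreutils `md5sum`/`sha1sum` when it is not); the function names `digest_of` and `verify_checksum` are mine.

```shell
#!/bin/sh
# Added example: verify a downloaded OpenSSL tarball against the digest
# published in a release announcement. Not part of the announcements.
# Assumes the `openssl` CLI; falls back to md5sum/sha1sum if absent.

# digest_of ALGO FILE  -> prints the lowercase hex digest of FILE
# ALGO is "md5" or "sha1", the two digests the announcements publish.
digest_of() {
    algo=$1
    file=$2
    if command -v openssl >/dev/null 2>&1; then
        # `openssl dgst -sha1 FILE` prints "SHA1(FILE)= <hex>"; the digest
        # is the last whitespace-separated field.
        openssl dgst -"$algo" "$file" | awk '{print $NF}'
    else
        # coreutils prints "<hex>  FILE"
        "${algo}sum" "$file" | awk '{print $1}'
    fi
}

# verify_checksum ALGO FILE EXPECTED
#   returns 0 when the computed digest equals EXPECTED (case-insensitive),
#   1 on a mismatch, 2 when FILE does not exist.
verify_checksum() {
    algo=$1
    file=$2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_checksum: no such file: $file" >&2
        return 2
    fi
    actual=$(digest_of "$algo" "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $algo $file"
        return 0
    fi
    echo "FAIL $algo $file: expected $expected, got $actual" >&2
    return 1
}

# Usage, with the values published for 0.9.8p above (file must already be
# downloaded into the current directory):
#   verify_checksum sha1 openssl-0.9.8p.tar.gz 4ba43f4110432d7518c4f5d7be79077705ae7f16
#   verify_checksum md5  openssl-0.9.8p.tar.gz 7f24047f70364c9eabc94899e356ce39
```

A digest fetched from the same web page as the tarball only detects a corrupted download; it does not authenticate the release, because whoever can alter the tarball on a mirror can alter the checksum page too. The announcements are PGP-signed for that reason, so the signature on the mail is the value to pin in a build pipeline, with the checksum comparison as the cheap first check.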
OpenSSL security advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [2 December 2010]

OpenSSL Ciphersuite Downgrade Attack
====================================

A flaw has been found in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections.

The OpenSSL security team would like to thank Martin Rex for reporting this issue.

This vulnerability is tracked as CVE-2010-4180

OpenSSL JPAKE validation error
==============================

Sebastian Martini found an error in OpenSSL's J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret. This error is fixed in 1.0.0c. Details of the problem can be found here:

http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf

Note that the OpenSSL Team still consider our implementation of J-PAKE to be experimental and it is not compiled by default.

This issue is tracked as CVE-2010-4252

Who is affected?
================

All versions of OpenSSL contain the ciphersuite downgrade vulnerability. Any OpenSSL based SSL/TLS server is vulnerable if it uses OpenSSL's internal caching mechanisms and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this by using the SSL_OP_ALL option).

Users of OpenSSL 0.9.8j or later who do not enable weak ciphersuites are still vulnerable but the bug has no security implications as the attacker can only change from one strong ciphersuite to another.

All users of OpenSSL's experimental J-PAKE implementation are vulnerable to the J-PAKE validation error.

Recommendations for users of OpenSSL
====================================

Users of all OpenSSL 0.9.8 releases including 0.9.8p should update to the OpenSSL 0.9.8q release which contains a patch to correct this issue. Alternatively do not set the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG and/or SSL_OP_ALL flags.
Users of OpenSSL 1.0.0 releases should update to the OpenSSL 1.0.0c release which contains a patch to correct this issue and also contains a corrected version of the CVE-2010-3864 vulnerability fix.

If upgrading is not immediately possible, the relevant source code patch provided in this advisory should be applied.

Any user of OpenSSL's J-PAKE implementation (which is not compiled in by default) should upgrade to OpenSSL 1.0.0c.

Patch
=====

Index: ssl/s3_clnt.c === RCS file: /v/openssl/cvs/openssl/ssl/s3_clnt.c,v retrieving revision 1.129.2.16 diff -u -r1.129.2.16 s3_clnt.c - --- ssl/s3_clnt.c 10 Oct 2010 12:33:10 - 1.129.2.16 +++ ssl/s3_clnt.c 24 Nov 2010 14:32:37 - @@ -866,8 +866,11 @@ s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { +/* Workaround is now obsolete */ +#if 0 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) +#endif { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); Index: ssl/s3_srvr.c =========== RCS file: /v/openssl/cvs/openssl/ssl/s3_srvr.c,v retrieving revision 1.171.2.22 diff -u -r1.171.2.22 s3_srvr.c - --- ssl/s3_srvr.c 14 Nov 2010 13:50:29 - 1.171.2.22 +++ ssl/s3_srvr.c 24 Nov 2010 14:34:28 - @@ -985,6 +985,10 @@ break; } } +/* Disabled because it can be used in a ciphersuite downgrade + * attack: CVE-2010-4180. + */ +#if 0 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may
@@ -999,6 +1003,7 @@ j = 1; } } +#endif if (j == 0) { /* we need to have the cipher in the cipher

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20101202.txt

URL for updated CVE-2010-3864 Security Advisory:
http://www.openssl.org/news/secadv_20101116-2.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTPfvZ6LSm3vylcdZAQI9Lwf+JT3pzOySPkeMKS+OY19d/teHObhwxeI/
z/gS303F+CUmhQhmi0ueYno6gYfmpzYG/xNA+7dLwVinOjKpwTHNqZVHtLhFgwQm
wZS+vqiPBjzakjTGz0YXrA1uPQG/1ASbVV3C0a9s7nKCsDzYiWJkzFrZiVTzkVat
Y39Z5hTBCwUxssCyJU4VSRGNF4kcHzvbuDeNJDnK0shdz+hgNx2mNb8EFgYDRqbx
ahIMGAKEtpVIn3WgeHL0r6VjG2RFaV1QLPyehAPvU/YjBnbph++PyXq
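Review bot: in the ssl/s3_clnt.c hunk (@@ -866,8 +866,11 @@), wrapping only the line `if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))` in `+#if 0` / `+#endif` leaves the following `{ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); ... }` block as an unconditional compound statement inside `if (s->hit && (s->session->cipher_id != c->id))`. That is the intended result (a client now always rejects a ServerHello that resumes a session under a different cipher), but a bare block left behind by `#if 0` reads like an accident; deleting the line outright would be clearer, and the comment `+/* Workaround is now obsolete */` should cite CVE-2010-4180 the way the server-side comment does, since the option bit stays defined and is still turned on by SSL_OP_ALL.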
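Review bot: the `+#if 0` opened in the ssl/s3_srvr.c hunk at @@ -985,6 +985,10 @@ is only closed by the `+#endif` in the @@ -999,6 +1003,7 @@ hunk, so the disabled region spans two hunks and the reader cannot confirm from this diff alone that `#endif` sits directly after the closing brace of the `if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))` block; the surrounding lines should be checked in the full file. With that block compiled out, its `j = 1;` no longer runs, so a cached cipher that is absent from the client's offered list falls through to `if (j == 0)` ("we need to have the cipher in the cipher list") and the resumption is refused, which is the fix. Missing from the patch: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG remains part of SSL_OP_ALL and is now silently ignored on both client and server, so ssl.h and the SSL_CTX_set_options documentation need a note that the flag is a no-op, and a CHANGES entry referencing CVE-2010-4180 should accompany the change.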
OpenSSL 0.9.8q released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8q released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8q of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

The most significant changes are:

  o Fix for security issue CVE-2010-4180
  o Fix for CVE-2010-4252

We consider OpenSSL 0.9.8q to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 0.9.8q is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-0.9.8q.tar.gz
    Size: 3773961
    MD5 checksum: 80e67291bec9230f03eefb5cfe858998
    SHA1 checksum: 12b6859698ca299fa0cba594686c25d5c01e410d

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.*.tar.gz
  openssl sha1 openssl-0.9.*.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox             Nils Larsch         Ulf Möller
  Ralf S. Engelschall     Ben Laurie          Andy Polyakov
  Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
  Lutz Jänicke            Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTPfvTKLSm3vylcdZAQLHAwf+JYhEMSrAuzj4Eq+cBk1tF0Hmx42/5cMC
PlatQwPSOLUKe0pQ1+f06MxRJEjWp/AHtd+YozAIezmjPGPdr+oawSxpb0qSMFlk
/RYHjndKcroiwoPKdXXBN3U+lMlV4HGwAsndx8fdo40pNKtWZvqIjKGt33Nv+uvO
KnXFpObbOeh40GzLCEL756B4aGI652L5q3WmeGOty0R7YlIvK5bBZx6A8jstdAhw
O04qe2nZECfD+2upEAnDFTBKPTq6WrsI+UwOx9SOYYKdtb97oANhxB3hlxPgTk4b
2EEuE4SZK0s4ih7jj05ZlNUbrEd1ZDXXPVFIA+mSW1TDu0Gsma/nSQ==
=751Y
-----END PGP SIGNATURE-----
OpenSSL 1.0.0c released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.0c released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0c of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

The most significant changes are:

  o Fix for security issue CVE-2010-4180
  o Fix for CVE-2010-4252
  o Fix mishandling of absent EC point format extension.
  o Fix various platform compilation issues.
  o Corrected fix for security issue CVE-2010-3864.

We consider OpenSSL 1.0.0c to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 1.0.0c is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0c.tar.gz
    Size: 4023056
    MD5 checksum: ff8fb85610aef328315a9decbb2712e4
    SHA1 checksum: 5a2d74fa7fe90c80915332404b9700044ef676a1

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.0c.tar.gz
  openssl sha1 openssl-1.0.0c.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox             Nils Larsch         Ulf Möller
  Ralf S. Engelschall     Ben Laurie          Andy Polyakov
  Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
  Lutz Jänicke            Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTPfvOKLSm3vylcdZAQK5YQf/Tt5WULaVRNZJZiukBVsASX3qyZm7ksst
VAC59VbpQAO2dA2XdSSy21JoGlevIboneEXhDVC/33wEETIucs8S19XEcrQGPDG5
Wfyek79CKxJe2K4yTaWtw8JbSz2XDyMD5yYBdgAaHl81et2F/0Vpd3FS4UWKkFSO
6ezgELdIwC45PWq70cQ2FJDV4U3xs7cVOQdObjcKTAZ5m5uj/qpUs2Zw69tfOpOp
xf+TlOMXdIgBNBY9QN//wsUcLwplVUF0J30S4Wej1Or9tTi2npiJ7Wbpq5HH3ho0
g+IuVqXVVvyYyfUgLFka2f1ZGLvBIIFVF7T56nSaVMMdX0/+D/4QZg==
=yMGM
-----END PGP SIGNATURE-----
New Sponsor for OpenSSL - The PSW Group
We are pleased to announce the PSW Group (http://www.psw.net/) as the latest sponsor of the OpenSSL project. The PSW Group joins Opengear as a recent contributor providing significant financial support. The generous support of such sponsors contributes to the continued maintenance and improvement of the OpenSSL product.

The PSW Group and other sponsors are identified on the acknowledgments page, http://openssl.org/support/acknowledgments.html. Some additional sponsors have declined an explicit acknowledgment. Whether publicly identified or not, and in whatever form received (donations or paid sponsorships, software support contracts, paid consulting services, commissioned software development) this support makes OpenSSL possible and helps ensure its continued vitality.

For further information please contact the OpenSSL Software Foundation, http://openssl.org/support/funding/support-contact.html.
OpenSSL version 1.0.0e released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.0e released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0e of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

The most significant changes are:

  o Fix for CRL vulnerability issue CVE-2011-3207
  o Fix for ECDH crashes CVE-2011-3210
  o Protection against EC timing attacks.
  o Support ECDH ciphersuites for certificates using SHA2 algorithms.
  o Various DTLS fixes.

We consider OpenSSL 1.0.0e to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 1.0.0e is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0e.tar.gz
    Size: 4040229
    MD5 checksum: 7040b89c4c58c7a1016c0dfa6e821c86
    SHA1 checksum: 235eb68e5a31b0f7a23bc05f52d7a39c596e2e69

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.0e.tar.gz
  openssl sha1 openssl-1.0.0e.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox             Nils Larsch         Ulf Möller
  Ralf S. Engelschall     Ben Laurie          Andy Polyakov
  Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
  Lutz Jänicke            Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBTmYhdKLSm3vylcdZAQLNKAf/aNREhkHO+IuVjLCHmXfFMn+0WxJE9W9p
Ni0lTfQX04iOmUKYsDVL/YOmrXDoIgl9Q+pZ45FyFKnrDXb9JXfqmDlPzN07f3RB
n1Te8HH3Lk4vovLHBJg0kDXdtCr7JhvX2fuHWY8d736bh/inf7kxqVA45lAAqKej
WkGecK1c5awdxiFnMnPu1EfhVv7I8yfaK7NUz8+UZENQfOnVOS5GXRohzwwP7ZMK
vV1NVh5XSEHeEC3svbuX2n7n9GM+HgfbmdMXmBywcXbZv6kcu9180L90bxxMC3ev
rW49q92R0uliKp5gudhPmGpsxYj1+oF0x8yY4aSxdkWw0xmnVdOX4g==
=dsPy
-----END PGP SIGNATURE-----
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [6 September 2011]

Two security flaws have been fixed in OpenSSL 1.0.0e

CRL verification vulnerability in OpenSSL
=========================================

Under certain circumstances OpenSSL's internal certificate verification routines can incorrectly accept a CRL whose nextUpdate field is in the past. (CVE-2011-3207)

This issue applies to OpenSSL versions 1.0.0 through 1.0.0d. Versions of OpenSSL before 1.0.0 are not affected.

Users of affected versions of OpenSSL should update to the OpenSSL 1.0.0e release, which contains a patch to correct this issue.

Thanks to Kaspar Brand for identifying this bug and suggesting a fix.

TLS ephemeral ECDH crashes in OpenSSL
=====================================

OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and furthermore can crash if a client violates the protocol by sending handshake messages in incorrect order. (CVE-2011-3210)

This issue applies to OpenSSL 0.9.8 through 0.9.8s (experimental "ECCdraft" ciphersuites) and to OpenSSL 1.0.0 through 1.0.0d.

Affected users of OpenSSL should update to the OpenSSL 1.0.0e release, which contains a patch to correct this issue. If you cannot immediately upgrade, we recommend that you disable ephemeral ECDH ciphersuites if you have enabled them.

Thanks to Adam Langley for identifying and fixing this issue.

Which applications are affected
===============================

Applications are only affected by the CRL checking vulnerability if they enable OpenSSL's internal CRL checking, which is off by default, for example by setting the verification flag X509_V_FLAG_CRL_CHECK or X509_V_FLAG_CRL_CHECK_ALL. Applications which use their own custom CRL checking (such as Apache) are not affected.

Only server-side applications that specifically support ephemeral ECDH ciphersuites are affected by the ephemeral ECDH crash bug, and only if ephemeral ECDH ciphersuites are enabled in the configuration. You can check whether an application supports ephemeral ECDH ciphersuites by looking for SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTRL_SET_TMP_ECDH, SSL_CTX_set_tmp_ecdh_callback, SSL_set_tmp_ecdh_callback or SSL_CTRL_SET_TMP_ECDH_CB in the source code.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20110906.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBTmYhWqLSm3vylcdZAQKsnQgAsD+GwbfpXuZyhLNcHrJjTiHgfVWQLiFq
6RupYmgfxPiCrGdSEvp6Uh3Y+bcOOoDXTXujk7T6RTRU4iYiARFkXo8bUtH47dWO
AfwOyMxiM88G9TYj69RUjKNP70j1rEATIz+m4kpnDgmmsodDNsPj56k4gptsoELc
S4Cb4+97uCBv1mkVFgvu71RVXbIwqOMt/vveHUttQQLEcdu2XcUylbMarDaOcZui
e9AjYX3LoqdhPRl2v01tuJf3c8wmNTE+GtsO8hwda6eo8Mu/BAnqtFsiFRVjmJ2M
vgj1Ot/SPQHcpDu7N3V3GY4tdY8iDHWZ5FfbyaoXvzM6guS+o4cDww==
=xfeL
-----END PGP SIGNATURE-----
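The advisory's "which applications are affected" section comes down to two source-level questions: does the code turn on OpenSSL's internal CRL checking, and does it wire up ephemeral ECDH. The script below is an added example (not from the advisory or the OpenSSL project) that answers both by scanning a source tree for exactly the identifiers the advisory lists, matching them as whole identifiers so that SSL_CTX_set_tmp_ecdh_callback is not reported as SSL_CTX_set_tmp_ecdh. The source text in the self-test is constructed.

```python
"""Source-tree scan for the OpenSSL symbols the advisory says indicate exposure."""
import os
import re

# Symbol lists as given in the advisory.
CRL_CHECK_FLAGS = ("X509_V_FLAG_CRL_CHECK", "X509_V_FLAG_CRL_CHECK_ALL")
EPHEMERAL_ECDH_SYMBOLS = (
    "SSL_CTX_set_tmp_ecdh", "SSL_set_tmp_ecdh", "SSL_CTRL_SET_TMP_ECDH",
    "SSL_CTX_set_tmp_ecdh_callback", "SSL_set_tmp_ecdh_callback",
    "SSL_CTRL_SET_TMP_ECDH_CB",
)
SOURCE_SUFFIXES = (".c", ".h", ".cc", ".cpp", ".cxx")


def _pattern(symbols):
    # Longest alternative first, and \b on both sides, so a symbol is only
    # reported when it appears as a complete identifier.
    alts = sorted(symbols, key=len, reverse=True)
    return re.compile(r"\b(" + "|".join(re.escape(s) for s in alts) + r")\b")


def scan_text(text, symbols):
    """Return the set of symbols that occur as whole identifiers in text."""
    return {m.group(1) for m in _pattern(symbols).finditer(text)}


def scan_tree(root):
    """Walk root; return {relative path: {"crl": set, "ecdh": set}} for files with hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            crl = scan_text(text, CRL_CHECK_FLAGS)
            ecdh = scan_text(text, EPHEMERAL_ECDH_SYMBOLS)
            if crl or ecdh:
                hits[os.path.relpath(path, root)] = {"crl": crl, "ecdh": ecdh}
    return hits


def assess(hits):
    """Reduce scan results to the two questions the advisory asks."""
    return {
        "uses_internal_crl_checking": any(h["crl"] for h in hits.values()),
        "supports_ephemeral_ecdh": any(h["ecdh"] for h in hits.values()),
    }


if __name__ == "__main__":
    import sys
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, h in sorted(found.items()):
        print(path, sorted(h["crl"] | h["ecdh"]))
    print(assess(found))
```

A hit means the code can enable the feature, not that it is enabled at runtime: the verify flags may be applied through X509_VERIFY_PARAM or a command-line option, and ephemeral ECDH also needs the corresponding ciphersuites in the cipher list, so treat the scan as triage and confirm against the deployed configuration.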
OpenSSL 1.0.1 beta 1 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.1 Beta 1
============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The first beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-1.0.1-beta1.tar.gz
    Size: 4445727
    MD5 checksum: 2501e8caf6724c5ad747ac0d6df00c3d
    SHA1 checksum: a97fd63356a787e9ddc9f157ce4b964459a41f40

The checksums were calculated using the following command:

  openssl md5 < openssl-1.0.1-beta1.tar.gz
  openssl sha1 < openssl-1.0.1-beta1.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 52 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES). Also check the latest snapshots at ftp://ftp.openssl.org/snapshot/ or CVS (see http://www.openssl.org/source/repos.html) to avoid reporting previously fixed bugs.

Reports and patches should be sent to openssl-b...@openssl.org. Discussions around the development of OpenSSL should be sent to openssl-...@openssl.org. Anything else should go to openssl-us...@openssl.org.

The best way, at least on Unix, to create a report is to do the following after configuration:

  make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

  Mark J. Cox             Ben Laurie          Andy Polyakov
  Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
  Dr. Stephen Henson      Bodo Möller         Ulf Möller
  Lutz Jänicke            Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBTwMMMKLSm3vylcdZAQIx4Qf8DULWe5abAiYw1s7Eu1bcC84ffEbtxvo7
qdnz1PWs2RXYFl47jH+B8BA45cJp4WylDhk3KLgkOpEKJk0xHkmPc0Al3vCzRcFg
+XzSyQ6lrUrw3b8s3hL8wA91brRF7LLrnmv/0KArh7Mmh5GilSwSHlrLCC/NL9vG
0rEmURWAMTfDpcRd3wlC7Jh3Uev5N9pjFMWorZcIlX/rCBy9xwTnulO6MmU9Vr03
2WHu5ZEeqdoFraryCGRFBMhb0IV7BKus5X/wTQl1amA3cTL8tUV6yCyg5FwCdL/e
GHKa/KA9He3/M6Ab4RjBlE6Hduy2ui1rR6f9g5+ZSWhsP8aXqxCmPg==
=tftU
-----END PGP SIGNATURE-----
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [04 Jan 2012]
=======================================

Six security flaws have been fixed in OpenSSL 1.0.0f and 0.9.8s.

DTLS Plaintext Recovery Attack (CVE-2011-4108)
==============================================

Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing. A research paper describing this attack can be found at http://www.isg.rhul.ac.uk/~kp/dtls.pdf

Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann and Michael Tuexen for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s.

Double-free in Policy Checks (CVE-2011-4109)
============================================

If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy check failure can lead to a double-free. The bug does not occur unless this flag is set. Users of OpenSSL 1.0.0 are not affected.

This flaw was discovered by Ben Laurie and a fix provided by Emilia Kasper of Google.

Affected users should upgrade to OpenSSL 0.9.8s.

Uninitialized SSL 3.0 Padding (CVE-2011-4576)
=============================================

OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the bytes used as block cipher padding in SSL 3.0 records. This affects both clients and servers that accept SSL 3.0 handshakes: those that call SSL_CTX_new with SSLv3_{server|client}_method or SSLv23_{server|client}_method. It does not affect TLS.

As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory.

However, in practice, most deployments do not use SSL_MODE_RELEASE_BUFFERS and therefore have a single write buffer per connection. That write buffer is partially filled with non-sensitive, handshake data at the beginning of the connection and, thereafter, only records which are longer than any previously sent record leak any non-encrypted data. This, combined with the small number of bytes leaked per record, serves to limit the severity of this issue.

Thanks to Adam Langley for identifying and fixing this issue.

Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s.

Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
====================================================================

RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack.

Note, however, that in the standard release of OpenSSL, RFC 3779 support is disabled by default, and in this case OpenSSL is not vulnerable. Builds of OpenSSL are vulnerable if configured with "enable-rfc3779".

Thanks to Andrew Chi, BBN Technologies, for discovering the flaw, and Rob Austein for fixing it.

Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s.

SGC Restart DoS Attack (CVE-2011-4619)
======================================

Support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack.

Thanks to Adam Langley for identifying and fixing this issue.

Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s.

Invalid GOST parameters DoS Attack (CVE-2012-0027)
==================================================

A malicious TLS client can send an invalid set of GOST parameters which will cause the server to crash due to lack of error checking. This could be used in a denial-of-service attack. Only users of the OpenSSL GOST ENGINE are affected by this bug.

Thanks to Andrey Kulikov for identifying and fixing this issue.

Affected users should upgrade to OpenSSL 1.0.0f.
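The SSL 3.0 padding item is easy to misread as a protocol subtlety, when it is an ordinary uninitialized-memory bug in record assembly. The following is an added Python model (a simplification, not OpenSSL's record layer and not from the advisory) of how a CBC record is laid out in a reused write buffer. The leaky builder writes the payload and the pad-length byte but never touches the pad bytes between them, so whatever the buffer held before goes out encrypted; the fixed builder clears them. With a 16-byte block that is at most 15 bytes per record, the figure the advisory gives. All buffers and payloads are constructed.

```python
"""Model of the SSL 3.0 CBC padding construction behind CVE-2011-4576."""
BLOCK = 16  # cipher block size; the pad is 0..15 bytes plus one length byte


def pad_length(payload_len, block=BLOCK):
    """SSL 3.0: payload + pad + 1 length byte must fill whole blocks."""
    return (block - (payload_len + 1) % block) % block


def build_record_leaky(buf, payload, block=BLOCK):
    """Pre-fix behaviour: copy the payload, write the pad-length byte, and leave
    the pad bytes in between untouched. The SSL 3.0 receiver does not check the
    pad bytes' values, so whatever the buffer already held goes out encrypted."""
    n, p = len(payload), pad_length(len(payload), block)
    total = n + p + 1
    if total > len(buf):
        raise ValueError("write buffer too small")
    buf[:n] = payload
    # buf[n:n + p] deliberately not written: stale bytes from the buffer's past use
    buf[n + p] = p
    return bytes(buf[:total])


def build_record_fixed(buf, payload, block=BLOCK):
    """Post-fix behaviour: clear the pad bytes before the record is encrypted."""
    n, p = len(payload), pad_length(len(payload), block)
    total = n + p + 1
    if total > len(buf):
        raise ValueError("write buffer too small")
    buf[:n] = payload
    buf[n:n + p] = bytes(p)          # zero-filled pad
    buf[n + p] = p
    return bytes(buf[:total])


def pad_bytes(record, payload_len):
    """The pad bytes of a plaintext record: what the peer sees after decryption."""
    p = record[-1]
    return record[payload_len:payload_len + p]


def demo():
    """Build the same 16-byte record in a buffer holding leftover data, both ways.
    Returns (pad bytes sent by the leaky builder, pad bytes sent by the fixed one)."""
    # Constructed buffer contents standing in for earlier data in a reused write buffer.
    stale = bytearray(b"0123456789abcdef" + b"SECRET-OLD-DATA!" + bytes(32))
    leaky = build_record_leaky(bytearray(stale), b"GET / HTTP/1.0\r\n")
    fixed = build_record_fixed(bytearray(stale), b"GET / HTTP/1.0\r\n")
    return pad_bytes(leaky, 16), pad_bytes(fixed, 16)
```

The model also shows why the advisory's mitigating remark holds: a later record no longer than an earlier one overwrites the pad region with its own payload before the pad is placed, so only a record longer than any previous one reaches buffer bytes that were never written by this connection.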
References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120104.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBTwSwVqLSm3vylcdZAQL8nwgAtNob9cIjI0SlNW1sLrlzP9bLPpNV9o6p
+sD9jIMBKsoMZcB9ANMMgcu6bMAz5Hm+7//ff35WJP9oDN4vYnw/cAzXuj8+dclm
qQLs9jR+qkyDtjh4Oiyabvjsq7uAgEp7D88pgFK+PF+0TRaH/2hyZgGNlg1JOrNR
SoFN5rVwNhIybkMhd3kNjU8cIkA2lI0vjNqmGOafZ5xTyWhViHuvN014hRyffiNS
JE4icLuQV25DidcZkvxjuiaHiJz70DZgerSOds5H8kNeoNlIevPxPzWEaZ7HMsuL
loK+hqE/nMMaL3lk29+a7k1lcqNvljt3M5dX/CVbevvV0NCV62bojA==
=56UI
-----END PGP SIGNATURE-----
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [18 Jan 2011]
=======================================

DTLS DoS attack (CVE-2012-0050)
===============================

A flaw in the fix to CVE-2011-4108 can be exploited in a denial of service attack. Only DTLS applications using OpenSSL 1.0.0f and 0.9.8s are affected.

Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix.

Affected users should upgrade to OpenSSL 1.0.0g or 0.9.8t.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120118.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBTxbTZqLSm3vylcdZAQIVsgf/b+bSo2XrK9aWx1MCvgcz9Y1rJS8mOfLS
c1E9ZpIp2uXcHai9PNhtJ8MRW3pVpyHMxqNQ/9ULXYBjRwVl9YT2ipDBN4iZda9M
3Rh3g6vuWwbpNDNnd9xiuTVq8y7cVk1U0VXoOZ9tXIkkKgEITXiAqH1qmo9nthkT
Rv/5cgWmfplnhz0gMANHreRh3cZr/BhQaKHZAZ8Fsa2EqRHdyZagGlwspGqQab85
dT8jiNYABnQDWju28tjpMT/W8vnW0/zTXll21hbNj/R+D/L3lhLY8XNhYsoQrCZo
UIY+quRAsdggLWrFizDA3vxsEdtU1z/5yE+4bs5hzaJhTe0RJUieNw==
=Dkux
-----END PGP SIGNATURE-----
OpenSSL 1.0.1 beta 2 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.1 Beta 2
============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The second beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-1.0.1-beta2.tar.gz
    Size: 4447371
    MD5 checksum: ef66ad92539014e1a8fe33bdd8159bad
    SHA1 checksum: b92b1d3c019d094bc5b3079dfd60acc2bf925b53

The checksums were calculated using the following command:

  openssl md5 < openssl-1.0.1-beta2.tar.gz
  openssl sha1 < openssl-1.0.1-beta2.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 52 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES). Also check the latest snapshots at ftp://ftp.openssl.org/snapshot/ or CVS (see http://www.openssl.org/source/repos.html) to avoid reporting previously fixed bugs.

Since the first beta the following has happened:

  - Avoid handshake failures by fixing heartbeat support.
  - Security fixes from stable releases.
  - Other fixes.

Reports and patches should be sent to openssl-b...@openssl.org. Discussions around the development of OpenSSL should be sent to openssl-...@openssl.org. Anything else should go to openssl-us...@openssl.org.

The best way, at least on Unix, to create a report is to do the following after configuration:

  make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBTxxXVKLSm3vylcdZAQKTtgf/c+YpXId1s26gkdEw9YjL3T0zRbj7826T
+iB1uc9hgiRg2FrWuyRTBz6IG8s6oVhh8YOnOF4PR9CAvmcDsaAtklu70tql3Fae
KSw1s2T2uotHopbuE0XVWap8AGVgg0Ab0RzJtBx09620TCeOeIpywPqY+ZwmsXbp
L4iVXnv1tUjJ7l8+T9SMSoszjey3IcRmalQWuCtE9aSxQ87JlY1HCOkatcAiCnqL
dGD9M2mEIXAthxgEmlIP8151moCsB5O4QmIkPZEp/fIeWqkFReff3pUYr2S06ww9
jp1UCzjQM/ubPntjG78Ci36JNh60Yl8qu0rmub7pRzdoDw9kcHFCcA==
=YQut
-----END PGP SIGNATURE-----
OpenSSL 1.0.1 beta 3 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.1 Beta 3
============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The third beta is now released. This is expected to be the final beta depending on the number of bugs reported. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-1.0.1-beta3.tar.gz
    Size: 4451351
    MD5 checksum: dc141587e0d374bdb0c7b97f770fff5e
    SHA1 checksum: 32105cbcc1bc6bc959102b2d70eb16ed1da732ce

The checksums were calculated using the following command:

  openssl md5 < openssl-1.0.1-beta3.tar.gz
  openssl sha1 < openssl-1.0.1-beta3.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 55 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES). Also check the latest snapshots at ftp://ftp.openssl.org/snapshot/ or CVS (see http://www.openssl.org/source/repos.html) to avoid reporting previously fixed bugs.

Since the second beta the following has happened:

  - Improved TLS v1.2 client authentication interop.
  - MDC2 signature format compatibility fix.
  - ABI compatibility fixes.
  - Other fixes.

Reports and patches should be sent to openssl-b...@openssl.org. Discussions around the development of OpenSSL should be sent to openssl-...@openssl.org. Anything else should go to openssl-us...@openssl.org.

The best way, at least on Unix, to create a report is to do the following after configuration:

  make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT0bJ2qLSm3vylcdZAQJv1Qf9G5Vf7BgbdhHW+psSd3s6Z8zeijxSkZl1
cue84LkJEDRr7Tkbyk2eGuLR5cNiuH5u9waPlf31zCWsoh2cOl2fMDm+3LTB6Wqk
9zU8gkaarUFZxYxbRJa2VVDTOEzbW/qO/Gabjt/dkh/0xb2iKZvTVGr8G8xK0PVN
aYhehHEHl6yxJv2V8uPZgxOC0KIMRXIj3zy/Db/Aeu9FRH1vFCHg4o+HjvaMfXRd
Ahhwsh4HLaKQ3GZZKHGBlIzFANd6QJM0Q96tf2rVdINq9CZ3iw7KnbHUXNH26H3P
VSfxF0sZcbl2PvQ0EnTKuKLt3QXkea9Ihtf7h7srTP4VikKbkAeh8Q==
=27QW
-----END PGP SIGNATURE-----
OpenSSL security advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [12 Mar 2012]
=======================================

CMS and S/MIME Bleichenbacher attack (CVE-2012-0884)
====================================================

A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA). Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A successful attack needs on average 2^20 messages. In practice only automated systems will be affected as humans will not be willing to process this many messages.

SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code.

Thanks to Ivan Nestlerode for discovering this weakness. The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.0h or 0.9.8u.

References
==========

RFC3218

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120312.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT14b4aLSm3vylcdZAQLNTAf9GZmm+2oCVvpOx1DPv/byirbrVgKzxGUe
bE+KDVFbRFt0t/MkC/CoWAQDZs7ef2E9YZ8R8jy7cEriUTbipuBIetBah2+oTZnM
j3g1LeUth8gYBy//9epcVRTtpjkZ/oZVKYsjbdWnQIgW1hTvpgaqtPRFX3aDWIZv
ArpUSG5YmX+Zg4NYwB3ZMa+je4d2jTQmItqNsTUYv6jdxYYn8LwUQfa3r3f5mkMt
usI7YP2QFaR3q0iTknMM+BmzzxNOcs/3Y4VfXASWiVVVd4i0jltSxgqsvTB2lH3G
woUBIL+tF6KylHGfu9TMdvwj17eD5Q47y94Bg/rxf+hUn/AlPjsWRw==
=aUDu
-----END PGP SIGNATURE-----
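The advisory cites RFC 3218, which describes the countermeasure for this class of weakness: a recipient must not let the outcome of the PKCS #1 v1.5 padding check be observable. The code below is an added example (not OpenSSL's CMS or PKCS #7 code, and not from the advisory) that puts the two behaviours side by side on an already RSA-decrypted block EM, so no RSA key is involved. The oracle variant raises a distinguishable error on bad padding; the RFC 3218 variant substitutes a random content-encryption key of the expected length and carries on, so the later content-decryption failure looks the same whether or not the padding was valid. The encoder and all sample values exist only to produce test input and are constructed.

```python
"""PKCS #1 v1.5 decryption padding check and the RFC 3218 countermeasure."""
import os


def unpad_pkcs1_v15(em):
    """Return M if EM = 0x00 0x02 PS 0x00 M with PS at least 8 non-zero bytes,
    otherwise None. (Illustrative: not written to run in constant time.)"""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    try:
        sep = em.index(0, 2)          # first zero after the 0x00 0x02 prefix
    except ValueError:
        return None
    if sep - 2 < 8:
        return None
    return em[sep + 1:]


def recover_content_key_oracle(em, key_len):
    """Leaky behaviour: a distinguishable error whenever the padding is bad.
    Observed over many chosen ciphertexts, this is the oracle the million
    message attack relies on."""
    key = unpad_pkcs1_v15(em)
    if key is None:
        raise ValueError("PKCS#1 decoding error")
    if len(key) != key_len:
        raise ValueError("wrong content-encryption key length")
    return key


def recover_content_key(em, key_len):
    """RFC 3218 countermeasure: on any decoding or length failure, substitute a
    random key of the expected length and carry on. Content decryption then
    fails later in a way that does not depend on which check failed here."""
    key = unpad_pkcs1_v15(em)
    if key is None or len(key) != key_len:
        key = os.urandom(key_len)
    return key


def is_decoding_error(em, key_len):
    """True if the oracle variant raises for this EM."""
    try:
        recover_content_key_oracle(em, key_len)
    except ValueError:
        return True
    return False


def encode_pkcs1_v15(message, k):
    """Build a valid EM for a k-byte modulus (used only to produce test input)."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    ps = bytearray()
    while len(ps) < ps_len:
        ps.extend(b for b in os.urandom(ps_len) if b != 0)   # PS must be non-zero bytes
    return b"\x00\x02" + bytes(ps[:ps_len]) + b"\x00" + message
```

The substitution only removes the padding-check signal; timing of the check itself, and any difference in error reporting further down the pipeline, also have to be uniform for the countermeasure to hold, which is why the advisory's fix is in the library rather than something an application can bolt on.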
OpenSSL 1.0.1 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.1 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1 of our open source toolkit for SSL/TLS. This new OpenSSL version is a new feature release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

The most significant changes are:

  o TLS/DTLS heartbeat support.
  o SCTP support.
  o RFC 5705 TLS key material exporter.
  o RFC 5764 DTLS-SRTP negotiation.
  o Next Protocol Negotiation.
  o PSS signatures in certificates, requests and CRLs.
  o Support for password based recipient info for CMS.
  o Support TLS v1.2 and TLS v1.1.
  o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
  o SRP support.

We consider OpenSSL 1.0.1 to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 1.0.1 is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1.tar.gz
    Size: 4453920
    MD5 checksum: 134f168bc2a8333f19f81d684841710b
    SHA1 checksum: a6476d33fd38c2e7dfb438d1e3be178cc242c907

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1.tar.gz
  openssl sha1 openssl-1.0.1.tar.gz

Yours,
The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT2CkBKLSm3vylcdZAQJv6wgAmrvhkXBB0rOI2Yt5YkgShq7BqqogFJk7
TBCHP6gR133L08e+WibwLc3HZS8eU2oAyyOYjBiTjO2Dyg5jkkslku2pyX9R8iZd
vb0k/ZTuzmNO/6dDYwejbYdLjrPmTKWrcofa9GooWhiFBOzi3fbY0pAIWjHBoY07
LK8HxVzqQ+v/fg3ingqNpD5qJ6y13i4S8wzMPRL/4ox3evRSsEZ2ZTRqCfxwIbQk
hZHfNL2sCZ+i/BoPKYxezhRweftDKQJtAm17femzymbQ0NVZfKi2i4kcd0GXS4Ow
eaeMwpXdAGDGcj/HzaqxH1lEkKDQB+H9fo9MT2gqawjntiRt6K/oyQ==
=yHMc
-----END PGP SIGNATURE-----
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL Security Advisory [19 Apr 2012]
=======================================

ASN1 BIO vulnerability (CVE-2012-2110)
======================================

A potentially exploitable vulnerability has been discovered in the OpenSSL function asn1_d2i_read_bio.

Any application which uses BIO or FILE based functions to read untrusted DER format data is vulnerable. Affected functions are of the form d2i_*_bio or d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.

Applications using the memory based ASN1 functions (d2i_X509, d2i_PKCS12 etc) are not affected. In particular the SSL/TLS code of OpenSSL is *not* affected. Applications only using the PEM routines are not affected.

S/MIME or CMS applications using the built in MIME parser SMIME_read_PKCS7 or SMIME_read_CMS *are* affected.

The OpenSSL command line utility is also affected if used to process untrusted data in DER format.

Note: although an application using the SSL/TLS portions of OpenSSL is not automatically affected it might still call a function such as d2i_X509_bio on untrusted data and be vulnerable.

Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley for fixing it.

Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120419.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT5AJh6LSm3vylcdZAQII+Af/dPNEQrJZ6YHlytaMW6zvkG64pvYBLuoO
BdJQnFBR3oWolOIQDyFD7byECly/czVHA5mTifsG+XyHeLHB5Zr2PsnLBLj3d6Su
verXPt8JU/XQb+Rhn1P9F32qTMwhZkgNcjV3eOprpUBD7qNz+nQd1pJtlKX3asmK
wtVYyX6Dbbe61GQ6nDxT4fLpAL6Yk/YJH3jRA/R4MW/0vyJzYCALKiCsFuAzp2Fl
Ov5n3Gkn+Y+1jaaGpqNxdWv1F3OI8vieC4lN4CfbaDDkQxNCNBRwcucK/tBBKAxK
3gravlQDuqnGn3M6GOpVJ89hZaPscMvsKx80jUKZtn2kPBaC7NxYeQ==
=91XR
-----END PGP SIGNATURE-----
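The advisory draws its line between readers that take DER from a BIO or FILE and those that take it from memory, and the common thread is trust in a length field the attacker controls. The parser below is an added example (not OpenSSL's asn1_d2i_read_bio, and not a reproduction of the CVE-2012-2110 defect) showing the checks a reader of untrusted DER needs before it acts on a length: it decodes one tag-length header and rejects a length that is indefinite, encoded non-minimally, larger than the bytes actually on hand, or above a caller-supplied cap, so no length field can drive an oversized allocation or an out-of-bounds read. All inputs are constructed.

```python
"""Bounded DER length decoding for readers of untrusted DER input."""
MAX_LENGTH_OCTETS = 4   # accept at most 32-bit lengths


def decode_tlv_header(data, offset=0, max_len=1 << 20):
    """Return (tag, length, value_offset) for the element at offset, or raise ValueError."""
    if offset + 2 > len(data):
        raise ValueError("truncated header")
    tag = data[offset]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tag numbers not supported here")
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:                     # short form
        length = first
    elif first == 0x80:                  # indefinite form is BER only
        raise ValueError("indefinite length not allowed in DER")
    else:                                # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n > MAX_LENGTH_OCTETS:
            raise ValueError("length field too long")
        if pos + n > len(data):
            raise ValueError("truncated length field")
        length = int.from_bytes(data[pos:pos + n], "big")
        # DER requires the shortest encoding: no leading zero octet, and long
        # form only for lengths that do not fit the short form.
        if (n > 1 and data[pos] == 0) or length < 0x80:
            raise ValueError("non-minimal length encoding")
        pos += n
    if length > max_len:
        raise ValueError("length %d exceeds cap %d" % (length, max_len))
    if pos + length > len(data):
        raise ValueError("length exceeds available data")
    return tag, length, pos


def read_der_object(data, max_len=1 << 20):
    """Return the bytes of the first complete TLV in data (what a reader would hand on)."""
    _, length, value_offset = decode_tlv_header(data, 0, max_len)
    return data[:value_offset + length]


def rejects(data, max_len=1 << 20):
    """True if decode_tlv_header refuses the input."""
    try:
        decode_tlv_header(data, 0, max_len)
    except ValueError:
        return True
    return False
```

The cap matters most for stream readers: when the data is not all in memory yet, "length exceeds available data" cannot be decided up front, and max_len is then the only thing standing between a hostile header and an allocation of the attacker's choosing.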
OpenSSL 1.0.1b released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.0.1b released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1b of our open source toolkit for SSL/TLS. This new OpenSSL version is a new feature release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

The most significant changes are:

  o Fix compilation error on non-x86 platforms.
  o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
  o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0

We consider OpenSSL 1.0.1b to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 1.0.1b is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1b.tar.gz
    Size: 4456651
    MD5 checksum: a1da58ce63baef3812004714fa302c47
    SHA1 checksum: b6222cbbf835c27d9ad6db22262da6e4a2aca8b8

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1b.tar.gz
  openssl sha1 openssl-1.0.1b.tar.gz

Yours,
The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT5kur6LSm3vylcdZAQIBMgf/ZWCdMY1Invtng4OhB7+3qE8HBBr7U3+y
/t6WPhsKzKMT2vdS0DEs+MOGe2CKaPFBcHnkOrRfclVoE2xRpZgIsKljZ+acYKU5
Ch52TWyzoBU4OmNIH11PzG6hXixmLb3fJZP2O5lxoLWPxCzL8edWBicEiTSJ6mXs
xf6snQCqqjldCxNZmVWTR2mcxQ1lMhL9lafUnx51F0c3JVjyhcNLuPOAOufyalP1
ESJcuIrB2L9+fv8WMpxIugUFHveV3FB6DXTsJIVFmWvShjLgK78wQWZMxQeT8Isg
R/e9vqpPHF8YuagMUicazJXOWHectkWnESKQsL0j0bVvyHTCOE0TQQ==
=rfoQ
-----END PGP SIGNATURE-----
OpenSSL Security Advisory
OpenSSL Security Advisory [10 May 2012]
=======================================

Invalid TLS/DTLS record attack (CVE-2012-2333)
==============================================

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and DTLS can be exploited in a denial of service attack on both clients and servers.

DTLS applications are affected in all versions of OpenSSL. TLS is only affected in OpenSSL 1.0.1 and later.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120510.txt
OpenSSL Security Advisory
OpenSSL Security Advisory [05 Feb 2013]
=======================================

SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
===========================================================

Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing differences arising during MAC processing. Details of this attack can be found at:
http://www.isg.rhul.ac.uk/tls/

All versions of OpenSSL are affected including 1.0.1c, 1.0.0j and 0.9.8x.

Note: this vulnerability is only partially mitigated when OpenSSL is used in conjunction with the OpenSSL FIPS Object Module and the FIPS mode of operation is enabled.

Thanks go to Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London for discovering this flaw. An initial fix was prepared by Adam Langley and Emilia Käsper of Google. Additional refinements were added by Ben Laurie, Andy Polyakov and Stephen Henson of the OpenSSL group.

Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y.

TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686)
============================================

A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms can be exploited in a DoS attack. If you are unsure if you are using AES-NI see "References" below.

Anyone using an AES-NI platform for TLS 1.2 or TLS 1.1 on OpenSSL 1.0.1c is affected. Platforms which do not support AES-NI or versions of OpenSSL which do not implement TLS 1.2 or 1.1 (for example OpenSSL 0.9.8 and 1.0.0) are not affected.

Thanks go to Adam Langley for initially discovering the bug and developing a fix and to Wolfgang Ettlingers for independently discovering this issue.

Affected users should upgrade to OpenSSL 1.0.1d.

OCSP invalid key DoS issue (CVE-2013-0166)
==========================================

A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.

All versions of OpenSSL are affected including 1.0.1c, 1.0.0j and 0.9.8x.

This flaw was discovered and fixed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20130204.txt

Wikipedia AES-NI description:
http://en.wikipedia.org/wiki/AES-NI
OpenSSL version 1.0.1e released
OpenSSL version 1.0.1e released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1e of our open source toolkit for SSL/TLS. This new OpenSSL version is a new feature release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

The most significant changes are:

  o Corrected fix for CVE-2013-0169

We consider OpenSSL 1.0.1e to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 1.0.1e is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1e.tar.gz
    Size: 4459777
    MD5 checksum: 66bf6f10f060d561929de96f9dfe5b8c
    SHA1 checksum: 3f1b1223c9e8189bfe4e186d86449775bd903460

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1e.tar.gz
  openssl sha1 openssl-1.0.1e.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 1.0.1f released
OpenSSL version 1.0.1f released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1f of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:
http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1f is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1f.tar.gz
    Size: 4509212
    MD5 checksum: f26b09c028a0541cab33da697d522b25
    SHA1 checksum: 9ef09e97dfc9f14ac2c042f3b7e301098794fc0f

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1f.tar.gz
  openssl sha1 openssl-1.0.1f.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 1.0.0l released
OpenSSL version 1.0.0l released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0l of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:
http://www.openssl.org/news/openssl-1.0.0-notes.html

OpenSSL 1.0.0l is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0l.tar.gz
    Size: 4089622
    MD5 checksum: 3847c1e3edb02b43188ff77d22f56877
    SHA1 checksum: f7aeaa76a043ab9c1cd5899d09c696d98278e2d7

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.0l.tar.gz
  openssl sha1 openssl-1.0.0l.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 1.0.2 beta 1 released
OpenSSL version 1.0.2 beta 1
============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 1.0.2 is currently in beta. OpenSSL 1.0.2 beta 1 has now been released.

The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2-beta1.tar.gz
    Size: 4901640
    MD5 checksum: 59e8a227d50851dbe8db2a754ea22be1
    SHA1 checksum: ecac4e7d59eec90ce1c5e75ac4ab4236637c321d

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.2-beta1.tar.gz
  openssl sha1 openssl-1.0.2-beta1.tar.gz

Please download and check this beta as soon as possible. Bug reports should go to openssl-b...@openssl.org. Please check the release notes and mailing lists to avoid duplicate reports of known issues.

Yours,
The OpenSSL Project Team.
OpenSSL version 1.0.1g released
OpenSSL version 1.0.1g released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1g of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:
http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1g.tar.gz
    Size: 4509047
    MD5 checksum: de62b43dfcd858e66a74bee1c834e959
    SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1g.tar.gz
  openssl sha1 openssl-1.0.1g.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL Security Advisory
OpenSSL Security Advisory [07 Apr 2014]
=======================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
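The following C parser is an added illustration, not OpenSSL's code, of the bounds check this advisory describes as missing: the heartbeat message's payload_length field is validated against the number of bytes that actually arrived before any payload is echoed. The message layout (1-byte type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding) is taken from RFC 6520; the two sample records are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN  3    /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16   /* RFC 6520 requires at least 16 padding bytes */
#define HB_REQUEST     1
#define HB_RESPONSE    2

enum hb_status {
    HB_OK = 0,
    HB_ERR_TOO_SHORT,      /* record cannot even hold header + padding */
    HB_ERR_BAD_TYPE,       /* neither heartbeat_request nor heartbeat_response */
    HB_ERR_LENGTH_OVERRUN  /* payload_length claims more bytes than arrived */
};

/*
 * Parse one heartbeat message held in rec[0..rec_len).
 * On HB_OK, *payload points into rec and *payload_len is the validated
 * payload length; nothing is ever read beyond rec_len.
 */
enum hb_status hb_parse(const uint8_t *rec, size_t rec_len,
                        const uint8_t **payload, size_t *payload_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_ERR_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_ERR_BAD_TYPE;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The check CVE-2014-0160 lacked: the claimed payload plus the
     * mandatory padding must fit inside the bytes we actually received.
     * Without it, memcpy below would copy claimed bytes from beyond rec. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_ERR_LENGTH_OVERRUN;

    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return HB_OK;
}

/*
 * Build a heartbeat_response echoing the request's payload into out.
 * Returns the response length, or 0 if the request is malformed or the
 * output buffer is too small.  Padding is zero-filled here for
 * reproducibility; RFC 6520 says the receiver ignores its content.
 */
size_t hb_respond(const uint8_t *req, size_t req_len,
                  uint8_t *out, size_t out_cap)
{
    const uint8_t *payload;
    size_t payload_len;

    if (hb_parse(req, req_len, &payload, &payload_len) != HB_OK)
        return 0;
    if (req[0] != HB_REQUEST)          /* only requests get a response */
        return 0;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, payload_len);   /* validated bytes only */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Constructed sample records (not captured traffic). */
/* Well-formed: 5-byte payload "hello" followed by 16 bytes of padding. */
static const uint8_t hb_good[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Malformed: the same 24 bytes on the wire, but payload_length claims 65535. */
static const uint8_t hb_bad[] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    uint8_t out[64];
    size_t n = hb_respond(hb_good, sizeof hb_good, out, sizeof out);
    printf("well-formed request -> %zu-byte response\n", n);
    n = hb_respond(hb_bad, sizeof hb_bad, out, sizeof out);
    printf("oversized payload_length -> %s\n", n == 0 ? "rejected" : "echoed");
    return 0;
}
```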
OpenSSL Security Advisory
OpenSSL Security Advisory [05 Jun 2014]
=======================================

SSL/TLS MITM vulnerability (CVE-2014-0224)
==========================================

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and researching this issue. This issue was reported to OpenSSL on 1st May 2014 via JPCERT/CC. The fix was developed by Stephen Henson of the OpenSSL core team partly based on an original patch from KIKUCHI Masashi.

DTLS recursion flaw (CVE-2014-0221)
===================================

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack.

Only applications using OpenSSL as a DTLS client are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. This issue was reported to OpenSSL on 9th May 2014. The fix was developed by Stephen Henson of the OpenSSL core team.

DTLS invalid fragment vulnerability (CVE-2014-0195)
===================================================

A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Jüri Aedla for reporting this issue. This issue was reported to OpenSSL on 23rd April 2014 via HP ZDI. The fix was developed by Stephen Henson of the OpenSSL core team.

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=================================================================

A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public. The fix was developed by Matt Caswell of the OpenSSL development team.

SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
===============================================================================

A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.

Anonymous ECDH denial of service (CVE-2014-3470)
================================================

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8za.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Thanks to Felix Gröbert and Ivan Fratrić at Google for discovering this issue. This issue was reported to OpenSSL on 28th May 2014. The fix was developed by Stephen Henson of the OpenSSL core team.

Other issues
============

OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack". Reported by Yuval Yarom and Naomi Benger. This issue was previously fixed in OpenSSL 1.0.1g.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20140605.txt

Note: the online version of the advisory may be updated with additional details over time.
OpenSSL version 1.0.2 beta 2 released
OpenSSL version 1.0.2 beta 2
============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 1.0.2 is currently in beta. OpenSSL 1.0.2 beta 2 has now been released. For details of changes and known issues see the release notes at:
http://www.openssl.org/news/openssl-1.0.2-notes.html

The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2-beta2.tar.gz
    Size: 4872101
    MD5 checksum: 14da0421bc318478522ecc64341e3ebb
    SHA1 checksum: 3ef423fefcad9e2210fd222192f2cd4ed25a3666

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.2-beta2.tar.gz
  openssl sha1 openssl-1.0.2-beta2.tar.gz

Please download and check this beta as soon as possible. Bug reports should go to openssl-b...@openssl.org. Please check the release notes and mailing lists to avoid duplicate reports of known issues.

Yours,
The OpenSSL Project Team.
Forthcoming OpenSSL releases
Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.1i, 1.0.0n and 0.9.8zb.

These releases will be made available on 6th August at some time after 20.30 UTC. They will fix a number of security defects.

Since these security defects are considered as moderate severity or less no further details or patches will be made available in advance of the release to any parties.

Yours,
The OpenSSL Project Team
OpenSSL Security Advisory
OpenSSL Security Advisory [6 Aug 2014]
======================================

Information leak in pretty printing functions (CVE-2014-3508)
=============================================================

A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker.

OpenSSL SSL/TLS clients and servers themselves are not affected.

OpenSSL 0.9.8 users should upgrade to 0.9.8zb.
OpenSSL 1.0.0 users should upgrade to 1.0.0n.
OpenSSL 1.0.1 users should upgrade to 1.0.1i.

Thanks to Ivan Fratric (Google) for discovering this issue. This issue was reported to OpenSSL on 19th June 2014. The fix was developed by Emilia Käsper and Stephen Henson of the OpenSSL development team.

Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
==================================================================

The issue affects OpenSSL clients and allows a malicious server to crash the client with a null pointer dereference (read) by specifying an SRP ciphersuite even though it was not properly negotiated with the client. This can be exploited through a Denial of Service attack.

OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.

Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering and researching this issue. This issue was reported to OpenSSL on 2nd July 2014. The fix was developed by Stephen Henson of the OpenSSL core team.

Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
==============================================================

If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory.

OpenSSL 1.0.0 SSL/TLS client users should upgrade to 1.0.0n.
OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.

Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this issue. This issue was reported to OpenSSL on 8th July 2014. The fix was developed by Gabor Tyukasz.

Double Free when processing DTLS packets (CVE-2014-3505)
========================================================

An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

Thanks to Adam Langley and Wan-Teh Chang (Google) for discovering and researching this issue. This issue was reported to OpenSSL on 6th June 2014. The fix was developed by Adam Langley.

DTLS memory exhaustion (CVE-2014-3506)
======================================

An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

Thanks to Adam Langley (Google) for discovering and researching this issue. This issue was reported to OpenSSL on 6th June 2014. The fix was developed by Adam Langley.

DTLS memory leak from zero-length fragments (CVE-2014-3507)
===========================================================

By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

Thanks to Adam Langley (Google) for discovering and researching this issue. This issue was reported to OpenSSL on 6th June 2014. The fix was developed by Adam Langley.

OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
===============================================================

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages.

OpenSSL 0.9.8 DTLS client users should upgrade to 0.9.8zb.
OpenSSL 1.0.0 DTLS client users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS client users should upgrade to 1.0.1i.

Thanks to Felix Gröbert (Google) for discovering and researching this issue. This issue was reported to OpenSSL on 18th July 2014. The fix was developed by Emilia Käsper of the OpenSSL development team.

OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
=====================================================

A flaw in the OpenSSL SSL/TLS server code causes the server to
OpenSSL version 0.9.8zb released
OpenSSL version 0.9.8zb released
================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8zb of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:
http://www.openssl.org/news/openssl-0.9.8-notes.html

OpenSSL 0.9.8zb is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-0.9.8zb.tar.gz
    Size: 3727934
    MD5 checksum: 65c5f42734f8ecd58990b12a9afa6453
    SHA1 checksum: 4f0079d4d924ab618d5f846cb91f413184bf8dea

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.8zb.tar.gz
  openssl sha1 openssl-0.9.8zb.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 1.0.0n released
OpenSSL version 1.0.0n released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0n of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.0-notes.html

OpenSSL 1.0.0n is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0n.tar.gz
    Size: 3994771
    MD5 checksum: 7d4c7a0462e32b0ec1e37216e4ca6178
    SHA1 checksum: 2d0d95d52dc93e4a0d80b1bf45d67e5e9849d819

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.0n.tar.gz
  openssl sha1 openssl-1.0.0n.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 1.0.1i released
OpenSSL version 1.0.1i released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1i of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1i is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1i.tar.gz
    Size: 4422117
    MD5 checksum: c8dc151a671b9b92ff3e4c118b174972
    SHA1 checksum: 74eed314fa2c93006df8d26cd9fc630a101abd76

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1i.tar.gz
  openssl sha1 openssl-1.0.1i.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 1.0.2 beta 3 released
OpenSSL version 1.0.2 beta 3
============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 1.0.2 is currently in beta. OpenSSL 1.0.2 beta 3 has now been released. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.2-notes.html

The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2-beta3.tar.gz
    Size: 5149260
    MD5 checksum: 10f39b6dc541a16e939b811d4af54a6f
    SHA1 checksum: 9435f53d2bc625d80f7f4a7ab986e5e5bd18d01d

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.2-beta3.tar.gz
  openssl sha1 openssl-1.0.2-beta3.tar.gz

Please download and check this beta as soon as possible. Bug reports should go to openssl-b...@openssl.org. Please check the release notes and mailing lists to avoid duplicate reports of known issues.

Yours,
The OpenSSL Project Team.
OpenSSL Security Advisory
OpenSSL Security Advisory [15 Oct 2014]
=======================================

SRTP Memory Leak (CVE-2014-3513)
================================

Severity: High

A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory, causing a memory leak. This could be exploited in a Denial Of Service attack.

This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.

This issue was reported to OpenSSL on 26th September 2014, based on an original issue and patch developed by the LibreSSL project. Further analysis of the issue was performed by the OpenSSL team. The fix was developed by the OpenSSL team.

Session Ticket Memory Leak (CVE-2014-3567)
==========================================

Severity: Medium

When an OpenSSL SSL/TLS/DTLS server receives a session ticket, the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory, causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

This issue was reported to OpenSSL on 8th October 2014. The fix was developed by Stephen Henson of the OpenSSL core team.

SSL 3.0 Fallback protection
===========================

Severity: Medium

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade.

Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566).

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf

Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller.

Build option no-ssl3 is incomplete (CVE-2014-3568)
==================================================

Severity: Low

When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete an SSL 3.0 handshake, and clients could be configured to send them.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014. The fix was developed by Akamai and the OpenSSL team.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20141015.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
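As an added example, not OpenSSL code, the Python below models both halves of the TLS_FALLBACK_SCSV rule from draft-ietf-tls-downgrade-scsv referenced in the advisory: a client appends the signalling suite (0x5600) to its cipher list only on a retry below its best version, and a server that finds the SCSV in a ClientHello whose client_version is lower than the server's highest supported version refuses the connection with an inappropriate_fallback alert. The ClientHello builder and parser are a minimal constructed subset (no extensions, zero random), and the two ordinary cipher suites are sample input.

```python
import struct

# TLS_FALLBACK_SCSV signalling cipher suite value and the alert it triggers
# (both from draft-ietf-tls-downgrade-scsv / RFC 7507).
TLS_FALLBACK_SCSV = 0x5600
INAPPROPRIATE_FALLBACK = 86

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

# Two real suites used as constructed sample input.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035


def client_cipher_suites(preferred, attempt_version, best_version):
    """Client side of the rule: append the SCSV only when this attempt is a
    downgrade retry, i.e. attempt_version is below the highest version the
    client actually supports. A first attempt never carries it."""
    suites = list(preferred)
    if attempt_version < best_version:
        suites.append(TLS_FALLBACK_SCSV)
    return suites


def build_client_hello(version, suites):
    """Constructed minimal ClientHello record: zero random, empty session id,
    null compression only, no extensions (valid for SSL 3.0 as well as TLS)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return (b"\x16" + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a handshake record, checking
    every length field so a short or malformed hello is rejected, not misread."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                      # skip the 32-byte client random
    sid_len = hello[pos]
    pos += 1 + sid_len
    if pos + 2 > len(hello):
        raise ValueError("truncated session id")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def server_check_fallback(record, server_max_version):
    """Server side of the rule. Returns (accepted, detail). A hello carrying
    the SCSV at a version below server_max_version is a fallback that a MITM
    could have induced, so it is refused with inappropriate_fallback. A hello
    without the SCSV cannot be told apart from a legacy client and is accepted."""
    client_version, suites = parse_client_hello(record)
    name = VERSION_NAMES.get(client_version, hex(client_version))
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return False, (INAPPROPRIATE_FALLBACK,
                       "client offered %s but signals it supports higher" % name)
    return True, name


def simulate_attempt(client_best, attempt_version, server_max):
    """Drive one client attempt against a server and return the server verdict."""
    suites = client_cipher_suites(
        [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA],
        attempt_version, client_best)
    record = build_client_hello(attempt_version, suites)
    return server_check_fallback(record, server_max)


if __name__ == "__main__":
    # A TLS 1.2 client forced down to SSL 3.0 against a TLS 1.2 server: refused.
    print(simulate_attempt(TLS12, SSL3, TLS12))
    # The same client's first attempt at TLS 1.2: accepted.
    print(simulate_attempt(TLS12, TLS12, TLS12))
    # A server whose own best is SSL 3.0: the SSL 3.0 retry is genuine, accepted.
    print(simulate_attempt(TLS12, SSL3, SSL3))
```

The third case is why the rule compares against the server's highest version rather than refusing every SSL 3.0 hello: the SCSV only proves the client could do better than it is offering, not that the server can.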
OpenSSL version 1.0.1j released
OpenSSL version 1.0.1j released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1j of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1j is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1j.tar.gz
    Size: 4432964
    MD5 checksum: f7175c9cd3c39bb1907ac8bba9df8ed3
    SHA1 checksum: cff86857507624f0ad42d922bb6f77c4f1c2b819

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1j.tar.gz
  openssl sha1 openssl-1.0.1j.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 1.0.0o released
OpenSSL version 1.0.0o released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0o of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.0-notes.html

OpenSSL 1.0.0o is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0o.tar.gz
    Size: 4003271
    MD5 checksum: 473b311354b7b19d624a4f291580e82e
    SHA1 checksum: c258be34c3d20967c881c9fff46b0d4730f1b7d3

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.0o.tar.gz
  openssl sha1 openssl-1.0.0o.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 0.9.8zc released
OpenSSL version 0.9.8zc released
================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8zc of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-0.9.8-notes.html

OpenSSL 0.9.8zc is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-0.9.8zc.tar.gz
    Size: 3735406
    MD5 checksum: 1b239eea3a60d67863e7b66700e47a16
    SHA1 checksum: c7c4715b09d1b68aec564671afd7ec416edf764f

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.8zc.tar.gz
  openssl sha1 openssl-0.9.8zc.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL 0.9.8 End Of Life Announcement
OpenSSL 0.9.8 End Of Life Announcement
======================================

The OpenSSL Project is today making the following announcement:

Support for version 0.9.8 will cease on 31st December 2015. No further releases of 0.9.8 will be made after that date. Security fixes only will be applied to 0.9.8 until then.

Yours,
The OpenSSL Project Team
[openssl-announce] OpenSSL 1.0.0 End Of Life Announcement
OpenSSL 1.0.0 End Of Life Announcement
======================================

The OpenSSL Project is today making the following announcement:

Support for version 1.0.0 will cease on 31st December 2015. No further releases of 1.0.0 will be made after that date. Security fixes only will be applied to 1.0.0 until then.

Further details about the OpenSSL Release Strategy can be found here:
https://www.openssl.org/about/releasestrat.html

Yours,
The OpenSSL Project Team

___
openssl-announce mailing list
openssl-announce@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-announce
[openssl-announce] Forthcoming OpenSSL releases
Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.1k, 1.0.0p and 0.9.8zd.

These releases will be made available on 8th January. They will fix a number of security defects.

Since these security defects are considered as moderate severity or less, no further details or patches will be made available in advance of the release.

Yours,
The OpenSSL Project Team
[openssl-announce] OpenSSL version 0.9.8zd released
OpenSSL version 0.9.8zd released
================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8zd of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-0.9.8-notes.html

OpenSSL 0.9.8zd is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-0.9.8zd.tar.gz
    Size: 3737538
    MD5 checksum: e9b9ee12f2911e1a378e2458d9bfff77
    SHA1 checksum: b9a6356d5385e0bd6b8af660576bfdef7b45666e

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.8zd.tar.gz
  openssl sha1 openssl-0.9.8zd.tar.gz

Yours,
The OpenSSL Project Team.

___
openssl-announce mailing list
openssl-announce@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-announce
[openssl-announce] OpenSSL version 1.0.0p released
OpenSSL version 1.0.0p released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0p of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.0-notes.html

OpenSSL 1.0.0p is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0p.tar.gz
    Size: 4008663
    MD5 checksum: f66da50ff3624aeaf292948f27d8ae7d
    SHA1 checksum: 04dd495c47c7a11f7f311747121b6b77e08abb5b

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.0p.tar.gz
  openssl sha1 openssl-1.0.0p.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.1k released
OpenSSL version 1.0.1k released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1k of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1k is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1k.tar.gz
    Size: 4434910
    MD5 checksum: d4f002bd22a56881340105028842ae1f
    SHA1 checksum: 19d818e202558c212a9583fcdaf876995a633ddf

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1k.tar.gz
  openssl sha1 openssl-1.0.1k.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL Security Advisory
OpenSSL Security Advisory [08 Jan 2015]
=======================================

DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
===========================================================

Severity: Moderate

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Markus Stenberg of Cisco Systems, Inc. The fix was developed by Stephen Henson of the OpenSSL core team.

DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
=======================================================

Severity: Moderate

A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion.

This issue affects OpenSSL versions: 1.0.1 and 1.0.0.

OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.

This issue was reported to OpenSSL on 7th January 2015 by Chris Mueller, who also provided an initial patch. Further analysis was performed by Matt Caswell of the OpenSSL development team, who also developed the final patch.

no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================

Severity: Low

When openssl is built with the no-ssl3 option and an SSL v3 ClientHello is received, the ssl method would be set to NULL, which could later result in a NULL pointer dereference.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The fix was developed by Kurt Roeckx.

ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
==========================================================

Severity: Low

An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team.

RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
==============================================================

Severity: Low

An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team.

DH client certificates accepted without verification [Server] (CVE-2015-0205)
=============================================================================

Severity: Low

An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered.

This issue affects OpenSSL versions: 1.0.1 and 1.0.0.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team.

Certificate fingerprints can be modified (CVE-2014-8275)
========================================================

Severity: Low

OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the
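As an added example, not OpenSSL code, the Python below models the client-side consistency checks whose absence the CVE-2014-3572 and CVE-2015-0204 items of this advisory describe: for the negotiated suite's key-exchange method, a ServerKeyExchange must be present and carry EC parameters when the suite is ephemeral ECDH, and must be absent when the suite is non-export RSA or static ECDH, so a temporary RSA key is never accepted for a suite that did not ask for one. The suite table is a constructed four-entry subset of the IANA registry (the values are the real assignments), and message contents are represented by a small dataclass rather than parsed from the wire.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Kx(Enum):
    """Key-exchange method of a cipher suite (subset sufficient for the checks)."""
    RSA = "RSA"                  # static RSA: no ServerKeyExchange
    RSA_EXPORT = "RSA_EXPORT"    # export RSA: ServerKeyExchange carries a temporary RSA key
    ECDH_ECDSA = "ECDH_ECDSA"    # static ECDH from the certificate: no ServerKeyExchange
    ECDHE_ECDSA = "ECDHE_ECDSA"  # ephemeral ECDH: ServerKeyExchange carries EC parameters


# Constructed subset of the suite registry; values are the real IANA assignments.
SUITE_KX = {
    0x002F: Kx.RSA,          # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0003: Kx.RSA_EXPORT,   # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    0xC004: Kx.ECDH_ECDSA,   # TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    0xC009: Kx.ECDHE_ECDSA,  # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
}


@dataclass
class ServerKeyExchange:
    """What the client found in the ServerKeyExchange message, if one arrived."""
    kind: str        # "ec_params" or "rsa_temp_key"
    bits: int = 0    # modulus size when kind == "rsa_temp_key"


def offerable(suites):
    """First line of defence: never offer export suites, so a temporary RSA key
    is never legitimate for anything this client can end up negotiating."""
    return [s for s in suites if SUITE_KX.get(s) is not Kx.RSA_EXPORT]


def validate_server_flight(cipher_suite, ske: Optional[ServerKeyExchange]):
    """Check the server's first flight against the negotiated suite.
    Returns (ok, reason); the two rejected cases map onto the advisory items."""
    kx = SUITE_KX.get(cipher_suite)
    if kx is None:
        return False, "server chose a suite the client did not offer"
    if kx is Kx.ECDHE_ECDSA:
        if ske is None:
            # CVE-2014-3572: with no ServerKeyExchange the exchange silently
            # becomes static ECDH on the certificate key, losing forward secrecy.
            return False, "ECDHE suite but ServerKeyExchange omitted"
        if ske.kind != "ec_params":
            return False, "ECDHE suite with wrong ServerKeyExchange contents"
        return True, "ephemeral ECDH parameters present"
    if kx is Kx.RSA:
        if ske is not None:
            # CVE-2015-0204: a temporary RSA key (typically 512-bit) must not be
            # accepted for a non-export RSA suite.
            return False, ("non-export RSA suite but ServerKeyExchange present "
                           "(%s, %d bits)" % (ske.kind, ske.bits))
        return True, "static RSA, key taken from certificate"
    if kx is Kx.ECDH_ECDSA:
        if ske is not None:
            return False, "static ECDH suite but ServerKeyExchange present"
        return True, "static ECDH, key taken from certificate"
    # Kx.RSA_EXPORT: only reachable if offerable() was bypassed; the export
    # rules themselves require a temporary RSA key of at most 512 bits.
    if ske is None or ske.kind != "rsa_temp_key" or ske.bits > 512:
        return False, "export suite requires a <=512-bit temporary RSA key"
    return True, "export RSA accepted (suite should not have been offered)"


if __name__ == "__main__":
    print(validate_server_flight(0xC009, None))                                # rejected
    print(validate_server_flight(0x002F, ServerKeyExchange("rsa_temp_key", 512)))  # rejected
    print(validate_server_flight(0xC009, ServerKeyExchange("ec_params")))      # accepted
    print(offerable([0x002F, 0x0003, 0xC009]))                                 # export suite dropped
```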
[openssl-announce] OpenSSL version 1.0.0q released
OpenSSL version 1.0.0q released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0q of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.0-notes.html

OpenSSL 1.0.0q is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0q.tar.gz
    Size: 4004090
    MD5 checksum: 8cafccab6f05e8048148e5c282ed5402
    SHA1 checksum: de1268a7240106bde2c865b77cd5538313db4bca

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.0q.tar.gz
  openssl sha1 openssl-1.0.0q.tar.gz

Yours,
The OpenSSL Project Team.

___
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
[openssl-announce] OpenSSL version 0.9.8ze released
OpenSSL version 0.9.8ze released
================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8ze of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-0.9.8-notes.html

OpenSSL 0.9.8ze is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-0.9.8ze.tar.gz
    Size: 3734873
    MD5 checksum: edcca64ac2fbf2b03461936d5e42a262
    SHA1 checksum: cbfbda630b3ad6d89a15a80c0dc15ebce2c1b7b2

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.8ze.tar.gz
  openssl sha1 openssl-0.9.8ze.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.1l released
OpenSSL version 1.0.1l released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1l of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1l is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1l.tar.gz
    Size: 4429979
    MD5 checksum: cdb22925fc9bc97ccbf1e007661f2aa6
    SHA1 checksum: 4547a0b4269acf76b1f9e7d188896867d6fc8c18

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1l.tar.gz
  openssl sha1 openssl-1.0.1l.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.2a released
OpenSSL version 1.0.2a released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2a of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2a is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2a.tar.gz
    Size: 5262089
    MD5 checksum: a06c547dac9044161a477211049f60ef
    SHA1 checksum: 46ecd325b8e587fa491f6bb02ad4a9fb9f382f5f

The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.2a.tar.gz
  openssl sha1 openssl-1.0.2a.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.1m released
OpenSSL version 1.0.1m released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1m of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1m is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.1m.tar.gz
      Size: 4533406
      MD5 checksum: d143d1555d842a069cb7cc34ba745a06
      SHA1 checksum: 4ccaf6e505529652f9fdafa01d1d8300bd9f3179

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.1m.tar.gz
    openssl sha1 openssl-1.0.1m.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.0r released
OpenSSL version 1.0.0r released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0r of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.0-notes.html

OpenSSL 1.0.0r is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.0r.tar.gz
      Size: 4095201
      MD5 checksum: ea48d0ad53e10f06a9475d8cdc209dfa
      SHA1 checksum: 24508ff8c4ad94bcf1070441a737097f04480c6b

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.0r.tar.gz
    openssl sha1 openssl-1.0.0r.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 0.9.8zf released
OpenSSL version 0.9.8zf released
================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8zf of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-0.9.8-notes.html

OpenSSL 0.9.8zf is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-0.9.8zf.tar.gz
      Size: 3822386
      MD5 checksum: c69a4a679233f7df189e1ad6659511ec
      SHA1 checksum: 3f2f4ca864b13a237ae063cd34d01bbdbc8f108f

The checksums were calculated using the following commands:

    openssl md5 openssl-0.9.8zf.tar.gz
    openssl sha1 openssl-0.9.8zf.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL Security Advisory
OpenSSL Security Advisory [19 Mar 2015]
=======================================

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
=====================================================

Severity: High

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 26th February 2015 by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.

Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
============================================================================

Severity: High

This security issue was previously announced by the OpenSSL project and classified as "low" severity. This severity rating has now been changed to "high".

This was classified low because it was originally thought that server RSA export ciphersuite support was rare: a client was only vulnerable to a MITM attack against a server which supports an RSA export ciphersuite. Recent studies have shown that RSA export ciphersuites support is far more common.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team. It was previously announced in the OpenSSL security advisory on 8th January 2015.

Multiblock corrupted pointer (CVE-2015-0290)
============================================

Severity: Moderate

OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature only applies on 64 bit x86 architecture platforms that support AES NI instructions. A defect in the implementation of "multiblock" can cause OpenSSL's internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically, when the user application is using a socket BIO for writing, this will only result in a failed connection. However if some other BIO is used then it is likely that a segmentation fault will be triggered, thus enabling a potential DoS attack.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 13th February 2015 by Daniel Danner and Rainer Mueller. The fix was developed by Matt Caswell of the OpenSSL development team.

Segmentation fault in DTLSv1_listen (CVE-2015-0207)
===================================================

Severity: Moderate

The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invocation to the next that can lead to a segmentation fault. Errors processing the initial ClientHello can trigger this scenario. An example of such an error could be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 27th January 2015 by Per Allansson. The fix was developed by Matt Caswell of the OpenSSL development team.

Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
===================================================

Severity: Moderate

The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a.
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered and fixed by Stephen Henson of the OpenSSL development team.

Segmentation fault for invalid PSS parameters (CVE-2015-0208)
=============================================================

Severity: Moderate

The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and invalid parame
[openssl-announce] OpenSSL version 0.9.8zg released
OpenSSL version 0.9.8zg released
================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8zg of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-0.9.8-notes.html

OpenSSL 0.9.8zg is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-0.9.8zg.tar.gz
      Size: 3826891
      MD5 checksum: 0a912b6623ac95a8627ea2bd0e0abf1b
      SHA1 checksum: a73005583ba8d5edc3bdcc1f99a1e33ee0ed41f8

The checksums were calculated using the following commands:

    openssl md5 openssl-0.9.8zg.tar.gz
    openssl sha1 openssl-0.9.8zg.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.0s released
OpenSSL version 1.0.0s released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0s of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.0-notes.html

OpenSSL 1.0.0s is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.0s.tar.gz
      Size: 4102101
      MD5 checksum: fe54d58a42c6aa1c7a587378e27072f3
      SHA1 checksum: 3df4b9a87c0a37e6fd589360f9d43a6be2252b62

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.0s.tar.gz
    openssl sha1 openssl-1.0.0s.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.1n released
OpenSSL version 1.0.1n released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1n of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1n is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.1n.tar.gz
      Size: 4545564
      MD5 checksum: 139568bd5a56fa49b72a290d37113f30
      SHA1 checksum: 2f6ea1e0f2724aca1805392e4387df8361442ace

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.1n.tar.gz
    openssl sha1 openssl-1.0.1n.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.2b released
OpenSSL version 1.0.2b released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2b of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2b is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.2b.tar.gz
      Size: 5281009
      MD5 checksum: 7729b259e2dea7d60b32fc3934d6984b
      SHA1 checksum: 9006e53ca56a14d041e3875320eedfa63d82aba7

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.2b.tar.gz
    openssl sha1 openssl-1.0.2b.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL Security Advisory
OpenSSL Security Advisory [11 Jun 2015]
=======================================

DHE man-in-the-middle protection (Logjam)
=========================================

A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam (CVE-2015-4000).

OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n

Fixes for this issue were developed by Emilia Käsper and Kurt Roeckx of the OpenSSL development team.

Malformed ECParameters causes infinite loop (CVE-2015-1788)
===========================================================

Severity: Moderate

When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled.

This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and 0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are affected.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0d (and below) users should upgrade to 1.0.0s
OpenSSL 0.9.8r (and below) users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 6th April 2015 by Joseph Birr-Pixton. The fix was developed by Andy Polyakov of the OpenSSL development team.

Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
===============================================================

Severity: Moderate

X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string.

An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0 users should upgrade to 1.0.0s
OpenSSL 0.9.8 users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 8th April 2015 by Robert Swiecki (Google), and independently on 11th April 2015 by Hanno Böck. The fix was developed by Emilia Käsper of the OpenSSL development team.

PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
=========================================================

Severity: Moderate

The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.

Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0 users should upgrade to 1.0.0s
OpenSSL 0.9.8 users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 18th April 2015 by Michal Zalewski (Google). The fix was developed by Emilia Käsper of the OpenSSL development team.

CMS verify infinite loop with unknown hash function (CVE-2015-1792)
===================================================================

Severity: Moderate

When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0 users should upgrade to 1.0.0s
OpenSSL 0.9.8 users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 31st March 2015 by Johannes Bauer. The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Race condition handling NewSessionTicket (CVE-2015-1791)
========================================================

Severity: Low

If a NewSessionTicket is received by a multi-threaded client
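The two downgrade issues in these advisories (the export-RSA downgrade, CVE-2015-0204, reclassified in the 19 Mar 2015 advisory, and Logjam, CVE-2015-4000, above) are both stopped on the client side by refusing a ServerKeyExchange that does not belong to the negotiated suite or that carries an undersized DH group. The following is an added example, not OpenSSL's code: a self-contained Python model of those two client checks using the ServerDHParams wire format from RFC 5246 and the 768-bit floor quoted in this advisory. The cipher-suite code points are the IANA registry values; the DH groups in the sample are constructed numbers, not real primes, since only their size matters here.

```python
import struct

# Cipher-suite code points from the IANA TLS Cipher Suite Registry.
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033

EXPORT_SUITES = {TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA}
RSA_KX_SUITES = {TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_AES_128_CBC_SHA}
DHE_SUITES = {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA}

# Minimum DH prime size the 11 Jun 2015 advisory says fixed clients enforce.
MIN_DH_BITS = 768


class HandshakeRejected(Exception):
    """Raised when the ServerKeyExchange must not be accepted."""


def _read_vector16(buf: bytes, off: int):
    """Read one TLS opaque<1..2^16-1> (2-byte length prefix) from buf at off."""
    if off + 2 > len(buf):
        raise HandshakeRejected("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise HandshakeRejected("bad vector length")
    return buf[off:off + n], off + n


def encode_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams body (RFC 5246 7.4.3) for testing. The signed
    part that follows it in a real DHE_RSA ServerKeyExchange is omitted."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_dh_params(body: bytes):
    """Parse ServerDHParams {dh_p, dh_g, dh_Ys}; returns (p, g, Ys, bytes_used)."""
    p, off = _read_vector16(body, 0)
    g, off = _read_vector16(body, off)
    ys, off = _read_vector16(body, off)
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"), off)


def check_server_key_exchange(suite: int, body: bytes, min_dh_bits: int = MIN_DH_BITS) -> str:
    """Client-side acceptance test for a ServerKeyExchange under `suite`.

    Returns a short description on success, raises HandshakeRejected otherwise."""
    if suite in RSA_KX_SUITES:
        # CVE-2015-0204: a temporary RSA key in ServerKeyExchange is only
        # legitimate for an RSA_EXPORT suite. The vulnerable client accepted
        # it for any RSA suite, so a MITM could substitute a 512-bit key.
        if suite not in EXPORT_SUITES:
            raise HandshakeRejected("ServerKeyExchange not allowed for non-export RSA suite")
        return "rsa_export"
    if suite in DHE_SUITES:
        # CVE-2015-4000 (Logjam): the MITM steers the server to an export DHE
        # suite; the client only sees the signed 512-bit group. Refusing small
        # groups for every DHE suite, as the advisory describes, closes this.
        p, g, ys, _ = parse_dh_params(body)
        if p.bit_length() < min_dh_bits:
            raise HandshakeRejected(f"DH prime too small: {p.bit_length()} bits")
        if not 1 < g < p - 1:
            raise HandshakeRejected("DH generator out of range")
        if not 1 < ys < p - 1:
            raise HandshakeRejected("DH public value out of range")
        return f"dhe_{p.bit_length()}"
    raise HandshakeRejected("unexpected ServerKeyExchange for this suite")


def is_acceptable(suite: int, body: bytes) -> bool:
    try:
        check_server_key_exchange(suite, body)
        return True
    except HandshakeRejected:
        return False


if __name__ == "__main__":
    # Constructed groups (not primes): only the size matters for the check.
    weak = encode_dh_params((1 << 511) | 1, 2, 12345)
    strong = encode_dh_params((1 << 1023) | 1, 2, 12345)
    print(is_acceptable(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, weak))    # False
    print(is_acceptable(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, strong))  # True
    print(is_acceptable(TLS_RSA_WITH_AES_128_CBC_SHA, b""))         # False
```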
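CVE-2015-1789 above comes from trusting the length of an ASN1_TIME string and permitting unbounded fractional seconds. The following is an added example, not OpenSSL's X509_cmp_time: a Python decoder that accepts only the RFC 5280 profile of UTCTime and GeneralizedTime (fixed length, digits only, trailing Z, no fractional seconds) and validates the whole buffer before any indexing, plus a validity-window check built on it. The tag numbers are the standard ASN.1 universal tags; the sample times are constructed.

```python
from datetime import datetime, timezone

# ASN.1 universal tag numbers for the two time types (X.680).
V_ASN1_UTCTIME = 23
V_ASN1_GENERALIZEDTIME = 24


class BadTime(ValueError):
    """The encoded time does not match the RFC 5280 profile."""


def parse_asn1_time(tag: int, value: bytes) -> datetime:
    """Strictly decode an X.509 validity time (RFC 5280 section 4.1.2.5).

    UTCTime must be exactly YYMMDDHHMMSSZ (13 bytes) and GeneralizedTime
    exactly YYYYMMDDHHMMSSZ (15 bytes). Every shape check runs before the
    first index into `value`, so a short or oversized string can never drive
    an out-of-bounds read, and fractional seconds are rejected outright."""
    if tag == V_ASN1_UTCTIME:
        expected_len, year_digits = 13, 2
    elif tag == V_ASN1_GENERALIZEDTIME:
        expected_len, year_digits = 15, 4
    else:
        raise BadTime(f"unsupported time tag {tag}")
    if len(value) != expected_len:
        raise BadTime(f"length {len(value)} != {expected_len}")
    if value[-1:] != b"Z":
        raise BadTime("time must be Zulu (trailing 'Z')")
    digits = value[:-1]
    if not digits.isdigit():
        # Catches '.', '+', '-' and anything else: no fractional seconds, no offsets.
        raise BadTime("non-digit characters in time")
    s = digits.decode("ascii")
    if year_digits == 2:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 century pivot
    else:
        year = int(s[:4])
    rest = s[year_digits:]
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError as exc:   # e.g. month 13, day 32, second 61
        raise BadTime(str(exc)) from exc


def is_well_formed(tag: int, value: bytes) -> bool:
    try:
        parse_asn1_time(tag, value)
        return True
    except BadTime:
        return False


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    """Convenience constructor for an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def validity_ok(not_before, not_after, now: datetime) -> bool:
    """Both bounds are (tag, value) pairs as found in a certificate's Validity;
    any malformed bound makes the certificate invalid rather than crashing."""
    try:
        nb = parse_asn1_time(*not_before)
        na = parse_asn1_time(*not_after)
    except BadTime:
        return False
    return nb <= now <= na


if __name__ == "__main__":
    # Constructed samples: a well-formed pair and the fractional-seconds shape.
    print(parse_asn1_time(V_ASN1_UTCTIME, b"150611120000Z"))          # 2015-06-11 12:00:00+00:00
    print(is_well_formed(V_ASN1_UTCTIME, b"150611120000.123Z"))       # False
    print(validity_ok((V_ASN1_UTCTIME, b"150611000000Z"),
                      (V_ASN1_GENERALIZEDTIME, b"20160611000000Z"),
                      utc(2015, 7, 9)))                                # True
```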
[openssl-announce] OpenSSL version 1.0.1o released
OpenSSL version 1.0.1o released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1o of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1o is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.1o.tar.gz
      Size: 4546659
      MD5 checksum: af1096f500a612e2e2adacb958d7eab1
      SHA1 checksum: b003e3382607ef2c6d85b51e4ed7a4c0a76b8d5a

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.1o.tar.gz
    openssl sha1 openssl-1.0.1o.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.2c released
OpenSSL version 1.0.2c released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2c of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2c is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.2c.tar.gz
      Size: 5280670
      MD5 checksum: 8c8d81a9ae7005276e486702edbcd4b6
      SHA1 checksum: 6e4a5e91159eb32383296c7c83ac0e59b83a0a44

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.2c.tar.gz
    openssl sha1 openssl-1.0.2c.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.1p released
OpenSSL version 1.0.1p released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1p of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1p is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.1p.tar.gz
      Size: 4560208
      MD5 checksum: 7563e92327199e0067ccd0f79f436976
      SHA1 checksum: 9d1977cc89242cd11471269ece2ed4650947c046
      SHA256 checksum: bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.1p.tar.gz
    openssl sha1 openssl-1.0.1p.tar.gz
    openssl sha256 openssl-1.0.1p.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.2d released
OpenSSL version 1.0.2d released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2d of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2d is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.2d.tar.gz
      Size: 5295447
      MD5 checksum: 38dd619b2e77cbac69b99f52a053d25a
      SHA1 checksum: d01d17b44663e8ffa6a33a5a30053779d9593c3d
      SHA256 checksum: 671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.2d.tar.gz
    openssl sha1 openssl-1.0.2d.tar.gz
    openssl sha256 openssl-1.0.2d.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL Security Advisory
OpenSSL Security Advisory [9 Jul 2015]
======================================

Alternative chains certificate forgery (CVE-2015-1793)
======================================================

Severity: High

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.

Note
====

As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150709.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
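CVE-2015-1793 above is a path-building bug: whatever checks apply to the first candidate chain must apply to every alternative chain as well. The following is an added example, not OpenSSL's X509_verify_cert: a small Python path builder over constructed certificate records (subject, issuer, basicConstraints cA flag, and a key identifier standing in for signature verification) that backtracks through alternative issuers when the first path dead-ends and applies the CA-flag check to each completed chain, so a valid leaf can never serve as an issuer on any path. All names and keys in the sample PKI are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not DER)."""
    subject: str
    issuer: str
    key: str            # identifier of this certificate's public key
    signed_by_key: str  # key that produced the signature; equality with the
                        # issuer's `key` stands in for a real signature check
    is_ca: bool         # basicConstraints cA


def chain_passes_checks(chain: List[Cert]) -> bool:
    """Policy applied to every completed chain, alternative or not:
    each certificate used as an issuer must assert basicConstraints cA."""
    return all(c.is_ca for c in chain[1:])


def build_chain(leaf: Cert, untrusted: Iterable[Cert], trusted: Iterable[Cert],
                max_depth: int = 8) -> Optional[List[Cert]]:
    """Depth-first path building from `leaf` to a trust anchor.

    Trusted issuers are tried first. When a path dead-ends (no anchor
    reachable) or fails policy, the search backtracks and tries the next
    candidate issuer. Returns the first chain that both ends at an anchor
    and passes the checks, or None."""
    pool = {}
    for c in untrusted:
        pool.setdefault(c.subject, []).append(c)
    anchors = {}
    for c in trusted:
        anchors.setdefault(c.subject, []).append(c)

    def search(chain: List[Cert]) -> Optional[List[Cert]]:
        cur = chain[-1]
        for cand in anchors.get(cur.issuer, []):
            if cand.key == cur.signed_by_key:
                full = chain + [cand]
                # Reaching an anchor is not enough; this policy step is the
                # one the vulnerable alternative-chain logic skipped.
                if chain_passes_checks(full):
                    return full
        if len(chain) >= max_depth:
            return None
        for cand in pool.get(cur.issuer, []):
            if cand.key == cur.signed_by_key and cand not in chain:
                found = search(chain + [cand])
                if found is not None:
                    return found
        return None

    return search([leaf])


# Constructed PKI: one trusted root, an intermediate issued by it, and a
# cross-signed copy of that intermediate whose issuer is not in the store.
ROOT = Cert("Root", "Root", "k_root", "k_root", is_ca=True)
INTER = Cert("Inter", "Root", "k_inter", "k_root", is_ca=True)
INTER_CROSS = Cert("Inter", "OldRoot", "k_inter", "k_old", is_ca=True)
SITE_LEAF = Cert("www.example.test", "Inter", "k_site", "k_inter", is_ca=False)
# A holder of SITE_LEAF's key "issues" a certificate with it (the attack shape).
FORGED = Cert("login.example.test", "www.example.test", "k_forged", "k_site", is_ca=False)

TRUST_STORE = [ROOT]
# The cross-signed copy is listed first so the first path attempt dead-ends
# and the builder has to fall back to an alternative chain.
UNTRUSTED_POOL = [INTER_CROSS, INTER, SITE_LEAF]


def subjects(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if chain is None else [c.subject for c in chain]


if __name__ == "__main__":
    print(subjects(build_chain(SITE_LEAF, UNTRUSTED_POOL, TRUST_STORE)))
    # ['www.example.test', 'Inter', 'Root']
    print(subjects(build_chain(FORGED, UNTRUSTED_POOL, TRUST_STORE)))
    # None
```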
[openssl-announce] OpenSSL version 0.9.8zh released
OpenSSL version 0.9.8zh released
================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8zh of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-0.9.8-notes.html

OpenSSL 0.9.8zh is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-0.9.8zh.tar.gz
      Size: 3817665
      MD5 checksum: c00f014c64dfac1ec40dc7459d9673e6
      SHA1 checksum: 77cc99e7c83794a212bc7b047480d8288addf9df
      SHA256 checksum: ea1a43a47900b90e014360572d752f85617fb119fa048800872c1b37db04fad3

The checksums were calculated using the following commands:

    openssl md5 openssl-0.9.8zh.tar.gz
    openssl sha1 openssl-0.9.8zh.tar.gz
    openssl sha256 openssl-0.9.8zh.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.0t released
OpenSSL version 1.0.0t released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0t of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.0-notes.html

OpenSSL 1.0.0t is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    * http://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.0t.tar.gz
      Size: 4091806
      MD5 checksum: 62f5f2127c9bdd3d2768c78c8306039e
      SHA1 checksum: 949ecd8aa821b0cc5fde12862e4dde33c0320682
      SHA256 checksum: 7ce1c3cab7a33bf494330074f70039a10856a972f6b8c430ef4b73db844bde50

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.0t.tar.gz
    openssl sha1 openssl-1.0.0t.tar.gz
    openssl sha256 openssl-1.0.0t.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.1q released
OpenSSL version 1.0.1q released
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1q of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1q is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.0.1q.tar.gz
Size: 4548189
MD5 checksum: d1221e2f88085b0953670779656b452f
SHA1 checksum: 8f390cd667f87d9c393464ff91d42df89a6df3ac
SHA256 checksum: 68f3b2f0f1e8da770f89c38eadf7e6c4dbf690fd4bb648f651addd3b92a9ddf1

The checksums were calculated using the following commands:

openssl md5 openssl-1.0.1q.tar.gz
openssl sha1 openssl-1.0.1q.tar.gz
openssl sha256 openssl-1.0.1q.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.2e released
OpenSSL version 1.0.2e released
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2e of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2e is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.0.2e.tar.gz
Size: 5255719
MD5 checksum: 2218c1a6f807f7206c11eb3ee3a5ec80
SHA1 checksum: fa4d6e94084e80478d4a7749b97d955e89f04ec2
SHA256 checksum: eee11def03647aa2267434a779608af6fca645023c9a194ddb82f14426835537

The checksums were calculated using the following commands:

openssl md5 openssl-1.0.2e.tar.gz
openssl sha1 openssl-1.0.2e.tar.gz
openssl sha256 openssl-1.0.2e.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL Security Advisory
OpenSSL Security Advisory [3 Dec 2015]
===

NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE 0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 13 2015 by Hanno Böck. The fix was developed by Andy Polyakov of the OpenSSL development team.

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===

Severity: Moderate

The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q

This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne (Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

X509_ATTRIBUTE memory leak (CVE-2015-3195)
==

Severity: Moderate

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.

This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh

This issue was reported to OpenSSL on November 9 2015 by Adam Langley (Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Race condition handling PSK identity hint (CVE-2015-3196)
=

Severity: Low

If PSK identity hints are received by a multi-threaded client then the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identity hint data.

This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0 and has not been previously fixed in an OpenSSL 1.0.0 release.

OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t

The fix for this issue can be identified in the OpenSSL git repository by commit ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).

The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Note

As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these versions will be provided after that date. In the absence of significant security issues being identified prior to that date, the 1.0.0t and 0.9.8zh releases will be the last for those versions. Users of these versions are advised to upgrade.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20151203.txt

Note: the online version of the advisory may be updated with additional details over time. For
[openssl-announce] Updated OpenSSL Security Advisory
OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
=

[Updated 4 Dec 2015]: This advisory has been updated to include the details of CVE-2015-1794, a Low severity issue affecting OpenSSL 1.0.2 which had a fix included in the released packages but was missed from the advisory text.

NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE 0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 13 2015 by Hanno Böck. The fix was developed by Andy Polyakov of the OpenSSL development team.

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===

Severity: Moderate

The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q

This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne (Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

X509_ATTRIBUTE memory leak (CVE-2015-3195)
==

Severity: Moderate

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.

This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh

This issue was reported to OpenSSL on November 9 2015 by Adam Langley (Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Race condition handling PSK identity hint (CVE-2015-3196)
=

Severity: Low

If PSK identity hints are received by a multi-threaded client then the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identity hint data.

This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0 and has not been previously fixed in an OpenSSL 1.0.0 release.

OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t

The fix for this issue can be identified in the OpenSSL git repository by commit ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).

The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)

Severity: Low

If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0 then a seg fault can occur leading to a possible denial of service attack.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to
[openssl-announce] OpenSSL version 1.1.0 pre release 1 published
OpenSSL version 1.1.0 pre release 1 (alpha)
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 1 has now been made available. For details of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.1.0-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

The alpha release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.0-pre1.tar.gz
Size: 4990889
SHA1 checksum: a058b999e17e0c40988bd7b9b280c9876f62684e
SHA256 checksum: 79da49c38464a19d1b328c2f4a3661849bd2eb3d54a37fdb6a56d9b8a18e87bd

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0-pre1.tar.gz
openssl sha256 openssl-1.1.0-pre1.tar.gz

Please download and check this alpha release as soon as possible. Bug reports should go to r...@openssl.org. Please check the release notes and mailing lists to avoid duplicate reports of known issues.

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.1r published
OpenSSL version 1.0.1r released
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1r of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1r is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.0.1r.tar.gz
Size: 4547786
SHA1 checksum: d2cfa980ef4548da6079fa1e51fe1fb2e5a53e99
SHA256 checksum: 784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346

The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.1r.tar.gz
openssl sha256 openssl-1.0.1r.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.2f published
OpenSSL version 1.0.2f released
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2f of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2f is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.0.2f.tar.gz
Size: 5258384
SHA1 checksum: 2047c592a6e5a42bd37970bdb4a931428110a927
SHA256 checksum: 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c

The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2f.tar.gz
openssl sha256 openssl-1.0.2f.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL Security Advisory
OpenSSL Security Advisory [28th Jan 2016]
=

NOTE: SUPPORT FOR VERSION 1.0.1 WILL BE ENDING ON 31ST DECEMBER 2016. NO SECURITY FIXES WILL BE PROVIDED AFTER THAT DATE. UNTIL THAT TIME SECURITY FIXES ONLY ARE BEING APPLIED.

DH small subgroups (CVE-2016-0701)
==

Severity: High

Historically OpenSSL usually only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite.

OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.

OpenSSL before 1.0.2f will reuse the key if:

- SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not set.
- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is an undocumented feature and parameter files don't contain the key.
- Static DH ciphersuites are used. The key is part of the certificate and so it will always reuse it. This is only supported in 1.0.2.

It will not reuse the key for DHE cipher suites if:

- SSL_OP_SINGLE_DH_USE is set
- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the callback does not provide the key, only the parameters. The callback is almost always used like this.

Non-safe primes are generated by OpenSSL when using:

- genpkey with the dh_rfc5114 option. This will write an X9.42 style file including the prime-order subgroup size "q". This is supported since the 1.0.2 version. Older versions can't read files generated in this way.
- dhparam with the -dsaparam option. This has always been documented as requiring the single use.

The fix for this issue adds an additional check where a "q" parameter is available (as is the case in X9.42 based parameters). This detects the only known attack, and is the only possible defense for static DH ciphersuites. This could have some performance impact. Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default and cannot be disabled. This could have some performance impact.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2f

OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42 based parameters. It is possible to generate parameters using non "safe" primes, but this option has always been documented as requiring single use and is not the default or believed to be common. However, as a precaution, the SSL_OP_SINGLE_DH_USE change has also been backported to 1.0.1r.

This issue was reported to OpenSSL on 12 January 2016 by Antonio Sanso (Adobe). The fix was developed by Matt Caswell of the OpenSSL development team (incorporating some work originally written by Stephen Henson of the OpenSSL core team).

SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

Severity: Low

A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and Sebastian Schinzel. The fix was developed by Nimrod Aviram with further development by Viktor Dukhovni of the OpenSSL development team.

An update on DHE man-in-the-middle protection (Logjam)

A previously published vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam (CVE-2015-4000). OpenSSL added Logjam mitigation for TLS
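The CVE-2016-0701 advisory above says the fix adds a check on the peer's public value whenever the subgroup order "q" is available, and the earlier CVE-2015-1794 entry shows what an unvalidated p (here 0) can do. The Python below is an added illustration of both checks, not OpenSSL's code: the two toy groups (p = 67 with q = 11 and generator 64, the non-safe case; p = 23 with q = 11 and generator 2, the safe case) and the sample public values are constructed so the arithmetic is easy to follow; real groups are 2048 bits or larger.

```python
"""Defensive validation of finite-field Diffie-Hellman parameters and peer
public values (added example; toy constructed parameters, not real groups)."""
from math import isqrt
from typing import Optional, Tuple


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p is 'safe' when p = 2q + 1 with q prime. Then the only subgroups of
    Z_p* are of order 1, 2, q and 2q, so the range check on the public
    value already rules out confinement to a small subgroup."""
    return is_prime(p) and is_prime((p - 1) // 2)


def check_dh_params(p: int, g: int, q: Optional[int] = None) -> Tuple[bool, str]:
    """Reject degenerate parameters before any arithmetic on them (a p of 0,
    as in the CVE-2015-1794 ServerKeyExchange case, fails the first test) and,
    when q is supplied, confirm that g really generates a subgroup of order q."""
    if p <= 2 or p % 2 == 0:
        return False, "p is not an odd prime candidate"
    if not 1 < g < p - 1:
        return False, "g out of range"
    if q is not None:
        if (p - 1) % q != 0:
            return False, "q does not divide p-1"
        if pow(g, q, p) != 1:
            return False, "g is not of order q"
    return True, "ok"


def validate_peer_public_value(y: int, p: int, q: Optional[int] = None) -> Tuple[bool, str]:
    """The check the advisory describes: 1 < y < p-1 always, and when the
    subgroup order q is known, y^q mod p must equal 1, i.e. y lies in the
    order-q subgroup. Without q, a non-safe prime leaves a value confined
    to a small subgroup indistinguishable from an honest one."""
    if not 1 < y < p - 1:
        return False, "public value outside (1, p-1)"
    if q is not None and pow(y, q, p) != 1:
        return False, "public value is not in the order-q subgroup"
    return True, "ok"


# Constructed toy group 1: non-safe prime p = 67 = 2*3*11 + 1, q = 11, g = 64 (order 11).
NONSAFE_P, NONSAFE_Q, NONSAFE_G = 67, 11, 64
# Constructed toy group 2: safe prime p = 23 = 2*11 + 1, q = 11, g = 2 (order 11).
SAFE_P, SAFE_Q, SAFE_G = 23, 11, 2


def demo() -> dict:
    """Run the checks over the toy groups and collect the verdicts."""
    honest = pow(NONSAFE_G, 5, NONSAFE_P)   # what an honest peer with secret 5 sends: 25
    confined = 37                            # element of order 3 in Z_67*, outside the q-subgroup
    return {
        "nonsafe_params_ok": check_dh_params(NONSAFE_P, NONSAFE_G, NONSAFE_Q)[0],
        "nonsafe_is_safe_prime": is_safe_prime(NONSAFE_P),
        "honest_accepted": validate_peer_public_value(honest, NONSAFE_P, NONSAFE_Q)[0],
        "confined_rejected_with_q": not validate_peer_public_value(confined, NONSAFE_P, NONSAFE_Q)[0],
        "confined_passes_without_q": validate_peer_public_value(confined, NONSAFE_P)[0],
        "safe_is_safe_prime": is_safe_prime(SAFE_P),
        "zero_p_rejected": not check_dh_params(0, 2)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "confined_passes_without_q" entry is the point of the advisory: with a non-safe prime and no q, the range check alone accepts the bad value, which is why the fix relies on q being present and why fresh exponents per handshake (SSL_OP_SINGLE_DH_USE) matter where it is not.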
[openssl-announce] OpenSSL version 1.1.0 pre release 3 published
OpenSSL version 1.1.0 pre release 3 (alpha)
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 3 has now been made available. For details of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.1.0-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

The alpha release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.0-pre3.tar.gz
Size: 5024305
SHA1 checksum: 5b2257c1d7d8db6400c9951865bd7ef58dc758b3
SHA256 checksum: bb0ead36155dcf6122bfb0555205ba562ad5a82bb6067f2bfc9111ca4a4e6442

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0-pre3.tar.gz
openssl sha256 openssl-1.1.0-pre3.tar.gz

Please download and check this alpha release as soon as possible. Bug reports should go to r...@openssl.org. Please check the release notes and mailing lists to avoid duplicate reports of known issues.

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.1s published
OpenSSL version 1.0.1s released
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1s of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1s is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.0.1s.tar.gz
Size: 4551210
SHA1 checksum: d027e1a00c26da7fede7d537d5c7718c3cdb4653
SHA256 checksum: e7e81d82f3cd538ab0cdba494006d44aab9dd96b7f6233ce9971fb7c7916d511

The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.1s.tar.gz
openssl sha256 openssl-1.0.1s.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.2g published
OpenSSL version 1.0.2g released
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2g of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.0.2g.tar.gz
Size: 5266102
SHA1 checksum: 36af23887402a5ea4ebef91df8e61654906f58f2
SHA256 checksum: b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33

The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2g.tar.gz
openssl sha256 openssl-1.0.2g.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

OpenSSL Security Advisory [1st March 2016]
=

NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of SSLv2 due not only to the issues described below, but to the other known deficiencies in the protocol as described at https://tools.ietf.org/html/rfc6176

Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
===

Severity: High

A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800).

Recovering one session key requires the attacker to perform approximately 2^50 computation, as well as thousands of connections to the affected server. A more efficient variant of the DROWN attack exists against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on 19/Mar/2015 (see CVE-2016-0703 below).

Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS servers, if they've not done so already. Disabling all SSLv2 ciphers is also sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and 1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol, and are not patched for CVE-2015-3197, are vulnerable to DROWN even if all SSLv2 ciphers are nominally disabled, because malicious clients can force the use of SSLv2 with EXPORT ciphers.

OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:

SSLv2 is now by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of:

    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);

or

    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers and SSLv2 56-bit DES are no longer available.

In addition, weak ciphers in SSLv3 and up are now disabled in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength ciphers.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on December 29th 2015 by Nimrod Aviram and Sebastian Schinzel. The fix was developed by Viktor Dukhovni and Matt Caswell of OpenSSL.

Double-free in DSA code (CVE-2016-0705)
===

Severity: Low

A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on February 7th 2016 by Adam Langley (Google/BoringSSL) using libFuzzer. The fix was developed by Dr Stephen Henson of OpenSSL.

Memory leak in SRP database lookups (CVE-2016-0798)
===

Severity: Low

The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid login information are vulnerable to a memory leak: an attacker connecting with an invalid username can cause a memory leak of around 300 bytes per connection. Servers that do not configure SRP, or configure SRP but do not configure a seed, are not vulnerable. In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user is now disabled even if the user has configured a seed. Applications are advised to migrate to SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong guarantees about the indistinguishability of valid and invalid logins. In particular, computations are currentl
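As an added illustration of the DROWN mitigation described in the advisory above (editor's example, not OpenSSL project code), the following Python audits an ssl.SSLContext for what the new build defaults remove: SSLv2 support (ssl.HAS_SSLv2 reports whether the OpenSSL that Python links was built with "enable-ssl2"), the 40-bit EXPORT suites, single 56-bit DES, and LOW-strength suites. The cipher string, the 112-bit threshold and every function name are this example's own choices, not OpenSSL APIs.

```python
import ssl
from typing import Dict, List

# Example code added by the editor, not OpenSSL project code. It audits a
# Python ssl.SSLContext for the three things the advisory's mitigation
# covers: SSLv2 compiled in, EXPORT (40-bit) / 56-bit DES suites, and LOW
# strength suites. All names here are the example's own.

MIN_STRENGTH_BITS = 112   # assumption: anything weaker counts as "LOW"


def sslv2_compiled_in() -> bool:
    """True if the OpenSSL that Python links was built with enable-ssl2."""
    return bool(ssl.HAS_SSLv2)


def is_weak_suite(suite: Dict) -> bool:
    """Classify one entry of the shape SSLContext.get_ciphers() returns.
    EXP* names are the 40-bit EXPORT suites, 'DES-CBC-' (but not the
    'DES-CBC3-' of 3DES) is single 56-bit DES, and anything under
    MIN_STRENGTH_BITS is treated as LOW."""
    name = suite["name"]
    bits = int(suite.get("strength_bits", 0))
    return name.startswith("EXP") or "DES-CBC-" in name or bits < MIN_STRENGTH_BITS


def hardened_server_context() -> ssl.SSLContext:
    """A server context configured the way the advisory's new defaults behave.
    The !EXPORT/!LOW aliases match nothing on OpenSSL 1.1.0 and later, where
    those suites no longer exist at all; they are kept for older libraries."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)   # never offers SSLv2/SSLv3
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!DES:!RC4:!MD5")
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that fail is_weak_suite()."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_suite(c)]


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Findings a deployment check would report; an empty list means clean."""
    findings: List[str] = []
    if sslv2_compiled_in():
        findings.append("SSLv2 support is compiled into the linked OpenSSL")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1:
        findings.append("context still allows SSLv3 or lower")
    findings.extend(f"weak cipher suite enabled: {name}" for name in weak_suites(ctx))
    return findings


if __name__ == "__main__":
    for line in audit(hardened_server_context()) or ["no findings"]:
        print(line)
```

The classifier runs over the dictionaries get_ciphers() returns, so it can also be pointed at a cipher list exported from another host; the live checks (HAS_SSLv2, minimum_version) only describe the Python process they run in.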
[openssl-announce] OpenSSL version 1.1.0 pre release 4 published
OpenSSL version 1.1.0 pre release 4 (beta)
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 1.1.0 is currently in beta. OpenSSL 1.1.0 pre release 4 has now been made available. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.1.0-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0-pre4.tar.gz
    Size: 5325012
    SHA1 checksum: 58119f6c784055a50622afc75b5b817eeae2a365
    SHA256 checksum: a2fe0bd293cdedde193ff0377cab75cbd042a9c20c11622d6b350890855a0a69

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.0-pre4.tar.gz
  openssl sha256 openssl-1.1.0-pre4.tar.gz

Please download and check this beta release as soon as possible. Bug reports should go to r...@openssl.org. Please check the release notes and mailing lists to avoid duplicate reports of known issues.

Yours,
The OpenSSL Project Team.
-BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBAgAGBQJW6ZYnAAoJENXp5D99+e6MLLEP/jqfZLP8ziXZ/LwOCvtIwe7x aCyYmRff8lsNfFbgb6IWFoUqA5oEwq2nAUSeJ5FWX4hhsIdvLrBskT5o47cDo+fA 8CQBXYfEcEq9Qvdezw20242TPpCpBDFBFh7L972yVElbvwGgsV0OaiJ5oGss7u1A ZWXhrnpiYBr04Ovx5CtN5QedtV4U5ZEhQOumKpM+BgWD3lt2AlYGRrc9f3DytdQ/ cIVW5p2NlixQkKp2qqcsa5tXMtPoPz1IwJi3BpBR5ViBWCqzlSWAUqxuHL8t0piH AQZr1dN+ABiSoM9B7wa1PHUZWNlUlK4aF8t6o4sg0deaaHOZbi/skitKgPhbuYtW Zs4/et2SA7lctNODKPjwYL80KVCrvx+Hk3rUf6tLWhcCyfcAIIR0Bg8o86nD9SNU fJ5fEoe6HpADWdF/RcoWVsWkLJbqq33VouXYuOlOrQTJ+11bxVyraMdwoC0NmnBm 4PdHkjVcfH3t1GwKp02aRw33VL/xa6x6gTT3OtTkVhwXXF0q5nDtxbUf421lVPvo ZMB2UHnhnaNZhDO9X6m2ZBkizzjLMooqeMuAIiAXdwQZ4+Tee/Gcrf4wMP34pa6j FvDqEBTa19BC6joLhC+mmfHgmQTTQWg7GiZ0a9VAjmnom9CxUNBzYVAdL4SYrk4z jf78Hj1qn1w+4dVLo/o1 =O2sR -END PGP SIGNATURE- -- openssl-announce mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
[openssl-announce] OpenSSL version 1.1.0 pre release 5 published
OpenSSL version 1.1.0 pre release 5 (beta)
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 1.1.0 is currently in beta. OpenSSL 1.1.0 pre release 5 has now been made available. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.1.0-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0-pre5.tar.gz
    Size: 5289112
    SHA1 checksum: 1cbc066e471c831ae8c0661abb80361b4d211a70
    SHA256 checksum: 25acbdfa5e0259ed20159670e88ddb4257970f80ce923427bd201133e6e580db

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.0-pre5.tar.gz
  openssl sha256 openssl-1.1.0-pre5.tar.gz

Please download and check this beta release as soon as possible. Bug reports should go to r...@openssl.org. Please check the release notes and mailing lists to avoid duplicate reports of known issues.

Yours,
The OpenSSL Project Team.
[openssl-announce] Forthcoming OpenSSL releases
Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2h, 1.0.1t.

These releases will be made available on 3rd May 2016 between approximately 1200-1500 UTC. They will fix several security defects with maximum severity "high". Please see the following page for further details of severity levels: https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, support for 1.0.1 will end on 31st December 2016.

Yours
The OpenSSL Project Team
[openssl-announce] OpenSSL version 1.0.1t published
OpenSSL version 1.0.1t released
===

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1t of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1t is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1t.tar.gz
    Size: 4556447
    SHA1 checksum: a684ba59d6721a90f354b1953e19611646be7e7d
    SHA256 checksum: 4a6ee491a2fdb22e519c76fdc2a628bb3cec12762cd456861d207996c8a07088

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.0.1t.tar.gz
  openssl sha256 openssl-1.0.1t.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.2h published
OpenSSL version 1.0.2h released
===

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2h of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2h is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2h.tar.gz
    Size: 5274412
    SHA1 checksum: 577585f5f5d299c44dd3c993d3c0ac7a219e4949
    SHA256 checksum: 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.0.2h.tar.gz
  openssl sha256 openssl-1.0.2h.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL Security Advisory
OpenSSL Security Advisory [3rd May 2016]

Memory corruption in the ASN.1 encoder (CVE-2016-2108)
==

Severity: High

This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time.

In previous versions of OpenSSL, ASN.1 encoding the value zero represented as a negative integer can cause a buffer underflow with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does not normally create "negative zeroes" when parsing ASN.1 input, and therefore, an attacker cannot trigger this bug. However, a second, independent bug revealed that the ASN.1 parser (specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag as a negative zero value. Large universal tags are not present in any common ASN.1 structures (such as X509) but are accepted as part of ANY structures. Therefore, if an application deserializes untrusted ASN.1 structures containing an ANY field, and later reserializes them, an attacker may be able to trigger an out-of-bounds write. This has been shown to cause memory corruption that is potentially exploitable with some malloc implementations.

Applications that parse and re-encode X509 certificates are known to be vulnerable. Applications that verify RSA signatures on X509 certificates may also be vulnerable; however, only certificates with valid signatures trigger ASN.1 re-encoding and hence the bug. Specifically, since OpenSSL's default TLS X509 chain verification code verifies the certificate chain from root to leaf, TLS handshakes could only be targeted with valid certificates issued by trusted Certification Authorities.

OpenSSL 1.0.2 users should upgrade to 1.0.2c
OpenSSL 1.0.1 users should upgrade to 1.0.1o

This vulnerability is a combination of two bugs, neither of which individually has security impact.
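The CVE-2016-2108 entry above turns on an encoder being handed a "negative zero": a sign flag set on a zero magnitude, a value the DER rules never produce. As an added illustration (editor's example, not OpenSSL code and not a model of i2c_ASN1_INTEGER itself), the Python below encodes INTEGER from that sign-plus-magnitude representation, normalising negative zero to plain zero before the two's-complement path, and decodes with the DER minimality checks a parser should enforce. All function names are this example's own.

```python
from typing import Tuple

# Example code added by the editor, not OpenSSL code. DER INTEGER
# encode/decode with a sign-and-magnitude input form (a sign flag plus a
# big-endian magnitude), which is where a "negative zero" can arise.

INTEGER_TAG = 0x02


def _der_length(n: int) -> bytes:
    """Short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Parse a DER length at pos; reject non-minimal long forms."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or pos + n > len(buf):
        raise ValueError("bad length")
    value = int.from_bytes(buf[pos:pos + n], "big")
    if value < 0x80 or buf[pos] == 0:
        raise ValueError("non-minimal length")
    return value, pos + n


def _non_minimal(content: bytes) -> bool:
    """A leading 0x00 before a byte < 0x80, or 0xFF before a byte >= 0x80,
    carries no information and is forbidden by DER."""
    return len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80))


def encode_integer(value: int) -> bytes:
    """Tag, length and minimal two's-complement content octets."""
    if value == 0:
        content = b"\x00"
    else:
        n = (value.bit_length() + 8) // 8          # one extra bit for the sign
        content = value.to_bytes(n, "big", signed=True)
        while _non_minimal(content):
            content = content[1:]
    return bytes([INTEGER_TAG]) + _der_length(len(content)) + content


def encode_sign_magnitude(negative: bool, magnitude: bytes) -> bytes:
    """Input as a sign flag plus big-endian magnitude. A set sign flag on a
    zero magnitude ("negative zero") is normalised to 0 instead of being
    handed to the negative-number path."""
    value = int.from_bytes(magnitude, "big")
    if negative and value != 0:
        value = -value
    return encode_integer(value)


def decode_integer(buf: bytes, pos: int = 0) -> Tuple[int, int]:
    """Parse one INTEGER at pos, enforcing DER minimality.
    Returns (value, position after the element)."""
    if pos >= len(buf) or buf[pos] != INTEGER_TAG:
        raise ValueError("expected INTEGER")
    length, pos = _read_length(buf, pos + 1)
    content = buf[pos:pos + length]
    if length == 0 or len(content) != length:
        raise ValueError("bad INTEGER length")
    if _non_minimal(content):
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(content, "big", signed=True), pos + length


def rejects(buf: bytes) -> bool:
    """True if decode_integer refuses buf (used to check the strict path)."""
    try:
        decode_integer(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(encode_sign_magnitude(True, b"\x00").hex())   # 020100: zero, not "-0"
    print(encode_integer(-128).hex())                    # 020180
```

The normalisation in encode_sign_magnitude is the one-line invariant the advisory's encoder lacked; the decoder's minimality checks are the companion rule that keeps a re-encode of parsed data byte-identical to its input.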
The first bug (mishandling of negative zero integers) was reported to OpenSSL by Huzaifa Sidhpurwala (Red Hat) and independently by Hanno Böck in April 2015. The second issue (mishandling of large universal tags) was found using libFuzzer, and reported on the public issue tracker on March 1st 2016. The fact that these two issues combined present a security vulnerability was reported by David Benjamin (Google) on March 31st 2016. The fixes were developed by Steve Henson of the OpenSSL development team, and David Benjamin. The OpenSSL team would also like to thank Mark Brand and Ian Beer from the Google Project Zero team for their careful analysis of the impact.

The fix for the "negative zero" memory corruption bug can be identified by commits 3661bb4e7934668bd99ca777ea8b30eedfafa871 (1.0.2) and 32d3b0f52f77ce86d53f38685336668d47c5bdfe (1.0.1).

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
==

Severity: High

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.

This issue was introduced as part of the fix for the Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that the same bytes are always read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 13th of April 2016 by Juraj Somorovsky using TLS-Attacker. The fix was developed by Kurt Roeckx of the OpenSSL development team.

EVP_EncodeUpdate overflow (CVE-2016-2105)
=

Severity: Low

An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption.
Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by the PEM_write_bio* family of functions. These are mainly used within the OpenSSL command line applications. These internal uses are not considered vulnerable because all calls are bounded with length checks so no overflow is possible. User applications that call these APIs directly with large amounts of untrusted data may be vulnerable. (Note: Initial analysis suggested that the PEM_write_bio* functions were vulnerable, and this is reflected in the patch commit message. This is no longer believed to be the case.)

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 3rd March 2016 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team.

E
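The CVE-2016-2107 entry above describes a check that reads a fixed set of bytes for constant time but no longer confirms the record can hold MAC plus padding. As an added illustration (editor's example, not OpenSSL code; the record layout is TLS 1.x CBC with HMAC-SHA1, the error labels and all function names are this example's own), the Python below builds a MAC-then-pad record, then runs two versions of the check over constructed records: one that trusts the claimed padding length before checking the record length, and one that folds a too-short record into the same bad_record_mac path and still computes the MAC. A peer that can tell the two failures apart has its oracle.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional, Set, Tuple

# Example code added by the editor, not OpenSSL code: a simplified model of
# the TLS 1.x CBC MAC-then-pad record check, without and with the length
# check the advisory says was missing. Python cannot promise constant time;
# the structure shows what is compared, not how long it takes.

MAC_LEN = 20    # HMAC-SHA1 tag, the SHA-1 flavour of the AES-NI CBC path
BLOCK = 16      # AES block size
KEY = b"constructed-example-mac-key"   # constructed test key, not a TLS key

BAD_RECORD_MAC = "bad_record_mac"   # the single result a correct check may give
LENGTH_ERROR = "length_error"       # stands for any outcome distinguishable from it

Result = Tuple[str, Optional[bytes]]


def build_record(payload: bytes, key: bytes = KEY) -> bytes:
    """Plaintext of a TLS 1.x CBC record: payload || MAC || padding, where
    the padding is pad_len + 1 bytes that all carry the value pad_len."""
    mac = hmac.new(key, payload, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(payload) + MAC_LEN + 1) % BLOCK) % BLOCK
    return payload + mac + bytes([pad_len]) * (pad_len + 1)


def _verify(plain: bytes, key: bytes, pad_len: int) -> Result:
    """Shared tail of both checks: split at pad_len, test padding, test MAC.
    Both failures are folded into one label."""
    data_len = len(plain) - MAC_LEN - pad_len - 1
    data = plain[:data_len]
    mac = plain[data_len:data_len + MAC_LEN]
    pad = plain[data_len + MAC_LEN:]           # padding bytes plus the length byte
    pad_ok = all(b == pad_len for b in pad)
    mac_ok = hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest(), mac)
    return ("ok", data) if (pad_ok and mac_ok) else (BAD_RECORD_MAC, None)


def check_vulnerable(plain: bytes, key: bytes = KEY) -> Result:
    """Trusts the claimed padding length before checking that the record can
    hold MAC + padding. The C code had no such branch at all and read outside
    the record; whatever happened on that path was not a clean MAC failure,
    which is what LENGTH_ERROR stands for here."""
    pad_len = plain[-1]
    if len(plain) < MAC_LEN + pad_len + 1:
        return (LENGTH_ERROR, None)
    return _verify(plain, key, pad_len)


def check_fixed(plain: bytes, key: bytes = KEY) -> Result:
    """The missing check: a record too short for MAC + padding takes the same
    path as a bad MAC, and the MAC is still computed over real bytes."""
    if len(plain) < MAC_LEN + 1:               # ciphertext length is public anyway
        return (BAD_RECORD_MAC, None)
    pad_len = plain[-1]
    if len(plain) < MAC_LEN + pad_len + 1:
        pad_len = 0     # treat as unpadded; the padding test below then fails
    return _verify(plain, key, pad_len)


def oracle_view(check: Callable[[bytes], Result], records: Iterable[bytes]) -> Set[str]:
    """What an active attacker learns: the set of distinct failure labels."""
    return {check(r)[0] for r in records}


if __name__ == "__main__":
    rec = build_record(b"GET / HTTP/1.1\r\n")
    bad_mac = rec[:16] + bytes([rec[16] ^ 0x01]) + rec[17:]   # flip one MAC byte
    overlong = rec[:-1] + b"\xff"                               # claim 255 bytes of padding
    print("vulnerable:", oracle_view(check_vulnerable, [bad_mac, overlong]))
    print("fixed:     ", oracle_view(check_fixed, [bad_mac, overlong]))
```

The two constructed records differ only in where they are wrong, yet check_vulnerable answers them differently; check_fixed answers both with bad_record_mac after doing the same work, which is the property a padding oracle defence has to preserve.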
[openssl-announce] OpenSSL version 1.1.0 pre release 6 published
OpenSSL version 1.1.0 pre release 6 (beta)
===

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.0 is currently in beta. OpenSSL 1.1.0 pre release 6 has now been made available. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.0-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0-pre6.tar.gz
    Size: 5100538
    SHA1 checksum: b4c4b64c56813a4dd824b9bb2735ac15331845b8
    SHA256 checksum: ca869f843b8a947fb64ca7d7bebb2afe47a48d7bb5e9becc54d9c8fe674535c2

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.0-pre6.tar.gz
  openssl sha256 openssl-1.1.0-pre6.tar.gz

Please download and check this beta release as soon as possible. Bug reports should go to r...@openssl.org. Please check the release notes and mailing lists to avoid duplicate reports of known issues.

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.1.0 published
OpenSSL version 1.1.0 released
===

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.0 of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.0-notes.html

OpenSSL 1.1.0 is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0.tar.gz
    Size: 5146831
    SHA1 checksum: 15e651c40424abdaeba5d5c1a8658e8668e798c8
    SHA256 checksum: f5c69ff9ac1472c80b868efc1c1c0d8dcfc746d29ebe563de2365dd56dbd8c82

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.0.tar.gz
  openssl sha256 openssl-1.1.0.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] Forthcoming OpenSSL releases
Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0a, 1.0.2i, 1.0.1u.

These releases will be made available on 22nd September 2016 at approximately 0800 UTC. They will fix several security defects: one classified as severity "high", one as "moderate", and the rest "low". Please see the following page for further details of severity levels: https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, support for 1.0.1 will end on 31st December 2016.

Yours
The OpenSSL Project Team
[openssl-announce] OpenSSL version 1.0.1u published
OpenSSL version 1.0.1u released
===

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1u of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1u is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1u.tar.gz
    Size: 4567068
    SHA1 checksum: 93e542696598517862115fbe76a93ab66369661d
    SHA256 checksum: 4312b4ca1215b6f2c97007503d80db80d5157f76f8f7d3febbe6b4c56ff26739

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.0.1u.tar.gz
  openssl sha256 openssl-1.0.1u.tar.gz

Yours,
The OpenSSL Project Team.
[openssl-announce] OpenSSL version 1.0.2i published
OpenSSL version 1.0.2i released
===

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2i of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2i is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2i.tar.gz
    Size: 5308232
    SHA1 checksum: 25a92574ebad029dcf2fa26c02e10400a0882111
    SHA256 checksum: 9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.0.2i.tar.gz
  openssl sha256 openssl-1.0.2i.tar.gz

Yours,
The OpenSSL Project Team.