c88c3de510 (for 3.2), commit 704f725b96 (for 3.1) and commit b3f0eb0a29
(for 3.0) in the OpenSSL git repository. It is available to premium support
customers in commit f7a045f314 (for 1.1.1).
This issue was reported on 10th April 2024 by William Ahern (Akamai). The fix
was developed by Matt Caswell
OTC members who were not present in today's OTC meeting, please vote on
the following:
Topic: OTC approve the FIPS indicator design presented in PR#23609
subject to the normal review process
Please record your votes here:
https://github.com/openssl/technical-policies/issues/95
Matt
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies
Commit: 0acf9e537ae5a0831da2a8094204bc4701ced54d
https://github.com/openssl/technical-policies/commit/0acf9e537ae5a0831da2a8094204bc4701ced54d
Author: Matt Caswell
Date: 2024-05-28 (Tue, 28 May 2024
...@openssl.org.
Matt
On 02/11/2022 15:18, Randall Degges wrote:
Hello, friends.
I’m new to the OpenSSL mailing list, but am reaching out to see who
manages the OpenSSL logo, and if they’d potentially be interested in
contributions? One of our designers here at Snyk would love to
contribute some
Please see the new blog post here:
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies
Commit: 95b43d3949d5dc28c119069a9613db21a6ebe645
https://github.com/openssl/technical-policies/commit/95b43d3949d5dc28c119069a9613db21a6ebe645
Author: Matt Caswell
Date: 2022-10-18 (Tue, 18 Oct 2022
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies
Commit: 95b43d3949d5dc28c119069a9613db21a6ebe645
https://github.openssl.org/otc/technical-policies/commit/95b43d3949d5dc28c119069a9613db21a6ebe645
Author: Matt Caswell
Date: 2022-10-18 (Tue, 18
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies
Commit: 27e90c5a782bdc500efa0c86d5e625740b4c54f8
https://github.com/openssl/technical-policies/commit/27e90c5a782bdc500efa0c86d5e625740b4c54f8
Author: Matt Caswell
Date: 2022-10-18 (Tue, 18 Oct 2022
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies
Commit: 27e90c5a782bdc500efa0c86d5e625740b4c54f8
https://github.openssl.org/otc/technical-policies/commit/27e90c5a782bdc500efa0c86d5e625740b4c54f8
Author: Matt Caswell
Date: 2022-10-18 (Tue, 18
We have received a report of a significant regression in the latest
3.0.6 and 1.1.1r versions. The regression is not thought to have
security consequences. While the regression is further investigated we
have taken the decision to withdraw the 3.0.6 and 1.1.1r versions and
instead recommend that
Supercomputing Center. The fix was developed by Matt Caswell.
References
==
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221011.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.6 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.6 of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1r released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1r of our open
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies
Commit: 4d4adbb1222a01924656f14def143a9327ac253d
https://github.com/openssl/technical-policies/commit/4d4adbb1222a01924656f14def143a9327ac253d
Author: Matt Caswell
Date: 2022-10-11 (Tue, 11 Oct 2022
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies
Commit: 4d4adbb1222a01924656f14def143a9327ac253d
https://github.openssl.org/otc/technical-policies/commit/4d4adbb1222a01924656f14def143a9327ac253d
Author: Matt Caswell
Date: 2022-10-11 (Tue, 11
OTC members please vote on the following issue:
https://github.com/openssl/technical-policies/issues/55
Matt
Hello,
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.6 and 1.1.1r.
These releases will be made available on Tuesday 11th October 2022
between 1300-1700 UTC.
OpenSSL 3.0.6 is a security-fix release. The highest severity issue
fixed in OpenSSL
Vote called on https://github.com/openssl/general-policies/pull/27
Matt
Please read the blog post about this here:
https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/
Matt
record layer refactor
Got the read record layer refactor work ready for review
Rebased the read record layer PR following the merge of the SSL Object
Refactor code
Review of the ACK Manager PR
I took some vacation during July so my list is shorter than normal.
Matt
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies
Commit: e83bed7a99ddb318c4e21008f86405a744f291cc
https://github.com/openssl/technical-policies/commit/e83bed7a99ddb318c4e21008f86405a744f291cc
Author: Matt Caswell
Date: 2022-08-02 (Tue, 02 Aug 2022
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies
Commit: e83bed7a99ddb318c4e21008f86405a744f291cc
https://github.openssl.org/otc/technical-policies/commit/e83bed7a99ddb318c4e21008f86405a744f291cc
Author: Matt Caswell
Date: 2022-08-02 (Tue, 02
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies
Commit: 22c31c1a4d4c7edb6880225b17b00302576551ab
https://github.com/openssl/technical-policies/commit/22c31c1a4d4c7edb6880225b17b00302576551ab
Author: Matt Caswell
Date: 2022-08-01 (Mon, 01 Aug 2022
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies
Commit: 22c31c1a4d4c7edb6880225b17b00302576551ab
https://github.openssl.org/otc/technical-policies/commit/22c31c1a4d4c7edb6880225b17b00302576551ab
Author: Matt Caswell
Date: 2022-08-01 (Mon, 01
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies
Commit: 257a198460f3c5333f12e141af187b0cbdf905b0
https://github.com/openssl/technical-policies/commit/257a198460f3c5333f12e141af187b0cbdf905b0
Author: Matt Caswell
Date: 2022-07-25 (Mon, 25 Jul 2022
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies
Commit: 257a198460f3c5333f12e141af187b0cbdf905b0
https://github.openssl.org/otc/technical-policies/commit/257a198460f3c5333f12e141af187b0cbdf905b0
Author: Matt Caswell
Date: 2022-07-25 (Mon, 25
Topic: Deprecate long and add notes on integer types
Proposed by: Matt Caswell
Issue link: https://github.com/openssl/technical-policies/pull/51
Public: yes
Opened: 2022-07-25
Closed: -MM-DD
Accepted: yes/no (for: X, against: Y, abstained: Z, not voted: W)
Dmitry [ ]
Matt
failing to retransmit in some situations
Implemented moving of unprocessed records from one record layer to the
next for DTLS in the new read record layer
Reviewed the RX and TX packetiser PRs
Matt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [21 June 2022]
The c_rehash script allows command injection (CVE-2022-2068)
Severity: Moderate
In addition to the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.4 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.4 of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1p released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1p of our open
. Please add
any comments to the issue.
Matt
OpenSSL is looking to hire a Platform Engineer (a sysadmin role).
Details of the role are here:
https://www.openssl.org/blog/blog/2022/05/30/hiring-platform-engineer/
Matt
eak in the provider doall code
Located and fixed a memory leak when constructing a new provider
Started implementation of DTLS in the read record layer
Attended an interview for the new Business Administrator role
Matt
I
can see, from bits of the openssl-project list archive
that I've checked, the OMC has had no discussion of this
PR at all.
Sorry that it has taken so long to get to this point. I assure you that
the OMC have been discussing this PR and have now voted to lift the hold
on it (which I have now don
Acknowledging receipt of this. We'll get back to you on it.
Matt
On 23/05/2022 22:41, Stephen Farrell wrote:
Hi,
Back in November 2021 (~6 months ago) I created a PR [1]
suggesting an implementation of RFC 9180. In discussion,
the "need OMC decision" tag was added to the PR o
Please see the following blog post for details of the role:
https://www.openssl.org/blog/blog/2022/05/18/hiring-business-operations-administrator/
Matt
bsequently cancelled)
Helped Richard investigate method store and child libctx issues
Attended numerous 3.1 planning and estimation workshops
Attended a sysadmin meeting
Matt
The vote is as shown below.
Note: this just converts the existing security policy into markdown
format and pulls it into the general-policies repo. There are no other
changes.
OMC members should cast their vote here:
https://github.com/openssl/general-policies/pull/18
Matt
Topic
s issue was reported to OpenSSL on the 6th April 2022 by Raul Metsma. The fix
was developed by Matt Caswell from OpenSSL.
Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)
=
Severity: Low
The OpenSSL 3.0 implement
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1o released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1o of our open
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.3 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.3 of our open source
:
https://www.openssl.org/policies/secpolicy.html#moderate
Yours
The OpenSSL Project Team
On 19/04/2022 20:51, Matt Caswell wrote:
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.3 and 1.1.1o.
These releases will be made available on Tuesday 26th
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.3 and 1.1.1o.
These releases will be made available on Tuesday 26th April 2022
between 1300-1700 UTC.
These are security-fix releases. The highest severity issue
fixed in these releases is MODERATE:
ated an
EOF problem and other related issues
Organised some on-boarding related items for the new manager
Investigated a security report (result was "not a CVE")
Matt
Topic: Accept the technical requirements document provided in
openssl/openssl#17577
OTC members please cast your votes here:
https://github.com/openssl/technical-policies/issues/37
Matt
Due to a procedural issue this vote has been restarted.
OMC members should cast their vote here (even if they previously voted
on this):
https://github.com/openssl/general-policies/issues/12
Matt
On 02/03/2022 10:54, Matt Caswell wrote:
The proposal is:
We should add linux-x86, linux
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [15 March 2022]
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.2 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.2 of our open source
er so long of continued pinging and still no activity it
gets auto-closed. Activity being counted as a comment or push from
anyone (not just a label/milestone change).
Matt
On 14/03/2022 10:37, Mark J Cox wrote:
Unfortunately the autocloses happened due to the bug now fixed[1].
But they
e future to make the change?
No objections from me. I'd say just do it.
Matt
Mark
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.2 and 1.1.1n.
These releases will be made available on Tuesday 15th March 2022
between 1300-1700 UTC.
These are security-fix releases. The highest severity issue
fixed in these releases is HIGH:
OpenSSL 3.0 has recently been designated as a Long Term Support (LTS)
release. This means that it will now be supported until 7th September
2026 (5 years after its initial release).
Our previous LTS release (1.1.1) will continue to be supported until
11th September 2023.
We encourage all
The proposal is:
We should add linux-x86, linux-generic32 and linux-generic64 as primary
platforms in the platform policy
OMC members should vote here:
https://github.com/openssl/general-policies/issues/12
Took part in sprint planning for the two sprints started during this month
Reviewed Spectre issues
Started onboarding process for the new developer
Matt
I am pleased to be able to welcome Todd Short as the newest member of
the OpenSSL committer team. Todd has been a long time member of the
OpenSSL community and already has many commits to his name.
Welcome on board!
Matt
The OMC vote for the following proposal has now started:
"We should announce that the next LTS release will be 3.0"
OMC members please cast your votes here:
https://github.com/openssl/general-policies/issues/9
Matt
regarding "openssl req"
Backported X509_STORE_CTX_set0_purpose() fix to 3.0 and 1.1.1
Issued security advisory for CVE-2021-4160
Matt
The OMC vote for this policy proposal has now started.
OMC members please cast your votes here:
https://github.com/openssl/general-policies/pull/2
Matt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [28 January 2022]
===
BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160)
Severity: Moderate
There is
The OTC vote for this policy proposal has now started.
OTC members please cast your votes here:
https://github.com/openssl/technical-policies/pull/17
Matt
The OMC vote for this policy proposal has now started.
OMC members please cast your votes here:
https://github.com/openssl/general-policies/pull/1
Matt
The OTC vote for this policy proposal has now started.
OTC members please cast your votes here:
https://github.com/openssl/technical-policies/pull/13
Matt
with shlib_variant
- Investigated CVE-2002-20001
- Fixed a bug in X509_STORE_CTX_set_purpose()
- Performed the 3.0.1 and 1.1.1m releases
- Produced a tentative fix for test_encoder_decoder failure on non-stop
Matt
. Users of this version
should upgrade to OpenSSL 3.0.1.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
This issue was reported to OpenSSL on 29th November 2021 by Tobias Nießen. The
fix was developed by Matt Caswell and Tobias Nießen.
Note
OpenSSL 1.0.2 is out of support
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.1 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.1 of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1m released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1m of our open
See this PR for a first pass attempt at writing a testing policy:
https://github.com/openssl/technical-policies/pull/13
Matt
I forgot I was now supposed to record these votes as issues in the
technical policies repository.
I have now done so:
https://github.com/openssl/technical-policies/issues/12
Matt
On 07/12/2021 10:35, Matt Caswell wrote:
topic: Accept PR #16705 into 3.0 subject to the normal review process
The contents of the proposed policy is just existing text pulled from
this page (with some minor editorial tweaks):
https://www.openssl.org/policies/releasestrat.html
Matt
I've now created PRs for equivalent policies for the OMC. You can see
the draft PRs here:
https://github.com/openssl/general-policies/pull/1
https://github.com/openssl/general-policies/pull/2
Matt
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 1.1.1m and 3.0.1.
These releases will be made available on Tuesday 14th December 2021
between 1300-1700 UTC.
OpenSSL 3.0.1 is a security and bug fix release. The highest severity
issue fixed in this
topic: Accept PR #16705 into 3.0 subject to the normal review process
Proposed by Matt Caswell
Public: yes
opened: 2021-12-07
closed: 2021-12-07
accepted: yes (for: 4, against: 1, abstained: 3, not voted: 2)
Dmitry [+0]
Matt [+1]
Pauli [-0]
Tim [-1]
Richard
Oops. Thanks Matthias. Fixed now.
Matt
On 03/12/2021 13:04, Dr. Matthias St. Pierre wrote:
Sorry, the links to the pull requests are broken. This will be fixed as soon as
possible.
Here the correct links:
#17184 - QUIC API Design
https://github.com/openssl/openssl/pull/17184
#17185 - QUIC
Please see my blog post on starting the QUIC design here:
https://www.openssl.org/blog/blog/2021/12/03/starting-the-quic-design/
Matt
quantum
- Various work transitioning our internal git repositories to Github
Enterprise
Matt
The OTC vote for this policy proposal has now started.
OTC members please cast your votes here:
https://github.com/openssl/technical-policies/pull/9
Matt
Please see the new blog post by Tim Hudson giving an update on the
OpenSSL Project.
https://www.openssl.org/blog/blog/2021/11/25/openssl-update/
Matt
As per our new policy voting procedure the vote on the design process
policy is now open in this PR:
https://github.com/openssl/technical-policies/pull/3
Matt
policies as set by OTC via a public
process.
Proposed by Tomáš Mráz
Public: yes
opened: 2021-11-01
closed: 2021-mm-dd
accepted: yes/no (for: X, against: Y, abstained: Z, not voted: T)
Dmitry [ ]
Matt [ ]
Pauli [ ]
Tim [ ]
Richard [ ]
Shane
I have proposed a new policy for creating designs here:
https://github.com/openssl/technical-policies/pull/3
Please take a look. It would be good to discuss this at tomorrow's OTC.
Matt
a gcc 11.2.0 warning
- Fixed no-cmac
- Fixed a crash when encoding a public key with no public key value
- Worked on a design process for OTC
- Investigated MAC XOF interface issue
Matt
I have now closed this vote:
topic: Accept PR#16725 as a bug fix for backport into 3.0 subject to the
normal
review process
Proposed by Matt Caswell
Public: yes
opened: 2021-10-19
closed: 2021-10-20
accepted: yes (for: 4, against: 2, abstained: 4, not voted: 0)
Dmitry [+0
On 19/10/2021 19:31, Nicola Tuveri wrote:
I believe Matt will find the time at some point to post the minutes
from today's meeting, but until then here is my recap.
We decided in the meeting that posting the minutes to the list wasn't
necessary and we would just push them to the repo
topic: Accept PR#16725 as a bug fix for backport into 3.0 subject to the
normal review process
Proposed by Matt Caswell
Public: yes
opened: 2021-10-19
closed: 2021-mm-dd
accepted: yes/no (for: X, against: Y, abstained: Z, not voted: T)
Dmitry [+0]
Matt [+1]
Pauli
FYI, the OMC have agreed the attached release requirements document.
Matt
# OMC Release Requirements
This document provides information on the OMC requirements and expectations for the next release after 3.0 and subsequent releases.
## Release timeframe
The OMC objective is to have shorter
My proposed agenda for the next OTC meeting (2021-10-19):
1) Nominate a minute taker and confirm agenda
2) Review policy process strawman
3) PR #16725
4) Agree agenda for next meeting
5) AOB
Matt
release
- Wrote a blog about the FIPS submission
- Significant investigation and a draft fix (later superseded) into #16614
Matt
On 23/09/2021 21:51, Kurt Roeckx wrote:
On Thu, Sep 23, 2021 at 09:42:01PM +0200, Dmitry Belyavsky wrote:
Hello Matt,
The link
https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-processmodules-in-process-list
(You can see the official listing for the submission
FYI, please see my blog post about the OpenSSL 3 FIPS submission here:
https://www.openssl.org/blog/blog/2021/09/22/OpenSSL3-fips-submission/
Matt
topic: Increase the default security level from 1 to 2 in master
Proposed by Matt Caswell
Public: yes
opened: 2021-09-21
closed: 2021-09-21
accepted: yes (for: 7, against: 1, abstained: 1, not voted: 1)
Dmitry [+1]
Matt [+1]
Pauli [+1]
Tim [+0]
Richard[+1
topic: Allow the restart of merging of non-breaking small features to
the master
branch
Proposed by Matt Caswell
Public: yes
opened: 2021-09-14
closed: 2021-09-14
accepted: yes (for: 5, against: 1, abstained: 1, not voted: 2)
Dmitry [+1]
Matt [+1]
Pauli [ ]
Tim
king issue
- Fixed a bug where we need to check the asn.1 type of an "otherName"
before we attempt to read it
- Refactored and rationalized provider locking to deal with "lock
inversion" errors being reported from thread sanitizer
Matt
opened: 2021-08-31
closed: 2021-08-31
accepted: yes (for: 7, against: 0, abstained: 0, not voted: 3)
Dmitry [+1]
Matt [ ]
Pauli [+1]
Tim [+1]
Richard [+1]
Shane [+1]
Tomas [+1]
Kurt [ ]
Matthias [+1]
Nicola
: 0, not voted: 2)
Dmitry [+1]
Matt [ ]
Pauli [+1]
Tim [+1]
Richard [+1]
Shane [+1]
Tomas [+1]
Kurt [ ]
Matthias [+1]
Nicola [+1]
essed before the final release.
This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix
was developed by Matt Caswell.
Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
=
Severity: Moderate
ASN.1 stri
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1l released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1l of our open
FYI, OTC met today to discuss the 3.0 final release. Due to the security
release taking place later today they decided that 3.0 final will not be
released this week.
Matt
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL version 1.1.1l.
This release will be made available on Tuesday 24th August 2021
between 1200-1600 UTC.
OpenSSL 1.1.1l is a security-fix release. The highest severity issue
fixed in this release is HIGH:
topic: Accept PR#16286 into 3.0 subject to the normal review process
Proposed by Shane Lontis
Public: yes
opened: 2021-08-17
closed: 2021-mm-dd
accepted: yes/no (for: X, against: Y, abstained: Z, not voted: T)
Dmitry [ ]
Matt [-1]
Pauli [+1]
Tim [ 0]
Richard