Re: Alpha1

2020-04-21 Thread Benjamin Kaduk
On Tue, Apr 21, 2020 at 11:10:19AM +0100, Matt Caswell wrote:
> The 3.0 developers met via conference call this morning. All the
> functionality that we had planned for alpha 1 has now been merged, so we
> are now thinking that we will do the alpha 1 release on Thursday this
> week. That would imply a repo freeze tomorrow.
> 
> Thoughts/opinions/objections to this proposal?

Given that the list of required things for alpha 1 are done, it does seem
appropriate.  I know of a couple things that would be bug reports against
an alpha1 if produced right now, but ... what is an alpha for, if not to
trigger people to look and file bug reports? :)

-Ben


Re: Repo is frozen

2020-04-21 Thread Matt Caswell
Repo is now unfrozen. I'm planning on freezing it again tomorrow, ready
for the alpha1 release on Thursday.

Matt


On 21/04/2020 10:23, Matt Caswell wrote:
> FYI, the repo is currently frozen in preparation for the release today.
> I'll let you know when it's unfrozen again.
> 
> Matt
> 


OpenSSL Security Advisory

2020-04-21 Thread OpenSSL

OpenSSL Security Advisory [21 April 2020]
=========================================

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================

Severity: High

Server or client applications that call the SSL_check_chain() function during or
after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack.

OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.  This
issue did not affect OpenSSL versions prior to 1.1.1d.

Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g.

This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
2020. It was found using the new static analysis pass being implemented in GCC,
-fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin
Kaduk.

Note
====

This issue did not affect OpenSSL 1.0.2 however these versions are out of
support and no longer receiving public updates. Extended support is available
for premium support customers: https://www.openssl.org/support/contracts.html

This issue did not affect OpenSSL 1.1.0 however these versions are out of
support and no longer receiving updates.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20200421.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
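Added example, not part of the advisory or of OpenSSL: a shell sketch that triages hosts against the version ranges stated in the advisory above. The function names, status labels and the inventory lines are constructed for illustration; the input format (host name followed by `openssl version` output) is an assumption.

```shell
#!/bin/sh
# Classify an OpenSSL version against the CVE-2020-1967 advisory text:
#   1.1.1d, 1.1.1e, 1.1.1f -> affected; 1.1.1g -> fix; before 1.1.1d -> not affected;
#   1.0.2 / 1.1.0 -> not affected by this issue, but out of support.
# Caveats: the crash also requires the application to call SSL_check_chain(),
# and a distribution package may carry a backported fix under an unchanged
# version string, so "affected" here means "check this host".
classify_openssl() {
    v=${1#OpenSSL }   # drop the product name from `openssl version` output
    v=${v%% *}        # keep only the version token
    case "$v" in
        1.1.1d|1.1.1e|1.1.1f)             echo affected ;;
        1.1.1|1.1.1a|1.1.1b|1.1.1c)       echo not-affected ;;
        1.1.1[ghijklmnopqrstuvwxyz])      echo fixed ;;
        1.0.2*|1.1.0*)                    echo not-affected-eol ;;
        *)                                echo unknown ;;  # suffixes, other libraries
    esac
}

# Read "host <openssl version output>" lines on stdin and print only the
# hosts that need a follow-up, with the reason.
report_hosts() {
    while read -r host banner; do
        [ -n "$host" ] || continue
        status=$(classify_openssl "$banner")
        case "$status" in
            affected|not-affected-eol|unknown)
                printf '%s %s\n' "$host" "$status" ;;
        esac
    done
}

# Constructed inventory for demonstration only.
sample_inventory() {
    cat <<'EOF'
web01 OpenSSL 1.1.1f  31 Mar 2020
web02 OpenSSL 1.1.1g  21 Apr 2020
db01 OpenSSL 1.1.1c  28 May 2019
legacy01 OpenSSL 1.0.2u  20 Dec 2019
edge01 OpenSSL 1.1.1e-fips  17 Mar 2020
EOF
}

sample_inventory | report_hosts
```

Version tokens with a vendor suffix are reported as unknown on purpose, so that patched or modified builds get a manual look instead of a guessed verdict.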


OpenSSL version 1.1.1g published

2020-04-21 Thread OpenSSL


   OpenSSL version 1.1.1g released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1g of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1g is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1g.tar.gz
  Size: 9801502
  SHA1 checksum: b213a293f2127ec3e323fb3cfc0c9807664fd997
  SHA256 checksum: ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1g.tar.gz
openssl sha256 openssl-1.1.1g.tar.gz

   Yours,

   The OpenSSL Project Team.



Alpha1

2020-04-21 Thread Matt Caswell
The 3.0 developers met via conference call this morning. All the
functionality that we had planned for alpha 1 has now been merged, so we
are now thinking that we will do the alpha 1 release on Thursday this
week. That would imply a repo freeze tomorrow.

Thoughts/opinions/objections to this proposal?

Matt



Repo is frozen

2020-04-21 Thread Matt Caswell
FYI, the repo is currently frozen in preparation for the release today.
I'll let you know when it's unfrozen again.

Matt