Re: Alpha1
On Tue, Apr 21, 2020 at 11:10:19AM +0100, Matt Caswell wrote:
> The 3.0 developers met via conference call this morning. All the
> functionality that we had planned for alpha 1 has now been merged, so we
> are now thinking that we will do the alpha 1 release on Thursday this
> week. That would imply a repo freeze tomorrow.
>
> Thoughts/opinions/objections to this proposal?

Given that the list of required things for alpha 1 are done, it does seem appropriate.

I know of a couple things that would be bug reports against an alpha1 if produced right now, but ... what is an alpha for, if not to trigger people to look and file bug reports? :)

-Ben
Re: Repo is frozen
Repo is now unfrozen. I'm planning on freezing it again tomorrow, ready for the alpha1 release on Thursday.

Matt

On 21/04/2020 10:23, Matt Caswell wrote:
> FYI, the repo is currently frozen in preparation for the release today.
> I'll let you know when it's unfrozen again.
>
> Matt
OpenSSL Security Advisory
OpenSSL Security Advisory [21 April 2020]
=========================================

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================

Severity: High

Server or client applications that call the SSL_check_chain() function during or
after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack.

OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This
issue did not affect OpenSSL versions prior to 1.1.1d.

Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g

This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
2020. It was found using the new static analysis pass being implemented in GCC,
-fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin
Kaduk.

Note
====

This issue did not affect OpenSSL 1.0.2 however these versions are out of
support and no longer receiving public updates. Extended support is available
for premium support customers: https://www.openssl.org/support/contracts.html

This issue did not affect OpenSSL 1.1.0 however these versions are out of
support and no longer receiving updates. Users of these versions should upgrade
to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20200421.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
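
The affected range stated in the advisory above (1.1.1d, 1.1.1e and 1.1.1f, fixed in 1.1.1g), turned into a version-banner triage check. This is an added example, not part of the advisory or of OpenSSL; the host names and banner lines in the inventory are constructed sample data, and the function names are hypothetical.

```python
"""Flag OpenSSL builds in the CVE-2020-1967 range (added example)."""
import re
import ssl

# From the advisory: 1.1.1d, 1.1.1e and 1.1.1f are affected; 1.1.1g is the fix.
AFFECTED_BASE = (1, 1, 1)
AFFECTED_LETTERS = frozenset("def")

# Matches "1.1.1f", "OpenSSL 1.1.1d-fips  10 Sep 2019", "3.0.0-alpha1", ...
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), patch_letters) or None if no version found."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    base = tuple(int(part) for part in match.group(1, 2, 3))
    return base, match.group(4)


def cve_2020_1967_status(version_text):
    """Classify a version string as 'affected', 'not-affected' or 'unknown'."""
    parsed = parse_openssl_version(version_text)
    if parsed is None:
        return "unknown"
    base, letters = parsed
    if base == AFFECTED_BASE and letters in AFFECTED_LETTERS:
        return "affected"
    return "not-affected"


def audit(inventory):
    """Map host -> status for (host, version banner) pairs."""
    return {host: cve_2020_1967_status(banner) for host, banner in inventory}


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 1.1.1f  31 Mar 2020"),
    ("web-02", "OpenSSL 1.1.1g  21 Apr 2020"),
    ("legacy-01", "OpenSSL 1.0.2u  20 Dec 2019"),
    ("build-01", "OpenSSL 1.1.1c  28 May 2019"),
    ("proxy-01", "OpenSSL 1.1.1d-fips  10 Sep 2019"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    # The library this interpreter is linked against:
    print("local:", ssl.OPENSSL_VERSION, "->", cve_2020_1967_status(ssl.OPENSSL_VERSION))
```

An "affected" result only means the version string falls in the advisory's range: distribution packages can carry the fix without changing the upstream letter, and per the advisory only applications that call SSL_check_chain() are exposed.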
OpenSSL version 1.1.1g published
OpenSSL version 1.1.1g released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.1.1g of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1g is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1g.tar.gz
    Size: 9801502
    SHA1 checksum: b213a293f2127ec3e323fb3cfc0c9807664fd997
    SHA256 checksum: ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.1g.tar.gz
    openssl sha256 openssl-1.1.1g.tar.gz

Yours,

The OpenSSL Project Team.
Alpha1
The 3.0 developers met via conference call this morning. All the functionality that we had planned for alpha 1 has now been merged, so we are now thinking that we will do the alpha 1 release on Thursday this week. That would imply a repo freeze tomorrow.

Thoughts/opinions/objections to this proposal?

Matt
Repo is frozen
FYI, the repo is currently frozen in preparation for the release today. I'll let you know when it's unfrozen again.

Matt