OpenSSL version 3.1.6 published
OpenSSL version 3.1.6 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.1.6 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.1-notes.html

Specific notes on upgrading to OpenSSL 3.1 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.1/man7/migration_guide.html

OpenSSL 3.1.6 is available for download at these URLs:

  * https://www.openssl.org/source/
  * https://github.com/openssl/openssl/releases

The distribution file name is:

  o openssl-3.1.6.tar.gz
    Size: 15672690
    SHA1 checksum: 2ab959fbc11283a0bc7a39e33b8f6862372cfc9a
    SHA256 checksum: 5d2be4036b478ef3cb0a854ca9b353072c3a0e26d8a56f8f0ab9fb6ed32d38d7

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.1.6.tar.gz
  openssl sha256 openssl-3.1.6.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.14 published
OpenSSL version 3.0.14 released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.14 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.14 is available for download at these URLs:

  * https://www.openssl.org/source/
  * https://github.com/openssl/openssl/releases

The distribution file name is:

  o openssl-3.0.14.tar.gz
    Size: 15305497
    SHA1 checksum: 80b67212212a5ba81b071026d1ad851d6cbcca93
    SHA256 checksum: eeca035d4dd4e84fc25846d952da6297484afa0650a6f84c682e39df3a4123ca

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.14.tar.gz
  openssl sha256 openssl-3.0.14.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.3.1 published
OpenSSL version 3.3.1 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.3.1 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.3-notes.html

Specific notes on upgrading to OpenSSL 3.3 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.3/man7/migration_guide.html

OpenSSL 3.3.1 is available for download at these URLs:

  * https://www.openssl.org/source/
  * https://github.com/openssl/openssl/releases

The distribution file name is:

  o openssl-3.3.1.tar.gz
    Size: 18055752
    SHA1 checksum: 7376042523b6a229bc697b8099c2af369d1a84c6
    SHA256 checksum: 777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.3.1.tar.gz
  openssl sha256 openssl-3.3.1.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.2.2 published
OpenSSL version 3.2.2 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.2.2 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.2-notes.html

Specific notes on upgrading to OpenSSL 3.2 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.2/man7/migration_guide.html

OpenSSL 3.2.2 is available for download at these URLs:

  * https://www.openssl.org/source/
  * https://github.com/openssl/openssl/releases

The distribution file name is:

  o openssl-3.2.2.tar.gz
    Size: 17744472
    SHA1 checksum: b12311372a0277ca0eb218a68a7fd9f5ce66d162
    SHA256 checksum: 197149c18d9e9f292c43f0400acaba12e5f52cacfe050f3d199277ea738ec2e7

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.2.2.tar.gz
  openssl sha256 openssl-3.2.2.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.1.0-alpha1 published
OpenSSL version 3.1 alpha 1 released
====================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.1 is currently in alpha. OpenSSL 3.1 alpha 1 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.1 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.1.0-alpha1.tar.gz
    Size: 15343477
    SHA1 checksum: 91a7cbcb761c4bb8a460899bccddcbd5d047d3c3
    SHA256 checksum: ef10f70023f4e3f701c434db0b4b0c8cfea1e1e473a0eb3c9ccbc5c54f5f5566

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.1.0-alpha1.tar.gz
  openssl sha256 openssl-3.1.0-alpha1.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub:
https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL Security Advisory
OpenSSL Security Advisory [01 November 2022]
============================================

X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
==========================================================

Severity: High

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.

An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.

Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler.

Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above has led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible.

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 17th October 2022 by Polar Bear. The fixes were developed by Dr Paul Dale.

We are not aware of any working exploit that could lead to code execution, and we have no evidence of this issue being exploited as of the time of release of this advisory (November 1st 2022).

X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
===================================================================

Severity: High

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer.

An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was discovered on 18th October 2022 by Viktor Dukhovni while researching CVE-2022-3602. The fixes were developed by Dr Paul Dale.

We have no evidence of this issue being exploited as of the time of release of this advisory (November 1st 2022).

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221101.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
OpenSSL version 1.1.1s published
OpenSSL version 1.1.1s released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1s of our open source toolkit for SSL/TLS.

For details of changes and known issues see the release notes at:
https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1s is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1s.tar.gz
    Size: 9868981
    SHA1 checksum: d316e1523a609bbfc4ddd3abfa9861db99f17044
    SHA256 checksum: c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1s.tar.gz
  openssl sha256 openssl-1.1.1s.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.7 published
OpenSSL version 3.0.7 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.7 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.7 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.7.tar.gz
    Size: 15107575
    SHA1 checksum: f20736d6aae36bcbfa9aba0d358c71601833bf27
    SHA256 checksum: 83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.7.tar.gz
  openssl sha256 openssl-3.0.7.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL Security Advisory
OpenSSL Security Advisory [5 July 2022]
=======================================

Heap memory corruption with RSA private key operation (CVE-2022-2274)
=====================================================================

Severity: High

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.

SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

Note that on a vulnerable machine, proper testing of OpenSSL would fail and should be noticed before deployment.

Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 22nd June 2022 by Xi Ruoyao. The fix was developed by Xi Ruoyao.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220705.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

AES OCB fails to encrypt some bytes (CVE-2022-2097)
===================================================

Severity: MODERATE

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

This issue affects versions 1.1.1 and 3.0. It was addressed in the releases of 1.1.1q and 3.0.5 on the 5th July 2022.

OpenSSL 1.1.1 users should upgrade to 1.1.1q
OpenSSL 3.0 users should upgrade to 3.0.5

This issue was reported to OpenSSL on the 15th June 2022 by Alex Chernyakhovsky from Google. The fix was developed by Alex Chernyakhovsky, David Benjamin and Alejandro Sedeño from Google.
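A defender-side version check built from the affected ranges stated in the two advisories above (5 July 2022 and 1 November 2022). This is an added example, not code from the OpenSSL project: the CVE data is transcribed from the advisories on this page, while the version-parsing rules (letter-suffixed 1.x patch releases, purely numeric 3.x releases, alpha/beta tags sorting below the final release) and the names parse_version, affected_by, report, Advisory and ADVISORIES are this example's own assumptions.

```python
"""Map an OpenSSL version string to the advisories on this page that cover it.

Added example. The affected ranges come from the advisories above; the
numbering rules below are assumptions about OpenSSL's version scheme.
"""
import re
from typing import List, NamedTuple, Tuple

# Assumed numbering rules: 1.x patch releases carry a letter (1.1.1p < 1.1.1q),
# 3.x releases are purely numeric (3.0.6 < 3.0.7), and an alpha/beta build of
# a number sorts below the final release of that number (3.0.0-alpha17 < 3.0.0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(alpha|beta)(\d+))?$")
_STAGE = {"alpha": 0, "beta": 1, None: 2}  # final release ranks highest


def parse_version(text: str) -> Tuple[int, int, int, int, int, int]:
    """Return (major, minor, patch, letter_rank, stage, pre_number) for comparison."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letters, stage, pre_num = m.groups()
    letter_rank = 0  # bare '1.1.1' -> 0, 'a' -> 1 ... 'z' -> 26
    for ch in letters:
        letter_rank = letter_rank * 27 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(patch), letter_rank, _STAGE[stage], int(pre_num or 0))


class Advisory(NamedTuple):
    cve: str
    severity: str
    # Half-open ranges [first affected, first fixed), one per affected release line.
    ranges: Tuple[Tuple[str, str], ...]
    note: str  # preconditions the advisory states; a version match alone is not exposure


# Transcribed from the two advisories on this page, in page order.
ADVISORIES = (
    Advisory("CVE-2022-3602", "High", (("3.0.0", "3.0.7"),),
             "4-byte stack overflow in X.509 name-constraint checking; runs after chain "
             "signature verification, so it needs a CA-signed malicious cert or an app "
             "that keeps verifying after path-building fails"),
    Advisory("CVE-2022-3786", "High", (("3.0.0", "3.0.7"),),
             "variable-length stack overflow in the same check; crash/DoS only"),
    Advisory("CVE-2022-2274", "High", (("3.0.4", "3.0.5"),),
             "only X86_64 CPUs with AVX512IFMA using 2048-bit RSA private keys; "
             "the OpenSSL test suite fails on such machines"),
    Advisory("CVE-2022-2097", "Moderate", (("1.1.1", "1.1.1q"), ("3.0.0", "3.0.5")),
             "AES-OCB with the AES-NI assembly on 32-bit x86; TLS/DTLS are unaffected"),
)


def _matches(adv: Advisory, v: Tuple[int, ...]) -> List[str]:
    """Return the fixed version for every range of adv that contains v."""
    return [hi for lo, hi in adv.ranges if parse_version(lo) <= v < parse_version(hi)]


def affected_by(version: str) -> List[str]:
    """CVE ids from this page whose affected range contains the given version."""
    v = parse_version(version)
    return [adv.cve for adv in ADVISORIES if _matches(adv, v)]


def report(version: str) -> List[str]:
    """One human-readable line per applicable advisory, with the fixing release."""
    v = parse_version(version)
    lines = []
    for adv in ADVISORIES:
        for fixed in _matches(adv, v):
            lines.append(f"{adv.cve} ({adv.severity}): upgrade to {fixed}; {adv.note}")
    return lines


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["3.0.4", "1.1.1p", "3.0.7"]:
        print(arg, "->", report(arg) or ["no advisory on this page applies"])
```

Run it as `python3 check.py "$(openssl version | awk '{print $2}')"` to test the locally installed version; the note field reminds the reader that CVE-2022-2274 and CVE-2022-2097 also depend on CPU features and cipher mode, not only on the version.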
OpenSSL version 3.0.5 published
OpenSSL version 3.0.5 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.5 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.5 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.5.tar.gz
    Size: 15074407
    SHA1 checksum: a5305213c681a5a4322dad7347a6e66b7b6ef3c7
    SHA256 checksum: aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.5.tar.gz
  openssl sha256 openssl-3.0.5.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 1.1.1q published
OpenSSL version 1.1.1q released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1q of our open source toolkit for SSL/TLS.

For details of changes and known issues see the release notes at:
https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1q is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1q.tar.gz
    Size: 9864061
    SHA1 checksum: 79511a8f46f267c533efd32f22ad3bf89a92d8e5
    SHA256 checksum: d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1q.tar.gz
  openssl sha256 openssl-1.1.1q.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0 published
OpenSSL version 3.0.0 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.0 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.0 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.0.tar.gz
    Size: 14978663
    SHA1 checksum: 3be896f1b33bc01af874ccca701a6f700af9de20
    SHA256 checksum: 59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.0.tar.gz
  openssl sha256 openssl-3.0.0.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha17 published
OpenSSL version 3.0 alpha 17 released
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 17 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/manmaster/man7/migration_guide.html

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.0-alpha17.tar.gz
    Size: 14551193
    SHA1 checksum: c026f0451988a4d3799b0ac8cc6aae45d05eddc5
    SHA256 checksum: fcf7f7d732209904a8f994d6af5df10b1ca5df7bd18618e40805a2e32aa44f47

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.0-alpha17.tar.gz
  openssl sha256 openssl-3.0.0-alpha17.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub:
https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha16 published
OpenSSL version 3.0 alpha 16 released
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 16 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here:
https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.0-alpha16.tar.gz
    Size: 14491795
    SHA1 checksum: 9719fde1203a21f768c5688dd7bd579c6b5a8ae4
    SHA256 checksum: 08ce8244b59d75f40f91170dfcb012bf25309cdcb1fef9502e39d694f883d1d1

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.0-alpha16.tar.gz
  openssl sha256 openssl-3.0.0-alpha16.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub:
https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha15 published
OpenSSL version 3.0 alpha 15 released
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 15 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here:
https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.0-alpha15.tar.gz
    Size: 14423249
    SHA1 checksum: 57be66515f808b77d5b163a55474801f8bd764f4
    SHA256 checksum: 7ebc12910a19d94c13ce589024c5ab655a81152823fe37a3b5753436f3706831

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.0-alpha15.tar.gz
  openssl sha256 openssl-3.0.0-alpha15.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub:
https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha14 published
OpenSSL version 3.0 alpha 14 released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 14 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha14.tar.gz
  Size: 14392548
  SHA1 checksum: 255708727c8772f930d1058d723341d68d6ed005
  SHA256 checksum: 78a935e1d314d66cccaa68931702a52d42015b47c3c44bec631de9f5705cb6c0

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha14.tar.gz
openssl sha256 openssl-3.0.0-alpha14.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL Security Advisory
OpenSSL Security Advisory [25 March 2021]

CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)

Severity: High

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.

An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.

OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was developed by Tomáš Mráz.
NULL pointer deref in signature_algorithms processing (CVE-2021-3449)

Severity: High

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.

A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue.

All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was developed by Peter Kästle and Samuel Sapalski from Nokia.

Note

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of these issues on OpenSSL 1.1.0 has not been analysed. Users of these versions should upgrade to OpenSSL 1.1.1.

References

URL for this Security Advisory: https://www.openssl.org/news/secadv/20210325.txt

Note: the online version of the advisory may be updated with additional details over time.
For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html
OpenSSL version 1.1.1k published
OpenSSL version 1.1.1k released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1k of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1k is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.1k.tar.gz
  Size: 9823400
  SHA1 checksum: bad9dc4ae6dcc1855085463099b5dacb0ec6130b
  SHA256 checksum: 892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1k.tar.gz
openssl sha256 openssl-1.1.1k.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha13 published
OpenSSL version 3.0 alpha 13 released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 13 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha13.tar.gz
  Size: 14211501
  SHA1 checksum: 754aab6dc677668255fec676c6340a3a191e8135
  SHA256 checksum: c88cbb9d330b4daa3dbb5af1ed511d5062253291a56e09fd17e9ac013a20f8a3

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha13.tar.gz
openssl sha256 openssl-3.0.0-alpha13.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha12 published
OpenSSL version 3.0 alpha 12 released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 12 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha12.tar.gz
  Size: 14142492
  SHA1 checksum: fbcb255c1bf11928f4bd52b8cf68ab8341238d4f
  SHA256 checksum: 8d78239be66af578b969441252e7c125aa134ef3b9bac6179d84275cfe01950c

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha12.tar.gz
openssl sha256 openssl-3.0.0-alpha12.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL Security Advisory
OpenSSL Security Advisory [16 February 2021]

Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)

Severity: Moderate

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.

This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy from Google. The fix was developed by Matt Caswell.

Incorrect SSLv2 rollback protection (CVE-2021-23839)

Severity: Low

OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested).

The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such a server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made.

Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must:

1) have configured SSLv2 support at compile time (this is off by default),
2) have configured SSLv2 support at runtime (this is off by default),
3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list)

OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue.

The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version.

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.

This issue was reported to OpenSSL on 21st January 2021 by D. Katz and Joel Luellwitz from Trustwave. The fix was developed by Matt Caswell.

Integer overflow in CipherUpdate (CVE-2021-23840)

Severity: Low

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.

This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The fix was developed by Matt Caswell.

Note
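As an added illustration of the rollback check that CVE-2021-23839 inverted (this is not OpenSSL's code): a model of the SSLv23 padding test on a PKCS#1 v1.5 type-2 block, with the intended decision beside the inverted one. It assumes the TLS convention that a client supporting more than SSLv2 sets the last eight padding bytes to 0x03; the block layout and sample message are constructed here, not real RSA output.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define PKCS1_MIN_PS 8          /* PKCS#1 v1.5 requires at least 8 bytes of PS */
#define ROLLBACK_MARKER_LEN 8   /* last eight PS bytes are 0x03 for newer clients */

/* Length of the padding string PS in a PKCS#1 v1.5 type-2 block
 * (0x00 0x02 PS 0x00 M), or -1 if the block is malformed. */
static int ps_length(const unsigned char *em, size_t emlen)
{
    size_t i;

    if (emlen < 2 + PKCS1_MIN_PS + 1 || em[0] != 0x00 || em[1] != 0x02)
        return -1;
    for (i = 2; i < emlen && em[i] != 0x00; i++)
        ;
    if (i == emlen || i - 2 < PKCS1_MIN_PS)
        return -1;
    return (int)(i - 2);
}

/* 1 if PS ends with the rollback marker (eight 0x03 bytes), 0 if not,
 * -1 if the block is malformed. */
int sslv23_marker_present(const unsigned char *em, size_t emlen)
{
    int ps = ps_length(em, emlen);
    size_t k, start;

    if (ps < 0)
        return -1;
    start = 2 + (size_t)ps - ROLLBACK_MARKER_LEN;
    for (k = 0; k < ROLLBACK_MARKER_LEN; k++)
        if (em[start + k] != 0x03)
            return 0;
    return 1;
}

/* Intended decision for a server that also speaks newer versions: a marker
 * in an SSLv2 handshake means the client could have negotiated something
 * newer, so this is a rollback. Returns 1 = accept, 0 = reject. */
int sslv2_accept_correct(const unsigned char *em, size_t emlen)
{
    int marker = sslv23_marker_present(em, emlen);
    return marker == 0;          /* a malformed block (-1) is rejected too */
}

/* The inverted decision the advisory describes for 1.0.2s to 1.0.2x:
 * accepts when the marker is present, rejects a plain SSLv2 client. */
int sslv2_accept_inverted(const unsigned char *em, size_t emlen)
{
    int marker = sslv23_marker_present(em, emlen);
    return marker == 1;
}

/* Constructed sample block (not real RSA output): 0x00 0x02, pslen bytes
 * of 0x01 filler optionally ending in the marker, 0x00, then msg.
 * Returns the total length, or 0 if it does not fit. */
size_t build_block(unsigned char *out, size_t outlen, size_t pslen,
                   int with_marker, const unsigned char *msg, size_t msglen)
{
    size_t n = 2 + pslen + 1 + msglen;

    if (n > outlen || pslen < PKCS1_MIN_PS)
        return 0;
    out[0] = 0x00;
    out[1] = 0x02;
    memset(out + 2, 0x01, pslen);
    if (with_marker)
        memset(out + 2 + pslen - ROLLBACK_MARKER_LEN, 0x03, ROLLBACK_MARKER_LEN);
    out[2 + pslen] = 0x00;
    memcpy(out + 3 + pslen, msg, msglen);
    return n;
}

/* Decision for a constructed block, selecting correct or inverted logic.
 * Returns 1 = accept, 0 = reject, -1 = could not build the block. */
int decide(int with_marker, int use_correct_logic)
{
    unsigned char buf[64];
    static const unsigned char pms[] = { 0x03, 0x00, 'x', 'y' }; /* constructed */
    size_t n = build_block(buf, sizeof buf, 16, with_marker, pms, sizeof pms);

    if (n == 0)
        return -1;
    return use_correct_logic ? sslv2_accept_correct(buf, n)
                             : sslv2_accept_inverted(buf, n);
}

int main(void)
{
    printf("marker present: correct=%d inverted=%d\n", decide(1, 1), decide(1, 0));
    printf("marker absent : correct=%d inverted=%d\n", decide(0, 1), decide(0, 0));
    return 0;
}
```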
OpenSSL version 1.1.1j published
OpenSSL version 1.1.1j released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1j of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1j is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.1j.tar.gz
  Size: 9823161
  SHA1 checksum: 04c340b086828eecff9df06dceff196790bb9268
  SHA256 checksum: aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1j.tar.gz
openssl sha256 openssl-1.1.1j.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha11 published
OpenSSL version 3.0 alpha 11 released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 11 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha11.tar.gz
  Size: 14104901
  SHA1 checksum: 7c934bab3e310884e97b0f4a53dfe9fb3d97bb76
  SHA256 checksum: 2a18f18df6a7ba33cfcc423b77d93990bf70939c06aa2b599b1eabf6e222ea74

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha11.tar.gz
openssl sha256 openssl-3.0.0-alpha11.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha10 published
OpenSSL version 3.0 alpha 10 released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 10 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha10.tar.gz
  Size: 14084047
  SHA1 checksum: dfeb99f9bdb270d11f723039d07fda1478a31219
  SHA256 checksum: b1699acf2148db31f12edf5ebfdf12a92bfd3f0e60538d169710408a3cd3b138

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha10.tar.gz
openssl sha256 openssl-3.0.0-alpha10.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL Security Advisory
OpenSSL Security Advisory [08 December 2020]

EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

Severity: High

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:

1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)

If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools.

Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack.

All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked.

OpenSSL 1.1.1 users should upgrade to 1.1.1i.

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2x. Other users should upgrade to OpenSSL 1.1.1i.

This issue was reported to OpenSSL on 9th November 2020 by David Benjamin (Google). Initial analysis was performed by David Benjamin with additional analysis by Matt Caswell (OpenSSL). The fix was developed by Matt Caswell.

Note

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of this issue on OpenSSL 1.1.0 has not been analysed. Users of these versions should upgrade to OpenSSL 1.1.1.

References

URL for this Security Advisory: https://www.openssl.org/news/secadv/20201208.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html
OpenSSL version 1.1.1i published
OpenSSL version 1.1.1i released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1i of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1i is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.1i.tar.gz
  Size: 9808346
  SHA1 checksum: eb684ba4ed31fe2c48062aead75233ecd36882a6
  SHA256 checksum: e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1i.tar.gz
openssl sha256 openssl-1.1.1i.tar.gz

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha9 published
OpenSSL version 3.0 alpha 9 released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 9 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha9.tar.gz
  Size: 14058484
  SHA1 checksum: 9b5faa69485659407583fd653f8064fb425fc0c4
  SHA256 checksum: 5762545c972d5e48783c751d3188ac19f6f9154ee4899433ba15f01c56b3eee6

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha9.tar.gz
openssl sha256 openssl-3.0.0-alpha9.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha8 published
OpenSSL version 3.0 alpha 8 released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 8 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha8.tar.gz
  Size: 14011376
  SHA1 checksum: a6063ebb15b4e600b60fbb50b3102c6f2e3438ff
  SHA256 checksum: a6c7b618a6a37cf0cebbc583b49e6d22d86e2d777e60173433eada074c32eea4

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha8.tar.gz
openssl sha256 openssl-3.0.0-alpha8.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL version 3.0.0-alpha7 published
OpenSSL version 3.0 alpha 7 released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 7 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha7.tar.gz
  Size: 14005200
  SHA1 checksum: 1d05682f62b34038a37b196c7c43a21013f5f507
  SHA256 checksum: 2884219ad2fae614c0f0d57b77af2f0720f32ffa3a569ac70bbf506bd8732298

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha7.tar.gz
openssl sha256 openssl-3.0.0-alpha7.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
OpenSSL version 1.1.1h published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1h released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1h of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html OpenSSL 1.1.1h is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1h.tar.gz Size: 9810045 SHA1 checksum: 8d0d099e8973ec851368c8c775e05e1eadca1794 SHA256 checksum: 5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9 The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1h.tar.gz openssl sha256 openssl-1.1.1h.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl9p9DIACgkQ2cTSbQ5g RJG6pAf/Y6B3I9pwD6MG7lm3ywEqp2dAwYym84l39K6LrBFPOg76GmHLby92Se5/ N2S5uHPCcXrBdtHLZZTi1Tn3rwMN6EAJmedZJvMwoxeKJxNjZ2f8K8SjgUkuimSa dKbXtv92uDNRpD4X3Fv+uRatmbvygdjduwJWqgJ88ahz/IM7x1lv8E8GNnkPNBfA 9M9rDP5ThiQAetbefHBq9vb6wywwbi0FGTnXkeaYpyKDXmob0VWUdI0olMFLIUAG ZAQAD8XEPnJBVh4qCOlVy0n/5+jzcOiqcwJyORQc/U0wkV71I9XigW9H7wgg6skD iVQQe2QEODbEbtx9iMPsN4Ssmfk+VA== =OYam -END PGP SIGNATURE-
OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [09 September 2020]
=============================================

Raccoon Attack (CVE-2020-1968)
==============================

Severity: Low

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites.

OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and does not implement any "static" DH ciphersuites.

OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH ciphersuite is used. These static "DH" ciphersuites are ones that start with the text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these ciphersuites all start with "TLS_DH_" but exclude those that start with "TLS_DH_anon_".

OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS connections in server processes unless the SSL_OP_SINGLE_DH_USE option was explicitly configured. Therefore all ciphersuites that use DH in servers (including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a response to CVE-2016-0701.

Since the vulnerability lies in the TLS specification, fixing the affected ciphersuites is not viable. For this reason 1.0.2w moves the affected ciphersuites into the "weak-ssl-ciphers" list. Support for the "weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause interoperability problems in most cases since use of these ciphersuites is rare.

Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w. If upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure that affected ciphersuites are disabled through runtime configuration.

Also note that the affected ciphersuites are only available on the server side if a DH certificate has been configured. These certificates are very rarely used and for this reason this issue has been classified as LOW severity.

This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to allow co-ordinated disclosure with other implementations.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of this issue on OpenSSL 1.1.0 has not been analysed. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory: https://www.openssl.org/news/secadv/20200909.txt

Note: the online version of the advisory may be updated with additional details over time.
For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAl9YzBsACgkQ1enkP335 7oyIxg/9FWuca3/s/lY6g6a5VTPIekZMOLRUnDyzS3YePQu/sEd1w81mKoTqU+6F KQmliGqdRDk+KN8HDVd14kcLBukto8UKmkp9FpB5J4d2KK1I/Fg/DofJs6xUQYKb 5rHRLB3DDoyHEBzEEIjcqYTTThXW9ZSByVK9SKpC78IRM/B2dfd0+j4hIB/kDC/E G+wieFzexHQVdleVYT/VaJ6qS8AwvohBbt8h7yK0P6v/4vEm0spDbUmjWJBVUlUu QZyELjj8XZR3YFxt3axSuJg3JSGYlaMzkt2+DVq4qEzeJLIydLK9J8p6RNwPhsJk Rx0ez8P4N+5O7XmA0nHv3HyompdMgHlvykj8Ks4lNHVS02KKLi1jDtmOxl3Fm/hb ZNOmjn7lulV1342pw4rWL3Nge3x0s0Q5zgBCm1mqLzzu/V1ksx8FJwGA1w2cH280 dU9VedkC2wvFQije8pFrWH9l6N9Bh41DIEOnlBl0AL7IrbPdO6yMcD6vpR7hWjr3 fx4hNJSAGzJ3i/NXlSj4eR/47zkjfJyEc8Drc2QgewyqXFrK20X/LOj8MqJlc+ry pXZseh+XC8WaYDMV1ltrKvE2Ld9/0f3Ydc04AcDeu5SXPJG79ogzVnchZok7+XCj RT+a3/ES45+CTfL5v27t5QJxJcxg4siLVsILfi0rIUv0IYgH2fU= =U7OO -END PGP SIGNATURE-
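The advisory's rules (static DH suites are the ones named "DH-..." in OpenSSL or "TLS_DH_..." but not "TLS_DH_anon_..." in IANA terms; 1.0.2e and below reuse every DH secret in servers; 1.0.2f and later reuse only static DH; 1.1.1 never) can be applied mechanically to a server's ciphersuite list. The following is an added example and not OpenSSL project code. The suite list is constructed for the example; treating releases after 1.1.1 (3.x) like 1.1.1, and flagging every finite-field DH suite on the unanalysed 1.1.0 branch, are this example's conservative assumptions rather than statements from the advisory.

```python
# Added example, not OpenSSL project code: apply the DH-secret-reuse rules from
# the Raccoon advisory to a ciphersuite list, keyed on the OpenSSL version in use.
import re

# Constructed sample list. The names follow the OpenSSL and IANA conventions the
# advisory refers to; they are not a capture from any particular server.
SAMPLE_SUITES = [
    "DH-RSA-AES256-SHA",                  # static DH, OpenSSL name (advisory's example)
    "DH-DSS-AES128-SHA256",               # static DH
    "DHE-RSA-AES128-GCM-SHA256",          # ephemeral DH
    "EDH-RSA-DES-CBC3-SHA",               # ephemeral DH, older spelling
    "ADH-AES128-SHA",                     # anonymous DH
    "ECDH-RSA-AES128-SHA",                # static ECDH: out of scope per the advisory
    "ECDHE-RSA-AES128-GCM-SHA256",        # ECDHE: out of scope
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",    # static DH, IANA name
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",   # anonymous DH, IANA name (not "static")
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",   # ephemeral DH, IANA name
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",  # static ECDH: out of scope
    "AES128-SHA",                         # RSA key transport: out of scope
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
_OPENSSL_FFDH_RE = re.compile(r"^(EXP-)?(DH|DHE|EDH|ADH)-")


def parse_version(version):
    """'1.0.2w' -> (1, 0, 2, 'w'); the patch letter is '' for a bare X.Y.Z."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % version)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_static_dh(suite):
    """Static ("fixed") DH as the advisory defines it: OpenSSL names starting
    "DH-", IANA names starting "TLS_DH_" but not "TLS_DH_anon_"."""
    if suite.startswith("DH-"):
        return True
    return suite.startswith("TLS_DH_") and not suite.startswith("TLS_DH_anon_")


def is_finite_field_dh(suite):
    """Any finite-field DH suite: static, ephemeral (DHE/EDH) or anonymous (ADH).
    ECDH names start with "ECDH"/"TLS_ECDH" and are deliberately not matched."""
    return (bool(_OPENSSL_FFDH_RE.match(suite))
            or suite.startswith("TLS_DH_")
            or suite.startswith("TLS_DHE_"))


def reuse_regime(version):
    """Which suites reuse a DH secret on this version, per the advisory text.
    Assumption (not stated in the advisory): releases after 1.1.1, i.e. 3.x,
    are treated like 1.1.1."""
    major, minor, patch, letter = parse_version(version)
    if (major, minor, patch) >= (1, 1, 1):
        return "none"           # 1.1.1 never reuses a DH secret, no static DH suites
    if (major, minor, patch) == (1, 1, 0):
        return "not-analysed"   # advisory: impact on 1.1.0 has not been analysed
    if (major, minor, patch) == (1, 0, 2) and letter >= "f":
        return "static-only"    # SSL_OP_SINGLE_DH_USE forced on since 1.0.2f
    return "all-dh"             # 1.0.2e and below: ephemeral DH reused too


def affected_suites(version, suites):
    """Suites that should be disabled at runtime on the given version."""
    regime = reuse_regime(version)
    if regime == "none":
        return []
    if regime == "static-only":
        return [s for s in suites if is_static_dh(s)]
    # "all-dh", and conservatively "not-analysed" (1.1.0): flag every FFDH suite.
    return [s for s in suites if is_finite_field_dh(s)]


if __name__ == "__main__":
    for v in ("1.0.2e", "1.0.2v", "1.1.1g"):
        print(v, "->", reuse_regime(v), affected_suites(v, SAMPLE_SUITES))
```

On a real host the list to feed in is the output of `openssl ciphers -v` for the cipher string the server actually uses. For the runtime mitigation the advisory recommends, OpenSSL's cipher-string keywords `!kDH` (static DH key agreement) and `!DH` (every finite-field DH suite, ephemeral included) remove exactly the two groups the two regimes flag.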
OpenSSL version 3.0.0-alpha6 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 6 released OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 6 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0 The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-alpha6.tar.gz Size: 13963353 SHA1 checksum: bac4e232f5238c5f267c3e108227cfadbd4b7120 SHA256 checksum: 1e8143b152f33f76530da2eaedc5d841121ff9e7247a857390cceac6503f482b The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-alpha6.tar.gz openssl sha256 openssl-3.0.0-alpha6.tar.gz Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl8r/u0ACgkQ2cTSbQ5g RJFJhgf8C6Wv+1W8JolzZ2erbPSDFXTUjOJGvqnR2+73wtYMkzZKMnYTpqiW9Jrx 5V6zQ2WIYhnWZ97nSP0woo/h3tr8rQIj71Cj3TPqO11zOrXda9Op+P9ncCNNXTuz /BS4HmnicV/pmrd2JMnFmo58tka9K47DhcACMKxuWPr32F40DJcr/yjvYnlf6k7y s5EWK7tv7NLYWu+UN+JO6LpJrTFWRTajQj2OEZh3+Gm07Qv98TaXXr3QeiEpimu6 xbDi8oCcAzA+bKr1WpTCNYIU9H6QZIc0QqPjhSsS9o64RDlK7laRQ6ETMmePxDUK u812RauTlxNuJHjy34a9k38kirPHaQ== =uzj7 -END PGP SIGNATURE-
OpenSSL version 3.0.0-alpha5 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 3.0 alpha 5 released OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 5 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0 The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-alpha5.tar.gz Size: 13919931 SHA1 checksum: 0e2aded2b2bd2104bcee6bfcd10132a8aec87776 SHA256 checksum: 09ad89af04cbf36dbbce1fc7063e18fcc333fcaaf3eccecf22c4a99bac83e139 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-alpha5.tar.gz openssl sha256 openssl-3.0.0-alpha5.tar.gz Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. 
-BEGIN PGP SIGNATURE- iQJIBAEBCgAyFiEEeVOsH7w9yLOykjk+1enkP3357owFAl8QVLgUHGxldml0dGVA b3BlbnNzbC5vcmcACgkQ1enkP3357owlsxAAsESoir2B2o8zLiBgZpo24k+FGcsb zu6unJnYp0IZH+UkK+EXU4q440vpOcXaxC9zyXUKrdUp7e6iXzsVhqkTHFqkG+sE wiEjCO5VS/gPWo3Alrr1Lyzuc9EFLk5XzU0/p2MEVMwjxwHGuqshmJe5dgkv/NCa /SebPbzbKpCKnfnUhmEiiXzG8Sujit8zVl0bKSXsF0hgfm6bWzeuBUj2wqoUFmFe OlPuZ53cYYaF6Hw0XjSiW20RVJ9wD+jgJoQbos7l8QORzuOGsgxYExG0+M+0ketY W1TttXKZrPyO4qj/mdojrPOZWQQT3v5yInGI0wWLzPvXFBs4bKB088uKZQUyicd1 VJyvJBYR5K64podAoQSSjATo8zDZxts1A8JcfGKeLuIeXhhcOf+h75X0pk4+Sqaz +YQLj7lupg9Hksu8UGIcFZNc4zDvDdeFMxphAUkbnlBt7wB+sGSKMcxciYYGh7Vf 8PBTqFS3QcTe33m8KFJMNSwSNDyFILbqskltRQ4vxIquNQu3b1pgfNpKetGnQZJs hv1Ruc4o8rtkntMXx7xpY/uRnWDkdPtybZJNgUMc/iUe88p6YjXFq7q+PDtVAhYk 0EVNlU2lVjM0DZoi4aWKtqCWExJ/rFzuAeCNEXI8oFMSV3/wwE5WFv/uQC45vDuS yuGJQvyOaBjoJws= =uL/G -END PGP SIGNATURE-
OpenSSL version 3.0.0-alpha4 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 4 released OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 4 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0 The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-alpha4.tar.gz Size: 13884897 SHA1 checksum: 056194ea4ec57234ce3cb16b944d99c4d2a8b650 SHA256 checksum: d930b650e0899f5baca8b80c50e7401620c129fef6c50198400999776a39bd37 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-alpha4.tar.gz openssl sha256 openssl-3.0.0-alpha4.tar.gz Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl70rYcACgkQ2cTSbQ5g RJFWeAf/ZOGaHZbcAUy9Xm/R8x56qPJWD+3D8qGOgjNgKc/5r3kXII3I7NH7lc1j zFSt/FA9NhqU7dIh/8/SlyZaBbFW/XZBRiczDqRSqAkAfsxhlj5tOq8xZoXuTqlN it3DICC96jgh2xGo3LJUPgY1o0evsPLX98L/BtRZcZMcZed0ImZEEmJra3vEDr7H C+Hu4/+gNDlAISDENSDygAE8vDB5hBDmk0YCySPKZpDbWPdV2/WF8oBlgRpNBjY+ zbk/V32xZkhf/x/nhRGNs44CJI8ymsDtp6UyV2e7ZW6LZNMGX7l0M8ZuJvLTFJJM ZqQo7Xhn1EFdIRwTd+B2CvY2k73Pzw== =khAk -END PGP SIGNATURE-
OpenSSL version 3.0.0-alpha3 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 3 released OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 3 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0 The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-alpha3.tar.gz Size: 9622261 SHA1 checksum: 4e5856fb85b1383d309d38874795043a787891ea SHA256 checksum: 354f25ff6c7ed90271e2f0718054ecab253cc4252942aa0e89b265e2795ae040 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-alpha3.tar.gz openssl sha256 openssl-3.0.0-alpha3.tar.gz Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl7Y/ZwACgkQ2cTSbQ5g RJH5+QgAi8M5sH+m8xnDTV+i9NFc9EAyzs1NMVY2B1/Yhzn+tSbKfR9tocKjFEB/ RV3cAjB1RBHtMxK9sI+O4PyE7Bkk81JB64RjAawY3Dy1kETWEJsulnzgkrpKtrM2 FbyCubL2sZgFevWVB4fDbUIr983o9Dg7idZehvq0zvVzg++bKm6edDDTaIBgisA3 gr+rA00bD++bddmqG7vm31HhN2/fYa+g719trXdfIcsyHhY+bsFtFqMOnO1D0N6f d6dWBNIP8SjuYQ8GJPdPU+Ryro8uJpIUd1DlP7xDg1y21vUoWrzIStbUTIeZh+51 0Qy2tWa52xSBgYQN3tu11MN17rLEPQ== =w062 -END PGP SIGNATURE-
OpenSSL version 3.0.0-alpha2 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 2 released OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 2 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0 The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-alpha2.tar.gz Size: 9601205 SHA1 checksum: 9224a8957232db61b1e9cf1a80b3a19165f47236 SHA256 checksum: 9077d53d889f9708c261ee8a698df10575e2fd191de6924d89136b97dc8bc0c0 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-alpha2.tar.gz openssl sha256 openssl-3.0.0-alpha2.tar.gz Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6+miwACgkQ2cTSbQ5g RJFqZggAhQGdzxbmbIa6aKeaX3sNpIYEpnu1W3htP/d2tMuqUlv31qG+IKZEnqHy kk/rhpHj9XU08MurpZ9caALayA3WNSpZXCwzpG85pgIm/KlwM2YN2CdmFCuh/G4K sMyU8UgSEcuEfF7BpYNgmfifYxDdRJjlrnrHwBPpFRJ0MdvS+8GN0a9n9b3o2eOm u2Dnub85W7NUH4St4YdKqDfxUF3rIPg+hvgOllb8JjZAqbrnCkeFek2SL9fVYJBM ORy3QODr2ahOo5sOYi61y7qe/MpcLdyjr5btm0L/xggWjBJ+EOo7m1iG2eQdzE88 AvcvALAtph/vmvfU3uPGWL7ms3z9Jg== =ixcT -END PGP SIGNATURE-
OpenSSL version 3.0.0-alpha1 published
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL version 3.0 alpha 1 released

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 1 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha1.tar.gz
Size: 9530120
SHA1 checksum: 4db145d3d9c9d7bfaa7b2a1fe1670f7a3781bb06
SHA256 checksum: 9d5be9122194ad1d649254de5e72afd329252f134791389d0cef627b18ed9a57

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha1.tar.gz
openssl sha256 openssl-3.0.0-alpha1.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6hpQcACgkQ2cTSbQ5g
RJHvtggAp7XIxm/00amD4TijQhJqMmGsj0RXqwAeSd0gWDQCf78GX4zMIW/tTgvk
I3Mb67DsOR5gdPZN5TigyqRaXSIAzfb8ZT4Gs9lo/j8RUi5AmzT2RYexbRv6bF6E
cQ0OabM3rk4qi4njTi/YD9YihO6/pv7tWZkkfPsN547bfm7p7fwCrEHw02En5IW8
hyFhkpKfA3c8MEa96yLwjhkYRTAzUmxus/mNID+Ja3/VTCmHjd1c57SHFPq9noll
Wqzhs3jEhluZKHpwmSSA0KQh1ph0kh6fnKLEn3Oge5dYV3P+JrFCRfDEMsI1Nb/F
hIr11rxXNxtBRKUSlOUyJATZn0sV6g==
=uRpM
-END PGP SIGNATURE-
OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [21 April 2020]
=========================================

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================

Severity: High

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d.

Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g

This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April 2020. It was found using the new static analysis pass being implemented in GCC, -fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin Kaduk.

Note
====

This issue did not affect OpenSSL 1.0.2; however, these versions are out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html

This issue did not affect OpenSSL 1.1.0; however, these versions are out of support and no longer receiving updates. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory: https://www.openssl.org/news/secadv/20200421.txt

Note: the online version of the advisory may be updated with additional details over time.
For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6e8uwACgkQ2cTSbQ5g RJHHRgf+J8iVBuK6EoOvf9xm9geiDgYVFse9ckMXH92gdGbwsW4uhTNk9fCyNC+t vsf6YGT6nKJarB5+N+LC4QB7VLo/DjlYcN9zP3mubV0eEyKHSoW6tDOWPpJ0gsbt 2Z9iTA4GnofvhBcWLiPGgv4IUHknsOaPkRmEppSF0fDTSKuYOerfNRh9jTKHulis Ph6dCOXE3kb5HfMwVj3UN2sP92XTig4FzpIQaZ1/2jKZaRXtzJD7pvu1fDCTkUGl aeta5jHNypYyRKJLuJ1+1DiBtbWTFAWMUCHlkg/kgdU4hIl/lo3vgAyFs/9mQxZQ vj2rIjoJHRj0EXqXhHoABqBHedilJQ== =AXyP -END PGP SIGNATURE-
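The advisories on this page share one plain-text layout: a dated header, one heading per issue ending in its CVE id, a "Severity:" line, a sentence listing the affected versions and "users should upgrade to" lines per branch. Those fields are what a triage script needs, and the following added example (not OpenSSL project code) extracts them and checks an installed version against the result. Both sample texts are constructed excerpts in that layout carrying the facts stated in the 21 April 2020 and 10 September 2019 advisories; the rule in is_affected that a bare branch such as "1.1.1" covers every release of that branch older than the named fix is this example's interpretation.

```python
# Added example, not OpenSSL project code: a small parser for the plain-text
# advisory format used on this page, for triage against an installed version.
import re

# Constructed excerpt in the advisory format; the facts are the ones the
# CVE-2020-1967 advisory above states.
SAMPLE_ADVISORY = """\
OpenSSL Security Advisory [21 April 2020]
=========================================

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================

Severity: High

Server or client applications that call the SSL_check_chain() function during
or after a TLS 1.3 handshake may crash due to a NULL pointer dereference.

OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.
This issue did not affect OpenSSL versions prior to 1.1.1d.

Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g
"""

# Constructed multi-issue excerpt with facts from the 10 September 2019
# advisory, to show that one advisory can carry several CVEs.
SAMPLE_MULTI_ISSUE = """\
OpenSSL Security Advisory [10 September 2019]

ECDSA remote timing attack (CVE-2019-1547)
Severity: Low
OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.
OpenSSL 1.1.1 users should upgrade to 1.1.1d
OpenSSL 1.1.0 users should upgrade to 1.1.0l
OpenSSL 1.0.2 users should upgrade to 1.0.2t

Fork Protection (CVE-2019-1549)
Severity: Low
OpenSSL version 1.1.1 is affected by this issue.
OpenSSL 1.1.1 users should upgrade to 1.1.1d
"""

_DATE_RE = re.compile(r"OpenSSL Security Advisory \[(?P<date>[^\]]+)\]")
# An issue heading is a whole line ending in "(CVE-YYYY-NNNN)"; a CVE id cited
# mid-sentence is followed by punctuation and so does not match.
_ISSUE_RE = re.compile(r"^(?P<title>.+?) \((?P<cve>CVE-\d{4}-\d+)\)\s*$", re.M)
_SEVERITY_RE = re.compile(r"^Severity:\s*(?P<sev>\w+)", re.M)
_AFFECTED_RE = re.compile(r"^OpenSSL versions? (?P<list>.+?) (?:are|is) affected", re.M)
_UPGRADE_RE = re.compile(
    r"OpenSSL (?P<branch>\d+\.\d+\.\d+) users should upgrade to (?P<fix>\d+\.\d+\.\d+[a-z]*)")
_VERSION_RE = re.compile(r"\b\d+\.\d+\.\d+[a-z]*\b")


def parse_advisory(text):
    """Return {"date": ..., "issues": [{cve, title, severity, affected, upgrade}, ...]}."""
    date = _DATE_RE.search(text)
    heads = list(_ISSUE_RE.finditer(text))
    issues = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        section = text[head.end():end]          # this issue's text only
        sev = _SEVERITY_RE.search(section)
        aff = _AFFECTED_RE.search(section)
        issues.append({
            "cve": head.group("cve"),
            "title": head.group("title").strip(),
            "severity": sev.group("sev") if sev else None,
            "affected": _VERSION_RE.findall(aff.group("list")) if aff else [],
            "upgrade": {m.group("branch"): m.group("fix")
                        for m in _UPGRADE_RE.finditer(section)},
        })
    return {"date": date.group("date") if date else None, "issues": issues}


def is_affected(issue, installed):
    """True if the installed version is listed as affected, or (this example's
    interpretation) if its whole branch is listed and it is older than the fix."""
    installed = installed.strip()
    if installed in issue["affected"]:
        return True
    m = re.match(r"^(\d+\.\d+\.\d+)([a-z]*)$", installed)
    if m is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % installed)
    branch, letter = m.group(1), m.group(2)
    if branch not in issue["affected"]:
        return False
    fix = issue["upgrade"].get(branch)
    if fix is None:
        return True                     # branch listed, no fix named: assume affected
    return letter < fix[len(branch):]   # patch letters sort alphabetically


if __name__ == "__main__":
    for text in (SAMPLE_ADVISORY, SAMPLE_MULTI_ISSUE):
        parsed = parse_advisory(text)
        for issue in parsed["issues"]:
            print(parsed["date"], issue["cve"], issue["severity"],
                  "affects 1.1.1f:", is_affected(issue, "1.1.1f"))
```

The parser only recognises the sentence forms seen in the advisories here; the Raccoon advisory's "Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w" wording, for instance, is not an "upgrade" line in this grammar and would have to be added.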
OpenSSL version 1.1.1g published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1g released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1g of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html OpenSSL 1.1.1g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1g.tar.gz Size: 9801502 SHA1 checksum: b213a293f2127ec3e323fb3cfc0c9807664fd997 SHA256 checksum: ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46 The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1g.tar.gz openssl sha256 openssl-1.1.1g.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6e5ZUACgkQ2cTSbQ5g RJFGnQf8D8U0193cmqitZZ4L63ncx8aWPMdXMookxywTnhCHm7qyNGa0a41J0iZw pRebjlrjo1rEOMFo9rNmvtoBBUs/cFD8ARsItK3Kh2ms0z4MJV4F07XJHwNkd0Wf n18+oUS6Fj7Z8TgdA+UwBFuN248kqELDp8DYntLCzyEvkweU80JIRWhC+XawjcbA W/zlD6oVfNsgYP38hSCQg14B+/djMTVYqtDSOBm3B+J7zRndYoTvsankWlsMmDD5 Tb6lOQ8IBEsgnlriOH936eKhlJ5UeTr2hPONnzDJ/cIUWn1RwX9yPGOoaf74IoHc Hg/T6vP+pD3G3mDOS51Qm87A5+nDaQ== =eNCz -END PGP SIGNATURE-
OpenSSL version 1.1.1f published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1f released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1f of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html OpenSSL 1.1.1f is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1f.tar.gz Size: 9792828 SHA1 checksum: 238e001ea1fbf19ede43e36209c37c1a636bb51f SHA256 checksum: 186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35 The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1f.tar.gz openssl sha256 openssl-1.1.1f.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6DNO8ACgkQ2cTSbQ5g RJFAHAf/c5tRSC8FNTAwXj8pEniovI/XeIHgyJG37mKXt2V5ziXwCaJCTs6Tdvth b7nGgcqHWmqTdDlYdOzhexWOESfCTEhipmh1E9wHX/fntadHn0LwzfXBIbE6CsW5 ksn2bXXHTLuY3E8GWzmdcDDZ6sjsAYCsfE6rnJqgPKl8+XqZsjlrMBLc1iXa7pvR CMNmJ5ITo98OlqtFRsmR0G7nXCwm4NLGCv9DojfR5gfyoUWZZXInyZZ3RReZEwoH fGRObO3/5E80+TxFJda8uDM0dSHUPzXJ7JA+h+uQRG+PGwXe4R8jZ8BJfjfVvmuk d72zRaRwkGrHvCo93S8xI8W2jBAqHQ== =TvT8 -END PGP SIGNATURE-
OpenSSL version 1.1.1e published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1e released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1e of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html OpenSSL 1.1.1e is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1e.tar.gz Size: 9792634 SHA1 checksum: e7105567d3e7e6353a0110f1adc81f69dbc8f732 SHA256 checksum: 694f61ac11cb51c9bf73f54e771ff6022b0327a43bbdfa1b2f19de1662a6dcbe The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1e.tar.gz openssl sha256 openssl-1.1.1e.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl5w3zsACgkQ2cTSbQ5g RJFdTQf+OeJkXlBCQvdJTv7ky6y7MGesCiMjcQsuFSLlWCHC6k2rNcgrZUH50vOB E6SH/VPvmreM+TNy95hP2uzGtFkpliIoZHu6NXJSo7QW9svBxzdqo8x7nYN3jhJ1 pEDjfk2vFz2Z/2uzoZdZVe4P8C4O4bFz79UmFUsXNffYcO0mDSih1jrjupASzSJH 0HB68p4lrdoJbiL6KIfGDLS5D+jn6KNU6gHT/6fhCalLQJ1StajpArrXXKrC2apP YAMTLYH5qxFReobKguOk6RwZnNI2Mdl75qWJ+Wu4PQORPryPeMJ00z82jx6Wv5zF vWQ4F8zoaiPfUSmyzOJgJQuRwrnNfg== =1uA3 -END PGP SIGNATURE-
OpenSSL version 1.0.2u published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.0.2u released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2u of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.0.2-notes.html OpenSSL 1.0.2u is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.2u.tar.gz Size: 5355412 SHA1 checksum: 740916d79ab0d209d2775277b1c6c3ec2f6502b2 SHA256 checksum: ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16 The checksums were calculated using the following commands: openssl sha1 openssl-1.0.2u.tar.gz openssl sha256 openssl-1.0.2u.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl38yAQACgkQ2cTSbQ5g RJHhkggAgL/QJ1zRY8yppCnf9zT1h3DW6t6nHC+n01GV5Fu6L4lvJqmJEtR+Vr5l u/z+kNDWdeTdic73MAdD9RO/k+sraZ13kAaj5VaQ7Sn16LIok0cQl09Q0yVYaXlC aEVcQ3RUcOneqI+sMLlpIWE26tMCn9MvNmuFNmyOHvYDotJbHQc379Qt6qoYmqHd Hn9vJrIAgjtuwtb2InA5Y29788dwQPXS9qPOWWN/xMOq2t4dSM43vvwrC2jgyTtR tT/l/FZQuu8Y1oVKwuHB43tDM8Gnvpot9DwSxXSxBPcSKxNpKVqvyNUrYohYaruB a6I9lBE7rbRojDiAvg9nUF3PTG0O/w== =IOW8 -END PGP SIGNATURE-
OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [6 December 2019]
===========================================

rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551)
===================================================

Severity: Low

There is an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.

OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue. However due to the low severity of this issue we are not creating new releases at this time.

The 1.1.1 mitigation for this issue can be found in commit 419102400. The 1.0.2 mitigation for this issue can be found in commit f1c5eea8a.

This issue was found by OSS-Fuzz and Guido Vranken and reported to OpenSSL on 12th September 2019. The fix was developed by Andy Polyakov with additional analysis by Bernd Edlinger.

Note
====

OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2 will end on 31st December 2019. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates. It is unknown whether issues in this advisory affect it. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory: https://www.openssl.org/news/secadv/20191206.txt

Note: the online version of the advisory may be updated with additional details over time.
For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl3qhRUACgkQ2cTSbQ5g RJHQvwgAhVefbdppxDZbGhiIjc/MLTeZmYC5U57rGMvGQ7WL8+xbkGVYmFPu69kp dN+kGPVJAZySmbhJZVmbrdxgl/zCvwE1WXPh5ILQCvA8cF0z762TCJpxbDJksy/9 igmavYVMxWLePMz7+HsVo6VCcvmBNGykg8zpJm33v2/wc9dBE+c/sJoep/pcXYNI fLrcLUnsnJoWhg23VNUXEkW8Ru4jkaXTtg4v4sdxHzPbp0qBbekdhj6GAekyFRjn Zpv4buJDxohcJw91rBK36tXU/PZARW4tO6TR6CdVuB16T7XMye0wKp3kRNd0QPE9 O/LGrT1Jq8cFTxYHfFYeOrkVJKpgog== =6Z6t -END PGP SIGNATURE-
OpenSSL version 1.1.1d published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.1.1d released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1d of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html OpenSSL 1.1.1d is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1d.tar.gz Size: 8845861 SHA1 checksum: 056057782325134b76d1931c48f2c7e6595d7ef4 SHA256 checksum: 1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2 The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1d.tar.gz openssl sha256 openssl-1.1.1d.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl13oWoACgkQ2cTSbQ5g RJFGjwf+IA34TBZZt/lwjtsALggJuoRrYyCBCDbdwJA+rBO2uQV2h+f7Tj5FBcuI ARRhbUJqCDq7MFl1+6O5jPhTxZK0P1z242rOTvW50w4MFy+FZCwZjloxRBtgOlTy y4t7yzuvCU1RidKiK9B42a6KypgQFEEHSlCkepNAjX94OLQhB+iF20vJ86gSFzrv keJTUDXEbAa7I9MyK9p7SQbqHgFbTt0QAIYj/afNGOGv6ZyjiVrbp+4I29I0IG98 Dn4+4dp0xaY+oC1FTyO+lqfTLXuSnVR8TGDACHFyeQHCjf6wfSbFlxfH40CfeQzv 8vakK0+YhIAij7Pcm4te9ffUaSeNHg== =jsdh -END PGP SIGNATURE-
OpenSSL version 1.1.0l published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.1.0l released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.0l of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.0-notes.html OpenSSL 1.1.0l is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.0l.tar.gz Size: 5294857 SHA1 checksum: 6e3507b29e2630f56023887d1f7d7ba1f584819b SHA256 checksum: 74a2f756c64fd7386a29184dc0344f4831192d61dc2481a93a4c5dd727f41148 The checksums were calculated using the following commands: openssl sha1 openssl-1.1.0l.tar.gz openssl sha256 openssl-1.1.0l.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl13okkACgkQ2cTSbQ5g RJFu5wf9HCvluEc1W1UwNqaw48n3g1ZclRdexYFO12HtUTTtriUwu0BPorvzHVmo x4I0JzUxLeRXyS2kdBBPJC0OlPlrZMkWfwNy9IF2BRFGcMuGhjIOu60FfRNkGOM8 63RdIuSy1oPnwL4kUOdQi4pru1UcQVx25l4tpB6pLMKKgioGc1x75mP+C/lxhM16 PvPSo8pETU60V2QFaxzbfOqbS8LJhbO2m+dYCzgGy6Rjrd2CyzyZbtKC/bWoyMhW s3jQ4oBjGh28y/mrzLup9oXP4f4/GlWajxd+pFXsj8xRfwEN7Zwg7eLlg6uZh6Cq 4KhsFKHIKgvba/lekhASdh71BdVVSA== =na1Q -END PGP SIGNATURE-
OpenSSL version 1.0.2t published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.0.2t released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2t of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.0.2-notes.html OpenSSL 1.0.2t is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.2t.tar.gz Size: 5355422 SHA1 checksum: 8ac3fd379cf8c8ef570abb51ec52a88fd526f88a SHA256 checksum: 14cb464efe7ac6b54799b34456bd69558a749a4931ecfd9cf9f71d7881cac7bc The checksums were calculated using the following commands: openssl sha1 openssl-1.0.2t.tar.gz openssl sha256 openssl-1.0.2t.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl13pssACgkQ2cTSbQ5g RJFr9wf/X0fke/exS13hQb4h9RqE9fYouVbSNKTKhLp9X8BtYUOtUTjO5ispKt+1 BGWBotApoXBTopOsdJVXhzLtYst2YdKEtvyJAEFyxfpJa2PL4jmo5zxk93qWjDjA u0HXR1Tu4XTLlE3EfqbfV/8bVO4kntTCk/xvg0gql1LUCVIRtjmqmsKOe7MJAHkH 94yb3kRFMpXb2YB6/zrK+ZuruL5ejTZCcXG7Dx9+LH5X7E/8KFDknk0Zo6w6970I LbrXjtAOfHtVEK5XAFESCkMkjNqahopOs90AtemiOt1oOsNztjr7bVFHqJ3/oBMf OYamiO1W2IhyxnPbet6zUDYG0FtYpw== =sBvh -END PGP SIGNATURE-
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL Security Advisory [10 September 2019]
=============================================

ECDSA remote timing attack (CVE-2019-1547)
==========================================

Severity: Low

Normally in OpenSSL EC groups always have a co-factor present and this is used
in side channel resistant code paths. However, in some cases, it is possible to
construct a group using explicit parameters (instead of using a named curve).
In those cases it is possible that such a group does not have the cofactor
present. This can occur even where all the parameters match a known named
curve.

If such a curve is used then OpenSSL falls back to non-side channel resistant
code paths which may result in full key recovery during an ECDSA signature
operation.

In order to be vulnerable an attacker would have to have the ability to time
the creation of a large number of signatures where explicit parameters with no
co-factor present are in use by an application using libcrypto. For the
avoidance of doubt libssl is not vulnerable because explicit parameters are
never used.

OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.

OpenSSL 1.1.1 users should upgrade to 1.1.1d
OpenSSL 1.1.0 users should upgrade to 1.1.0l
OpenSSL 1.0.2 users should upgrade to 1.0.2t

This issue was reported by Cesar Pereida García, Sohaib ul Hassan, Nicola
Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley. The fix
was developed by Billy Brumley. It was reported to OpenSSL on 5th August 2019.

Fork Protection (CVE-2019-1549)
===============================

Severity: Low

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was
intended to include protection in the event of a fork() system call in order
to ensure that the parent and child processes did not share the same RNG
state. However this protection was not being used in the default case.

A partial mitigation for this issue is that the output from a high precision
timer is mixed into the RNG state so the likelihood of a parent and child
process sharing state is significantly reduced.

If an application already calls OPENSSL_init_crypto() explicitly using
OPENSSL_INIT_ATFORK then this problem does not occur at all.

OpenSSL version 1.1.1 is affected by this issue.

OpenSSL 1.1.1 users should upgrade to 1.1.1d

This issue was reported by Matt Caswell. The fix was developed by Matthias St.
Pierre. It was reported to OpenSSL on 27th May 2019.

Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
============================================================================

Severity: Low

In situations where an attacker receives automated notification of the success
or failure of a decryption attempt an attacker, after sending a very large
number of messages to be decrypted, can recover a CMS/PKCS7 transported
encryption key or decrypt any RSA encrypted message that was encrypted with
the public RSA key, using a Bleichenbacher padding oracle attack. Applications
are not affected if they use a certificate together with the private RSA key
to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient
info to decrypt.

OpenSSL 1.1.1 users should upgrade to 1.1.1d
OpenSSL 1.1.0 users should upgrade to 1.1.0l
OpenSSL 1.0.2 users should upgrade to 1.0.2t

This issue was reported by and the fix developed by Bernd Edlinger. It was
reported to OpenSSL on 21st August 2019.

Note
====

OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2
will end on 31st December 2019. Support for 1.1.0 ends on 11th September 2019
so 1.1.0l is expected to be the last 1.1.0 release. Users of these versions
should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190910.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl13vK0ACgkQ2cTSbQ5g
RJGJIgf+Me900bLV9TrVDWvNRQbuRe0tOPPhP59J4tJAJiRZ1GG0JV2YITQynjTP
hrz9mvajgWbkGYlTZmPVFOdJr7LKbrUrxk7shEfXqmiiCLG8tHYiCe3PF+/Cy7gA
X1vY9CDfv//3VSqOLM9RM3CCcWAAv3KeP851X0PgCiMVvGAJbYOu3bmB+KsEKFzm
fWRDabUMbl1KCSgCIvvlNv0bKR/GfpW3cWruUvG0sfjyPWwS+yn8z0T3/ibFJqkb
Cmuqa3/kC9uZg8AhiODR+nz6D1mC2UiNZ2Wa/XO6O68rO/y3ZKbaiMGLze1qJep5
3PnybOw8b3JvpVRFYw09YwgLObBX8w==
=8bP1
-----END PGP SIGNATURE-----

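The trigger condition in the CVE-2019-1547 section of the advisory above is structural: an EC group encoded as explicit parameters with the optional cofactor omitted, even when the values match a named curve. The Python below is an added example and is not code from the OpenSSL project or from the advisory. It walks the DER of a PKIX/SEC 1 ECParameters value (a CHOICE of a namedCurve OID, an implicitlyCA NULL, or a SpecifiedECDomain SEQUENCE whose sixth field is the optional cofactor) far enough to classify it, which is the check a reviewer of key files or configuration would want before a library falls back to the non-constant-time path. The explicit sample encodings are constructed placeholders with toy field values, not real curve constants; the only real identifier is the prime256v1 OID, and the function names are this example's own.

```python
import base64

# DER tag numbers used by the ECParameters CHOICE (RFC 3279 / SEC 1):
#   namedCurve      OBJECT IDENTIFIER
#   implicitlyCA    NULL
#   specifiedCurve  SpecifiedECDomain ::= SEQUENCE {
#       version INTEGER, fieldID FieldID, curve Curve, base OCTET STRING,
#       order INTEGER, cofactor INTEGER OPTIONAL, hash HashAlgorithm OPTIONAL }
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def _children(body):
    """Split the content octets of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def classify_ec_parameters(der):
    """Return 'named-curve', 'implicitly-ca', 'explicit-with-cofactor' or
    'explicit-no-cofactor' for one DER-encoded ECParameters value.
    'explicit-no-cofactor' is the configuration the advisory singles out."""
    tag, body, end = _read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing data after ECParameters")
    if tag == TAG_OID:
        return "named-curve"
    if tag == TAG_NULL:
        return "implicitly-ca"
    if tag != TAG_SEQUENCE:
        raise ValueError("not an ECParameters encoding")
    fields = _children(body)
    if (len(fields) < 5 or fields[0][0] != TAG_INTEGER
            or fields[3][0] != TAG_OCTET_STRING or fields[4][0] != TAG_INTEGER):
        raise ValueError("malformed SpecifiedECDomain")
    # Field 6, when present and an INTEGER, is the cofactor.
    if len(fields) > 5 and fields[5][0] == TAG_INTEGER:
        return "explicit-with-cofactor"
    return "explicit-no-cofactor"


def classify_ec_parameters_pem(pem_text):
    """Same check for a PEM 'EC PARAMETERS' block such as `openssl ecparam` writes."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN EC PARAMETERS-----" or lines[-1] != "-----END EC PARAMETERS-----":
        raise ValueError("not an EC PARAMETERS PEM block")
    return classify_ec_parameters(base64.b64decode("".join(lines[1:-1])))


# --- constructed sample encodings (placeholders, not a real curve) -----------

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v):
    return _der(TAG_INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def _explicit_params(with_cofactor):
    """SpecifiedECDomain with toy field values; only the structure matters here."""
    prime_field_oid = bytes.fromhex("2a8648ce3d0101")          # 1.2.840.10045.1.1 prime-field
    field_id = _der(TAG_SEQUENCE, _der(TAG_OID, prime_field_oid) + _int(23))
    curve = _der(TAG_SEQUENCE, _der(TAG_OCTET_STRING, b"\x01") + _der(TAG_OCTET_STRING, b"\x01"))
    base = _der(TAG_OCTET_STRING, b"\x04\x03\x0a")             # placeholder uncompressed point
    body = _int(1) + field_id + curve + base + _int(29)
    if with_cofactor:
        body += _int(1)
    return _der(TAG_SEQUENCE, body)


NAMED_CURVE_P256 = bytes.fromhex("06082a8648ce3d030107")       # OID 1.2.840.10045.3.1.7 (prime256v1)
EXPLICIT_WITH_COFACTOR = _explicit_params(True)
EXPLICIT_NO_COFACTOR = _explicit_params(False)

if __name__ == "__main__":
    for name, der in (("named", NAMED_CURVE_P256), ("explicit+cofactor", EXPLICIT_WITH_COFACTOR),
                      ("explicit-cofactor", EXPLICIT_NO_COFACTOR)):
        print(f"{name:20s} -> {classify_ec_parameters(der)}")
```

Anything that classifies as "explicit-no-cofactor" is worth re-encoding as a named curve (or with the cofactor supplied) before it reaches an ECDSA signing path, independent of whether the library in use has been patched.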
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL Security Advisory [30 July 2019]
========================================

Windows builds with insecure path defaults (CVE-2019-1552)
==========================================================

Severity: Low

OpenSSL has internal defaults for a directory tree where it can find a
configuration file as well as certificates used for verification in TLS.
This directory is most commonly referred to as OPENSSLDIR, and is configurable
with the --prefix / --openssldir configuration options.

For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume
that resulting programs and libraries are installed in a Unix-like environment
and the default prefix for program installation as well as for OPENSSLDIR
should be '/usr/local'.

However, mingw programs are Windows programs, and as such, find themselves
looking at sub-directories of 'C:/usr/local', which may be world writable,
which enables untrusted users to modify OpenSSL's default configuration,
insert CA certificates, modify (or even replace) existing engine modules, etc.

For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all
Unix and Windows targets, including Visual C builds. However, some build
instructions for the diverse Windows targets on 1.0.2 encourage you to specify
your own --prefix.

OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the
limited scope of affected deployments this has been assessed as low severity
and therefore we are not creating new releases at this time.

The mitigations are found in these commits:

- For 1.1.1, commit 54aa9d51b09d67e90db443f682cface795f5af9e
- For 1.1.0, commit e32bc855a81a2d48d215c506bdeb4f598045f7e9 and
  b15a19c148384e73338aa7c5b12652138e35ed28
- For 1.0.2, commit d333ebaf9c77332754a9d5e111e2f53e1de54fdd

The 1.1.1 and 1.1.0 mitigation set more appropriate defaults for mingw, while
the 1.0.2 mitigation documents the issue and provides enhanced examples.

This issue was reported by Rich Mirth. The fix was developed by Richard Levitte
from the OpenSSL development team. It was reported to OpenSSL on 9th Jun 2019.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190730.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAl1AU3sACgkQ1enkP335
7oxnEw//ebb9FK16oXpvW6nifNgSHUBYRaq+3ApvSfGG8Er1M0Zn80iD/WY8wzM7
ZabUUNlOdnOs0iQivMYzy+8QzP9NRaqX2WZk/Q1koNT5WAt9+VDCw6hhbp6FN8B9
9aeRvdawNME9JPysl3KOR6DnYJQnpJgV0yQ2pJM2yMKNuDFkvy6E9ieMoWAGx5Ya
8JZ4KGFubA1vDPj5xowkRDxZo+SLdAaEMQw0YG8DWSK5BViZV+3d4OMAAL1RjnZy
s4OSghqi7wUbgo8XO38/roN4y4BEgmEXU0IpSRNf1xrwCoFM82hEgOO3xWxPtbZk
EtDcMUTtMYa1g5IMdGIkVvS4wnNr2j2BAi8WECkPf5QCzCoaX/Xc9jutslTw20M/
UoZnyGgVoOQCsO6ECwLUnSEp772mhS1056c4OKb62kfhlIcGkWi5vk5wjWVZFxEx
rXJC7xabp29e051mnrJtLr85UWUv5B/ywREPyvbdjWg6lJBxB0dOYXMQLpJi6B5i
/bDX7czP/1EeOg+FDSGOR174JGIyMYmPqpyzGpdds72GfOQqtGHC2z41FlvHMglB
9VobSZnF97MIan4/9H4ge+gUUq0PeIZ+invvgCHzuW4oYBOngwwVD5QXfSQUjA9a
etYHkJx+3t4hPrPKAT/J0jHA7AbWtYK7dL6qTxSwli2Gl/D4ipk=
=gxli
-----END PGP SIGNATURE-----

OpenSSL version 1.1.0k published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.0k released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.0k
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.1.0-notes.html

OpenSSL 1.1.0k is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0k.tar.gz
    Size: 5287321
    SHA1 checksum: aaa2ddad0285575da7c9fa8021c26e5c8433ab15
    SHA256 checksum: efa4965f4f773574d6cbda1cf874dbbe455ab1c0d4f906115f867d3070b1

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.0k.tar.gz
    openssl sha256 openssl-1.1.0k.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAlztMKgACgkQ1enkP335
7ozB7BAArso7v+Yy6+3TiPPaH+EAYkEr2J+WQ2D17s7M9kpW8errvyX7B/yMIVSh
1ZEPfWWtmDdd9CDqfpM/P2ttipjHvrPvwh01+Re8sm+pE8me3j9N1UkqXLpRPQuW
eSAwjSYcVTgGlDlJnsDW7Yxf1vibfjA7hDHL+7MY3tdPna2rb2TICOmX1TmwR4ha
Xc6E6JAH049Rjzh9NCgcxANnembTnPqRAVmxyf6ziMmvHeDe6voYQZrtagC1CHbY
x1Y+Q3GMLtvebm7YRqoy3o29WFMPUPErcfPsun9aizmTR+UgePjQ9Tjq6bF9umTL
5Z1lt4JJsC0gUmKLTpPL0SNhAf1/TS59Usvk4pMefSq7ejteSzX1xoHY/VQ4U8pO
pO8Vsn7k8U4azuRgi3diprYhgtMDeK4udyepFTI53Bqk/H7Gm0v+R7tYYH2Zbwqm
49UuvMlP/7XHKwo0hIoV6Ul3xrNprxoXQmTG+Tm4+AoA4Qn9jELvMe96CaeLAPxG
V7NjqK7Tr4Iosso4h+Pq2oEsu3GLzXVdFYA5RORkakuX60Y8+jznKAP4WNhPS/rs
zPr8fVghb0kpctodvq2px47DVQSsUf2nYGVwu205bHpGyTKuB1ZWkYbC6cQEg3yB
SPlFyHmHWYjqk8RSmSKZSiN33x0ysG8kwr3PEJOEEe8bvF3r7cM=
=go9J
-----END PGP SIGNATURE-----

OpenSSL version 1.1.1c published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.1c released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1c
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1c is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1c.tar.gz
    Size: 8864262
    SHA1 checksum: 71b830a077276cbeccc994369538617a21bee808
    SHA256 checksum: f6fb3079ad15076154eda9413fed42877d668e7069d9b87396d0804fdb3f4c90

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.1c.tar.gz
    openssl sha256 openssl-1.1.1c.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAlztM8MACgkQ1enkP335
7ow2lRAAirwJYIX4XunYXMV88tQILxAB6iCDiN04c5r5ayJqmF5Zr3QKGDG7Vj+l
q6NEmKIYpyjAxZau3orl0OC5L4Us+URFpyFpCe8BOpXjasFQYk7jycr3MI1BHYcO
dl9gVx09BZriR+q9w5xBJad34leCvuCD950+9eG/DY3+xSSWLDeagzz+dhOgTnOj
+YyMo+o/f+VucjsYddL2ehL5v744xdqu6Pu4JMceLaRdSfmKXRqwlob2w2UtCgoD
roy4+pPVLA9FYBOOYy1n2PFGopp/c67xfQX1yB35mjAB5y3FSJAWFS0gvPaHvzj1
D+zbQSxYVksOyUSrK33KnJmouaml5+CQgYRS+Umn8549A2apkIB/yRLo2K65Iuqd
KHgZGbI4cGUBEdbIxUDtvhsIr/+JlujJPvs5Eyiwm8+K/WPiZ3Hw8EXmdqTl9ITK
7URwWM4thq1sikD7RKHl4h9gEzvB6iqTd+dPbUE8jIc29HD7rPJWCw3m+gOGEoAu
L0rU4palNa1Ab6kMZ2SYsXv/rH4pl0iHBBrzVOStay/k4zPYS3eD6kytyB0vLt6g
f0u4heD4G4QiohqIFaDHjs8eSq1Paz3eA3Ylly8JKweBFTrHHssyz22ItGDCcQwz
cOb7H3o/AdXGZOSHxHtLBQqxsUcCuUID0YTyUB43bRuLnVmWs6I=
=EHRv
-----END PGP SIGNATURE-----

OpenSSL version 1.0.2s published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.0.2s released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2s
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2s is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2s.tar.gz
    Size: 5349149
    SHA1 checksum: cf43d57a21e4baf420b3628677ebf1723ed53bc1
    SHA256 checksum: cabd5c9492825ce5bd23f3c3aeed6a97f8142f606d893df216411f07d1abab96

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.0.2s.tar.gz
    openssl sha256 openssl-1.0.2s.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAlztMAcACgkQ1enkP335
7ozPdRAAnUKK6jxlMa3O2GeVDU0ZZNS3A3zyMJd2yPCB3I3b0BMxy/ZWw4A6Vtyd
l1M+GhP7/SG+kom9f6Ky2QXTW29lYQT4ImNZwU/hRI/nLKCqFw9Kzq4wqZnwlavx
pI54Loz86Ysp2PIAtWJrOPxWT7HEculhhR0yOXxWAlAkRmrbrG3JdTba3UIH0T2P
3xoncvI0ODXWE6eW3hNCtxb/npo/czcAolO/EEN60tRcZm849ODgzNqpiV5zegoF
cogfVaQFGcOncv4bYdxQIPBDBLWVEEkT+05agnFfZkv6hpIL8h2jrG4b46ULs+ZM
4iNznwLEVNVhF6Qm6RIffC3xrKIhmDZkGH8Y/ypBOTVk/vUhvot+a7Ab05fvnqeR
O5BwxUVwNsxQdZ4v4BKJM/RE1ApHuQoezOCwfPfMT2NZd3StVueQxkwSrRhtEx8k
ZnRrgtqYM8zCjqW7uVOvSIB08EZvJpIhMofIMqlfEixdTvmSvHQ8iPCQrKS0dmjA
CtWdSgFbc7NYXwj5lqfr58brKhhoap/B8MFvVaGkcqhsCp5pE/a8JO79ESI7TVQD
uxs28qhEj7RXNH61m9viOvu75ph6lfVxI/4Hat7yi/pzr4jpYYJXWM6Iz9PTf2PS
admaUdGLOUB7L51Z7/uTHuACV16SwXryJn4b0OwuTmUQ9rsdDRA=
=aI2x
-----END PGP SIGNATURE-----

OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL Security Advisory [6 March 2019]
========================================

ChaCha20-Poly1305 with long nonces (CVE-2019-1543)
==================================================

Severity: Low

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV) should
be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads
the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly
allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes
are significant and any additional leading bytes are ignored.

It is a requirement of using this cipher that nonce values are unique. Messages
encrypted using a reused nonce value are susceptible to serious confidentiality
and integrity attacks. If an application changes the default nonce length to be
longer than 12 bytes and then makes a change to the leading bytes of the nonce
expecting the new value to be a new unique nonce then such an application could
inadvertently encrypt messages with a reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the integrity
guarantee of this cipher. Any application that relies on the integrity of these
ignored leading bytes of a long nonce may be further affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because
no such use sets such a long nonce value. However user applications that use
this cipher directly and set a non-default nonce length to be longer than 12
bytes may be vulnerable.

OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited
scope of affected deployments this has been assessed as low severity and
therefore we are not creating new releases at this time.

The 1.1.1 mitigation for this issue can be found in commit f426625b6a.
The 1.1.0 mitigation for this issue can be found in commit ee22257b14.

This issue does not impact OpenSSL 1.0.2.

This issue was discovered by Joran Dirk Greef of Ronomon. The fix was developed
by Matt Caswell from the OpenSSL development team. It was reported to OpenSSL
on 26th February 2019.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190306.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlx/5b4ACgkQ2cTSbQ5g
RJEXSwgAgHQkb/CyWdubYozRAeUDBT9o6gt/kgsBwPYBxAV75lRo4qwBxzfkeQ6P
6EUFSzEPhabQOhpnTY4QaqphzG2FAl4BbtDalYN+zPOZxppmH7O8Kje+j+onInDI
O4jbjXLgAlgmf5jw5IyhfxQKcaFbdLtcFGzh1t4rMEhT+ehx8ePnGnklPTjfh4ea
bN+BlM1Fm6Au3i/IJB2I6e8ayxFnTx9mAegPvV/RRYma43Ee/Hpvb6eBaTfTZ9yp
lOp0jG4iViB4r3EP3H/l5oVC9fWCAI0Am+vcLq9PsWl632fc39hDREhPrRMfnOds
40ayI4NwoUu4Z89Qdae1iWEUkgjRgA==
=Aub4
-----END PGP SIGNATURE-----

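The advisory above explains the failure mode (leading bytes of an over-long nonce silently ignored, so a value that looks fresh can repeat) but not what correct handling looks like at the API boundary. The Python below is an added example and is not code from the OpenSSL project or from the advisory: a compact RFC 7539 ChaCha20-Poly1305 that refuses any nonce that is not exactly 12 bytes before building any cipher state, derives nonces from a fixed field plus a message counter so they cannot repeat under one key, and authenticates the AAD so the tag check covers everything the caller intended to protect. The key, nonce, AAD and plaintext constants are the published RFC 7539 section 2.8.2 test values; the function names are this example's own.

```python
import hmac
import struct

# Constructed test inputs: the AEAD_CHACHA20_POLY1305 example from RFC 7539 section 2.8.2.
KEY = bytes(range(0x80, 0xA0))
NONCE = bytes.fromhex("070000004041424344454647")       # 4-byte fixed field || 8-byte IV
AAD = bytes.fromhex("50515253c0c1c2c3c4c5c6c7")
PLAINTEXT = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
             b"only one tip for the future, sunscreen would be it.")

MASK32 = 0xFFFFFFFF


def nonce_is_valid(nonce):
    """RFC 7539 fixes the nonce at 96 bits. Anything else is refused outright
    rather than padded or truncated, which is the behaviour CVE-2019-1543 is about."""
    return len(nonce) == 12


def counter_nonce(fixed4, seq):
    """Deterministic nonce: 4-byte fixed field || 8-byte big-endian message number.
    A caller that increments seq per message never reuses a nonce under one key."""
    if len(fixed4) != 4 or not 0 <= seq < (1 << 64):
        raise ValueError("fixed field must be 4 bytes and seq must fit in 64 bits")
    return fixed4 + seq.to_bytes(8, "big")


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 7539 section 2.3)."""
    if len(key) != 32 or not nonce_is_valid(nonce):
        raise ValueError("key must be 32 bytes and nonce exactly 12 bytes")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state += [counter] + list(struct.unpack("<3I", nonce))  # exactly 3 words: no slack for extra bytes
    w = list(state)
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, counter, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], keystream))
    return bytes(out)


def poly1305_mac(otk, msg):
    """Poly1305 over msg with the 32-byte one-time key otk (RFC 7539 section 2.5)."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)


def _tag(key, nonce, aad, ciphertext):
    # The Poly1305 key is the first 32 bytes of keystream block 0; the MAC input
    # covers the AAD, the ciphertext and both lengths, so every byte the caller
    # supplied is under the integrity guarantee.
    otk = chacha20_block(key, 0, nonce)[:32]
    mac_data = _pad16(aad) + _pad16(ciphertext) + struct.pack("<QQ", len(aad), len(ciphertext))
    return poly1305_mac(otk, mac_data)


def aead_encrypt(key, nonce, aad, plaintext):
    """Return (ciphertext, tag). Raises ValueError for any nonce that is not 12 bytes."""
    if not nonce_is_valid(nonce):
        raise ValueError("ChaCha20-Poly1305 nonce must be exactly 12 bytes")
    ciphertext = chacha20_xor(key, 1, nonce, plaintext)
    return ciphertext, _tag(key, nonce, aad, ciphertext)


def aead_decrypt(key, nonce, aad, ciphertext, tag):
    """Return the plaintext, or None if the tag does not verify."""
    if not nonce_is_valid(nonce):
        raise ValueError("ChaCha20-Poly1305 nonce must be exactly 12 bytes")
    if not hmac.compare_digest(_tag(key, nonce, aad, ciphertext), tag):
        return None
    return chacha20_xor(key, 1, nonce, ciphertext)


if __name__ == "__main__":
    ct, tag = aead_encrypt(KEY, NONCE, AAD, PLAINTEXT)
    print("tag:", tag.hex())
    print("round trip ok:", aead_decrypt(KEY, NONCE, AAD, ct, tag) == PLAINTEXT)
```

The design point is that the nonce length is validated before any state is built, which is the opposite of padding or truncating: a caller who hands over a 16-byte value gets an exception instead of a silently repeated nonce, and with `counter_nonce` the uniqueness requirement becomes a property of the message counter rather than of the caller's discipline.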
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL Security Advisory [26 February 2019]
============================================

0-byte record padding oracle (CVE-2019-1559)
============================================

Severity: Moderate

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data.

In order for this to be exploitable "non-stitched" ciphersuites must be in
use. Stitched ciphersuites are optimised implementations of certain commonly
used ciphersuites. Also the application must call SSL_shutdown() twice even if
a protocol error has occurred (applications should not do this but some do
anyway).

This issue does not impact OpenSSL 1.1.1 or 1.1.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2r.

This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram,
with additional investigation by Steven Collison and Andrew Hourselt. It was
reported to OpenSSL on 10th December 2018.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190226.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlx1U+gACgkQ2cTSbQ5g
RJFnlAf/U9yZtCz59BjgD0Kh7Eya5KxlmUWItdBu1r3DwbY4KDgL/Wwh4UxG3Qim
D7Ht5Xsta4iAywrMRI/iPEdEQct8pcpWjq4/65lEbTYjToEnNWhIeWHH/Lw3Jfza
gcVpIfbWoWc7OL7U4uPQuGWcb/PO8fJXF+HcCdZ+kIuut0peMSgN5sK/wBnmSdsM
+sJXCei+jwVy/9WvCBMOooX7D8oerJ6NX12n2cNAYH/K7e2deiPZ7D/HB7T9MSv/
BgOi1UqFzBxcsNhFpY5NMTHG8pl0bmS0OiZ9bThN0YHwxFVJz6ZsVX/L5cYOAbm/
mJAdDE24XMmUAOlVZrROzCZKXADx/A==
=8h8L
-----END PGP SIGNATURE-----

OpenSSL version 1.1.1b published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.1b released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1b
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1b is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1b.tar.gz
    Size: 8213737
    SHA1 checksum: e9710abf5e95c48ebf47991b10cbb48c09dae102
    SHA256 checksum: 5c557b023230413dfb0756f3137a13e6d726838ccd1430888ad15bfb2b43ea4b

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.1b.tar.gz
    openssl sha256 openssl-1.1.1b.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlx1SgkACgkQ2cTSbQ5g
RJEc5QgAoB+R93O6fi3QBaLM6zcZQWcq0y/c2fEo+tybClP4DfUudJij5cjlfzfN
W0srK+qq15PJPxbH02fUcUdIBHF5OdQv0XMIS5ueN1clvGTcvpqdmyvE7INqouFd
xUGbRzNw8hN4BY/skamuc1uxMXQUFx4ek2W12q4D/oCSOuPrS411uSev3pACLyK8
Bchcs/TLSreaz46ckRC+fiQ9jgBKjcA5q4pC/kIn+KGrfoRZz+no4cQlZS84NFgN
BbT4bn9mV1+f1PksSlBZ6r+YSeaFrXP/e0sfTuMGYiXUx+XPQ+uMHjiljAGuYYz3
Nr2GqL9nHLvJ5xMBJmJCes4zkd0J9g==
=Wh0M
-----END PGP SIGNATURE-----

OpenSSL version 1.0.2r published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.0.2r released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2r
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2r is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2r.tar.gz
    Size: 5348369
    SHA1 checksum: b9aec1fa5cedcfa433aed37c8fe06b0ab0ce748d
    SHA256 checksum: ae51d08bba8a83958e894946f15303ff894d75c2b8bbd44a852b64e3fe11d0d6

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.0.2r.tar.gz
    openssl sha256 openssl-1.0.2r.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlx1S0oACgkQ2cTSbQ5g
RJH9UQf9Gi2WrDyOwxtlu84f7vlcQX1zfG+Fs10OZgYi6rvD6VprJJewsWaJI9S+
O5LDv0p1aCFNgcTc57oNZCb+Or8xWdhvTOc5cNa408nFVK4wVazTdzKRFLECZEL4
E0vs22XNEIhrPHuHAJnuYaP12232Wymn9VHSbWeNl2ZR7Vj64rJ8Lqp8w+YpBU5+
eGidbLSKC29r8VV/6/9ei8PUSGEpy6ci8Tp+oMn6iVgMx6fuAnVDWDL32kWbzdAB
r/OUee06D+QQFQMAJGAiDRxbC4XuNaLCiysr8a7QoltsxJjCaq7H9zRlArv3iE27
/fuwegvHE+upW2k3J1ZCL/Dlq+MuxA==
=MwGd
-----END PGP SIGNATURE-----

[openssl-project] OpenSSL version 1.1.1a published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.1a released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1a
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1a is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1a.tar.gz
    Size: 8350547
    SHA1 checksum: 8fae27b4f34445a5500c9dc50ae66b4d6472ce29
    SHA256 checksum: fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.1a.tar.gz
    openssl sha256 openssl-1.1.1a.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlv0DbQACgkQ2cTSbQ5g
RJEs7Af+K00VWk3I/Eqo+HfIwVenGBE18xo26yCNjB7anxBi0ic4b/06ilME7lcT
WANVlBcWg/ea7g8k8dEFNdnKlcdcQWRo51mfVelyC1L3OrVNfNzP1BrKTutaRq9S
Hv8WvGGWaNlAdtLmy9rqmZVxuUMKYf0bC+9B8QqZ4hP1FjZry/wLSgU87+dqFY5Z
dWBlctsvvc/7dl0ZrovtieEXCuH6+MK4i++jWjS6d5/ON1581wkmEzIkH5tRebQO
jPaSj8rJB7H1bAZiZPd7c3Db5n4TG8NNoT+Kujk0LFTP+FjwEh6/WF8jybLDgGMg
Y6mJnkcXimLoCLpuNZmBh1V4BAntTQ==
=7K60
-----END PGP SIGNATURE-----

_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

[openssl-project] OpenSSL version 1.1.0j published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.0j released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.0j
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.1.0-notes.html

OpenSSL 1.1.0j is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0j.tar.gz
    Size: 5411919
    SHA1 checksum: dcad1efbacd9a4ed67d4514470af12bbe2a1d60a
    SHA256 checksum: 31bec6c203ce1a8e93d5994f4ed304c63ccf07676118b6634edded12ad1b3246

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.0j.tar.gz
    openssl sha256 openssl-1.1.0j.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlv0DwoACgkQ2cTSbQ5g
RJGaxggAkHnv1uEc/zs/mIRvJDcBi4ITN3Fgeu2CdmbgMhcLXpKKcVAt28f/bT6c
gVgV7OGZbJPJBEz/X6Ed8hIV5+OSIDUyER8Vywo8hhKgA7P0zZKSL6UnHSanes6x
zfJCQ43+g2GSKxxBWNo3qsMtbOpgNvqRbggnsOBnrCwiNVUbNGl7BqHDmH8+KzWB
tXamWDZ7Q6g6/vpLeQQlR38LXEiC928dSUmeNhbllbEUskkmVQIyys5/uRlFkCcb
9XEHmv4/lSrC3iUe0av4jfo/YjpcaknvqytW+HBgjvb4X1QAERXO0c7qdd9vGU2R
28H8/ETVDvpdnohfEHA2w3gqrZS6Kw==
=1c3l
-----END PGP SIGNATURE-----

[openssl-project] OpenSSL version 1.0.2q published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.0.2q released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.2q
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2q is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2q.tar.gz
    Size: 5345604
    SHA1 checksum: 692f5f2f1b114f8adaadaa3e7be8cce1907f38c5
    SHA256 checksum: 5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.0.2q.tar.gz
    openssl sha256 openssl-1.0.2q.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlv0D/MACgkQ2cTSbQ5g
RJHZwQf/XVVXUUPD6ybAWXzWTAhb4kECMC7ahiEuLwO82IF8dafNNGLWVKU4qD5Q
oHCBuHq8UUHPo1s+YeR+3phH0it8xZNUvpDw4BPFlLNkev16+yYJudl2YE9asVep
1Hup97zhSVfF7YS3o4r3TFL6VeAeC0XLHNItIYznldZ7oiI4iCvSH3rZ3Sb3O6lL
EpSu3CYqgpbUI09aSZDdwYaUwj7j2KGf3D+U8U+bHY7d47GdvykSk18l1Mt2m/0K
63gDR4Nl+dgkLu6BALuqT79vhkRdiKWV4+e0GhvZPpjpoWBveYY1Q7nkfjy0Sh7j
womsen61sS073bbdHZX6LoVuAsQbOw==
=WXDE
-----END PGP SIGNATURE-----

[openssl-project] OpenSSL version 1.1.1 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.1 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1 is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1.tar.gz
    Size: 8337920
    SHA1 checksum: e4559f31dca37ce815e0c7135488b747745a056d
    SHA256 checksum: 2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.1.tar.gz
    openssl sha256 openssl-1.1.1.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAluXuZ8ACgkQ2cTSbQ5g
RJFPFQf9G1LopuN1P3tIUTgps9Z1SS+TuC7OeRPu9TCEqOR0yO8WGyTCfLZnoXZ7
0BqFASYW4VbPCy8LH3glHLBe64NApdoA1HoMmHCvd+TxPQHEvhc0OejSaOGZKY/r
2LGUvEguiyYpjQS4bQmsl8wNl3CrYRGSMqBcbFj+qF/Rrlpa1hpKGnH4ooMxe7Nx
/Ro4AjMe46vQL/RU980yFl+JTkhAvSOxw0cltbILPO2MP6Fo4QZqMO8mYRjEnqUZ
E/Ixl/dIkSWjPC8pkkRS9FmMQHHYe66S20OK7V2Zl3Zd88FrNI+qeKgEF3ABGknR
6vR0kPkddRl43JktQ4B1QKS+GcwzHw==
=fvfm
-----END PGP SIGNATURE-----

[openssl-project] OpenSSL version 1.1.1 pre release 9 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.1 pre release 9 (beta)
==========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 9 has now been
made available. For details of changes and known issues see the release notes
at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY. It should
NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre9.tar.gz
    Size: 8411103
    SHA1 checksum: 01a42e93a34746340974b9fafe960226f7d10ff7
    SHA256 checksum: 95ebdfbb05e8451fb01a186ccaa4a7da0eff9a48999ede9fe1a7d90db75ccb4c

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.1-pre9.tar.gz
    openssl sha256 openssl-1.1.1-pre9.tar.gz

Please download and check this beta release as soon as possible. To report a
bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of
known issues. (Of course, the source is also available on GitHub.)

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlt8Ah8ACgkQ2cTSbQ5g
RJGYTAgAm4xPeNBGKAsmA9eoRm8FkQHew1zhf9G2P677n26+JKwoUBx7O6c/zhKV
c9wP5xjvDl3KlUNw3gga2URIE95wj4RGMOcLUxWEVci+oR7luRXDocJKcAfppLcl
50T4OKL/5tqtAodI700t42SlA4EWyZIv+Kt5YMzQnkbbelGqFA8Loi1yDks+JwWU
2xlx4ukAvCNUuHvKIs85QaRi5PSWRZHE4o49ijP+ynUSxSqjGTLpeW+Ij6pHOH+e
2rKAScmx1Ll3ZK50dVnlWif6H7hjftWclqbNXrGy76SUQjmmzi1vxAm8ftmgUZEP
qXxGwJpfpCirNBHPSXeaMSe4thZeCw==
=etGy
-----END PGP SIGNATURE-----

[openssl-project] OpenSSL version 1.1.0i published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.0i released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.0i
of our open source toolkit for SSL/TLS. For details of changes and known issues
see the release notes at:

    https://www.openssl.org/news/openssl-1.1.0-notes.html

OpenSSL 1.1.0i is available for download via HTTP and FTP from the following
master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0i.tar.gz
    Size: 5453234
    SHA1 checksum: 6713f8b083e4c0b0e70fd090bf714169baf3717c
    SHA256 checksum: ebbfc844a8c8cc0ea5dc10b86c9ce97f401837f3fa08c17b2cdadc118253cf99

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.0i.tar.gz
    openssl sha256 openssl-1.1.0i.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAltyztkACgkQ2cTSbQ5g
RJE10gf6At9Ash5MVfgFwq03wqB0LGraQzSSKqAoraAZEgs2rTYGIaWY0HDTmeKf
Ul35obSd5fsJ4ZyaIuL6zdFadlf0HkyYCcuZvl/GcPRB3BjiWrLcIyqJzL+HR3vc
p6rxXAYAM1RV/u4+6OJ6LCh3UEB68yBL1mF1Gj2lwQNKxpIZsq+RxLD9Q9SZirzU
eVgCiAeMfGY1FcCFuKlHxdowxE7IEveq56aRHFY2OLXS2NXp/KL0lfzeK0JSkCv9
0O4MLuNJoTNdIuYvElyiFWdpSauhh7Fx3wR2sv+3Z7Chm0XdKYDgiFEaPkCc+RYN
nGk8eAsGEqP7eefHmMGXYVsA72PtgA==
=Cpov
-----END PGP SIGNATURE-----

[openssl-project] OpenSSL version 1.0.2p published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.0.2p released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.0.2p of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    https://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2p is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2p.tar.gz
    Size: 5338192
    SHA1 checksum: f34b5322e92415755c7d58bf5d0d5cf37666382c
    SHA256 checksum: 50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.0.2p.tar.gz
  openssl sha256 openssl-1.0.2p.tar.gz

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlty0pMACgkQ2cTSbQ5g
RJGQoQf/TjfR+u6Hx2jdABRi6Vyi3T+VlGbHh8xyCP4l5c+JCqPMfxlKz/PF0Cbb
6KwIlc/2dUZZtCQOSITESxmI+xuuPWrwkSKilYetdqxe2ULWtCtDYDru/BgLASn7
M477ANTznqYoKC69vgbbiC0zYS1SdTbdw+agq1Ps+bLHk2GcbiVqRMMzTgvUqnD9
JdmTtAI4mVKJbiLejXz9c4I2Rii9MYTS1QKCpSdFg9irpNjRqLsieEwEoJ6m5eka
rVkS567eT4IF1gXLYZeC03FWABUY0PcY9ZO2PhtfuyCKa0Y3dhlIkP8btMAmQAUQ
JiIgeN2523E4DEWy4aAnOgsFqagvHQ==
=aHv+
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL version 1.1.1 pre release 8 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.1 pre release 8 (beta)
==========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 8 has now
been made available. For details of changes and known issues see the
release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre8.tar.gz
    Size: 8334954
    SHA1 checksum: 6bca29b8b9b6cf399ad9ee585ff72c314406a757
    SHA256 checksum: 1205cd763dd92c910cc590658a5b0774599e8587d89d6debd948f242b949321e

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1-pre8.tar.gz
  openssl sha256 openssl-1.1.1-pre8.tar.gz

Please download and check this beta release as soon as possible. To
report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available on
GitHub.)

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlsqaTYACgkQ2cTSbQ5g
RJEDPgf+MNjzRojgEzlu1IQmBthLgE2u9FL1IzTqeDGLBHolCws136AP0C8meHMi
kJUS616C5Xe8P4NYJKHQhrRoJoB8iY92aJRJTjWLEic/KWR/SmTfLLuUCQ35iArP
sT95NOhtHiYhc5iHAk0cDt42kf8ukgpLi1DcobNwzoFUma9M5y973V6fMg7OpIWu
gdSFFRjajmGJnWWmlW6+25XPBW+2otu07yRTIM+O08CEl2EcYf0TxDmncCoHS1Zu
vHt8HmRVTTzZ27hFndeD2HLeiVUe/teUfHAWe5VyqRhLcNoa20zGX2F/cvzZH8Zb
7qmwRpfVFJX0llNccuhCQVKnah1kjw==
=6mX8
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL Security Advisory [12 June 2018]
========================================

Client DoS due to large DH parameter (CVE-2018-0732)
====================================================

Severity: Low

During key agreement in a TLS handshake using a DH(E) based ciphersuite a
malicious server can send a very large prime value to the client. This will
cause the client to spend an unreasonably long period of time generating a
key for this prime resulting in a hang until the client has finished. This
could be exploited in a Denial Of Service attack.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL
1.1.0i and OpenSSL 1.0.2p when they become available. The fix is also
available in commit ea7abeeab (for 1.1.0) and commit 3984ef0b7 (for 1.0.2)
in the OpenSSL git repository.

This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken who
also developed the fix.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180612.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlsfnTgACgkQ2cTSbQ5g
RJE9Twf/VSgXaFPlW+JyA2BAiwGREMr/oMQe8mhmka3WQgNb7oMQRxk4ZqwRvLi2
ggPVOQilJ+tkXgeifEQ3SDRxDnnmcUvxbWB8Lt+7tjhM6O+GYGbGbzupnkBs2IIY
72vll4l7ySMQ8/fcdU/uuNyObfigLC9XndH3tEewxffs6uvDxMyGhZmNQpq1aZNj
rGj3dETUuO/Ln8siAD7nkv9xodRINViMP76fSKAtdaikvZa3uhLBMhX5tOzpR/ta
tc2+6uthdU9JjSRZZpfDlzzhsOFqMrLfOLrJQIIXshxUNeOZyJCkmT9ED8XZRDMB
twb1kOxCKz8Ky+Xm/Rki9uRVoZFjBg==
=kKic
-----END PGP SIGNATURE-----
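The advisory does not state what bound the fix applies. What follows is an added example (my code, not OpenSSL's) of the screening a DHE client should do on the ServerDHParams it receives before it touches the prime: parse the three length-prefixed vectors from the TLS 1.2 ServerKeyExchange body and reject a modulus outside a size window using only integer bit-length and range checks, so a hostile prime is refused before any modular exponentiation is started on it. The 10000-bit cap and the 2048-bit floor are assumptions chosen for the example, as are the constructed "primes", which are merely odd numbers of the right size and not real groups.

```python
# Screening TLS 1.2 ServerDHParams before any modular arithmetic is done.
MAX_DH_BITS = 10000   # assumed cap for this example; set per local policy
MIN_DH_BITS = 2048    # assumed floor; small groups are the Logjam problem, not this CVE


class DHParamError(ValueError):
    pass


def _read_vec16(buf, pos):
    """opaque x<1..2^16-1>: two-byte big-endian length, then the bytes."""
    if pos + 2 > len(buf):
        raise DHParamError("truncated length field")
    n = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    if n == 0 or pos + n > len(buf):
        raise DHParamError("vector length out of range")
    return buf[pos:pos + n], pos + n


def parse_server_dh_params(body):
    """ServerKeyExchange.params for a DHE suite: dh_p, dh_g, dh_Ys (RFC 5246 7.4.3).
    Returns the three integers and the remaining bytes (the signature, handled elsewhere)."""
    p, pos = _read_vec16(body, 0)
    g, pos = _read_vec16(body, pos)
    ys, pos = _read_vec16(body, pos)
    return int.from_bytes(p, "big"), int.from_bytes(g, "big"), int.from_bytes(ys, "big"), body[pos:]


def screen_dh_params(p, g, ys, max_bits=MAX_DH_BITS, min_bits=MIN_DH_BITS):
    """Return (accepted, reason). Only cheap integer checks, no pow(): a hostile p
    cannot make the client burn time before it is rejected."""
    bits = p.bit_length()
    if bits > max_bits:
        return False, f"DH modulus too large ({bits} bits > {max_bits})"
    if bits < min_bits:
        return False, f"DH modulus too small ({bits} bits < {min_bits})"
    if p % 2 == 0:
        return False, "DH modulus is even"
    if not 1 < g < p - 1:
        return False, "DH generator out of range"
    if not 1 < ys < p - 1:
        return False, "server public value out of range"
    return True, "ok"


def screen_server_key_exchange(body, **limits):
    """Parse then screen; a malformed body is refused with the parser's reason."""
    try:
        p, g, ys, _rest = parse_server_dh_params(body)
    except DHParamError as e:
        return False, f"malformed ServerDHParams: {e}"
    return screen_dh_params(p, g, ys, **limits)


# --- constructed test messages: not real groups, only sizes and ranges matter here ---

def _vec16(b):
    return len(b).to_bytes(2, "big") + b


def _ibytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_server_dh_params(p, g, ys):
    return _vec16(_ibytes(p)) + _vec16(_ibytes(g)) + _vec16(_ibytes(ys))


HONEST_P = (1 << 2047) | (1 << 1023) | 1   # odd, exactly 2048 bits (constructed, not prime)
HOSTILE_P = (1 << 20000) | 1               # odd, 20001 bits: the shape the advisory describes
SAMPLE_YS = 1 << 1000                      # constructed public value inside (1, p-1)

if __name__ == "__main__":
    print(screen_server_key_exchange(build_server_dh_params(HONEST_P, 2, SAMPLE_YS)))
    print(screen_server_key_exchange(build_server_dh_params(HOSTILE_P, 2, SAMPLE_YS)))
```

The ordering matters: the size check comes first and costs nothing, whereas a primality or subgroup check on a 20000-bit value is exactly the work the attacker wants to force, so it must never run on an unscreened modulus.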
[openssl-project] OpenSSL version 1.1.1 pre release 7 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.1 pre release 7 (beta)
==========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 7 has now
been made available. For details of changes and known issues see the
release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre7.tar.gz
    Size: 8308876
    SHA1 checksum: 1879b688f9e36665f82bda8cac4f392029683bd0
    SHA256 checksum: e4a54e1eba294a2e39cde62aeaf1f1fa0442169f849faf14e735136ad6cc

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1-pre7.tar.gz
  openssl sha256 openssl-1.1.1-pre7.tar.gz

Please download and check this beta release as soon as possible. To
report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available on
GitHub.)

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlsNRX8ACgkQ2cTSbQ5g
RJG5OwgAhQ1fmHrG57u3jCfhKn7r2t1c6CxnSfZRn7hRc1He772R3iwi9A3i6AO3
9BlEj16V8bQ/2DF6vH31FzBnPjfnP8QENDC3btwdQOdufkQLyeqvgMIjdj42VFS6
E803eCRE1fN6w0LZzVoP8TarWCIifD+Wb3c9VfFsTDWzfQ2TMQz3SKsVqhRA9m0e
+xKpkFkJNHw7MQw5B7EomuJYwCVZpERDQAJMlh78uQK5SCoLFw3f14+2C0IzLIBn
6fKVbC546TJgflWoR2uGjOSgYKZqxysya1ZcKfGTOuRy4YiBMkCxX/n0GNEEJFoy
gKxJYtMXHCmudlcEjvqcXqO0schzRw==
=HTbt
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL version 1.1.1 pre release 6 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1 pre release 6 (beta)
==========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 6 has now
been made available. For details of changes and known issues see the
release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre6.tar.gz
    Size: 8286337
    SHA1 checksum: d9aa6121ea9e8bfc4632566c72b376620c68ece3
    SHA256 checksum: 01f91c5370fe210f7172d863c5bdc5dee2450c3faa98b4af2627ee6f7e128d87

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1-pre6.tar.gz
  openssl sha256 openssl-1.1.1-pre6.tar.gz

Please download and check this beta release as soon as possible. To
report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available on
GitHub.)

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJa6GGbAAoJENnE0m0OYESRnqwH/jMNw6OXpGYriZphZxLNDBlR
YGJcNypVPcW1y5aDPlhBp9GUTAot4NPtbYpbBegPdvWaI4tA5O3+2gnCRh3xoE9e
k704SlJP+mmBOJSL2/9xSH1tJHNrSmXkHOpfZCr4nKJfayFDnl/H+vf6yNz3CzeB
Oys/VDpLPrV2ev10QNpeypu37es4shNSIRU1OEjH+iDrmTBzt9LzU6dS1rYjtuiV
QK/rdKV8ql0SFNIsrpLHNCT2EMfRqT/kbLcqObrczNBSunZXQF98W4XVhp7dlFBT
GrE8gc/KY8YGfX6kF+1Vy+9vDDKNwaLyzRKXMKUZRLnxkSBbZBREerfwaQT7m0o=
=O0aC
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL version 1.1.1 pre release 5 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.1 pre release 5 (beta)
==========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 5 has now
been made available. For details of changes and known issues see the
release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre5.tar.gz
    Size: 8288689
    SHA1 checksum: 8b479a8c555a9eba57b6003e4bd7200dff9535ee
    SHA256 checksum: 0e5ff2f216cea5fa89af6dcd429c3c142acd7c786b0c4868a039689a2641cf3d

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1-pre5.tar.gz
  openssl sha256 openssl-1.1.1-pre5.tar.gz

Please download and check this beta release as soon as possible. To
report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available on
GitHub.)

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAlrV93QACgkQ1enkP335
7owHBBAArOo3ChdJyOVRNN9wXPgRJtDTTv22yqadmcgpEiwh5AMWZUCg9Tl8B0BZ
mMcQruV1J0m5qi4mUgBp87ZhqCcOje7uZubyj6VKEAxlklIzyrfPaJyIUWE7CwQi
6jPrMrF9PVkj24DZ/IUPFk6+fJen9POJddeaCuxUM12faZkRD0XxxTEvyKamgou7
Odb/Zn148SFQKMMSVOgaSr0t/go9gJ3vNRaRzBUhG9ZSaxDcwzCaO5OjjwI4xrEY
XnGT54yWJNIvnSsxddhs7q4AUDEa/jNq+iCduPYVbMfuym+7YYMTlKABfnP5i1D2
gd8Ag+2hJe7rtKB6vYKOnyTKJFoMLhoRfJ12N55fJ9L4yLoy5guZEelE2Ib35YWo
twlgQVPu5YnJpZnF0uZTZmcOJruEcQ7e15B8zyZfUIBtqXXg3tcH3QD3noKUYVmf
s8+EfwebwIoLCy8kriO5bogJRVLQHvu1gehTXQa3edrD7iinZzlhdR7UPl9avlnv
7A0XhEiPEqwEmJUdHx/NGH5bydx/cb+oRgB26YTQyqhNw0meQg4znTui/xz2ARE/
r7PWifGhPPAbq8txuj+d8ipDeoyXS46KgR+sF2ncYMS3iQpAddQtCFIU1whpeRip
wGm9uMu41Ba0H3CmUbmgTNU5kE3RCR00kirPiGQfRtf/pwI5zZY=
=vyz+
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [16 Apr 2018]
=======================================

Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
================================================================

Severity: Low

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
a cache timing side channel attack. An attacker with sufficient access to
mount cache timing attacks during the RSA key generation process could
recover the private key.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL
1.1.0i and OpenSSL 1.0.2p when they become available. The fix is also
available in commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2)
in the OpenSSL git repository.

This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
The fix was developed by Billy Brumley.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180416.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJa1MKgAAoJENnE0m0OYESRKOoIAKmRnj0YtE1y89WnRiCjMk8l
Z7XAsPk6nkEa8dlrEvEsUhS90CFSf9OcYliAlfjD/+RVZXXeK4AHn8/g7HxAdDcK
62biQiHbxICBqnrE6DCe6GrMXEy3MWuefSWnoTyd/x8W1grjdhkrlmIqe68DP0iv
WItmStRVOpx4mQDcrYqw6ZKhhu1Lv007khyAornJP+S6NSlK6brdNQyRNmp3+HO4
irqPi6xQWGcaAtrdpWi8mDnomld75j5m+G98N/gCqaCAIn7Zau+kAAW1+1dO5S4L
tsQ0CifVnRfUTz0cCL51L8G3a3RWYs34AXRZvSRi3q88AiZ1L6FCF2cHZJu1KuE=
=+TYO
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL version 1.1.1 pre release 4 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1 pre release 4 (beta)
==========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 4 has now
been made available. For details of changes and known issues see the
release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre4.tar.gz
    Size: 8259067
    SHA1 checksum: 28d83c6441d269660ca1571331bb830867b082d4
    SHA256 checksum: df2d5fcc2a878525611c75b9e9116fbcfbce8d9b96419a16eda5fb11ecc428f6

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1-pre4.tar.gz
  openssl sha256 openssl-1.1.1-pre4.tar.gz

Please download and check this beta release as soon as possible. To
report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available on
GitHub.)

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJaw4CRAAoJENnE0m0OYESR8/gH+wRA1A8TQnwUr9/keW8SGZrg
wxhgEh3q04yYTL7yGYMWn53TDLJR1TJN3viEKtS9vZ7/EIfytb7Q/Sf+dlEpy3GP
Fe5QWQu76DakiF5HHKVoVmcNyObA1sdNzqagxz/XhYkhUdjToOlqDhT0lkPg42ps
lidX68jqvZx2DfE5yjsHp4HzHwLsXVPcOILarX0OOIeG7mVS1k9fIqnVFsajnOhR
KJxMoyJ59pos0hsjA6ZHcjMpcaeXFEUYCqpPQYP/EqQz5h5q456HRovempB+GRM8
yUWAPAgaqfTlOz5Jx5+1SxFbKqFc+/Rkx2M3zpa15SuJ6R7cHZiS/JLlBXF+LiQ=
=x0tg
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [27 Mar 2018]
=======================================

Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
==========================================================================================

Severity: Moderate

Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There
are no such structures used within SSL/TLS that come from untrusted sources
so this is considered safe.

OpenSSL 1.1.0 users should upgrade to 1.1.0h
OpenSSL 1.0.2 users should upgrade to 1.0.2o

This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project. The fix was developed by Matt Caswell of the OpenSSL development
team.

Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)
========================================================

Severity: Moderate

Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
effectively reduced to only comparing the least significant bit of each
byte. This allows an attacker to forge messages that would be considered as
authenticated in an amount of tries lower than that guaranteed by the
security claims of the scheme. The module can only be compiled by the HP-UX
assembler, so that only HP-UX PA-RISC targets are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0h

This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
(IBM). The fix was developed by Andy Polyakov of the OpenSSL development
team.

rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
=========================================================

Severity: Low

This issue has been reported in a previous OpenSSL security advisory and a
fix was provided for OpenSSL 1.0.2. Due to the low severity no fix was
released at that time for OpenSSL 1.1.0. The fix is now available in
OpenSSL 1.1.0h.

There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this
defect would be very difficult to perform and are not believed likely.
Attacks against DH1024 are considered just feasible, because most of the
work necessary to deduce information about a private key may be performed
offline. The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the server
would have to share the DH1024 private key among multiple clients, which is
no longer an option since CVE-2016-0701.

This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).

Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
and CVE-2015-3193.

OpenSSL 1.1.0 users should upgrade to 1.1.0h
OpenSSL 1.0.2 users should upgrade to 1.0.2n

This issue was reported to OpenSSL on 22nd November 2017 by David Benjamin
(Google). The issue was originally found via the OSS-Fuzz project. The fix
was developed by Andy Polyakov of the OpenSSL development team.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180327.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJaulEjAAoJENnE0m0OYESRc2oH/2E5ya4GF745SK7VB7ZjCWu6
tN5q3CNr1gUiZKcsvK4nl/OdP5h+KToHYQR1RBy0tusk1cFHYRuztsZhtb/mm0DD
Z3adXvnz8VFeCyNC/aptwOO0OoPbUHgqhf1L5deNaXMZJDqEjz/6WlVfFQezSeVf
h0Sy72SmX2h+Jt1Zh+VYjfX/xMTnX6CWrbyC78KKZ88s4dSYbMsYdJuJSqpar/C1
zQpgCD6Stk0L9J4DB4DYr3MAInMJXRIMyFOZlrOm4oTbZqSdcFxIglCMVPlXpES2
Ke1Gse5bab+O0sr+Ue4Vk0zsi3wv7zaUk8d7YchMpUlqJWKeY3N3i40jnacx1fU=
=ATWc
-----END PGP SIGNATURE-----
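For the first issue in this advisory (CVE-2018-0739) the defence is a hard cap on how deep a constructed type may nest, checked before recursing. What follows is an added example, not OpenSSL's parser, of a minimal DER walker that enforces such a cap: with the cap in place it refuses a deeply nested input with a clean error, and with the cap effectively removed the same input takes the interpreter's own stack down, which is the analogue of the stack exhaustion the advisory describes. The cap of 30 is an assumption for the example; the page does not give OpenSSL's figure. The nested-SEQUENCE input is constructed inline.

```python
MAX_NEST = 30  # assumed cap for this example; the page does not give OpenSSL's figure


class DerError(ValueError):
    pass


class DerDepthExceeded(DerError):
    pass


def _read_length(buf, pos, end):
    """DER length: short form (< 0x80) or long form (0x80 | number of length bytes)."""
    if pos >= end:
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise DerError("indefinite length is BER, not DER")
    k = first & 0x7F
    if k > 4 or pos + k > end:
        raise DerError("bad long-form length")
    return int.from_bytes(buf[pos:pos + k], "big"), pos + k


def _walk(buf, pos, end, depth, max_depth):
    """Parse the TLVs in buf[pos:end] at the given nesting depth."""
    out = []
    while pos < end:
        tag = buf[pos]
        pos += 1
        if (tag & 0x1F) == 0x1F:
            raise DerError("multi-byte tags not supported by this walker")
        length, pos = _read_length(buf, pos, end)
        if pos + length > end:
            raise DerError("element overruns its enclosing element")
        if tag & 0x20:  # constructed: recurse, but only while within budget
            if depth + 1 > max_depth:
                raise DerDepthExceeded(f"nesting deeper than {max_depth}")
            children, _ = _walk(buf, pos, pos + length, depth + 1, max_depth)
            out.append((tag, children))
        else:
            out.append((tag, bytes(buf[pos:pos + length])))
        pos += length
    return out, pos


def der_walk(data, max_depth=MAX_NEST):
    """Parse DER into nested (tag, children-or-bytes) tuples with a hard nesting cap."""
    tree, end = _walk(data, 0, len(data), 0, max_depth)
    if end != len(data):
        raise DerError("trailing bytes")
    return tree


def count_nodes(tree):
    return sum(1 + (count_nodes(c) if isinstance(c, list) else 0) for _, c in tree)


def accepts(data, max_depth=MAX_NEST):
    """(accepted, reason): tells a clean refusal apart from the stack dying."""
    try:
        der_walk(data, max_depth)
        return True, "ok"
    except DerDepthExceeded as e:
        return False, str(e)
    except RecursionError:
        return False, "interpreter stack exhausted"
    except DerError as e:
        return False, f"malformed: {e}"


# --- constructed input: INTEGER 1 wrapped in n SEQUENCEs, the shape the advisory describes ---

def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def nested_sequences(n):
    body = b"\x02\x01\x01"
    for _ in range(n):
        body = b"\x30" + _encode_length(len(body)) + body
    return body


if __name__ == "__main__":
    print(accepts(nested_sequences(5)))
    print(accepts(nested_sequences(5000)))
    print(accepts(nested_sequences(5000), max_depth=10**6))
```

The depth counter is passed down explicitly rather than derived from the call stack, so the check costs one comparison per constructed element and fires before the recursive call is made; that is the property to look for when reviewing any recursive-descent decoder fed from untrusted input.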
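For the second issue (CVE-2018-0733) the advisory's point is that a comparison which looks at one bit per byte shrinks the forgery search from 2^(8n) to 2^n candidates for an n-byte tag. What follows is an added example, not OpenSSL's code, that models the described defect beside a correct constant-time comparison and counts how many online guesses a forger needs against each verifier. The 16-bit tag is constructed so that the full search finishes instantly; real MAC tags are far longer, which is exactly why the per-byte shrinkage matters.

```python
import hmac
import itertools


def lsb_only_compare(a, b):
    """Models the defect the advisory describes: the PA-RISC CRYPTO_memcmp ended up
    comparing only the least significant bit of every byte."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= (x ^ y) & 0x01
    return diff == 0


def correct_compare(a, b):
    """Constant-time, full-width comparison (what CRYPTO_memcmp is supposed to be)."""
    return hmac.compare_digest(a, b)


def tries_to_forge(compare, secret_tag):
    """Online forgery against a verifier that uses `compare`: submit candidate tags
    in lexicographic order and count submissions until one is accepted."""
    for i, cand in enumerate(itertools.product(range(256), repeat=len(secret_tag)), start=1):
        if compare(bytes(cand), secret_tag):
            return i
    raise AssertionError("unreachable: the genuine tag is among the candidates")


def worst_case_tries(compared_bits_per_byte, tag_len):
    """Size of the space the attacker actually has to search."""
    return 2 ** (compared_bits_per_byte * tag_len)


SECRET_TAG = b"\x7e\x81"   # constructed 16-bit tag for the demonstration

if __name__ == "__main__":
    print("broken :", tries_to_forge(lsb_only_compare, SECRET_TAG), "of", worst_case_tries(1, 2))
    print("correct:", tries_to_forge(correct_compare, SECRET_TAG), "of", worst_case_tries(8, 2))
```

Against the broken verifier the forger succeeds on the second submission, because only the two low bits of the tag have to be right; against the correct one the same enumeration takes 32386 submissions and would take up to 65536, the full 2^16 the scheme promises for a 16-bit tag.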
[openssl-project] OpenSSL version 1.1.0h published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.0h released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.1.0h of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    https://www.openssl.org/news/openssl-1.1.0-notes.html

OpenSSL 1.1.0h is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0h.tar.gz
    Size: 5422717
    SHA1 checksum: 0fc39f6aa91b6e7f4d05018f7c5e991e1d2491fd
    SHA256 checksum: 5835626cde9e99656585fc7aaa2302a73a7e1340bf8c14fd635a62c66802a517

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.0h.tar.gz
  openssl sha256 openssl-1.1.0h.tar.gz

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJaukw0AAoJENnE0m0OYESRqTEH+wYF71XM5PtoMUlSPksCg7uW
HZK83MrdKZTbZpvB9Sh/5MuW+Qet9rAL8u4tJ4jhwrs/bGtoHXWXgvq1inHgPXUM
mf7hPUbLqf6wf39EmsIshbXK4xGD8amUL7lwzKL5go8hc1kS+dhD8lrVEWdwD869
32BZ9ODqCrC+/Jevrr1WSIc3NBGzQksI9dwGKM+In1QDpGwARlDz/Hq0NlLLxerf
Y6cILXvmPigJLpevH8fBRXiM7SJziFCtsTzCrlXHtUIWFzthmGtaTcoUwU2BHGxP
zLPr8DoB5TqFo50uG5frOWVNgK7RFDkx/coco3Xs6OOdh+VTk7RG20E9z+Tkrhk=
=LIxK
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL version 1.0.2o published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.0.2o released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.0.2o of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    https://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2o is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2o.tar.gz
    Size: 5329472
    SHA1 checksum: a47faaca57b47a0d9d5fb085545857cc92062691
    SHA256 checksum: ec3f5c9714ba0fd45cb4e087301eb1336c317e0d20b575a125050470e8089e4d

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.0.2o.tar.gz
  openssl sha256 openssl-1.0.2o.tar.gz

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJauk1PAAoJENnE0m0OYESR3XoH/jgf9DJxh7Ig/hMSEYKsPAns
yA2gh5tLf20qhaDMDK82iOdJejz0E3MhffFh+5FbnSnHcz2RD2Yk/PQ/9wZQka2+
nRsa1sLJ8jHfByPuIBsoUlYFkB0sjOzjNM/cUtZyJi5oLexv6VmFNGFIfWZAxdJZ
zuiGNwf6k6ll3YP8WW1WzKcSWSQkaYVzgUHGylh0KJwJOMnGpDedEqdmvl6qn0Zz
XOYQJ7+zadNw9bRTER/pl/zF1nI8dHi9G0bZWZeBRC5ObAQkE4vQ+e1qClydyFii
7B8IdlOB8aLxmWoip160q0wY0XjFjymbQ87EEUMqCIgxLihuXGU0FLWwYOqZIcc=
=wl+z
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL version 1.1.1 pre release 3 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1 pre release 3 (beta)
==========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 3 has now
been made available. For details of changes and known issues see the
release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre3.tar.gz
    Size: 6552052
    SHA1 checksum: a9dee6b70334726420f483c496216d2b335a4510
    SHA256 checksum: b541d574d8d099b0bc74ebc8174cec1dc9f426d8901d04be7874046ad72116b0

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1-pre3.tar.gz
  openssl sha256 openssl-1.1.1-pre3.tar.gz

Please download and check this beta release as soon as possible. To
report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available on
GitHub.)

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJasQkhAAoJENnE0m0OYESRf30H/1OxOdWi82Cw69+z4ly80TyR
IeWQRgFh60lar3li3R6/ns57eXFo7jGOAAws1iOZll3RGR9bkp70cLXCZtMvZoEP
79pLrfUZR6s6BwGrSs7X3fHac4muUZSQLaAdCJG5Y6Sgi2XBy0rRYFxle0qND1c3
tNeh1B6oXy236cvVaDAUNYKEC/31RzupWIdLdT9UYWLU5qYdgkaOztHO2x1pDRX/
Vs18qNND5mHIrsv0QfZPP40nvsZrRoz7rXBuZdaQwLA9ZJzS0hNxwlpkodJB8kHD
o29Q0fkczGnL3hw5rSi7c+qKgngXIVkB0ssisZBHgHVAA6WvvSPNG9SeGYJRgwQ=
=0UFn
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL version 1.1.1 pre release 2 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1 pre release 2 (alpha)
===========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in alpha. OpenSSL 1.1.1 pre release 2 has now
been made available. For details of changes and known issues see the
release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The alpha release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre2.tar.gz
    Size: 6485957
    SHA1 checksum: 11be9034aa6b84eb8bfff7accc2a1a3f940deef9
    SHA256 checksum: 33dbda4a90345d256942fb5316967efd90df4f2373578c7b56c90062fe21fc9c

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1-pre2.tar.gz
  openssl sha256 openssl-1.1.1-pre2.tar.gz

Please download and check this alpha release as soon as possible. To
report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available on
GitHub.)

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJalV/kAAoJENnE0m0OYESRW3kIAJhmXNT0kBRffoJn4jK5VC/R
eDd+Pv25fNBq+LaNKd1m0B0BO+cZcxw6fygxM4rrsU8vchbWmquY4HH8rCaXZ7SE
iW2EsnJJR9JZk7dnhNImmct3jYhALHnabC0qrinvIYVJRWaFRmpPPOFkvVaJ3Ouy
24vQ4Np98x33fw+p/0m6r4wHZ6c5zkHMUw5W1bmGPJF6i7YkZcM8ZKpMM2svObuS
2NEZvyfqrZNiBKwtRzl2WFFOMEgk/bbDrpqUPg6Ul2iYyfyz/LGtu5O5xYGxHCbq
AptoWRILpkYmpgH+2ULJWuiVb21wIWCLcgKIfmizdMOPqsO6XmgzFJOV730HEW0=
=W0yX
-----END PGP SIGNATURE-----
[openssl-project] OpenSSL version 1.1.1 pre release 1 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1 pre release 1 (alpha)
===========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in alpha. OpenSSL 1.1.1 pre release 1 has now
been made available. For details of changes and known issues see the
release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The alpha release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre1.tar.gz
    Size: 6406872
    SHA1 checksum: 83fee0570c8aff4701700f88d193fcf785b595ae
    SHA256 checksum: dd291d0a81d77219d40b21b9caf4713daaf43416fe8d6eae0b96df39b8b17e6d

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1-pre1.tar.gz
  openssl sha256 openssl-1.1.1-pre1.tar.gz

Please download and check this alpha release as soon as possible. To
report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues.

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJaguyiAAoJENnE0m0OYESRQSoH/03mmxlj3zAcOgiWcQW7Nsfv
bDr6TArh2zplEv/KUxrZiy9CCCKh3p9KI2VlUclObj327pkknMrQfx2TvYDztqfn
UsbBL2XA+aiTlF0qgzDQMxg4bdfzYMKL5MUxQvsteVyyTrz5Wm1EWnwjn/mtKh6f
p+nJPM9slFeV5EYTdNWIsugl55xU3oueFdVKdOqdZIUkKf5yAVe0/7UH/zVHYRt9
Mq7KZP6suRWhOgcK+g16tevO03+KkY/4O8rwE05DG3gjBbpT/hQvMcluV6jpHgIK
KhMUurwOwjN81TZhYmkdKf5gBRvJ03zaJE+LeZHIKR6xdzOQBURsM4m+xPAs7i0=
=ZT+8
-----END PGP SIGNATURE-----