OpenSSL Security Advisory
and commit 99472514130 for (1.0.2).

This issue was reported on 2nd May 2024 by Joseph Birr-Pixton. Additional analysis was provided by David Benjamin (Google). The fix was developed by Matt Caswell.

General Advisory Notes
======================

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240627.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
OpenSSL Security Advisory
OpenSSL Security Advisory [28th May 2024]
=========================================

Use After Free with SSL_free_buffers (CVE-2024-4741)
====================================================

Severity: Low

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use.

While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a situation where this occurs. We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.

OpenSSL 3.3, 3.2, 3.1, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.1 once it is released.
OpenSSL 3.2 users should upgrade to OpenSSL 3.2.2 once it is released.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.6 once it is released.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.14 once it is released.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1y once it is released (premium support customers only).

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. The fix is also available in commit e5093133c3 (for 3.3), commit c88c3de510 (for 3.2), commit 704f725b96 (for 3.1) and commit b3f0eb0a29 (for 3.0) in the OpenSSL git repository. It is available to premium support customers in commit f7a045f314 (for 1.1.1).

This issue was reported on 10th April 2024 by William Ahern (Akamai). The fix was developed by Matt Caswell and Watson Ladd (Akamai).

General Advisory Notes
======================

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240528.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
OpenSSL version 3.0.13 published
OpenSSL version 3.0.13 released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.13 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.13 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.13.tar.gz
    Size: 15294843
    SHA1 checksum: 18b985dcd3fc0bab54cc4bfc10fa9a80ce9e345d
    SHA256 checksum: 88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.13.tar.gz
  openssl sha256 openssl-3.0.13.tar.gz

Yours,

The OpenSSL Project Team.
OpenSSL version 3.1.5 published
OpenSSL version 3.1.5 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.1.5 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.1-notes.html

Specific notes on upgrading to OpenSSL 3.1 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.1/man7/migration_guide.html

OpenSSL 3.1.5 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.1.5.tar.gz
    Size: 15663524
    SHA1 checksum: bae9e00477fb036e28f1c2e9a837fb6992823c57
    SHA256 checksum: 6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.1.5.tar.gz
  openssl sha256 openssl-3.1.5.tar.gz

Yours,

The OpenSSL Project Team.
OpenSSL version 3.2.1 published
OpenSSL version 3.2.1 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.2.1 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.2-notes.html

Specific notes on upgrading to OpenSSL 3.2 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.2/man7/migration_guide.html

OpenSSL 3.2.1 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.2.1.tar.gz
    Size: 17733249
    SHA1 checksum: 9668723d65d21a9d13e985203ce8c27ac5ecf3ae
    SHA256 checksum: 83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.2.1.tar.gz
  openssl sha256 openssl-3.2.1.tar.gz

Yours,

The OpenSSL Project Team.
OpenSSL Security Advisory
OpenSSL Security Advisory [25th January 2024]
=============================================

PKCS12 Decoding crashes (CVE-2024-0727)
=======================================

Severity: Low

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack.

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

OpenSSL 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.1 once it is released.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.5 once it is released.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.13 once it is released.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1x once it is released (premium support customers only).
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zj once it is released (premium support customers only).

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.

The fix is also available in commit x (for 3.2), commit x (for 3.1) and commit x (for 3.0) in the OpenSSL git repository. It is available to premium support customers in commit x (for 1.1.1) and in commit x (for 1.0.2).

This issue was reported on 23rd November 2023 by Bahaa Naamneh (Crosspoint Labs). The fix was developed by Matt Caswell.

General Advisory Notes
======================

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240125.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
New OpenSSL Releases
The OpenSSL project team would like to announce the upcoming release of OpenSSL versions 3.1.4 and 3.0.12.

These releases will be made available on Tuesday 24th October 2023 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in each of these two releases is Moderate:
https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team
New OpenSSL Releases
The OpenSSL project team would like to announce the upcoming release of OpenSSL versions 3.1.3 and 3.0.11.

These releases will be made available on Tuesday 19th September 2023 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in each of these two releases is Low:
https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team
Forthcoming OpenSSL Release
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1w.

This release will be made available on Monday 11th September 2023 between 1300-1700 UTC.

This will be the final public release in the 1.1.1 series [1]. Ongoing access to security fixes is available to premium support customers [2].

This is a security-fix release. The highest severity issue fixed in this release is Low:
https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team

[1] https://www.openssl.org/blog/blog/2023/06/15/1.1.1-EOL-Reminder/
[2] https://www.openssl.org/support/contracts.html
OpenSSL Security Advisory
OpenSSL Security Advisory [31st July 2023]
==========================================

Excessive time spent checking DH q parameter value (CVE-2023-3817)
==================================================================

Severity: Low

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. The fix is also available in commit 6a1eb62c2 (for 3.1), commit 9002fd073 (for 3.0) and commit 91ddeba0f (for 1.1.1) in the OpenSSL git repository. It is available to premium support customers in commit 869ad69a (for 1.0.2).

This issue was reported on 20th July 2023 by Bernd Edlinger. The fix was developed by Tomas Mraz.

General Advisory Notes
======================

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230731.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security fixes for 1.1.1 will only be available to premium support customers.
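As an added example (not OpenSSL's code), the ordering the advisory describes: a DH parameter check that refuses a q value that is not smaller than p before running any check whose cost grows with the size of q. The names dh_check and _is_probable_prime and the toy parameters (p = 23, q = 11, g = 2) are this example's own constructions.

```python
from typing import Optional, Tuple

# Constructed toy DH parameters (far too small for real use): p = 23 is a safe
# prime, q = (p - 1) / 2 = 11 is the subgroup order, and g = 2 has order q.
TOY_P, TOY_Q, TOY_G = 23, 11, 2


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases. Its cost grows with the bit-length of n,
    which is why an untrusted, oversized q is a denial-of-service vector."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_check(p: int, g: int, q: Optional[int] = None) -> Tuple[bool, str, int]:
    """Validate DH parameters (p, g) and an optional subgroup order q.

    Returns (ok, reason, expensive_ops). expensive_ops counts the checks whose
    running time grows with the operand size (primality tests and modular
    exponentiations). The cheap range checks all run first, so a q that is not
    smaller than p is refused with expensive_ops == 0.
    """
    expensive = 0
    if p < 3 or p % 2 == 0:
        return False, "p must be an odd integer greater than 2", expensive
    if not 1 < g < p - 1:
        return False, "g must lie strictly between 1 and p-1", expensive
    if q is not None:
        # A genuine subgroup order divides p-1 and is therefore smaller than p.
        # Anything larger cannot be valid, so it is rejected before any work
        # proportional to its bit-length is done (the CVE-2023-3817 mitigation).
        if q >= p:
            return False, "q is not smaller than the modulus p", expensive
        if q < 2 or q % 2 == 0:
            return False, "q must be an odd integer greater than 1", expensive
        if (p - 1) % q != 0:
            return False, "q does not divide p-1", expensive
        expensive += 1
        if not _is_probable_prime(q):
            return False, "q is not prime", expensive
        expensive += 1
        if pow(g, q, p) != 1:
            return False, "g does not generate the subgroup of order q", expensive
    expensive += 1
    if not _is_probable_prime(p):
        return False, "p is not prime", expensive
    return True, "parameters pass", expensive


if __name__ == "__main__":
    print(dh_check(TOY_P, TOY_G, TOY_Q))
    # An oversized q is refused before any size-dependent work runs.
    print(dh_check(TOY_P, TOY_G, 1 << 4096))
```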
Forthcoming OpenSSL Releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v.

These releases will be made available on Tuesday 1st August 2023 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in each of these three releases is Low:
https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team
Re: Forthcoming OpenSSL Releases
To clarify, OpenSSL version 3.1.1 will also be released on Tuesday 30th May 2023, and is also a security-fix release with the highest severity issue being Moderate.

Regards

Matt

On 24/05/2023 05:06, Tomas Mraz wrote:
> The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.9, 1.1.1u and 1.0.2zh.
>
> Note that OpenSSL 1.0.2 is End Of Life and so 1.0.2zh will be available to premium support customers only.
>
> These releases will be made available on Tuesday 30th May 2023 between 1300-1700 UTC.
>
> These are security-fix releases. The highest severity issue fixed in each of these three releases is Moderate:
> https://www.openssl.org/policies/secpolicy.html
>
> Yours
>
> The OpenSSL Project Team
OpenSSL 1.1.1 End Of Life Blog Post
Please see our blog post about the forthcoming End Of Life of OpenSSL 1.1.1 on 11th September 2023:
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

Kind Regards

Matt
OpenSSL version 3.1.0 published
OpenSSL version 3.1.0 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.1.0 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.1-notes.html

Specific notes on upgrading to OpenSSL 3.1 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.1/man7/migration_guide.html

OpenSSL 3.1.0 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.1.0.tar.gz
    Size: 15525381
    SHA1 checksum: 323b175eda887b33fb23f5806ef307b4dda2df00
    SHA256 checksum: aaa925ad9828745c4cad9d9efeb273deca820f2cdcf2c3ac7d7c1212b7c497b4

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.1.0.tar.gz
  openssl sha256 openssl-3.1.0.tar.gz

Yours,

The OpenSSL Project Team.
Forthcoming OpenSSL Releases
Hello,

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg.

Note that OpenSSL 1.0.2 is End Of Life and so 1.0.2zg will be available to premium support customers only.

These releases will be made available on Tuesday 7th February 2023 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in each of these three releases is High:
https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team
New Blog Post: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
Please see the new blog post here:
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
Withdrawal of OpenSSL 3.0.6 and 1.1.1r
We have received a report of a significant regression in the latest 3.0.6 and 1.1.1r versions. The regression is not thought to have security consequences.

While the regression is further investigated we have taken the decision to withdraw the 3.0.6 and 1.1.1r versions and instead recommend that users remain on the previous 3.0.5 and 1.1.1q versions for now.

We will issue a new plan for the release of 3.0.7 and 1.1.1s soon.

Yours

The OpenSSL Project Team
OpenSSL Security Advisory
OpenSSL Security Advisory [11 October 2022]
===========================================

Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358)
================================================================================

Severity: Low

OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers.

OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext.

Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.6.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 9th August 2022 by Chris Rapier of the Pittsburgh Supercomputing Center. The fix was developed by Matt Caswell.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221011.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
OpenSSL version 3.0.6 published
OpenSSL version 3.0.6 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.6 of our open source toolkit for SSL/TLS.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.6 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.6.tar.gz
    Size: 15101953
    SHA1 checksum: df7c98f7780babdedd0810fb3c2b55332a8f6b89
    SHA256 checksum: e4a10a2986945e3f1a1f2ebd68ac780449a1773b96b6a174fdf650d6bc9611f1

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.6.tar.gz
  openssl sha256 openssl-3.0.6.tar.gz

Yours,

The OpenSSL Project Team.
OpenSSL version 1.1.1r published
OpenSSL version 1.1.1r released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1r of our open source toolkit for SSL/TLS.

For details of changes and known issues see the release notes at:
https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1r is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1r.tar.gz
    Size: 9868506
    SHA1 checksum: 1a7d07ebc91a4e834be3db861453a79b0fe8d259
    SHA256 checksum: e389352ae3d5ae4d38597bf8a54f1dcb6fb3c8b50f4fe58a94bb1bf7f85d82a0

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1r.tar.gz
  openssl sha256 openssl-1.1.1r.tar.gz

Yours,

The OpenSSL Project Team.
Forthcoming OpenSSL Releases
Hello,

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.6 and 1.1.1r.

These releases will be made available on Tuesday 11th October 2022 between 1300-1700 UTC.

OpenSSL 3.0.6 is a security-fix release. The highest severity issue fixed in OpenSSL 3.0.6 is Low:
https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 is a bug-fix release. There are no security issues fixed in this release.

Yours

The OpenSSL Project Team
OpenSSL Security Advisory
OpenSSL Security Advisory [21 June 2022]
========================================

The c_rehash script allows command injection (CVE-2022-2068)
============================================================

Severity: Moderate

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review.

When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell.

This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.

Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2zf (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1p
OpenSSL 3.0 users should upgrade to 3.0.4

This issue was reported to OpenSSL on the 20th May 2022. It was found by Chancen of Qingteng 73lab. A further instance of the issue was found by Daniel Fiala of OpenSSL during a code review of the script. The fix for these issues was developed by Daniel Fiala and Tomas Mraz from OpenSSL.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220621.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
OpenSSL version 3.0.4 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 3.0.4 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.4 of our open source toolkit for SSL/TLS. For details of the changes, see the release notes at:

https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.4 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.4.tar.gz
Size: 15069605
SHA1 checksum: cde0c343646ce10600e6b28fc7000e9096e7959f
SHA256 checksum: 2831843e9a668a0ab478e7020ad63d2d65e51f72977472dc73efcefbafc0c00f

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.4.tar.gz
openssl sha256 openssl-3.0.4.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmKxyBUACgkQ2cTSbQ5g
RJEQbgf+OKc54bvXn9b9y6HsTIO5mRr1DqVzSkg8l6UC3T2TJSTDIQJVp0JaQmMr
xNo6v/jYq+ZSVyX6lIa0+0YukJsnvlhaUc857KuuqnS6plBA7K5RIeUhjC2MZayw
XSjAw3styH45l8Mm3v0R4s9pGySUC0h3t1mLwcJ+gv1XgQYbDxqWUabsLPoeDRJz
j3Ph10KvSPBDNR9FxYwK0BGhkuPkz4bZaNXJgd5MJCBF+0inUr+owDdprIAARve+
hiP+qBFIfQsokbJDbn7hQ5OB5LyQRLekvNUb3euaKSTlc2xpmsyoVIgLtCrAWp5F
DMinUzLD+q+/YgW/g4i3vFepc7R7Tw==
=vtQZ
-----END PGP SIGNATURE-----
OpenSSL version 1.1.1p published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1p released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1p of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1p is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.1p.tar.gz
Size: 9860217
SHA1 checksum: 707daabab923ef2d9f05fdb8e0664944be7f5eba
SHA256 checksum: bf61b62aaa66c7c7639942a94de4c9ae8280c08f17d4eac2e44644d9fc8ace6f

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1p.tar.gz
openssl sha256 openssl-1.1.1p.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmKxyiAACgkQ2cTSbQ5g
RJGpiAgAp0GN7gCRELpsJNvHnvuwwgOxUx3ata0EhCKfmj2tpJLQ3E+ImnuQBs5m
+EDaOwRSTNORqJguy+BLlez1ySTAK9Pce8AHAYiC0VaUE18Y7X3S/E4t1sEjmHLl
LxQi8DHEwIpuYe3ITO881cZ26tGo4gflrpqwVWPT1aqfRExguNY3GAzJIEMxDHNb
oGsRH2sEMTBhR/ToLRV+ryr9L5rB7i29lSAT9GTPNCHko/j30cJ+9l1b2UehkZay
N2oJu/2nvXORcXbLDY5m4jiBwfTQNMzGrAjtz/LLDqnFhC79gUPui90Q53o8EmSJ
kJAF+DR1hZM9xnsgGZp+WSLrf1pfKw==
=iyXg
-----END PGP SIGNATURE-----
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [03 May 2022]
=======================================

The c_rehash script allows command injection (CVE-2022-1292)
============================================================

Severity: Moderate

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.

Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2ze (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1o
OpenSSL 3.0 users should upgrade to 3.0.3

This issue was reported to OpenSSL on the 2nd April 2022. It was found by Elison Niven of Sophos. The fix was developed by Tomas Mraz from OpenSSL.

OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343)
=========================================================================================

Severity: Moderate

The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify.

It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0.

This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result.

This issue affects OpenSSL version 3.0.

OpenSSL 3.0 users should upgrade to 3.0.3

This issue was reported to OpenSSL on the 6th April 2022 by Raul Metsma. The fix was developed by Matt Caswell from OpenSSL.

Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)
=================================================================

Severity: Low

The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable.

An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check.

Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.

If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol.

Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite.

The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it.

In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred:

1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers
2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration)
3) The ciphersuite must have been explicitly added to the ciphersuite list
4) The libssl security level must have been set to 0 (default is 1)
5) A version of SSL/TLS below TLSv1.3 must have been negotiated
6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common

This issue affects OpenSSL version 3.0.

OpenSSL 3.0 use
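The two c_rehash advisories on this page (CVE-2022-1292 in the message above and CVE-2022-2068 earlier on the page) describe one defect class: a certificate file name reaching a shell. The following is an added illustration in C, not OpenSSL's c_rehash (which is a Perl script) and not its fix. `cat` is a hypothetical stand-in for the openssl sub-command the real script runs per certificate, so the example runs on any POSIX system without OpenSSL installed, and the file name `x;exit 37` is a constructed fixture. The unsafe variant hands the name to /bin/sh via system(); the safe one passes it as a single argv element to execlp(), so metacharacters are never parsed.

```c
/*
 * Added illustration of the c_rehash defect class.  NOT OpenSSL's c_rehash
 * and NOT its fix: it shows the same mistake and the same remedy in C.
 * "cat" is a hypothetical stand-in for the per-certificate openssl command.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Test fixture helper: create an empty file whose name we control. */
int create_empty_file(const char *name)
{
    FILE *f = fopen(name, "w");
    if (f == NULL)
        return -1;
    return fclose(f);
}

/* Vulnerable pattern: the file name is pasted into a command line that
 * /bin/sh then re-parses, so ';', '$(...)', backticks and friends inside
 * the name become commands.  Returns the child's exit status, -1 on error. */
int process_unsafe(const char *fname)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "cat %s >/dev/null", fname);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    int status = system(cmd);          /* runs: sh -c "cat <fname> >/dev/null" */
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Safe pattern: no shell at all.  The name travels as one argv element and
 * reaches cat byte-for-byte, whatever characters it contains. */
int process_safe(const char *fname)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (freopen("/dev/null", "w", stdout) == NULL)
            _exit(126);
        execlp("cat", "cat", fname, (char *)NULL);
        _exit(127);                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed file name carrying a shell metacharacter payload. */
    const char *evil = "x;exit 37";
    if (create_empty_file(evil) != 0)
        return 1;
    printf("unsafe: exit status %d (37 means the shell ran the payload)\n",
           process_unsafe(evil));
    printf("safe  : exit status %d (0 means cat opened the file named '%s')\n",
           process_safe(evil), evil);
    remove(evil);
    return 0;
}
```

The unsafe path reports exit status 37, i.e. the shell executed the attacker-chosen `exit 37` after a failed `cat x`, while the safe path returns 0 because cat opened the file actually named `x;exit 37`. This is also why the advisories point to the `openssl rehash` command as the replacement: it is a compiled tool that opens the files itself rather than building shell command lines from their names.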
OpenSSL version 1.1.1o published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1o released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1o of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1o is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.1o.tar.gz
Size: 9856386
SHA1 checksum: 860fa10381ff0a121833583ccaa011bf266bcc63
SHA256 checksum: 9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1o.tar.gz
openssl sha256 openssl-1.1.1o.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmJxMQAACgkQ2cTSbQ5g
RJH4Tgf/QsyDzhnR6G+WdEb7HYGHvVhHrmI+aJ7X+h4pmySoLUQ6bFIfRowndsyl
0sfpkmMTqbRBS6B5buehZYyL7pN1VMizOOvYtXznw5iRM6gTMZNSioD775pglp2H
K1JMiWHUFrfcFwukr82F8L7YO19vRf6QC1FQAoA3qBKhrW9t67ihyrJMWtISYNS1
gu7B2Mu5cGlur+V9wlJDqSA9vc8gXRNIhc7bzTTtIv/zrhXGi/izTgruj9XCe5rA
JiWMm4qpa/IRlpsdHTOcAglbNbumC0mCLUig4UFCpK0T9d/h2eBeXQH+dKmUPV73
iV+sJay2B3B6vlmywKp91C29LIzwRw==
=GnSQ
-----END PGP SIGNATURE-----
OpenSSL version 3.0.3 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 3.0.3 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.3 of our open source toolkit for SSL/TLS. For details of the changes, see the release notes at:

https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.3 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.3.tar.gz
Size: 15058905
SHA1 checksum: 1138de3f1a2f573ae69302ab52ecd9bbf5e063ca
SHA256 checksum: ee0078adcef1de5f003c62c80cc96527721609c6f3bb42b7795df31f8b558c0b

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.3.tar.gz
openssl sha256 openssl-3.0.3.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmJxLtUACgkQ2cTSbQ5g
RJFbOAgAktEl5DvfJrwinwX7AJmS77kgDKwgFYJo9RgKzSPUOzFJVMxrmrMH2uzF
hErm1DgaWMKFChI1Vb3d29gblvT43hDDG77yEH4qVHx0bWpUc8fr9JHfUyEz3ziQ
66V7t4NhHo67ifw2YOgiA/9wOGLvIxRYKGKLVBRnn+Jckz6uo3qZ0HS/irgqjREs
lVt775WtXdH/RWkEpLSRFMVo77HaGLFzMv9qZ/jKB0TgjW+QuoET34x61+iLc5x0
SqdKWr7YZzR7ixmoiumBpICcvzXZEdeFicvrdut2uyOD7EyIbuX5kY3S7TopDw2p
HrIsnnUXqOvipX4VqFF/txW/zA4gfw==
=Ydig
-----END PGP SIGNATURE-----
Re: Forthcoming OpenSSL Releases
The OpenSSL Project team have decided to postpone the releases of 3.0.3 and 1.1.1o planned for today. These releases will now be made available on Tuesday 3rd May 2022 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in these releases is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

Yours

The OpenSSL Project Team

On 19/04/2022 20:51, Matt Caswell wrote:
> The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.3 and 1.1.1o.
>
> These releases will be made available on Tuesday 26th April 2022 between 1300-1700 UTC.
>
> These are security-fix releases. The highest severity issue fixed in these releases is MODERATE:
> https://www.openssl.org/policies/secpolicy.html#moderate
>
> Yours
>
> The OpenSSL Project Team
Forthcoming OpenSSL Releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.3 and 1.1.1o.

These releases will be made available on Tuesday 26th April 2022 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in these releases is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

Yours

The OpenSSL Project Team
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [15 March 2022]
=========================================

Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778)
==================================================================================

Severity: High

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

Thus vulnerable situations include:

- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue.

In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.

OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2

This issue was reported to OpenSSL on the 24th February 2022 by Tavis Ormandy from Google. The fix was developed by David Benjamin from Google and Tomáš Mráz from OpenSSL.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. It is affected by the issue.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwtOcACgkQ2cTSbQ5g
RJGd6wf/VColq7YEnA1dKQvd75ytnFkV8tUhb1uQ9eCjhxk76ASg3QToEar3yDd3
ykGXJZy5oPCl0zG33GORz9Pq8oWjIoCDLfhlTh3aORjWZ9uMkd+RWxVEjxyidgZp
4Rb8p5qSncxJ1EcYLoeUWu/lrDh67q1hDnwGNtNxyzVC0sqxWz++YoFXGJA2OH0m
lcYZilUdZ4HLVKmFKEfQGX/xwdvxj3VTaJNjsEI+2h1xysXBN+TpXsEL2yOGx8Cq
KzQXnRUrNhsdIQYEAJ7i3HXYmY0wHehTXvBoZsI/2yWiC19WWK8u/qZxdc3Y88v3
JDKNJRCyKGbji+ESZPnWB14yE3yZ0g==
=9ROi
-----END PGP SIGNATURE-----
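The modular square root in the advisory above is computed with the Tonelli-Shanks algorithm, whose inner search for the next exponent only terminates when the modulus is an odd prime; for a composite modulus the values it waits for may never appear. The following added example is illustrative C, not OpenSSL's BN_mod_sqrt() and not its patch: it implements the algorithm on 64-bit integers with every search bounded, so a composite modulus makes the function return an error instead of spinning. The moduli 17, 21, 697 (= 17 x 41) and 1000000007 and the inputs used with them are test values chosen here; 616 mod 697 is picked so that it passes Euler's criterion and a non-residue exists, yet the exponent search overruns its bound.

```c
/* Added example: bounded Tonelli-Shanks on uint64_t.  Illustrative only;
 * this is not OpenSSL's BN_mod_sqrt() and not its fix for CVE-2022-0778. */
#include <stdint.h>
#include <stdio.h>

uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)((unsigned __int128)a * b % m);
}

uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;
    b %= m;
    while (e) {
        if (e & 1)
            r = mulmod(r, b, m);
        b = mulmod(b, b, m);
        e >>= 1;
    }
    return r;
}

/* Returns 1 and stores a root in *root when a is a quadratic residue modulo
 * the odd prime p.  Returns 0 when a has no square root or when p is not an
 * odd prime: every loop below has an explicit bound, so a composite modulus
 * fails instead of looping forever. */
int mod_sqrt(uint64_t a, uint64_t p, uint64_t *root)
{
    if (p < 3 || (p & 1) == 0)
        return 0;
    a %= p;
    if (a == 0) {
        *root = 0;
        return 1;
    }
    /* Euler's criterion: for a prime p a residue satisfies a^((p-1)/2) == 1. */
    if (powmod(a, (p - 1) / 2, p) != 1)
        return 0;

    /* Write p - 1 = q * 2^s with q odd. */
    uint64_t q = p - 1;
    unsigned s = 0;
    while ((q & 1) == 0) {
        q >>= 1;
        s++;
    }

    /* Find a quadratic non-residue z.  A prime always has one below p; the
     * bound stops the search for moduli that have none (21 is one such). */
    uint64_t z = 2;
    while (z < p && powmod(z, (p - 1) / 2, p) != p - 1)
        z++;
    if (z >= p)
        return 0;

    uint64_t c = powmod(z, q, p);
    uint64_t t = powmod(a, q, p);
    uint64_t r = powmod(a, (q + 1) / 2, p);
    unsigned m = s;

    while (t != 1) {
        /* Least i with t^(2^i) == 1.  A prime modulus guarantees i < m;
         * reaching m is the non-prime case and must be reported, not retried. */
        unsigned i = 0;
        uint64_t tt = t;
        while (tt != 1) {
            if (++i >= m)
                return 0;
            tt = mulmod(tt, tt, p);
        }
        uint64_t b = c;                       /* b = c^(2^(m-i-1)) */
        for (unsigned j = 0; j + i + 1 < m; j++)
            b = mulmod(b, b, p);
        m = i;
        c = mulmod(b, b, p);
        t = mulmod(t, c, p);
        r = mulmod(r, b, p);
    }
    /* Defence in depth: never hand back a value that is not actually a root. */
    if (mulmod(r, r, p) != a)
        return 0;
    *root = r;
    return 1;
}

int main(void)
{
    uint64_t cases[][2] = { {13, 17}, {4, 1000000007ULL}, {3, 7}, {8, 21}, {616, 697} };
    for (unsigned k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        uint64_t r = 0;
        int ok = mod_sqrt(cases[k][0], cases[k][1], &r);
        printf("sqrt(%llu) mod %llu: %s\n", (unsigned long long)cases[k][0],
               (unsigned long long)cases[k][1], ok ? "found" : "error (no root or non-prime modulus)");
    }
    return 0;
}
```

Run as is: 13 mod 17 and 4 mod 1000000007 produce roots, 3 mod 7 fails Euler's criterion, 8 mod 21 exhausts the non-residue search, and 616 mod 697 gets past both of those checks and is stopped only by the bound on the exponent search, which is the loop the advisory is about. The final re-squaring check costs one multiplication and catches any remaining case where a composite modulus lets the loop finish with a wrong answer.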
OpenSSL version 1.1.1n published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1n released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1n of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1n is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.1n.tar.gz
Size: 9850712
SHA1 checksum: 4b0936dd798f60c97c68fc62b73033ecba6dfb0c
SHA256 checksum: 40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1n.tar.gz
openssl sha256 openssl-1.1.1n.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwpMEACgkQ2cTSbQ5g
RJHEZgf+KWdz0hwZ32JMsmgKGLpfMtPBuKEJy6fgYQltp8CBdN5TgJxdlfI50rW4
6NjECRsbkfvl9cz3eMmxpktPoYtvP99vC3gTrHgBf1rvTrlPjDoJhh/nVUI5e7FB
MpEg79NzrbK8bnu+2/mIx7IcSVhuKCr5vS5nYxovSbtgBbivr+PErFpq9363DB3O
UDhlDCOl/dZh63vtyvEtsXkZlTIY3Je3XX600kqVMgs2Obm8IAT1UkyRkKyYLV6y
zWBvl6jkH9j6Aa2bDR0kBLyaiTfTlrVEvO45sQT/EjOa8oWCE6OxeEscJRRGppyD
IHFS/t/e7gvlfyoJvxKIbLZJv5mv5w==
=+pTj
-----END PGP SIGNATURE-----
OpenSSL version 3.0.2 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 3.0.2 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.2 of our open source toolkit for SSL/TLS. For details of the changes, see the release notes at:

https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.2 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.2.tar.gz
Size: 15038141
SHA1 checksum: c97166014243779a4b1b3613e1fce6087f2e17bc
SHA256 checksum: 98e91ccead4d4756ae3c9cde5e09191a8e586d9f4d50838e7ec09d6411dfdb63

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.2.tar.gz
openssl sha256 openssl-3.0.2.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwowMACgkQ2cTSbQ5g
RJGM7Af+Kx4G/JDh14Djb4NQhnq3pryEv55PTG3MChJBzsEWFhzYc0aXmz6LaPl0
YugY2OT09LRPMTAijoDJ6AVeObS2QAniFpIPS58UnHK5gzoNLmzRpuflp7oeSzv2
lxqtfL36FNfnGhEWJlfG8IYLIeQnjaEw05PY9FWNScCjN7vt9y0OsDxdv9jsOt8q
OEw42b/EESSF568E2LQuZRLLf/DL4KQc9F9atGaPjtAldZI+GgQM/rl8hea/xooe
BIMWRruhFM5yGP1tx9CC+9los8uvccULtuhni6eI6N9ryu5HBHEdGmRHvjW7ZdkT
946RJUuJjfJ2PgUpO20HxKDAMdjyqQ==
=XQgF
-----END PGP SIGNATURE-----
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.2 and 1.1.1n.

These releases will be made available on Tuesday 15th March 2022 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in these releases is HIGH:
https://www.openssl.org/policies/secpolicy.html#high

Yours

The OpenSSL Project Team
OpenSSL 3.0 LTS
OpenSSL 3.0 has recently been designated as a Long Term Support (LTS) release. This means that it will now be supported until 7th September 2026 (5 years after its initial release).

Our previous LTS release (1.1.1) will continue to be supported until 11th September 2023.

We encourage all users to upgrade to 3.0.

Yours,

The OpenSSL Project Team
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [28 January 2022]
===========================================

BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160)
================================================================

Severity: Moderate

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released.

The issue only affects OpenSSL on MIPS platforms. If that applies then:

OpenSSL 1.0.2 users should apply git commit 6fc1aaaf3 (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1m
OpenSSL 3.0.0 users should upgrade to 3.0.1

This issue was found on the 10th of December 2021 and subsequently fixed by Bernd Edlinger.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220128.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmH0AK4ACgkQ2cTSbQ5g
RJG4Agf9HqZVxd3uG7Jq8TnM4HIR5lrQaJAq6pszxqGvSSmjmK6fkVf8G0PI6I4M
J8gmlLMfnvDiE2a1yfmzAlXQu3+nTFRMlkkrpfPoBPIrX3ceHa+uRLIlvDm6jTeu
vEV+Zko71AlgDb4cGGP9beAEh6l2pPS2DZ94nEiK2LWl6nIUTaTWuV0WACVHnadk
Xj6YrDtbM9LpW/yELg4nUvrLCn72D+T3rjaDZVfQHCjw97/TJnSOApv5u0EgBiIi
lT3zXBT83qHDsPEfXvQ3Mk4wQiloAmOO4g9B68S84qXq/J8JSowydCQBKhOVQ9uo
u3EDFqOsMHS6ahex7RfBnvML0FBXbA==
=RvBK
-----END PGP SIGNATURE-----
OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [14 December 2021]
============================================

Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044)
================================================================================

Severity: Moderate

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains.

By combining the two issues an attacker could induce incorrect, application dependent behaviour.

OpenSSL 3.0.0 SSL/TLS clients are affected by this issue. Users of this version should upgrade to OpenSSL 3.0.1.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 29th November 2021 by Tobias Nießen. The fix was developed by Matt Caswell and Tobias Nießen.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20211214.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4zbUACgkQ2cTSbQ5g
RJG+TggAsQHgwpwy2j4FPzKFAar5hM+3cMI9hZUECu5VJBZaVUQM3fBY5Um16T5L
n6weB9EFe+xpA2ncuuDeUWGvACW5oj6j/obfse4cIRc2K4XfHNydzCi/EB1cG1Qi
d4/dqw4I8KgyZkk7iyZawtQ+vslSefsUbYSqrslBiETK7VMGjIrxNy7ohMadFdA7
E8dYicPPjkYX/4+vs/W0RiAe4kFAHKTFZIvh2ab65CBubAOGDS0CFavd57FvC10Y
UquSKdBIWIIlfueQ8IhYx3v/VEOvS4Q8OpkPkfuoRu0j3qX8lvyHV+gipHD9MK9q
zI7Kj9oa+mUqyT5cp3mhIbSqq3Qm0A==
=xJgY
-----END PGP SIGNATURE-----
OpenSSL version 3.0.1 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 3.0.1 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.1 of our open source toolkit for SSL/TLS. For details of the changes, see the release notes at:

https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.1 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.1.tar.gz
Size: 15011207
SHA1 checksum: 33b00311e7a910f99ff041deebc6dd7bb9f459de
SHA256 checksum: c311ad853353bce796edad01a862c50a8a587f62e7e2100ef465ab53ec9b06d1

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.1.tar.gz
openssl sha256 openssl-3.0.1.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4w10ACgkQ2cTSbQ5g
RJETYQgAjRoCClgeA+HaqG8t+dnYgBdlvXtRqdcPaBpWPO0E4hoSE09jgfJrs2Hj
oKiH844DXxfQTDAexG08X5sw/YL1hp5bchoHGz2L8ZzbaXNSt/4tUYRM+/DKo3t0
SWMCNNeu6PG2HUxv0VaDujAUnPqG0K7bZ9zjeXP3OepTSa8FR0QQG4oN+dBamYQi
k8rL6+VOxxq2mjcAfBj8pybKcxiGXtEy+evBwSGdVPOXhogvzIO0JyPfpS08UZke
CvIMcqR0k4CzmBlVeveKUKqF+EOJWTgcYDPjIzuP9FKFdYcEis0+dzMzg5CeLPbn
MMMnbatP918MZIIeC4L6U02AT3I4Ew==
=0RgY
-----END PGP SIGNATURE-----
OpenSSL version 1.1.1m published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1m released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1m of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1m is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.1m.tar.gz
Size: 9847315
SHA1 checksum: 39d424c4411e45f1570073d7a71b1830b96007ca
SHA256 checksum: f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1m.tar.gz
openssl sha256 openssl-1.1.1m.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4vAIACgkQ2cTSbQ5g
RJFRjgf+LXWwOHLNWh4XBVIwbQgaCF7mHMQqfa0LGzke/xA+K41Mb7h5+LRGsyDS
NxHPiI1Qj4brhpVDQWF4D0aNi+BaWYU72tb7vaFneO1lVvRXBntYxw8ioyCKGRfZ
weCw0Jl9+fH5KKQ2SMoSeXKwdeZWgm+JaUcIgIt9oDrlNHhv2lTYbaqXWZ9t0dwY
HMjR78zdbcnmOJ3mqBzVlwfdBuGqC6iuk+J9SgZNTCn//X5PDj3gbcDjS22CWMQH
ViMHOaN+ZxZii1HMELpEWE0RBotC5UxlWXq8PZFqXvwLISGeyokTcTCElxTuh3os
OnZf+Jd35FlKihCKqaYFiRGboOKPjA==
=Ac7r
-----END PGP SIGNATURE-----
Forthcoming OpenSSL Releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1m and 3.0.1.

These releases will be made available on Tuesday 14th December 2021 between 1300-1700 UTC.

OpenSSL 3.0.1 is a security and bug fix release. The highest severity issue fixed in this release is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

OpenSSL 1.1.1m is a bug fix release. There are no security issues addressed in this release.

Yours

The OpenSSL Project Team
OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [24 August 2021] == SM2 Decryption Buffer Overflow (CVE-2021-3711) == Severity: High In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. OpenSSL versions 1.1.1k and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1l. OpenSSL 1.0.2 is not impacted by this issue. OpenSSL 3.0 alpha/beta releases are also affected but this issue will be addressed before the final release. This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix was developed by Matt Caswell. 
Read buffer overruns processing ASN.1 strings (CVE-2021-3712) = Severity: Moderate ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. 
This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext).

OpenSSL versions 1.1.1k and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1l.

OpenSSL versions 1.0.2y and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2za. Other users should upgrade to 1.1.1l.

An initial instance of this issue in the X509_aux_print() function was reported to OpenSSL on 18th July 2021 by Ingo Schwarze. The bugfix was developed by Ingo Schwarze and first publicly released in OpenBSD-current on 10th July 2021 and subsequently in OpenSSL on 20th July 2021 (commit d9d838ddc). Subsequent analysis by David Benjamin on 17th August 2021 identified more instances of the
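The failure mode of the ASN.1 string advisory, as an added example that is not OpenSSL code: a consumer of an ASN1_STRING-like {data, length} pair that behaves correctly whether or not the byte array has a trailing NUL. The struct, the helper names and the sample values are constructed for this page. It shows the two operations the affected functions perform: rendering the bytes for display using only the length field, which is what the printing routines have to do instead of scanning for a terminator; and converting to a C string, as callers of X509_get1_email() receive one, which must fail when the value contains an embedded NUL rather than silently hand back a shortened name.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not OpenSSL code.  A stand-in for ASN1_STRING: a byte array
 * plus an explicit length.  Nothing below may assume data[length] exists,
 * let alone that it is 0: a directly constructed string (ASN1_STRING_set0,
 * or assigning the fields by hand) need not carry a terminator. */
typedef struct {
    const unsigned char *data;
    int length;
} asn1_string_t;

/* Render the value for display into out (at most outlen-1 chars plus a NUL).
 * Bytes outside printable ASCII, and the backslash, become \xHH so the output
 * is unambiguous.  Returns the length the full rendering needs, snprintf
 * style, so a caller can detect truncation. */
size_t asn1_string_print(const asn1_string_t *s, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t need = 0, w = 0;
    int i;
    for (i = 0; s->length > 0 && i < s->length; i++) {  /* bounded by length, never by a NUL */
        unsigned char c = s->data[i];
        char piece[4];
        size_t plen, k;
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            piece[0] = (char)c;
            plen = 1;
        } else {
            piece[0] = '\\';
            piece[1] = 'x';
            piece[2] = hex[c >> 4];
            piece[3] = hex[c & 0x0f];
            plen = 4;
        }
        for (k = 0; k < plen; k++, need++)
            if (w + 1 < outlen)                         /* keep room for the terminator */
                out[w++] = piece[k];
    }
    if (outlen > 0)
        out[w] = '\0';
    return need;
}

/* Copy the value into a NUL-terminated C string.  Returns -1 when the buffer
 * is too small or the value itself contains a NUL: a char* for such a value
 * would hand the caller a silently shortened name. */
int asn1_string_to_cstr(const asn1_string_t *s, char *out, size_t outlen)
{
    size_t len;
    if (s->length < 0)
        return -1;
    len = (size_t)s->length;
    if (len + 1 > outlen || memchr(s->data, '\0', len) != NULL)
        return -1;
    memcpy(out, s->data, len);
    out[len] = '\0';
    return 0;
}

/* Constructed samples.  Both arrays are exactly as long as their values, with
 * no trailing NUL, as a hand-built ASN1_STRING could be. */
static const unsigned char sample_email[] = {
    'a','d','m','i','n','@','e','x','a','m','p','l','e','.','t','e','s','t' };
static const unsigned char sample_with_nul[] = { 'a','b',0x00,'c','d' };

/* 1 if the NUL-bearing value renders as the 8-character string ab\x00cd. */
int demo_print_escapes_nul(void)
{
    char buf[32];
    asn1_string_t s = { sample_with_nul, (int)sizeof sample_with_nul };
    return asn1_string_print(&s, buf, sizeof buf) == 8 && strcmp(buf, "ab\\x00cd") == 0;
}

/* 1 if a 4-byte buffer is cut cleanly to "ab\" while the full need is still reported. */
int demo_print_truncates_safely(void)
{
    char buf[4];
    asn1_string_t s = { sample_with_nul, (int)sizeof sample_with_nul };
    return asn1_string_print(&s, buf, sizeof buf) == 8 && strcmp(buf, "ab\\") == 0;
}

/* 1 if the plain email converts and compares equal to the expected C string. */
int demo_cstr_email(void)
{
    char buf[64];
    asn1_string_t s = { sample_email, (int)sizeof sample_email };
    return asn1_string_to_cstr(&s, buf, sizeof buf) == 0 && strcmp(buf, "admin@example.test") == 0;
}

/* 1 if the value with an embedded NUL is refused rather than truncated. */
int demo_cstr_rejects_nul(void)
{
    char buf[64];
    asn1_string_t s = { sample_with_nul, (int)sizeof sample_with_nul };
    return asn1_string_to_cstr(&s, buf, sizeof buf) == -1;
}
```

The audit point for application code is the inverse of this: if you build ASN1_STRING values yourself (set0, or writing the "data" and "length" fields), either allocate length+1 bytes and store a terminator, or never pass those objects to routines that print or extract them as C strings until you are on a fixed release.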
OpenSSL version 1.1.1l published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1l released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1l of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html OpenSSL 1.1.1l is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1l.tar.gz Size: 9834044 SHA1 checksum: f8819dd31642eebea6cc1fa5c256fc9a4f40809b SHA256 checksum: 0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1l.tar.gz openssl sha256 openssl-1.1.1l.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmEk9nQACgkQ2cTSbQ5g RJFk2QgAr9NfJzaDqFFDnjCS7bCGyOf77I4P7IFKfD2Ip4BFYUAS//x7rHjyBs/+ LvbXGm1uht8QWvqA+j6jgq/FwHJS0NhYiw8JPh9E/ATqjhx0K3Pe133u8oy4KOWL /yZvc7bm99Fh9kTb+41hYRYqDcnnLvTyjhMT8zTtuZiva3/152zXgSSfbglF9/A5 nnvWRqJMtGX058EuGNpprHT+1HMN/yUr9lkpKR4iHqHTPm/Y+UgQFnwyJnEUDIy3 1yEFiU6FRGyqZL+lLWmv0mORwJRbgFyk1016xMtvR3NsPWITyt9XlkWwExC9mDlG reN5SLCrLyA9mUVzED6ARSMQNINDbg== =hKcH -END PGP SIGNATURE-
Forthcoming OpenSSL release
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1l.

This release will be made available on Tuesday 24th August 2021 between 1200-1600 UTC.

OpenSSL 1.1.1l is a security-fix release. The highest severity issue fixed in this release is HIGH: https://www.openssl.org/policies/secpolicy.html#high

Note that due to this also affecting OpenSSL 3.0 beta releases, OpenSSL 3.0 final will not be occurring this week.

Yours
The OpenSSL Project Team
OpenSSL version 3.0.0-beta2 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256

OpenSSL version 3.0 beta 2 released
===

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in beta. OpenSSL 3.0 beta 2 has now been made available. We anticipate that this release candidate will be the final beta release and, barring critical problems, that the final OpenSSL 3.0.0 release will occur in the next one to two weeks.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here: https://www.openssl.org/docs/manmaster/man7/migration_guide.html

Two items of interest:

* FIPS 140-2 algorithm testing for the operational environments is currently in progress and OpenSSL 3.0 will be submitted to NIST for validation before the September 21st deadline.
* Engines are deprecated and will be removed in a future release. The new provider concept should be used instead.

The beta release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-beta2.tar.gz
  Size: 14912360
  SHA1 checksum: 261ea1ad4bbf7738622bea5caa97da0283fc3166
  SHA256 checksum: e76ab22879201b12f014393ee4becec7f264d8f6955b1036839128002868df71

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-beta2.tar.gz
openssl sha256 openssl-3.0.0-beta2.tar.gz

Please download and check this beta release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.
-BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmECwXsACgkQ2cTSbQ5g RJGIogf/d+wGwy6MQ5sYFU1skRVvJ05xXOgV9c9YwxO5UmyC3V2p6YHd6oXOhi17 lxbd5o8l9mtuIWKIMo9r222LIE8DtSrwdnO8BMpRBzxT56pUKHuF+qVmMnxOhuU6 jGkKjK6Tel8k4jLCJriRF8G0EWnWClqmvuz6z2rQkzVVcTh/TrtIJn+uMzjg1ZyZ 9T5/TljLQTtsAnx0F6i3TxgOShNpYhObWxyy4byncDX6YPdcedwHREJkhpS3pIh7 DKySPOZicP5jgHDSmp2Ip1Zl6/yTTpcQ1ncd+MHK2fPLtKmr50aCD3MF9qj49kgQ JoXg93pEYV1gdf5aya+TgS+j5VjKeA== =JLdr -END PGP SIGNATURE-
OpenSSL version 3.0.0-beta1 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 beta 1 released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in beta. OpenSSL 3.0 beta 1 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here: https://www.openssl.org/docs/manmaster/man7/migration_guide.html The beta release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-beta1.tar.gz Size: 14878832 SHA1 checksum: 4b48947969bb3c989ba95ac4bdc4a78e70212d2b SHA256 checksum: 7bfedc9a1062cbd2aabc294acc93cbd5259e6e7bd5bbe38e454cc6a32564029f The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-beta1.tar.gz openssl sha256 openssl-3.0.0-beta1.tar.gz Please download and check this beta release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmDLSDUACgkQ2cTSbQ5g RJHPJQf9GACe9xem5BnK1EPAJtWkXxKZS3NOThT5rp6mCArFCVX3Vvrmui/PUgL2 +EPA9o96G6SJ/AypFyH/SUYfK2weC7LmPGgZ4kk0Od/rn/JE+Pkbk1IyqTb3QnUz LlMIB69m8vx/IJqP/FSCY224iP+gtCzyQvktxra1dLab7SJtDiTtcvvSKv20jd1+ 9V9GSPIrl1G7dU+aWG/jZRZ1g8lmVEoZ/d3wKpddU3A31mSWxyt8Yc5/gRC74NmU EGCHY+6hrrRIoJkIiywlk9HoFQNHf3OT0pK1F8Igfredos6dulUKxcK2jk0gJjQY IG7aAF+ZcysQZ5y0iUksHhb296mRNA== =Jk01 -END PGP SIGNATURE-
Forthcoming OpenSSL release
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1k. This release will be made available on Thursday 25th March 2021 between 1300-1700 UTC. OpenSSL 1.1.1k is a security-fix release. The highest severity issue fixed in this release is HIGH: https://www.openssl.org/policies/secpolicy.html#high Yours The OpenSSL Project Team
Forthcoming OpenSSL Release
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1j. This release will be made available on Tuesday 16th February 2021 between 1300-1700 UTC. OpenSSL 1.1.1j is a security-fix release. The highest severity issue fixed in this release is MODERATE: https://www.openssl.org/policies/secpolicy.html#moderate Yours The OpenSSL Project Team -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAix4IACgkQ2cTSbQ5g RJEObwgAkM5/Nx3KjqX1Uj69C6b+8Cxx2ijdfei4wQjkVhLqZLteZpKDE0QBAHsV wGc3cwv1AyPnNfgWvfUwj0k5mRr67fYkz+iAJiNisLc40k0+xPd9F2F804TvKQh2 6HPRY2+AEpQD6nuxJejIOBZruDbFaXRzh1rloQggE9tqUoLslQbYhkrR6BRiePqN zQarux5yBZDfkQzkaYTDqFH5M6RLrb3w5hlJiJ4uJ1lLz4FNyeUtADofluiIrJuj zDRZxocOVoyUt2wIZZ+2xhMY894hlilwnBE+fXvWu5d4HakdZkHe4p+HFvP/O0IY AGn/qXIQfYGt9jH93jCPFdrgO/jvWA== =ZcL6 -END PGP SIGNATURE-
Forthcoming OpenSSL Release
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256

The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1h.

This release will be made available on Tuesday 22nd September 2020 between 1300-1700 UTC.

OpenSSL 1.1.1h is a bug-fix release. There are no CVEs addressed in this release.

Yours
The OpenSSL Project Team

-BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl9hObYACgkQ2cTSbQ5g RJGmDAf+IPnGTpXB6XpHpuvlWWE6v0aTEOHntLgeYbqp9v3/5ay4i0qwFZk2M4Sn 9J5C/057OqqLVMq0UyXXAwhyS52KIR6VfcJKTCc/2NkgPHhee+/W5Q8SgGpXMnOP 60EIrHD5cfkestIO9fvrCHZ19RFFWlFQJnPmc64nLYyhQJ83a/AKGoug459oaxm7 lj90Rd+U4oQvEJyltsA5Urv/IAjQV24EYej1pCLb4zqerW4rLYnoATBrurclWVOa 5AXZgzuhNvtMV3/nVB7aFpfQIsg2FUaTnRW3ok+7e72oiXHndgxYW6TP0GxGOMdu RDB1ZlWWwt7LzYz8BlWTex+s23SNZA== =wNcz -END PGP SIGNATURE-
OpenSSL is looking for a full time Administrator and Manager
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 The OpenSSL Management Committee are looking to hire a full time Administrator and Manager. Details of the role can be found here: https://www.openssl.org/blog/blog/2020/09/05/OpenSSL.ProjectAdminRole/ To apply please send your cover letter and resume to j...@openssl.org by 20th September 2020. Regards, The OpenSSL Project Team -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl9TVxgACgkQ2cTSbQ5g RJHKGggAn1YGhR7UwtgVXTMWUKiv4jYpXd5OaHonAaUwIFdkXUzBmmEq9PP1Thw/ A4rQ/anDZ6SfRlFaGxQB1Fyz5LRyNDhHA48lM0v/Yw55S6NfSrMaPcGRuU8Odikf 4Nd7zzD3RcOgfhphdHEXz7ykMi90ATVcLTVnaoQtkvw5LHeiXzqzBLT9+WEcENWU 4z2WLJRGTpwIBfYfm6/NQPTDzsy/VBoVW/nl1mx6jkvL2UxuOdp4rfTMz9lu3IPk CnkujXxDIVSn02xSiRccj3ujnFqOq4lwtSiOzOl/HowlCDY6DmRhIvsu1PnPzJ15 v5JbQhDpk4kHjalCsJq2QfdcP41pDQ== =h9gU -END PGP SIGNATURE-
Forthcoming OpenSSL Release
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256

The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1g.

This release will be made available on Tuesday 21st April 2020 between 1300-1700 UTC.

OpenSSL 1.1.1g is a security-fix release. The highest severity issue fixed in this release is HIGH: https://www.openssl.org/policies/secpolicy.html#high

Yours
The OpenSSL Project Team

-BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6VuVwACgkQ2cTSbQ5g RJEGGwgAnvbo6LVTEz8PdAOoKPgHiz1ObbB8M/fNANk1Oog1w6CF7a8JPEuB/LlQ ZS0/31x+69xE+GzD4kPBglG6IVnt7F1mlXSc1YEh5c5zs2T5w5Gak5AIzJNZqEFK EmplFS8eZCpKJZc+0YKgMisF4Q+VbRjI+KVtYQKBn3sHRNH04z4Ti6jlS14R4pQd PCB4ftXS/LnISkrxL1uVf1seY+5SpmQjk3FR8ZgrR3vuYAyLcD7aeQNKf+unsS4W u8VnDmqONHa2JfHjsr5PezLZfWa3YTvK352gamyq5sn6y2ciTcI+fABeSD4OYjvQ I6t4kQrzfCdMrBNY8G2D5NYOi5cOKQ== =5CII -END PGP SIGNATURE-
Forthcoming OpenSSL Release
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1f. This release will be made available on Tuesday 31st March 2020 between 1200-1600 UTC. This is a bug fix only release. Yours The OpenSSL Project Team -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl5/MPUACgkQ2cTSbQ5g RJGnaggAjtB2r56ufZaOUAy7/stpy+Cj7R4Jq+RZb8Ja6c9hU9FwHx5/eESxs1lC XQKr5RGcPZbIvgoDaFCBVXBswl6Ivhde/MuWLoeoag+sl4TBztx/Aash6YAT78ij h/NvRcYDn2mcBrclxJckh9sags5ei13d+GWug349X8d7dVdfHooFTBgq0Th4ehfZ UBaNgQTnqnd/8PD2paGkQtHOr8Qr2TTPH6HyQ5Vlea+x0AzjnAbWjbr/wvu0yuFE 2RqE6RnVy65M+Nx1wIXh1ZJT0EfyN4lqRFYuTWViJVPfPDT61UkIKSbxzRtVWEl8 Pu4T2r9cKHl8kFnuA0kqc0/5/jG2EQ== =KWO3 -END PGP SIGNATURE-
Forthcoming OpenSSL release
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1e. This release will be made available on Tuesday 17th March 2020 between 1300-1700 UTC. This will contain one LOW severity fix for CVE-2019-1551 previously announced here: https://www.openssl.org/news/secadv/20191206.txt Please see the following page for further details of severity levels: https://www.openssl.org/policies/secpolicy.html Yours The OpenSSL Project Team
Forthcoming OpenSSL release
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.0.2u This release will be made available on Friday 20th December 2019 between 1300-1700 UTC. This will contain one LOW severity fix for CVE-2019-1551 previously announced here: https://www.openssl.org/news/secadv/20191206.txt Please see the following page for further details of severity levels: https://www.openssl.org/policies/secpolicy.html This is expected to be the last 1.0.2 release before its End Of Life date on 31st December 2019. Yours The OpenSSL Project Team -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl35aKkACgkQ2cTSbQ5g RJFTrQgAs5QMVDvkcEaSqKCKxYqTRaFlBCevtyEV/GaMdhWBEwGDsRfn+8jDSD20 i+UbtL6ymCf7xWrIFHbZaY4E/vyT1UhxkBYXj9DCS02eMRqwy7ileWxqs3xZ2Tiq vqCd+PR13hUdfnOZ62P8Uly9MaR7mTnf+bdJ1vvfOMI6DaUy1HqGghI9YHVwuwqE p6TR/jSCp64BpdsWSNKFTIwvd5u/LkpApO2ngLa5pB8BfUFPwu00ekYNtyb5qrya Gu3dIqJrirPl5ePaci/SC2lkjT2LjKcxIbXn1/rXN1WtsCItV9ztBdrjJvt/rbGM r8O+JOLIa0jEDAgC6fwgmeB7ryNY1w== =PqVo -END PGP SIGNATURE-
OpenSSL Blog Post
Please take a look at my blog post that gives an update on OpenSSL 3.0 development, FIPS and 1.0.2 EOL: https://www.openssl.org/blog/blog/2019/11/07/3.0-update/ Matt
Re: Forthcoming OpenSSL Releases
On 03/09/2019 17:19, Matt Caswell wrote:
> The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t.
>
> These releases will be made available on 10th September 2019 between approximately 1200-1600 UTC.
>
> These are security fix releases. The highest severity security issue fixed by these releases is rated as LOW.
>
> Please note that this is expected to be the last release of 1.1.0 before it goes out of support on 11th September 2019.

We have encountered some technical problems pushing these releases onto the website today. Until those are resolved the release tarballs are not visible via the standard links. The releases are temporarily available at this non-standard location:

https://www.openssl.org/source/?

You can download them directly from there until such time as we fix the website. We will send out the normal release announcements as soon as everything is working normally again.

Regards

Matt
Forthcoming OpenSSL Releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t.

These releases will be made available on 10th September 2019 between approximately 1200-1600 UTC.

These are security fix releases. The highest severity security issue fixed by these releases is rated as LOW.

Please note that this is expected to be the last release of 1.1.0 before it goes out of support on 11th September 2019.

Yours
The OpenSSL Project Team
Re: Forthcoming OpenSSL Releases
On 21/05/2019 16:43, Matt Caswell wrote:
> The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1c, 1.1.0k and 1.0.2s.
>
> These releases will be made available on 28th May 2019 between approximately 1200-1600 UTC.
>
> OpenSSL 1.1.0k and 1.0.2s contain security hardening bug fixes only but do not address any CVEs. OpenSSL 1.1.1c is a bug-fix release (and contains the equivalent security hardening fixes as for 1.1.0k and 1.0.2s where relevant).

Correction to this announcement: OpenSSL 1.1.1c and OpenSSL 1.1.0k (released yesterday) do not address any new CVEs. They do however contain a fix for a previously announced low severity CVE (CVE-2019-1543). See the original security advisory here: https://www.openssl.org/news/secadv/20190306.txt

Matt
Forthcoming OpenSSL Releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1c, 1.1.0k and 1.0.2s.

These releases will be made available on 28th May 2019 between approximately 1200-1600 UTC.

OpenSSL 1.1.0k and 1.0.2s contain security hardening bug fixes only but do not address any CVEs. OpenSSL 1.1.1c is a bug-fix release (and contains the equivalent security hardening fixes as for 1.1.0k and 1.0.2s where relevant).

Yours
The OpenSSL Project Team
Forthcoming OpenSSL Releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1b and 1.0.2r. There will be no new 1.1.0 release at this time.

These releases will be made available on 26th February 2019 between approximately 1300-1700 UTC.

OpenSSL 1.0.2r is a security-fix release. The highest severity issue fixed in this release is MODERATE: https://www.openssl.org/policies/secpolicy.html#moderate

OpenSSL 1.1.1b is a bug-fix release.

Yours
The OpenSSL Project Team
[openssl-announce] OpenSSL 3.0 and FIPS Update
Please see my blog post for an OpenSSL 3.0 and FIPS Update: https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/ Matt -- openssl-announce mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
[openssl-announce] OpenSSL Versioning and License
Please see the following blog post about OpenSSL Versioning and License: https://www.openssl.org/blog/blog/2018/11/28/version/ Matt
[openssl-announce] Forthcoming OpenSSL Releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1a, 1.1.0j and 1.0.2q.

These releases will be made available on 20th November 2018 between approximately 1300-1700 UTC.

These are bug-fix releases. They also contain the fixes for three LOW severity security issues CVE-2018-0735, CVE-2018-0734 and CVE-2018-5407 which were previously announced here:

https://www.openssl.org/news/secadv/20181029.txt
https://www.openssl.org/news/secadv/20181030.txt
https://www.openssl.org/news/secadv/20181112.txt

CVE-2018-0735 only affects the 1.1.0 branch. CVE-2018-0734 affects the 1.1.1, 1.1.0 and 1.0.2 branches. CVE-2018-5407 affects the 1.0.2 branch. It also affects older 1.1.0 releases before 1.1.0i.

Yours
The OpenSSL Project Team
[openssl-announce] OpenSSL Security Advisory
OpenSSL Security Advisory [12 November 2018]

Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
===

Severity: Low

OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key.

This issue does not impact OpenSSL 1.1.1 and is already fixed in the latest version of OpenSSL 1.1.0 (1.1.0i). OpenSSL 1.0.2 is affected but due to the low severity of this issue we are not creating a new release at this time. The 1.0.2 mitigation for this issue can be found in commit b18162a7c.

OpenSSL 1.1.0 users should upgrade to 1.1.0i.

This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri.

Note OpenSSL 1.1.0 is currently only receiving security updates. Support for this version will end on 11th September 2019. Users of this version should upgrade to OpenSSL 1.1.1.

References
==

URL for this Security Advisory: https://www.openssl.org/news/secadv/20181112.txt

Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html
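The advisory names the mitigation commit but does not describe it; what follows is an added example of the standard countermeasure for this bug class, written for this page and not taken from OpenSSL: a Montgomery ladder that performs the same group operations for every bit of the secret scalar and picks operands with an arithmetic mask instead of a branch, so the instruction stream no longer depends on the key. Elliptic-curve point arithmetic does not fit in a short example, so the ladder is shown over modular multiplication, where its structure is identical; the leaky function beside it is square-and-multiply with a key-dependent branch, the kind of control flow a co-located attacker can observe. The 128-bit integer type is a gcc/clang extension and the `%` reduction uses the hardware divider, which is itself not constant time; both are shortcuts of this example, and real field arithmetic has to be constant time as well.

```c
#include <stdint.h>

/* Added example, not the OpenSSL fix: a constant-time Montgomery ladder over
 * modular multiplication, standing in for EC scalar multiplication (same
 * ladder, different group operation). */
typedef unsigned __int128 u128;   /* gcc/clang extension, assumed available */

/* Modular product.  The division is NOT constant time; a real implementation
 * would use Montgomery or Barrett reduction written without data-dependent
 * branches.  It is kept simple here to focus on the ladder itself. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((u128)a * b) % m);
}

/* Leaky reference: the multiply runs only for set bits, so timing, branch
 * history and execution-port usage all follow the secret exponent. */
uint64_t leaky_pow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1)
            r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Swap *a and *b when mask is all ones, leave them when it is zero, with
 * arithmetic only: no branch, no secret-indexed memory access. */
static void ct_swap(uint64_t *a, uint64_t *b, uint64_t mask)
{
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: every iteration does one multiply and one square in the
 * same order whatever the bit is; the bit only decides, via ct_swap, which
 * register plays which role.  Invariant: r1 == r0 * base.  `bits` must be
 * the fixed scalar width (the group order's size), not the exponent's actual
 * length, or the loop count itself would leak. */
uint64_t ladder_pow(uint64_t base, uint64_t exp, uint64_t m, unsigned bits)
{
    uint64_t r0 = 1 % m, r1 = base % m;
    unsigned i;
    for (i = bits; i-- > 0;) {
        uint64_t mask = 0 - ((exp >> i) & 1);   /* 0 or all ones */
        ct_swap(&r0, &r1, mask);
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        ct_swap(&r0, &r1, mask);
    }
    return r0;
}
```

Two cautions when carrying this pattern into production code: an optimising compiler may rewrite the mask arithmetic back into a conditional branch, so the generated assembly (or a tool that checks for secret-dependent control flow) has to be inspected, not just the source; and a ladder only removes the control-flow channel, so the underlying field operations, memory access pattern and loop bounds must be secret-independent too.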
[openssl-announce] OpenSSL 1.1.1 Blog
Our new Long Term Support release, OpenSSL 1.1.1, including TLSv1.3, has been released today. Please download and upgrade! There is a blog post about the new release and the status of the older releases here: https://www.openssl.org/blog/blog/2018/09/11/release111/ Matt
[openssl-announce] Forthcoming OpenSSL releases
Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0i and 1.0.2p.

These releases will be made available on 14th August 2018 between approximately 1200-1600 UTC.

These are bug-fix releases. They also contain the fixes for two LOW severity security issues (CVE-2018-0732 and CVE-2018-0737) which were previously announced here:

https://www.openssl.org/news/secadv/20180612.txt
https://www.openssl.org/news/secadv/20180416.txt

Yours
The OpenSSL Project Team
[openssl-announce] Forthcoming OpenSSL releases
Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0h and 1.0.2o.

These releases will be made available on 27th March 2018 between approximately 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in these releases is MODERATE.

Yours
The OpenSSL Project Team
[openssl-announce] OpenSSL wins the Levchin prize
Today I have had great pleasure in attending the Real World Crypto 2018 conference in Zürich in order to receive the Levchin prize on behalf of the OpenSSL team. More details are available in my blog post here: https://www.openssl.org/blog/blog/2018/01/10/levchin/ Matt
[openssl-announce] Forthcoming OpenSSL release
Forthcoming OpenSSL release
===

The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.0.2n. There will be no OpenSSL 1.1.0 release at this time.

This release will be made available on 7th December 2017 between approximately 1300-1700 UTC.

This is a security-fix release. The highest severity issue fixed in this release is MODERATE.

Please also note that, as per our previous announcements, support for 1.0.1 ended on 31st December 2016.

Yours
The OpenSSL Project Team
Re: [openssl-announce] Forthcoming OpenSSL releases
On 30/10/17 13:50, Matt Caswell wrote:
> Forthcoming OpenSSL releases
>
> The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0g and 1.0.2m.
>
> These releases will be made available on 2nd November 2017 between approximately 1300-1700 UTC.
>
> This is a bug-fix release. It will also include a fix for the low severity security issue previously published here: https://www.openssl.org/news/secadv/20170828.txt

Correction: It will additionally include a fix for a moderate level security issue.

> Please also note that, as per our previous announcements, support for 1.0.1 ended on 31st December 2016.
>
> Yours
>
> The OpenSSL Project Team
[openssl-announce] Forthcoming OpenSSL releases
Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0g and 1.0.2m.

These releases will be made available on 2nd November 2017 between approximately 1300-1700 UTC.

This is a bug-fix release. It will also include a fix for the low severity security issue previously published here: https://www.openssl.org/news/secadv/20170828.txt

Please also note that, as per our previous announcements, support for 1.0.1 ended on 31st December 2016.

Yours
The OpenSSL Project Team
[openssl-announce] Forthcoming OpenSSL releases
Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2l and 1.1.0f.

These releases will be made available on 25th May 2017 between approximately 1200-1600 UTC.

Note: These are bug-fix only releases. No security defects are addressed in these releases.

Please also note that, as per our previous announcements, support for 1.0.1 ended on 31st December 2016.

Yours
The OpenSSL Project Team
[openssl-announce] OpenSSL version 0.9.8zh released (corrected download)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Due to an error in the release process the original distribution downloads were failing to build. New downloads have now been made available on the website. Corrected checksums are given below. OpenSSL version 0.9.8zh released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8zh of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-0.9.8-notes.html OpenSSL 0.9.8zh is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.8zh.tar.gz Size: 3818524 MD5 checksum: c813c065dd53d7bd0a560a870ddd0af5 SHA1 checksum: 3ff71636bea85a99f4d76a10d119c09bda0421e3 SHA256 checksum: f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 The checksums were calculated using the following commands: openssl md5 openssl-0.9.8zh.tar.gz openssl sha1 openssl-0.9.8zh.tar.gz openssl sha256 openssl-0.9.8zh.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWYJIdAAoJENnE0m0OYESR2LoH/j+PPvqiLnh1AgcXMFXlJ+2L 1GxJXVhUVW/d6ws6P1u0ogvX8/W6VCtiWHEcP08zhzQKoQNrga6EvxYlSNQgE80s z+GTC1fI2F8gnz9my1s4IowKQOCumSUKU39YhhZ+JpicbThj3tTE3eC07mnJtHYK bCl3Ec6Q4K5HRq7KxHRFLPwD7Mt3gJ4SCMLgRLT/Q/kbHdV20luMFqS6YsI0tdpB mPBZYeNrU0n8OtRS4aXu8O0+iYHN6xsnaLhGNGVtqkbb9cy3GFcU7clP990D67Td R6XHEae4hA0gxsI91/ARfkRsbwr3HToOmjqasmYWdzS9YfULtyXCvHGwPYJv8O8= =ps/C -END PGP SIGNATURE- ___ openssl-announce mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
[openssl-announce] OpenSSL version 1.0.0t released (corrected download)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Due to an error in the release process the original distribution downloads were failing to build. New downloads have now been made available on the website. Corrected checksums are given below. OpenSSL version 1.0.0t released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.0t of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.0-notes.html OpenSSL 1.0.0t is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.0t.tar.gz Size: 4092302 MD5 checksum: 7b7e9f6039a97e4a453b596055912435 SHA1 checksum: ab41cb253405a974063392063a034951a30076e9 SHA256 checksum: 5ab6e348c6c2a95d457e7a00e0aa653bfc7eb4df7b24e7c9ab63163ac0299097 The checksums were calculated using the following commands: openssl md5 openssl-1.0.0t.tar.gz openssl sha1 openssl-1.0.0t.tar.gz openssl sha256 openssl-1.0.0t.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWYJFjAAoJENnE0m0OYESR1d8H/3j6OADtQxQY6bLoQ6Nv65OM oztdsyGQz9hU7ttWwaFi/n2h0sC71fRsEVPR2UkewwnCnX4+VyduVZMg+fhMBP5d TyxN7fbNKfRZD7kus3odVIjUrJX/Rp0LdG5+5hc3fPlnvLJ/QSb+jAVZJy6HWLEO 4M5yJOvcPFaiWEuoVnIEhUuJ5K9xfKNk8nwURkA/aiFi88NgI1d/NZ10SX8IjyGV 1Znfe6ck2c09zA09iKLngmbXWDBwXMzFnvtBdk9Xni/Usn1m/fEkf0LehRVy8cKp woVKGUcWKEGt85l6RitjFXkNmMrPuimRiBYoajFQ7JNTPYbUaqh+xtnowSemTbc= =ygoc -END PGP SIGNATURE- ___ openssl-announce mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
[openssl-announce] OpenSSL version 1.0.1q released (corrected download)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Due to an error in the release process the original distribution downloads were failing to build. New downloads have now been made available on the website. Corrected checksums are given below. OpenSSL version 1.0.1q released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1q of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.1-notes.html OpenSSL 1.0.1q is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.1q.tar.gz Size: 4549898 MD5 checksum: 54538d0cdcb912f9bc2b36268388205e SHA1 checksum: c65a7bec49b72092d7ebb97a263c496cc1e1d6af SHA256 checksum: b3658b84e9ea606a5ded3c972a5517cd785282e7ea86b20c78aa4b773a047fb7 The checksums were calculated using the following commands: openssl md5 openssl-1.0.1q.tar.gz openssl sha1 openssl-1.0.1q.tar.gz openssl sha256 openssl-1.0.1q.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWYJCeAAoJENnE0m0OYESRQqsIAL/W3CN6X1Lm5cySm0ludaxX 7GZTIIjQjoPLu5UFhgHb0MlYFxvU2CgeahpR8wCFI/s10/enGs7bD54chlBJMqZC C+7+QWq6oY45f2Jnb5toGWK7jkWSW6ASkwTfvK086D+XlIGwgokI1cy3nL+UhdVl YHPb5hoR51l6rMQBB3uR1k2SXp3CEanMnJ1vL81gY05gPkc8qGfFaDj7JrteyOcB o+vwqaGg/J6VIPQIlxC46xeANAg6H3uDXHHjbOYyGHdNRhkQHaFx7c85dIHv8WJ5 J1XXcEmAae4Th+LCQkSu7IKr4Qezr0sw2xMnRgne7oytgYQpyY4xbkTdBFoFtTA= =2dkv -END PGP SIGNATURE- ___ openssl-announce mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
[openssl-announce] OpenSSL version 1.0.2e released (corrected download)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Due to an error in the release process the original distribution downloads were failing to build. New downloads have now been made available on the website. Corrected checksums are given below. OpenSSL version 1.0.2e released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2e of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.2-notes.html OpenSSL 1.0.2e is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.2e.tar.gz Size: 5256555 MD5 checksum: 5262bfa25b60ed9de9f28d5d52d77fc5 SHA1 checksum: 2c5691496761cb18f98476eefa4d35c835448fb6 SHA256 checksum: e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff The checksums were calculated using the following commands: openssl md5 openssl-1.0.2e.tar.gz openssl sha1 openssl-1.0.2e.tar.gz openssl sha256 openssl-1.0.2e.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWYI+hAAoJENnE0m0OYESRdz8IALIWuYoQnsCnwISeaIDuKMqj VDYdPtJRHz3dLXIal6tHtuqPP/NAq+EY+7WMCufUiCLJaVLOm5baw/G69ksF7RMd yeaLsBw7Lq4B/glSFXfPopi2rY6zmhQV6/DdGQ/BvCH9Z38nH8ZR/GTYR546XN7o GLWyHwe18HEUoRQok7UbGopC2iZPMDah0V7KB3q1fHIOIfeVstw33khNMBBZ7O8R m4SsUyJ1tVgpSv2UB1L2rkxuKPfCYBrS+7sw8ZH2kyNMVeAuHPxcG9LKoDCMSii5 00b0XcIC7MoOXeTmXK93N7NDRRYhKfeJYCSwBBBAshJrGtj27avAZR4jB5PpdsU= =JPLJ -END PGP SIGNATURE- ___ openssl-announce mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
[openssl-announce] Forthcoming OpenSSL releases
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2e, 1.0.1q, 1.0.0t and 0.9.8zh.

These releases will be made available on 3rd December between approx.
1pm and 5pm (UTC). They will fix a number of security defects, the
highest of which is classified as "moderate" severity.

Please note that the OpenSSL project has recently revised its severity
definitions by introducing a new "critical" level, i.e. the severity
levels are now: critical, high, moderate and low. Please see the
following page for further details:

https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, the 1.0.0 and
0.9.8 releases will no longer be receiving security updates after the
end of this year. This means that, barring any unexpected significant
security issues between now and 31st December 2015, it is likely that
these releases will be the last ones for 1.0.0 and 0.9.8.

Yours

The OpenSSL Project Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWXG1kAAoJENnE0m0OYESR3vgH/0R7GCsN4moof7ezQIbZbxxN
qeiwH2SGj0a5KXM/J9Ee4jcQWA2n0SfUeFbgLSvqBO8BQdz3oTJMF45Z+gXjWFqZ
OiEQ+ZFayNm/Tb46OFhglbRBhfb7Je4sy4i8cSW6wGQ2EdWz3JN/xWC0q9KMqQpi
k8IwitBK3WxZ/Je+rHZvsDzABWd3Jf2+QlDjwHXxSfrW9UBc5Wr7e+d5XMQk2KML
FGJtkucAFs+AiOWvfsJ2WzFYy373M7pYQT38ODOuvT9HxMHzDY89kj2BsFjr8pZY
yIk9fAE1BTKRoNoUPETVuYi0Wq+xFHgV5urFQztxglWymcxAILHOZ+PZDyT/m5Q=
=QGvN
-----END PGP SIGNATURE-----
[openssl-announce] OpenSSL 1.1.0 Release Timetable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The OpenSSL Project team would like to announce the publication of our
current plans for the OpenSSL 1.1.0 release timetable. This has been
included in our release strategy available here:

https://www.openssl.org/policies/releasestrat.html

Yours

The OpenSSL Project Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJV+UFyAAoJENnE0m0OYESRZiIH/0oT1j9Ipizi/IVjMSuE6BHY
wDdvGuobNSwVUOb61TMxJejI6VX2mowZNjZrc8IdULYIVNnHNyF+iDNBrYQR+KcN
bdVE8b1T6nzkKn8e7paI7cqdTYll59vE/p1fJ6uiZb0Y7oOLJ46jWuoRjtQB5xbw
bJt8XweO7zR34ungk/kNLb76D8ZSKxGeaJsgD68ymJgOJdFpWHv4/phpg4eLClmk
g+8g90COCfwQh9BskhVpUr5fT1+zxo91FA4HgQp3WdRhtcmYAbgoScc6/MWc73MH
jIXEGBDURKaR0M2/WLf0Ezz/666ZxltjUhHNtOrhdv6waHmlpjsnYn1M7bxNh+Q=
=R/23
-----END PGP SIGNATURE-----
[openssl-announce] Forthcoming OpenSSL releases
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg.

These releases will be made available on Thursday 11th June. They will
fix a number of security defects. The highest severity defect fixed by
these releases is classified as "moderate" severity (see
https://www.openssl.org/about/secpolicy.html).

Yours

The OpenSSL Project Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVde3fAAoJENnE0m0OYESRIokH+QFLMvyyCxztRQGRm54oxOGA
WugDkHsonM6meJp8TPqjnSrvk5xmKT1FFL+9lZ/7V/Y/ImhjSkxAp1j3mbA3Drw0
UoDEO59hA2ZuKtLMIIgSRH+BTUIO0wHuVDURiVRBkj0A1shlI21uoRcJFNoAuGMQ
9wymbc5lIkN3OEUYKh5QW/izmdTFEYeNBDSndTO0kg5koymRTf68gCEtQ5sh3zFB
Hnmx3rEsEr8NbWxrvHly2rPLcy8TluIe/uiIG3FBF/acyW/4KWFqvf994eCQYenw
JG57Hv64TZa7dTmmjBNZgkrN8wM89SEW3pLCRmqkbBfQ12IByJC8dYNR8ieOp9g=
=eGiv
-----END PGP SIGNATURE-----
Re: [openssl-announce] Forthcoming OpenSSL releases
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/03/15 19:05, Matt Caswell wrote:
>
> Forthcoming OpenSSL releases
>
> The OpenSSL project team would like to announce the forthcoming
> release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
>
> These releases will be made available on 19th March. They will fix
> a number of security defects. The highest severity defect fixed by
> these releases is classified as "high" severity.

I have received a number of queries regarding the timing of Thursday's
release. To clarify, we are aiming to have the release available
sometime between 1100-1500 GMT.

Regards

Matt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVCVyPAAoJENnE0m0OYESROvYH/1BdqjzpgiTMhAIYsJjDb0xt
eWM5GdqwiATa+1FqvYXN1pa3Wencl0UVAKsUh0tsC/6MaQVSqyUVkpJZNvvwTrqt
Fmn8sYrF4vFdGNCWoMWWCm0roW9r7V/BGRJrXol0O6b/t5+QrRkVTlEsHTVi3PKD
ujQS5heKS5HPNlZEkhWz+MH3i5RcWx7TVTLVGtsKhIlkc0bM5tSKiynMYQyOhkh2
dLfnNvHGC/g7qIeWg3cGXa4P5Y78SrBvKGj5Bu7IouaT2bC01RfAfYH7pJwpISbZ
3qwwKqGuNF31AC8xBM4CPFU+7MJQtRDtcDzQURHud4Vqn4C/rtmnI0r+tkxDi9I=
=99aY
-----END PGP SIGNATURE-----
[openssl-announce] Forthcoming OpenSSL releases
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as "high" severity.

Yours

The OpenSSL Project Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVByl7AAoJENnE0m0OYESRm5MIAJV4ElRSS575QkYwPcOw7VTK
8Ulc6TMHsy2s5UvTXl/THqEoy5n92v99Cm69Y69TSWOgK9FK8aV0BuKkVZVYp3Ko
MYV4VMr8a7YiNh/16HctRLfEPH8bg5AkY76Y4RM5i1AXafSR6wMuwlJl21TmqMI+
J+HA39UvlWZ9zI7Lzz0v1BMoGAXg0cr8//QRcrFFgZZuUVtscwRRA9nRS65+AJhX
ogd3ncUPUI3YEzxqv0kDfUre/2XeUNOM+N+u9pyfjoXHaMVsSX3A1HtpmEAMyzhE
DqF+kmhTEyK0HYCVLnl6PLnBdHpPKY3qNFYd8trFyC2hpB9U6Qsut4KeKNtAi2g=
=Uwpw
-----END PGP SIGNATURE-----
[openssl-announce] Forthcoming OpenSSL releases and reformat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The OpenSSL Project are pleased to make the following announcements:

- - There will be new releases made available on Thursday 15th January
for versions 1.0.1, 1.0.0 and 0.9.8. These will be bug fix only
releases to address build problems with the current releases on the
Windows and OpenVMS platforms. No new security issues will be included
in these releases.

- - The whole OpenSSL codebase will be reformatted according to the
newly published OpenSSL coding style
(https://www.openssl.org/about/codingstyle.txt) on Wednesday 21st
January. This will include the master, 1.0.2, 1.0.1, 1.0.0 and 0.9.8
branches. See [1] for further background information.

- - Between the releases being made available on 15th January and the
code reformat on 21st January the 1.0.1, 1.0.0 and 0.9.8 branches in
the public repository will be frozen and no changes will be made
(except in the case of very high priority fixes).

- - OpenSSL 1.0.2 will be released on Thursday 22nd January.

Yours

The OpenSSL Project Team

[1] https://mta.openssl.org/pipermail/openssl-dev/2015-January/000299.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUtowSAAoJENnE0m0OYESRjr0H/3ui088oz8ZDcHEkhXoF1Pd/
bJStjZPtWUq4BJTTKq/GTTK7TGsjW+z+OwXFuLOX6ZfvVTG0aMpCGEU4OT7PO2zt
NC76X56bTA+sFrJt65Ks3xMZ4pppBRq6irSJsvihEb1rWiAGDlTTjJJLKfgP76Xc
ZxHnQ4LKmWcqqZmuK+XFqkitf6DuVMNlPa6yJ9jjbq6gSibxSNvhbu+qTfH2M30g
9X854pWKj5j76RLmDvFBPqP+sGHNBhs45THZO7BuGPQV5lJzRvnJxQKreAcHAyhq
BihHEdsk9wKMKJNjrcVgfKSulx3PLvAIn8mZW9CIuxmEfn9LKsGyrJvwJLBk5DY=
=d482
-----END PGP SIGNATURE-----