New OpenSSL Releases
The OpenSSL project team would like to announce the upcoming release of OpenSSL versions 3.3.2, 3.2.3, 3.1.7 and 3.0.15. These are security-fix releases. The highest severity issue fixed in each of these four releases is Moderate:

https://openssl-library.org/policies/general/security-policy/

We will also be releasing extended support OpenSSL versions 1.1.1za and 1.0.2zk which will be available to premium support customers. These are also security-fix releases. The highest severity issue fixed in each of these two releases is Low:

https://openssl-library.org/policies/general/security-policy/

These releases will be made available on Tuesday 3rd September 2024 between 1300-1700 UTC.

Yours

The OpenSSL Project Team

New OpenSSL Releases
The OpenSSL project team would like to announce the upcoming release of OpenSSL versions 3.3.1, 3.2.2, 3.1.6 and 3.0.14.

We will also be releasing extended support OpenSSL version 1.1.1y which will be available to premium support customers.

These releases will be made available on Tuesday 4th June 2024 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in each of these releases is Low:

https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team

New OpenSSL Releases
The OpenSSL project team would like to announce the upcoming release of OpenSSL versions 3.2.1, 3.1.5 and 3.0.13.

We will also be releasing extended support OpenSSL versions 1.0.2zj and 1.1.1x which will be available to premium support customers.

These releases will be made available on Tuesday 30th January 2024 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in each of these releases is Low:

https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team

New OpenSSL Releases
The OpenSSL project team would like to announce the upcoming release of OpenSSL versions 3.1.4 and 3.0.12.

These releases will be made available on Tuesday 24th October 2023 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in each of these two releases is Moderate:

https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team

New OpenSSL Releases
The OpenSSL project team would like to announce the upcoming release of OpenSSL versions 3.1.3 and 3.0.11.

These releases will be made available on Tuesday 19th September 2023 between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in each of these two releases is Low:

https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team

New OpenSSL releases fix denial of service attacks [17 March 2004]
OpenSSL Security Advisory [17 March 2004]

Updated versions of OpenSSL are now available which correct two security issues:

1. Null-pointer assignment during SSL handshake
===============================================

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue.

All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from 0.9.7a to 0.9.7c inclusive are affected by this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details.

2. Out-of-bounds read affects Kerberos ciphersuites
===================================================

Stephen Henson discovered a flaw in SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and will therefore be unaffected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to this issue.

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details.

Recommendations
---------------

Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications statically linked to OpenSSL libraries.

OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    ftp://ftp.openssl.org/source/

The distribution file names are:

    o openssl-0.9.7d.tar.gz
      MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5

    o openssl-0.9.6m.tar.gz [normal]
      MD5 checksum: 1b63bfdca1c37837e9f1623498f9

    o openssl-engine-0.9.6m.tar.gz [engine]
      MD5 checksum: 4c39d2524bd466180f9077f8efddac8c

The checksums were calculated using the following command:

    openssl md5 openssl-0.9*.tar.gz

Credits
-------

Patches for these issues were created by Dr Stephen Henson ([EMAIL PROTECTED]) of the OpenSSL core team. The OpenSSL team would like to thank Codenomicon for supplying the TLS Test Tool which was used to discover these vulnerabilities, and Joe Orton of Red Hat for performing the majority of the testing.

References
----------

http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20040317.txt
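
The affected ranges stated in the 17 March 2004 advisory above, expressed as a version triage check. This is an added example, not part of the original messages and not OpenSSL's own code; the function names and the sample `openssl version` strings are constructed for illustration.

```python
import re

# Affected ranges exactly as stated in the advisory (letter suffixes, inclusive).
AFFECTED = {
    "CAN-2004-0079": {"0.9.6": ("c", "k"), "0.9.7": ("a", "c")},
    "CAN-2004-0112": {"0.9.7": ("a", "c")},
}
# Fixed releases the advisory recommends, per branch.
FIXED = {"0.9.6": "0.9.6m", "0.9.7": "0.9.7d"}

# Matches "0.9.7c" as ("0.9.7", "c"); the letter suffix may be absent.
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]*)\b")


def parse_version(text):
    """Extract (branch, letter) from a bare version or `openssl version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return m.group(1), m.group(2)


def triage(text):
    """Return (advisory issues covering this version, upgrade target or None)."""
    branch, letter = parse_version(text)
    hits = sorted(
        issue for issue, ranges in AFFECTED.items()
        if branch in ranges and len(letter) == 1
        and ranges[branch][0] <= letter <= ranges[branch][1]
    )
    return hits, (FIXED.get(branch) if hits else None)


if __name__ == "__main__":
    # Constructed sample inputs in the format printed by `openssl version`.
    for sample in ("OpenSSL 0.9.6k 30 Sep 2003", "OpenSSL 0.9.7c 30 Sep 2003",
                   "OpenSSL 0.9.6b 9 Jul 2001", "OpenSSL 0.9.7d 17 Mar 2004"):
        issues, target = triage(sample)
        print(f"{sample!r}: {issues or 'not in the advisory ranges'}"
              + (f" -> upgrade to {target}" if target else ""))
```

`openssl version` reports only the library behind the command-line binary; applications statically linked to OpenSSL carry their own copy and need checking separately, which is why the advisory asks for them to be recompiled.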