OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [14 December 2021] Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044) Severity: Moderate Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. OpenSSL 3.0.0 SSL/TLS clients are affected by this issue. Users of this version should upgrade to OpenSSL 3.0.1. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. This issue was reported to OpenSSL on 29th November 2021 by Tobias Nießen. The fix was developed by Matt Caswell and Tobias Nießen. Note OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of these issues on OpenSSL 1.1.0 has not been analysed. Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1. References == URL for this Security Advisory: https://www.openssl.org/news/secadv/20211214.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4zbUACgkQ2cTSbQ5g RJG+TggAsQHgwpwy2j4FPzKFAar5hM+3cMI9hZUECu5VJBZaVUQM3fBY5Um16T5L n6weB9EFe+xpA2ncuuDeUWGvACW5oj6j/obfse4cIRc2K4XfHNydzCi/EB1cG1Qi d4/dqw4I8KgyZkk7iyZawtQ+vslSefsUbYSqrslBiETK7VMGjIrxNy7ohMadFdA7 E8dYicPPjkYX/4+vs/W0RiAe4kFAHKTFZIvh2ab65CBubAOGDS0CFavd57FvC10Y UquSKdBIWIIlfueQ8IhYx3v/VEOvS4Q8OpkPkfuoRu0j3qX8lvyHV+gipHD9MK9q zI7Kj9oa+mUqyT5cp3mhIbSqq3Qm0A== =xJgY -END PGP SIGNATURE-
OpenSSL version 3.0.1 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0.1 released == OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 3.0.1 of our open source toolkit for SSL/TLS. For details of the changes, see the release notes at: https://www.openssl.org/news/openssl-3.0-notes.html Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here: https://www.openssl.org/docs/man3.0/man7/migration_guide.html OpenSSL 3.0.1 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.1.tar.gz Size: 15011207 SHA1 checksum: 33b00311e7a910f99ff041deebc6dd7bb9f459de SHA256 checksum: c311ad853353bce796edad01a862c50a8a587f62e7e2100ef465ab53ec9b06d1 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.1.tar.gz openssl sha256 openssl-3.0.1.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4w10ACgkQ2cTSbQ5g RJETYQgAjRoCClgeA+HaqG8t+dnYgBdlvXtRqdcPaBpWPO0E4hoSE09jgfJrs2Hj oKiH844DXxfQTDAexG08X5sw/YL1hp5bchoHGz2L8ZzbaXNSt/4tUYRM+/DKo3t0 SWMCNNeu6PG2HUxv0VaDujAUnPqG0K7bZ9zjeXP3OepTSa8FR0QQG4oN+dBamYQi k8rL6+VOxxq2mjcAfBj8pybKcxiGXtEy+evBwSGdVPOXhogvzIO0JyPfpS08UZke CvIMcqR0k4CzmBlVeveKUKqF+EOJWTgcYDPjIzuP9FKFdYcEis0+dzMzg5CeLPbn MMMnbatP918MZIIeC4L6U02AT3I4Ew== =0RgY -END PGP SIGNATURE-
OpenSSL version 1.1.1m published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1m released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1m of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html OpenSSL 1.1.1m is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1m.tar.gz Size: 9847315 SHA1 checksum: 39d424c4411e45f1570073d7a71b1830b96007ca SHA256 checksum: f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96 The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1m.tar.gz openssl sha256 openssl-1.1.1m.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4vAIACgkQ2cTSbQ5g RJFRjgf+LXWwOHLNWh4XBVIwbQgaCF7mHMQqfa0LGzke/xA+K41Mb7h5+LRGsyDS NxHPiI1Qj4brhpVDQWF4D0aNi+BaWYU72tb7vaFneO1lVvRXBntYxw8ioyCKGRfZ weCw0Jl9+fH5KKQ2SMoSeXKwdeZWgm+JaUcIgIt9oDrlNHhv2lTYbaqXWZ9t0dwY HMjR78zdbcnmOJ3mqBzVlwfdBuGqC6iuk+J9SgZNTCn//X5PDj3gbcDjS22CWMQH ViMHOaN+ZxZii1HMELpEWE0RBotC5UxlWXq8PZFqXvwLISGeyokTcTCElxTuh3os OnZf+Jd35FlKihCKqaYFiRGboOKPjA== =Ac7r -END PGP SIGNATURE-
