[web] master update
The branch master has been updated via 8b89d4009750e75be8cc9ced269234c34290a775 (commit) from fb2c1de49360a78822fcd5c5a2ad0a1f0fd94220 (commit) - Log - commit 8b89d4009750e75be8cc9ced269234c34290a775 Author: Matt Caswell Date: Thu Apr 23 14:30:29 2020 +0100 Update newsflash for 3.0 alpha 1 release Reviewed-by: Richard Levitte --- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index 43ad814..38bf5e2 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +23-Apr-2020: Alpha 1 of OpenSSL 3.0 is now available: please download and test it 21-Apr-2020: Security Advisory: one high severity fix in SSL_check_chain() 21-Apr-2020: OpenSSL 1.1.1g is now available, including a security fix 31-Mar-2020: OpenSSL 1.1.1f is now available, including bug fixes
[web] master update
The branch master has been updated via fb2c1de49360a78822fcd5c5a2ad0a1f0fd94220 (commit) from 7432cc2319a591467575763dcbd5a1c968bf595e (commit) - Log - commit fb2c1de49360a78822fcd5c5a2ad0a1f0fd94220 Author: Matt Caswell Date: Tue Apr 21 15:25:49 2020 +0100 Add a link to the Security Advisory into newsflash Reviewed-by: Mark J. Cox (Merged from https://github.com/openssl/web/pull/172) --- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index 23da77d..43ad814 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +21-Apr-2020: Security Advisory: one high severity fix in SSL_check_chain() 21-Apr-2020: OpenSSL 1.1.1g is now available, including a security fix 31-Mar-2020: OpenSSL 1.1.1f is now available, including bug fixes 17-Mar-2020: OpenSSL 1.1.1e is now available, including bug and security fixes
[web] master update
The branch master has been updated via 7432cc2319a591467575763dcbd5a1c968bf595e (commit) from 0ad7d3cbd190744b43db3517d8470b3bc5a09b20 (commit) - Log - commit 7432cc2319a591467575763dcbd5a1c968bf595e Author: Matt Caswell Date: Tue Apr 21 12:08:12 2020 +0100 Updates for 1.1.1g release Reviewed-by: Richard Levitte --- Summary of changes: news/newsflash.txt | 1 + news/secadv/20200421.txt | 48 news/vulnerabilities.xml | 25 - 3 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20200421.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 6e96930..23da77d 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +21-Apr-2020: OpenSSL 1.1.1g is now available, including a security fix 31-Mar-2020: OpenSSL 1.1.1f is now available, including bug fixes 17-Mar-2020: OpenSSL 1.1.1e is now available, including bug and security fixes 17-Feb-2020: New Blog post: https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/";>QUIC and OpenSSL diff --git a/news/secadv/20200421.txt b/news/secadv/20200421.txt new file mode 100644 index 000..fe46b3f --- /dev/null +++ b/news/secadv/20200421.txt 
@@ -0,0 +1,48 @@ +OpenSSL Security Advisory [21 April 2020] += + +Segmentation fault in SSL_check_chain (CVE-2020-1967) += + +Severity: High + +Server or client applications that call the SSL_check_chain() function during or +after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a +result of incorrect handling of the "signature_algorithms_cert" TLS extension. +The crash occurs if an invalid or unrecognised signature algorithm is received +from the peer. This could be exploited by a malicious peer in a Denial of +Service attack. + +OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This +issue did not affect OpenSSL versions prior to 1.1.1d. + +Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g + +This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April +2020. It was found using the new static analysis pass being implemented in GCC, +-fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin +Kaduk. + +Note += + +This issue did not affect OpenSSL 1.0.2 however these versions are out of +support and no longer receiving public updates. Extended support is available +for premium support customers: https://www.openssl.org/support/contracts.html + +This issue did not affect OpenSSL 1.1.0 however these versions are out of +support and no longer receiving updates. + +Users of these versions should upgrade to OpenSSL 1.1.1. + +References +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20200421.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 08897ed..697c3c9 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
@@ -7,7 +7,30 @@ - + + + + + + + + + + +NULL pointer dereference +Segmentation fault in SSL_check_chain + + Server or client applications that call the SSL_check_chain() function during or + after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a + result of incorrect handling of the "signature_algorithms_cert" TLS extension. + The crash occurs if an invalid or unrecognised signature algorithm is received + from the peer. This could be exploited by a malicious peer in a Denial of + Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This + issue did not affect OpenSSL versions prior to 1.1.1d. + + + +
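Review bot: in news/secadv/20200421.txt the sentence "OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue" should read "versions", and "Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g" is missing its full stop. The same "OpenSSL version 1.1.1d, ..." wording is copied into the description added to news/vulnerabilities.xml, so fix it in both places. Because the advisory says the online copy may be updated over time, it would also help to note somewhere that the XML description is a second copy that has to be kept in step with the .txt file.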
[web] master update
The branch master has been updated via 0ad7d3cbd190744b43db3517d8470b3bc5a09b20 (commit) from edaff9123a6cb70d686b93455572f9cf313563d5 (commit) - Log - commit 0ad7d3cbd190744b43db3517d8470b3bc5a09b20 Author: Matt Caswell Date: Sat Apr 11 19:34:21 2020 +0100 Don't die if we only have one tarball mk-latest incorrectly dies if there is only one tarball. The value of $#tarballs is 0 if there is 1 tarball. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/170) --- Summary of changes: bin/mk-latest | 1 - 1 file changed, 1 deletion(-) diff --git a/bin/mk-latest b/bin/mk-latest index 37423cd..aa4432a 100755 --- a/bin/mk-latest +++ b/bin/mk-latest @@ -9,7 +9,6 @@ chdir $SRCDIR || die "Can't chdir $SRCDIR, $!"; my @tarballs = sort grep /openssl-\d+\.\d+\.\d+[a-z]*\.tar\.gz$/, glob("openssl-*.tar.gz"); -die "No tgz files found in $SRCDIR?\n" if $#tarballs < 1; my %series = (); foreach(@tarballs) {
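Review bot: removing the `die` line in bin/mk-latest fixes the one-tarball case but also drops the guard for the case where the glob matches nothing, which the commit message does not argue for. `$#tarballs` is -1 for an empty list, so the off-by-one can be corrected while keeping the check, for example `die "No tgz files found in $SRCDIR?\n" if $#tarballs < 0;` or `... unless @tarballs;`. As committed, an empty $SRCDIR falls through to `foreach(@tarballs)` with nothing to iterate and no diagnostic from this point in the script.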
[web] master update
The branch master has been updated via edaff9123a6cb70d686b93455572f9cf313563d5 (commit) from 37de7802c8761a93ce77322f3e840240d458a5bc (commit) - Log - commit edaff9123a6cb70d686b93455572f9cf313563d5 Author: Benjamin Kaduk Date: Thu Mar 12 13:48:19 2020 -0700 Add FAQ entry for "server sends HTTP headers in a loop" Older versions of a few commercial HTTPS servers don't handle extended-master-secret and/or encrypt-then-mac very well, but we end up getting asked about this weird behavior that shows up when people upgrade to OpenSSL 1.1.0 clients. Text largely taken from the discussion at https://github.com/openssl/openssl/issues/9360 . Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. Pierre Reviewed-by: Mark J. Cox Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/157) --- Summary of changes: docs/faq-2-user.txt | 15 +++ 1 file changed, 15 insertions(+) diff --git a/docs/faq-2-user.txt b/docs/faq-2-user.txt index 74126ab..3bc8ff7 100644 --- a/docs/faq-2-user.txt +++ b/docs/faq-2-user.txt 
@@ -213,3 +213,18 @@ this increases the size of the default ClientHello message to more than 255 bytes in length. Some software cannot handle this and hangs. +* Some secure servers emit an infinite loop of HTTP headers with an OpenSSL +1.1.0 client, is this a bug? + +OpenSSL 1.1.0 introduced support for several new TLS extensions, including +encrypt-then-mac and extended-master-secret, both of which provide +significant security improvements. Unfortunately, some deployed TLS +servers are severely broken and do not implement extensibility in a +standards-compliant manner; these servers may exhibit strange behavior +such as repeating the HTTP headers in a loop after receiving a ClientHello +that includes such TLS extensions unknown to them. While these new TLS +extensions provide significant security benefits to clients and are +accordingly enabled by default in modern TLS clients, if bringing the +server into compliance is not possible, the extension(s) in question can +be disabled on a per-connection basis when talking to the buggy server, by +using SSL_set_options(3).
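Review bot: the last sentence of the new FAQ entry sends the reader to SSL_set_options(3) without saying which option to set, so someone hitting this problem still has to search the man page for each extension. Name the option next to the extension it disables (for encrypt-then-mac that is SSL_OP_NO_ENCRYPT_THEN_MAC) and say explicitly if one of the two extensions has no corresponding option in 1.1.0. Since the entry itself says these extensions "provide significant security benefits", it is also worth repeating in that sentence that the option should be set only on the SSL object for the connection to the buggy server and not on the shared SSL_CTX.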
[web] master update
The branch master has been updated via 37de7802c8761a93ce77322f3e840240d458a5bc (commit) from 4b0220368e888aab29972537aff8602a45b724e9 (commit) - Log - commit 37de7802c8761a93ce77322f3e840240d458a5bc Author: Matt Caswell Date: Tue Mar 31 13:38:54 2020 +0100 Update newsflash.txt for new release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/167) --- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index b07108b..6e96930 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +31-Mar-2020: OpenSSL 1.1.1f is now available, including bug fixes 17-Mar-2020: OpenSSL 1.1.1e is now available, including bug and security fixes 17-Feb-2020: New Blog post: https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/";>QUIC and OpenSSL 20-Dec-2019: OpenSSL 1.0.2u is now available, including security fixes
[web] master update
The branch master has been updated via 4b0220368e888aab29972537aff8602a45b724e9 (commit) from e06c12c5f7222ba0a7fc7982bf8e4b8f696d0222 (commit) - Log - commit 4b0220368e888aab29972537aff8602a45b724e9 Author: Richard Levitte Date: Tue Mar 31 11:24:47 2020 +0200 Fix 'make relupd' The release updating targets relied on the files CHANGES and NEWS. With OpenSSL 3.0, those have changed name to CHANGES.md and NEWS.md, so an adjustment is needed. Experience shows that we get the best output with a 'commonmark' pandoc reader, and a little bit of post processing the output. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/166) --- Summary of changes: Makefile | 28 +++- bin/from-tt| 33 ++--- bin/post-process-html5 | 18 ++ 3 files changed, 59 insertions(+), 20 deletions(-) create mode 100755 bin/post-process-html5 diff --git a/Makefile b/Makefile index df2d75e..d31a473 100644 --- a/Makefile +++ b/Makefile @@ -161,9 +161,10 @@ docs/fips.inc: $(wildcard docs/fips/*) bin/mk-filelist @rm -f $@ ./bin/mk-filelist docs/fips fips/ '*' >$@ -news/changelog.inc: news/changelog.txt bin/mk-changelog +news/changelog.inc: news/changelog.md bin/mk-changelog @rm -f $@ - ./bin/mk-changelog $@ + (echo 'Table of contents'; sed -e '1,/^OpenSSL Releases$$/d' < $<) \ + | pandoc -t html5 -f commonmark | ./bin/post-process-html5 >$@ news/changelog.html: news/changelog.html.tt news/changelog.inc @rm -f $@ ./bin/from-tt 'releases=$(SERIES)' $< 
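Review bot: the new recipe for news/changelog.inc runs `(echo ...; sed ...) | pandoc -t html5 -f commonmark | ./bin/post-process-html5 >$@` as one shell pipeline, so its exit status is that of ./bin/post-process-html5 alone. If pandoc is missing or fails, the redirect has already created $@ and make can treat an empty or partial changelog.inc as up to date. Consider writing to a temporary file and moving it into place only on success, or splitting the pandoc step into its own recipe line so a failure stops the build.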
@@ -175,41 +176,42 @@ news/changelog.html: $(foreach S,$(SERIES),news/cl$(subst .,,$(S)).txt) # mknews_changelogtxt creates a target and ruleset for any changelog text # file depending on the CHANGES file from the target release. # -# $(1) = output file, $(2) = source directory in CHECKOUTS +# $(1) = output file, $(2) = CHANGES files, relative to CHECKOUTS define mknews_changelogtxt -news/$(1): $(CHECKOUTS)/$(2)/CHANGES +news/$(1): $(CHECKOUTS)/$(2) @rm -f $$@ cp $$? $$@ endef # Create the target 'news/changelog.txt', taking the source from -# $(CHECKOUTS)/openssl/CHANGES -$(eval $(call mknews_changelogtxt,changelog.txt,openssl)) +# $(CHECKOUTS)/openssl/CHANGES.md +$(eval $(call mknews_changelogtxt,changelog.md,openssl/CHANGES.md)) # Create the targets 'news/clxyz.txt' for all current releases, taking the # source from $(CHECKOUTS)/openssl-x.y.z-stable/CHANGES $(foreach S,$(SERIES),\ -$(eval $(call mknews_changelogtxt,cl$(subst .,,$(S)).txt,openssl-$(S)-stable))) +$(eval $(call mknews_changelogtxt,cl$(subst .,,$(S)).txt,openssl-$(S)-stable/CHANGES))) # mknews_noteshtml creates two targets and rulesets for creating notes from # the NEWS file for each release. One target is to create a wrapping HTML # file from a template, the other is to create the inclusion file with the # actual text. 
# -# $(1) = release version +# $(1) = release version, $(2) = NEWS file, relative to CHECKOUTS define mknews_noteshtml news/openssl-$(1)-notes.html: news/openssl-notes.html.tt @rm -f $$@ - ./bin/from-tt -d news release='$(1)' < $$< > $$@ -news/openssl-$(1)-notes.inc: $(CHECKOUTS)/openssl-$(1)-stable/NEWS bin/mk-notes + ./bin/from-tt -d news -i $$< -o $$@ release='$(1)' +news/openssl-$(1)-notes.inc: $(CHECKOUTS)/$(2) bin/mk-notes @rm -f $$@ - ./bin/mk-notes $(1) < $(CHECKOUTS)/openssl-$(1)-stable/NEWS > $$@ + ./bin/mk-notes $(1) < $(CHECKOUTS)/$(2) > $$@ endef # Create the targets 'news/openssl-x.y.z-notes.html' and # 'news/openssl-x.y.z-notes.inc' for each release number x.y.z, taking -# the source from $(CHECKOUTS)/openssl-$(1)-stable/NEWS -$(foreach S,$(SERIES),$(eval $(call mknews_noteshtml,$(S +# the source from the news file given as second argument. +$(foreach S,$(SERIES),\ +$(eval $(call mknews_noteshtml,$(S),openssl-$(S)-stable/NEWS))) news/newsflash.inc: news/newsflash.txt sed <$? >$@ \ diff --git a/bin/from-tt b/bin/from-tt index e3ddf79..b5018b6 100755 --- a/bin/from-tt +++ b/bin/from-tt @@ -4,24 +4,31 @@ HERE=$(cd $(dirname $0); pwd) THIS=$(basename $0) dir= +input= +output= -shortopts='d:h' -longopts='dir:,help' +shortopts='d:i:o:h' +longopts='dir:,input:,output:,help' usage="\ Usage 1: $THIS [ options ] [ key=value ... ] < file.tt > file Usage 2: $THIS [ options ] [ key=value ... ] file.tt ... Options: -d, --dir=DIR Directory of the output file +-i, --input=FILEInput file (usage 1 only) +-o, --output=FILE Output file (usage 1 only) -h, --help Output this usage and do nothing else -In usage 1, the template is read from standard input and
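Review bot: the comments around mknews_changelogtxt were only half updated. The unchanged line "# Create the target 'news/changelog.txt', taking the source from" now sits above `$(eval $(call mknews_changelogtxt,changelog.md,openssl/CHANGES.md))`, which creates news/changelog.md, and the macro's header still says it builds a "changelog text file depending on the CHANGES file". Please update both comments to match the new target name, and consider whether the macro name itself should lose the "txt" suffix now that it is used for a .md target.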
[web] master update
The branch master has been updated via e06c12c5f7222ba0a7fc7982bf8e4b8f696d0222 (commit) via 9d0d2ec0fd21f46e4503282a9b9f1739869accfb (commit) from 9801203e145577c03541cf147946d107d9ae74c5 (commit) - Log - commit e06c12c5f7222ba0a7fc7982bf8e4b8f696d0222 Author: Mark J. Cox Date: Fri Mar 20 09:02:32 2020 + Simple fix for #159 if we can't open the schema tell the user how to work around it. We actually need to do that because some older? Ubuntu systems were having problems with the CA cert from github commit 9d0d2ec0fd21f46e4503282a9b9f1739869accfb Author: Mark J. Cox Date: Thu Mar 19 14:43:19 2020 + Mitre have been stripping whitespace after commas on submitted entries, so let's do that by default. But they are keeping the whitespace after :. fixes #160 --- Summary of changes: bin/vulnxml2json.py | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/bin/vulnxml2json.py b/bin/vulnxml2json.py index cffa29f..3b1dcbb 100755 --- a/bin/vulnxml2json.py +++ b/bin/vulnxml2json.py @@ -39,7 +39,11 @@ if not options.input: exit(); if options.schema: - response = urllib.urlopen(options.schema) + try: + response = urllib.urlopen(options.schema) + except: + print "Problem opening schema: try downloading it manually then specify it using --schema option: %s" % options.schema + exit() schema_doc = json.loads(response.read()) cvej = list() @@ -146,7 +150,7 @@ for issue in cvej: continue f = codecs.open(options.outputdir+"/"+fn, 'w', 'utf-8') -f.write(json.dumps(issue, sort_keys=True, indent=4)) +f.write(json.dumps(issue, sort_keys=True, indent=4, separators=(',',': '))) print "wrote %s" %(options.outputdir+"/"+fn) f.close()
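Review bot: the new `try` block in bin/vulnxml2json.py uses a bare `except:` followed by `exit()` with no status, so every failure (including Ctrl-C and programming errors inside the call) is reported as a schema download problem and the script still exits 0. Catch the specific error that `urllib.urlopen` raises on a failed fetch (IOError in Python 2) and exit non-zero, for example `sys.exit(1)`, so that a Makefile or CI job calling this script notices the failure. Printing the caught exception along with the hint would also tell the user whether the cause is the CA certificate problem the commit message mentions or something else.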
[web] master update
The branch master has been updated via 9801203e145577c03541cf147946d107d9ae74c5 (commit) via 036255af6ba639dd58607c48b3099e13f41ad5bd (commit) from b0b2c557bf523fc71a3f0393fb77fcd84b68c7a1 (commit) - Log - commit 9801203e145577c03541cf147946d107d9ae74c5 Author: Mark J. Cox Date: Thu Mar 19 14:21:28 2020 + Update security.txt to a clearsigned version with non-expired key matching the latest draft-foudil-securitytxt-09 fixes #145 commit 036255af6ba639dd58607c48b3099e13f41ad5bd Author: Mark J. Cox Date: Wed Mar 18 11:03:03 2020 + typo fixes: #86 --- Summary of changes: .well-known/security.txt | 24 +++- .well-known/security.txt.asc | 16 docs/faq-5-misc.txt | 2 +- 3 files changed, 24 insertions(+), 18 deletions(-) delete mode 100644 .well-known/security.txt.asc diff --git a/.well-known/security.txt b/.well-known/security.txt index d56daa5..6da9fbb 100644 --- a/.well-known/security.txt +++ b/.well-known/security.txt 
@@ -1,5 +1,27 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA256 + +Canonical: https://www.openssl.org/.well-known/security.txt Contact: openssl-secur...@openssl.org +Contact: https://www.openssl.org/community/#securityreports Encryption: https://www.openssl.org/news/openssl-security.asc Acknowledgement: https://www.openssl.org/news/vulnerabilities.html Policy: https://www.openssl.org/policies/secpolicy.html -Signature: https://www.openssl.org/.well-known/security.txt.asc + +-BEGIN PGP SIGNATURE- + +iQJMBAEBCAA2FiEE78CkZ9YTy4PH7W0w2JTizos9efUFAl5zf7QYHG9wZW5zc2wt +b21jQG9wZW5zc2wub3JnAAoJENiU4s6LPXn1BP8P/1nvn2szpgh5acMdccb6BJlP +LKSmtkQpwp7SNF7qMwTJ1aB4cjO29n1NE4JGwNLgv4k4jCPsip7CjAbtm4dJolSF +y3y0SaMShkByeeVqB50Sp7EGgPbt91mb094viQiDkqxDnKw9pljG4jqQO/Aj4PQF +/u6b7sDmArLVZMM/62gGxqopovtiRxXxefg7Lp6Qb60JmULdkEJqpzm3lCoGZMuM +m3riCZRhUWVwIzdJtcmtD06QH6KNKNoZGhD2Kxp2zLm2rmn2FtCR8pfa106Nz3SI +gsvVrFymM6NYROMl0T4B71pTXrQJBmAfkp+JXbSIX/ta+bRaNx4Z1ChIEG0llRsf +Bn8YWQ6ub8VAApoi4bbvlIv2BUp+xrGaSoeqQ8wJSJ5yVNcTXCxjN0OhgZFIH0QE +cHn1hqhrCIyhX3NfYgZeeXSfYxUu7AqGufs25YZ6gtNu76nH6/HbYMFVDpCEp94n +dyU2JTIMihalylm54tUulQ/+TX2uTVD42OmcBvBfJ60e3qHNk4NmgiM7g90Gb9QF +dUwGf2QkUi+7xd2NaNGNhkrNvE1eKgPiJxalvWFLhGPOw2FBLxOK3LWpw+IhTacM +CsQnWt+LX9KvAGhd+4+3xThVbJOHBasa8R4o3sHWwTa5Jdi1oO+BaycZdvn8JBL/ +BN+h2A7B4GNYIGaDnYj2 +=w4IR +-END PGP SIGNATURE- diff --git a/.well-known/security.txt.asc b/.well-known/security.txt.asc deleted file mode 100644 index 3fa82a1..000 --- a/.well-known/security.txt.asc +++ /dev/null 
@@ -1,16 +0,0 @@ --BEGIN PGP SIGNATURE- - -iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAlpNnfIACgkQ2JTizos9 -efXBWg//YIzGg2gDBOxsL9TPw2JtCR7SiwgEyHuMKpiHZxhCTfBVlYC0PBJbIvzp -jis9T4GQhmTkKswFzMjSnjLcIWPwUBsuRoZ6J25kAxOckNIa3Cj6HslU+nhxjKzU -UWtSElJKm4TDoTljcl78Jh12xqB90QJU7m9nHyCphaIuCgAugVDfdJxbXS2PsEOP -wClu+dq94BlyswC4jsQSvA7JcEq9JocooD/BYbcSRYK3MCnlu1WtT9JCYap02D5k -lgkGJGNo/Vbi0IglM4WhLI83EWyEOPpEPkT63VeW2dyMFQww8FN/icT2W0geHvac -VfBIKn/Eb357j1pQEufwhLmOb4Wf2EmGGV4uMnzxXk4DCx0PUDXCn8da+/2iBDvS -OUiQ7ziVZdoW/rbA2S9mSIky6HaFQWasVYDCB95lpY20Nr5femLBUpDhp/vTskXJ -dGwITxUxWhH32TGIYMMLFwDLpGb/ej26S+FunVn6gceqnMMQ8MVqTBfO1/3tQKjK -/OJL6+sLWaJMxJK8skLXOUvIwGmeLGArRoITl1lzpzwu09hfTEy19F23DVlwvJ/S -OOYNrJKWhfZwquU3lTZgNxLozGBFKuKvPcFvx25wIuwWnt7AGcfZNTIQb29WMoF2 -bBHJfCYwea2VPuGF++KeFNfOGlXGNK9CX/aKjkwwJK+Fws60oTQ= -=W3nD --END PGP SIGNATURE- diff --git a/docs/faq-5-misc.txt b/docs/faq-5-misc.txt index f06fd34..611f23a 100644 --- a/docs/faq-5-misc.txt +++ b/docs/faq-5-misc.txt @@ -48,7 +48,7 @@ * Where can I get a compiled version of OpenSSL? -You can finder pointers to binary distributions in +You can find pointers to binary distributions in https://www.openssl.org/community/binaries.html. Some applications that use OpenSSL are distributed in binary form.
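Review bot: this change deletes .well-known/security.txt.asc and the `Signature:` field in the same commit that introduces the clearsigned file, so any consumer that still fetches the detached signature from the previously advertised URL will now get nothing. If that is intended, say so in the commit message; otherwise keep the .asc for a transition period. Also, with an inline clearsigned file any later edit to a field (a new `Contact:` line, for instance) invalidates the signature, so it would help to record next to the file who holds the signing key and that the file must be re-signed after every change.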
[web] master update
The branch master has been updated via b0b2c557bf523fc71a3f0393fb77fcd84b68c7a1 (commit) from 2e05fdcbb7391972e356b5ea43174e346b9ceca1 (commit) - Log - commit b0b2c557bf523fc71a3f0393fb77fcd84b68c7a1 Author: Matt Caswell Date: Tue Mar 17 13:31:21 2020 + Update website for new release Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/158) --- Summary of changes: news/newsflash.txt | 1 + news/vulnerabilities.xml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/news/newsflash.txt b/news/newsflash.txt index 3ca8706..b07108b 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +17-Mar-2020: OpenSSL 1.1.1e is now available, including bug and security fixes 17-Feb-2020: New Blog post: https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/";>QUIC and OpenSSL 20-Dec-2019: OpenSSL 1.0.2u is now available, including security fixes 06-Dec-2019: Security Advisory: one low severity fix diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 60bfd33..08897ed 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -37,7 +37,7 @@ - +
[web] master update
The branch master has been updated via 2e05fdcbb7391972e356b5ea43174e346b9ceca1 (commit) from b0f7ee3640633f1be6e7de5962192ddcf44f7d25 (commit) - Log - commit 2e05fdcbb7391972e356b5ea43174e346b9ceca1 Author: Matt Caswell Date: Mon Feb 17 12:22:56 2020 + Add link to the QUIC blog post Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/156) --- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index 454b208..3ca8706 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +17-Feb-2020: New Blog post: https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/";>QUIC and OpenSSL 20-Dec-2019: OpenSSL 1.0.2u is now available, including security fixes 06-Dec-2019: Security Advisory: one low severity fix 07-Nov-2019: New Blog post: https://www.openssl.org/blog/blog/2019/11/07/3.0-update/";>Update on 3.0 Development, FIPS and 1.0.2 EOL
[web] master update
The branch master has been updated via b0f7ee3640633f1be6e7de5962192ddcf44f7d25 (commit) from 2bc6b462e2a286361336a2c6bbab2c629dc38c6e (commit) - Log - commit b0f7ee3640633f1be6e7de5962192ddcf44f7d25 Author: Matt Caswell Date: Tue Jan 7 16:47:23 2020 + Update the Release Strategy for 3.0 Schedule some alpha and beta releases for 3.0 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/web/pull/154) --- Summary of changes: policies/releasestrat.html | 28 +--- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/policies/releasestrat.html b/policies/releasestrat.html index b0d3686..2fd9ad9 100644 --- a/policies/releasestrat.html +++ b/policies/releasestrat.html @@ -13,7 +13,7 @@ Release Strategy First issued 23rd December 2014 - Last modified 25th February 2019 + Last modified 7th January 2020 @@ -45,7 +45,7 @@ - The current 1.1.1 and 1.0.2 versioning scheme remains unchanged: + The current 1.1.1 versioning scheme remains unchanged: As of release 1.0.0 the OpenSSL versioning scheme was improved @@ -72,11 +72,10 @@ The next version of OpenSSL will be 3.0.0. Version 1.1.1 will be supported until 2023-09-11 (LTS). - Version 1.1.0 will be supported until 2019-09-11. - Version 1.0.2 will be supported until 2019-12-31 (LTS). - Version 1.0.1 is no longer supported. - Version 1.0.0 is no longer supported. - Version 0.9.8 is no longer supported. + Version 1.0.2 is no longer supported. Extended support + for 1.0.2 to gain access to security fixes for that version is + available. + Versions 1.1.0, 1.0.1, 1.0.0 and 0.9.8 are no longer supported. We may designate a release as a Long Term Support (LTS) 
@@ -108,6 +107,21 @@ Bug fixes only + The following alpha and beta releases for OpenSSL 3.0 are currently + scheduled. Note that these dates are subject to change and alpha or beta + releases may be inserted or removed as required: + + alpha1, 2020-03-31: Basic functionality plus basic FIPS module + alpha2, 2020-04-21: Complete external provider support (serialization, + support for new algs, support for providers which only include + operations in a class) + alpha3, 2020-05-21: Aiming to test the API completeness before beta1 + freezes it) + beta1, 2020-06-02: Code complete (API stable, feature freeze) + betaN: Other beta releases TBD + Final: 2020 early Q4 + + For any major or minor release, we have defined the following release criteria:
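Review bot: the alpha3 entry in the new schedule, "Aiming to test the API completeness before beta1 freezes it)", ends with a closing parenthesis that has no opening one; drop it or wrap the whole clause in parentheses. The alpha2 entry packs three deliverables into one nested parenthetical ("serialization, support for new algs, support for providers which only include operations in a class"); spelling out "algorithms" and breaking that into a sub-list would make a policy page easier to read.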
[web] master update
The branch master has been updated via 2bc6b462e2a286361336a2c6bbab2c629dc38c6e (commit) from 76f3aa014bf5bf3cf533cf9a0b51951dbd64e8a5 (commit) - Log - commit 2bc6b462e2a286361336a2c6bbab2c629dc38c6e Author: Matt Caswell Date: Mon Jan 6 16:22:17 2020 + Update the website to remove a number of 1.0.2 references Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/153) --- Summary of changes: Makefile | 28 bin/mk-manmap| 27 --- inc/mansidebar.shtml | 1 - source/index.html| 13 + 4 files changed, 9 insertions(+), 60 deletions(-) delete mode 100755 bin/mk-manmap diff --git a/Makefile b/Makefile index 98ddd9f..df2d75e 100644 --- a/Makefile +++ b/Makefile @@ -17,14 +17,10 @@ RELEASEDIR = /var/www/openssl/source ## ## Current series -SERIES=1.1.1 1.0.2 +SERIES=1.1.1 ## Older series. The second type is for source listings -OLDSERIES=1.1.0 1.0.1 1.0.0 0.9.8 0.9.7 0.9.6 -OLDSERIES2=1.1.0 1.0.1 1.0.0 0.9.x -## Current series with newer and older manpage layout -## (when the number of old man layout releases drop to none, this goes away) -NEWMANSERIES=1.1.1 -OLDMANSERIES=1.0.2 +OLDSERIES=1.1.0 1.0.2 1.0.1 1.0.0 0.9.8 0.9.7 0.9.6 +OLDSERIES2=1.1.0 1.0.2 1.0.1 1.0.0 0.9.x # All simple generated files. SIMPLE = newsflash.inc sitemap.txt \ @@ -113,17 +109,6 @@ manpages-$(2): < docs/sub-index.html.tt > docs/man$(2)/index.html endef -# makeoldmanmap creates a .htaccess for the man-pages of a given OpenSSL -# release. This is only needed for OpenSSL releases where the subdirectories -# of doc/ are apps/, crypto/ and ssl/. OpenSSL 1.1.1 and later have a -# different structure and don't need this: man1/, man3/, man5/ and man7/. -# -# $(1) = release version -define makeoldmanmap -manmap-$(1): - ./bin/mk-manmap docs/man$(1) > docs/man$(1)/.htaccess -endef - # Now that we have the generating macros in place, let's use them! # # Start off with creating the 'manpages-master' target, taking the 
@@ -134,13 +119,8 @@ $(eval $(call makemanpages,openssl,master)) # source from $(CHECKOUTS)/openssl-x.y.z-stable/doc $(foreach S,$(SERIES),$(eval $(call makemanpages,openssl-$(S)-stable,$(S -# Finally, create 'manmap-x.y.z' for all releases with the old doc/ -# structure. -$(foreach S,$(OLDMANSERIES),$(eval $(call makeoldmanmap,$(S - manmaster: manpages-master -manpages: $(foreach S,$(NEWMANSERIES),manpages-$(S)) \ - $(foreach S,$(OLDMANSERIES),manpages-$(S) manmap-$(S)) +manpages: $(foreach S,$(SERIES),manpages-$(S)) mancross: ./bin/mk-mancross master $(SERIES) diff --git a/bin/mk-manmap b/bin/mk-manmap deleted file mode 100755 index 7bde661..000 --- a/bin/mk-manmap +++ /dev/null @@ -1,27 +0,0 @@ -#! /bin/sh -# $1 is the top of the manual page tree to look through - -dir=$1 -cd $dir - -for m in `find . -name '*.html'`; do -origsubdir=`grep -F '||' -e 's| ||g'` -subdir=`grep -F '||' -e 's| ||g'` -# If no subdir information is present, this is not a rendered manpage, -# but something else, like index.html -if [ "$origsubdir$subdir" = "" ]; then - continue -fi -manfile=`echo $m | sed -e 's|\./||'` -origmanfile=`echo $manfile | sed -e "s|^$subdir|$origsubdir|"` -case ${origsubdir}:${subdir} in - apps:man1 | crypto:man3 | ssl:man3 ) ;; - * ) echo Redirect permanent /$dir/$origmanfile /$dir/$manfile ;; -esac -done - -cat < master 1.1.1 - 1.0.2 diff --git a/source/index.html b/source/index.html index 122336a..b617cfe 100644 --- a/source/index.html +++ b/source/index.html 
@@ -32,14 +32,11 @@ Note: The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version, supported until 11th September -2023. Our previous LTS version (1.0.2 series) will continue to be -supported until 31st December 2019 (security fixes only during the last -year of support). All users of 1.0.2 are encouraged to upgrade to 1.1.1 -as soon as possible. Extended support for 1.0.2 to gain access to -security fixes beyond 31st December 2019 is -available. -The 0.9.8, 1.0.0, 1.0.1 and 1.1.0 versions are now out of support and -should not be used. +2023. All other versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are +now out of support and should not be used. Users of these older versions +are encourage to upgrade to 1.1.1 as soon as possible. Extended support +for 1.0.2 to gain access to security fixes for that version is +available. The OpenSSL FIPS Object Module 2.0 (FOM) is also available for download. It is
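Review bot: the new paragraph in source/index.html has a typo, "Users of these older versions are encourage to upgrade", which should read "are encouraged". The list of unsupported versions also changed from "0.9.8, 1.0.0, 1.0.1 and 1.1.0" to "(including 1.1.0, 1.0.2, 1.0.0 and 0.9.8)", which silently drops 1.0.1. The word "including" keeps the sentence true, but since this is the text users read to decide whether their version still gets security fixes, list 1.0.1 as well.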
[web] master update
The branch master has been updated via 76f3aa014bf5bf3cf533cf9a0b51951dbd64e8a5 (commit) from f26e81f977a239116ab29fab62b4ed875d9099bc (commit) - Log - commit 76f3aa014bf5bf3cf533cf9a0b51951dbd64e8a5 Author: Matt Caswell Date: Fri Jan 3 14:57:25 2020 + Create an OTC page on the website Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/152) --- Summary of changes: .gitignore | 1 + Makefile| 6 -- community/index.html| 2 ++ community/otc.html | 42 ++ community/sidebar.shtml | 3 +++ 5 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 community/otc.html diff --git a/.gitignore b/.gitignore index b307d34..83f4641 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ blog sitemap.txt community/committers.inc community/omc-alumni.inc +community/otc.inc community/omc.inc docs/OpenSSL300Design.html docs/OpenSSLStrategicArchitecture.html diff --git a/Makefile b/Makefile index 82ffca8..98ddd9f 100644 --- a/Makefile +++ b/Makefile @@ -29,7 +29,7 @@ OLDMANSERIES=1.0.2 # All simple generated files. SIMPLE = newsflash.inc sitemap.txt \ community/committers.inc \ -community/omc.inc community/omc-alumni.inc \ +community/otc.inc community/omc.inc community/omc-alumni.inc \ docs/faq.inc docs/fips.inc \ docs/OpenSSLStrategicArchitecture.html \ docs/OpenSSL300Design.html \ @@ -153,7 +153,7 @@ docs/manpages.html: docs/manpages.html.tt ## ## $(SIMPLE) -- SIMPLE GENERATED FILES ## -.PHONY: sitemap community/committers.inc community/omc.inc community/omc-alumni.inc +.PHONY: sitemap community/committers.inc community/otc.inc community/omc.inc community/omc-alumni.inc newsflash.inc: news/newsflash.inc @rm -f $@ head -7 $? >$@ @@ -167,6 +167,8 @@ community/committers.inc: ./bin/mk-committers $@ @rm -f Members +community/otc.inc: + ./bin/mk-omc -n -t 'OTC Members' otc otc-inactive > $@ community/omc.inc: ./bin/mk-omc -n -e -l -p -t 'OMC Members' omc omc-inactive > $@ community/omc-alumni.inc: 
diff --git a/community/index.html b/community/index.html index e204c4b..72587ad 100644 --- a/community/index.html +++ b/community/index.html @@ -16,6 +16,8 @@ team of committers. The overall project is run by the OpenSSL Management Committee. +Technical decisions are made by the +OpenSSL Technical Committee. We operate under a set of project bylaws and ask everyone to follow our diff --git a/community/otc.html b/community/otc.html new file mode 100644 index 000..19f9f54 --- /dev/null +++ b/community/otc.html @@ -0,0 +1,42 @@ + + + + + + + + + + + +OpenSSL Technical Committee + + The + OpenSSL Technical Committee + represents the official technical voice of the project. All + OTC decisions are taken on the basis of a vote. + + The current OTC consists of (in alphabetical order): + + + + + Names with an (I) are currently inactive as defined in our + bylaws. + + + + + You are here: Home + : Community + : OTC + Sitemap + + + + + + + + + diff --git a/community/sidebar.shtml b/community/sidebar.shtml index 22d5ca0..1f888d0 100644 --- a/community/sidebar.shtml +++ b/community/sidebar.shtml @@ -6,6 +6,9 @@ List of Committers + + OpenSSL Technical Committee + OpenSSL Management Committee
[web] master update
The branch master has been updated via f26e81f977a239116ab29fab62b4ed875d9099bc (commit) from 23af72984b104ab0407873cd01c885be9635cb81 (commit) - Log - commit f26e81f977a239116ab29fab62b4ed875d9099bc Author: Matt Caswell Date: Thu Nov 21 13:44:27 2019 + Update policies for OTC changes Update other policies as necessary to reflect the bylaws changes that introduced the OTC concept. Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/146) --- Summary of changes: policies/committers.html | 64 +++- policies/secpolicy.html | 5 ++-- policies/sidebar.shtml | 4 +-- 3 files changed, 34 insertions(+), 39 deletions(-) diff --git a/policies/committers.html b/policies/committers.html index 46e2b74..96f1018 100644 --- a/policies/committers.html +++ b/policies/committers.html @@ -10,7 +10,7 @@ - Guidelines for OpenSSL Committers + Policy for OpenSSL Committers @@ -24,8 +24,8 @@ How to become a committer? Commit access is granted by the OpenSSL Management Committee - (OMC) (see the - OpenSSL bylaws). + (OMC) typically on the recommendation of the OpenSSL Technical Committee (OTC) + (see the OpenSSL Bylaws). We welcome contributors who become domain experts in some part of the library (for example, low-level crypto) as well as 
@@ -45,42 +45,38 @@ https://github.com/openssl/openssl/issues";>Github issue tracker, and our mailing lists - find impactful ideas to work on. Seek feedback from multiple OMC - members to understand the project, and to support your - application. Let them know that you'd like to become a committer - - they'll nominate you when your code review record demonstrates - impact as well as understanding of the codebase and coding style - (usually after a few months of activity). The final decision to - grant commit access is taken by an OMC vote. - - How to maintain commit status? - To maintain commit status, you should stay active in the - project. As stated in the project bylaws, if you remain inactive - for several months, your commit access will be withdrawn - but - you are always welcome back, just ask an OMC member to - re-nominate you. + find impactful ideas to work on. + + How to maintain committer status? + To maintain committer status, you must stay active in the + project. Refer to the OpenSSL Bylaws + for details. In the unlikely and unfortunate event that your actions conflict with the project objectives or are otherwise - disruptive, commit access may also be revoked by vote of the - OMC. + disruptive, committer status may also be revoked by the OMC. - Code reviews + Approvals and code reviews All submissions must be reviewed and approved by at least two - committers, one of whom must also be an OMC member. If the + committers, one of whom must also be an OTC member. If the author is also a committer then that counts as one of the reviews. In other words: -OMC members need one approval from any committer -Committers need one approval from a committer within the -OMC +OTC members need one approval from any committer +Committers need one approval from an OTC member Contributors without commit rights need two approvals, -including one from the OMC. +including one from an OTC member. 
- This process may seem a little heavy, but OpenSSL is a large, - complicated codebase, and we think two reviews help prevent - security bugs, as well as disseminate knowledge to the growing - contributor base. + An OMC member may apply an OMC-hold to a submission. + An OTC member may apply an OTC-hold to a submission. + An OMC-hold may be cleared by being removed by the member + that put in place the hold or by a vote of the OMC. + An OTC-hold may be cleared by being removed by the member + that put in place the hold or by a vote of the OTC. + + Appr
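Review bot: in the second policies/committers.html hunk, the paragraph that told contributors how nomination works (seek feedback, get nominated, final decision by an OMC vote) is deleted and the section now stops at "find impactful ideas to work on." The first hunk says access is granted "typically on the recommendation of the OpenSSL Technical Committee (OTC)", so one sentence pointing at the Bylaws for the nomination steps would let the "How to become a committer?" section still answer its own question. The same hunk also changes "revoked by vote of the OMC" to "revoked by the OMC"; if a vote is still required, keep the word.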
[web] master update
The branch master has been updated via 23af72984b104ab0407873cd01c885be9635cb81 (commit) via d357e46dce040f602bd150afa23c68d80a58abfa (commit) via 5ad619db6417b3405b9932e0d514112a60beb875 (commit) via 78cdcfd517424f1b95f8d8e195e5cbdd822a631e (commit) from ba98fa477470b023d70a080fad35dd406b573f3f (commit) - Log - commit 23af72984b104ab0407873cd01c885be9635cb81 Merge: d357e46 78cdcfd Author: Mark J. Cox Date: Fri Jan 3 12:13:39 2020 + Merge pull request #148 from mattcaswell/remove-110-additional Remove an additional 1.1.0 reference commit d357e46dce040f602bd150afa23c68d80a58abfa Merge: ba98fa4 5ad619d Author: Mark J. Cox Date: Fri Jan 3 12:13:07 2020 + Merge pull request #151 from iamamoose/eolstatements Allow a default statement if our page is not for a specific base version commit 5ad619db6417b3405b9932e0d514112a60beb875 Author: Mark J. Cox Date: Fri Jan 3 11:48:09 2020 + Allow a default statement if our page is not for a specific base version also clean up the HTML we closed the p tag in the wrong place. Add a statement on all the versions out of support. commit 78cdcfd517424f1b95f8d8e195e5cbdd822a631e Author: Matt Caswell Date: Tue Dec 17 14:26:51 2019 + Remove an additional 1.1.0 reference We previously removed references to 1.1.0 as a current release. There is one remaining spot that was missed, so we update that too. --- Summary of changes: bin/mk-cvepage | 11 ++- inc/mansidebar.shtml | 1 - news/vulnerabilities.xml | 1 + 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/bin/mk-cvepage b/bin/mk-cvepage index 8ab..abed8b4 100755 --- a/bin/mk-cvepage +++ b/bin/mk-cvepage 
@@ -138,12 +138,13 @@ for base in allyourbase(dom): bases.append( "%s" %(base,base)) preface += "Show issues fixed only in OpenSSL " + ", ".join(bases) if options.base: -preface += ", or all versions" +preface += ", or all versions" preface += "Fixed in OpenSSL %s" %(options.base) -for statement in dom.getElementsByTagName('statement'): -if (statement.getAttribute("base") in options.base): -preface += statement.firstChild.data.strip() -preface += "" +else: +preface += "" +for statement in dom.getElementsByTagName('statement'): +if (statement.getAttribute("base") in (options.base or "none")): +preface += ""+statement.firstChild.data.strip()+"" if len(allyears)>1: # If only vulns in this year no need for the year table of contents preface += "Jump to year: " + ", ".join( "%s" %(year,year) for year in allyears) preface += "" diff --git a/inc/mansidebar.shtml b/inc/mansidebar.shtml index c794b16..5ec8083 100644 --- a/inc/mansidebar.shtml +++ b/inc/mansidebar.shtml @@ -5,7 +5,6 @@ master 1.1.1 - 1.1.0 1.0.2 diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 0378674..60bfd33 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7336,6 +7336,7 @@ default and not common. + Note: All OpenSSL versions before 1.1.1 are out of support and no longer receiving updates. Extended support is available for 1.0.2 from OpenSSL Software Services for premium support customers. OpenSSL 0.9.6 is out of support and no longer receiving updates. OpenSSL 0.9.7 is out of support and no longer receiving updates. OpenSSL 0.9.8 is out of support since 1st January 2016 and no longer receiving updates.
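Review bot: in the bin/mk-cvepage hunk, the condition statement.getAttribute("base") in (options.base or "none") is a substring test between two strings, not an equality test. If getAttribute returns an empty string for a missing attribute, as DOM implementations do, a statement with no base attribute is contained in every string and is printed on every page; a base of "1.0" would likewise match when options.base is "1.0.2". Comparing with == against (options.base or "none") says what is meant, and the "none" sentinel deserves a comment stating which base value a default statement in vulnerabilities.xml is expected to carry.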
[web] master update
The branch master has been updated via ba98fa477470b023d70a080fad35dd406b573f3f (commit) via edfd2b0b8980e340b13d288fc373c8ee9b909307 (commit) from 9d8e43e70514d403e27663b13d06963c5381603b (commit) - Log - commit ba98fa477470b023d70a080fad35dd406b573f3f Merge: 9d8e43e edfd2b0 Author: Mark J. Cox Date: Fri Jan 3 10:05:39 2020 + Merge pull request #150 from iamamoose/eolstatements Update the vulnerability XML to also include some statements about EOL commit edfd2b0b8980e340b13d288fc373c8ee9b909307 Author: Mark J. Cox Date: Fri Jan 3 09:50:43 2020 + Update the vulnerability XML to also include some statements about EOL versions that was we can make it clear on the vulnerability page when things are EOL --- Summary of changes: bin/mk-cvepage | 3 +++ news/vulnerabilities.xml | 8 2 files changed, 11 insertions(+) diff --git a/bin/mk-cvepage b/bin/mk-cvepage index 10654b6..8ab 100755 --- a/bin/mk-cvepage +++ b/bin/mk-cvepage @@ -140,6 +140,9 @@ preface += "Show issues fixed only in OpenSSL " + ", ".join(bases) if options.base: preface += ", or all versions" preface += "Fixed in OpenSSL %s" %(options.base) +for statement in dom.getElementsByTagName('statement'): +if (statement.getAttribute("base") in options.base): +preface += statement.firstChild.data.strip() preface += "" if len(allyears)>1: # If only vulns in this year no need for the year table of contents preface += "Jump to year: " + ", ".join( "%s" %(year,year) for year in allyears) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index de81fa1..0378674 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
@@ -7336,6 +7336,14 @@ default and not common. + OpenSSL 0.9.6 is out of support and no longer receiving updates. + OpenSSL 0.9.7 is out of support and no longer receiving updates. + OpenSSL 0.9.8 is out of support since 1st January 2016 and no longer receiving updates. + OpenSSL 1.0.0 is out of support since 1st January 2016 and no longer receiving updates. + OpenSSL 1.0.1 is out of support since 1st January 2017 and no longer receiving updates. + OpenSSL 1.0.2 is out of support since 1st January 2020 and is no longer receiving updates. Extended support is available from OpenSSL Software Services for premium support customers + OpenSSL 1.1.0 is out of support since 12th September 2019 and no longer receiving updates. +
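Review bot: in the bin/mk-cvepage hunk, statement.firstChild.data.strip() assumes every statement element has a text node as its first child. An empty statement element makes firstChild None and the page build stops with an AttributeError, so a guard that skips statements without a firstChild is worth adding before the append.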
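Review bot: in the news/vulnerabilities.xml hunk, the 1.0.2 statement is worded differently from the other six: it says "and is no longer receiving updates" where the others say "and no longer receiving updates", and its last sentence ("Extended support is available from OpenSSL Software Services for premium support customers") has no closing full stop. These strings are shown verbatim on the vulnerability pages, so the wording should be made uniform.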
[web] master update
The branch master has been updated via 9d8e43e70514d403e27663b13d06963c5381603b (commit) from d94a44ca1bb6183e692c86a5fe99b4f7bf2f28c0 (commit) - Log - commit 9d8e43e70514d403e27663b13d06963c5381603b Author: Matt Caswell Date: Fri Dec 20 13:21:39 2019 + Updates for the 1.0.2u release Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/149) --- Summary of changes: news/newsflash.txt | 1 + news/vulnerabilities.xml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/news/newsflash.txt b/news/newsflash.txt index 0b6d94f..454b208 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +20-Dec-2019: OpenSSL 1.0.2u is now available, including security fixes 06-Dec-2019: Security Advisory: one low severity fix 07-Nov-2019: New Blog post: https://www.openssl.org/blog/blog/2019/11/07/3.0-update/";>Update on 3.0 Development, FIPS and 1.0.2 EOL 10-Sep-2019: Security Advisory: three low severity fixes diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 7409a4d..de81fa1 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -40,7 +40,7 @@ - + Integer overflow bug
[web] master update
The branch master has been updated via d94a44ca1bb6183e692c86a5fe99b4f7bf2f28c0 (commit) from 70947eca9c26af584ac69467a6f5fcd1a2fa6b5a (commit) - Log - commit d94a44ca1bb6183e692c86a5fe99b4f7bf2f28c0 Author: Matt Caswell Date: Mon Dec 16 11:39:44 2019 + Drop 1.1.0 as a current release Don't refer to 1.1.0 as a current release since it is no longer supported. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/147) --- Summary of changes: Makefile | 8 source/index.html | 11 ++- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index 49b9845..82ffca8 100644 --- a/Makefile +++ b/Makefile @@ -17,14 +17,14 @@ RELEASEDIR = /var/www/openssl/source ## ## Current series -SERIES=1.1.1 1.1.0 1.0.2 +SERIES=1.1.1 1.0.2 ## Older series. The second type is for source listings -OLDSERIES=1.0.1 1.0.0 0.9.8 0.9.7 0.9.6 -OLDSERIES2=1.0.1 1.0.0 0.9.x +OLDSERIES=1.1.0 1.0.1 1.0.0 0.9.8 0.9.7 0.9.6 +OLDSERIES2=1.1.0 1.0.1 1.0.0 0.9.x ## Current series with newer and older manpage layout ## (when the number of old man layout releases drop to none, this goes away) NEWMANSERIES=1.1.1 -OLDMANSERIES=1.1.0 1.0.2 +OLDMANSERIES=1.0.2 # All simple generated files. SIMPLE = newsflash.inc sitemap.txt \ diff --git a/source/index.html b/source/index.html index 605c009..122336a 100644 --- a/source/index.html +++ b/source/index.html 
@@ -34,11 +34,12 @@ also our Long Term Support (LTS) version, supported until 11th September 2023. Our previous LTS version (1.0.2 series) will continue to be supported until 31st December 2019 (security fixes only during the last -year of support). The 1.1.0 series is currently only receiving security -fixes and will go out of support on 11th September 2019. All users of -1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible. -The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support and should -not be used. +year of support). All users of 1.0.2 are encouraged to upgrade to 1.1.1 +as soon as possible. Extended support for 1.0.2 to gain access to +security fixes beyond 31st December 2019 is +available. +The 0.9.8, 1.0.0, 1.0.1 and 1.1.0 versions are now out of support and +should not be used. The OpenSSL FIPS Object Module 2.0 (FOM) is also available for download. It is no longer receiving updates. It must be used in
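Review bot: in the Makefile hunk, 1.1.0 is removed from OLDMANSERIES and added to OLDSERIES and OLDSERIES2, but it is not added to any manpage series, so the change does not show whether the 1.1.0 manual pages are still generated or linked. If dropping them is intended, the commit message should say so; if not, 1.1.0 has to stay in one of the manpage series.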
[web] master update
The branch master has been updated via 70947eca9c26af584ac69467a6f5fcd1a2fa6b5a (commit) from 420fb543c12b2a4a18aae85315f8eaefefcd1c33 (commit) - Log - commit 70947eca9c26af584ac69467a6f5fcd1a2fa6b5a Author: Matt Caswell Date: Thu Nov 21 13:44:10 2019 + Update the by-laws to introduce the OTC concept We split the responsibilities of the current OMC into two different groups - the OMC and the OTC (OpenSSL Technical Committee). The OMC still retains its overall management function but the OTC becomes responsible for technical decision making. PR reviews will then require approval from an OTC member instead of an OMC member. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/143) --- Summary of changes: policies/omc-bylaws.html | 276 --- 1 file changed, 211 insertions(+), 65 deletions(-) diff --git a/policies/omc-bylaws.html b/policies/omc-bylaws.html index af5a2ca..88704a8 100644 --- a/policies/omc-bylaws.html +++ b/policies/omc-bylaws.html @@ -13,7 +13,7 @@ OpenSSL Bylaws First issued 13th February 2017 - Last modified 20th December 2017 +Last modified 10th December 2019 
@@ -72,10 +72,26 @@ The OMC: makes all decisions regarding management and strategic direction -of the project; -sets and maintains all policies and procedures; -nominates, elects and removes committers and OMC members as -required; +of the project; including: + + business requirements; + feature requirements; + platform requirements; + roadmap requirements and priority; + end-of-life decisions; + release timing and requirement decisions; + + +maintains the project infrastructure; +maintains the project website; +maintains the project code of conduct; +sets and maintains all project Bylaws; +sets and maintains all non-technical policies and non-technical procedures; +nominates and elects OMC members as required; +approves or rejects OTC nominations for committers and OTC members; +adds or removes OMC, OTC, or committers as required; +adjudicates any objections to OTC decisions; +adjudicates any objections to any commits to project repositories; ensures security issues are dealt with in an appropriate manner; schedules releases and determines future release plans and the 
@@ -95,13 +111,20 @@ but the ones that count in order to participate in the OMC decision-making process are the ones listed below. + In general, the OMC will leave technical decisions to the OpenSSL + Technical Committee (OTC, see below) and not participate in + discussions related to development and documention of the OpenSSL + Toolkit. In exceptional cases however an OTC vote can be overruled + by an OMC vote. Such an exceptional case would be for example if an + OTC decision stands contrary to OMC policies or decisions. + OMC members may become inactive. In order to remain active a member must, in any calendar quarter, contribute by: a) Having authored, or been recorded as a reviewer of, at least one commit made to any OpenSSL repository (including non-code based ones) and -b) vote in at least two-thirds of the total votes closed in the +b) vote in at least two-thirds of the OMC votes closed in the first two months of the quarter and the last month of the preceding quarter. @@ -129,30 +152,7 @@ to vote on and participate in discussions. They retain access to OMC internal resources. - OpenSSL Software Foundation (OSF) - - The OpenSSL Software Foundation represents the OpenSSL project in - legal and most official formal capacities in relation to external - entities and individuals. This includes, but is not limited to, - managing contributor license agreements, managing donations, - registering and holding trademarks, registering and holding domain - names, obtaining external legal advice, and so on. - - Any OMC member may serve as a director of OSF if they wish. To do - so they should send a request to any existing OSF director. - - OpenSSL Software Services (OSS) - - OpenSSL Software Services represents the OpenSSL p
[web] master update
The branch master has been updated via 420fb543c12b2a4a18aae85315f8eaefefcd1c33 (commit) via af80178dcbad3919595cbbf7b7c1837c6ef68d67 (commit) from 4139e6e2815280bdd6fe1618a793918c1c7156f2 (commit) - Log - commit 420fb543c12b2a4a18aae85315f8eaefefcd1c33 Author: Matt Caswell Date: Fri Dec 6 14:33:26 2019 + Update newsflash for security advisory Reviewed-by: Mark J. Cox (Merged from https://github.com/openssl/web/pull/144) commit af80178dcbad3919595cbbf7b7c1837c6ef68d67 Author: Matt Caswell Date: Fri Dec 6 14:26:44 2019 + Add security advisory for CVE-2019-1551 Reviewed-by: Mark J. Cox (Merged from https://github.com/openssl/web/pull/144) --- Summary of changes: news/newsflash.txt | 1 + news/secadv/20191206.txt | 49 + news/vulnerabilities.xml | 52 +++- 3 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20191206.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 896266b..0b6d94f 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +06-Dec-2019: Security Advisory: one low severity fix 07-Nov-2019: New Blog post: https://www.openssl.org/blog/blog/2019/11/07/3.0-update/";>Update on 3.0 Development, FIPS and 1.0.2 EOL 10-Sep-2019: Security Advisory: three low severity fixes 10-Sep-2019: OpenSSL 1.1.1d is now available, including bug and security fixes diff --git a/news/secadv/20191206.txt b/news/secadv/20191206.txt new file mode 100644 index 000..3141f78 --- /dev/null +++ b/news/secadv/20191206.txt 
@@ -0,0 +1,49 @@ +OpenSSL Security Advisory [6 December 2019] +=== + +rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) +=== + +Severity: Low + +There is an overflow bug in the x64_64 Montgomery squaring procedure used in +exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis +suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a +result of this defect would be very difficult to perform and are not believed +likely. Attacks against DH512 are considered just feasible. However, for an +attack the target would have to re-use the DH512 private key, which is not +recommended anyway. Also applications directly using the low level API +BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. + +OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue. However due to the +low severity of this issue we are not creating new releases at this time. The +1.1.1 mitigation for this issue can be found in commit 419102400. The 1.0.2 +mitigation for this issue can be found in commit f1c5eea8a. + +This issue was found by OSS-Fuzz and Guido Vranken and reported to OpenSSL on +12th September 2019. The fix was developed by Andy Polyakov with additional +analysis by Bernd Edlinger. + +Note += + +OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2 +will end on 31st December 2019. Extended support is available for premium +support customers: https://www.openssl.org/support/contracts.html + +OpenSSL 1.1.0 is out of support and no longer receiving updates. It is unknown +whether issues in this advisory affect it. + +Users of these versions should upgrade to OpenSSL 1.1.1. + +References +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20191206.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html 
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index c3532a5..7409a4d 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,57 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Integer overflow bug +rsaz_512_sqr overflow bug on x86_64 + + There is an overflow bug in the x64_64 Montgomery squaring procedure used in + exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis + suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a + result of this defect would be very difficult to perform and are not believed + likely. Attacks against DH512 are considered just feasible. However, for an + attack the target would have to re-use the DH512 private key, which is not + recommended anyway. Al
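Review bot: the advisory body added in news/secadv/20191206.txt and the description added in news/vulnerabilities.xml both say "x64_64 Montgomery squaring procedure", while the advisory heading and the XML title say x86_64. The body text should read x86_64, and both files should be corrected together so the text advisory and the vulnerability page do not diverge.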
[web] master update
The branch master has been updated via 4139e6e2815280bdd6fe1618a793918c1c7156f2 (commit) from f4b6f035624adcd2228c450cb10e74c940aee37f (commit) - Log - commit 4139e6e2815280bdd6fe1618a793918c1c7156f2 Author: Kurt Roeckx Date: Wed Dec 4 19:09:01 2019 +0100 Update key's expiration date --- Summary of changes: news/openssl-security.asc | 74 +++ 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/news/openssl-security.asc b/news/openssl-security.asc index 9dddc89..2b32a4b 100644 --- a/news/openssl-security.asc +++ b/news/openssl-security.asc 
[web] master update
The branch master has been updated via f4b6f035624adcd2228c450cb10e74c940aee37f (commit) from 0f13e11e18c095b1880821007c06719808ce1360 (commit) - Log - commit f4b6f035624adcd2228c450cb10e74c940aee37f Author: Matt Caswell Date: Thu Nov 14 10:50:53 2019 + Clarify the Premium support contract wording The current text is not correct. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/141) --- Summary of changes: support/contracts.html | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/support/contracts.html b/support/contracts.html index 1b91cd1..57302a3 100644 --- a/support/contracts.html +++ b/support/contracts.html @@ -40,10 +40,9 @@ Premium Level Support US$50,000 annually - A custom support contract designed to meet the needs of a specific Enterprise customer + A support contract designed to meet the needs of Enterprise customers Includes extended support for the immediately previous LTS release beyond the public EOL date for that release - Exact costs will depend on the terms of the agreed support contract The premium support plan is intended for the large enterprise using OpenSSL as an essential component of multiple products or
[web] master update
The branch master has been updated via 0f13e11e18c095b1880821007c06719808ce1360 (commit) via 5fbd49f0e4457fdae7e5c09a263792f97353c759 (commit) via cea049657a3078c9cde30101ec0aef24169642c5 (commit) from 8930b3a506ef2147a434448fc21429c1d3e8027d (commit) - Log - commit 0f13e11e18c095b1880821007c06719808ce1360 Merge: 8930b3a 5fbd49f Author: Mark J. Cox Date: Mon Nov 11 12:35:06 2019 + Merge pull request #140 from iamamoose/sponsorship Sync the OSF sponsorship page with the current sponsors commit 5fbd49f0e4457fdae7e5c09a263792f97353c759 Author: Mark J. Cox Date: Mon Nov 11 12:13:54 2019 + Better grammar for where the support goes commit cea049657a3078c9cde30101ec0aef24169642c5 Author: Mark J. Cox Date: Mon Nov 11 11:47:41 2019 + Update the sponsorship page to be current with the list of OSF sponsors. Add a bronze level and the current sponsors at that level. Add a link to the 'in kind' thanks page. --- Summary of changes: support/acks.html | 76 ++ support/donations.html | 3 ++ 2 files changed, 49 insertions(+), 30 deletions(-) diff --git a/support/acks.html b/support/acks.html index eea4919..1f5714c 100644 --- a/support/acks.html +++ b/support/acks.html @@ -7,19 +7,19 @@ - Sponsor Acknowledgements + Acknowledgements The OpenSSL project depends on volunteer efforts and financial support from the end user community. That support comes in many forms. - We would like to identify and thank the following such sponsors - for their significant support of the OpenSSL project. Sponsors are - listed alphabetically within categories. Please note that we ask - permission to identify sponsors and that some sponsors we consider - eligible for inclusion here have requested to remain anonymous. + Sponsorship Donations - Current Sponsors: + + We would like to identify and thank the following sponsors + for their donations which give significant support to the OpenSSL project. + Please note some sponsors remain anonymous. + .sponsorlogo { 
@@ -37,44 +37,60 @@ text-align: center !important; } - - - Exceptional support: + + Exceptional: - https://www.akamai.com/";> https://www.smartisan.com/";> - - - Platinum support: + Platinum: - https://www.bluecedar.com/";> https://www.huawei.com/";> - https://www.netapp.com/";> - https://www.oracle.com/";> - https://www.vmware.com/";> - + Bronze: + + https://cargurus.com/";>CarGurus + + Past sponsors include: + +2018: https://www.akamai.com/";>Akamai, + https://www.bluecedar.com/";>Blue Cedar, + https://www.handshake.org/";>Handshake, + https://www.huawei.com/";>Huawei, + https://levchinprize.com/";>Levchin Prize, + https://www.netapp.com/";>NetApp, + https://www.smartisan.com/";>Smartisan, + and + https://vmware.com/";>VMWare. + +2017: https://www.akamai.com/";>Akamai, + https://www.huawei.com/";>Huawei, + https://www.oracle.com/";>Oracle, + and + https://www.smartisan.com/";>Smartisan. + +2016: https://www.huawei.com/";>Huawei, + https://www.coreinfrastructure.org/";>Linux Foundation +Core Infrastructure Initiative, + and + https://www.smartisan.com/";>Smartisan. + + - + Other Donations + + + We also identify and thank organizations who contribute + in-kind donations to the project. + + diff --git a/support/donations.html b/support/donations.html index 1e6d56e..731ac19 100644 --- a/support/donations.html +++ b/support/donations.html @@ -48,6 +48,9 @@ Silver$10,000/yr Acknowledgement on openssl.org + Bronze$5,000/yr +Acknowledgement on openssl.org +
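Review bot: in the support/acks.html hunk, the 2018 entry under "Past sponsors include:" spells the company "VMWare" and links to https://vmware.com/, whereas the line removed earlier in the same hunk used https://www.vmware.com/. The name is written "VMware", and the link should keep the www form used for the other sponsors in the list.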
[web] master update
The branch master has been updated via 8930b3a506ef2147a434448fc21429c1d3e8027d (commit) from 121a1909bc25d24d6b11c0e3d084ecc5625a1a86 (commit) - Log - commit 8930b3a506ef2147a434448fc21429c1d3e8027d Author: Matt Caswell Date: Thu Nov 7 16:39:27 2019 + Add a link to the new blog post Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/139) --- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index 3671610..896266b 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +07-Nov-2019: New Blog post: https://www.openssl.org/blog/blog/2019/11/07/3.0-update/";>Update on 3.0 Development, FIPS and 1.0.2 EOL 10-Sep-2019: Security Advisory: three low severity fixes 10-Sep-2019: OpenSSL 1.1.1d is now available, including bug and security fixes 10-Sep-2019: OpenSSL 1.1.0l is now available, including security fixes
[web] master update
The branch master has been updated via 121a1909bc25d24d6b11c0e3d084ecc5625a1a86 (commit) from 1cb8b8b472c5bc07856ee2c37fe4e211598d4094 (commit) - Log - commit 121a1909bc25d24d6b11c0e3d084ecc5625a1a86 Author: Richard Levitte Date: Wed Sep 11 23:39:26 2019 +0200 .htaccess: force .sha256 files to application/binary --- Summary of changes: .htaccess | 4 1 file changed, 4 insertions(+) diff --git a/.htaccess b/.htaccess index 717f682..653e58d 100644 --- a/.htaccess +++ b/.htaccess @@ -21,6 +21,10 @@ ForceType application/binary ForceType application/binary + +ForceType application/binary + + ForceType application/binary
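Review bot: The added stanza repeats the same ForceType application/binary directive as the stanzas above and below it, and nothing in .htaccess records why checksum files need it. Add a short comment next to the new block stating the reason, and consider folding the repeated stanzas into one pattern-based block so the next file type does not need a fifth copy.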
[web] master update
The branch master has been updated via 1cb8b8b472c5bc07856ee2c37fe4e211598d4094 (commit) from 6239182447d80939a1e2170e4f7b79917561c165 (commit) - Log - commit 1cb8b8b472c5bc07856ee2c37fe4e211598d4094 Author: Richard Levitte Date: Wed Sep 11 23:25:06 2019 +0200 source: Remove gz encoding on .gz.sha256 files --- Summary of changes: bin/mk-latest | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bin/mk-latest b/bin/mk-latest index 8c2d3a7..37423cd 100755 --- a/bin/mk-latest +++ b/bin/mk-latest @@ -56,4 +56,7 @@ RewriteRule ^openssl-(fips.*) old/fips/openssl-$1 [L] RemoveEncoding .gz + +RemoveEncoding .gz + EOF
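Review bot: After this hunk the generated text contains RemoveEncoding .gz twice in a row before EOF, and nothing in the here-document says which files each one applies to. Add a comment line to the generated output stating that the second directive covers the .gz.sha256 checksum files named in the commit subject, so a later cleanup does not drop it as a duplicate.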
[web] master update
The branch master has been updated via 6239182447d80939a1e2170e4f7b79917561c165 (commit) from 81c6d01b55625c3071296caced494d5d61866083 (commit) - Log - commit 6239182447d80939a1e2170e4f7b79917561c165 Author: Matt Caswell Date: Tue Sep 10 15:34:03 2019 +0100 Fix typo in advisories Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/137) --- Summary of changes: news/secadv/20190730.txt | 2 +- news/secadv/20190910.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/news/secadv/20190730.txt b/news/secadv/20190730.txt index cff9b85..88a50f5 100644 --- a/news/secadv/20190730.txt +++ b/news/secadv/20190730.txt @@ -55,7 +55,7 @@ will end on 11th September 2019. Users of these versions should upgrade to OpenSSL 1.1.1. -Referenses +References == URL for this Security Advisory: diff --git a/news/secadv/20190910.txt b/news/secadv/20190910.txt index 0358352..9af565e 100644 --- a/news/secadv/20190910.txt +++ b/news/secadv/20190910.txt @@ -94,7 +94,7 @@ last 1.1.0 release. Users of these versions should upgrade to OpenSSL 1.1.1. -Referenses +References == URL for this Security Advisory:
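Review bot: Fix the source that advisories are copied from as well. The same misspelt "Referenses" heading is corrected here in both 20190730.txt and 20190910.txt, which suggests the second file was started from a copy of the first; if a template or the previous advisory is used as the starting point, the typo will otherwise return in the next one.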
[web] master update
The branch master has been updated via 81c6d01b55625c3071296caced494d5d61866083 (commit) from b9cdda6cdbe4e87b1e2db37b23cddaca5fb7da9a (commit) - Log - commit 81c6d01b55625c3071296caced494d5d61866083 Author: Matt Caswell Date: Tue Sep 10 12:05:36 2019 +0100 Website updates for new releases Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/136) --- Summary of changes: news/newsflash.txt | 4 ++ news/secadv/20190910.txt | 107 +++ news/vulnerabilities.xml | 164 ++- 3 files changed, 274 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20190910.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 491bee5..3671610 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,10 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +10-Sep-2019: Security Advisory: three low severity fixes +10-Sep-2019: OpenSSL 1.1.1d is now available, including bug and security fixes +10-Sep-2019: OpenSSL 1.1.0l is now available, including security fixes +10-Sep-2019: OpenSSL 1.0.2t is now available, including security fixes 30-Jul-2019: Security Advisory: one low severity fix in Windows builds 28-May-2019: OpenSSL 1.1.1c is now available, including bug and security fixes 28-May-2019: OpenSSL 1.1.0k is now available, including bug and security fixes diff --git a/news/secadv/20190910.txt b/news/secadv/20190910.txt new file mode 100644 index 000..0358352 --- /dev/null +++ b/news/secadv/20190910.txt 
@@ -0,0 +1,107 @@ +OpenSSL Security Advisory [10 September 2019] += + +ECDSA remote timing attack (CVE-2019-1547) +== + +Severity: Low + +Normally in OpenSSL EC groups always have a co-factor present and this is used +in side channel resistant code paths. However, in some cases, it is possible to +construct a group using explicit parameters (instead of using a named curve). In +those cases it is possible that such a group does not have the cofactor present. +This can occur even where all the parameters match a known named curve. + +If such a curve is used then OpenSSL falls back to non-side channel resistant +code paths which may result in full key recovery during an ECDSA signature +operation. + +In order to be vulnerable an attacker would have to have the ability to time +the creation of a large number of signatures where explicit parameters with no +co-factor present are in use by an application using libcrypto. + +For the avoidance of doubt libssl is not vulnerable because explicit parameters +are never used. + +OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. + +OpenSSL 1.1.1 users should upgrade to 1.1.1d +OpenSSL 1.1.0 users should upgrade to 1.1.0l +OpenSSL 1.0.2 users should upgrade to 1.0.2t + +This issue was reported by Cesar Pereida García, Sohaib ul Hassan, +Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley. The +fix was developed by Billy Brumley. It was reported to OpenSSL on 5th August +2019. + + +Fork Protection (CVE-2019-1549) +=== + +Severity: Low + +OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was +intended to include protection in the event of a fork() system call in order to +ensure that the parent and child processes did not share the same RNG state. +However this protection was not being used in the default case. 
+ +A partial mitigation for this issue is that the output from a high precision +timer is mixed into the RNG state so the likelihood of a parent and child +process sharing state is significantly reduced. + +If an application already calls OPENSSL_init_crypto() explicitly using +OPENSSL_INIT_ATFORK then this problem does not occur at all. + +OpenSSL version 1.1.1 is affected by this issue. + +OpenSSL 1.1.1 users should upgrade to 1.1.1d + +This issue was reported by Matt Caswell. The fix was developed by Matthias +St. Pierre. It was reported to OpenSSL on 27th May 2019. + + +Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) + + +Severity: Low + +In situations where an attacker receives automated notification of the success +or failure of a decryption attempt an attacker, after sending a very large +number of messages to be decrypted, can recover a CMS/PKCS7 transported +encryption key or decrypt any RSA encrypted message that was encrypted with the +public RSA key, using a Bleichenbacher padding oracle attack. Applications are +not affected if they use a certificate together with the private RSA key to the +CMS_decrypt or PKCS7_
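Review bot: In the new 20190910.txt, the section title "Fork Protection (CVE-2019-1549)" names the safeguard rather than the defect, unlike the other two titles ("ECDSA remote timing attack", "Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey"). A title along the lines of "Fork protection not used by default" would tell readers of the advisory index what went wrong. The section also says only that parent and child could share the same RNG state; one sentence on what that means for an application that forks would help users judge whether the Low rating fits their deployment.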
[web] master update
The branch master has been updated via b9cdda6cdbe4e87b1e2db37b23cddaca5fb7da9a (commit) from e6ce68d75408edac4a22e85dc3af43444bc7fefc (commit) - Log - commit b9cdda6cdbe4e87b1e2db37b23cddaca5fb7da9a Author: Matt Caswell Date: Wed Jul 31 09:38:46 2019 +0100 Correct typo in security advisory Reviewed-by: Paul Dale (Merged from https://github.com/openssl/web/pull/135) --- Summary of changes: news/secadv/20190730.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/news/secadv/20190730.txt b/news/secadv/20190730.txt index 0714a04..cff9b85 100644 --- a/news/secadv/20190730.txt +++ b/news/secadv/20190730.txt @@ -42,7 +42,7 @@ The 1.1.1 and 1.1.0 mitigation set more appropriate defaults for mingw, while the 1.0.2 mitigation documents the issue and provides enhanced examples. -This issue was reported by Rich Mirth. The fix was developed by +This issue was reported by Rich Mirch. The fix was developed by Richard Levitte from the OpenSSL development team. It was reported to OpenSSL on 9th Jun 2019.
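Review bot: The reporter credit is corrected only in news/secadv/20190730.txt. The commit that introduced this advisory also added the issue to news/vulnerabilities.xml, so check whether the credit is spelt the same way there and, if so, fix it in the same change.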
[web] master update
The branch master has been updated via e6ce68d75408edac4a22e85dc3af43444bc7fefc (commit) from e784301605e11bb68c60d0f8c8e0c0ce5520eb17 (commit) - Log - commit e6ce68d75408edac4a22e85dc3af43444bc7fefc Author: Richard Levitte Date: Tue Jul 30 15:20:38 2019 +0200 CVE-2019-1552 security advisory Reviewed-by: Mark J. Cox Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/134) --- Summary of changes: news/newsflash.txt | 1 + news/secadv/20190730.txt | 68 +++ news/vulnerabilities.xml | 83 +++- 3 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20190730.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 7a47756..491bee5 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +30-Jul-2019: Security Advisory: one low severity fix in Windows builds 28-May-2019: OpenSSL 1.1.1c is now available, including bug and security fixes 28-May-2019: OpenSSL 1.1.0k is now available, including bug and security fixes 28-May-2019: OpenSSL 1.0.2s is now available, including bug fixes diff --git a/news/secadv/20190730.txt b/news/secadv/20190730.txt new file mode 100644 index 000..0714a04 --- /dev/null +++ b/news/secadv/20190730.txt 
@@ -0,0 +1,68 @@ +OpenSSL Security Advisory [30 July 2019] + + +Windows builds with insecure path defaults (CVE-2019-1552) +== + +Severity: Low + +OpenSSL has internal defaults for a directory tree where it can find a +configuration file as well as certificates used for verification in +TLS. This directory is most commonly referred to as OPENSSLDIR, and +is configurable with the --prefix / --openssldir configuration options. + +For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets +assume that resulting programs and libraries are installed in a +Unix-like environment and the default prefix for program installation +as well as for OPENSSLDIR should be '/usr/local'. + +However, mingw programs are Windows programs, and as such, find +themselves looking at sub-directories of 'C:/usr/local', which may be +world writable, which enables untrusted users to modify OpenSSL's +default configuration, insert CA certificates, modify (or even +replace) existing engine modules, etc. + +For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR +on all Unix and Windows targets, including Visual C builds. However, +some build instructions for the diverse Windows targets on 1.0.2 +encourage you to specify your own --prefix. + +OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. +Due to the limited scope of affected deployments this has been +assessed as low severity and therefore we are not creating new +releases at this time. + +The mitigations are found in these commits: +- For 1.1.1, commit 54aa9d51b09d67e90db443f682cface795f5af9e +- For 1.1.0, commit e32bc855a81a2d48d215c506bdeb4f598045f7e9 and + b15a19c148384e73338aa7c5b12652138e35ed28 +- For 1.0.2, commit d333ebaf9c77332754a9d5e111e2f53e1de54fdd + +The 1.1.1 and 1.1.0 mitigation set more appropriate defaults for +mingw, while the 1.0.2 mitigation documents the issue and provides +enhanced examples. + +This issue was reported by Rich Mirth. 
The fix was developed by +Richard Levitte from the OpenSSL development team. It was reported to +OpenSSL on 9th Jun 2019. + +Note += + +OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. +Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0 +will end on 11th September 2019. Users of these versions should +upgrade to OpenSSL 1.1.1. + + +Referenses +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20190730.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index f9949ce..e66f6d8 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,88 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Insecure defaults +Windows builds with insecure path defaults + + OpenSSL has internal defaults for a directory tree where it can find a +
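Review bot: In the new 20190730.txt the final section heading is added as "Referenses" and should read "References"; "The 1.1.1 and 1.1.0 mitigation set" should likewise be "mitigations set". Since the advisory states that no new releases are being made, it would also help to tell users of existing mingw builds what to do in the meantime: rebuild with an explicit --prefix / --openssldir, and check who can write to C:/usr/local. Running openssl version -d prints the OPENSSLDIR a given build was configured with, which is worth mentioning so users can check their own installation.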
[web] master update
The branch master has been updated via e784301605e11bb68c60d0f8c8e0c0ce5520eb17 (commit) from 3b00096bd14d8a86ec486dcb132fe3055fc170df (commit) - Log - commit e784301605e11bb68c60d0f8c8e0c0ce5520eb17 Author: Pauli Date: Mon Jul 8 07:47:18 2019 +1000 Include description of a trivial commit. Trivial submissions are mentioned but not defined. --- Summary of changes: policies/cla.html| 23 --- policies/committers.html | 6 +++--- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/policies/cla.html b/policies/cla.html index efe0445..51876e4 100644 --- a/policies/cla.html +++ b/policies/cla.html @@ -12,7 +12,7 @@ Contributor Agreements -Every non-trival contribution to be +Every non-trivial contribution to be covered by a signed Contributor License Agreement (CLA). We have modelled our policy based on the practice of @@ -31,10 +31,27 @@ the terms under which intellectual property has been contributed to OpenSSL and thereby allow us to defend the project should there be a legal dispute regarding the software at some future - time. + time. + + + + A submission is trivial if it is considered trivial under copyright + law. Since we are not lawyers, we place the bar for trivial + contributions very high. For example: corrections of grammatical or + typographical errors (including misspelled function names in manual + pages), simple whitespace changes and in some cases one-line + bugfixes might be accepted as trivial without requiring a CLA. + + + + In practice, it is required that the author (in the git commit + message) and all approving team members (in the pull request thread) + agree that a change is trivial. The reviewers will normally post + a statement to the effect of "I agree that it is a trivial change." + - Please make sure that the email + When filling in the CLA, please make sure that the email address matches the one that you use for the "Author" in your git commits. List multiple email addresses if necessary. 
diff --git a/policies/committers.html b/policies/committers.html index 80e31c8..46e2b74 100644 --- a/policies/committers.html +++ b/policies/committers.html @@ -123,9 +123,9 @@ A note on CLAs All authors, including committers, must have current CLAs on file. A CLA is not required for trivial contributions (e.g. the - fix of a spelling mistake). If all reviewers as well as the - original author agree that the submission is trivial, the commit - text should include "CLA: trivial." + fix of a spelling mistake). Refer to the + CLA page for further details. +
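Review bot: The policies/committers.html hunk removes the sentence saying the commit text should include "CLA: trivial.", and the new paragraphs in policies/cla.html only say that the author agrees "in the git commit message" without giving the exact wording. State the literal marker in cla.html, so contributors know what to write and any tooling that checks commits has a fixed string to match. The quoted reviewer statement ("I agree that it is a trivial change.") is given verbatim, so the author's side should be too.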
[web] master update
The branch master has been updated via 3b00096bd14d8a86ec486dcb132fe3055fc170df (commit) from dd74209e0beb5fdcb99aa967aec90b1d9b95c322 (commit) - Log - commit 3b00096bd14d8a86ec486dcb132fe3055fc170df Author: Richard Levitte Date: Sat Jun 22 09:44:24 2019 +0200 When producing HTML man-pages, include the original base name For OpenSSL 1.1.0 and on, this isn't relevant any more, since all pod names should be one of the names in the NAME section. However, 1.0.2 pages were written differently, and people still refer to the original base name to look up documentation. Fixes openssl/openssl#9189 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/132) --- Summary of changes: bin/mk-manpages | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/bin/mk-manpages b/bin/mk-manpages index efc95b1..6b57ead 100755 --- a/bin/mk-manpages +++ b/bin/mk-manpages @@ -64,9 +64,17 @@ sub main { print $fh $out or $class->die("Can't print $outinc: $!"); close($fh) or $class->die("Can't close $outinc: $!"); -foreach my $htmlname ( -map { (my $x = $_) =~ s|/|-|g; $x } -@{$data{names}}) { +my @htmlnames = +map { (my $x = $_) =~ s|/|-|g; $x } @{$data{names}}; +# Older OpenSSL pods have file names that do not correspond +# to any of the names in the NAME section. +# Strictly speaking, we shouldn't use that name, but HTML +# pages with that name have been produced in the past, so +# we keep doing so as long as it's relevant. +if (! grep { $_ eq $origbase } @htmlnames) { +push @htmlnames, $origbase; +} +foreach my $htmlname (@htmlnames) { my $htmlfile = File::Spec->catdir( "man$data{sectnum}", "$htmlname.html" ); my $outhtml = File::Spec->catfile( $wwwdir, $htmlfile );
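Review bot: The fallback that pushes $origbase onto @htmlnames runs for every release, while the new comment and the commit message both say it is only relevant for older pods such as 1.0.2. For 1.1.0 and later, a pod file name that is missing from its NAME section is a documentation error, and this branch now hides it by quietly producing a page. Consider printing a warning when the branch is taken, or limiting it to the releases that need it.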
[web] master update
The branch master has been updated via dd74209e0beb5fdcb99aa967aec90b1d9b95c322 (commit) from 70aec4f068ead8d76605508b1eb6b104bf616f0f (commit) - Log - commit dd74209e0beb5fdcb99aa967aec90b1d9b95c322 Author: Matt Caswell Date: Wed Jun 5 17:28:17 2019 +0100 Update the copyright date in the licence file Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/131) --- Summary of changes: source/license-openssl-ssleay.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/license-openssl-ssleay.txt b/source/license-openssl-ssleay.txt index 0511f2e..9601ab4 100644 --- a/source/license-openssl-ssleay.txt +++ b/source/license-openssl-ssleay.txt @@ -10,7 +10,7 @@ --- /* - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions
[web] master update
The branch master has been updated via 70aec4f068ead8d76605508b1eb6b104bf616f0f (commit) from b506b4fae6ec2661f12c2ae522c83c2f4fc051b3 (commit) - Log - commit 70aec4f068ead8d76605508b1eb6b104bf616f0f Author: Richard Levitte Date: Tue May 28 15:39:56 2019 +0200 Updates for releases 1.0.2s, 1.1.0k and 1.1.1c Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/129) --- Summary of changes: news/newsflash.txt | 3 +++ news/vulnerabilities.xml | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/news/newsflash.txt b/news/newsflash.txt index 1346f6e..7a47756 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,9 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +28-May-2019: OpenSSL 1.1.1c is now available, including bug and security fixes +28-May-2019: OpenSSL 1.1.0k is now available, including bug and security fixes +28-May-2019: OpenSSL 1.0.2s is now available, including bug fixes 06-Mar-2019: Security Advisory: one low severity fix in ChaCha20-Poly1305 26-Feb-2019: OpenSSL 1.1.1b is now available, including bug fixes 26-Feb-2019: OpenSSL 1.0.2r is now available, including bug and security fixes diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 00518fb..f9949ce 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,7 @@ - + @@ -25,10 +25,10 @@ - + - + Nonce Reuse
[web] master update
The branch master has been updated via b506b4fae6ec2661f12c2ae522c83c2f4fc051b3 (commit) via 947d03ee10750815f8cf7a2e597dfb6441857295 (commit) from 5ea7530ac9bea4482635ec821e5babff35aec8c7 (commit) - Log - commit b506b4fae6ec2661f12c2ae522c83c2f4fc051b3 Author: Kurt Roeckx Date: Sat Dec 8 20:12:01 2018 +0100 Update security policy commit 947d03ee10750815f8cf7a2e597dfb6441857295 Author: Mark J. Cox Date: Thu Nov 29 15:27:27 2018 + Discussed at the OMC face to face that we should make it clear what things we consider in and out of scope of being OpenSSL vulnerabilities and therefore what we will assign a CVE for --- Summary of changes: policies/secpolicy.html | 45 ++--- 1 file changed, 34 insertions(+), 11 deletions(-) diff --git a/policies/secpolicy.html b/policies/secpolicy.html index 3a298d4..d54fcc6 100644 --- a/policies/secpolicy.html +++ b/policies/secpolicy.html @@ -12,7 +12,7 @@ Security Policy - Last modified 16th May 2018 + Last modified 12th May 2019 @@ -21,11 +21,11 @@ If you wish to report a possible security issue in OpenSSL -please notify us. +please notify us. Issue triage - + Notifications are received by a group of OpenSSL Management Committee members. We engage resources within 
@@ -38,12 +38,35 @@ + Threat Model + +Certain threats are currently considered outside of the scope of the OpenSSL threat model. + Accordingly, we do not consider OpenSSL secure against the following classes of attacks: + +same physical system side channel +CPU/hardware flaws +physical fault injection +physical observation side channels (e.g. power consumption, EM emissions, etc) + + + Mitigations for security issues outside of our threat scope may + still be addressed, however we do not class these as OpenSSL vulnerabilities + and will therefore not issue CVEs for any mitigations to address these issues. + + We are working towards making the same physical system side + channel attacks very hard. + + Prior to the threat model being included in this policy, CVEs + were sometimes issued for these classes of attacks. The + existence of a previous CVE does not override this policy going + forward. + Issue severity We will determine the risk of each issue, taking into account our experience dealing with past issues, versions affected, common defaults, and use cases. - We use the following severity categories: +We use the following severity categories: CRITICAL Severity. @@ -51,8 +74,8 @@ be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to - compromise server private keys (excluding local, theoretical or - difficult to exploit side channel attacks) or where remote code + compromise server private keys + or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as 
@@ -67,7 +90,7 @@ versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control - + MODERATE Severity. This includes issues like crashes in client applications, @@ -75,12 +98,12 @@ and local flaws. These will in general be kept private until the next release, and that release will be scheduled so that it can roll up several such flaws at one time. - + LOW Severity. This includes issues such as those that only affect the - openssl command line utility, unlikely configurations, or hard - to exploit timing (side channel) attacks. These will in general + openssl command line utility, or unlikely configurations. + These will in general be fixed immediately in latest development versions, a
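Review bot: The LOW hunk drops "hard to exploit timing (side channel) attacks" and the CRITICAL hunk drops the side channel exclusion, but the new Threat Model list only rules out same physical system side channels and physical observation side channels. Remote timing side channels therefore stay in scope while no severity category mentions them any more. Add a sentence saying how such issues are rated, so the severity of a future remote timing report does not have to be argued from the removed wording.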
[web] master update
The branch master has been updated via 5ea7530ac9bea4482635ec821e5babff35aec8c7 (commit) from 76edf555401fd18e31b6968edee6b2bb46391edd (commit) - Log - commit 5ea7530ac9bea4482635ec821e5babff35aec8c7 Author: Richard Levitte Date: Mon May 6 09:56:19 2019 +0200 Update of 3.0.0 design: addition of a provider context This change gives providers the opportunity to create a context for the execution of the operations and algorithms it provides. The idea is that OSSL_provider_init() will create that context, and the teardown function will destroy it, and libcrypto is simply responsible for saving away the pointer to the context and pass it down to appropriate provider side functions (typically the constructors of operation specific contexts). Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/128) --- Summary of changes: docs/OpenSSL300Design.md | 30 +- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/docs/OpenSSL300Design.md b/docs/OpenSSL300Design.md index 83e718c..e552692 100644 --- a/docs/OpenSSL300Design.md +++ b/docs/OpenSSL300Design.md @@ -710,7 +710,8 @@ A provider module _must_ have the following well known entry point: ``` C int OSSL_provider_init(const OSSL_PROVIDER *provider, const OSSL_DISPATCH *in, - const OSSL_DISPATCH **out); + const OSSL_DISPATCH **out + void **provider_ctx); ``` If the entry point does not exist in the dynamically loaded object, 
@@ -721,6 +722,11 @@ then it is not a valid module and loading it will fail. `out` is an array of provider functions that the provider passes back to the Core. +`provider_ctx` (may be shortened to `provctx` elsewhere in this +document) is an object optionally created by the provider for its own +use (storing data it needs to keep around safely). This pointer will +be passed back to appropriate provider functions. + `provider` is a handle to a provider object belonging to the Core. This can serve as a unique provider identity which may be required in some API calls. This object will also be populated with diverse data, @@ -829,8 +835,6 @@ The `OSSL_provider_init` entry point does not register any algorithms that will be needed, but it will return at least these two callbacks to enable this process: - - 1. `OSSL_FUNC_QUERY_OPERATION`, which is used to find out what implementations of an operation are available. This must return an array of `OSSL_ALGORITHM` (see further down), which maps @@ -838,7 +842,7 @@ to enable this process: dispatch tables. This function must also be able to indicate if the resulting array may be cached by the Core or not. This is explained in further detail below. -1. `OSSL_FUNC_TEARDOWN`, which is used when the provider is unloaded. +2. `OSSL_FUNC_TEARDOWN`, which is used when the provider is unloaded. The provider register callback can only be run after the `OSSL_provider_init()` call succeeds. @@ -887,8 +891,8 @@ form of a function table. A provider will also offer a service for returning information (in the form of parameters as specified in -[Appendix 2 - Parameter Passing](#appendix-2---parameter-passing)) via a callback provided by the -provider, such as: +[Appendix 2 - Parameter Passing](#appendix-2---parameter-passing)) via +a callback provided by the provider, such as: * version number 
@@ -912,7 +916,7 @@ are required: #define OSSL_OP_DIGEST_UPDATE_FUNC 3 #define OSSL_OP_DIGEST_FINAL_FUNC 4 #define OSSL_OP_DIGEST_FREECTX_FUNC5 -typedef void *(*OSSL_OP_digest_newctx_fn)(const OSSL_PROVIDER *prov); +typedef void *(*OSSL_OP_digest_newctx_fn)(void *provctx); typedef int (*OSSL_OP_digest_init_fn)(void *ctx); typedef int (*OSSL_OP_digest_update_fn)(void *ctx, void *data, size_t len); typedef int (*OSSL_OP_digest_final_fn)(void *ctx, void *md, size_t mdsize, @@ -925,7 +929,7 @@ multi-part operations: ``` C #define OSSL_OP_DIGEST_FUNC6 -typedef int (*OSSL_OP_digest)(const OSSL_PROVIDER *prov, +typedef int (*OSSL_OP_digest)(void *provctx, const void *data, size_t len, unsigned char *md, size_t mdsize, size_t *outlen); @@ -974,8 +978,8 @@ The FIPS provider init module entry point function might look like this: ``` C -static int fips_query_operation(const OSSL_PROVIDER *provider, - int op_id, const OSSL_ALGORITHM **map) +static int fips_query_operation(void *provctx, int op_id, +const OSSL_ALGORITHM **map) { *map = NULL; switch (op_id) { @@ -991,8 +995,7 @@ static int fips_query_operation(c
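Review bot: In the OSSL_provider_init prototype hunk, the rewritten line "const OSSL_DISPATCH **out" has lost its trailing comma, so the declaration with the added "void **provider_ctx);" parameter is not valid C as it now appears in the design document. Add the comma after **out.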
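Review bot: The new provider_ctx paragraph says the object is "optionally created by the provider" but does not say what the Core passes to functions such as OSSL_OP_digest_newctx_fn(void *provctx) when the provider creates none, nor who frees the object. The commit message says the teardown function destroys it; put that in the document text as well, and state whether provctx may be NULL, since every provider-side function that now takes void *provctx has to handle that case.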
[web] master update
The branch master has been updated via 76edf555401fd18e31b6968edee6b2bb46391edd (commit) from f9256cd07bd1f33a8359540133e03d7c37afdd42 (commit) - Log - commit 76edf555401fd18e31b6968edee6b2bb46391edd Author: Dr. Matthias St. Pierre Date: Fri Mar 15 00:58:43 2019 +0100 OpenSSL300Design: fix two broken links Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/126) --- Summary of changes: docs/OpenSSL300Design.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/OpenSSL300Design.md b/docs/OpenSSL300Design.md index d30e8fe..83e718c 100644 --- a/docs/OpenSSL300Design.md +++ b/docs/OpenSSL300Design.md @@ -553,7 +553,7 @@ The OpenSSL Core and providers have to exchange data while keeping OpenSSL and provider structures opaque. All composite values will be passed as an array of items, using the public data structure defined in -[Appendix 2 - OpenSSL parameter passing](#openssl-parameter-passing). +[Appendix 2 - OpenSSL parameter passing](#appendix-2---parameter-passing). Parameters will be identified using their name (as a string) and each contains its own type and size information. @@ -2118,7 +2118,7 @@ All ASN.1 serialization/deserialization will be performed in libcrypto, with composite-value **key, parameter and signature** structures crossing the Core/provider boundary as an array of items, using the public data structure defined in -[Appendix 2 - OpenSSL parameter passing](#appendix-2---openssl-parameter-passing). +[Appendix 2 - OpenSSL parameter passing](#appendix-2---parameter-passing). The encoded digest OIDs used for **RSA PKCS #1 padding** will either be pre-generated (as was done in the old FIPS module using the SHA_DATA macro)
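Review bot: Both hunks repair the fragment to #appendix-2---parameter-passing but leave the link text as "Appendix 2 - OpenSSL parameter passing". Another link to the same target in this document reads "Appendix 2 - Parameter Passing"; use that text in these two places too, so the link text matches the heading the fragment points at.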
[web] master update
The branch master has been updated via f9256cd07bd1f33a8359540133e03d7c37afdd42 (commit) from 497e8bf4a455aa2adc495777e49ad32e133a7d34 (commit) - Log - commit f9256cd07bd1f33a8359540133e03d7c37afdd42 Author: Dr. Matthias St. Pierre Date: Fri Mar 15 01:25:06 2019 +0100 OpenSSL300Design: lighten watermark The strong DRAFT watermark is very distracting while reading and makes the eyes lose the current reading position while scrolling. Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/127) --- Summary of changes: bin/md-to-html5.tmpl.html5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/md-to-html5.tmpl.html5 b/bin/md-to-html5.tmpl.html5 index d784305..b1c597f 100644 --- a/bin/md-to-html5.tmpl.html5 +++ b/bin/md-to-html5.tmpl.html5 @@ -8,7 +8,7 @@ $endfor$
[web] master update
The branch master has been updated via 497e8bf4a455aa2adc495777e49ad32e133a7d34 (commit) from b221da5e00d3e9304664f605c132a18674a343e5 (commit) - Log - commit 497e8bf4a455aa2adc495777e49ad32e133a7d34 Author: Matt Caswell Date: Wed Mar 6 15:12:07 2019 + Website updates for CVE-2019-1543 Reviewed-by: Mark J. Cox (Merged from https://github.com/openssl/web/pull/125) --- Summary of changes: news/newsflash.txt | 1 + news/secadv/20190306.txt | 61 news/vulnerabilities.xml | 58 - 3 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20190306.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index b458dc4..1346f6e 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +06-Mar-2019: Security Advisory: one low severity fix in ChaCha20-Poly1305 26-Feb-2019: OpenSSL 1.1.1b is now available, including bug fixes 26-Feb-2019: OpenSSL 1.0.2r is now available, including bug and security fixes 11-Feb-2019: 3.0.0 Design (draft) is now available diff --git a/news/secadv/20190306.txt b/news/secadv/20190306.txt new file mode 100644 index 000..50b2744 --- /dev/null +++ b/news/secadv/20190306.txt 
@@ -0,0 +1,61 @@ +OpenSSL Security Advisory [6 March 2019] + + +ChaCha20-Poly1305 with long nonces (CVE-2019-1543) +== + +Severity: Low + +ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every +encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 +bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce +with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a +nonce to be set of up to 16 bytes. In this case only the last 12 bytes are +significant and any additional leading bytes are ignored. + +It is a requirement of using this cipher that nonce values are unique. Messages +encrypted using a reused nonce value are susceptible to serious confidentiality +and integrity attacks. If an application changes the default nonce length to be +longer than 12 bytes and then makes a change to the leading bytes of the nonce +expecting the new value to be a new unique nonce then such an application could +inadvertently encrypt messages with a reused nonce. + +Additionally the ignored bytes in a long nonce are not covered by the integrity +guarantee of this cipher. Any application that relies on the integrity of these +ignored leading bytes of a long nonce may be further affected. + +Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because +no such use sets such a long nonce value. However user applications that use +this cipher directly and set a non-default nonce length to be longer than 12 +bytes may be vulnerable. + +OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited +scope of affected deployments this has been assessed as low severity and +therefore we are not creating new releases at this time. The 1.1.1 mitigation +for this issue can be found in commit f426625b6a. The 1.1.0 mitigation for this +issue can be found in commit ee22257b14. + +This issue does not impact OpenSSL 1.0.2. 
+ +This issue was discovered by Joran Dirk Greef of Ronomon. The fix was developed +by Matt Caswell from the OpenSSL development team. It was reported to OpenSSL on +26th February 2019. + +Note + + +OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support +for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th +September 2019. Users of these versions should upgrade to OpenSSL 1.1.1. + +References +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20190306.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 5286f54..00518fb 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,63 @@ - + + + + + + + + + + + + + + + + + + + + + + + + +Nonce Reuse +ChaCha20-Poly1305 with long nonces + + ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every + encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 + bits (12 bytes). OpenSSL allows a variable nonce length and front pads
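Review bot: The paragraph in news/secadv/20190306.txt that announces no new releases gives users only two commit ids (f426625b6a for 1.1.1, ee22257b14 for 1.1.0) and no statement of what they should do. Suggest adding a line telling affected applications to stop setting a ChaCha20-Poly1305 nonce length above 12 bytes, plus a sentence on how the mitigation commits change behaviour for callers that still request a longer nonce. The description is also copied in full into news/vulnerabilities.xml, so any later wording change has to be made in both files.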
[web] master update
The branch master has been updated via b221da5e00d3e9304664f605c132a18674a343e5 (commit) from f6f50f59aea1b6ec6d9cf6849a1866dd1db8cb20 (commit) - Log - commit b221da5e00d3e9304664f605c132a18674a343e5 Author: Richard Levitte Date: Fri Mar 1 10:11:51 2019 +0100 Don't try to hide section numbers / links in manpages In previous times, we produced manpages in apps/, crypto/ and ssl/, and having to deal with links containing '/man{n}/' was only tedious, so we simply removed the section numbers from the L<> POD codes. Now that we've switched to regular manpage layout, removing the section numbers is not necessary any more, and also leads to incorrect links when the L<> code refers to pages in a different man section. Issue was reported on [openssl-users](https://marc.info/?l=openssl-users&m=155138532927266&w=2). Thank you Paul Smith Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/124) --- Summary of changes: bin/mk-manpages | 22 +++--- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/bin/mk-manpages b/bin/mk-manpages index bc9c793..efc95b1 100755 --- a/bin/mk-manpages +++ b/bin/mk-manpages @@ -41,7 +41,6 @@ sub main { # # release => "..."# # subdir => "..."# The original subdir -# sect=> "..."# Output section subdir # sectnum => n# Default section number # my %data = ( @@ -52,7 +51,7 @@ sub main { ); # These are for display my $podfile = File::Spec->catfile( $subdir, $ent ); -my $incfile = File::Spec->catfile( $data{sect}, +my $incfile = File::Spec->catfile( "man$data{sectnum}", "$origbase.inc" ); # These are files we're actually manipulating my $inpod = File::Spec->catfile( $srcdir, $podfile ); @@ -68,7 +67,7 @@ sub main { foreach my $htmlname ( map { (my $x = $_) =~ s|/|-|g; $x } @{$data{names}}) { -my $htmlfile = File::Spec->catdir( $data{sect}, +my $htmlfile = File::Spec->catdir( "man$data{sectnum}", "$htmlname.html" ); my $outhtml = File::Spec->catfile( $wwwdir, $htmlfile ); $out = $class->genhtml( $release, $title, $origbase, 
@@ -90,7 +89,7 @@ sub genhtml { - + @@ -111,8 +110,8 @@ sub genhtml { : Docs : Manpages : $release -: $data{sect} -: $htmlbase +: man$data{sectnum} +: $htmlbase Sitemap @@ -145,18 +144,12 @@ sub geninc { my $infile = do { local $/; <$fh>; }; close( $fh ); -# L ==> L -$infile =~ s/L<[^|>]*\|([^>]+)>/L<$1>/g; - -# L --> L -$infile =~ s/L<([^>]+)\(\d\)>/L<$1>/g; - my $out; my $pod = Pod::Simple::XHTML->new; $pod->html_h_level(3); -$pod->perldoc_url_prefix("/docs/man$release/$data{sect}/"); +$pod->perldoc_url_prefix("/docs/man$release/man$data{sectnum}/"); $pod->perldoc_url_postfix(".html"); -$pod->man_url_prefix("/docs/man$release/$data{sect}/"); +$pod->man_url_prefix("/docs/man$release/man"); $pod->man_url_postfix(".html"); $pod->html_header(''); $pod->html_footer(''); @@ -183,7 +176,6 @@ sub getdata { s/\n/ /gm; if (/^=for comment openssl_manual_section:\s*(\d+)/) { $data{sectnum} = "$1"; -$data{sect} = "man$1"; } elsif (/^=head1\s/) { $foundname = 0;
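Review bot: In the geninc hunk, the new man_url_prefix value "/docs/man$release/man" ends without a section number or slash, while perldoc_url_prefix two lines above is given "man$data{sectnum}/", and nothing in the code explains the difference. A short comment saying that the man prefix is left open so the section taken from the L<> code can be appended, and that perldoc links always resolve to the current page's section, would stop a later reader from "fixing" the asymmetry. Since getdata no longer sets $data{sect}, it is also worth grepping for any remaining use of that key, which would now interpolate as an empty path component.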
[web] master update
The branch master has been updated via f6f50f59aea1b6ec6d9cf6849a1866dd1db8cb20 (commit) from 73fe28cd382b6b5fb3c84ec227e8dedce23c2ac4 (commit) - Log - commit f6f50f59aea1b6ec6d9cf6849a1866dd1db8cb20 Author: Richard Levitte Date: Thu Feb 28 15:54:12 2019 +0100 bin/mk-manpages: allow slashes in names The names in the NAME section may describe headers, which contain a slash for OpenSSL headers. We deal with that by converting slashes to dashes for the file names. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/123) --- Summary of changes: bin/mk-manpages | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bin/mk-manpages b/bin/mk-manpages index b756128..bc9c793 100755 --- a/bin/mk-manpages +++ b/bin/mk-manpages @@ -65,7 +65,9 @@ sub main { print $fh $out or $class->die("Can't print $outinc: $!"); close($fh) or $class->die("Can't close $outinc: $!"); -foreach my $htmlname (@{$data{names}}) { +foreach my $htmlname ( +map { (my $x = $_) =~ s|/|-|g; $x } +@{$data{names}}) { my $htmlfile = File::Spec->catdir( $data{sect}, "$htmlname.html" ); my $outhtml = File::Spec->catfile( $wwwdir, $htmlfile );
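Review bot: The map in the foreach header rewrites "/" to "-" only at this one call site and carries no comment. Any index or link built from @{$data{names}} elsewhere has to apply the same rewrite or it will point at a file that does not exist, so a small named helper, with the commit message's explanation about header names as its comment, would be safer than an inline map. Two names that differ only in "/" versus "-" would also now be written to the same .html file.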
[web] master update
The branch master has been updated via 73fe28cd382b6b5fb3c84ec227e8dedce23c2ac4 (commit) via 3926d4eec53217895bed4a0dca5394707fbccc66 (commit) via 9873de29128aab496a239d4efb6f1f2a0fad6915 (commit) via 2caab96c8e0a03e6891a67f1a02b91f3f6f94952 (commit) via ee0137412475ec26b9a9f5f60785d849c89f231f (commit) via 8bf82949d36d42eb11836202950256db99bfcc27 (commit) via ea1a835c5069fcb1bdf1126093aeba88f90ef3f7 (commit) via b654262bace5ca81b49e0fc2e62c8ad09809d77e (commit) via d69832a8f9741ef27965e1315fdf53a081457d54 (commit) via d8d36be2491589e2aae592c65fbd5de58383ea46 (commit) via af3fbdeeb010afdb9dba864aee19e18115c0e3f5 (commit) via eb90cf76b940668286deda9035faef001e771945 (commit) via 3dcc5b7ed327b993341fe3d25f62f4aba6b4a98c (commit) via b0f6bb016691f83583ef9b7cac1f29901c1e51e6 (commit) via e1b59a61f7397e2e08e572c77997e3ef6157f064 (commit) from 160ebaa336556bd42c4df6354f70cabeab77ca7c (commit) - Log - commit 73fe28cd382b6b5fb3c84ec227e8dedce23c2ac4 Author: Richard Levitte Date: Mon Feb 25 22:08:15 2019 +0100 Add commentary in the Makefile to explain what is going on Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit 3926d4eec53217895bed4a0dca5394707fbccc66 Author: Richard Levitte Date: Mon Feb 25 01:14:46 2019 +0100 Change news/openssl-notes.html.in to use Template Toolkit Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit 9873de29128aab496a239d4efb6f1f2a0fad6915 Author: Richard Levitte Date: Mon Feb 25 01:00:36 2019 +0100 Clean up .gitignore Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit 2caab96c8e0a03e6891a67f1a02b91f3f6f94952 Author: Richard Levitte Date: Mon Feb 25 00:56:11 2019 +0100 Remove redundancy: generate vulnerabilities indexes from templates Adapt Makefile accordingly Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit ee0137412475ec26b9a9f5f60785d849c89f231f Author: Richard Levitte Date: Mon Feb 25 00:36:14 2019 
+0100 Remove redundancy: generate source indexes from templates Adapt Makefile accordingly Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit 8bf82949d36d42eb11836202950256db99bfcc27 Author: Richard Levitte Date: Sun Feb 24 23:14:14 2019 +0100 Remove redundancy: remove the manpage dir cleanup from bin/mk-manpages Let the Makefile take care of it instead Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit ea1a835c5069fcb1bdf1126093aeba88f90ef3f7 Author: Richard Levitte Date: Sun Feb 24 23:13:23 2019 +0100 Remove redundancy: generate docs/manpages.html from template Change Makefile accordingly Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit b654262bace5ca81b49e0fc2e62c8ad09809d77e Author: Richard Levitte Date: Sun Feb 24 23:07:03 2019 +0100 Remove redundancy: generate all manpage indexes from templates Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit d69832a8f9741ef27965e1315fdf53a081457d54 Author: Richard Levitte Date: Sun Feb 24 14:12:54 2019 +0100 Remove redundancy: produce news/changelog.html from a template This template produces a list of links to release changelogs from a passed list of release versions. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit d8d36be2491589e2aae592c65fbd5de58383ea46 Author: Richard Levitte Date: Sun Feb 24 14:01:32 2019 +0100 Remove redundancy: add a template processing script The choice comes to using [Template Toolkit], as it's powerful, flexible, and consistent enough.
- [Template Toolkit]: http://www.template-toolkit.org/ Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit af3fbdeeb010afdb9dba864aee19e18115c0e3f5 Author: Richard Levitte Date: Sun Feb 24 13:31:57 2019 +0100 Remove redundancy: strip away hard coded release versions from scripts Adapt Makefile accordingly Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/120) commit eb90cf76b940668286deda9035faef001e771945 Author: Richard Levitte Date: Sun Feb 24 13:06:10 2019 +0100 Remove redundancy: documentation Move the processing of changelogs and notes to use SERIES, using GNU make features. This only does part of the job. A later commit will automatically create the whole documentation directory structure from templates. Reviewed-by: Matt Caswe
[web] master update
The branch master has been updated via 160ebaa336556bd42c4df6354f70cabeab77ca7c (commit) from 419c4314952ac1ad9586bb9b767447242bdfca79 (commit) - Log - commit 160ebaa336556bd42c4df6354f70cabeab77ca7c Author: Matt Caswell Date: Wed Feb 27 16:13:35 2019 + Add extended support to the support contracts page Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/web/pull/122) --- Summary of changes: support/contracts.html | 2 ++ 1 file changed, 2 insertions(+) diff --git a/support/contracts.html b/support/contracts.html index 7f35804..1b91cd1 100644 --- a/support/contracts.html +++ b/support/contracts.html @@ -41,6 +41,8 @@ US$50,000 annually A custom support contract designed to meet the needs of a specific Enterprise customer + Includes extended support for the immediately previous LTS release + beyond the public EOL date for that release Exact costs will depend on the terms of the agreed support contract The premium support plan is intended for the large enterprise
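Review bot: The two added lines in support/contracts.html promise "extended support for the immediately previous LTS release beyond the public EOL date" without saying how long that support runs or what it covers (security fixes only, or bug fixes as well). Suggest stating the scope here or linking to the release strategy page, so the public EOL dates and the contract terms cannot be read as conflicting.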
[web] master update
The branch master has been updated via 419c4314952ac1ad9586bb9b767447242bdfca79 (commit) via 1700dfb97f7690b6656018b271cdddbc5c880f26 (commit) via 9d38ec2ec727e861507a0a71df35f080f981 (commit) via 19379975053b4f59b8a57fd6f9648c94589acffc (commit) via 5977b703ae5371458c39208dd5e3ba7257ee18f1 (commit) from 4b05bbb28879460b203a4c99ed0c70c12c63a265 (commit) - Log - commit 419c4314952ac1ad9586bb9b767447242bdfca79 Author: Matt Caswell Date: Mon Feb 25 16:20:13 2019 + Update the release strategy modification date Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/82) commit 1700dfb97f7690b6656018b271cdddbc5c880f26 Author: Matt Caswell Date: Fri Sep 21 14:11:32 2018 +0100 Add a stability policy to the release strategy Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/82) commit 9d38ec2ec727e861507a0a71df35f080f981 Author: Richard Levitte Date: Sun Jan 13 00:48:43 2019 +0100 Generalise the descriptions of alpha, beta, and release criteria Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/82) commit 19379975053b4f59b8a57fd6f9648c94589acffc Author: Richard Levitte Date: Sun Jan 13 00:39:00 2019 +0100 Remove the 1.1.1 time table and add support information Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/82) commit 5977b703ae5371458c39208dd5e3ba7257ee18f1 Author: Richard Levitte Date: Sun Jan 13 00:31:36 2019 +0100 Release strategy: add text on the 3.0.0 versioning scheme Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/82) --- Summary of changes: policies/releasestrat.html | 181 ++--- 1 file changed, 122 insertions(+), 59 deletions(-) diff --git a/policies/releasestrat.html b/policies/releasestrat.html index 0bb80f5..b0d3686 100644 --- a/policies/releasestrat.html +++ b/policies/releasestrat.html 
@@ -13,34 +13,68 @@ Release Strategy First issued 23rd December 2014 - Last modified 29th May 2018 + Last modified 25th February 2019 - As of release 1.0.0 the OpenSSL versioning scheme was improved - to better meet developers' and vendors' expectations. Letter - releases, such as 1.0.2a, exclusively contain bug and security - fixes and no new features. Minor releases that change the - last digit, e.g. 1.1.0 vs. 1.1.1, can and are likely to - contain new features, but in a way that does not break binary - compatibility. This means that an application compiled and - dynamically linked with 1.1.0 does not need to be recompiled - when the shared library is updated to 1.1.1. It should be - noted that some features are transparent to the application - such as the maximum negotiated TLS version and cipher suites, - performance improvements and so on. There is no need to - recompile applications to benefit from these features. + As of release 3.0.0, the OpenSSL versioning scheme is changing + to a more contemporary format: MAJOR.MINOR.PATCH + + + + With this format, API/ABI compatibility will be guaranteed + for the same MAJOR version number. Previously we guaranteed + API/ABI compatibility across the same MAJOR.MINOR combination. + + + + MAJOR: API/ABI incompatible changes will increase this number + MINOR: API/ABI compatible feature releases will change this + PATCH: Bug fix releases will increment this number. We also +allow backporting of accessor functions in these releases. + + + + This more closely aligns with the expectations of users who are + familiar with semantic versioning. However, we have not adopted + semantic versioning in the strict sense of its rules, because it + would mean changing our current LTS policies and practices. + + + + The current 1.1.1 and 1.0.2 versioning scheme remains unchanged: + + + As of release 1.0.0 the OpenSSL versioning scheme was improved + to better meet developers' and vendors' expectations. 
Letter + releases, such as 1.0.2a, exclusively contain bug and security + fixes and no new features. Releases that change the last digit, + e.g. 1.1.0 vs. 1.1.1, can and are likely to + contain new features, but in a way that does not break binary + compatibility. This means that an application compiled
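Review bot: The new PATCH line reads "Bug fix releases will increment this number" and leaves out security fixes, whereas the retained 1.1.1/1.0.2 paragraph says letter releases "exclusively contain bug and security fixes". Suggest "PATCH: Bug and security fix releases will increment this number" so that nobody reads the 3.0.0 scheme as moving security fixes to MINOR releases. The same line allows backporting accessor functions, which adds symbols in a PATCH release; a sentence on what that means for an application built against a later PATCH and run against an earlier one would help.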
[web] master update
The branch master has been updated via 4b05bbb28879460b203a4c99ed0c70c12c63a265 (commit) from 6f4edf054e16bec8cb590de4b77c523334ebfe28 (commit) - Log - commit 4b05bbb28879460b203a4c99ed0c70c12c63a265 Author: Matt Caswell Date: Tue Feb 26 16:49:35 2019 + Clarify the advisory regarding AEAD ciphersuites Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/121) --- Summary of changes: news/secadv/20190226.txt | 4 +++- news/vulnerabilities.xml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/news/secadv/20190226.txt b/news/secadv/20190226.txt index 8a4a6dd..64cdbe2 100644 --- a/news/secadv/20190226.txt +++ b/news/secadv/20190226.txt @@ -18,7 +18,7 @@ In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do -anyway). +anyway). AEAD ciphersuites are not impacted. This issue does not impact OpenSSL 1.1.1 or 1.1.0. @@ -28,6 +28,8 @@ This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt. It was reported to OpenSSL on 10th December 2018. +Note: Advisory updated to make it clearer that AEAD ciphersuites are not impacted. + Note diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 1732db5..5286f54 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -47,7 +47,7 @@ Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do - anyway). + anyway). AEAD ciphersuites are not impacted.
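Review bot: The added line "Note: Advisory updated to make it clearer that AEAD ciphersuites are not impacted." in news/secadv/20190226.txt carries no date, so a reader comparing against a saved copy cannot tell when the text changed. Suggest dating the note. The matching edit in news/vulnerabilities.xml changes the description with no update marker at all.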
[web] master update
The branch master has been updated via 6f4edf054e16bec8cb590de4b77c523334ebfe28 (commit) from 604491061a61f0e554cdd38354df341f57ee9fc1 (commit) - Log - commit 6f4edf054e16bec8cb590de4b77c523334ebfe28 Author: Matt Caswell Date: Tue Feb 26 14:31:17 2019 + Updates for new releases Reviewed-by: Richard Levitte --- Summary of changes: news/newsflash.txt | 2 ++ news/secadv/20190226.txt | 48 news/vulnerabilities.xml | 46 +- 3 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20190226.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 5ded4d4..b458dc4 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,8 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +26-Feb-2019: OpenSSL 1.1.1b is now available, including bug fixes +26-Feb-2019: OpenSSL 1.0.2r is now available, including bug and security fixes 11-Feb-2019: 3.0.0 Design (draft) is now available 11-Feb-2019: Strategic Architecture for OpenSSL 3.0.0 and beyond is now available 20-Nov-2018: OpenSSL 1.1.1a is now available, including bug and security fixes diff --git a/news/secadv/20190226.txt b/news/secadv/20190226.txt new file mode 100644 index 000..8a4a6dd --- /dev/null +++ b/news/secadv/20190226.txt 
@@ -0,0 +1,48 @@ +OpenSSL Security Advisory [26 February 2019] + + +0-byte record padding oracle (CVE-2019-1559) + + +Severity: Moderate + +If an application encounters a fatal protocol error and then calls +SSL_shutdown() twice (once to send a close_notify, and once to receive one) then +OpenSSL can respond differently to the calling application if a 0 byte record is +received with invalid padding compared to if a 0 byte record is received with an +invalid MAC. If the application then behaves differently based on that in a way +that is detectable to the remote peer, then this amounts to a padding oracle +that could be used to decrypt data. + +In order for this to be exploitable "non-stitched" ciphersuites must be in use. +Stitched ciphersuites are optimised implementations of certain commonly used +ciphersuites. Also the application must call SSL_shutdown() twice even if a +protocol error has occurred (applications should not do this but some do +anyway). + +This issue does not impact OpenSSL 1.1.1 or 1.1.0. + +OpenSSL 1.0.2 users should upgrade to 1.0.2r. + +This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, +with additional investigation by Steven Collison and Andrew Hourselt. It was +reported to OpenSSL on 10th December 2018. + +Note + + +OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support +for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th +September 2019. Users of these versions should upgrade to OpenSSL 1.1.1. + +References +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20190226.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index d9b42bd..1732db5 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
@@ -7,7 +7,51 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + +Padding Oracle +0-byte record padding oracle + + If an application encounters a fatal protocol error and then calls + SSL_shutdown() twice (once to send a close_notify, and once to receive one) then + OpenSSL can respond differently to the calling application if a 0 byte record is + received with invalid padding compared to if a 0 byte record is received with an + invalid MAC. If the application then behaves differently based on that in a way + that is detectable to the remote peer, then this amounts to a padding oracle + that could be used to decrypt data. + + In order for this to be exploitable "non-stitched" ciphersuites must be in use. + Stitched ciphersuites are optimised implementations of certain commonly used + ciphersuites. Also the application must call SSL_shutdown() twice even if a + protocol error has occurred (applications should not do this but some do + anyway). + + + +
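Review bot: The exploitability paragraph of news/secadv/20190226.txt hinges on "non-stitched" ciphersuites being in use, but defines stitched ones only as "optimised implementations of certain commonly used ciphersuites", which does not let an operator decide whether a given server is exposed. Suggest naming the affected ciphersuite classes or the conditions under which the stitched code path is used. The affected range is also given only by implication (not 1.1.1 or 1.1.0, upgrade to 1.0.2r); an explicit affected-versions line would be clearer.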
[web] master update
The branch master has been updated via 604491061a61f0e554cdd38354df341f57ee9fc1 (commit) via 9a8296e24a0b4dc88cda33aacdab44676906f7c5 (commit) from c2804b5a37217fccddacb44e5dc2791f962759ac (commit) - Log - commit 604491061a61f0e554cdd38354df341f57ee9fc1 Author: Richard Levitte Date: Sat Feb 16 14:02:44 2019 +0100 3.0.0 design doc: /usr/share -> /usr/lib /usr/share was a bad example for storing modules Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/119) commit 9a8296e24a0b4dc88cda33aacdab44676906f7c5 Author: Richard Levitte Date: Sat Feb 16 14:02:04 2019 +0100 3.0.0 design doc: mark all code sections with a language where possible Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/119) --- Summary of changes: docs/OpenSSL300Design.md | 33 - 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/docs/OpenSSL300Design.md b/docs/OpenSSL300Design.md index 30a02eb..d30e8fe 100644 --- a/docs/OpenSSL300Design.md +++ b/docs/OpenSSL300Design.md @@ -420,7 +420,7 @@ create and provide its own library context, an internal default one will be used. -``` +``` C OPENSSL_CTX *OPENSSL_CTX_new(); void OPENSSL_CTX_free(OPENSSL_CTX *ctx); ``` @@ -707,7 +707,7 @@ entry point. A provider module _must_ have the following well known entry point: -``` +``` C int OSSL_provider_init(const OSSL_PROVIDER *provider, const OSSL_DISPATCH *in, const OSSL_DISPATCH **out); @@ -735,7 +735,7 @@ function-pointer >` tuple mentioned in the introduction of [Core and Provider Design](#core-and-provider-design): -``` +``` C typedef struct ossl_dispatch_st { int function_id; void *(*function)(); @@ -760,7 +760,7 @@ numbers. More function numbers can be added in later releases as required without breaking backwards compatibility. -``` +``` C /* Functions provided by the Core to the provider */ #define OSSL_FUNC_ERR_PUT_ERROR1 #define OSSL_FUNC_GET_PARAMS 2 
@@ -773,7 +773,7 @@ required without breaking backwards compatibility. The Core will set up an array of the well known callback functions: -``` +``` C static OSSL_DISPATCH core_callbacks[] = { { OSSL_FUNC_ERR_PUT_ERROR, ERR_put_error }, /* int ossl_get_params(OSSL_PROVIDER *prov, OSSL_PARAM params[]); */ @@ -789,7 +789,7 @@ testing, instrumentation etc as the need comes up. Once the module is loaded and the well known entry point located, the init entry point can be invoked by the Core: -``` +``` C /* * NOTE: this code is meant as a simple demonstration of what could happen * in the core. This is an area where the OSSL_PROVIDER type is not opaque. @@ -857,7 +857,7 @@ code. Operations are identified by a unique number. For example: -``` +``` C #define OSSL_OP_DIGEST 1 #define OSSL_OP_SYM_ENCRYPT2 #define OSSL_OP_SEAL 3 @@ -906,7 +906,7 @@ for init functions for other operations, those will have their own unique numbers. For example, for the digest operation, these functions are required: -``` +``` C #define OSSL_OP_DIGEST_NEWCTX_FUNC 1 #define OSSL_OP_DIGEST_INIT_FUNC 2 #define OSSL_OP_DIGEST_UPDATE_FUNC 3 @@ -923,7 +923,7 @@ typedef void (*OSSL_OP_digest_freectx_fn)(void *ctx); An all in one version is also advisable for devices that cannot handle multi-part operations: -``` +``` C #define OSSL_OP_DIGEST_FUNC6 typedef int (*OSSL_OP_digest)(const OSSL_PROVIDER *prov, const void *data, size_t len, @@ -938,7 +938,7 @@ for each operation. The algorithm descriptor was mentioned higher up, and would be publically defined like this: -``` +``` C typedef struct ossl_algorithm_st { const char *name; const char *properties; @@ -952,7 +952,7 @@ querying function such as `fips_query_operation` below returns) the FIPS module may define arrays like this for the SHA1 algorithm: -``` +``` C static OSSL_DISPATCH fips_sha1_callbacks[] = { { OSSL_OP_DIGEST_NEWCTX_FUNC, fips_sha1_newctx }, { OSSL_OP_DIGEST_INIT_FUNC, fips_sha1_init }, 
@@ -1105,8 +1105,7 @@ application to specify a non-default library context if required (`osslctx` in this example): -``` - +``` C EVP_CIPHER_CTX *ctx; EVP_CIPHER *ciph; @@ -2344,7 +2343,7 @@ There is functionality to create diverse EVP method structures in OpenSSL 1.1.x, easily found like this: -``` +``` shell grep EVP_CIPHER_meth util/libcrypto.num grep EVP_MD_meth util/libcrypto.num grep EVP_PKEY_meth util/libcrypto.num @@ -2663,7 +2662,7 @@ time. We have macros to declare the type of content in `data_type`: -``` +`
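Review bot: The info string is written with a space after the fence and as upper-case "C" in every C hunk, but as lower-case "shell" in the grep hunk. Suggest lower-case "c" for consistency, and a check that bin/md-to-html5 highlights both forms, since some highlighters match language names case-sensitively. The hunk at line 1105 also drops the blank line after the opening fence, which is unrelated to tagging and deserves a mention in the commit message.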
[web] master update
The branch master has been updated via c2804b5a37217fccddacb44e5dc2791f962759ac (commit) from d58a4110c94ead1c72693c86e1d5841620209660 (commit) - Log - commit c2804b5a37217fccddacb44e5dc2791f962759ac Author: Matt Caswell Date: Thu Feb 14 14:51:15 2019 + Remove rel=canonical from head.shtml With that line we are claiming that all our web pages are synonyms of the home page. Fixes #117 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/118) --- Summary of changes: inc/head.shtml | 1 - 1 file changed, 1 deletion(-) diff --git a/inc/head.shtml b/inc/head.shtml index 244afed..c622c8b 100644 --- a/inc/head.shtml +++ b/inc/head.shtml @@ -9,7 +9,6 @@ - https://www.openssl.org/";>
[openssl-commits] [web] master update
The branch master has been updated via d58a4110c94ead1c72693c86e1d5841620209660 (commit) from 5c98cb9a57ad617454a721aa640cb096e09b5e7b (commit) - Log - commit d58a4110c94ead1c72693c86e1d5841620209660 Author: Richard Levitte Date: Fri Feb 15 10:16:46 2019 +0100 Typo --- Summary of changes: news/newsflash.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/news/newsflash.txt b/news/newsflash.txt index d5d6e56..5ded4d4 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -5,7 +5,7 @@ # headings. URL paths must all be absolute. Date: Item 11-Feb-2019: 3.0.0 Design (draft) is now available -11-Feb-2019: Strategic Architecture for OpenSSL 3.0.0 and beyond is now available +11-Feb-2019: Strategic Architecture for OpenSSL 3.0.0 and beyond is now available 20-Nov-2018: OpenSSL 1.1.1a is now available, including bug and security fixes 20-Nov-2018: OpenSSL 1.1.0j is now available, including bug and security fixes 20-Nov-2018: OpenSSL 1.0.2q is now available, including bug and security fixes _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 5c98cb9a57ad617454a721aa640cb096e09b5e7b (commit) from f758bad1d2241ae88a3065b974313d78a8978200 (commit) - Log - commit 5c98cb9a57ad617454a721aa640cb096e09b5e7b Author: Richard Levitte Date: Mon Feb 11 23:59:21 2019 +0100 Fix CSS props for code color The 'pre' CSS is enough, we have no need for variants for 'p code', 'li code', 'p pre code' and 'li pre code'... Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/116) --- Summary of changes: inc/screen.css | 42 +- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/inc/screen.css b/inc/screen.css index 9938bcc..29b74b9 100644 --- a/inc/screen.css +++ b/inc/screen.css @@ -1084,27 +1084,27 @@ h3.filename + pre { border-top-right-radius: 0px; } -p code, li code { - display: inline-block; - white-space: no-wrap; - background: #fff; - font-size: .8em; - line-height: 1.5em; - color: #555; - border: 1px solid #ddd; - -webkit-border-radius: 0.4em; - -moz-border-radius: 0.4em; - -ms-border-radius: 0.4em; - -o-border-radius: 0.4em; - border-radius: 0.4em; - padding: 0 .3em; - margin: -1px 0; -} -p pre code, li pre code { - font-size: 1em !important; - background: none; - border: none; -} +//p code, li code { +// display: inline-block; +// white-space: no-wrap; +// background: #fff; +// font-size: .8em; +// line-height: 1.5em; +// color: #555; +// border: 1px solid #ddd; +// -webkit-border-radius: 0.4em; +// -moz-border-radius: 0.4em; +// -ms-border-radius: 0.4em; +// -o-border-radius: 0.4em; +// border-radius: 0.4em; +// padding: 0 .3em; +// margin: -1px 0; +//} +//p pre code, li pre code { +// font-size: 1em !important; +// background: none; +// border: none; +//} .pre-code, html .highlight pre, .highlight code { font-family: Menlo, Monaco, "Andale Mono", "lucida console", "Courier New", monospace !important;
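Review bot: The added lines in inc/screen.css disable the two rules with "//" prefixes, which is not CSS comment syntax; CSS only has /* ... */. The result depends on the browser's parse-error recovery treating "//p code, li code { ... //}" as one invalid rule and discarding it, and a validator or minifier run on this file may not agree. Since the commit message says the variants are not needed, delete the 21 lines, or wrap them in a single /* ... */ block if they are kept for reference. Separately, the disabled text contains "white-space: no-wrap", which is not a valid value; the keyword is "nowrap".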
[openssl-commits] [web] master update
The branch master has been updated via f758bad1d2241ae88a3065b974313d78a8978200 (commit) from 2377ab72410b9c117e9a88cecbad83c6a2827220 (commit) - Log - commit f758bad1d2241ae88a3065b974313d78a8978200 Author: Richard Levitte Date: Mon Feb 11 22:41:12 2019 +0100 Stray 'q' begone! Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/115) --- Summary of changes: docs/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.html b/docs/index.html index 1279b6d..a0297d0 100644 --- a/docs/index.html +++ b/docs/index.html @@ -46,7 +46,7 @@ It is highly recommended. -q + You are here: Home : Documentation Sitemap
[openssl-commits] [web] master update
The branch master has been updated via 2377ab72410b9c117e9a88cecbad83c6a2827220 (commit) via e9ab2edffc56f8a840347ef7c35cc55cc6879744 (commit) from e56baa71b5cc8028e08e8a3027ea9ecf3f27dbd0 (commit) - Log - commit 2377ab72410b9c117e9a88cecbad83c6a2827220 Author: Richard Levitte Date: Mon Feb 11 20:49:51 2019 +0100 Make a general rule for converting markdown to html5 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/114) commit e9ab2edffc56f8a840347ef7c35cc55cc6879744 Author: Richard Levitte Date: Mon Feb 11 20:49:13 2019 +0100 Publish the Strategic Architecture and 3.0.0 Design (draft) documents Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/114) --- Summary of changes: Makefile | 13 ++--- docs/index.html| 11 ++- news/newsflash.txt | 2 ++ 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index a8dbae6..37ffb75 100644 --- a/Makefile +++ b/Makefile @@ -43,6 +43,12 @@ SRCLISTS = \ source/old/fips/index.inc \ +.SUFFIXES: .md .html + +.md.html: + @rm -f $@ + ./bin/md-to-html5 $< + all: suball manmaster mancross suball: $(SIMPLE) $(SRCLISTS) @@ -108,13 +114,6 @@ docs/fips.inc: $(wildcard docs/fips/*) bin/mk-filelist @rm -f $@ ./bin/mk-filelist docs/fips fips/ '*' >$@ -docs/OpenSSLStrategicArchitecture.html: docs/OpenSSLStrategicArchitecture.md - @rm -f $@ - ./bin/md-to-html5 $< -docs/OpenSSL300Design.html: docs/OpenSSL300Design.md - @rm -f $@ - ./bin/md-to-html5 $< - news/changelog.inc: news/changelog.txt bin/mk-changelog @rm -f $@ ./bin/mk-changelog $@ diff --git a/docs/index.html b/docs/index.html index 7fcbc9a..1279b6d 100644 --- a/docs/index.html +++ b/docs/index.html @@ -11,6 +11,15 @@ Documentation + + We have a + Strategic + Architecture for the development of OpenSSL from + 3.0.0 and going forward, as well as a + design for 3.0.0 (draft) + specifically. + + The frequently-asked questions (FAQ) is available. So is an incomplete list of 
@@ -37,7 +46,7 @@ It is highly recommended. - +q You are here: Home : Documentation Sitemap diff --git a/news/newsflash.txt b/news/newsflash.txt index 07229f2..d5d6e56 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,8 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +11-Feb-2019: 3.0.0 Design (draft) is now available +11-Feb-2019: Strategic Architecture for OpenSSL 3.0.0 and beyond is now available 20-Nov-2018: OpenSSL 1.1.1a is now available, including bug and security fixes 20-Nov-2018: OpenSSL 1.1.0j is now available, including bug and security fixes 20-Nov-2018: OpenSSL 1.0.2q is now available, including bug and security fixes _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
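Review bot: In the second docs/index.html hunk (`@@ -37,7 +46,7 @@`), the added line carries a stray `q` just before the "You are here: Home : Documentation" breadcrumb. Neither commit message mentions a change at that spot, so it looks like an editor slip that is likely to show up in the rendered page. Drop the character so this hunk disappears from the patch.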
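Review bot: In the Makefile hunk at `@@ -43,6 +43,12 @@`, the new `.md.html` suffix rule has no dependency on `./bin/md-to-html5`, whereas the neighbouring rules visible in this patch list their generator as a prerequisite (`bin/mk-filelist` for docs/fips.inc, `bin/mk-changelog` for news/changelog.inc). A change to the converter will therefore not rebuild the HTML. Suffix rules cannot carry extra prerequisites; since the file already relies on GNU make (`$(wildcard ...)`), a pattern rule such as `%.html: %.md bin/md-to-html5` would keep the general rule and add that dependency.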
[openssl-commits] [web] master update
The branch master has been updated via 86790fc138e335918125ccd51941958785e840d5 (commit) via b36b544b878c13b91109743220590fa7e9af5508 (commit) from 1763c4db685b43c58b33d2ace0435da1a067ba24 (commit) - Log - commit 86790fc138e335918125ccd51941958785e840d5 Author: Richard Levitte Date: Tue Jan 29 14:10:00 2019 +0100 Add the OpenSSL Strategic Architecture document Includes notes on how to convert documents from Google Docs to Markdown. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/110) commit b36b544b878c13b91109743220590fa7e9af5508 Author: Richard Levitte Date: Wed Jan 30 13:50:48 2019 +0100 bin/md-to-html5: change output directory The output directory should be the same as for the input file Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/111) --- Summary of changes: Makefile | 5 + bin/md-to-html5 | 6 +- docs/OpenSSLStrategicArchitecture.md | 290 +++ docs/README.googledocs.md| 77 ++ docs/images/AsIsComponent.png| Bin 0 -> 52562 bytes docs/images/AsIsPackaging.png| Bin 0 -> 36348 bytes docs/images/ToBeComponent.png| Bin 0 -> 73449 bytes docs/images/ToBePackaging.png| Bin 0 -> 65063 bytes 8 files changed, 375 insertions(+), 3 deletions(-) create mode 100644 docs/OpenSSLStrategicArchitecture.md create mode 100644 docs/README.googledocs.md create mode 100644 docs/images/AsIsComponent.png create mode 100644 docs/images/AsIsPackaging.png create mode 100644 docs/images/ToBeComponent.png create mode 100644 docs/images/ToBePackaging.png diff --git a/Makefile b/Makefile index d1a8651..f799e85 100644 --- a/Makefile +++ b/Makefile @@ -14,6 +14,7 @@ SIMPLE = newsflash.inc sitemap.txt \ community/committers.inc \ community/omc.inc community/omc-alumni.inc \ docs/faq.inc docs/fips.inc \ +docs/OpenSSLStrategicArchitecture.html \ news/changelog.inc news/changelog.txt \ news/cl102.txt news/cl110.txt news/cl111.txt \ news/openssl-1.0.2-notes.inc \ 
@@ -106,6 +107,10 @@ docs/fips.inc: $(wildcard docs/fips/*) bin/mk-filelist @rm -f $@ ./bin/mk-filelist docs/fips fips/ '*' >$@ +docs/OpenSSLStrategicArchitecture.html: docs/OpenSSLStrategicArchitecture.md + @rm -f $@ + ./bin/md-to-html5 $< + news/changelog.inc: news/changelog.txt bin/mk-changelog @rm -f $@ ./bin/mk-changelog $@ diff --git a/bin/md-to-html5 b/bin/md-to-html5 index 7bb815b..08aac34 100755 --- a/bin/md-to-html5 +++ b/bin/md-to-html5 @@ -4,12 +4,12 @@ template="$0.tmpl.html5" for f in "$@"; do b=`basename "$f" .md` +d=`dirname "$f"` if [ "$f" != "$b" ]; then - bns=`echo "$b" | sed -e 's| *||g'` - t=`dirname "$b"`.tmpl.html5 + t="$d/$b.tmpl.html5" if [ ! -f "$t" ]; then t="$template" fi - pandoc -t html5 --template="$t" "$f" > "$bns.html" + pandoc -t html5 --template="$t" "$f" > "$d/$b.html" fi done diff --git a/docs/OpenSSLStrategicArchitecture.md b/docs/OpenSSLStrategicArchitecture.md new file mode 100644 index 000..ecc8fd1 --- /dev/null +++ b/docs/OpenSSLStrategicArchitecture.md 
@@ -0,0 +1,290 @@ +--- +title: OpenSSL Strategic Architecture +author: OpenSSL Management Committee (OMC) +date: January, 2019 +--- +## Introduction + +This document outlines the OpenSSL strategic architecture. It will take +multiple releases, starting from 3.0.0, to move the architecture from +the current "as-is" (1.1.1), to the future "to-be" architecture. + +Numerous changes are anticipated in the to-be architecture. A migration +path for handling the eventual transition will be provided. The OpenSSL +3.0.0 release will have minimal impact to the vast majority of existing +applications, almost all well-behaved applications will just need to be +recompiled. + +The current functionality provided by the engine interface will be +replaced over time via a provider interface. OpenSSL 3.0.0 will continue +to support engines. The to-be architecture will not be fully realised +until OpenSSL 4.0.0 at the earliest. + +## As-is architecture + +Currently, OpenSSL is split into four principal components: + +1. libcrypto. This is the core library for providing implementations of +numerous cryptographic primitives. In addition it provides a set of +supporting services which are used by libssl and libcrypto, as well +as implementations of protocols such as CMS and OCSP. + +2. Engine. The functionality of libcrypto can be extended through the +Engine API. + +Typically engines are dynamically loadable modules that are registered +with libcrypto and use the availabl
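Review bot: In the bin/md-to-html5 hunk, the unchanged guard `if [ "$f" != "$b" ]` stops doing its job once arguments with a directory part are passed in, which is the case this change is written for. `b` is the basename with `.md` stripped, so for an argument like `docs/foo.txt` the test is true, pandoc is run on it and the output goes to `docs/foo.txt.html`. Compare against the basename instead, for example `[ "$(basename "$f")" != "$b" ]`, so that only arguments ending in `.md` are converted. A comment at the top of the script saying that output now lands beside the input file would also help, since the Makefile rule added in the same push depends on it.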
[openssl-commits] [web] master update
The branch master has been updated via 1763c4db685b43c58b33d2ace0435da1a067ba24 (commit) via 8e80d7699c38ef890cc62da9fd713bcfc49152db (commit) via 98d1be0a1bcd7ae582753e54b523faf6b4bd1360 (commit) from 04c0cb565a81ed4357722dcce70c50b3575e2863 (commit) - Log - commit 1763c4db685b43c58b33d2ace0435da1a067ba24 Author: Richard Levitte Date: Tue Jan 29 22:21:39 2019 +0100 bin/mk-mancross: new manpage cross reference script Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/107) commit 8e80d7699c38ef890cc62da9fd713bcfc49152db Author: Richard Levitte Date: Tue Jan 29 21:33:30 2019 +0100 bin/mk-manpages: refactor to allow cross references between releases So far, we created one HTML file for each POD file, and then made hard links to it for other names that are in the POD file's NAMES section. However, this came with the assumption that cross referencing between releases would work simply by linking to the same name on other releases. This, however, did not take into account that manuals in newer releases don't necessarily exist in older releases, or that some files may have changed names. Names in NAMES sections are, however, fairly constant, and are therefore much safer to link to. At the same time, it's safe to say that if a particular name doesn't exist in some other releases, there should simply not be a link. A conclusion to draw from is that cross referencing must be made on a per NAMES section name basis, rather than on POD file name basis. To allow this to happen and still not have to rewrite the same Pod2Html result for every name in a specific POD file's NAMES section, the structure of the rendered man pages is changed to this: - POD files are rendered into a .inc file with the exact same basename as the POD file. - For every name in the NAMES section, an HTML file is created. It contains the standard header and footer stuff, and includes the generated .inc file in the middle. 
It also includes a .cross file with the same basename as the HTML file as part of the sidebar. In another commit, there will be a script for cross referencing, which will generate the .cross files mentioned above. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/107) commit 98d1be0a1bcd7ae582753e54b523faf6b4bd1360 Author: Richard Levitte Date: Thu Jan 3 16:37:24 2019 +0100 Handle document sectioning correctly Gone are the apps/, crypto/ and ssl/ directories. We move to a Unix manpage structure for older releases as well as new ones. With that, there's no more need for a separate bin/mk-newmanpages, bin/mk-manpages can handle both the old and the new POD directory structure. For a document tree that previously had apps/, crypto/ and ssl/, we provide a .htaccess that accepts the old URLs and maps them correctly to man1/ or man3/. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/107) --- Summary of changes: .gitignore | 1 + Makefile | 26 +- bin/mk-mancross | 54 bin/mk-manmap| 27 ++ bin/mk-manpages | 300 ++--- bin/mk-newmanpages | 315 --- docs/man1.0.2/crypto/index.html | 43 docs/man1.0.2/index.html | 7 +- docs/{man1.1.0/apps => man1.0.2/man1}/index.html | 5 +- docs/{man1.1.0/ssl => man1.0.2/man3}/index.html | 17 +- docs/{man1.1.1/man7 => man1.0.2/man5}/index.html | 8 +- docs/{man1.1.1 => man1.0.2}/man7/index.html | 8 +- docs/man1.1.0/crypto/index.html | 43 docs/man1.1.0/index.html | 7 +- docs/{man1.0.2/apps => man1.1.0/man1}/index.html | 4 +- docs/{man1.0.2/ssl => man1.1.0/man3}/index.html | 16 +- docs/{man1.1.1/man7 => man1.1.0/man5}/index.html | 8 +- docs/{man1.1.1/man1 => man1.1.0/man7}/index.html | 5 +- docs/man1.1.1/man3/index.html| 6 + docs/manmaster/man3/index.html | 6 + 20 files changed, 306 insertions(+), 600 deletions(-) create mode 100755 bin/mk-mancross create mode 100755 bin/mk-manmap delete mode 100755 bin/mk-newmanpages delete mode 100644 docs/man1.0.2/crypto/index.html rename docs/{man1.1.0/apps => 
man1.0.2/man1}/index.html (91%) rename docs/{man1.1.0/ssl => man1.0.2/man3}/index.html (68%) copy docs/{man1.1.1/man7 => man1.0.2/man5}/index.html (83%) copy docs/{man1.1.1 => man1.0.2}
[openssl-commits] [web] master update
The branch master has been updated via 04c0cb565a81ed4357722dcce70c50b3575e2863 (commit) from 895ee9dcaa50a72637b907dd3ab62723e23863f9 (commit) - Log - commit 04c0cb565a81ed4357722dcce70c50b3575e2863 Author: Richard Levitte Date: Tue Jan 29 13:29:23 2019 +0100 mk-apropos: don't include non-manpage files mk-apropos looks at all HTML files in a given directory, but failed to recognise files that aren't rendered manpage, such as index.html. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/109) --- Summary of changes: bin/mk-apropos | 5 + 1 file changed, 5 insertions(+) diff --git a/bin/mk-apropos b/bin/mk-apropos index a9dd5b6..64899a4 100755 --- a/bin/mk-apropos +++ b/bin/mk-apropos @@ -6,6 +6,11 @@ cd $dir for m in `find . -name '*.html' | sort`; do description=`grep -F '||'` +# If there isn't a description, it isn't a manpage and should not be +# included +if [ "$description" = "" ]; then + continue +fi manfile=`echo $m | sed -e 's|\./||'` manname=`basename $manfile .html` origmanfile=`echo $manfile | sed -e "s|^$subdir|$origsubdir|"` _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
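Review bot: The added `if [ "$description" = "" ]` check skips the file silently, so a rendered manpage that is merely missing its description comment drops out of the index with no trace, exactly as index.html does. Print the skipped name to stderr (or exclude index.html by name) so a genuinely broken page is noticed at build time. `[ -z "$description" ]` is also the more usual spelling of the test.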
[openssl-commits] [web] master update
The branch master has been updated via 895ee9dcaa50a72637b907dd3ab62723e23863f9 (commit) from 8557dd2bb3cebee18ec35347250271322b09d5da (commit) - Log - commit 895ee9dcaa50a72637b907dd3ab62723e23863f9 Author: Richard Levitte Date: Tue Jan 29 12:43:41 2019 +0100 Markdown to OpenSSL HTML5 pages Markdown is a popular format for text files, and some documents are easier to read in this form than in HTML. For future purposes, this is the scripts we need to process markdown files into HTML5. This script is based on pandoc, which is a pretty good translator between a range of different document formats. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/108) --- Summary of changes: bin/md-to-html5| 15 +++ bin/md-to-html5.tmpl.html5 | 34 ++ 2 files changed, 49 insertions(+) create mode 100755 bin/md-to-html5 create mode 100644 bin/md-to-html5.tmpl.html5 diff --git a/bin/md-to-html5 b/bin/md-to-html5 new file mode 100755 index 000..7bb815b --- /dev/null +++ b/bin/md-to-html5 @@ -0,0 +1,15 @@ +#! /bin/sh + +template="$0.tmpl.html5" + +for f in "$@"; do +b=`basename "$f" .md` +if [ "$f" != "$b" ]; then + bns=`echo "$b" | sed -e 's| *||g'` + t=`dirname "$b"`.tmpl.html5 + if [ ! -f "$t" ]; then + t="$template" + fi + pandoc -t html5 --template="$t" "$f" > "$bns.html" +fi +done diff --git a/bin/md-to-html5.tmpl.html5 b/bin/md-to-html5.tmpl.html5 new file mode 100644 index 000..b1fbe38 --- /dev/null +++ b/bin/md-to-html5.tmpl.html5 @@ -0,0 +1,34 @@ + + + + + + + + + + + +$if(title)$ + +$title$ +$if(subtitle)$ +$subtitle$ +$endif$ +$for(author)$ +$author$ +$endfor$ +$if(date)$ +$date$ +$endif$ + +$endif$ +$body$ + + + + + + + + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
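Review bot: In the new bin/md-to-html5, the template path is built from `dirname "$b"`, but `b` is already a basename, so the result is always `.` and `t` is always `..tmpl.html5`. The per-document template lookup can therefore never succeed and every file falls back to `$template`. The redirect `> "$bns.html"` has the related problem of writing into the current directory rather than beside the input. Derive both from `dirname "$f"`. The script also has no header comment describing its arguments or the template fallback.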
[openssl-commits] [web] master update
The branch master has been updated via 8557dd2bb3cebee18ec35347250271322b09d5da (commit) from 0ef1cccd789aa8434f9ef8e3783df637d506b53f (commit) - Log - commit 8557dd2bb3cebee18ec35347250271322b09d5da Author: Richard Levitte Date: Tue Dec 25 15:53:29 2018 +0100 Reformat FAQ files Make them correct Markdown, and then use pandoc to create the FAQ HTML. We then use CSS and a bit of Javascript to make it an accordion style FAQ. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/103) --- Summary of changes: bin/mk-faq | 110 +++-- docs/faq-1-legal.txt | 42 ++-- docs/faq-2-user.txt | 373 +++ docs/faq-3-prog.txt | 614 +-- docs/faq-4-build.txt | 397 - docs/faq-5-misc.txt | 177 --- docs/faq-6-old.txt | 18 +- docs/faq.html| 9 +- inc/screen.css | 121 ++ 9 files changed, 951 insertions(+), 910 deletions(-) diff --git a/bin/mk-faq b/bin/mk-faq index 531a6c6..0f92d2e 100755 --- a/bin/mk-faq +++ b/bin/mk-faq @@ -1,88 +1,30 @@ -#! /usr/bin/perl -use strict; -use warnings; +#! /bin/sh -# Filename->anchor name -my %anchors; -foreach my $f ( @ARGV ) { -next unless $f =~ /faq-[0-9]-(.*).txt/; -$anchors{$f} = uc($1); -} +cat/>/' \ + | sed -E -e 's/<([^<>]*)>\|([A-Z]*[0-9]*)\|/<\1 id="\2">/' +done diff --git a/docs/faq-1-legal.txt b/docs/faq-1-legal.txt index dc69809..1dfc067 100644 --- a/docs/faq-1-legal.txt +++ b/docs/faq-1-legal.txt 
@@ -1,28 +1,28 @@ -Legal Questions + Legal Questions -* Do I need patent licenses to use OpenSSL? +* Do I need patent licenses to use OpenSSL? -For information on intellectual property rights, please consult a lawyer. -The OpenSSL team does not offer legal advice. +For information on intellectual property rights, please consult a lawyer. +The OpenSSL team does not offer legal advice. -You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using - -./config no-idea no-mdc2 no-rc5 - +You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using -* Can I use OpenSSL with GPL software? +./config no-idea no-mdc2 no-rc5 -On many systems includi
[openssl-commits] [web] master update
The branch master has been updated via 0ef1cccd789aa8434f9ef8e3783df637d506b53f (commit) via d5d657a5d4ee7aa2602d41cdcc5723b191c43a8b (commit) from c49be85acdf6d10bfb17d0a5f1cb6405ae25fcaf (commit) - Log - commit 0ef1cccd789aa8434f9ef8e3783df637d506b53f Merge: c49be85 d5d657a Author: Mark J. Cox Date: Tue Jan 15 12:02:31 2019 + Merge pull request #105 from iamamoose/vulns Add severities that were in the advisories but missing from the vulnerability pages, also found a missing vulnerability commit d5d657a5d4ee7aa2602d41cdcc5723b191c43a8b Author: Mark J. Cox Date: Tue Jan 15 11:37:51 2019 + Add severities that were in the advisories but missing from the vulnerability pages, also found a missing vulnerability --- Summary of changes: news/vulnerabilities.xml | 80 1 file changed, 80 insertions(+) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 2142ade..d9b42bd 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -3629,6 +3629,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3671,6 +3672,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3689,6 +3691,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3757,8 +3760,79 @@ the certificate key is invalid. This function is rarely used in practice. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due + to a NULL pointer dereference. This could lead to a Denial Of Service attack. + + + + + + @@ -3829,6 +3903,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3872,6 +3947,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3951,6 +4027,7 @@ the certificate key is invalid. This function is rarely used in practice. + 
@@ -4040,6 +4117,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -4066,6 +4144,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -4201,6 +4280,7 @@ the certificate key is invalid. This function is rarely used in practice. + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
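Review bot: The hunk at `@@ -3757,8 +3760,79 @@` adds a whole new entry (the DTLS NULL pointer dereference text), but the commit message only says "also found a missing vulnerability" without naming it. State the identifier of the added entry in the message, and consider splitting it from the severity backfill, so the addition can be found and checked against its advisory later. "Denial Of Service" in the new description would also read better as "Denial of Service".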
[openssl-commits] [web] master update
The branch master has been updated via c49be85acdf6d10bfb17d0a5f1cb6405ae25fcaf (commit) via 064a3b32b4890eff85cb8c905d91cf361673e485 (commit) via 6869d8b6065b187af840f29a574dace73d05f3c4 (commit) from 025f5f461ca3a67091aac0690de2496c03d3ba7f (commit) - Log - commit c49be85acdf6d10bfb17d0a5f1cb6405ae25fcaf Author: Richard Levitte Date: Thu Jan 3 17:23:54 2019 +0100 Generate apropos-like tables instead of filelists for manpages This works together with bin/mk-manpages' generation of description comment. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/102) commit 064a3b32b4890eff85cb8c905d91cf361673e485 Author: Richard Levitte Date: Thu Jan 3 17:17:32 2019 +0100 Have bin/mk-manpages and bin/mk-newmanpages add a description comment Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/102) commit 6869d8b6065b187af840f29a574dace73d05f3c4 Author: Richard Levitte Date: Thu Jan 3 17:11:47 2019 +0100 Change getnames() to getdata(), for generic data retrieval from POD files Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/102) --- Summary of changes: Makefile| 14 +++--- bin/mk-apropos | 13 + bin/mk-manpages | 43 - bin/mk-newmanpages | 43 - docs/man1.0.2/apps/index.html | 7 +++ docs/man1.0.2/crypto/index.html | 7 +++ docs/man1.0.2/ssl/index.html| 7 +++ docs/man1.1.0/apps/index.html | 7 +++ docs/man1.1.0/crypto/index.html | 7 +++ docs/man1.1.0/ssl/index.html| 7 +++ docs/man1.1.1/man1/index.html | 7 +++ docs/man1.1.1/man3/index.html | 7 +++ docs/man1.1.1/man5/index.html | 7 +++ docs/man1.1.1/man7/index.html | 7 +++ docs/manmaster/man1/index.html | 7 +++ docs/manmaster/man3/index.html | 7 +++ docs/manmaster/man5/index.html | 7 +++ docs/manmaster/man7/index.html | 7 +++ 18 files changed, 112 insertions(+), 99 deletions(-) create mode 100755 bin/mk-apropos diff --git a/Makefile b/Makefile index c6c54bb..2418e5e 100644 --- a/Makefile +++ b/Makefile 
@@ -58,16 +58,16 @@ rebuild: all define makemanpages ./bin/mk-manpages $(1) $(2) docs - ./bin/mk-filelist -a docs/man$(2)/apps '' '*.html' >docs/man$(2)/apps/index.inc - ./bin/mk-filelist -a docs/man$(2)/crypto '' '*.html' >docs/man$(2)/crypto/index.inc - ./bin/mk-filelist -a docs/man$(2)/ssl '' '*.html' >docs/man$(2)/ssl/index.inc + ./bin/mk-apropos docs/man$(2)/apps > docs/man$(2)/apps/index.inc + ./bin/mk-apropos docs/man$(2)/crypto > docs/man$(2)/crypto/index.inc + ./bin/mk-apropos docs/man$(2)/ssl> docs/man$(2)/ssl/index.inc endef define newmakemanpages ./bin/mk-newmanpages $(1) $(2) docs - ./bin/mk-filelist -a docs/man$(2)/man1 '' '*.html' >docs/man$(2)/man1/index.inc - ./bin/mk-filelist -a docs/man$(2)/man3 '' '*.html' >docs/man$(2)/man3/index.inc - ./bin/mk-filelist -a docs/man$(2)/man5 '' '*.html' >docs/man$(2)/man5/index.inc - ./bin/mk-filelist -a docs/man$(2)/man7 '' '*.html' >docs/man$(2)/man7/index.inc + ./bin/mk-apropos docs/man$(2)/man1 > docs/man$(2)/man1/index.inc + ./bin/mk-apropos docs/man$(2)/man3 > docs/man$(2)/man3/index.inc + ./bin/mk-apropos docs/man$(2)/man5 > docs/man$(2)/man5/index.inc + ./bin/mk-apropos docs/man$(2)/man7 > docs/man$(2)/man7/index.inc endef manpages: manmaster $(call newmakemanpages,$(CHECKOUTS)/openssl-1.1.1-stable,1.1.1) diff --git a/bin/mk-apropos b/bin/mk-apropos new file mode 100755 index 000..a9dd5b6 --- /dev/null +++ b/bin/mk-apropos @@ -0,0 +1,13 @@ +#! /bin/sh +# $1 is the top of the manual page tree to look through + +dir=$1 +cd $dir + +for m in `find . -name '*.html' | sort`; do +description=`grep -F '||'` +manfile=`echo $m | sed -e 's|\./||'` +manname=`basename $manfile .html` +origmanfile=`echo $manfile | sed -e "s|^$subdir|$origsubdir|"` +echo "$manname$description" +done diff --git a/bin/mk-manpages b/bin/mk-manpages index f177f3f..0096ec2 100755 --- a/bin/mk-manpages +++ b/bin/mk-manpages 
@@ -56,17 +56,18 @@ sub main { my $filename = File::Spec->catfile( $dir, $ent ); my $basename = basename( $ent, ".pod" ); my $title = $basename; +my %data = $class->getdata( $filename ); my $out = - $class->genhtml( $release, $sect, $filename, $title, $basename ); +$class->genhtml( $release, $sect, $filename, $title, $basename, + $data{description}); my $outf
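Review bot: In the new bin/mk-apropos, `origmanfile` is computed from `$subdir` and `$origsubdir`, neither of which is set anywhere in the script, and the result is never used; remove the line or wire it up. `cd $dir` is also unquoted and unchecked, so when the argument is missing or wrong the `find` runs somewhere other than the manpage tree and its output is still redirected over index.inc by the Makefile. Use `cd "$dir" || exit 1`.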
[openssl-commits] [web] master update
The branch master has been updated via 025f5f461ca3a67091aac0690de2496c03d3ba7f (commit) from 2ee3b78b0e20e1e2e9fc3830813a843567ea94a2 (commit) - Log - commit 025f5f461ca3a67091aac0690de2496c03d3ba7f Author: Dr. Matthias St. Pierre Date: Thu Dec 27 18:33:03 2018 +0100 Add 1.1.1 to manual sidebar Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/100) --- Summary of changes: inc/mansidebar.shtml | 1 + 1 file changed, 1 insertion(+) diff --git a/inc/mansidebar.shtml b/inc/mansidebar.shtml index 64fd0e9..c794b16 100644 --- a/inc/mansidebar.shtml +++ b/inc/mansidebar.shtml @@ -4,6 +4,7 @@ Manpages master + 1.1.1 1.1.0 1.0.2 _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 2ee3b78b0e20e1e2e9fc3830813a843567ea94a2 (commit) from ad8f7120bad64bcc43861c36eedcf29fc2728f13 (commit) - Log - commit 2ee3b78b0e20e1e2e9fc3830813a843567ea94a2 Author: Matt Caswell Date: Wed Dec 5 13:00:13 2018 + Update CLA templates Update the address in the CLA templates Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/97) --- Summary of changes: policies/openssl_ccla.pdf | Bin 32971 -> 38288 bytes policies/openssl_icla.pdf | Bin 32488 -> 37641 bytes 2 files changed, 0 insertions(+), 0 deletions(-) diff --git a/policies/openssl_ccla.pdf b/policies/openssl_ccla.pdf index 814c2f7..f341c27 100644 Binary files a/policies/openssl_ccla.pdf and b/policies/openssl_ccla.pdf differ diff --git a/policies/openssl_icla.pdf b/policies/openssl_icla.pdf index 25d1b96..cb24818 100644 Binary files a/policies/openssl_icla.pdf and b/policies/openssl_icla.pdf differ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via ad8f7120bad64bcc43861c36eedcf29fc2728f13 (commit) from 0d92547742c3da2f066f4babaacf8a51bb2f5e3c (commit) - Log - commit ad8f7120bad64bcc43861c36eedcf29fc2728f13 Author: Rich Salz Date: Mon Mar 19 18:20:32 2018 -0400 Switch to new (ASF) license Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/98) --- Summary of changes: .gitignore| 1 - Makefile | 4 - source/apache-license-2.0.txt | 177 ++ source/license-openssl-ssleay.txt | 125 +++ source/license.html | 35 +--- 5 files changed, 327 insertions(+), 15 deletions(-) create mode 100644 source/apache-license-2.0.txt create mode 100644 source/license-openssl-ssleay.txt diff --git a/.gitignore b/.gitignore index be23066..86cadae 100644 --- a/.gitignore +++ b/.gitignore @@ -31,7 +31,6 @@ source/*.gz* source/*.patch source/.htaccess source/index.inc -source/license.txt source/old/*/*.patch source/old/*/*.tar.gz* source/old/*/*.txt.asc diff --git a/Makefile b/Makefile index a495e0c..c6c54bb 100644 --- a/Makefile +++ b/Makefile @@ -30,7 +30,6 @@ SIMPLE = newsflash.inc sitemap.txt \ news/vulnerabilities-0.9.7.inc \ news/vulnerabilities-0.9.6.inc \ source/.htaccess \ -source/license.txt \ source/index.inc SRCLISTS = \ source/old/0.9.x/index.inc \ @@ -174,9 +173,6 @@ news/vulnerabilities-0.9.6.inc: bin/mk-cvepage news/vulnerabilities.xml source/.htaccess: $(wildcard source/openssl-*.tar.gz) bin/mk-latest @rm -f @? ./bin/mk-latest source >$@ -source/license.txt: $(SNAP)/LICENSE - @rm -f $@ - cp $? $@ source/index.inc: $(wildcard $(RELEASEDIR)/openssl-*.tar.gz) bin/mk-filelist @rm -f $@ ./bin/mk-filelist $(RELEASEDIR) '' 'openssl-*.tar.gz' >$@ diff --git a/source/apache-license-2.0.txt b/source/apache-license-2.0.txt new file mode 100644 index 000..49cc83d --- /dev/null +++ b/source/apache-license-2.0.txt 
@@ -0,0 +1,177 @@ + + Apache License + Version 2.0, January 2004 +https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner +
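Review bot: In the Makefile hunk at `@@ -174,9 +173,6 @@`, the context line directly above the removed rule reads `@rm -f @?` in the source/.htaccess recipe, where the other recipes visible in this patch use `@rm -f $@`. It is outside the change proper, but since the hunk touches the adjacent lines this is a good moment to fix the typo. Separately, the commit deletes the source/license.txt target, so anything that still links to that path needs updating in the same change; the message does not say whether that was checked.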
[openssl-commits] [web] master update
The branch master has been updated via 0d92547742c3da2f066f4babaacf8a51bb2f5e3c (commit) from be4639ae76f20fccfd718dea2aaa7def1dbe8a55 (commit) - Log - commit 0d92547742c3da2f066f4babaacf8a51bb2f5e3c Author: Kurt Roeckx Date: Wed Dec 5 22:22:04 2018 +0100 Update PGP key --- Summary of changes: news/openssl-security.asc | 80 +++ 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/news/openssl-security.asc b/news/openssl-security.asc index fb0482f..9dddc89 100644 --- a/news/openssl-security.asc +++ b/news/openssl-security.asc 
@@ -11,33 +11,33 @@ Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO 5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB -tCVPcGVuU1NMIE9NQyA8b3BlbnNzbC1vbWNAb3BlbnNzbC5vcmc+iQJUBBMBCgA+ -AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTizos9 -efUFAlvEwBgFCQmW/3kACgkQ2JTizos9efV3tBAAg/XTimvGMtCvMawu+ymbXshC -W+PTt3tH2oI7parnm8F0DY3c70rwKN1uu28Cds0QOpAUR8wsYe9HbXXfT7w+4JG6 -qJm3mfAin9QA49D99SN3TgSTOK7qU1p88nCpEs0dib4aF5gO2zaqRiIEbTkiQSjQ -lTzLS0kfznNmfynJI25XWNddLM2munn9ZS7XPQqzZ0G/RkDbuIayG0axRRcr8iG/ -uOkfFz3Iwk58MnzKVqPf+n7ZPTG6Z7EEcLF92Lo58x+s9tJ5afr0bTRG1wn5L8+I -++OEIn32CwPQ0B6FeI42jeXGdd4rGjgzZyBbqvUD2zei85Sa306ZUOLoD5iuSAXt -VkyK2rRRqfGy8m+R0TV1TQ25SkQadUf1fz1gS+QtyA4MhuM4f9PYR6kNUzjHkGAw -w6KTG+bHiiQdAOKCEDYZgz9bY9wSD53fQTh8r5DhQ9edgFQAZsJ5R5jouZu+5beG -8VP1OuvgKA478y/VWX6xnKLCqAfiF+p4ae0WDTm2cQiZyskTLQ2NaC0xEmAg9DgT -d0v9NteVVMKeVppaGsE21vaX7s228Pj2sf8EAwl5iqtcJZMVVMHdmMerojd0HnmW -PplbBVowaTTxLcMz/Xqlrxl7ylh6NqA3hFK1BwhFkAH6IEvXYmuAZNEtzFl+t4m5 -lsGHrlH+lstQuSl25v+0NE9wZW5TU0wgc2VjdXJpdHkgdGVhbSA8b3BlbnNzbC1z -ZWN1cml0eUBvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID -AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCW8TAJwUJCZb/eQAKCRDY -lOLOiz159bbcEACpio13Jc6porVHoi5izZ9w9xCYiv6whrhgjdBCPm+JP6bPb0aN -T0EkhQ4oBsOh3iCtVrBXjeagXK1NR1Sze/PH/kxARg9Nx6rafv9jRF2irO0E8+fY -U2nV2z8Sjuej2uAIfMEJW0GnOJsR/pnn+a6P2Na8qwuwoEoWW2rTwqgCNOPwTWAW -qgB5sYrt5M8RhmSZXW0v6NmCAQVrnGbEsqgCuBLo0WqyPszW6BEQqUsvj4aAAucS -IZr2vaN4TnXhg0VdlI1f1E32ms2lSkNXECdSYWeT1eWVn2nPKibpePrJXuHHEP1G -qM9z70+otqNn7qbIIr2aCu9aoAkcqbNCM6WN6FgZb0BH/XLByZM6ksLjO5OD1BHS -PkK7HDTLDaTQFYbzH1ItpuWWvVh+l95a5Amm3Ic4JZyTbw0I7S4n0lo+JG4l89Wr -WsYwAJsj1Chn0TitF/VTMG7JOtFHKBKzNvXOY7H85zU8AxvC5lis5vLepSc41NXw -JoR7l+Cwi1hFIJIRO6RSVp3BwI+mASRZAn9ZaCqNyfDHhFQntpn607pRl2eHvO57 -KN1r1fJOZBx8P9p4S0sqBs9QXF4wNlBM2v/Te4MGq+wzQQFtofJuBSEpN0jHpVup 
-HGZRWkCSydM4ToCRrwEhclv3GvUmi1WAzy25SBbaR408/BgEAT2Xr6TUXLQnT3Bl +tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz +bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck +Z9YTy4PH7W0w2JTizos9efUFAlvEwCcFCQmW/3kACgkQ2JTizos9efW23BAAqYqN +dyXOqaK1R6IuYs2fcPcQmIr+sIa4YI3QQj5viT+mz29GjU9BJIUOKAbDod4grVaw +V43moFytTUdUs3vzx/5MQEYPTceq2n7/Y0RdoqztBPPn2FNp1ds/Eo7no9rgCHzB +CVtBpzibEf6Z5/muj9jWvKsLsKBKFltq08KoAjTj8E1gFqoAebGK7eTPEYZkmV1t +L+jZggEFa5xmxLKoArgS6NFqsj7M1ugREKlLL4+GgALnEiGa9r2jeE514YNFXZSN +X9RN9prNpUpDVxAnUmFnk9XllZ9pzyom6Xj6yV7hxxD9RqjPc+9PqLajZ+6myCK9 +mgrvWqAJHKmzQjOljehYGW9AR/1ywcmTOpLC4zuTg9QR0j5Cuxw0yw2k0BWG8x9S +Labllr1YfpfeWuQJptyHOCWck28NCO0uJ9JaPiRuJfPVq1rGMACbI9QoZ9E4rRf1 +UzBuyTrRRygSszb1zmOx/Oc1PAMbwuZYrOby3qUnONTV8CaEe5fgsItYRSCSETuk +UladwcCPpgEkWQJ/WWgqjcnwx4RUJ7aZ+tO6UZdnh7zueyjda9XyTmQcfD/aeEtL +KgbPUFxeMDZQTNr/03uDBqvsM0EBbaHybgUhKTdIx6VbqRxmUVpAksnTOE6Aka8B +IXJb9xr1JotVgM8tuUgW2keNPPwYBAE9l6+k1Fy0JU9wZW5TU0wgT01DIDxvcGVu +c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID +AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCW8TAGAUJCZb/eQAKCRDY +lOLOiz159Xe0EACD9dOKa8Yy0K8xrC77KZteyEJb49O3e0fagjulquebwXQNjdzv +SvAo3W67bwJ2zRA6kBRHzCxh70dtdd9PvD7gkbqombeZ8CKf1ADj0P31I3dOBJM4 +rupTWnzycKkSzR2JvhoXmA7bNqpGIgRtOSJBKNCVPMtLSR/Oc2Z/KckjbldY110s +zaa6ef1lLtc9CrNnQb9GQNu4hrIbRrFFFyvyIb+46R8XPcjCTnwyfMpWo9/6ftk9 +MbpnsQRwsX3YujnzH6z20nlp+vRtNEbXCfkvz4j744QiffYLA9DQHoV4jjaN5cZ1 +3isaODNnIFuq9QPbN6LzlJrfTplQ4ugPmK5IBe1WTIratFGp8bLyb5HRNXVNDblK +RBp1R/V/PWBL5C3IDgyG4zh/09hHqQ1TOMeQYDDDopMb5seKJB0A4oIQNhmDP1tj +3BIPnd9BOHyvkOFD152AVABmwnlHmOi5m77lt4bxU/U66+AoDjvzL9VZfrGcosKo +B+IX6nhp7RYNObZxCJnKyRMtDY1oLTESYCD0OBN3S/0215VUwp5WmloawTbW9pfu +zbbw+Pax/wQDCXmKq1wlkxVUwd2Yx6uiN3QeeZY+mVsFWjBpNPEtwzP9eqWvGXvK +WHo2oDeEUrUHCEWQAfogS9dia4Bk0S3MWX63ibmWwYeuUf6Wy1C5KXbm/7QnT3Bl blNTTCB0ZWFtIDxvcGVuc3NsLXRlYW1Ab3BlbnNzbC5vcmc+iQJZBDABCgBDFiEE 78CkZ9YTy4PH7W0w2JTizos9efUFAlnZ9jUlHSBSZXBsYWNlZCBieSBvcGVuc3Ns 
LW9tY0BvcGVuc3NsLm9yZwAKCRDYlOLOiz159VAiD/wLVz8KE84z+iPBcDXJR4hr @@ -63,17 +63,17 @@ ncd+VYvth6cM9jDWsTJAXEaqNoFjVfw227NnQ/hxqGCwEVzweBi7a7dix3nCa9JO w5eV3xCyezUohQ6nOBbDnoAnp3FLeUrhBJQXCPNtlb0fSMnj14EwBoD6EKO/xz/g EW5mr0a+xp+fjbkvHVX/c8UmU+7nlX7upaN46RLM1y0yWYKo9BV61
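Review bot: The commit message is just "Update PGP key" and carries no Reviewed-by line. For news/openssl-security.asc that is thin: say what changed in the key (for example a new expiry, new signatures, or reordered user IDs) and give the key fingerprint in the message, so a reader of the log can check the published file against a value obtained out of band rather than relying on the diff alone.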
[openssl-commits] [web] master update
The branch master has been updated via be4639ae76f20fccfd718dea2aaa7def1dbe8a55 (commit) from af5e14f2df748257775c39faa63fcc755b81b1b9 (commit) - Log - commit be4639ae76f20fccfd718dea2aaa7def1dbe8a55 Author: Dr. Matthias St. Pierre Date: Tue Nov 6 12:12:26 2018 +0100 cla.html: make CLA download links and email address more prominent Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/92) --- Summary of changes: policies/cla.html | 28 +--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/policies/cla.html b/policies/cla.html index f234dde..efe0445 100644 --- a/policies/cla.html +++ b/policies/cla.html @@ -25,7 +25,8 @@ OpenSSL requires that all non-trivial contributors of ideas, code, or documentation complete, sign, and submit (via postal mail, fax - or email) an Individual CLA [PDF]. + or email) an + Individual Contributor License Agreement (ICLA). The purpose of this agreement is to clearly define the terms under which intellectual property has been contributed to OpenSSL and thereby allow us to defend the project should @@ -39,8 +40,8 @@ - For a corporation that has assigned employees to work on OpenSSL, - a Corporate CLA [PDF] + For a corporation that has assigned employees to work on OpenSSL, a + Corporate Contributor License Agreement (CCLA) is available for contributing intellectual property via the corporation, that may have been assigned as part of an employment agreement. Note that a Corporate CLA does not 
@@ -49,6 +50,27 @@ + If you have not already done so, please complete and sign a printout of the above + ICLA (and CCLA if necessary), then scan and email a pdf file of the Agreement(s) to + mailto:le...@opensslfoundation.org";>le...@opensslfoundation.org. + + + + If you prefer snail mail, send an original signed Agreement to the + + + + OpenSSL Software Foundation + 40 East Main Street + Suite 744 + Newark, DE 19711 + United States + + + Please read the document(s) carefully before signing and keep a copy for your records. + + + Your Full name will be published unless you provide an alternative Public name. For example if your full name is Andrew Bernard Charles Dickens, but you wish to be known as Andrew Dickens, please enter _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
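Review bot: In the first two cla.html hunks the link text loses its "[PDF]" marker ("an Individual CLA [PDF]." becomes "Individual Contributor License Agreement (ICLA)." and "a Corporate CLA [PDF]" becomes "Corporate Contributor License Agreement (CCLA)"), so readers can no longer tell that the links are document downloads; keep a "(PDF)" hint next to each link. In the added instructions, "email a pdf file" should read "email a PDF file".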
[openssl-commits] [web] master update
The branch master has been updated via af5e14f2df748257775c39faa63fcc755b81b1b9 (commit) from 28c43932d579cd6ba18ec411bb828a2512c3419e (commit) - Log - commit af5e14f2df748257775c39faa63fcc755b81b1b9 Author: Matt Caswell Date: Tue Nov 20 13:55:56 2018 + Updates for new release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/95) --- Summary of changes: news/newsflash.txt | 4 news/vulnerabilities.xml | 12 ++-- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/news/newsflash.txt b/news/newsflash.txt index 2c05c1a..07229f2 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,10 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +20-Nov-2018: OpenSSL 1.1.1a is now available, including bug and security fixes +20-Nov-2018: OpenSSL 1.1.0j is now available, including bug and security fixes +20-Nov-2018: OpenSSL 1.0.2q is now available, including bug and security fixes +12-Nov-2018: Security Advisory: one low severity fix in ECC scalar multiplication 29-Oct-2018: Security Advisory: one low severity fix in DSA 29-Oct-2018: Security Advisory: one low severity fix in ECDSA 11-Sep-2018: Final version of OpenSSL 1.1.1 (LTS) is now available: please download and upgrade! diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 46cdcff..2142ade 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -40,7 +40,7 @@ - + Side Channel Attack @@ -85,13 +85,13 @@ - + - + - + Constant time issue @@ -118,10 +118,10 @@ - + - + Constant time issue _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
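Review bot: The newsflash.txt hunk adds "12-Nov-2018: Security Advisory: one low severity fix in ECC scalar multiplication" alongside the three 20-Nov-2018 release entries, eight days after the advisory date, while the commit message only says "Updates for new release". Mention the backfilled advisory entry in the message or put it in its own commit, so the history shows when the advisory reached the news list.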
[openssl-commits] [web] master update
The branch master has been updated via 28c43932d579cd6ba18ec411bb828a2512c3419e (commit) from a7fc7eb4f8d9d6b21c3376d6e815d0735909bd7b (commit) - Log - commit 28c43932d579cd6ba18ec411bb828a2512c3419e Author: Matt Caswell Date: Mon Nov 12 15:02:14 2018 + Updates for CVE-2018-5407 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/93) --- Summary of changes: news/secadv/20181112.txt | 41 + news/vulnerabilities.xml | 48 +++- 2 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20181112.txt diff --git a/news/secadv/20181112.txt b/news/secadv/20181112.txt new file mode 100644 index 000..764520e --- /dev/null +++ b/news/secadv/20181112.txt 
@@ -0,0 +1,41 @@ +OpenSSL Security Advisory [12 November 2018] + + +Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) +=== + +Severity: Low + +OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown +to be vulnerable to a microarchitecture timing side channel attack. An attacker +with sufficient access to mount local timing attacks during ECDSA signature +generation could recover the private key. + +This issue does not impact OpenSSL 1.1.1 and is already fixed in the latest +version of OpenSSL 1.1.0 (1.1.0i). OpenSSL 1.0.2 is affected but due to the low +severity of this issue we are not creating a new release at this time. The 1.0.2 +mitigation for this issue can be found in commit b18162a7c. + +OpenSSL 1.1.0 users should upgrade to 1.1.0i. + +This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera +Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri. + +Note + + +OpenSSL 1.1.0 is currently only receiving security updates. Support for this +version will end on 11th September 2019. Users of this version should upgrade to +OpenSSL 1.1.1. + +References +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20181112.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 86b18c0..46cdcff 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
@@ -7,7 +7,53 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Side Channel Attack +Microarchitecture timing vulnerability in ECC scalar multiplication + + OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown + to be vulnerable to a microarchitecture timing side channel attack. An attacker + with sufficient access to mount local timing attacks during ECDSA signature + generation could recover the private key. + + + + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
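Review bot: The advisory text in news/secadv/20181112.txt gives 1.1.0 users an explicit action ("should upgrade to 1.1.0i"), but for 1.0.2, which it states is affected, it only points to commit b18162a7c and names no release that will carry the mitigation. Add a sentence telling 1.0.2 users what to do (apply that commit, or wait for a named release). The summary of changes also lists no newsflash.txt update, so this advisory is not announced in the news list by this commit.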
[openssl-commits] [web] master update
The branch master has been updated via a7fc7eb4f8d9d6b21c3376d6e815d0735909bd7b (commit) via 93507ac9b3d6cd013b2148f83c0726817cf71576 (commit) via 92a7bda034e49e626bf933f9e61b82a2cefe308c (commit) from b78d963402ca83b6ede75f1a5d42d64ca61c2c49 (commit) - Log - commit a7fc7eb4f8d9d6b21c3376d6e815d0735909bd7b Merge: b78d963 93507ac Author: Mark J. Cox Date: Mon Nov 12 16:09:29 2018 + Merge pull request #94 from iamamoose/master trivial changes - CVE-2015-1788 was missing severity tag, fix bad website includes commit 93507ac9b3d6cd013b2148f83c0726817cf71576 Author: Mark J. Cox Date: Mon Nov 12 16:01:40 2018 + CVE-2015-1788 was missing the severity tag commit 92a7bda034e49e626bf933f9e61b82a2cefe308c Author: Mark J. Cox Date: Sat Oct 13 10:29:45 2018 +0100 Remove broken include --- Summary of changes: news/vulnerabilities.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 97ec427..86b18c0 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -2482,6 +2482,7 @@ + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via b78d963402ca83b6ede75f1a5d42d64ca61c2c49 (commit) from ec4583cb047f1dd56918b38f5a36941747d50d28 (commit) - Log - commit b78d963402ca83b6ede75f1a5d42d64ca61c2c49 Author: Pauli Date: Fri Nov 2 08:40:27 2018 +1000 Update advisory for CVE-2018-0734 indicating that it introduced a new issue and that this has been fixed. Git commit versions are included. --- Summary of changes: news/secadv/20181030.txt | 5 + 1 file changed, 5 insertions(+) diff --git a/news/secadv/20181030.txt b/news/secadv/20181030.txt index b33ac41..7569b56 100644 --- a/news/secadv/20181030.txt +++ b/news/secadv/20181030.txt @@ -19,6 +19,11 @@ git repository. This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. +As a result of the changes made to mitigate this vulnerability, a new +side channel attack was created. The mitigation for this new vulnerability +can be found in these commits: 6039651c43 (for 1.1.1), 26d7fce13d (for 1.1.0) +and 880d1c76ed (for 1.0.2) + References == _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
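Review bot: The added paragraph says "a new side channel attack was created", but what the mitigation introduced is a vulnerability, not an attack; "a new side channel vulnerability was introduced" would be accurate. The paragraph also gives no identifier or description for the new issue and does not tell readers who already applied the fix commits listed earlier in the advisory that they now need 6039651c43, 26d7fce13d or 880d1c76ed as well. Say that explicitly, end the sentence with a full stop, and date the amendment, since the advisory is being edited in place.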
[openssl-commits] [web] master update
The branch master has been updated via ec4583cb047f1dd56918b38f5a36941747d50d28 (commit) from 54c39f92bbaae5b32b84c8b632c4daf2d7ad6132 (commit) - Log - commit ec4583cb047f1dd56918b38f5a36941747d50d28 Author: Matt Caswell Date: Mon Oct 29 21:52:29 2018 + Correct the security advisory name Reviewed-by: Paul Dale (Merged from https://github.com/openssl/web/pull/91) --- Summary of changes: news/secadv/{20181030.pdf => 20181030.txt} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename news/secadv/{20181030.pdf => 20181030.txt} (100%) diff --git a/news/secadv/20181030.pdf b/news/secadv/20181030.txt similarity index 100% rename from news/secadv/20181030.pdf rename to news/secadv/20181030.txt _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 54c39f92bbaae5b32b84c8b632c4daf2d7ad6132 (commit) via c84f2126b736207c23b1984cbc07d496c22ca85d (commit) from 43a3ec6622d22e8fb33324d50bd4aa4944e9e5fb (commit) - Log - commit 54c39f92bbaae5b32b84c8b632c4daf2d7ad6132 Merge: c84f212 43a3ec6 Author: Pauli Date: Tue Oct 30 07:00:24 2018 +1000 Merge branch 'master' of git.openssl.org:openssl-web commit c84f2126b736207c23b1984cbc07d496c22ca85d Author: Pauli Date: Tue Oct 30 07:00:08 2018 +1000 Add CVE-2018-0734 --- Summary of changes: news/newsflash.txt | 3 ++- news/secadv/20181030.pdf | 32 + news/vulnerabilities.xml | 52 +++- 3 files changed, 85 insertions(+), 2 deletions(-) create mode 100644 news/secadv/20181030.pdf diff --git a/news/newsflash.txt b/news/newsflash.txt index 311c39b..2c05c1a 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,7 +4,8 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item -29-Oct-2018: Security Advisory: one low severity fix +29-Oct-2018: Security Advisory: one low severity fix in DSA +29-Oct-2018: Security Advisory: one low severity fix in ECDSA 11-Sep-2018: Final version of OpenSSL 1.1.1 (LTS) is now available: please download and upgrade! 21-Aug-2018: Beta 7 of OpenSSL 1.1.1 (pre release 9) is now available: please download and test it 14-Aug-2018: OpenSSL 1.1.0i is now available, including bug and security fixes diff --git a/news/secadv/20181030.pdf b/news/secadv/20181030.pdf new file mode 100644 index 000..b33ac41 --- /dev/null +++ b/news/secadv/20181030.pdf 
@@ -0,0 +1,32 @@ +OpenSSL Security Advisory [30 October 2018] +=== + +Timing vulnerability in DSA signature generation (CVE-2018-0734) + + +Severity: Low + +The OpenSSL DSA signature algorithm has been shown to be vulnerable to a +timing side channel attack. An attacker could use variations in the signing +algorithm to recover the private key. + +Due to the low severity of this issue we are not issuing a new release +of OpenSSL 1.1.1, 1.1.0 or 1.0.2 at this time. The fix will be included +in OpenSSL 1.1.1a, OpenSSL 1.1.0j and OpenSSL 1.0.2q when they become +available. The fix is also available in commit 8abfe72e8c (for 1.1.1), +ef11e19d13 (for 1.1.0) and commit 43e6a58d49 (for 1.0.2) in the OpenSSL +git repository. + +This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. + +References +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20181030.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 52cc185..97ec427 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,57 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Constant time issue +Timing attack against DSA + + The OpenSSL DSA signature algorithm has been shown to be vulnerable + to a timing side channel attack. An attacker could use variations + in the signing algorithm to recover the private key. + + + + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
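Review bot: The advisory is created as news/secadv/20181030.pdf although its content is plain text and its own References section gives the URL https://www.openssl.org/news/secadv/20181030.txt; create the file with the .txt name so the published link resolves. The dates also disagree: the advisory header says 30 October 2018 while both newsflash.txt entries in this commit are dated 29-Oct-2018, so the DSA entry should carry the advisory's date.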
[openssl-commits] [web] master update
The branch master has been updated via 43a3ec6622d22e8fb33324d50bd4aa4944e9e5fb (commit) from ecf0f6ced3b30e616932d3ccd7609e7e63520c8c (commit) - Log - commit 43a3ec6622d22e8fb33324d50bd4aa4944e9e5fb Author: Matt Caswell Date: Mon Oct 29 12:09:44 2018 + Update vulnerabilities.xml The new CVE is only fixed in the dev version. 1.1.1a and 1.1.0j are not yet released. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/90) --- Summary of changes: news/vulnerabilities.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 6067c1e..52cc185 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -22,10 +22,10 @@ - + - + Constant time issue _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via ecf0f6ced3b30e616932d3ccd7609e7e63520c8c (commit) from 61572af57041195c7654c0485f8f323baec0ab66 (commit) - Log - commit ecf0f6ced3b30e616932d3ccd7609e7e63520c8c Author: Pauli Date: Mon Oct 29 10:54:02 2018 +1000 update vulnerability information again, this is the published version --- Summary of changes: news/vulnerabilities.xml | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index b2979db..6067c1e 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -10,7 +10,7 @@ - + @@ -22,6 +22,12 @@ + + + + + + Constant time issue Timing attack against ECDSA signature generation _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 61572af57041195c7654c0485f8f323baec0ab66 (commit) from c35854b022239196048f9bbd5418fb77dd4f7ee0 (commit) - Log - commit 61572af57041195c7654c0485f8f323baec0ab66 Author: Pauli Date: Mon Oct 29 10:01:23 2018 +1000 fix vulnerability entry --- Summary of changes: news/vulnerabilities.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 605f354..b2979db 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -10,7 +10,7 @@ - + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via c35854b022239196048f9bbd5418fb77dd4f7ee0 (commit) from 6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4 (commit) - Log - commit c35854b022239196048f9bbd5418fb77dd4f7ee0 Author: Pauli Date: Mon Oct 29 09:58:52 2018 +1000 fix vulnerability entry --- Summary of changes: news/vulnerabilities.xml | 50 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index a2a2de0..605f354 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,31 @@ - + + + + + + + + + + + + + + + +Constant time issue +Timing attack against ECDSA signature generation + + The OpenSSL ECDSA signature algorithm has been shown to be + vulnerable to a timing side channel attack. An attacker could use + variations in the signing algorithm to recover the private key. + + + + @@ -54,30 +78,6 @@ - - - - - - - - - - - - - - -Constant time issue -Timing attack against ECDSA signature generation - - The OpenSSL ECDSA signature algorithm has been shown to be - vulnerable to a timing side channel attack. An attacker could use - variations in the signing algorithm to recover the private key. - - - - _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
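Review bot: The commit message "fix vulnerability entry" does not say what was wrong. The block removed in the second hunk (-54,30) and the block added in the first (+7,31) carry identical text, so the "Timing attack against ECDSA signature generation" entry is only being moved to the top of vulnerabilities.xml; state that the entry is reordered and why. The following commit (61572af) reuses the same message, which makes the two indistinguishable in the log.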
[openssl-commits] [web] master update
The branch master has been updated via 6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4 (commit) via 911cdb11d835a00d901d3e9c1a728ed2613f84a6 (commit) from fbf24147cb7b9e04c40ef0d14f76dc85d59a8413 (commit) - Log - commit 6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4 Merge: 911cdb1 fbf2414 Author: Pauli Date: Mon Oct 29 09:06:01 2018 +1000 Merge branch 'master' of git.openssl.org:openssl-web commit 911cdb11d835a00d901d3e9c1a728ed2613f84a6 Author: Pauli Date: Mon Oct 29 09:03:42 2018 +1000 Update for ECDSA vulnerability CVS-2018-0735 --- Summary of changes: news/newsflash.txt | 1 + news/secadv/20181029.txt | 31 +++ news/vulnerabilities.xml | 24 3 files changed, 56 insertions(+) create mode 100644 news/secadv/20181029.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 1a0f0fb..311c39b 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +29-Oct-2018: Security Advisory: one low severity fix 11-Sep-2018: Final version of OpenSSL 1.1.1 (LTS) is now available: please download and upgrade! 21-Aug-2018: Beta 7 of OpenSSL 1.1.1 (pre release 9) is now available: please download and test it 14-Aug-2018: OpenSSL 1.1.0i is now available, including bug and security fixes diff --git a/news/secadv/20181029.txt b/news/secadv/20181029.txt new file mode 100644 index 000..2194ef0 --- /dev/null +++ b/news/secadv/20181029.txt 
@@ -0,0 +1,31 @@ +OpenSSL Security Advisory [29 October 2018] +=== + +Timing vulnerability in ECDSA signature generation (CVE-2018-0735) +== + +Severity: Low + +The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a +timing side channel attack. An attacker could use variations in the signing +algorithm to recover the private key. + +Due to the low severity of this issue we are not issuing a new release +of OpenSSL 1.1.1 or 1.1.0 at this time. The fix will be included in +OpenSSL 1.1.1a and OpenSSL 1.1.0j when they become available. The fix +is also available in commit b1d6d55ece (for 1.1.1) and commit 56fb454d28 +(for 1.1.0) in the OpenSSL git repository. + +This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser. + +References +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20181029.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 6ef9c56..a2a2de0 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -54,6 +54,30 @@ + + + + + + + + + + + + + + +Constant time issue +Timing attack against ECDSA signature generation + + The OpenSSL ECDSA signature algorithm has been shown to be + vulnerable to a timing side channel attack. An attacker could use + variations in the signing algorithm to recover the private key. + + + + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
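Review bot: The newsflash.txt line "29-Oct-2018: Security Advisory: one low severity fix" does not name the affected component, so readers cannot tell from the news list whether it concerns them; "one low severity fix in ECDSA" would match the advisory title. The commit subject also writes "CVS-2018-0735" where the advisory says CVE-2018-0735, and the vulnerabilities.xml entry is inserted at line 54 while the other advisory commits on this page add theirs at line 7.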
[openssl-commits] [web] master update
The branch master has been updated via fbf24147cb7b9e04c40ef0d14f76dc85d59a8413 (commit) from 3b07e5291b0df2cef8469ab0494d1c787e84af87 (commit) - Log - commit fbf24147cb7b9e04c40ef0d14f76dc85d59a8413 Author: Joe Date: Fri Oct 26 08:22:17 2018 + Small typo fix CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/89) --- Summary of changes: source/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/index.html b/source/index.html index a4a98ce..605c009 100644 --- a/source/index.html +++ b/source/index.html @@ -17,7 +17,7 @@ at https://github.com/openssl/openssl";>https://github.com/openssl/openssl. Bugs and pull patches (issues and pull requests) should be -file on the GitHub repo. +filed on the GitHub repo. Please familiarize yourself with the license. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 3b07e5291b0df2cef8469ab0494d1c787e84af87 (commit) from 72c1892c6630fe39a3ba99980876a4e7e983a2d8 (commit) - Log - commit 3b07e5291b0df2cef8469ab0494d1c787e84af87 Author: Kurt Roeckx Date: Mon Oct 15 18:32:18 2018 +0200 Update PGP key --- Summary of changes: news/openssl-security.asc | 128 +++--- 1 file changed, 64 insertions(+), 64 deletions(-) diff --git a/news/openssl-security.asc b/news/openssl-security.asc index 217cbe7..fb0482f 100644 --- a/news/openssl-security.asc +++ b/news/openssl-security.asc 
[openssl-commits] [web] master update
The branch master has been updated via 72c1892c6630fe39a3ba99980876a4e7e983a2d8 (commit) from e803b1e8aa04dde1595450e785bcb7b63f1ac7b5 (commit) - Log - commit 72c1892c6630fe39a3ba99980876a4e7e983a2d8 Author: Mark J. Cox Date: Sat Oct 13 10:30:33 2018 +0100 Remove broken link --- Summary of changes: docs/fips/verifycd.html | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/fips/verifycd.html b/docs/fips/verifycd.html index da76889..e02e28b 100644 --- a/docs/fips/verifycd.html +++ b/docs/fips/verifycd.html @@ -73,7 +73,6 @@ - _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via e803b1e8aa04dde1595450e785bcb7b63f1ac7b5 (commit) via fc3a76a7b2d8cfa3de18408ce1428785f4a9678e (commit) from 0fdc26a3da6206efb38025e5f2d94a97760f0614 (commit) - Log - commit e803b1e8aa04dde1595450e785bcb7b63f1ac7b5 Merge: 0fdc26a fc3a76a Author: Mark J. Cox Date: Sat Oct 13 10:26:44 2018 +0100 Merge pull request #88 from iamamoose/fipscd Link to KeyPair arrangement for FIPS CD provision commit fc3a76a7b2d8cfa3de18408ce1428785f4a9678e Author: Mark J. Cox Date: Sat Oct 13 09:35:14 2018 +0100 Link to KeyPair arrangement for FIPS CD provision --- Summary of changes: docs/fips/verifycd.html | 26 +- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/docs/fips/verifycd.html b/docs/fips/verifycd.html index a30a9c1..da76889 100644 --- a/docs/fips/verifycd.html +++ b/docs/fips/verifycd.html 
@@ -40,20 +40,20 @@ The requirement for this verification with an independently acquired FIPS 140-2 validated cryptographic module does not apply when the distribution file is distributed using a "secure" means. Distribution -on physical media is considered secure in this context, so as a -convenience a copy of the distribution files can be obtained from -OSS as a CD-ROM disks via postal mail. - -The fee for this is $100 in US Dollars. At this time we are only able - to accept US wire transfers. -Email us at mailto:osf-cont...@openssl.org";>osf-cont...@openssl.org -and we will send you our ABA and account information. -We cannot do credit cards, purchase orders, or anything other - than a US-based bank transfer at this time. -We can mail internationally (the CD contains only open source code -and so may be exported under the TSU exception of EAR ECCN 5D002). -It will take a week or two to process your order. +on physical media is considered secure in this context so you can +verify by obtaining a copy of the distribution files on CD-ROM disks via +postal mail. +OpenSSL are not providing disks directly at this time. However we have +an arrangement with KeyPair Consulting who will +https://keypair.us/2018/05/cd/";>send a disk to you at no + charge. + +Important Disclaimer: The listing of these third party products does not + imply any endorsement by the OpenSSL project, and these organizations are not + affiliated in any way with OpenSSL other than by the reference to their + independent web sites here. + Note that the files you will receive on these CDs will be identical in every respect (except for formal FIPS 140-2 compliance) with the files you can download from https://mta.openssl.org/mailman/listinfo/openssl-commits
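Review bot: The retained context line "Note that the files you will receive on these CDs will be identical in every respect ..." was written for disks that OpenSSL mailed itself; with this hunk the disks come from KeyPair Consulting and the added disclaimer denies any affiliation, so that assurance is now made about media the project does not produce. Reword it, or say how the recipient can confirm the disk contents, since this page relies on physical media being the "secure" distribution channel. The disclaimer's "these third party products" and "these organizations" should also be singular for the one vendor listed.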
[openssl-commits] [web] master update
The branch master has been updated via 0fdc26a3da6206efb38025e5f2d94a97760f0614 (commit) from 39045b9f57b5ff168bb646f44119bf4dc55ba37c (commit) - Log - commit 0fdc26a3da6206efb38025e5f2d94a97760f0614 Author: Matt Caswell Date: Wed Oct 10 17:19:54 2018 +0100 Correct the contact email on the trademark page Reviewed-by: Mark J. Cox (Merged from https://github.com/openssl/web/pull/87) --- Summary of changes: policies/trademark.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policies/trademark.html b/policies/trademark.html index f669e46..39ecab7 100644 --- a/policies/trademark.html +++ b/policies/trademark.html @@ -134,7 +134,7 @@ When in doubt about the use of OpenSSL trademarks, or to request permission for uses not allowed by this policy, please send an email to -mailto:cont...@openssl.org";>cont...@openssl.org. +mailto:osf-cont...@openssl.org";>osf-cont...@openssl.org. Be sure to include the following information in the body of your message: @@ -160,7 +160,7 @@ For any queries with respect to these guidelines, please send an email to -mailto:cont...@openssl.org";>cont...@openssl.org. +mailto:osf-cont...@openssl.org";>osf-cont...@openssl.org. Organisations Licensed to Use OpenSSL Trademarks _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 39045b9f57b5ff168bb646f44119bf4dc55ba37c (commit) from 2c0a67c87382d0e10d4ee02921e4d59358906039 (commit) - Log - commit 39045b9f57b5ff168bb646f44119bf4dc55ba37c Author: Beat Bolli Date: Sat Sep 29 00:20:38 2018 +0200 inc/screen.css: style and like and pod2html emits the deprecated visual tags instead of the semantic ones, so we have to style the visual tags as well. Fixes #74 Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/85) --- Summary of changes: inc/screen.css | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inc/screen.css b/inc/screen.css index 9a5b157..e3d672c 100644 --- a/inc/screen.css +++ b/inc/screen.css @@ -239,11 +239,11 @@ ul ul, ul ol, ol ul, ol ol { margin-bottom: 0em; } -strong { +strong, b { font-weight: bold; } -em { +em, i { font-style: italic; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 2c0a67c87382d0e10d4ee02921e4d59358906039 (commit) via 14964aea93f2691734f6f40a3207e810349b9c2c (commit) via e5d4e54cc90c3c5756e03b32b5490a2cbf26b42a (commit) from d7b78dd4edd7fda96fc4b1fafdfd7686108d2b22 (commit) - Log - commit 2c0a67c87382d0e10d4ee02921e4d59358906039 Merge: d7b78dd 14964ae Author: Mark J. Cox Date: Mon Sep 24 10:42:11 2018 +0100 Merge pull request #84 from iamamoose/vulns111 Missing the 1.1.1 vulns page which will be needed when any issues get fixed commit 14964aea93f2691734f6f40a3207e810349b9c2c Author: Mark J. Cox Date: Mon Sep 24 10:36:15 2018 +0100 Add page for 1.1.1 vulnerabilities, this will get automatically updated when there are any (the breadcrumbs will get updated automatically at that time) commit e5d4e54cc90c3c5756e03b32b5490a2cbf26b42a Author: Mark J. Cox Date: Mon Sep 24 10:35:14 2018 +0100 Don't imply there are no vulnerabilities at all, just that we've not released fixes for any yet --- Summary of changes: bin/mk-cvepage | 2 +- news/{vulnerabilities-1.0.2.html => vulnerabilities-1.1.1.html} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) copy news/{vulnerabilities-1.0.2.html => vulnerabilities-1.1.1.html} (92%) diff --git a/bin/mk-cvepage b/bin/mk-cvepage index 8dbb864..10654b6 100755 --- a/bin/mk-cvepage +++ b/bin/mk-cvepage @@ -147,7 +147,7 @@ preface += "" if allissues != "": preface += allissues + "" else: -preface += "No vulnerabilities" +preface += "No vulnerabilities fixed" sys.stdout.write(preface.encode('utf-8')) diff --git a/news/vulnerabilities-1.0.2.html b/news/vulnerabilities-1.1.1.html similarity index 92% copy from news/vulnerabilities-1.0.2.html copy to news/vulnerabilities-1.1.1.html index 0f1ac3b..db54fa1 100644 --- a/news/vulnerabilities-1.0.2.html +++ b/news/vulnerabilities-1.1.1.html 
@@ -15,7 +15,7 @@ If you think you have found a security bug in OpenSSL, please report it to us. - + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
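Review bot: in bin/mk-cvepage, the new fallback string "No vulnerabilities fixed" is still ambiguous on its own; wording such as "No vulnerabilities fixed yet in this release series" would carry the intent stated in the commit message ("just that we've not released fixes for any yet"). Separately, the unchanged context line `sys.stdout.write(preface.encode('utf-8'))` writes encoded bytes to a text stream, which only works on Python 2, so it is worth a follow-up before the script is run under Python 3. Since news/vulnerabilities-1.1.1.html is a 92% copy of the 1.0.2 page with one changed line, check the copy for leftover 1.0.2 strings that the generator does not rewrite.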
[openssl-commits] [web] master update
The branch master has been updated via d7b78dd4edd7fda96fc4b1fafdfd7686108d2b22 (commit) from 256ea23dae5b675ded6823625d6a966a353c2f5d (commit) - Log - commit d7b78dd4edd7fda96fc4b1fafdfd7686108d2b22 Author: Dr. Matthias St. Pierre Date: Sat Sep 22 16:42:58 2018 +0200 Remove pre-release from 1.1.1 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/83) --- Summary of changes: docs/manpages.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/manpages.html b/docs/manpages.html index 91623d9..d75fec0 100644 --- a/docs/manpages.html +++ b/docs/manpages.html @@ -14,7 +14,7 @@ master - 1.1.1 (pre-release) + 1.1.1 1.1.0 1.0.2 _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 256ea23dae5b675ded6823625d6a966a353c2f5d (commit) from 2b448f5a972d0f89e4b141d0568984dc1d37d489 (commit) - Log - commit 256ea23dae5b675ded6823625d6a966a353c2f5d Author: Richard Levitte Date: Wed Sep 19 02:20:27 2018 +0200 inc/screen.css: no pre-wrap There's no reason why the contents of element should be wrapped on line breaks. Set white-space to 'normal' instead. This property is useful in case we happen to inherit some other setting of that property and want to get back to a normal setting. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/79) --- Summary of changes: inc/screen.css | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/inc/screen.css b/inc/screen.css index c526275..9a5b157 100644 --- a/inc/screen.css +++ b/inc/screen.css @@ -362,10 +362,7 @@ article blockquote cite:before { /* @extend this to force long lines of continuous text to wrap */ .force-wrap, article a, aside.sidebar a { - white-space: -moz-pre-wrap; - white-space: -pre-wrap; - white-space: -o-pre-wrap; - white-space: pre-wrap; + white-space: normal; word-wrap: break-word; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
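Review bot: in the `.force-wrap, article a, aside.sidebar a` rule of inc/screen.css, the retained `word-wrap: break-word;` is the legacy name of the property; adding the standard `overflow-wrap: break-word;` beside it keeps the rule effective if the alias is ever dropped. The reason given in the commit message for setting `white-space: normal` explicitly (resetting an inherited value) deserves a one-line CSS comment, because next to the existing "force long lines of continuous text to wrap" comment the declaration otherwise looks redundant.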
[openssl-commits] [web] master update
The branch master has been updated via 2b448f5a972d0f89e4b141d0568984dc1d37d489 (commit) from 8a1b9339b244cf9bf76bb1bed0eb6e6cd45b3871 (commit) - Log - commit 2b448f5a972d0f89e4b141d0568984dc1d37d489 Author: Richard Levitte Date: Wed Sep 19 02:47:10 2018 +0200 Fix openssl.com htaccess Redirect works with prefixes. If only / should be redirected and not any sub-path, use RedirectMatch Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/81) --- Summary of changes: .htaccess.openssl.com | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.htaccess.openssl.com b/.htaccess.openssl.com index 90b3e57..2af9a82 100644 --- a/.htaccess.openssl.com +++ b/.htaccess.openssl.com @@ -1,4 +1,5 @@ # -*- Apache -*- -Redirect permanent / https://www.openssl.org/community/contacts.html Redirect permanent /verifycd.html https://www.openssl.org/docs/fips/verifycd.html + +RedirectMatch permanent "^/$" https://www.openssl.org/community/contacts.html RedirectMatch permanent "^(.*)$" "https://www.openssl.org$1"; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
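Review bot: the order of the three rules in .htaccess.openssl.com is now load-bearing and nothing in the file says so. mod_alias applies the first matching redirect in file order, so the catch-all `RedirectMatch permanent "^(.*)$"` has to stay last; a comment above it would stop a later edit from reintroducing the shadowing this commit fixes. The removed `Redirect permanent /` rule was served as a permanent redirect, so clients that cached a response from it may keep following the old target for a while; that is worth keeping in mind when testing the fix.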
[openssl-commits] [web] master update
The branch master has been updated via 8a1b9339b244cf9bf76bb1bed0eb6e6cd45b3871 (commit) from 53cc720aa09a60463d62d184ab6e23baccef5e71 (commit) - Log - commit 8a1b9339b244cf9bf76bb1bed0eb6e6cd45b3871 Author: Richard Levitte Date: Wed Sep 19 02:25:26 2018 +0200 Add a openssl.com specific .htaccess This allows us to redirect whatever openssl.com URLs we want freely. The setup in the openssl.com site configuration will include this line: AccessFileName .htaccess.openssl.com .htaccess Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/80) --- Summary of changes: .htaccess.openssl.com | 4 1 file changed, 4 insertions(+) create mode 100644 .htaccess.openssl.com diff --git a/.htaccess.openssl.com b/.htaccess.openssl.com new file mode 100644 index 000..90b3e57 --- /dev/null +++ b/.htaccess.openssl.com @@ -0,0 +1,4 @@ +# -*- Apache -*- +Redirect permanent / https://www.openssl.org/community/contacts.html +Redirect permanent /verifycd.html https://www.openssl.org/docs/fips/verifycd.html +RedirectMatch permanent "^(.*)$" "https://www.openssl.org$1"; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
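Review bot: the first rule, `Redirect permanent / https://www.openssl.org/community/contacts.html`, is a prefix match, so it catches every request path and the `/verifycd.html` and catch-all rules below it are never reached. `Redirect` also appends the remainder of the request path to the target, which yields URLs that do not exist under contacts.html. Anchor the root redirect with `RedirectMatch permanent "^/$"` and put the specific `/verifycd.html` rule first.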
[openssl-commits] [web] master update
The branch master has been updated via 53cc720aa09a60463d62d184ab6e23baccef5e71 (commit) via 7c369dac41a2f5a25d3533932686c860958b2643 (commit) via fb942af17ae8fff1e18939d57676678931e9b7e4 (commit) via a1a3195d8d9abdbc5238618b23f73cb774262d09 (commit) via 91ca9441703a779d4c065dc181653410914ee6f2 (commit) from 50ac168c298eedf5aced96da0b6eff5aee57b9fd (commit) - Log - commit 53cc720aa09a60463d62d184ab6e23baccef5e71 Merge: 50ac168 7c369da Author: Mark J. Cox Date: Tue Sep 18 14:07:12 2018 +0100 Merge pull request #77 from iamamoose/oss Merge information from openssl.com and about OSS into main site commit 7c369dac41a2f5a25d3533932686c860958b2643 Author: Mark J. Cox Date: Tue Sep 18 13:09:05 2018 +0100 Update to the latest OSS bylaws commit fb942af17ae8fff1e18939d57676678931e9b7e4 Author: Mark J. Cox Date: Tue Sep 18 11:04:31 2018 +0100 Add verify CD image commit a1a3195d8d9abdbc5238618b23f73cb774262d09 Author: Mark J. Cox Date: Tue Sep 18 11:03:45 2018 +0100 Add the page from http://openssl.com/verifycd.html but update to show we do not accept US cheques/checks at this time. commit 91ca9441703a779d4c065dc181653410914ee6f2 Author: Mark J. Cox Date: Tue Sep 18 10:49:41 2018 +0100 Add OSS bylaws and details of OSS to the contact page rather than using openssl.com which we should deprecate. Bring wording for FIPS in line with what we used on openssl.com --- Summary of changes: community/contacts.html | 19 docs/fips/verifycd.html | 81 docs/fips/verifycd.jpg | Bin 0 -> 20887 bytes policies/oss-bylaws.pdf | Bin 0 -> 38884 bytes 4 files changed, 94 insertions(+), 6 deletions(-) create mode 100644 docs/fips/verifycd.html create mode 100644 docs/fips/verifycd.jpg create mode 100644 policies/oss-bylaws.pdf diff --git a/community/contacts.html b/community/contacts.html index 5c6f6a6..8c0820e 100644 --- a/community/contacts.html +++ b/community/contacts.html 
@@ -17,10 +17,21 @@ (US) non-profit corporation with its own bylaws. + OpenSSL Software Services + (OSS) also represents the OpenSSL project, for +Support Contracts, and +as the + Vendor of Record for NIST Cryptographic Module +https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/1747";>#1747 +(This is an open-source validation of FIPS-140 based on OpenSSL). +It is a Delaware (US) corporation with its own bylaws. + - The best way to contact OSF is by sending an email to + The best way to contact OSF or OSS is by sending an email to mailto:osf-cont...@openssl.org";>osf-cont...@openssl.org. - For postal or telephone contact, use the following: + For postal contact, use the following: 40 E Main St, Suite 744 @@ -29,10 +40,6 @@ - https://www.openssl.com";>OpenSSL Software Services - (OSS) also represents the OpenSSL project, most notably as the - Vendor of Record for the FIPS validation. - You are here: Home diff --git a/docs/fips/verifycd.html b/docs/fips/verifycd.html new file mode 100644 index 000..a30a9c1 --- /dev/null +++ b/docs/fips/verifycd.html 
@@ -0,0 +1,81 @@ + + + + + + + + + + FIPS 140-2 verification of the OpenSSL FIPS Object Module source distribution file + + + + +The latest of the OpenSSL FIPS Object Module ("FIPS module") +FIPS 140-2 validations saw the introduction of a new requirement +by the CMVP: + + The distribution tar file, shall be verified using an +independently acquired FIPS 140-2 validated cryptographic +module... + +Some prospective users of the OpenSSL FIPS Object Module 2.0 already +have ready access to an existing securely-installed software product +using FIPS 140-2 validated cryptography that is capable of calculating +the HMAC-SHA-1 digest of a file on disk, in which case satisfying this +requirement is easy (simply calculate the HMAC-SHA-1 digest of the +source distribution file using the key "etaonrishdlcupfm" +and confirm it is that same as documented in the http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm";>Security Policy +document (e.g., "2cdd29913c6523df8ad38da11c342b80ed3f1dae" for +openssl-fips-2.0.tar.gz). + + +For most prospective users the identification, acquisition, +installation, and configuration of a suitable product may be a challenge. +(See Section 6.6 of our FIPS +User + Guide) +The requirement for this verification with an in
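Review bot: in the new docs/fips/verifycd.html, the Security Policy link uses plain `http://csrc.nist.gov/...`, while the NIST certificate link added to community/contacts.html in the same patch uses `https://`. A page that tells users how to verify the distribution file should not send them to the reference digest over an unauthenticated link. The same paragraph has a typo: "confirm it is that same as" should read "the same as". In community/contacts.html the OSS paragraph is moved above the contact details, which reads well, but "for Support Contracts, and as the Vendor of Record" has a stray comma before "and".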
[openssl-commits] [web] master update
The branch master has been updated via 50ac168c298eedf5aced96da0b6eff5aee57b9fd (commit) via 6bde6d627da78566f2b1b1f1b4dfdd3781fa91ee (commit) from a9e5da9e4698a64397f1f564337f13207518f3ee (commit) - Log - commit 50ac168c298eedf5aced96da0b6eff5aee57b9fd Merge: a9e5da9 6bde6d6 Author: Mark J. Cox Date: Tue Sep 18 13:24:11 2018 +0100 Merge pull request #78 from iamamoose/osf Update to latest OSF bylaws commit 6bde6d627da78566f2b1b1f1b4dfdd3781fa91ee Author: Mark J. Cox Date: Tue Sep 18 13:11:56 2018 +0100 Update to latest OSF bylaws --- Summary of changes: policies/osf-bylaws.pdf | Bin 44509 -> 45594 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/policies/osf-bylaws.pdf b/policies/osf-bylaws.pdf index ed4810c..b0a3994 100644 Binary files a/policies/osf-bylaws.pdf and b/policies/osf-bylaws.pdf differ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via a9e5da9e4698a64397f1f564337f13207518f3ee (commit) from b0d67bb874e71cd8708f374a0111b95fe76ffc87 (commit) - Log - commit a9e5da9e4698a64397f1f564337f13207518f3ee Author: Matt Caswell Date: Tue Sep 11 14:16:04 2018 +0100 Updates for the 1.1.1 release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/76) --- Summary of changes: news/newsflash.txt | 1 + source/index.html | 28 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/news/newsflash.txt b/news/newsflash.txt index f1001bd..1a0f0fb 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +11-Sep-2018: Final version of OpenSSL 1.1.1 (LTS) is now available: please download and upgrade! 21-Aug-2018: Beta 7 of OpenSSL 1.1.1 (pre release 9) is now available: please download and test it 14-Aug-2018: OpenSSL 1.1.0i is now available, including bug and security fixes 14-Aug-2018: OpenSSL 1.0.2p is now available, including bug and security fixes diff --git a/source/index.html b/source/index.html index 6c6c066..a4a98ce 100644 --- a/source/index.html +++ b/source/index.html 
@@ -30,11 +30,20 @@ A list of mirror sites can be found here. - Note: The latest stable version is the 1.1.0 series. -The 1.0.2 series is our Long Term - Support (LTS) release, supported until 31st December 2019. -The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support and - should not be used. + Note: The latest stable version is the 1.1.1 series. This is +also our Long Term Support (LTS) version, supported until 11th September +2023. Our previous LTS version (1.0.2 series) will continue to be +supported until 31st December 2019 (security fixes only during the last +year of support). The 1.1.0 series is currently only receiving security +fixes and will go out of support on 11th September 2019. All users of +1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible. +The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support and should +not be used. + +The OpenSSL FIPS Object Module 2.0 (FOM) is also available for +download. It is no longer receiving updates. It must be used in +conjunction with a FIPS capable version of OpenSSL (1.0.2 series). A +new FIPS module is currently in development. @@ -47,9 +56,12 @@ When building a release for the first time, please make sure - to look at the README and INSTALL files in the distribution. - If you have problems, look at the FAQ, which can be - found online. + to look at the INSTALL file in the distribution along with any NOTES +file applicable to your platform. If you have problems, look at the FAQ, +which can be found online. If you +still need more help, then join the +openssl-users email list and +post a question there. PGP keys for the signatures are available from the https://www.openssl.org/community/omc.html";>OMC page. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via b0d67bb874e71cd8708f374a0111b95fe76ffc87 (commit) via 963878785a6afbb5bbc714cc38a0cea7358e19cc (commit) from 6c27271343534942a6fee6fa97302072bde93e67 (commit) - Log - commit b0d67bb874e71cd8708f374a0111b95fe76ffc87 Merge: 6c27271 9638787 Author: Mark J. Cox Date: Thu Aug 30 14:34:35 2018 +0100 Merge pull request #75 from iamamoose/mirrors remove broken mirrors commit 963878785a6afbb5bbc714cc38a0cea7358e19cc Author: Mark J. Cox Date: Thu Aug 30 14:21:26 2018 +0100 remove broken mirrors --- Summary of changes: source/mirror.html | 4 1 file changed, 4 deletions(-) diff --git a/source/mirror.html b/source/mirror.html index 0e2419b..96c7386 100644 --- a/source/mirror.html +++ b/source/mirror.html @@ -16,10 +16,6 @@ LocaleURL - ATftp://gd.tuwien.ac.at/infosys/security/openssl/";>ftp://gd.tuwien.ac.at/infosys/security/openssl/ - CAhttp://openssl.skazkaforyou.com/";>http://openssl.skazkaforyou.com/ CZftp://ftp.fi.muni.cz/pub/openssl/";>ftp://ftp.fi.muni.cz/pub/openssl/ DEhttps://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 6c27271343534942a6fee6fa97302072bde93e67 (commit) from 60246d07484ce72139483e7bbcc52c7b45a3b408 (commit) - Log - commit 6c27271343534942a6fee6fa97302072bde93e67 Author: Richard Levitte Date: Wed Aug 22 13:01:20 2018 +0200 Update the end copyright year Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/72) --- Summary of changes: inc/footer.shtml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/footer.shtml b/inc/footer.shtml index 89f8e84..65be9f1 100644 --- a/inc/footer.shtml +++ b/inc/footer.shtml @@ -4,7 +4,7 @@ Please report problems with this website to webmaster at openssl.org. -Copyright © 1999-2017, OpenSSL Software Foundation. +Copyright © 1999-2018, OpenSSL Software Foundation. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
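Review bot: the end year in inc/footer.shtml is still a literal, and this commit, dated 22 August 2018, shows the cost: the footer said 2017 for most of the year. Because the file is a server-side include, the year can be emitted by the server (for example with the SSI `config timefmt` and `echo var="DATE_LOCAL"` directives) so that no annual commit is needed. If the literal is kept on purpose, a comment saying so would help.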
[openssl-commits] [web] master update
The branch master has been updated via 60246d07484ce72139483e7bbcc52c7b45a3b408 (commit) from 46b7dc43cbd00b4d6cf275afb544a770a991a2ec (commit) - Log - commit 60246d07484ce72139483e7bbcc52c7b45a3b408 Author: Matt Caswell Date: Tue Aug 21 15:30:13 2018 +0100 Update the support contracts page In accordance with an OMC vote Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/71) --- Summary of changes: support/contracts.html | 93 +++--- 1 file changed, 20 insertions(+), 73 deletions(-) diff --git a/support/contracts.html b/support/contracts.html index 0651184..7f35804 100644 --- a/support/contracts.html +++ b/support/contracts.html @@ -15,7 +15,9 @@ OpenSSL Software Services offers three different types of support contract. If you have specific requirements not addressed by any of these plans, - or for more information, discuss custom arrangements. + or for more information, please contact us at + mailto:osf-cont...@openssl.org";>osf-cont...@openssl.org to + discuss custom arrangements. Please see the list of definitions at the bottom of the page for the definitions used below. @@ -25,11 +27,11 @@ Enterprise Level Support Designed for the large enterprise utilising OpenSSL extensively in product lines or critical infrastructure. - Vendor Support + Vendor Support Designed for organisations requiring support of product lines using OpenSSL or for customised in-house versions of OpenSSL. - Basic Support + Basic Support Basic technical support for application development shops or end users. 
@@ -38,102 +40,47 @@ Premium Level Support US$50,000 annually - All technical support requests handled directly by a Designated Responder - 24x7x365 availability - Four Support Administrators - Unlimited Service Requests - Custom patch preparation and creation - OpenSSL FIPS Object Module support included - FIPS validation support + A custom support contract designed to meet the needs of a specific Enterprise customer + Exact costs will depend on the terms of the agreed support contract - The premium support plan is designed for the large enterprise + The premium support plan is intended for the large enterprise using OpenSSL as an essential component of multiple products or product lines or in support of in-house or commercially provided - services. Many prospective Premium Level customers have already - hired individual OpenSSL team members for specific tasks. The - typical large enterprise customer has a capable in-house technical - staff but still finds it cost-effective to engage the world class - talent of OpenSSL authors and maintainers. Customisation of - OpenSSL by prospective Schedule A customers is common, as are - "private label" FIPS 140-2 validations. - Note we don't expect to sell very many of the premium support - plans, but those few customers will receive careful attention for - both immediate problems and long range strategic interests. + services. The typical large enterprise customer has a capable in-house + technical staff but still finds it cost-effective to engage OpenSSL + authors and maintainers directly. Vendor Level Support - US$20,000 annually + US$25,000 annually - Institutional Response with escalation to Designated Responder as appropriate. 
- 12x5 availability - Two Support Administrators + Email response Limit of four Service Requests per month - Custom patch preparation - OpenSSL FIPS Object Module support included - FIPS validation support excluded + Patch preparation + Two Support Administrators This plan is designed for the medium enterprise using OpenSSL for a single product or product line. The prospective Vendor Level Support customer has a proficient technical staff but no specific - expertise in cryptography or OpenSSL. Technical support is - provided for use of the unmodified OpenSSL FIPS Object Module, but - not for validations of derivative software. + expertise in cryptography or Op
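Review bot: the top tier is named and priced inconsistently in the visible part of this patch to support/contracts.html. The summary list calls it "Enterprise Level Support", while the section heading left as context still reads "Premium Level Support US$50,000 annually" and the body says "The premium support plan"; the added line "Exact costs will depend on the terms of the agreed support contract" contradicts a fixed annual figure if that heading stays. Pick one name for the tier and either drop the price or present it as a starting point.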
[openssl-commits] [web] master update
The branch master has been updated via 46b7dc43cbd00b4d6cf275afb544a770a991a2ec (commit) from b966818f2cf7a74e2535e6717f53a603f684fc89 (commit) - Log - commit 46b7dc43cbd00b4d6cf275afb544a770a991a2ec Author: Matt Caswell Date: Tue Aug 21 13:23:58 2018 +0100 Updates to newsflash for the pre9 release Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/70) --- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index 6913436..f1001bd 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +21-Aug-2018: Beta 7 of OpenSSL 1.1.1 (pre release 9) is now available: please download and test it 14-Aug-2018: OpenSSL 1.1.0i is now available, including bug and security fixes 14-Aug-2018: OpenSSL 1.0.2p is now available, including bug and security fixes 20-Jun-2018: Beta 6 of OpenSSL 1.1.1 (pre release 8) is now available: please download and test it _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via b966818f2cf7a74e2535e6717f53a603f684fc89 (commit) via 75e2b7a51f0c104ebfbfecdc49d24e3f5b017581 (commit) from 69f29ba7e9075d3e7cb078a3ee0581665b8ce0bd (commit) - Log - commit b966818f2cf7a74e2535e6717f53a603f684fc89 Merge: 75e2b7a 69f29ba Author: Mark J. Cox Date: Fri Aug 17 10:21:51 2018 +0100 Merge branch 'master' of git.openssl.org:openssl-web commit 75e2b7a51f0c104ebfbfecdc49d24e3f5b017581 Author: Mark J. Cox Date: Fri Aug 17 10:21:21 2018 +0100 Rearrange to alphabetical order which makes more sense (ack'd by Tim) --- Summary of changes: support/acks.html | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/support/acks.html b/support/acks.html index 4094177..eea4919 100644 --- a/support/acks.html +++ b/support/acks.html @@ -15,7 +15,7 @@ We would like to identify and thank the following such sponsors for their significant support of the OpenSSL project. Sponsors are - listed chronologically within categories. Please note that we ask + listed alphabetically within categories. Please note that we ask permission to identify sponsors and that some sponsors we consider eligible for inclusion here have requested to remain anonymous. @@ -53,15 +53,15 @@ Platinum support: - https://www.netapp.com/";> https://www.bluecedar.com/";> - https://www.vmware.com/";>https://www.huawei.com/";> + https://www.netapp.com/";> https://www.oracle.com/";> - https://www.huawei.com/";>https://www.vmware.com/";> _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 69f29ba7e9075d3e7cb078a3ee0581665b8ce0bd (commit) from 22fe269070986cdb68933423044f4d126a154d0c (commit) - Log - commit 69f29ba7e9075d3e7cb078a3ee0581665b8ce0bd Author: Matt Caswell Date: Tue Aug 14 13:43:06 2018 +0100 Updates for the new releases Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/68) --- Summary of changes: news/newsflash.txt | 2 ++ news/vulnerabilities.xml | 10 +- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/news/newsflash.txt b/news/newsflash.txt index dabc4fa..6913436 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,8 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +14-Aug-2018: OpenSSL 1.1.0i is now available, including bug and security fixes +14-Aug-2018: OpenSSL 1.0.2p is now available, including bug and security fixes 20-Jun-2018: Beta 6 of OpenSSL 1.1.1 (pre release 8) is now available: please download and test it 12-Jun-2018: Security Advisory: one low severity fix 29-May-2018: Beta 5 of OpenSSL 1.1.1 (pre release 7) is now available: please download and test it diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 97f818b..6ef9c56 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,7 @@ - + @@ -36,10 +36,10 @@ - + - + Client side Denial of Service @@ -82,10 +82,10 @@ - + - + Constant time issue _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 22fe269070986cdb68933423044f4d126a154d0c (commit) from 23d754d753ebe6ed6b1ec6e8c9cecd67bdb0c6a1 (commit) - Log - commit 22fe269070986cdb68933423044f4d126a154d0c Author: Rich Salz Date: Tue Aug 14 07:59:18 2018 -0400 Add FIPS FAQ, update FIPS status. --- Summary of changes: docs/faq-5-misc.txt | 7 +++ docs/fips.html | 21 ++--- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/docs/faq-5-misc.txt b/docs/faq-5-misc.txt index f2810e5..006b323 100644 --- a/docs/faq-5-misc.txt +++ b/docs/faq-5-misc.txt @@ -33,6 +33,13 @@ that came with the version of OpenSSL you are using. The pod format documentation is included in each OpenSSL distribution under the docs directory. +* I need a FIPS validated offering + +Please see +@@@https://www.openssl.org/docs/fips.html@@@; the OpenSSL project is no longer +involved in private label validations nor adding platforms to the existing +certificates. + * How can I contact the OpenSSL developers? The README file describes how to submit bug reports and patches to diff --git a/docs/fips.html b/docs/fips.html index 5c9b3ec..7bbce9c 100644 --- a/docs/fips.html +++ b/docs/fips.html @@ -10,7 +10,7 @@ FIPS-140 - The most recent open source based validation of a cryptographic + The current validation of a cryptographic module (Module) compatible with the OpenSSL 1.0.2 is v2.0.16, FIPS 140-2 certificate https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/1747";>#1747. 
@@ -28,6 +28,19 @@ +Neither validation will work with any release other than 1.0.2. +The OpenSSL project is no longer maintaining either the 1747 +or the 2398 module. This includes adding platforms to those +validations. +We are starting work on a new validation, after the 1.1.1 +release completes. +That module will have a small set of validated operational +environments. +The OpenSSL project is no longer involved in private label +validations nor adding platforms to the existing certificates. + + + Here is the complete set of files. Note that if you are interested in the "1747" validation, you only need the three files mentioned above. @@ -68,12 +81,6 @@ source based validated module directly. You must obtain your own validation. - None of the validations will work with OpenSSL 1.1.0 or - later. - - We are starting work on a new validation based on the - upcoming 1.1.1 release. - _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
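Review bot: the paragraph added to docs/fips.html states the same policy twice, first as "This includes adding platforms to those validations" and then as "The OpenSSL project is no longer involved in private label validations nor adding platforms to the existing certificates", and the second sentence is repeated again in the new docs/faq-5-misc.txt entry. Keep the statement once in fips.html and let the FAQ entry only link there, so the two texts cannot drift apart. "We are starting work on a new validation, after the 1.1.1 release completes" also reads better without the comma.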
[openssl-commits] [web] master update
The branch master has been updated via 23d754d753ebe6ed6b1ec6e8c9cecd67bdb0c6a1 (commit) from 556c539ce00cf8242a2d63018638942a21ef2319 (commit) - Log - commit 23d754d753ebe6ed6b1ec6e8c9cecd67bdb0c6a1 Author: Mark J. Cox Date: Tue Aug 14 12:21:00 2018 +0100 Another try at table spacing for donations page --- Summary of changes: support/donations.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/support/donations.html b/support/donations.html index aa5c8c6..1e6d56e 100644 --- a/support/donations.html +++ b/support/donations.html @@ -30,7 +30,7 @@ We provide Acknowledgements for sponsors depending on the level of funding: - + LevelAcknowledgement Exceptional$75,000+/yr _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 556c539ce00cf8242a2d63018638942a21ef2319 (commit) from a696660505f56a54173bb0cf400fd22f0458bc77 (commit) - Log - commit 556c539ce00cf8242a2d63018638942a21ef2319 Author: Mark J. Cox Date: Tue Aug 14 12:19:26 2018 +0100 Make the table look a tiny bit better --- Summary of changes: support/donations.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/support/donations.html b/support/donations.html index 9acfb51..aa5c8c6 100644 --- a/support/donations.html +++ b/support/donations.html @@ -30,7 +30,7 @@ We provide Acknowledgements for sponsors depending on the level of funding: - + LevelAcknowledgement Exceptional$75,000+/yr _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via a696660505f56a54173bb0cf400fd22f0458bc77 (commit) from eb318b531e5f84572847a0cd6e3620396b43dc99 (commit) - Log - commit a696660505f56a54173bb0cf400fd22f0458bc77 Author: Mark J. Cox Date: Tue Aug 14 12:15:30 2018 +0100 Update sponsros and acks page to match reality --- Summary of changes: support/acks.html | 69 +- support/donations.html | 39 ++-- 2 files changed, 71 insertions(+), 37 deletions(-) diff --git a/support/acks.html b/support/acks.html index 5c60a0c..4094177 100644 --- a/support/acks.html +++ b/support/acks.html 
@@ -11,37 +11,70 @@ The OpenSSL project depends on volunteer efforts and financial support from the end user community. That support comes - in the form of donations, contracts, and volunteer contributions. - Since all of these activities support the continued development - and improvement of OpenSSL, we consider all of them to be - sponsors of the OpenSSL project. + in many forms. We would like to identify and thank the following such sponsors - for their past or current significant support of the OpenSSL - project. Except as noted sponsors are listed within categories in - order of overall contribution value. Please note that we ask + for their significant support of the OpenSSL project. Sponsors are + listed chronologically within categories. Please note that we ask permission to identify sponsors and that some sponsors we consider eligible for inclusion here have requested to remain anonymous. + Current Sponsors: + + +.sponsorlogo { +height: 100px !important; +width: 210px !important; +object-fit: contain !important; +object-position: 50% 50% !important; +padding-left: 15px !important; +padding-top: 10px !important; +padding-bottom: 10px !important; +padding-right: 15px !important; +} +.sponsorsection { +background-color: #ff !important; +text-align: center !important; +} + + Exceptional support: - http://www.smartisan.com/";> + + https://www.akamai.com/";> + https://www.smartisan.com/";> + + - Platinum sponsors (listed chronologically). The - sustainable funding provided by these sponsorships allows long term - planning: - http://www.huawei.com/";> - https://www.oracle.com/";> + Platinum support: - - Major support: - https://www.akamai.com/";> + + https://www.netapp.com/";> + https://www.bluecedar.com/";> + https://www.vmware.com/";> + https://www.oracle.com/";> + https://www.huawei.com/";> + + + + + + + diff --git a/support/donations.html b/support/donations.html index 7c320e9..9acfb51 100644 --- a/support/donations.html +++ b/support/donations.html 
@@ -7,11 +7,19 @@ - Donations + Sponsorship and Donations - Your donation to the OpenSSL team will support the ongoing - development activities of the team members. +The OpenSSL project relies on funding to maintain and improve +OpenSSL. +You can support the OpenSSL project financially with the +purchase of a support contract, by a +sponsorship donation, or by hiring OSF for consulting services or +custom software development. + +We do not have a PayPal account. Please do not donate to any +PayPal account claiming to be associated with us! + Please note that the OpenSSL Software Foundation (OSF) is incorporated in the the state of Delaware, United States, @@ -19,20 +27,18 @@ charitable organisation under Section 501(c)(3) of the U.S. Internal Revenue Code. - In addition to direct financial contributions in the form of - donations or sponsorship you may also support the OpenSSL project - financially with the purchase of a -support contract, or by hiring OSF - for consulting services or custom software development. We - consider all sources of funding to be sponsors, because we use all - such funding, whether donations or pay for services rendered, for - the same purpose -- to i
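Review bot: the style block added inline to support/acks.html marks every declaration in `.sponsorlogo` and `.sponsorsection` with `!important`. That usually means the rules are fighting selectors from the shared stylesheet; a more specific selector in inc/screen.css would remove the need for the overrides and keep styling out of the page body, and the four `padding-*` lines collapse to `padding: 10px 15px`. The new intro says sponsors are "listed chronologically", so the order of the logos in the markup has to match that claim. In support/donations.html the context line "incorporated in the the state of Delaware" has a doubled "the" that could be fixed while the paragraph is being touched.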