[openssl-dev] Forthcoming OpenSSL releases
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Forthcoming OpenSSL releases The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2g, 1.0.1s. These releases will be made available on 1st March 2016 between approximately 1300-1700 UTC. They will fix several security defects with maximum severity "high". Please see the following page for further details of severity levels: https://www.openssl.org/policies/secpolicy.html Please also note that, as per our previous announcements, support for 1.0.1 will end on 31st December 2016. Yours The OpenSSL Project Team -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBCAAGBQJWzsjbAAoJEAEKUEB8TIy9ukoH/A+KQh0TPuC5CulMeFd4OiGy 7HV9bX/nCe4sKmW5IGYt6GDPFRnhup9WR9Dvz0C/sBjwttsnF+UZOUUfYbDw2liO YG46kiS95zbeU4yYFQwHr9Sf01o89ogEGrxCIlKQiA4aXSZwn9liI0a51y7izWUC xdj2GEgQ/fnVnlN/AyToVmoQxlrphXJx9FigLxTuXi1X6nvSNdEYB1VtOuqjanRu 8sR4UDCWYRZNT0L3as0IEU49X7ncwm5a85NR02SkVimevdbJw0mBT1ru4Zjddo88 oO5xpgSKy2a56xC8yQXURkVPvuFqUpfvyojLwOULUnWHCpnDhzn+ygdko2Pii3o= =XURc -END PGP SIGNATURE- -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] Forthcoming OpenSSL releases
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Forthcoming OpenSSL releases The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2f, 1.0.1r. These releases will be made available on 28th January between approx. 1pm and 5pm (UTC). They will fix two security defects, one of "high" severity affecting 1.0.2 releases, and one "low" severity affecting all releases. Please see the following page for further details of severity levels: https://www.openssl.org/policies/secpolicy.html Please also note that, as per our previous announcements, support for 1.0.0 and 0.9.8 releases ended on 31st December 2015 and are no longer receiving security updates. Support for 1.0.1 will end on 31st December 2016. Yours The OpenSSL Project Team -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBCAAGBQJWpgNkAAoJEAEKUEB8TIy9QcwH/3C7y700FjGjDBcNMcVO++GU 81cs87VqsoziuMSU9Sx8XlDWA8tH5JWXpES4+p9iWdKbks+2E0EahVZVaS5yDaLM LY6MaUM2Pucmrd/I7mvQ02AzzMWEUrFlbk1GtFVjU7IkYc1/ZOZLhjM6H0X8M8lO 5kvqpgWTGV5lMCJdOQLr/eIGIdGTy5Xqerm3Qz/nzvhbwaOu5pjvq0eub8AWbPb3 wwdB4GIKW4XaU7YAJl61o8jNeVoy/kMTfZmZYEefQzXf/1JYO2p8oqCMTIEUrSoN P7sT2d2DpjQvrK3j8MsIPMYUHLhxZt+MJ2+wuOLyznkPTdEIV+ylr6q0I74Wv1Q= =gzHe -END PGP SIGNATURE- ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] Forthcoming OpenSSL releases
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Forthcoming OpenSSL releases The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as high severity. This defect does not affect the 1.0.0 or 0.9.8 releases. Yours The OpenSSL Project Team -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJVmpufAAoJEAEKUEB8TIy9yVAIALIZcV/4IW2ab7ENffcThFcz Wlgr553L2bciqRYU99EK8w+4Peg54lKoVw/5rZOQmL4fZqS9jAV+76PNz1kQX4jM 2+oe+F6Ed9A4GgwYbh69WDzSnnIdImH5aa1ui2AOqsgsT0aCZkups0hexCqKFSCW e5+OlHXA6FXNzsvRUTzcvfQBczakM7Z/7V4pOpTouzCwHQ+O1jriDRuI+8TVaF0w HpFWJ5uTGfY2lP3p1xI/A+11jfoxTd/XW7ljpqybTx7xARzH7tIuWQk+5Qd7DOZP NEdKw1YtPTXOR3MZJc4xShxv5SWFBjqUjmtVkHpF/dFmBWaMWTDYfAMhk/WOyAQ= =yVBV -END PGP SIGNATURE- ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl-announce] Forthcoming OpenSSL releases
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Forthcoming OpenSSL releases The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as high severity. This defect does not affect the 1.0.0 or 0.9.8 releases. Yours The OpenSSL Project Team -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJVmpufAAoJEAEKUEB8TIy9yVAIALIZcV/4IW2ab7ENffcThFcz Wlgr553L2bciqRYU99EK8w+4Peg54lKoVw/5rZOQmL4fZqS9jAV+76PNz1kQX4jM 2+oe+F6Ed9A4GgwYbh69WDzSnnIdImH5aa1ui2AOqsgsT0aCZkups0hexCqKFSCW e5+OlHXA6FXNzsvRUTzcvfQBczakM7Z/7V4pOpTouzCwHQ+O1jriDRuI+8TVaF0w HpFWJ5uTGfY2lP3p1xI/A+11jfoxTd/XW7ljpqybTx7xARzH7tIuWQk+5Qd7DOZP NEdKw1YtPTXOR3MZJc4xShxv5SWFBjqUjmtVkHpF/dFmBWaMWTDYfAMhk/WOyAQ= =yVBV -END PGP SIGNATURE- ___ openssl-announce mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [24 Apr 2012] === ASN1 BIO incomplete fix (CVE-2012-2131) === It was discovered that the fix for CVE-2012-2110 released on 19 Apr 2012 was not sufficient to correct the issue for OpenSSL 0.9.8. Please see http://www.openssl.org/news/secadv_20120419.txt for details of that vulnerability. This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch sufficient to correct CVE-2012-2110. Thanks to Red Hat for discovering and fixing this issue. Affected users should upgrade to 0.9.8w. References == URL for this Security Advisory: http://www.openssl.org/news/secadv_20120424.txt -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iQCVAwUBT5ZV8+6tTP1JpWPZAQIQHwQAvrWr3lRsvFkskFR1apYn/xf0l7cUABGX HUUtmDRQJuYFyK0UMdInvcrZ7W82FhzzuGNLwnwI5b8Ttn4oOwcntM335WMf8d10 O4S7OjJmjpNEM1Lb0Ik9ZQdxJTepuWgG4iNKXtZIMdY8amCC+a0jPcwDzji2RfHP OKUh7LxTI5E= =HggZ -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
OpenSSL 0.9.8h released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 0.9.8h released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8h of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release. For a complete list of changes, please see http://cvs.openssl.org/getfile/openssl/CHANGES?v=1.1238.2.104 Two moderate severity security flaws have been fixed in OpenSSL 0.9.8h. The OpenSSL security team would like to thank Codenomicon for reporting these issues: OpenSSL Server Name extension crash --- Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause it to crash. (CVE-2008-0891). Please note this issue does not affect any other released versions of OpenSSL, and does not affect versions compiled without TLS server name extensions. OpenSSL Omit Server Key Exchange message crash -- Testing using the Codenomicon TLS test suite discovered a flaw if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash. (CVE-2008-1672). Please note this issue does not affect any other released versions of OpenSSL. Users of OpenSSL 0.9.8f or 0.9.8g should update to the OpenSSL 0.9.8h release which contains patches to correct these issues. We consider OpenSSL 0.9.8h to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.8h is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.8h.tar.gz Size: 3439981 MD5 checksum: 7d3d41dafc76cf2fcb5559963b5783b3 SHA1 checksum: ced4f2da24a202e01ea22bef30ebc8aee274de86 The checksums were calculated using the following commands: openssl md5 openssl-0.9.*.tar.gz openssl sha1 openssl-0.9.*.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Nils Larsch Ulf Möller Ralf S. Engelschall Ben Laurie Andy Polyakov Dr. Stephen Henson Richard Levitte Geoff Thorpe Lutz JänickeBodo Möller -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) iQCVAwUBSD0zDu6tTP1JpWPZAQLsDQP/VSBPNnqGy0i+QW/hsU8n+9A1o6DKZISA ctQRYMbsZg4VyQOvdJg++LXI8VJyXJCzfHwtoYPSGaaOq/H4S8Z7DmK6zHW7cpi0 zSAIPaI3XA5lxzrbhADxpuDVVVUkGJA+dxsUpLV1V+lKbrRfZhzBwXyV8jAqdlsE b2DlMZ8v+lg= =0T9U -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[SECURITY] OpenSSL 0.9.8d and 0.9.7l released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 0.9.8d and 0.9.7l released == OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8d of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release and incorporates changes and bugfixes to the toolkit. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES. This release fixes four security vulnerabilities, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343. Please see http://www.openssl.org/news/secadv_20060928.txt We also release 0.9.7l, which contains the security update and bugfixes compared to 0.9.7k. We consider OpenSSL 0.9.8d to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.8d is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ For those who want or have to stay with the 0.9.7 series of OpenSSL, we strongly recommend that you upgrade to OpenSSL 0.9.7l as soon as possible. It's available in the same location as 0.9.8d. The distribution file names are: o openssl-0.9.8d.tar.gz MD5 checksum: 8ed1853538e1d05a1f5ada61ebf8bffa SHA1 checksum: 4136fba00303a3d319d2052bfa8e1f09a2e12fc2 o openssl-0.9.7l.tar.gz MD5 checksum: b21d6e10817ddeccf5fbe1379987333e SHA1 checksum: f0e4136639b10cbd1227c4f7350ff7ad406e575d The checksums were calculated using the following commands: openssl md5 openssl-0.9.*.tar.gz openssl sha1 openssl-0.9.*.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Nils Larsch Ulf Möller Ralf S. Engelschall Ben Laurie Andy Polyakov Dr. Stephen Henson Richard Levitte Geoff Thorpe Lutz JänickeBodo Möller -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (GNU/Linux) iQCVAwUBRRvCTe6tTP1JpWPZAQIRbgP/aIb5s19eiSBrdGpSy36Ce1piAtBfqPPM Bw/j9Y6fWTQYS5z/ZNDnFLmbQw269bR5nYIMT6da5dyKmSt9v6dUJHdQXI7i/gf4 o3JPEZwqRqqz1tyhhBNFMNAx3hV73noLOXUUuak+2Zw9VtKGTb4HoRGGmXq8VUSn zeeX2KgXEwg= =fiHy -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[SECURITY] OpenSSL 0.9.8c and 0.9.7k released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 0.9.8c and 0.9.7k released == OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8c of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release and incorporates changes and bugfixes to the toolkit. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES. This release fixes an important security vulnerability which could allow RSA Signature Forgery, CVE-2006-4339. Please see http://www.openssl.org/news/secadv_20060905.txt We also release 0.9.7k, which contains the security update and bugfixes compared to 0.9.7j. We consider OpenSSL 0.9.8c to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.8c is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ For those who want or have to stay with the 0.9.7 series of OpenSSL, we strongly recommend that you upgrade to OpenSSL 0.9.7k as soon as possible. It's available in the same location as 0.9.8c. The distribution file names are: * openssl-0.9.8c.tar.gz MD5 checksum: 78454bec556bcb4c45129428a766c886 SHA1 checksum: d0798e5c7c4509d96224136198fa44f7f90e001d * openssl-0.9.7k.tar.gz MD5 checksum: be6bba1d67b26eabb48cf1774925416f SHA1 checksum: 90056b8f5e518edc9f74f66784fbdcfd9b784dd2 The checksums were calculated using the following commands: openssl md5 openssl-0.9.*.tar.gz openssl sha1 openssl-0.9.*.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Nils Larsch Ulf Möller Ralf S. Engelschall Ben Laurie Andy Polyakov Dr. Stephen Henson Richard Levitte Geoff Thorpe Lutz JänickeBodo Möller -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (GNU/Linux) iQCVAwUBRP1Enu6tTP1JpWPZAQKUhQP/dBLTKnYVGvNvUYi2mleBNoUn8ISsZsA8 5jfBOzsrR+GnZHdyxU3wqcUBzoteE6robAB5Xz1eVvtQDoSPOor0zQWNTrTOEL7N 3MUbD/xwCv46kfk6OnptUUQ1UK2uA+IV6nxQHx6CDDdDO5wr2D8vBX3Q2JCuPXlf YjbILfKdPaA= =CW+z -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL version 0.9.8a and 0.9.7h released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 0.9.8a and 0.9.7h released == OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8a of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release and incorporates changes and bugfixes to the toolkit. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES. We also release 0.9.7h, which contains the same security bugfix as 0.9.8a and a few small bugfixes compared to 0.9.7g. These updates contain a fix for CAN-2005-2969, a potential SSL 2.0 rollback reported by Yutaka Oiwa. For more details of the security issue being fixed in this release please see http://www.openssl.org/news/secadv_20051011.txt We consider OpenSSL 0.9.8a to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.8a is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ For those who want or have to stay with the 0.9.7 series of OpenSSL, we strongly recommend that you upgrade to OpenSSL 0.9.7h as soon as possible. It's available in the same location as 0.9.8a. The distribution file names are: * openssl-0.9.8a.tar.gz MD5 checksum: 1d16c727c10185e4d694f87f5e424ee1 SHA1 checksum: 2aaba0f728179370fb3e86b43209205bc6c06a3a * openssl-0.9.7h.tar.gz MD5 checksum: 8dc90a113eb8925795071fbe52b2932c SHA1 checksum: 9fe535fce89af967b29c4727dedd25f2b4cc2f0d The checksums were calculated using the following commands: openssl md5 openssl-0.9.*.tar.gz openssl sha1 openssl-0.9.*.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Nils Larsch Ulf Möller Ralf S. Engelschall Ben Laurie Andy Polyakov Dr. Stephen Henson Richard Levitte Geoff Thorpe Lutz JänickeBodo Möller -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (GNU/Linux) iQCVAwUBQ0uaXu6tTP1JpWPZAQKXyAP/V6xGTooFL52d9Ep0qd0DDaZCSHlukk48 DWljg3EY9QF9BfzLVB1BDbLNuHAyYpeAEjvte4kwHV1vWvAoiabV+XMx8kuoRTxi O+8NLOeOc1hilC0hLDYfM+XPq5k9dPiOfQvYpnqiwnr/TnwSBh11D+EEcoZlQToE a6qRMTC3mAM= =bwJD -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
OpenSSL 0.9.7e released
-BEGIN PGP SIGNED MESSAGE- OpenSSL version 0.9.7e released == OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.7e of our open source toolkit for SSL/TLS. This new OpenSSL version is a bugfix release and incorporates changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES ). The most significant changes are: o Fix race condition in CRL checking code. o Fixes to PKCS#7 (S/MIME) code. We consider OpenSSL 0.9.7e to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.7e is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.7e.tar.gz MD5 checksum: a8777164bca38d84e5eb2b1535223474 The checksums were calculated using the following command: openssl md5 openssl-0.9.7e.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Ben Laurie Andy Polyakov Ralf S. Engelschall Richard Levitte Geoff Thorpe Dr. Stephen Henson Bodo Möller Lutz JänickeUlf Möller -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) iQCVAwUBQX0CP+6tTP1JpWPZAQELoAP+IIx6Sx63eQMh9+MdrIPqIXltssJEvAFB eX908DMg3xpH4quEI4AwJauc9ro1rz4t8Oyb9RYbDBLHmqWUVNmCPvQtja+vbSfh z5aYxHL8jsyQwiiSgWpMhW9mSnQKMIFFZjrdNYFsAgx9lhvFhovHKaP3pV/6/qmP SJJPGoBw2ew= =xDxl -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
New OpenSSL releases fix denial of service attacks [17 March 2004]
-BEGIN PGP SIGNED MESSAGE- OpenSSL Security Advisory [17 March 2004] Updated versions of OpenSSL are now available which correct two security issues: 1. Null-pointer assignment during SSL handshake === Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue. All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from 0.9.7a to 0.9.7c inclusive are affected by this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details. 2. Out-of-bounds read affects Kerberos ciphersuites === Stephen Henson discovered a flaw in SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and will therefore be unaffected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to this issue. Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details. Recommendations - --- Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications statically linked to OpenSSL libraries. OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): ftp://ftp.openssl.org/source/ The distribution file names are: o openssl-0.9.7d.tar.gz MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5 o openssl-0.9.6m.tar.gz [normal] MD5 checksum: 1b63bfdca1c37837e9f1623498f9 o openssl-engine-0.9.6m.tar.gz [engine] MD5 checksum: 4c39d2524bd466180f9077f8efddac8c The checksums were calculated using the following command: openssl md5 openssl-0.9*.tar.gz Credits - --- Patches for these issues were created by Dr Stephen Henson ([EMAIL PROTECTED]) of the OpenSSL core team. The OpenSSL team would like to thank Codenomicon for supplying the TLS Test Tool which was used to discover these vulnerabilities, and Joe Orton of Red Hat for performing the majority of the testing. References - -- http://www.codenomicon.com/testtools/tls/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112 URL for this Security Advisory: http://www.openssl.org/news/secadv_20040317.txt -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.3 (GNU/Linux) iQCVAwUBQFhNTO6tTP1JpWPZAQGayAP/TpKP7CKrRR65w5+zr2/Nlw+Cz6UbY0Rd G1Po5mgZjaP4V63d2TD11IvvZLbjeIeGQj7GxKupcYCn2CxI83xjhwM71vsS6rvQ pQZAhM5IVvb4HERbGI0hryO10rd1V+fCTzxfB0pBsG1VtEL2jTULyuWgwsA/z0/j Ez3jSlsbRRA= =wvAZ -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[OpenSSL Advisory] Denial of Service in ASN.1 parsing
-BEGIN PGP SIGNED MESSAGE- OpenSSL Security Advisory [4 November 2003] Denial of Service in ASN.1 parsing == Previously, OpenSSL 0.9.6k was released on the 30 September 2003 to address various ASN.1 issues. The issues were found using a test suite from NISCC (www.niscc.gov.uk) and fixed by Dr Stephen Henson ([EMAIL PROTECTED]) of the OpenSSL core team. Subsequent to that release, Novell Inc. carried out further testing using the NISCC suite. They discovered that there was a denial of service vulnerability in OpenSSL version 0.9.6k when running on a Windows platform. A bug in OpenSSL 0.9.6 would cause certain ASN.1 sequences to trigger a large recursion. On platforms such as Windows this large recursion cannot be handled correctly and so the bug causes OpenSSL to crash. A remote attacker could exploit this flaw if they can send arbitrary ASN.1 sequences which would cause OpenSSL to crash. This could be performed for example by sending a client certificate to a SSL/TLS enabled server which is configured to accept them. We do not believe this issue could be exploited further than a Denial of Service attack. Patches for this issue have been created by Dr Stephen Henson ([EMAIL PROTECTED]) of the OpenSSL core team. Who is affected? - OpenSSL 0.9.6k is affected by the bug, but the denial of service does not affect all platforms. This issue does not affect OpenSSL 0.9.7. Currently only OpenSSL running on Windows platforms is known to crash. Recommendations - --- Upgrade to OpenSSL 0.9.6l or 0.9.7c. Recompile any OpenSSL applications statically linked to OpenSSL libraries. OpenSSL 0.9.6l is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.6l.tar.gz [normal] MD5 checksum: 843a65ddc56634f0e30a4f9474bb5b27 o openssl-engine-0.9.6l.tar.gz [engine] MD5 checksum: dd372198cdf31667f2cb29cd76fbda1c The checksums were calculated using the following command: openssl md5 openssl-0.9.6l.tar.gz openssl md5 openssl-engine-0.9.6l.tar.gz References - -- The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0851 to this issue. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0851 URL for this Security Advisory: http://www.openssl.org/news/secadv_20031104.txt -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iQCVAwUBP6eVw+6tTP1JpWPZAQF2pgP8CXV6at09Nloo7Pyv40m/J3Tbuh224WLE mQ2IARAqnj+gds8MRzQnKQcWaqdnMXOu6ayAULdDZXmQVQYBMQ61lrJiVjaxonyD T8LtSb6Zg2A5ijut7Nsuw7TItOGTfqHPSOMRUwmdcsz2/IpzDPQXcIJt2WU8uHO3 zDd6ZTOpPxY= =jZd3 -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL 0.9.7c and 0.9.6k released
-BEGIN PGP SIGNED MESSAGE- OpenSSL version 0.9.7c and 0.9.6k released == OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.7c of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release and incorporates changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES ). We also release 0.9.6k, which contains the same security bugfix as 0.9.7c and a few more small bugfixes compared to 0.9.6j. For more details of the security issues being fixed in this release please see http://www.openssl.org/news/secadv_20030930.txt The most significant changes are: o Security: fix vulnerabilities in ASN.1 parsing CAN-2003-0543, CAN-2003-0544[0.9.7c 0.9.6k] o Security: fix additional vulnerability in ASN.1 parsing CAN-2003-0545[0.9.7c] o Only accept a client cert if the server requests one[0.9.7c 0.9.6k] o Various S/MIME bug and compatibility fixes [0.9.7c] We consider OpenSSL 0.9.7c to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.7c is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ For those who want or have to stay with the 0.9.6 series of OpenSSL, we strongly recommend that you upgrade to OpenSSL 0.9.6k as soon as possible. It's available in the same location as 0.9.7c. The distribution file name is: o openssl-0.9.7c.tar.gz [normal] MD5 checksum: c54fb36218adaaaba01ef733cd88c8ec o openssl-0.9.6k.tar.gz [normal] MD5 checksum: dee92f648a02e4a7db0507ab3d0769c6 o openssl-engine-0.9.6k.tar.gz [engine] MD5 checksum: 50082758f8e5b3fcf5c26bd032e1739c The checksums were calculated using the following command: openssl md5 openssl-0.9.7c.tar.gz openssl md5 openssl-0.9.6k.tar.gz openssl md5 openssl-engine-0.9.6k.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Ben Laurie Andy Polyakov Ralf S. Engelschall Richard Levitte Geoff Thorpe Dr. Stephen Henson Bodo Möller Lutz JänickeUlf Möller -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iQCVAwUBP3mOMu6tTP1JpWPZAQF13wQApViz8Wz6dfLYAoznQ1Agauh7Hik9mQ06 Wiq0k+Jq8SkMbGlZxauNESdkG6H5g+0uXjwFv+IBIFWlrir3/5N5uzy8ex85r8Tx CW6SOT1P7Rvo1F9dVB1R7QnKFn0GYdIn9uMzma/bzOxhKSnYfpAP2QbIkleJBL+m 87wnyI0icvA= =7K10 -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[OpenSSL Advisory] Vulnerabilities in ASN.1 parsing
-BEGIN PGP SIGNED MESSAGE- OpenSSL Security Advisory [30 September 2003] Vulnerabilities in ASN.1 parsing NISCC (www.niscc.gov.uk) prepared a test suite to check the operation of SSL/TLS software when presented with a wide range of malformed client certificates. Dr Stephen Henson ([EMAIL PROTECTED]) of the OpenSSL core team identified and prepared fixes for a number of vulnerabilities in the OpenSSL ASN1 code when running the test suite. A bug in OpenSSLs SSL/TLS protocol was also identified which causes OpenSSL to parse a client certificate from an SSL/TLS client when it should reject it as a protocol error. Vulnerabilities - --- 1. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. This issue does not affect OpenSSL 0.9.6. 2. Unusual ASN.1 tag values can cause an out of bounds read under certain circumstances, resulting in a denial of service vulnerability. 3. A malformed public key in a certificate will crash the verify code if it is set to ignore public key decoding errors. Public key decode errors are not normally ignored, except for debugging purposes, so this is unlikely to affect production code. Exploitation of an affected application would result in a denial of service vulnerability. 4. Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This by itself is not strictly speaking a vulnerability but it does mean that *all* SSL/TLS servers that use OpenSSL can be attacked using vulnerabilities 1, 2 and 3 even if they don't enable client authentication. Who is affected? - All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay are affected. Any application that makes use of OpenSSL's ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines. Recommendations - --- Upgrade to OpenSSL 0.9.7c or 0.9.6k. Recompile any OpenSSL applications statically linked to OpenSSL libraries. References - -- The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0545 for issue 1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545 and CAN-2003-0543 and CAN-2003-0544 for issue 2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544 URL for this Security Advisory: http://www.openssl.org/news/secadv_20030930.txt -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iQCVAwUBP3mNKu6tTP1JpWPZAQFjPwP/Y8epYBa9oCK69dCT5Y90kg9Ir8pYuv+q x4NxuyhD5JaJfmStwbl3BUSE5juI0mh7d6yFjfI0Ci3sdC+5v10ZOanGwX7o4JlS 3pGSSocAEiYS59qciRLtFsCbBt8jIOCG8KiTmKO2mI5dhAEB9UqPH9e8A1Wy/8un xjGKYbcITrM= =fFTe -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Fix inttypes.h problem
The recent fix in 0.9.6c engine adding inttypes.h for AEP accelerator broke Solaris 2.5.1 and Unixware 7 builds. Joe wrote this patch which compiles on all our build machines. Not tested (but should be okay) on Windows too. Cheers, Mark -- Forwarded message -- Date: Tue, 04 Dec 2001 11:13:41 + From: Joe Orton [EMAIL PROTECTED] Index: openssl-engine-0.9.6c-inttypes.patch === --- ./crypto/engine/vendor_defns/aep.h.itypes Tue Dec 4 10:49:49 2001 +++ ./crypto/engine/vendor_defns/aep.hTue Dec 4 10:51:40 2001 @@ -9,15 +9,6 @@ * */ -#ifdef WIN32 -typedef unsigned __int8 uint8_t; -typedef unsigned __int16 uint16_t; -typedef unsigned __int32 uint32_t; -typedef unsigned __int64 uint64_t; -#else -#include inttypes.h -#endif - /*Successful return value*/ #define AEP_R_OK0x @@ -85,7 +76,7 @@ */ /* an unsigned 8-bit value */ -typedef uint8_t AEP_U8; +typedef unsigned charAEP_U8; /* an unsigned 8-bit character */ typedef char AEP_CHAR; @@ -94,21 +85,16 @@ typedef AEP_U8 AEP_BBOOL; /*Unsigned value, at least 16 bits long*/ -typedef uint16_t AEP_U16; +typedef unsigned short AEP_U16; /* an unsigned value, at least 32 bits long */ -typedef uint32_t AEP_U32; +typedef unsigned int AEP_U32; -/*#if defined(AEP_Win32)*/ -/* 64 bit unsigned value */ -/*typedef unsigned _int64AEP_U64;*/ - -/*#elif defined(AEP_GENERIC)*/ -/* 64 bit unsigned value */ -/*typedef unsigned long long AEP_U64;*/ -/*#endif*/ - -typedef uint64_t AEP_U64; +#ifdef SIXTY_FOUR_BIT_LONG +typedef unsigned longAEP_U64; +#else +typedef unsigned long long AEP_U64; +#endif /* at least 32 bits; each bit is a Boolean flag */ typedef AEP_U32 AEP_FLAGS; @@ -164,11 +150,11 @@ typedef unsigned int t_AEP_OpenConnection(unsigned int *phConnection); typedef unsigned int t_AEP_ModExp(unsigned int hConnection, void *a, void *p, - void *n, void *r,uint64_t *tranid); + void *n, void *r, AEP_U64 *tranid); typedef unsigned int t_AEP_ModExpCrt(unsigned int hConnection,void *a, void *p, void *q, void *dmp1, void *dmq1,void *iqmp, - void *r,uint64_t *tranid); + void *r, AEP_U64 *tranid); typedef unsigned int t_AEP_GenRandom(AEP_CONNECTION_HNDL hConnection, AEP_U32 Len, __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[PATCH] fix make install
Noticed a problem with make install on the 0.9.6c-dev engine branch, might affect other branches too. Mark Index: Makefile.org === RCS file: /e/openssl/cvs/openssl/Makefile.org,v retrieving revision 1.88.2.7.4.7 diff -u -r1.88.2.7.4.7 Makefile.org --- Makefile.org2001/11/15 08:15:02 1.88.2.7.4.7 +++ Makefile.org2001/11/21 11:29:32 @@ -619,7 +619,7 @@ fn=`basename $$i .pod`; \ if [ $$fn = config ]; then sec=5; else sec=1; fi; \ echo installing man$$sec/`basename $$i .pod`.$$sec; \ - (cd `echo $$i | sed -e 's|/[^/]*$||'`; \ + (cd `echo $$i | sed -e 's|/[^/]*$$||'`; \ $(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`) \ $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ @@ -628,7 +628,7 @@ fn=`basename $$i .pod`; \ if [ $$fn = des_modes ]; then sec=7; else sec=3; fi; \ echo installing man$$sec/`basename $$i .pod`.$$sec; \ - (cd `echo $$i | sed -e 's|/[^/]*$||'`; \ + (cd `echo $$i | sed -e 's|/[^/]*$$||'`; \ $(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`) \ $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
SGC obsolete? (Was Re: Exporting (SGC) keys from IIS - OpenSSL)
Having said that SGC might now become obsolete anyway. I think it will take some time for this to happen; we've got to wait for MS and Netscape to release full-strength versions, then wait for everyone to upgrade to them. Theres still a large percentage of people who hit our site with browsers that can't do SGC Mark __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: New U.S. export regs - my opinion
that incorporate become covered by the E.A.R. and must adhere to the U.S. governments decisions on which countries are to be considered ...plus they may change the rules in 120 days :) Mark __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[PATCH] allow certificates in a file to be repeated
I noticed a problem - when the CA list we were loading from a file (standard verify_locations stuff) contained a duplicate certificate all certificates after the duplicate would be ignored. This patch alters X509_load_cert_file() so that if an error occurs looking at one certificate the routine will continue and look for others in the file. Objections? Mark. Index: by_file.c === RCS file: /usr/local/cvsroot-rsync-openssl/openssl/crypto/x509/by_file.c,v retrieving revision 1.1.1.2 diff -u -r1.1.1.2 by_file.c --- by_file.c 1998/12/21 10:55:40 1.1.1.2 +++ by_file.c 1999/04/10 11:20:47 @@ -178,8 +178,12 @@ } } i=X509_STORE_add_cert(ctx-store_ctx,x); - if (!i) goto err; - count++; + /* ignore any problems with current certificate + and continue with the next one */ + if (i) + count++; + else + ERR_clear_error(); X509_free(x); x=NULL; } @@ -194,7 +198,8 @@ goto err; } i=X509_STORE_add_cert(ctx-store_ctx,x); - if (!i) goto err; + if (!i) + ERR_clear_error(); ret=i; } else __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: New Tools Proposal
Actually I didn't found any command line tool able to generate and/or verify PKCS#7 signatures (such as generated by signed forms by Netscape and other tools ...) We've (C2Net) got a set of stand-alone command line programs for PKCS#7 encrypt/decrypt that seem to work well. They need a little tidying but we should be able to submit these to the project. Mark __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: TLSv1 rollback changes
I'm going to delay applying this patch; after applying some connections fail: try openssl -connect www.trustcenter.de:443 [fails] try openssl -connect www.trustcenter.de:443 -no_tls1 [passes] On Sun, 31 Jan 1999, Mark J Cox wrote: In going through our internal code I came across some changes that we should look at putting into OpenSSL. I've attached a large DIFF against the current CVS tree (all changes in the /ssl/ directory). "This patch is a fix so that the version number in the master secret, when passed via RSA, checks that if TLS was proposed, but we roll back to SSLv3 (because the server will not accept higher), that the version number is 0x03,0x01, not 0x03,0x00" It also makes some changes and fixes to the SSL compression code. I didn't commit this to the archive as it is a fairly substantial set of changes that I have not tested completely. Mark __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: TLSv1 rollback changes
Is there likely to be much more of this? Coz the longer its left the harder it gets to incorporate... Yes, there is some more of this; but it is intermingled with C2Net proprietary stuff that I need to extract it from. I tried to break down the changes into a number of distinct self-contained changes that I can apply over time after going through each one. As we know the SSLeay team didn't use CVS so finding out reasons for changes to the code base can only be done by reading every line. The major bits were the BN and SSL bits. There are also some CAST fixes. I presume the diff was made by diffing your internal tree, patching the current one, then diffing again? I'm just worried about accidentally undoing existing changes... This stuff isn't all in our internal tree. But yes, I diffed it against the original SSLeay-0.9.1b we supplied to start out OpenSSL. Then went through those diffs manually to remove anything that shouldn't be there and to tidy them up (removing extra blank lines and stuff, fixing indentation). Then I applied that patch to my copy of the latest CVS tree and used a CVS diff output to again go through the changes. By doing it this way I think it will catch any recent patches and conflicts. Where I've found conflicts (in the BN code) I've gone through the CVS logs to see what people have changed since SSLeay-0.9.1b to make sure they are folded in. I'm not able to test the resultant code thoroughly however, so it may break for people. I was concerned about the ssl changes as they are a fairly major change and have not been part of C2Net products so they've not seen any public testing yet. Mark Mark J Cox, . www.awe.com/~mark Latest news on the Apache Web Server ... www.apacheweek.com __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
