Re: [SECURITY] OpenSSL 0.9.8d and 0.9.7l released
OpenSSL Development Team,

When do you expect that a NIST certified version of AES will be released in OpenSSL? I notice from the NIST reference website of validated AES implementations that version 1.1 FIPS Object Module Library was validated on 7/20/2006. Is this version included in any of the new releases?

Thanks,
Chip Masters

On 9/28/06, Mark J Cox [EMAIL PROTECTED] wrote:
> OpenSSL version 0.9.8d and 0.9.7l released
> [full announcement quoted; see the original message at the end of this thread]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: [SECURITY] OpenSSL 0.9.8d and 0.9.7l released
If AES is a part of the OpenSSL FIPS module validation, then (since the same code is used in the non-validated code) it's pretty much NIST-certified.

-Kyle H

On 10/3/06, Chip Masters [EMAIL PROTECTED] wrote:
> OpenSSL Development Team,
>
> When do you expect that a NIST certified version of AES will be released in OpenSSL? I notice from the NIST reference website of validated AES implementations that version 1.1 FIPS Object Module Library was validated on 7/20/2006. Is this version included in any of the new releases?
>
> Thanks,
> Chip Masters
>
> On 9/28/06, Mark J Cox [EMAIL PROTECTED] wrote:
> > OpenSSL version 0.9.8d and 0.9.7l released
> > [full announcement quoted; see the original message at the end of this thread]

--
-Kyle H
Re: [SECURITY] OpenSSL 0.9.8d and 0.9.7l released
The security advisory only has 3 security issues referenced within it, though it mentions 4 security fixes. Is the fourth one the RSA signature with modulus 3 forgery issue fixed in 0.9.8c and 0.9.7k?

Thanks!
-Kyle H

On 9/28/06, Mark J Cox [EMAIL PROTECTED] wrote:
> OpenSSL version 0.9.8d and 0.9.7l released
> [full announcement quoted; see the original message at the end of this thread]

--
-Kyle H
Re: [SECURITY] OpenSSL 0.9.8d and 0.9.7l released
> The security advisory only has 3 security issues referenced within it, though it mentions 4 security fixes. Is the fourth one the RSA signature with modulus 3 forgery issue fixed in 0.9.8c and 0.9.7k?

No, look closer, the first one (ASN.1 Denial of Service Attacks [yes, plural]) has two advisories, CVE-2006-2937 and CVE-2006-2940. Then obviously there is the buffer overflow (CVE-2006-3738) and the SSLv2 client crash (CVE-2006-4343).

-Brad
Re: [SECURITY] OpenSSL 0.9.8d and 0.9.7l released
Ah, this is what I get for not examining the headings more closely.

Hey, Dr. Steve, have you run the ASN.1 test suite against CryptoAPI? I remember there was a buffer overrun problem in the ASN.1 code therein about a year ago... (I'm also curious, do you know if NISCC's planning on making that test suite publicly available?)

Thanks!
-Kyle H

On 9/29/06, Brad House [EMAIL PROTECTED] wrote:
> > The security advisory only has 3 security issues referenced within it, though it mentions 4 security fixes. Is the fourth one the RSA signature with modulus 3 forgery issue fixed in 0.9.8c and 0.9.7k?
>
> No, look closer, the first one (ASN.1 Denial of Service Attacks [yes, plural]) has two advisories, CVE-2006-2937 and CVE-2006-2940. Then obviously there is the buffer overflow (CVE-2006-3738) and the SSLv2 client crash (CVE-2006-4343).
>
> -Brad

--
-Kyle H
[SECURITY] OpenSSL 0.9.8d and 0.9.7l released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8d and 0.9.7l released
==========================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8d of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release and incorporates changes and bugfixes to the toolkit. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

This release fixes four security vulnerabilities, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343. Please see http://www.openssl.org/news/secadv_20060928.txt

We also release 0.9.7l, which contains the security update and bugfixes compared to 0.9.7k.

We consider OpenSSL 0.9.8d to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.8d is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

For those who want or have to stay with the 0.9.7 series of OpenSSL, we strongly recommend that you upgrade to OpenSSL 0.9.7l as soon as possible. It's available in the same location as 0.9.8d.

The distribution file names are:

  o openssl-0.9.8d.tar.gz
    MD5 checksum:  8ed1853538e1d05a1f5ada61ebf8bffa
    SHA1 checksum: 4136fba00303a3d319d2052bfa8e1f09a2e12fc2

  o openssl-0.9.7l.tar.gz
    MD5 checksum:  b21d6e10817ddeccf5fbe1379987333e
    SHA1 checksum: f0e4136639b10cbd1227c4f7350ff7ad406e575d

The checksums were calculated using the following commands:

  openssl md5 openssl-0.9.*.tar.gz
  openssl sha1 openssl-0.9.*.tar.gz

Yours,
The OpenSSL Project Team...

  Mark J. Cox             Nils Larsch         Ulf Möller
  Ralf S. Engelschall     Ben Laurie          Andy Polyakov
  Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
  Lutz Jänicke            Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
[signature block omitted]
-----END PGP SIGNATURE-----
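Checking a download against the checksums listed above, as an added example that is not part of the announcement or the OpenSSL project's own tooling. It runs the same `openssl md5` / `openssl sha1` commands the announcement used (with a coreutils fallback if no openssl binary is installed), copies the published values verbatim, and checks only the tarballs present in the current directory.

```sh
#!/bin/sh
# Added example: check a downloaded OpenSSL tarball against the MD5 and
# SHA1 values printed in the announcement. Not the project's own script.
set -u

# digest ALGO FILE -> lowercase hex digest of FILE on stdout.
# Uses the same "openssl md5" / "openssl sha1" invocation as the
# announcement; falls back to coreutils when no openssl binary is present.
digest() {
    if command -v openssl >/dev/null 2>&1; then
        # output is "SHA1(file)= <hex>": keep the last field
        openssl "$1" "$2" | awk '{ print tolower($NF) }'
    else
        "${1}sum" "$2" | awk '{ print tolower($1) }'
    fi
}

# verify ALGO FILE EXPECTED -> exit 0 when the digests match, 1 otherwise.
verify() {
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ "$(digest "$1" "$2")" = "$expected" ]
}

# verify_release FILE MD5 SHA1 -> exit 0 only if BOTH published digests
# match; a single mismatch means the download must not be used.
verify_release() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    verify md5 "$1" "$2" || { echo "MD5 mismatch: $1" >&2; return 1; }
    verify sha1 "$1" "$3" || { echo "SHA1 mismatch: $1" >&2; return 1; }
    echo "ok: $1"
}

# Checksum table copied from the announcement above; only tarballs that are
# actually present in the current directory are checked.
check_all() {
    rc=0
    while read -r file md5 sha1; do
        [ -f "$file" ] || continue
        verify_release "$file" "$md5" "$sha1" || rc=1
    done <<EOF
openssl-0.9.8d.tar.gz 8ed1853538e1d05a1f5ada61ebf8bffa 4136fba00303a3d319d2052bfa8e1f09a2e12fc2
openssl-0.9.7l.tar.gz b21d6e10817ddeccf5fbe1379987333e f0e4136639b10cbd1227c4f7350ff7ad406e575d
EOF
    return $rc
}

check_all
```

The checksums confirm only that the tarball matches what the announcement lists; it is the PGP signature on the announcement that ties those values to the project team, so verify that signature as well.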