Re: OpenSSL version 1.1.1n published
On 15/03/2022 21:03, Michael Wojcik wrote: From: openssl-users On Behalf Of Yann Droneaud Sent: Tuesday, 15 March, 2022 14:19 At the time of writing neither https://www.openssl.org/news/openssl-1.1.1-notes.html nor https://www.openssl.org/news/changelog.html#openssl-111 are updated to match 1.1.1n release. Neither have the Newslog (news/newslog.html) nor the Vulnerabilities (news/vulnerabilities) pages. These pages should be ok now too. Normally these are always updated as part of the release process, but something went wrong with a script somewhere. Not sure why... Matt This is not uncommon with new OpenSSL releases. Resources for updating the website are limited, and it's not a priority. I expect they'll be updated within the next few days. (Part of the problem is the same information, in different forms, on multiple pages; that's not ideal for prompt and consistent updates. But overhauling the website would take yet more resources.) openssl-users is a better channel if you want rapid notification, and a paid support contract is better yet.
Re: OpenSSL version 1.1.1n published
Those 2 links should be ok now. A problem with our scripts to flush the CDN cache. Matt On 15/03/2022 20:18, Yann Droneaud wrote: Hi, Le 15/03/2022 à 17:34, Matt Caswell a écrit : OpenSSL version 1.1.1n released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1n of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html At the time of writing neither https://www.openssl.org/news/openssl-1.1.1-notes.html nor https://www.openssl.org/news/changelog.html#openssl-111 are updated to match 1.1.1n release. Any reason ? Regards.
RE: OpenSSL version 1.1.1n published
> From: openssl-users On Behalf Of Yann > Droneaud > Sent: Tuesday, 15 March, 2022 14:19 > > At the time of writing neither > https://www.openssl.org/news/openssl-1.1.1-notes.html nor > https://www.openssl.org/news/changelog.html#openssl-111 are updated to > match 1.1.1n release. Neither have the Newslog (news/newslog.html) nor the Vulnerabilities (news/vulnerabilities) pages. This is not uncommon with new OpenSSL releases. Resources for updating the website are limited, and it's not a priority. I expect they'll be updated within the next few days. (Part of the problem is the same information, in different forms, on multiple pages; that's not ideal for prompt and consistent updates. But overhauling the website would take yet more resources.) openssl-users is a better channel if you want rapid notification, and a paid support contract is better yet. -- Michael Wojcik
Re: OpenSSL version 1.1.1n published
Hi, Le 15/03/2022 à 17:34, Matt Caswell a écrit : OpenSSL version 1.1.1n released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1n of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html At the time of writing neither https://www.openssl.org/news/openssl-1.1.1-notes.html nor https://www.openssl.org/news/changelog.html#openssl-111 are updated to match 1.1.1n release. Any reason ? Regards. -- Yann Droneaud OPTEYA
stunnel 5.63 released
Dear Users, I have released version 5.63 of stunnel. ### Version 5.63, 2022.03.15, urgency: HIGH * Security bugfixes - OpenSSL DLLs updated to version 3.0.2. * New features - Updated stunnel.spec to support bash completion. * Bugfixes - Fixed a PRNG initialization crash (thx to Gleydson Soares). Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: c74c4e15144a3ae34b8b890bb31c909207301490bd1e51bfaaa5ffeb0a994617 stunnel-5.63.tar.gz 723f54c28073f17b1ac095a2ab9922735c69f73fba6144a5c68cc160dc673b10 stunnel-5.63-win64-installer.exe c77850c39dfb42f95d26d4f5830a261a95c3785d8c39bdd9f28764ba43ee1d7d stunnel-5.63-android.zip Best regards, Mike OpenPGP_signature Description: OpenPGP digital signature
OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [15 March 2022] Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778) == Severity: High The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only) OpenSSL 1.1.1 users should upgrade to 1.1.1n OpenSSL 3.0 users should upgrade to 3.0.2 This issue was reported to OpenSSL on the 24th February 2022 by Tavis Ormandy from Google. The fix was developed by David Benjamin from Google and Tomáš Mráz from OpenSSL. Note OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. It is affected by the issue. Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1. References == URL for this Security Advisory: https://www.openssl.org/news/secadv/20220315.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwtOcACgkQ2cTSbQ5g RJGd6wf/VColq7YEnA1dKQvd75ytnFkV8tUhb1uQ9eCjhxk76ASg3QToEar3yDd3 ykGXJZy5oPCl0zG33GORz9Pq8oWjIoCDLfhlTh3aORjWZ9uMkd+RWxVEjxyidgZp 4Rb8p5qSncxJ1EcYLoeUWu/lrDh67q1hDnwGNtNxyzVC0sqxWz++YoFXGJA2OH0m lcYZilUdZ4HLVKmFKEfQGX/xwdvxj3VTaJNjsEI+2h1xysXBN+TpXsEL2yOGx8Cq KzQXnRUrNhsdIQYEAJ7i3HXYmY0wHehTXvBoZsI/2yWiC19WWK8u/qZxdc3Y88v3 JDKNJRCyKGbji+ESZPnWB14yE3yZ0g== =9ROi -END PGP SIGNATURE-
OpenSSL version 1.1.1n published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1n released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1n of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html OpenSSL 1.1.1n is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1n.tar.gz Size: 9850712 SHA1 checksum: 4b0936dd798f60c97c68fc62b73033ecba6dfb0c SHA256 checksum: 40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1n.tar.gz openssl sha256 openssl-1.1.1n.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwpMEACgkQ2cTSbQ5g RJHEZgf+KWdz0hwZ32JMsmgKGLpfMtPBuKEJy6fgYQltp8CBdN5TgJxdlfI50rW4 6NjECRsbkfvl9cz3eMmxpktPoYtvP99vC3gTrHgBf1rvTrlPjDoJhh/nVUI5e7FB MpEg79NzrbK8bnu+2/mIx7IcSVhuKCr5vS5nYxovSbtgBbivr+PErFpq9363DB3O UDhlDCOl/dZh63vtyvEtsXkZlTIY3Je3XX600kqVMgs2Obm8IAT1UkyRkKyYLV6y zWBvl6jkH9j6Aa2bDR0kBLyaiTfTlrVEvO45sQT/EjOa8oWCE6OxeEscJRRGppyD IHFS/t/e7gvlfyoJvxKIbLZJv5mv5w== =+pTj -END PGP SIGNATURE-
OpenSSL version 3.0.2 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0.2 released == OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 3.0.2 of our open source toolkit for SSL/TLS. For details of the changes, see the release notes at: https://www.openssl.org/news/openssl-3.0-notes.html Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here: https://www.openssl.org/docs/man3.0/man7/migration_guide.html OpenSSL 3.0.2 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.2.tar.gz Size: 15038141 SHA1 checksum: c97166014243779a4b1b3613e1fce6087f2e17bc SHA256 checksum: 98e91ccead4d4756ae3c9cde5e09191a8e586d9f4d50838e7ec09d6411dfdb63 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.2.tar.gz openssl sha256 openssl-3.0.2.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwowMACgkQ2cTSbQ5g RJGM7Af+Kx4G/JDh14Djb4NQhnq3pryEv55PTG3MChJBzsEWFhzYc0aXmz6LaPl0 YugY2OT09LRPMTAijoDJ6AVeObS2QAniFpIPS58UnHK5gzoNLmzRpuflp7oeSzv2 lxqtfL36FNfnGhEWJlfG8IYLIeQnjaEw05PY9FWNScCjN7vt9y0OsDxdv9jsOt8q OEw42b/EESSF568E2LQuZRLLf/DL4KQc9F9atGaPjtAldZI+GgQM/rl8hea/xooe BIMWRruhFM5yGP1tx9CC+9los8uvccULtuhni6eI6N9ryu5HBHEdGmRHvjW7ZdkT 946RJUuJjfJ2PgUpO20HxKDAMdjyqQ== =XQgF -END PGP SIGNATURE-