Additional
analysis was provided by David Benjamin (Google). The fix was developed by
Matt Caswell.
General Advisory Notes
==
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240627.txt
Note: the online version of the advisory may be updated with additional de
c88c3de510 (for 3.2), commit 704f725b96 (for 3.1) and commit b3f0eb0a29
(for 3.0) in the OpenSSL git repository. It is available to premium support
customers in commit f7a045f314 (for 1.1.1).
This issue was reported on 10th April 2024 by William Ahern (Akamai). The fix
was developed by Matt Caswell and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.13 released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.13 of our open sour
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.1.5 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.1.5 of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.2.1 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.2.1 of our open source
repository. It is available to premium support customers in commit
x (for 1.1.1) and in commit
x (for 1.0.2).
This issue was reported on 23rd November 2023 by Bahaa Naamneh (Crosspoint
Labs). The fix was developed by Matt Caswell.
General Advisory Notes
==
URL for this Security
The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.1.4 and 3.0.12.
These releases will be made available on Tuesday 24th October 2023
between 1300-1700 UTC.
These are security-fix releases. The highest severity issue fixed in
each of these two releases is
The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.1.3 and 3.0.11.
These releases will be made available on Tuesday 19th September 2023
between 1300-1700 UTC.
These are security-fix releases. The highest severity issue fixed in
each of these two releas
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.1.1w.
This release will be made available on Monday 11th September 2023
between 1300-1700 UTC.
This will be the final public release in the 1.1.1 series [1]. Ongoing
access to security fixes is avail
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [31st July 2023]
==
Excessive time spent checking DH q parameter value (CVE-2023-3817)
==
Severity: Low
Issue summary
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v.
These releases will be made available on Tuesday 1st August 2023 between
1300-1700 UTC.
These are security-fix releases. The highest severity issue fixed in
each of these thr
To clarify, OpenSSL version 3.1.1 will also be released on Tuesday 30th
May 2023, and is also a security-fix release with the highest severity
issue being Moderate.
Regards
Matt
On 24/05/2023 05:06, Tomas Mraz wrote:
The OpenSSL project team would like to announce the forthcoming release
of
Please see our blog post about the forthcoming End Of Life of OpenSSL
1.1.1 on 11th September 2023:
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
Kind Regards
Matt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.1.0 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.1.0 of our open source
Hello,
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg. Note that OpenSSL 1.0.2
is End Of Life and so 1.0.2zg will be available to premium support
customers only.
These releases will be made available on Tuesday 7th Februa
Please see the new blog post here:
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
We have received a report of a significant regression in the latest
3.0.6 and 1.1.1r versions. The regression is not thought to have
security consequences. While the regression is further investigated we
have taken the decision to withdraw the 3.0.6 and 1.1.1r versions and
instead recommend that
Supercomputing Center. The fix was developed by Matt Caswell.
References
==
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221011.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.6 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.6 of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1r released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1r of our open sour
Hello,
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.6 and 1.1.1r.
These releases will be made available on Tuesday 11th October 2022
between 1300-1700 UTC.
OpenSSL 3.0.6 is a security-fix release. The highest severity issue
fixed in OpenSSL 3.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [21 June 2022]
The c_rehash script allows command injection (CVE-2022-2068)
Severity: Moderate
In addition to the c_reh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.4 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.4 of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1p released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1p of our open sour
s issue was reported to OpenSSL on the 6th April 2022 by Raul Metsma. The fix
was developed by Matt Caswell from OpenSSL.
Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)
=
Severity: Low
The OpenSSL 3.0 implement
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1o released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1o of our open sour
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.3 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.3 of our open source
:
https://www.openssl.org/policies/secpolicy.html#moderate
Yours
The OpenSSL Project Team
On 19/04/2022 20:51, Matt Caswell wrote:
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.3 and 1.1.1o.
These releases will be made available on Tuesday 26th
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.3 and 1.1.1o.
These releases will be made available on Tuesday 26th April 2022
between 1300-1700 UTC.
These are security-fix releases. The highest severity issue
fixed in these releases is MODERATE:
h
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [15 March 2022]
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778)
==
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1n released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1n of our open sour
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.2 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.2 of our open source
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.2 and 1.1.1n.
These releases will be made available on Tuesday 15th March 2022
between 1300-1700 UTC.
These are security-fix releases. The highest severity issue
fixed in these releases is HIGH:
https
OpenSSL 3.0 has recently been designated as a Long Term Support (LTS)
release. This means that it will now be supported until 7th September
2026 (5 years after its initial release).
Our previous LTS release (1.1.1) will continue to be supported until
11th September 2023.
We encourage all use
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [28 January 2022]
===
BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160)
Severity: Moderate
There is a
. Users of this version
should upgrade to OpenSSL 3.0.1.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
This issue was reported to OpenSSL on 29th November 2021 by Tobias Nießen. The
fix was developed by Matt Caswell and Tobias Nießen.
Note
OpenSSL 1.0.2 is out of support and no
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.1 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.1 of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1m released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1m of our open sour
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 1.1.1m and 3.0.1.
These releases will be made available on Tuesday 14th December 2021
between 1300-1700 UTC.
OpenSSL 3.0.1 is a security and bug fix release. The highest severity
issue fixed in this rele
essed before the final release.
This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix
was developed by Matt Caswell.
Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
=
Severity: Moderate
ASN.1 stri
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1l released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1l of our open sour
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL version 1.1.1l.
This release will be made available on Tuesday 24th August 2021
between 1200-1600 UTC.
OpenSSL 1.1.1l is a security-fix release. The highest severity issue
fixed in this release is HIGH:
https://ww
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0 beta 2 released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in beta.
OpenSSL 3.0 beta 2 has now been made available. We
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0 beta 1 released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in beta.
OpenSSL 3.0 beta 1 has now been made available.
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL version 1.1.1k.
This release will be made available on Thursday 25th March 2021
between 1300-1700 UTC.
OpenSSL 1.1.1k is a security-fix release. The highest severity issue
fixed in this release is HIGH:
https://ww
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL version 1.1.1j.
This release will be made available on Tuesday 16th February 2021
between 1300-1700 UTC.
OpenSSL 1.1.1j is a security-fix release. The highest severi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.1.1h.
This release will be made available on Tuesday 22nd September 2020
between 1300-1700 UTC.
OpenSSL 1.1.h is a bug-fix release. There are no CVEs addr
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
The OpenSSL Management Committee are looking to hire a full time
Administrator and Manager. Details of the role can be found here:
https://www.openssl.org/blog/blog/2020/09/05/OpenSSL.ProjectAdminRole/
To apply please send your cover letter and res
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.1.1g.
This release will be made available on Tuesday 21st April 2020 between
1300-1700 UTC.
OpenSSL 1.1.g is a security-fix release. The highest severity i
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.1.1f.
This release will be made available on Tuesday 31st March 2020 between
1200-1600 UTC. This is a bug fix only release.
Yours
The OpenSSL Project Team
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.1.1e.
This release will be made available on Tuesday 17th March 2020 between
1300-1700 UTC. This will contain one LOW severity fix for CVE-2019-1551
previously announced here:
https://www.openssl.org/news/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.0.2u
This release will be made available on Friday 20th December 2019 between
1300-1700 UTC. This will contain one LOW severity fix for CVE-2019-1551
previo
Please take a look at my blog post that gives an update on OpenSSL 3.0
development, FIPS and 1.0.2 EOL:
https://www.openssl.org/blog/blog/2019/11/07/3.0-update/
Matt
On 03/09/2019 17:19, Matt Caswell wrote:
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t.
>
> These releases will be made available on 10th September 2019 between
> approximately 1200-1600 UTC.
>
> T
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t.
These releases will be made available on 10th September 2019 between
approximately 1200-1600 UTC.
These are security fix releases. The highest severity security issue fixed by
th
On 21/05/2019 16:43, Matt Caswell wrote:
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.1.1c, 1.1.0k and 1.0.2s.
>
> These releases will be made available on 28th May 2019 between approximately
> 1200-1600 UTC.
>
> Open
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1c, 1.1.0k and 1.0.2s.
These releases will be made available on 28th May 2019 between approximately
1200-1600 UTC.
OpenSSL 1.1.0k and 1.0.2s contain security hardening bug fixes only but do not
address
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1b and 1.0.2r. There will be no new 1.1.0 release at
this time.
These releases will be made available on 26th February 2019 between
approximately 1300-1700 UTC.
OpenSSL 1.0.2r is a security-fix releas
Please see my blog post for an OpenSSL 3.0 and FIPS Update:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
Matt
--
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
Please see the following blog post about OpenSSL Versioning and License:
https://www.openssl.org/blog/blog/2018/11/28/version/
Matt
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1a, 1.1.0j and 1.0.2q.
These releases will be made available on 20th November 2018 between
approximately 1300-1700 UTC.
These are bug-fix releases. They also contain the fixes for three LOW
severity se
OpenSSL Security Advisory [12 November 2018]
Microarchitecture timing vulnerability in ECC scalar multiplication
(CVE-2018-5407)
===
Severity: Low
OpenSSL ECC scalar mult
Our new Long Term Support release, OpenSSL 1.1.1, including TLSv1.3, has
been released today. Please download and upgrade!
There is a blog post about the new release and the status of the older
releases here:
https://www.openssl.org/blog/blog/2018/09/11/release111/
Matt
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.0i and 1.0.2p.
These releases will be made available on 14th August 2018 between
approximately 1200-1600 UTC.
These are bug-fix releases. They
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.0h and 1.0.2o.
These releases will be made available on 27th March 2018 between
approximately 1300-1700 UTC.
These are security-fix releases.
Today I have had great pleasure in attending the Real World Crypto 2018
conference in Zürich in order to receive the Levchin prize on behalf of
the OpenSSL team. More details are available in my blog post here:
https://www.openssl.org/blog/blog/2018/01/10/levchin/
Matt
Forthcoming OpenSSL release
===
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.0.2n. There will be no OpenSSL 1.1.0 release at
this time.
This release will be made available on 7th December 2017 between
approximately 1300-1700
On 30/10/17 13:50, Matt Caswell wrote:
> Forthcoming OpenSSL releases
>
>
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.1.0g and 1.0.2m.
>
> These releases will be made available on 2nd
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.0g and 1.0.2m.
These releases will be made available on 2nd November 2017 between
approximately 1300-1700 UTC.
This is a bug-fix release. It w
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2l and 1.1.0f.
These releases will be made available on 25th May 2017 between
approximately 1200-1600 UTC.
Note: These are bug-fix only relea
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Due to an error in the release process the original distribution
downloads were failing to build. New downloads have now been made
available on the website. Corrected checksums are given below.
OpenSSL version 0.9.8zh released
=
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Due to an error in the release process the original distribution
downloads were failing to build. New downloads have now been made
available on the website. Corrected checksums are given below.
OpenSSL version 1.0.0t released
==
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Due to an error in the release process the original distribution
downloads were failing to build. New downloads have now been made
available on the website. Corrected checksums are given below.
OpenSSL version 1.0.1q released
==
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Due to an error in the release process the original distribution
downloads were failing to build. New downloads have now been made
available on the website. Corrected checksums are given below.
OpenSSL version 1.0.2e released
==
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2e, 1.0.1q, 1.0.0t and 0.9.8zh.
These releases will be made available on 3rd December between
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
The OpenSSL Project team would like to announce the publication of our
current plans for the OpenSSL 1.1.0 release timetable. This has been
included in our release strategy available here:
https://www.openssl.org/policies/releasestrat.html
Yours
Th
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg.
These releases will be made available on Thursday 11th June. The
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 16/03/15 19:05, Matt Caswell wrote:
>
> Forthcoming OpenSSL releases
>
> The OpenSSL project team would like to announce the forthcoming
> release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
These releases will be made available on 19th March. They will
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The OpenSSL Project are pleased to make the following announcements:
- - There will be new releases made available on Thursday 15th January for
versions 1.0.1, 1.0.0 and 0.9.8. These will be bug fix only releases to
address build problems with the cur