More OpenSSL security fixes

haakon · May 31, 2016

I have a fair understanding of OpenSSL's method, but not so much with its actual gears and pulleys.

I always keep some clients I use updated with the current libraries: libeay32.dll and ssleay32.dl, now at 1.0.2h / 1.0.2.8.

Having no control, of course, on what's used on the server side "out there," I wonder if that does some good or none at all??

summerheat · Jun 1, 2016

haakon said: ↑

FYI for all: this is a really useful extension for Mozilla browsers.
https://github.com/sibiantony/ssleuth
Click to expand...

Indeed. I've been using it for a long time.

ronjor · Sep 19, 2016

OpenSSL to Patch High Severity Vulnerability

By Eduard Kovacs on September 19, 2016
The OpenSSL Project announced on Monday that it will soon release updates that patch several vulnerabilities, including one rated as having “high” severity.
Click to expand...

ronjor · Sep 22, 2016

Over a Dozen Vulnerabilities Patched in OpenSSL

By Eduard Kovacs on September 22, 2016
The OpenSSL Project announced on Thursday that more than a dozen vulnerabilities have been patched in OpenSSL with the release of versions 1.1.0a, 1.0.2i and 1.0.1u.
Click to expand...

Victek · Sep 22, 2016

ronjor said: ↑

Over a Dozen Vulnerabilities Patched in OpenSSL
Click to expand...

Are these patches strictly "server side" or do clients (browsers?) need updating as well?

BoerenkoolMetWorst · Sep 22, 2016

Victek said: ↑

Are these patches strictly "server side" or do clients (browsers?) need updating as well?
Click to expand...

I didn't check but usually some vulnerabilities affect client side as well. The big browsers don't use OpenSSL, but some others do, QupZilla for example.
Also quite a few other softwares on Windows bundle OpenSSL files in their program files folders and don't update them properly. Search your computer for ssleay*.dll and libeay*.dll to find out.

haakon · Sep 22, 2016

Victek said: ↑

Are these patches strictly "server side" or do clients (browsers?) need updating as well?
Click to expand...

That's what I pondered in my post #26 above.

I've just been replacing the two dlls on my systems for years in the age-old trusted "it can't hurt" strategy.

As well, I don't believe they'd be releasing client-side libraries for no reason.

lotuseclat79 · Sep 22, 2016

OpenSSL Security Advisory [22 Sep 2016]

Note: Advisory released by openssl.org.

-- Tom

Palancar · Sep 22, 2016

I can tell you that my Debian systems all updated OpnSSL today. There were some high risk changes that were addressed.

ronjor · Sep 26, 2016

OpenSSL Security Advisory [26 Sep 2016]

This security update addresses issues that were caused by patches
included in our previous security update, released on 22nd September
2016. Given the Critical severity of one of these flaws we have
chosen to release this advisory immediately to prevent upgrades to the
affected version, rather than delaying in order to provide our usual
public pre-notification.
Click to expand...

ronjor · Nov 8, 2016

OpenSSL to Patch High Severity Flaw in Version 1.1.0

By Eduard Kovacs on November 08, 2016
The OpenSSL Project informed users on Monday that it’s preparing a patch for several vulnerabilities affecting version 1.1.0.
OpenSSL version 1.1.0c, which is scheduled for release on November 10 between 12:00 and 16:00 UTC, will address several security holes. The most serious of them has been classified as “high severity” and it does not affect versions prior to 1.1.0.
Click to expand...

ronjor · Nov 10, 2016

High Severity DoS Flaw Patched in OpenSSL

By Eduard Kovacs on November 10, 2016
As announced earlier this week, the OpenSSL Project today released an update for the 1.1.0 branch to address several vulnerabilities, including a high severity denial-of-service (DoS) issue reported by a security expert at Google.
Click to expand...

ronjor · Jan 26, 2017

OpenSSL Patches Four Vulnerabilities

By Eduard Kovacs on January 26, 2017
The OpenSSL Project announced on Thursday the availability of OpenSSL versions 1.1.0d and 1.0.2k, which address a total of four low and moderate severity vulnerabilities.
Click to expand...

ronjor · Feb 16, 2017

High Severity Flaw Patched in OpenSSL 1.1.0

By Eduard Kovacs on February 16, 2017
A high severity denial-of-service (DoS) vulnerability was patched on Thursday in OpenSSL with the release of version 1.1.0e.
Click to expand...

FanJ · Nov 1, 2017

Pre-announcement for the upcoming OpenSSL releases for 02 Nov 2017.

https://mta.openssl.org/pipermail/openssl-announce/2017-October/000104.html

On 30/10/17 13:50, Matt Caswell wrote:
Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0g and 1.0.2m.

These releases will be made available on 2nd November 2017 between approximately 1300-1700 UTC.

This is a bug-fix release. It will also include a fix for the low severity security issue previously published here:
https://www.openssl.org/news/secadv/20170828.txt

Correction: It will additionally include a fix for a moderate level security issue.

Please also note that, as per our previous announcements, support for 1.0.1 ended on 31st December 2016.

Yours

The OpenSSL Project Team
Click to expand...

ronjor · Nov 2, 2017

OpenSSL Patches Flaws Found With Google Fuzzer

By Eduard Kovacs on November 02, 2017
OpenSSL updates released on Thursday patch two low and medium severity vulnerabilities discovered using Google’s open source OSS-Fuzz fuzzing service.
Click to expand...

RockLobster · Nov 2, 2017

That Google fuzzer is a pretty awesome piece of kit, it tests programs with trillions of inputs, to see if any of them cause an unexpected response.

ronjor · Dec 7, 2017

Two Vulnerabilities Patched in OpenSSL

By Eduard Kovacs on December 07, 2017
The OpenSSL Project announced on Thursday the availability of OpenSSL 1.0.2n, a version that patches two vulnerabilities discovered by a Google researcher.
Click to expand...

ronjor · Mar 27, 2018

First OpenSSL Updates in 2018 Patch Three Flaws

By Eduard Kovacs on March 27, 2018
The first round of security updates released in 2018 for OpenSSL patch a total of three vulnerabilities, but none of them appears to be serious.
Click to expand...

ronjor · Dec 12, 2018

Here is a terse log of all OpenSSL announcements. They are almost release notices.

20-Nov-2018
OpenSSL 1.1.1a is now available, including bug and security fixes
20-Nov-2018
OpenSSL 1.1.0j is now available, including bug and security fixes
20-Nov-2018
OpenSSL 1.0.2q is now available, including bug and security fixes
Click to expand...

ronjor · Feb 26, 2019

OpenSSL Security Advisory [26 February 2019]
============================================

0-byte record padding oracle (CVE-2019-1559)
============================================

Severity: Moderate
Click to expand...

https://www.openssl.org/news/secadv/20190226.txt

FanJ · Oct 15, 2019

May I please "revive" this thread.

OpenSSL

Site
https://www.openssl.org/

News
https://www.openssl.org/news/

Newslog
https://www.openssl.org/news/newslog.html

Latest Security Advisory at the moment:
10 September 2019
https://www.openssl.org/news/secadv/20190910.txt

FanJ · Dec 5, 2019

I would like to point to the OpenSSL blog post from 07 Nov 2019 :
Update on 3.0 Development, FIPS and 1.0.2 EOL
https://www.openssl.org/blog/blog/2019/11/07/3.0-update/

IMHO a must read for developers, in particular for those who are using the 1.0.2 version.

Note that as previously announced OpenSSL 1.0.2 will be End Of Life at the end of this year. This means there will not be any further public updates or security fixes to the 1.0.2 branch from then. This gives another strong reason for existing 1.0.2 users to upgrade to 1.1.1 as soon as possible.
Click to expand...

(emphasis by me)

There is a lot more in that blog post.

FanJ · Dec 22, 2019

For those developers still using the 1.0.2 branch :
Version 1.0.2u is available.

https://www.openssl.org/news/vulnerabilities.html

CVE-2019-1551 (OpenSSL advisory) [Low severity] 06 December 2019
Click to expand...

https://www.openssl.org/news/cl102.txt

Changes between 1.0.2t and 1.0.2u [20 Dec 2019]
Click to expand...

Read more at those links.

Once again I would like to point to the EOL of the 1.0.2 branch at the end of 2019

FanJ · Feb 20, 2020

Long Read:
QUIC and OpenSSL - Feb 17th, 2020
https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/

QUIC is a new protocol which the IETF talks about as a UDP-Based Multiplexed and Secure Transport, and has attracted a lot of attention lately. The OpenSSL Management Committee (OMC) have followed the development with interest, and we feel that we owe it to the community to say where we stand on this, and on the inclusion of support for this protocol in our libraries.
Click to expand...

So in conclusion; QUIC is on our minds, but it will not be included in the OpenSSL 3.0 release. We expect more tangible action to happen after we’ve released OpenSSL 3.0.
Click to expand...

Log in or Sign up

More OpenSSL security fixes

haakon Guest

summerheat Registered Member

ronjor Global Moderator

ronjor Global Moderator

Victek Registered Member

BoerenkoolMetWorst Registered Member

haakon Guest

lotuseclat79 Registered Member

Palancar Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

FanJ Updates Team

ronjor Global Moderator

RockLobster Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Log in or Sign up

More OpenSSL security fixes

haakon Guest

summerheat Registered Member

ronjor Global Moderator

ronjor Global Moderator

Victek Registered Member

BoerenkoolMetWorst Registered Member

haakon Guest

lotuseclat79 Registered Member

Palancar Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

FanJ Updates Team

ronjor Global Moderator

RockLobster Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Useful Searches