More OpenSSL security fixes

FanJ · Feb 7, 2023

Thanks @1PW !
(when I was online not all the info was yet available)

OpenSSL Security Advisory [7th February 2023]
https://www.openssl.org/news/secadv/20230207.txt

OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only).
Click to expand...

Read there more!

Also here:
https://mta.openssl.org/pipermail/openssl-announce/2023-February/thread.html

Starting: Tue Feb 7 15:39:59 UTC 2023
Ending: Tue Feb 7 16:32:29 UTC 2023
Messages: 3
•OpenSSL version 1.1.1t published OpenSSL
•OpenSSL version 3.0.8 published OpenSSL
•OpenSSL Security Advisory OpenSSL
Click to expand...

FanJ · Mar 15, 2023

Final version of OpenSSL 3.1.0 - 14 Mar 2023

https://www.openssl.org/news/newslog.html

14-Mar-2023
Final version of OpenSSL 3.1.0 is now available: please download and upgrade!
Click to expand...

OpenSSL 3.1 Series Release Notes
https://www.openssl.org/news/openssl-3.1-notes.html

Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]

- SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
- Performance enhancements and new platform support including new assembler code algorithm implementations.
- Deprecated LHASH statistics functions.
- FIPS 140-3 compliance changes.
Click to expand...

See also:
OpenSSL version 3.1.0 published
https://mta.openssl.org/pipermail/openssl-announce/2023-March/000252.html

FanJ · Mar 29, 2023

OpenSSL 1.1.1 End of Life - 11th September 2023
by Matt Caswell , Mar 28th, 2023
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take.
Click to expand...

OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date.
Click to expand...

If you downloaded your copy of OpenSSL direct from the OpenSSL project then we would strongly encourage you to plan an upgrade to a more recent version before 1.1.1 reaches its EOL date. Our most recent version is OpenSSL 3.1 which will be supported until 14th March 2025. Also available is OpenSSL 3.0 which is an LTS release and will be supported until 7th September 2026. Our migration guide provides some useful information on the issues you should be considering when upgrading.
Click to expand...

Another option is to purchase a premium support contract which offers extended support (i.e. ongoing access to security fixes) for 1.1.1 beyond its public EOL date.
Click to expand...

FanJ · Apr 20, 2023

OpenSSL Security Advisory [20th April 2023]
Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
https://www.openssl.org/news/secadv/20230420.txt

Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
============================================================

Severity: Low

Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM
platform contains a bug that could cause it to read past the input buffer,
leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM
platform can crash in rare circumstances. The AES-XTS algorithm is usually
used for disk encryption.
Click to expand...

OpenSSL versions 3.0.0 to 3.0.8, and 3.1.0 are vulnerable to this issue,
including the FIPS provider in those versions.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.
Click to expand...

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit bc2f61ad (for 3.1) and
commit 02ac9c94 (for 3.0) in the OpenSSL git repository.
Click to expand...

Read there more.

See also https://mta.openssl.org/pipermail/openssl-announce/2023-April/thread.html

FanJ · May 25, 2023

Forthcoming OpenSSL Releases - 30th May 2023

Two messages, for the timeline see also : https://mta.openssl.org/pipermail/openssl-announce/2023-May/thread.html

1.
Tomas Mraz
Wed May 24 04:06:12 UTC 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-May/000258.html

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 3.0.9, 1.1.1u and 1.0.2zh. Note that OpenSSL 1.0.2
is End Of Life and so 1.0.2zh will be available to premium support
customers only.

These releases will be made available on Tuesday 30th May 2023
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
each of these three releases is Moderate
Click to expand...

2.
Matt Caswell
Wed May 24 09:49:13 UTC 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-May/000259.html

To clarify, OpenSSL version 3.1.1 will also be released on Tuesday 30th
May 2023, and is also a security-fix release with the highest severity
issue being Moderate.
Click to expand...

FanJ · May 30, 2023

OpenSSL Security Advisory [30th May 2023]
https://www.openssl.org/news/secadv/20230530.txt

Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
Click to expand...

Severity: Moderate
Click to expand...

Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.
Click to expand...

= More quotes =
OpenSSL 3.0.x and 3.1.x are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 users may be affected by this issue when calling
OBJ_obj2txt() directly.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.9.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.1.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1u.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zh (premium support
customers only).
= end of more quotes =

Read there more!

FanJ · Jul 14, 2023

OpenSSL Security Advisory [14th July 2023]
AES-SIV implementation ignores empty associated data entries (CVE-2023-2975)
https://www.openssl.org/news/secadv/20230714.txt
https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html

"Severity: Low

OpenSSL versions 3.0.0 to 3.0.9, and 3.1.0 to 3.1.1 are vulnerable to this
issue. The FIPS provider is not affected as the AES-SIV algorithm is not
FIPS approved and FIPS provider does not implement it.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue."

"Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 6a83f0c9 (for 3.1) and
commit 00e2f5ee (for 3.0) in the OpenSSL git repository."

FanJ · Jul 20, 2023

FanJ said: ↑

OpenSSL Security Advisory [14th July 2023]
Click to expand...

Update 19th July 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html

"OpenSSL Security Advisory [19th July 2023]
Excessive time spent checking DH keys and parameters (CVE-2023-3446)"

"Severity: Low
Issue summary: Checking excessively long DH keys or parameters may be very slow."

"Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service."

"The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit fc9867c1 (for 3.1),
commit 1fa20cf2 (for 3.0) and commit 8780a896 (for 1.1.1) in the OpenSSL git
repository. It is available to premium support customer in commit 9a0a4d3c (for
1.0.2)."

FanJ · Jul 27, 2023

Forthcoming OpenSSL Releases --> 1st August 2023

https://mta.openssl.org/pipermail/openssl-announce/2023-July/000266.html

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v.
These releases will be made available on Tuesday 1st August 2023 between
1300-1700 UTC.
These are security-fix releases. The highest severity issue fixed in
each of these three releases is Low
Click to expand...

1PW · Aug 2, 2023

As previously announced in the @FanJ post above, the following OpenSSL branches were updated on 01-August-2023:

1.1.1v

3.0.10

3.1.2

https://www.openssl.org/news/newslog.html

https://www.openssl.org/news/changelog.html

FanJ · Aug 18, 2023

Reminder : OpenSSL 1.1.1 End of Life on 11 September 2023

Carefully read again the article from 28 March 2023 (it was quoted here before):
OpenSSL 1.1.1 End of Life
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

In case you still need and/or want to use the 1.1.1. branch, you have to buy a premium support contract which offers extended support (i.e. ongoing access to security fixes) for 1.1.1 beyond its public EOL date.

For those interested: read that article!

FanJ · Sep 6, 2023

Forthcoming OpenSSL Release - 11 Sep 2023

https://mta.openssl.org/pipermail/openssl-announce/2023-September/000271.html
Matt Caswell - Wed Sep 6 10:54:08 UTC 2023

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.1.1w.

This release will be made available on Monday 11th September 2023
between 1300-1700 UTC.

This will be the final public release in the 1.1.1 series [1]. Ongoing
access to security fixes is available to premium support customers [2].

This is a security-fix release. The highest severity issue fixed in this
release is Low
Click to expand...

FanJ · Sep 11, 2023

OpenSSL version 1.1.1w released

https://mta.openssl.org/pipermail/openssl-announce/2023-September/000274.html
Mon Sep 11 15:06:43 UTC 2023

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.1.1w of our open source toolkit for SSL/TLS.
This is the last public release of OpenSSL 1.1.1. Extended
support is available to premium support customers.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-1.1.1-notes.html
Click to expand...

See also:
OpenSSL Security Advisory [8th September 2023]
POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)
https://www.openssl.org/news/secadv/20230908.txt

Severity: Low
Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions.
Click to expand...

Read there more.

FanJ · Sep 17, 2023

Forthcoming OpenSSL Releases - 19 Sep 2023

https://mta.openssl.org/pipermail/openssl-announce/2023-September/000275.html
Tue Sep 12 16:34:47 UTC 2023

The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.1.3 and 3.0.11.

These releases will be made available on Tuesday 19th September 2023
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
each of these two releases is Low
Click to expand...

FanJ · Sep 18, 2023

It was a bit difficult to find what is going to be fixed in versions 3.1.3 and 3.0.11. Or maybe I didn't look good enough.
But I think it is the same vulnerability that was fixed in version 1.1.1w last week.

Look here: https://www.openssl.org/news/vulnerabilities.html
Look there at:
CVE-2023-4807 POLY1305 MAC implementation corrupts XMM registers on Windows [Low severity] 08 September 2023

Now this quote from there:

- Fixed in OpenSSL 3.1.3 (git commit) (Affected since 3.1.0)
- Fixed in OpenSSL 3.0.11 (git commit) (Affected since 3.0.0)
- Fixed in OpenSSL 1.1.1w (git commit) (Affected since 1.1.1)
Click to expand...

FanJ · Sep 19, 2023

OpenSSL version 3.0.11 published
https://mta.openssl.org/pipermail/openssl-announce/2023-September/000276.html
Tue Sep 19 13:55:22 UTC 2023

The OpenSSL project team is pleased to announce the release of
version 3.0.11 of our open source toolkit for SSL/TLS.
Click to expand...

Release Notes:
https://www.openssl.org/news/openssl-3.0-notes.html

Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023]
Fix POLY1305 MAC implementation corrupting XMM registers on Windows ([CVE-2023-4807])
Click to expand...

==========

OpenSSL version 3.1.3 published
https://mta.openssl.org/pipermail/openssl-announce/2023-September/000277.html
Tue Sep 19 13:55:29 UTC 2023

The OpenSSL project team is pleased to announce the release of
version 3.1.3 of our open source toolkit for SSL/TLS.
Click to expand...

Release Notes:
https://www.openssl.org/news/openssl-3.1-notes.html

Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]
Fix POLY1305 MAC implementation corrupting XMM registers on Windows ([CVE-2023-4807])
Click to expand...

FanJ · Sep 28, 2023

OpenSSL version 3.2.0-alpha2 published
Thu Sep 28 14:20:45 UTC 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-September/000278.html

OpenSSL 3.2 is currently in alpha.

OpenSSL 3.2 alpha 2 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.
Click to expand...

PS: I'm not sure whether I should post about alpha and beta releases for OpenSSL here.

FanJ · Oct 18, 2023

Upcoming releases
https://mta.openssl.org/pipermail/openssl-announce/2023-October/000279.html
Tue Oct 17 17:48:26 UTC 2023

The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.1.4 and 3.0.12.

These releases will be made available on Tuesday 24th October 2023
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
each of these two releases is Moderate
Click to expand...

FanJ · Oct 24, 2023

OpenSSL Security Advisory - 24th October 2023

Incorrect cipher key & IV length processing (CVE-2023-5363)
https://mta.openssl.org/pipermail/openssl-announce/2023-October/000282.html

Severity: Moderate

OpenSSL 3.1 and 3.0 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.12.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.4.

Note this part:
...For these reasons we expect the probability of an application being
vulnerable to this to be quite low. However if an application is vulnerable then
this issue is considered very serious. For these reasons we have assessed this
issue as Moderate severity overall.

- end quotes -

FanJ · Nov 8, 2023

OpenSSL Security Advisory [6th November 2023]
https://mta.openssl.org/pipermail/openssl-announce/2023-November/000284.html

Severity: Low
Click to expand...

Impact summary: Applications that use the functions DH_generate_key() to
generate an X9.42 DH key may experience long delays. Likewise, applications
that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
Click to expand...

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available.
Click to expand...

FanJ · Nov 23, 2023

OpenSSL Announces Final Release of OpenSSL 3.2.0
Nov 23rd, 2023 2:00 pm
https://www.openssl.org/blog/blog/2023/11/23/OpenSSL32/

We are pleased to announce the immediate availability of OpenSSL 3.2.0. OpenSSL 3.2.0 is the first General Availability release of the OpenSSL 3.2 release line, and incorporates a number of new features, including:
Click to expand...

Read there more for a long list!!

To pick only one new feature:

Support for using the Windows system certificate store as a source of trusted root certificates. This is not yet enabled by default and must be activated using an environment variable. This is likely to become enabled by default in a future feature release.
Click to expand...

===

See also :
Major changes between OpenSSL 3.1 and OpenSSL 3.2.0 [23 Nov 2023]
https://github.com/openssl/openssl/blob/openssl-3.2.0/NEWS.md

OpenSSL 3.2.0 is a feature release adding significant new functionality to OpenSSL.

This release incorporates the following potentially significant or incompatible changes:
Click to expand...

Read there more!!

===

Edited to add

The following known issues are present in this release and will be rectified in a future release:

Provider-based signature algorithms cannot be configured using the SignatureAlgorithms configuration file parameter (#22761)
Click to expand...

FanJ · Dec 1, 2023

Live OpenSSL Providers Workshop: Users Track : Dec 6th and Dec 7th

Kajal Sapkota - Wed Nov 29 15:00:50 UTC 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-November/000286.html

Quoting:

"The long anticipated OpenSSL Providers Workshop is finally here! We have
divided the workshop into two tracks the Users Track and the Authors
Track. Please join us next week for the Live OpenSSL Providers Workshop:
Users Track. Due to world wide interest, we will be hosting two sessions
of the Users Track at different times to allow people from different
time zones to be able to join our workshops live.

The Users Track will cover how to use OpenSSL providers. It will be
split into 3 separate presentations by OpenSSL Engineers. There will be
opportunities to ask questions after each talk, as well as at the end
where there will be an open forum for any questions or feedback not
covered by the individual presentations.

Learn more and register in advance for the workshop here(please choose
the time zone that works best for you):"

Read there more!

FanJ · Dec 6, 2023

Live OpenSSL Providers Workshop: Authors Track : Dec 11th and Dec 12th

Kajal Sapkota - Tue Dec 5 02:25:27 UTC 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-December/000287.html

Quoting:

"Part two of the OpenSSL Providers Workshop is next week! We have divided
the workshop into two tracks the Users Track and the Authors Track.
Please join us next week for the Live OpenSSL Providers Workshop:
Authors Track. We will be hosting two sessions of the Authors Track at
different times to allow people from different time zones to be able to
join our workshops live.

The Author Track will cover how to write your own OpenSSL provider. This
session will assume some basic knowledge about what OpenSSL providers
are and how to use them (such as might be obtained from attending the
“Users Track” session). It will be split into 4 separate presentations
by OpenSSL Engineers. There will be opportunities to ask questions after
each talk, as well as at the end where there will be an open forum for
any questions or feedback not covered by the individual presentations.

Learn more and register in advance for the workshop here(please choose
the time zone that works best for you):"

Read there more!

FanJ · Dec 8, 2023

Anyone here who attended the first track (the Users Track) live?
If so, share your thoughts with us!

BTW for those who missed the first one: it is possible to watch it.
See my previous two postings. Quote from the links:

If you are unable to attend please contact us and we will provide a
recording of the meeting
Click to expand...

FanJ · Jan 9, 2024

OpenSSL Security Advisory - Tue Jan 9 16:39:14 UTC 2024
POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
https://mta.openssl.org/pipermail/openssl-announce/2024-January/000288.html

Severity: Low
Click to expand...

Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC
algorithm is used, the application state might be corrupted with various
application dependent consequences.
Click to expand...

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 5b139f95 (for 3.2),
commit f3fc5808 (for 3.1) and commit 050d263 (for 3.0) in the OpenSSL git
repository.
Click to expand...

Log in or Sign up

More OpenSSL security fixes

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

1PW Registered Member

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Log in or Sign up

More OpenSSL security fixes

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

1PW Registered Member

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Useful Searches