More OpenSSL security fixes

FanJ · Jan 15, 2024

OpenSSL Security Advisory [15th January 2024]
Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
https://mta.openssl.org/pipermail/openssl-announce/2024-January/000289.html

Severity: Low
Click to expand...

The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.
OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to
this issue.
OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.
Click to expand...

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 0b0f7abf (for 3.2),
commit a830f551 (for 3.1) and commit 18c02492 (for 3.0) in the OpenSSL git
repository.
Click to expand...

FanJ · Jan 26, 2024

New OpenSSL Releases
By Tomas Mraz - Tue Jan 23 16:26:59 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-January/000291.html

The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.2.1, 3.1.5 and 3.0.13.

We will be also releasing extended support OpenSSL versions 1.0.2zj and
1.1.1x which will be available to premium support customers.

These releases will be made available on Tuesday 30th January 2024
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
each of these releases is Low
Click to expand...

Note by me:
With all due respect, I do prefer the announcements made by Matt Caswell:
OpenSSL Security Advisory
By Matt Caswell - Thu Jan 25 18:43:35 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-January/000292.html

FanJ · Mar 20, 2024

Upcoming Webinar: Writing Your First OpenSSL Application
Tue Mar 19 07:46:07 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-March/000296.html

We are thrilled to announce our upcoming webinar, Writing Your First
OpenSSL Application.

This webinar is designed to take you from an understanding of basic
cryptography concepts to writing your first secure application using
OpenSSL. It's the perfect starting point for anyone looking to dive into
the world of secure application development. Here's what we'll cover:
Click to expand...

*Event Details*

* *Date:* Mar 28, 2024
* *Time:* 09:00 AM Pacific Time (US and Canada)
* *Location:* Online (Zoom)
Click to expand...

Read there more.

FanJ · Mar 20, 2024

OpenSSL version 3.3.0-alpha1 published
Wed Mar 20 13:35:23 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-March/000297.html

OpenSSL 3.3 is currently in alpha.

OpenSSL 3.3 alpha 1 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.
Click to expand...

Read there more.

FanJ · Mar 30, 2024

OpenSSL version 3.3.0-beta1 published
Fri Mar 29 14:58:40 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-March/000298.html

OpenSSL 3.3 beta 1 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.
Click to expand...

Read there more.

FanJ · Apr 8, 2024

OpenSSL Security Advisory
Mon Apr 8 13:59:11 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-April/000299.html

OpenSSL Security Advisory [8th April 2024]

Unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
Click to expand...

Severity: Low
Click to expand...

Issue summary: Some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to trigger
unbounded memory growth that would lead to a Denial of Service
Click to expand...

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS
clients.
Click to expand...

Read there more.

FanJ · Apr 9, 2024

OpenSSL version 3.3.0 published
Tue Apr 9 12:56:00 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-April/000300.html

OpenSSL version 3.3.0 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 3.3.0 of our open source toolkit for SSL/TLS.
For details of the changes, see the release notes at:

https://www.openssl.org/news/openssl-3.3-notes.html

Specific notes on upgrading to OpenSSL 3.3 from previous versions are
available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.3/man7/migration_guide.html
Click to expand...

Read there more!

FanJ · Apr 17, 2024

Upcoming Webinar: Writing a TLS Client
Tue Apr 16 05:37:52 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-April/000301.html

We are pleased to announce our upcoming webinar, Writing a TLS Client.

In this webinar we will cover writing a simple TLS client using the
OpenSSL APIs. The webinar will cover how to write an application that
connects to a server and securely exchanges data using TLS using the
OpenSSL API.
At the end of the webinar we will host a Q&A session, giving you the
opportunity to have your questions answered by OpenSSL developers.

Event Details

* *Date*: April 25, 2024
* *Time*: 09:00 AM Pacific Time (US and Canada)
* *Location*: Online (Zoom)
Click to expand...

Read there more.

FanJ · May 2, 2024

IMPORTANT

Releases Distribution Changes
by Dmitry Misharov - DevOps Engineer -
Thu May 2 07:31:46 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-May/000302.html

I’d like to give you a heads-up about the release distribution changes
we’re making at OpenSSL. The main source of OpenSSL releases will be
OpenSSL GitHub at https://github.com/openssl/openssl. OpenSSL Source at
https://openssl.org/source/ will remain only for backward compatibility and
will redirect to GitHub.
Please read this blog post to get more details
https://openssl.org/blog/blog/2024/04/30/releases-distribution-changes/
Click to expand...

==========
Blogpost
Releases Distribution Changes
https://openssl.org/blog/blog/2024/04/30/releases-distribution-changes/
Posted by Dmitry Misharov •Apr 30th, 2024 4:00 pm

=== Full quoting ===

I’d like to give you a heads-up about some changes we’re making at OpenSSL. We’re simplifying how you can get our software, and that means we’re phasing out some older methods that don’t quite fit with the way the web works today.

We’re no longer using our old ftp, rsync, and git links for distributing OpenSSL. These were great in their day, but it’s time to move on to something better and safer. ftp://ftp.openssl.org and rsync://rsync.openssl.org are not available anymore. As of June 1, 2024, we’re also going to shut down https://ftp.openssl.org and git://git.openssl.org/openssl.git mirrors.

GitHub is becoming the main distributor of the OpenSSL releases. So here is the transition plan. The steps will be spaced in 2-week intervals to gather and respond to any eventual feedback:
•Starting from the next patch release the tarballs will be uploaded only to GitHub, the download link at openssl.org/source will redirect to the corresponding release at github.com.
•One frequently downloaded old release at openssl.org/source will redirect to the corresponding release at github.com.
•All remaining frequently downloaded releases at openssl.org/source will redirect to the corresponding releases at github.com.

Why change things? Well, here are a couple of straightforward reasons:
•Safety first: The web’s come a long way in terms of security, and sticking to HTTPS helps keep everyone safer.
•Keeping it simple: Fewer methods of distribution mean less clutter and confusion, letting us focus on making OpenSSL even better.
•Watching the budget: Streamlining things cuts costs, which means we can spend more on improving OpenSSL and supporting you all.

That being said, the main source of OpenSSL releases will be OpenSSL GitHub. OpenSSL Source will remain only for backward compatibility and will redirect to GitHub.

Thanks so much for sticking with us. These updates will help us keep improving and ensure you have the best and safest experience using OpenSSL.

Cheers!

=== end of quoting ===

FanJ · May 22, 2024

OpenSSL Security Advisory
Excessive time spent checking DSA keys and parameters (CVE-2024-4603)

Thu May 16 16:03:51 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-May/000303.html

Severity: Low
Click to expand...

Issue summary: Checking excessively long DSA keys or parameters may be very
slow.

Impact summary: Applications that use the functions EVP_PKEY_param_check()
or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
experience long delays. Where the key or parameters that are being checked
have been obtained from an untrusted source this may lead to a Denial of
Service.
Click to expand...

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 53ea0648 (for 3.3),
commit da343d06 (for 3.2), commit 9c39b385 (for 3.1) and commit 3559e868
(for 3.0) in the OpenSSL git repository.
Click to expand...

FanJ · May 22, 2024

Upcoming Webinar: Getting Started with QUIC and OpenSSL
Tue May 21 17:45:28 UTC 2024
https://mta.openssl.org/pipermail/openssl-announce/2024-May/000304.html

We are pleased to announce our upcoming webinar, Getting Started with
QUIC and OpenSSL.
In this brief yet comprehensive session, we'll dive into the basics of
QUIC and guide you through implementing a simple client using the QUIC
OpenSSL API. By the end of this webinar, you'll have a solid grasp of
creating a client application that connects to a server and receives
data. Our demo client may be straightforward, but it serves as the
perfect playground to explore and observe the QUIC protocol in action.
Click to expand...

Event Details
* Date: May 30, 2024
* Time: 09:00 AM Pacific Time (US and Canada)
* Location: Online (Zoom)
Click to expand...

Read there more.

FanJ · May 29, 2024

Upcoming New OpenSSL Releases - 4th June 2024

https://mta.openssl.org/pipermail/openssl-announce/2024-May/000305.html

The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.3.1, 3.2.2, 3.1.6 and 3.0.14.

We will be also releasing extended support OpenSSL version
1.1.1y which will be available to premium support customers.

These releases will be made available on Tuesday 4th June 2024
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
each of these releases is Low
Click to expand...

FanJ · Jun 6, 2024

As previously announced here:
https://www.wilderssecurity.com/threads/more-openssl-security-fixes.366904/page-6#post-3197156
Several updates - 04 June 2024

OpenSSL version 3.2.2 published
https://mta.openssl.org/pipermail/openssl-announce/2024-June/000307.html

OpenSSL version 3.3.1 published
https://mta.openssl.org/pipermail/openssl-announce/2024-June/000308.html

OpenSSL version 3.0.14 published
https://mta.openssl.org/pipermail/openssl-announce/2024-June/000309.html

OpenSSL version 3.1.6 published
https://mta.openssl.org/pipermail/openssl-announce/2024-June/000310.html

Read more at those links!

Log in or Sign up

More OpenSSL security fixes

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Log in or Sign up

More OpenSSL security fixes

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Useful Searches