More OpenSSL security fixes

Discussion in 'privacy technology' started by BoerenkoolMetWorst, Aug 7, 2014.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    143,798
    Location:
    Texas
    OpenSSL Releases Security Update 
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    45,245
    Location:
    Germany
    OpenSSL 3.0 Released (September 7, 2021)
    OpenSSL Blog entry
    Newslog
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - 13 Sept 2021
    https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

    See also:
    DST Root CA X3 Expiration (September 2021)
    https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

    Read more at those sites!!
     
  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    OpenSSL 3.0 LTS - Fri Mar 4 11:04:00 UTC 2022
    https://mta.openssl.org/pipermail/openssl-announce/2022-March/000215.html

    Edit: whoops, I forgot to give the link
     
  5. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    OpenSSL Security Advisory [15 March 2022]
    https://www.openssl.org/news/vulnerabilities.html#CVE-2022-0778
    https://www.openssl.org/news/secadv/20220315.txt
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    143,798
    Location:
    Texas
    Cybersecurity Vendors Assessing Impact of Recent OpenSSL Vulnerability
    By Eduard Kovacs on March 31, 2022

     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    OpenSSL postponing the releases of 3.0.3 and 1.1.1o planned for today
    https://mta.openssl.org/pipermail/openssl-announce/2022-April/000221.html
    Tue Apr 26 12:42:43 UTC 2022
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    OpenSSL Security Advisory [21 June 2022]
    https://www.openssl.org/news/newslog.html
    https://www.openssl.org/news/secadv/20220621.txt

     
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    OpenSSL Security Advisory [05 July 2022] - one high and one moderate severity fix
    https://www.openssl.org/news/newslog.html

    https://www.openssl.org/news/secadv/20220705.txt

    Heap memory corruption with RSA private key operation (CVE-2022-2274)
    Severity: High

    The OpenSSL 3.0.4 release introduced a serious bug in the RSA
    implementation for X86_64 CPUs supporting the AVX512IFMA instructions.

    Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.
    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    =====

    AES OCB fails to encrypt some bytes (CVE-2022-2097)
    Severity: MODERATE

    AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
    implementation will not encrypt the entirety of the data under some
    circumstances.

    This issue affects versions 1.1.1 and 3.0.
    OpenSSL 1.1.1 users should upgrade to 1.1.1q
    OpenSSL 3.0 users should upgrade to 3.0.5
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
  12. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    667
    Location:
    The Netherlands
    Just got the update for Linux Mint 20.3. :)
    (but not 1.1.1q)
    Code:
    openssl (1.1.1f-1ubuntu2.16) focal-security; urgency=medium
    
      * SECURITY UPDATE: AES OCB fails to encrypt some bytes
        - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for
          x86 AES-NI in crypto/aes/asm/aesni-x86.pl.
        - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in
          test/recipes/30-test_evp_data/evpciph.txt.
        - CVE-2022-2097
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    Withdrawal of OpenSSL 3.0.6 and 1.1.1r - Matt Caswell - Wed Oct 12 14:23:38 UTC 2022

    https://mta.openssl.org/pipermail/openssl-announce/2022-October/000237.html

    Quoting:

    "We have received a report of a significant regression in the latest
    3.0.6 and 1.1.1r versions. The regression is not thought to have
    security consequences. While the regression is further investigated we
    have taken the decision to withdraw the 3.0.6 and 1.1.1r versions and
    instead recommend that users remain on the previous 3.0.5 and 1.1.1q
    versions for now.

    We will issue a new plan for the release of 3.0.7 and 1.1.1s soon."
     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    Forthcoming OpenSSL Releases

    https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
    Please note the word CRITICAL

    ==========

    Forthcoming OpenSSL Bug Fix Release

    https://mta.openssl.org/pipermail/openssl-announce/2022-October/000239.html
     
  16. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    GlobalSign has put an urgent message on their site about the upcoming critical OpenSSL security fix:
    Urgent: Patch OpenSSL on November 1 to avoid “Critical” Security Vulnerability - October 28, 2022
    https://www.globalsign.com/en/blog/...ember-1-avoid-critical-security-vulnerability

    Read there more.

    =====

    Cisco article:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a
    2022 October 28
    Version 1.0: Interim
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    143,798
    Location:
    Texas
  18. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    Thanks Ron!

    More info also here:
    https://mta.openssl.org/pipermail/openssl-announce/2022-November/000243.html

    I give one quote because original the severity was Critical and has now been downgraded to High:
    There is discussion on many internet sites about this.

    =====

    There were two related issues:
    CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows

    =====

    On github there is this list (I don't know how "accurate" it is though; things might change):
    Overview of software (un)affected by vulnerability
    https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software

    ==========

    Let's not forget that there was also a fix for version 1.1.1 :
    OpenSSL version 1.1.1s published
    https://mta.openssl.org/pipermail/openssl-announce/2022-November/000242.html
     
  19. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    There is a blog post by the OpenSSL Security Team explaining the situation - Nov 1st, 2022 3:00 pm
    CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
    https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

    Read there more!
     
  20. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
  21. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    412
    Location:
    Australia
  22. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    Qualys blog - Travis Smith, VP, Malware Threat Research, Qualys - November 3, 2022
    OpenSSL Vulnerability Recap
    https://blog.qualys.com/vulnerabilities-threat-research/2022/11/03/openssl-vulnerability-recap

    Two quotes:
     
  23. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    OpenSSL Security Advisory [13 December 2022]
    X.509 Policy Constraints Double Locking (CVE-2022-3996)
    https://www.openssl.org/news/secadv/20221213.txt

    Quoting:
    "Severity: Low"

    "If an X.509 certificate contains a malformed policy constraint and
    policy processing is enabled, then a write lock will be taken twice
    recursively. On some operating systems (most widely: Windows) this
    results in a denial of service when the affected process hangs. Policy
    processing being enabled on a publicly facing server is not considered
    to be a common setup."

    "OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. However due
    to the low severity of this issue we are not creating a new release at
    this time. The mitigation for this issue can be found in commit 7725e7bfe."

    Read there more.

    See also https://mta.openssl.org/pipermail/openssl-announce/2022-December/000246.html
     
  24. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,324
    Forthcoming OpenSSL Releases - for 7 February 2023

    https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html

    Quoting:

    "The OpenSSL project team would like to announce the forthcoming release
    of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg. Note that OpenSSL 1.0.2
    is End Of Life and so 1.0.2zg will be available to premium support
    customers only.

    These releases will be made available on Tuesday 7th February 2023
    between 1300-1700 UTC.

    These are security-fix releases. The highest severity issue fixed in
    each of these three releases is High"

    ===

    Emphasis by me in that quote
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.