Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - 13 Sept 2021
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
See also: DST Root CA X3 Expiration (September 2021)
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Read more at those sites!!
OpenSSL 3.0 LTS - Fri Mar 4 11:04:00 UTC 2022
https://mta.openssl.org/pipermail/openssl-announce/2022-March/000215.html
Edit: whoops, I forgot to give the link
OpenSSL Security Advisory [15 March 2022] https://www.openssl.org/news/vulnerabilities.html#CVE-2022-0778 https://www.openssl.org/news/secadv/20220315.txt
Cybersecurity Vendors Assessing Impact of Recent OpenSSL Vulnerability By Eduard Kovacs on March 31, 2022
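CVE-2022-0778, the issue in the 15 March 2022 advisory linked above, is an infinite loop in BN_mod_sqrt() (the Tonelli-Shanks modular square root) when the modulus it is handed is not prime, reachable by parsing a certificate with crafted elliptic-curve parameters. The following is an added example, not OpenSSL's code, showing the algorithm with the two termination guards a non-prime modulus needs: a bound on the inner search for the exponent i, and a verification of the candidate root before it is returned. NON_RESIDUE_BUDGET is an assumption of this example, not an OpenSSL parameter.

```python
# Added example, not OpenSSL's code: Tonelli-Shanks modular square root with the
# termination guards whose absence made BN_mod_sqrt() loop forever on a
# non-prime modulus (CVE-2022-0778). NON_RESIDUE_BUDGET is an assumption of this
# example, not an OpenSSL parameter.

NON_RESIDUE_BUDGET = 10_000  # cap on the search for a quadratic non-residue


def mod_sqrt(a, p):
    """Return r with r*r % p == a % p, or None if no root was found.

    Terminates for every p, prime or not: both searches are bounded and the
    candidate root is verified before it is returned.
    """
    a %= p
    if a == 0 or p == 2:
        return a
    if p % 2 == 0:
        return None
    # Euler's criterion. It is only an early filter: for composite p it can pass
    # even though the algorithm below cannot succeed, so the final check matters.
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # Quadratic non-residue z. For a prime p the least one is small in practice;
    # the budget keeps a composite p from turning this into a long search.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z >= p or z > NON_RESIDUE_BUDGET:
            return None
    m, c = s, pow(z, q, p)
    t, r = pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # Least i with t**(2**i) == 1. For prime p the order of t divides
        # 2**(m-1), so i < m always holds; for composite p no such i may exist,
        # which is the case an unbounded loop never leaves.
        i, tt = 0, t
        while tt != 1:
            tt = tt * tt % p
            i += 1
            if i >= m:
                return None
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    return r if r * r % p == a else None


if __name__ == "__main__":
    print(mod_sqrt(10, 13))   # a root of 10 mod 13 (6 or 7)
    print(mod_sqrt(69, 85))   # None: 85 is composite, the inner guard fires
```

The composite case is the interesting one: 69 is a square modulo 85 (52*52 = 69 mod 85), and Euler's criterion passes, yet Tonelli-Shanks reaches a state where no i < m satisfies t^(2^i) = 1. Without the `i >= m` guard that inner loop never ends; with it the function refuses, which is the behaviour the patched OpenSSL adopted.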
OpenSSL postponing the releases of 3.0.3 and 1.1.1o planned for today https://mta.openssl.org/pipermail/openssl-announce/2022-April/000221.html Tue Apr 26 12:42:43 UTC 2022
The postponed 3.0.3 and 1.1.1o are now published - 03 May 2022
OpenSSL Security Advisory [03 May 2022] https://www.openssl.org/news/secadv/20220503.txt
OpenSSL version 3.0.3 published https://mta.openssl.org/pipermail/openssl-announce/2022-May/000222.html
OpenSSL version 1.1.1o published https://mta.openssl.org/pipermail/openssl-announce/2022-May/000223.html
OpenSSL Security Advisory [21 June 2022] https://www.openssl.org/news/newslog.html https://www.openssl.org/news/secadv/20220621.txt
OpenSSL Security Advisory [05 July 2022] - one high and one moderate severity fix
https://www.openssl.org/news/newslog.html
https://www.openssl.org/news/secadv/20220705.txt

Heap memory corruption with RSA private key operation (CVE-2022-2274)
Severity: High
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
=====
AES OCB fails to encrypt some bytes (CVE-2022-2097)
Severity: MODERATE
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This issue affects versions 1.1.1 and 3.0.
OpenSSL 1.1.1 users should upgrade to 1.1.1q
OpenSSL 3.0 users should upgrade to 3.0.5
PS: For the tech persons interested in the math etc., there is an article from Guido Vranken : Notes on OpenSSL remote memory corruption - June 27, 2022 https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/ (I'm not quoting, sorry; this is for the experts)
Just got the update for Linux Mint 20.3. (but not 1.1.1q)
Code:
  openssl (1.1.1f-1ubuntu2.16) focal-security; urgency=medium
    * SECURITY UPDATE: AES OCB fails to encrypt some bytes
      - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for x86 AES-NI in crypto/aes/asm/aesni-x86.pl.
      - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in test/recipes/30-test_evp_data/evpciph.txt.
      - CVE-2022-2097
Withdrawal of OpenSSL 3.0.6 and 1.1.1r - Matt Caswell - Wed Oct 12 14:23:38 UTC 2022 https://mta.openssl.org/pipermail/openssl-announce/2022-October/000237.html Quoting: "We have received a report of a significant regression in the latest 3.0.6 and 1.1.1r versions. The regression is not thought to have security consequences. While the regression is further investigated we have taken the decision to withdraw the 3.0.6 and 1.1.1r versions and instead recommend that users remain on the previous 3.0.5 and 1.1.1q versions for now. We will issue a new plan for the release of 3.0.7 and 1.1.1s soon."
Forthcoming OpenSSL Releases
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
Please note the word CRITICAL
==========
Forthcoming OpenSSL Bug Fix Release
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000239.html
GlobalSign has put an urgent message on their site about the upcoming critical OpenSSL security fix:
Urgent: Patch OpenSSL on November 1 to avoid “Critical” Security Vulnerability - October 28, 2022
https://www.globalsign.com/en/blog/...ember-1-avoid-critical-security-vulnerability
Read more there.
=====
Cisco article:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a
2022 October 28 Version 1.0: Interim
Thanks Ron! More info also here:
https://mta.openssl.org/pipermail/openssl-announce/2022-November/000243.html
I give one quote because originally the severity was Critical and it has now been downgraded to High:
There is discussion on many internet sites about this.
=====
There were two related issues: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
=====
On github there is this list (I don't know how "accurate" it is though; things might change):
Overview of software (un)affected by vulnerability
https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
==========
Let's not forget that there was also a fix for version 1.1.1:
OpenSSL version 1.1.1s published
https://mta.openssl.org/pipermail/openssl-announce/2022-November/000242.html
There is a blog post by the OpenSSL Security Team explaining the situation - Nov 1st, 2022 3:00 pm CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ Read there more!
Some room-temperature takes on yesterday's not-quite-RCE vulnerabilities in OpenSSL 3.0, and on what there is to learn about safe cryptography engineering. https://words.filippo.io/dispatches/openssl-punycode/
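The two November 2022 issues named in the posts above (CVE-2022-3602, a 4-byte stack overflow, and CVE-2022-3786, an overflow of '.' bytes) sit in OpenSSL 3.0's Punycode decoding, which runs when an X.509 name constraint for an email address is checked against an internationalised domain name. The following is an added example, not OpenSSL's code and not from Filippo's post: an RFC 3492 Punycode decoder that writes into a fixed-capacity buffer and refuses the label rather than exceeding it. `max_out` and `PunycodeError` are this example's names. Python's own `str.encode('punycode')` / `bytes.decode('punycode')` can be used to cross-check the decoded labels.

```python
# Added example, not OpenSSL's code: an RFC 3492 Punycode decoder that writes
# into a fixed-capacity buffer (max_out code points, a parameter of this
# example) and refuses the label instead of growing past it. The capacity check
# sits immediately before the insertion, so the decoded length can never exceed
# the buffer the caller reserved.

BASE, TMIN, TMAX, SKEW, DAMP = 36, 1, 26, 38, 700
INITIAL_BIAS, INITIAL_N = 72, 128


class PunycodeError(ValueError):
    pass


def _adapt(delta, numpoints, firsttime):
    """Bias adaptation from RFC 3492 section 6.1."""
    delta = delta // DAMP if firsttime else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)


def _digit(ch):
    """Base-36 digit value: a-z / A-Z -> 0..25, 0-9 -> 26..35."""
    if "a" <= ch <= "z":
        return ord(ch) - ord("a")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A")
    if "0" <= ch <= "9":
        return ord(ch) - ord("0") + 26
    raise PunycodeError(f"invalid Punycode digit {ch!r}")


def punycode_decode(label, max_out):
    """Decode one Punycode label into at most max_out code points."""
    # Everything before the last '-' is copied through unchanged (basic code points).
    cut = label.rfind("-")
    basic = label[:cut] if cut >= 0 else ""
    if any(ord(ch) >= 0x80 for ch in basic):
        raise PunycodeError("non-ASCII character in basic part")
    if len(basic) > max_out:
        raise PunycodeError("output buffer too small")
    out = list(basic)
    n, bias, i = INITIAL_N, INITIAL_BIAS, 0
    pos = cut + 1 if cut >= 0 else 0
    while pos < len(label):
        # Each delta is a generalised variable-length base-36 integer.
        oldi, w, k = i, 1, BASE
        while True:
            if pos >= len(label):
                raise PunycodeError("truncated delta")
            digit = _digit(label[pos])
            pos += 1
            i += digit * w
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if digit < t:
                break
            w *= BASE - t
            k += BASE
        # Bounds check before the write: the decoder must stop here, not after
        # the insertion has already happened.
        if len(out) >= max_out:
            raise PunycodeError("output buffer too small")
        bias = _adapt(i - oldi, len(out) + 1, oldi == 0)
        n += i // (len(out) + 1)
        i %= len(out) + 1
        if n > 0x10FFFF:
            raise PunycodeError("code point out of range")
        out.insert(i, chr(n))
        i += 1
    return "".join(out)


if __name__ == "__main__":
    print(punycode_decode("bcher-kva", 6))   # bücher
    try:
        punycode_decode("bcher-kva", 5)      # one code point too many for the buffer
    except PunycodeError as e:
        print("rejected:", e)
```

The point of the `max_out` check is its position: a decoder that checks the fill level after inserting has already written past the end by the time it notices. With the check placed before the insertion, a label that would need 6 code points in a 5-slot buffer is rejected with nothing written.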
Qualys blog - Travis Smith, VP, Malware Threat Research, Qualys - November 3, 2022 OpenSSL Vulnerability Recap https://blog.qualys.com/vulnerabilities-threat-research/2022/11/03/openssl-vulnerability-recap Two quotes:
OpenSSL Security Advisory [13 December 2022]
X.509 Policy Constraints Double Locking (CVE-2022-3996)
https://www.openssl.org/news/secadv/20221213.txt
Quoting:
"Severity: Low"
"If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup."
"OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. However due to the low severity of this issue we are not creating a new release at this time. The mitigation for this issue can be found in commit 7725e7bfe."
Read more there.
See also https://mta.openssl.org/pipermail/openssl-announce/2022-December/000246.html
Forthcoming OpenSSL Releases - for 7 February 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html
Quoting:
"The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg. Note that OpenSSL 1.0.2 is End Of Life and so 1.0.2zg will be available to premium support customers only. These releases will be made available on Tuesday 7th February 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is High"
===
Emphasis by me in that quote
Hello All:
The following OpenSSL branches were updated on 07-February-2023.
On a severity scale from “Low” to “Critical”, these updates are deemed “High”.
1.1.1 branch was updated to 1.1.1t
3.0 branch was updated to 3.0.8
Newslog: https://www.openssl.org/news/newslog.html
HTH
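Two things in this thread trip up anyone checking whether a host is patched: the two branches number their releases differently (3.0.x counts up, 1.1.1 and 1.0.2 append letters, so 1.1.1t follows 1.1.1s and 1.0.2zg follows 1.0.2z), and distributions backport fixes without changing the upstream version string, as the Linux Mint post above shows for 1.1.1f-1ubuntu2.16 carrying the CVE-2022-2097 patch. The following is an added example, not OpenSSL's or Ubuntu's code, that parses `openssl version` output, orders both schemes correctly, and falls back to the package changelog when the version alone says "too old". The fix table holds only the upstream versions named in the posts above (CVE-2022-2097: 1.1.1q and 3.0.5; CVE-2022-3602: 3.0.7, 3.0 branch only); the changelog sample is the one quoted in the Linux Mint post.

```python
import re

# Added example, not OpenSSL's or Ubuntu's code. The fix table lists only the
# upstream releases named in this thread; extend it from the advisories.
FIXES = {
    # 05 July 2022 advisory: 1.1.1 -> 1.1.1q, 3.0 -> 3.0.5 (1.0.2 not affected)
    "CVE-2022-2097": {"1.1.1": "1.1.1q", "3.0": "3.0.5"},
    # 01 November 2022 advisory: only the 3.0 branch is affected, fixed in 3.0.7
    "CVE-2022-3602": {"3.0": "3.0.7"},
}

# Sample input: the Ubuntu focal changelog entry quoted in the Linux Mint post.
FOCAL_CHANGELOG = """\
openssl (1.1.1f-1ubuntu2.16) focal-security; urgency=medium
  * SECURITY UPDATE: AES OCB fails to encrypt some bytes
    - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for x86 AES-NI in crypto/aes/asm/aesni-x86.pl.
    - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in test/recipes/30-test_evp_data/evpciph.txt.
    - CVE-2022-2097
"""

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(line):
    """Turn the first line of `openssl version` ('OpenSSL 1.1.1f  31 Mar 2020',
    'OpenSSL 3.0.5 5 Jul 2022') into a comparable tuple (major, minor, patch, letters).
    Letters only occur on the 1.x branches: '' sorts before 'a' and 'zg' after 'z',
    which is the order 1.1.1 < 1.1.1a and 1.0.2z < 1.0.2zg need."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version line: {line!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def branch_of(version):
    """Release branch key: '3.0' for 3.0.x, '1.1.1' or '1.0.2' for the lettered branches."""
    major, minor, patch, _ = version
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{patch}"


def assess(version_line, cve, changelog=""):
    """Classify an installed OpenSSL against the upstream fix for one CVE.

    Distribution packages keep the upstream version string and backport the
    fix, so when the version is below the upstream fix the package changelog
    is searched for the CVE identifier before the build is called vulnerable.
    """
    version = parse_version(version_line)
    fixed = FIXES[cve].get(branch_of(version))
    if fixed is None:
        return "branch not in fix table"
    if version >= parse_version("OpenSSL " + fixed):
        return "fixed upstream"
    if cve in changelog:
        return "fixed by distribution backport"
    return "vulnerable or unverified"


if __name__ == "__main__":
    import subprocess
    line = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    for cve in FIXES:
        print(cve, "->", assess(line, cve))
```

On a Debian or Ubuntu host the changelog to pass in is `/usr/share/doc/libssl1.1/changelog.Debian.gz` (or the libssl3 equivalent), decompressed; "vulnerable or unverified" means neither the version nor the changelog proves the fix is present, which is the honest answer for a backported build whose changelog you have not read.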