Thanks @1PW! (When I was online, not all the info was available yet.) OpenSSL Security Advisory [7th February 2023] https://www.openssl.org/news/secadv/20230207.txt Read more there! Also here: https://mta.openssl.org/pipermail/openssl-announce/2023-February/thread.html
Final version of OpenSSL 3.1.0 - 14 Mar 2023 https://www.openssl.org/news/newslog.html OpenSSL 3.1 Series Release Notes https://www.openssl.org/news/openssl-3.1-notes.html See also: OpenSSL version 3.1.0 published https://mta.openssl.org/pipermail/openssl-announce/2023-March/000252.html
OpenSSL 1.1.1 End of Life - 11th September 2023 by Matt Caswell, Mar 28th, 2023 https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
OpenSSL Security Advisory [20th April 2023] Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255) https://www.openssl.org/news/secadv/20230420.txt Read more there. See also https://mta.openssl.org/pipermail/openssl-announce/2023-April/thread.html
Forthcoming OpenSSL Releases - 30th May 2023 Two messages, for the timeline see also: https://mta.openssl.org/pipermail/openssl-announce/2023-May/thread.html 1. Tomas Mraz Wed May 24 04:06:12 UTC 2023 https://mta.openssl.org/pipermail/openssl-announce/2023-May/000258.html 2. Matt Caswell Wed May 24 09:49:13 UTC 2023 https://mta.openssl.org/pipermail/openssl-announce/2023-May/000259.html
OpenSSL Security Advisory [30th May 2023] https://www.openssl.org/news/secadv/20230530.txt = More quotes = OpenSSL 3.0.x and 3.1.x are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 users may be affected by this issue when calling OBJ_obj2txt() directly. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.9. OpenSSL 3.1 users should upgrade to OpenSSL 3.1.1. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1u. OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zh (premium support customers only). = end of more quotes = Read more there!
OpenSSL Security Advisory [14th July 2023] AES-SIV implementation ignores empty associated data entries (CVE-2023-2975) https://www.openssl.org/news/secadv/20230714.txt https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html "Severity: Low OpenSSL versions 3.0.0 to 3.0.9, and 3.1.0 to 3.1.1 are vulnerable to this issue. The FIPS provider is not affected as the AES-SIV algorithm is not FIPS approved and FIPS provider does not implement it. OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue." "Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. The fix is also available in commit 6a83f0c9 (for 3.1) and commit 00e2f5ee (for 3.0) in the OpenSSL git repository."
Update 19th July 2023 https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html "OpenSSL Security Advisory [19th July 2023] Excessive time spent checking DH keys and parameters (CVE-2023-3446)" "Severity: Low Issue summary: Checking excessively long DH keys or parameters may be very slow." "Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service." "The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. The fix is also available in commit fc9867c1 (for 3.1), commit 1fa20cf2 (for 3.0) and commit 8780a896 (for 1.1.1) in the OpenSSL git repository. It is available to premium support customer in commit 9a0a4d3c (for 1.0.2)."
Forthcoming OpenSSL Releases --> 1st August 2023 https://mta.openssl.org/pipermail/openssl-announce/2023-July/000266.html
As previously announced in the @FanJ post above, the following OpenSSL branches were updated on 01-August-2023: 1.1.1v 3.0.10 3.1.2 https://www.openssl.org/news/newslog.html https://www.openssl.org/news/changelog.html
Reminder: OpenSSL 1.1.1 End of Life on 11 September 2023 Carefully read again the article from 28 March 2023 (it was quoted here before): OpenSSL 1.1.1 End of Life https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ In case you still need and/or want to use the 1.1.1 branch, you have to buy a premium support contract which offers extended support (i.e. ongoing access to security fixes) for 1.1.1 beyond its public EOL date. For those interested: read that article!
Forthcoming OpenSSL Release - 11 Sep 2023 https://mta.openssl.org/pipermail/openssl-announce/2023-September/000271.html Matt Caswell - Wed Sep 6 10:54:08 UTC 2023
OpenSSL version 1.1.1w released https://mta.openssl.org/pipermail/openssl-announce/2023-September/000274.html Mon Sep 11 15:06:43 UTC 2023 See also: OpenSSL Security Advisory [8th September 2023] POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) https://www.openssl.org/news/secadv/20230908.txt Read more there.
Forthcoming OpenSSL Releases - 19 Sep 2023 https://mta.openssl.org/pipermail/openssl-announce/2023-September/000275.html Tue Sep 12 16:34:47 UTC 2023
It was a bit difficult to find what is going to be fixed in versions 3.1.3 and 3.0.11. Or maybe I didn't look well enough. But I think it is the same vulnerability that was fixed in version 1.1.1w last week. Look here: https://www.openssl.org/news/vulnerabilities.html Look there at: CVE-2023-4807 POLY1305 MAC implementation corrupts XMM registers on Windows [Low severity] 08 September 2023 Now this quote from there:
OpenSSL version 3.0.11 published https://mta.openssl.org/pipermail/openssl-announce/2023-September/000276.html Tue Sep 19 13:55:22 UTC 2023 Release Notes: https://www.openssl.org/news/openssl-3.0-notes.html ========== OpenSSL version 3.1.3 published https://mta.openssl.org/pipermail/openssl-announce/2023-September/000277.html Tue Sep 19 13:55:29 UTC 2023 Release Notes: https://www.openssl.org/news/openssl-3.1-notes.html
OpenSSL version 3.2.0-alpha2 published Thu Sep 28 14:20:45 UTC 2023 https://mta.openssl.org/pipermail/openssl-announce/2023-September/000278.html PS: I'm not sure whether I should post about alpha and beta releases for OpenSSL here.
Upcoming releases https://mta.openssl.org/pipermail/openssl-announce/2023-October/000279.html Tue Oct 17 17:48:26 UTC 2023
OpenSSL Security Advisory - 24th October 2023 Incorrect cipher key & IV length processing (CVE-2023-5363) https://mta.openssl.org/pipermail/openssl-announce/2023-October/000282.html Severity: Moderate OpenSSL 3.1 and 3.0 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.12. OpenSSL 3.1 users should upgrade to OpenSSL 3.1.4. Note this part: ...For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. - end quotes -
OpenSSL Security Advisory [6th November 2023] https://mta.openssl.org/pipermail/openssl-announce/2023-November/000284.html
OpenSSL Announces Final Release of OpenSSL 3.2.0 Nov 23rd, 2023 2:00 pm https://www.openssl.org/blog/blog/2023/11/23/OpenSSL32/ Read more there for a long list!! To pick only one new feature: === See also: Major changes between OpenSSL 3.1 and OpenSSL 3.2.0 [23 Nov 2023] https://github.com/openssl/openssl/blob/openssl-3.2.0/NEWS.md Read more there!! === Edited to add
Live OpenSSL Providers Workshop: Users Track: Dec 6th and Dec 7th Kajal Sapkota - Wed Nov 29 15:00:50 UTC 2023 https://mta.openssl.org/pipermail/openssl-announce/2023-November/000286.html Quoting: "The long anticipated OpenSSL Providers Workshop is finally here! We have divided the workshop into two tracks the Users Track and the Authors Track. Please join us next week for the Live OpenSSL Providers Workshop: Users Track. Due to world wide interest, we will be hosting two sessions of the Users Track at different times to allow people from different time zones to be able to join our workshops live. The Users Track will cover how to use OpenSSL providers. It will be split into 3 separate presentations by OpenSSL Engineers. There will be opportunities to ask questions after each talk, as well as at the end where there will be an open forum for any questions or feedback not covered by the individual presentations. Learn more and register in advance for the workshop here (please choose the time zone that works best for you):" Read more there!
Live OpenSSL Providers Workshop: Authors Track: Dec 11th and Dec 12th Kajal Sapkota - Tue Dec 5 02:25:27 UTC 2023 https://mta.openssl.org/pipermail/openssl-announce/2023-December/000287.html Quoting: "Part two of the OpenSSL Providers Workshop is next week! We have divided the workshop into two tracks the Users Track and the Authors Track. Please join us next week for the Live OpenSSL Providers Workshop: Authors Track. We will be hosting two sessions of the Authors Track at different times to allow people from different time zones to be able to join our workshops live. The Author Track will cover how to write your own OpenSSL provider. This session will assume some basic knowledge about what OpenSSL providers are and how to use them (such as might be obtained from attending the “Users Track” session). It will be split into 4 separate presentations by OpenSSL Engineers. There will be opportunities to ask questions after each talk, as well as at the end where there will be an open forum for any questions or feedback not covered by the individual presentations. Learn more and register in advance for the workshop here (please choose the time zone that works best for you):" Read more there!
Anyone here who attended the first track (the Users Track) live? If so, share your thoughts with us! BTW for those who missed the first one: it is possible to watch it. See my previous two postings. Quote from the links:
OpenSSL Security Advisory - Tue Jan 9 16:39:14 UTC 2024 POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129) https://mta.openssl.org/pipermail/openssl-announce/2024-January/000288.html