More OpenSSL security fixes

FanJ · Feb 7, 2023

Thanks @1PW !
(when I was online not all the info was yet available)

OpenSSL Security Advisory [7th February 2023]
https://www.openssl.org/news/secadv/20230207.txt

OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only).
Click to expand...

Read there more!

Also here:
https://mta.openssl.org/pipermail/openssl-announce/2023-February/thread.html

Starting: Tue Feb 7 15:39:59 UTC 2023
Ending: Tue Feb 7 16:32:29 UTC 2023
Messages: 3
•OpenSSL version 1.1.1t published OpenSSL
•OpenSSL version 3.0.8 published OpenSSL
•OpenSSL Security Advisory OpenSSL
Click to expand...

FanJ · Mar 15, 2023

Final version of OpenSSL 3.1.0 - 14 Mar 2023

https://www.openssl.org/news/newslog.html

14-Mar-2023
Final version of OpenSSL 3.1.0 is now available: please download and upgrade!
Click to expand...

OpenSSL 3.1 Series Release Notes
https://www.openssl.org/news/openssl-3.1-notes.html

Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]

- SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
- Performance enhancements and new platform support including new assembler code algorithm implementations.
- Deprecated LHASH statistics functions.
- FIPS 140-3 compliance changes.
Click to expand...

See also:
OpenSSL version 3.1.0 published
https://mta.openssl.org/pipermail/openssl-announce/2023-March/000252.html

FanJ · Mar 29, 2023

OpenSSL 1.1.1 End of Life - 11th September 2023
by Matt Caswell , Mar 28th, 2023
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take.
Click to expand...

OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date.
Click to expand...

If you downloaded your copy of OpenSSL direct from the OpenSSL project then we would strongly encourage you to plan an upgrade to a more recent version before 1.1.1 reaches its EOL date. Our most recent version is OpenSSL 3.1 which will be supported until 14th March 2025. Also available is OpenSSL 3.0 which is an LTS release and will be supported until 7th September 2026. Our migration guide provides some useful information on the issues you should be considering when upgrading.
Click to expand...

Another option is to purchase a premium support contract which offers extended support (i.e. ongoing access to security fixes) for 1.1.1 beyond its public EOL date.
Click to expand...

FanJ · Apr 20, 2023

OpenSSL Security Advisory [20th April 2023]
Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
https://www.openssl.org/news/secadv/20230420.txt

Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
============================================================

Severity: Low

Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM
platform contains a bug that could cause it to read past the input buffer,
leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM
platform can crash in rare circumstances. The AES-XTS algorithm is usually
used for disk encryption.
Click to expand...

OpenSSL versions 3.0.0 to 3.0.8, and 3.1.0 are vulnerable to this issue,
including the FIPS provider in those versions.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.
Click to expand...

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit bc2f61ad (for 3.1) and
commit 02ac9c94 (for 3.0) in the OpenSSL git repository.
Click to expand...

Read there more.

See also https://mta.openssl.org/pipermail/openssl-announce/2023-April/thread.html

FanJ · May 25, 2023

Forthcoming OpenSSL Releases - 30th May 2023

Two messages, for the timeline see also : https://mta.openssl.org/pipermail/openssl-announce/2023-May/thread.html

1.
Tomas Mraz
Wed May 24 04:06:12 UTC 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-May/000258.html

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 3.0.9, 1.1.1u and 1.0.2zh. Note that OpenSSL 1.0.2
is End Of Life and so 1.0.2zh will be available to premium support
customers only.

These releases will be made available on Tuesday 30th May 2023
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
each of these three releases is Moderate
Click to expand...

2.
Matt Caswell
Wed May 24 09:49:13 UTC 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-May/000259.html

To clarify, OpenSSL version 3.1.1 will also be released on Tuesday 30th
May 2023, and is also a security-fix release with the highest severity
issue being Moderate.
Click to expand...

FanJ · May 30, 2023 at 11:34 AM

OpenSSL Security Advisory [30th May 2023]
https://www.openssl.org/news/secadv/20230530.txt

Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
Click to expand...

Severity: Moderate
Click to expand...

Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.
Click to expand...

= More quotes =
OpenSSL 3.0.x and 3.1.x are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 users may be affected by this issue when calling
OBJ_obj2txt() directly.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.9.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.1.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1u.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zh (premium support
customers only).
= end of more quotes =

Read there more!

Log in or Sign up

More OpenSSL security fixes

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Log in or Sign up

More OpenSSL security fixes

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Useful Searches