More OpenSSL security fixes

FanJ · Feb 7, 2023

Thanks @1PW !
(when I was online not all the info was yet available)

OpenSSL Security Advisory [7th February 2023]
https://www.openssl.org/news/secadv/20230207.txt

OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only).
Click to expand...

Read there more!

Also here:
https://mta.openssl.org/pipermail/openssl-announce/2023-February/thread.html

Starting: Tue Feb 7 15:39:59 UTC 2023
Ending: Tue Feb 7 16:32:29 UTC 2023
Messages: 3
•OpenSSL version 1.1.1t published OpenSSL
•OpenSSL version 3.0.8 published OpenSSL
•OpenSSL Security Advisory OpenSSL
Click to expand...

FanJ · Mar 15, 2023

Final version of OpenSSL 3.1.0 - 14 Mar 2023

https://www.openssl.org/news/newslog.html

14-Mar-2023
Final version of OpenSSL 3.1.0 is now available: please download and upgrade!
Click to expand...

OpenSSL 3.1 Series Release Notes
https://www.openssl.org/news/openssl-3.1-notes.html

Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]

- SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
- Performance enhancements and new platform support including new assembler code algorithm implementations.
- Deprecated LHASH statistics functions.
- FIPS 140-3 compliance changes.
Click to expand...

See also:
OpenSSL version 3.1.0 published
https://mta.openssl.org/pipermail/openssl-announce/2023-March/000252.html

FanJ · Mar 29, 2023

OpenSSL 1.1.1 End of Life - 11th September 2023
by Matt Caswell , Mar 28th, 2023
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take.
Click to expand...

OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date.
Click to expand...

If you downloaded your copy of OpenSSL direct from the OpenSSL project then we would strongly encourage you to plan an upgrade to a more recent version before 1.1.1 reaches its EOL date. Our most recent version is OpenSSL 3.1 which will be supported until 14th March 2025. Also available is OpenSSL 3.0 which is an LTS release and will be supported until 7th September 2026. Our migration guide provides some useful information on the issues you should be considering when upgrading.
Click to expand...

Another option is to purchase a premium support contract which offers extended support (i.e. ongoing access to security fixes) for 1.1.1 beyond its public EOL date.
Click to expand...

FanJ · Apr 20, 2023

OpenSSL Security Advisory [20th April 2023]
Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
https://www.openssl.org/news/secadv/20230420.txt

Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
============================================================

Severity: Low

Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM
platform contains a bug that could cause it to read past the input buffer,
leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM
platform can crash in rare circumstances. The AES-XTS algorithm is usually
used for disk encryption.
Click to expand...

OpenSSL versions 3.0.0 to 3.0.8, and 3.1.0 are vulnerable to this issue,
including the FIPS provider in those versions.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.
Click to expand...

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit bc2f61ad (for 3.1) and
commit 02ac9c94 (for 3.0) in the OpenSSL git repository.
Click to expand...

Read there more.

See also https://mta.openssl.org/pipermail/openssl-announce/2023-April/thread.html

FanJ · May 25, 2023

Forthcoming OpenSSL Releases - 30th May 2023

Two messages, for the timeline see also : https://mta.openssl.org/pipermail/openssl-announce/2023-May/thread.html

1.
Tomas Mraz
Wed May 24 04:06:12 UTC 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-May/000258.html

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 3.0.9, 1.1.1u and 1.0.2zh. Note that OpenSSL 1.0.2
is End Of Life and so 1.0.2zh will be available to premium support
customers only.

These releases will be made available on Tuesday 30th May 2023
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
each of these three releases is Moderate
Click to expand...

2.
Matt Caswell
Wed May 24 09:49:13 UTC 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-May/000259.html

To clarify, OpenSSL version 3.1.1 will also be released on Tuesday 30th
May 2023, and is also a security-fix release with the highest severity
issue being Moderate.
Click to expand...

FanJ · May 30, 2023

OpenSSL Security Advisory [30th May 2023]
https://www.openssl.org/news/secadv/20230530.txt

Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
Click to expand...

Severity: Moderate
Click to expand...

Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.
Click to expand...

= More quotes =
OpenSSL 3.0.x and 3.1.x are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 users may be affected by this issue when calling
OBJ_obj2txt() directly.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.9.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.1.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1u.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zh (premium support
customers only).
= end of more quotes =

Read there more!

FanJ · Jul 14, 2023

OpenSSL Security Advisory [14th July 2023]
AES-SIV implementation ignores empty associated data entries (CVE-2023-2975)
https://www.openssl.org/news/secadv/20230714.txt
https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html

"Severity: Low

OpenSSL versions 3.0.0 to 3.0.9, and 3.1.0 to 3.1.1 are vulnerable to this
issue. The FIPS provider is not affected as the AES-SIV algorithm is not
FIPS approved and FIPS provider does not implement it.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue."

"Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 6a83f0c9 (for 3.1) and
commit 00e2f5ee (for 3.0) in the OpenSSL git repository."

FanJ · Jul 20, 2023

FanJ said: ↑

OpenSSL Security Advisory [14th July 2023]
Click to expand...

Update 19th July 2023
https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html

"OpenSSL Security Advisory [19th July 2023]
Excessive time spent checking DH keys and parameters (CVE-2023-3446)"

"Severity: Low
Issue summary: Checking excessively long DH keys or parameters may be very slow."

"Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service."

"The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit fc9867c1 (for 3.1),
commit 1fa20cf2 (for 3.0) and commit 8780a896 (for 1.1.1) in the OpenSSL git
repository. It is available to premium support customer in commit 9a0a4d3c (for
1.0.2)."

FanJ · Jul 27, 2023

Forthcoming OpenSSL Releases --> 1st August 2023

https://mta.openssl.org/pipermail/openssl-announce/2023-July/000266.html

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v.
These releases will be made available on Tuesday 1st August 2023 between
1300-1700 UTC.
These are security-fix releases. The highest severity issue fixed in
each of these three releases is Low
Click to expand...

1PW · Aug 2, 2023

As previously announced in the @FanJ post above, the following OpenSSL branches were updated on 01-August-2023:

1.1.1v

3.0.10

3.1.2

https://www.openssl.org/news/newslog.html

https://www.openssl.org/news/changelog.html

FanJ · Aug 18, 2023

Reminder : OpenSSL 1.1.1 End of Life on 11 September 2023

Carefully read again the article from 28 March 2023 (it was quoted here before):
OpenSSL 1.1.1 End of Life
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

In case you still need and/or want to use the 1.1.1. branch, you have to buy a premium support contract which offers extended support (i.e. ongoing access to security fixes) for 1.1.1 beyond its public EOL date.

For those interested: read that article!

FanJ · Sep 6, 2023

Forthcoming OpenSSL Release - 11 Sep 2023

https://mta.openssl.org/pipermail/openssl-announce/2023-September/000271.html
Matt Caswell - Wed Sep 6 10:54:08 UTC 2023

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.1.1w.

This release will be made available on Monday 11th September 2023
between 1300-1700 UTC.

This will be the final public release in the 1.1.1 series [1]. Ongoing
access to security fixes is available to premium support customers [2].

This is a security-fix release. The highest severity issue fixed in this
release is Low
Click to expand...

FanJ · Sep 11, 2023

OpenSSL version 1.1.1w released

https://mta.openssl.org/pipermail/openssl-announce/2023-September/000274.html
Mon Sep 11 15:06:43 UTC 2023

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.1.1w of our open source toolkit for SSL/TLS.
This is the last public release of OpenSSL 1.1.1. Extended
support is available to premium support customers.

For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-1.1.1-notes.html
Click to expand...

See also:
OpenSSL Security Advisory [8th September 2023]
POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)
https://www.openssl.org/news/secadv/20230908.txt

Severity: Low
Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions.
Click to expand...

Read there more.

FanJ · Sep 17, 2023

Forthcoming OpenSSL Releases - 19 Sep 2023

https://mta.openssl.org/pipermail/openssl-announce/2023-September/000275.html
Tue Sep 12 16:34:47 UTC 2023

The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.1.3 and 3.0.11.

These releases will be made available on Tuesday 19th September 2023
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
each of these two releases is Low
Click to expand...

FanJ · Sep 18, 2023

It was a bit difficult to find what is going to be fixed in versions 3.1.3 and 3.0.11. Or maybe I didn't look good enough.
But I think it is the same vulnerability that was fixed in version 1.1.1w last week.

Look here: https://www.openssl.org/news/vulnerabilities.html
Look there at:
CVE-2023-4807 POLY1305 MAC implementation corrupts XMM registers on Windows [Low severity] 08 September 2023

Now this quote from there:

- Fixed in OpenSSL 3.1.3 (git commit) (Affected since 3.1.0)
- Fixed in OpenSSL 3.0.11 (git commit) (Affected since 3.0.0)
- Fixed in OpenSSL 1.1.1w (git commit) (Affected since 1.1.1)
Click to expand...

FanJ · Sep 19, 2023

OpenSSL version 3.0.11 published
https://mta.openssl.org/pipermail/openssl-announce/2023-September/000276.html
Tue Sep 19 13:55:22 UTC 2023

The OpenSSL project team is pleased to announce the release of
version 3.0.11 of our open source toolkit for SSL/TLS.
Click to expand...

Release Notes:
https://www.openssl.org/news/openssl-3.0-notes.html

Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023]
Fix POLY1305 MAC implementation corrupting XMM registers on Windows ([CVE-2023-4807])
Click to expand...

==========

OpenSSL version 3.1.3 published
https://mta.openssl.org/pipermail/openssl-announce/2023-September/000277.html
Tue Sep 19 13:55:29 UTC 2023

The OpenSSL project team is pleased to announce the release of
version 3.1.3 of our open source toolkit for SSL/TLS.
Click to expand...

Release Notes:
https://www.openssl.org/news/openssl-3.1-notes.html

Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]
Fix POLY1305 MAC implementation corrupting XMM registers on Windows ([CVE-2023-4807])
Click to expand...

Log in or Sign up

More OpenSSL security fixes

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

1PW Registered Member

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Log in or Sign up

More OpenSSL security fixes

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

1PW Registered Member

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Useful Searches