From matt at openssl.org Mon Jun 8 19:32:47 2015 From: matt at openssl.org (Matt Caswell) Date: Mon, 08 Jun 2015 20:32:47 +0100 Subject: [openssl-announce] Forthcoming OpenSSL releases Message-ID: <5575EDDF.1070009@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Forthcoming OpenSSL releases ============================ The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg. These releases will be made available on Thursday 11th June. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as "moderate" severity (see https://www.openssl.org/about/secpolicy.html). Yours The OpenSSL Project Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVde3fAAoJENnE0m0OYESRIokH+QFLMvyyCxztRQGRm54oxOGA WugDkHsonM6meJp8TPqjnSrvk5xmKT1FFL+9lZ/7V/Y/ImhjSkxAp1j3mbA3Drw0 UoDEO59hA2ZuKtLMIIgSRH+BTUIO0wHuVDURiVRBkj0A1shlI21uoRcJFNoAuGMQ 9wymbc5lIkN3OEUYKh5QW/izmdTFEYeNBDSndTO0kg5koymRTf68gCEtQ5sh3zFB Hnmx3rEsEr8NbWxrvHly2rPLcy8TluIe/uiIG3FBF/acyW/4KWFqvf994eCQYenw JG57Hv64TZa7dTmmjBNZgkrN8wM89SEW3pLCRmqkbBfQ12IByJC8dYNR8ieOp9g= =eGiv -----END PGP SIGNATURE----- From openssl at openssl.org Thu Jun 11 14:45:55 2015 From: openssl at openssl.org (OpenSSL) Date: Thu, 11 Jun 2015 14:45:55 +0000 Subject: [openssl-announce] OpenSSL version 0.9.8zg released Message-ID: <20150611144555.GA15788@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 0.9.8zg released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8zg of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-0.9.8-notes.html OpenSSL 0.9.8zg is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.8zg.tar.gz Size: 3826891 MD5 checksum: 0a912b6623ac95a8627ea2bd0e0abf1b SHA1 checksum: a73005583ba8d5edc3bdcc1f99a1e33ee0ed41f8 The checksums were calculated using the following commands: openssl md5 openssl-0.9.8zg.tar.gz openssl sha1 openssl-0.9.8zg.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVeZkpAAoJENnE0m0OYESRzLcIAKhsW3bm1latn1wLoQk0cJEf GQVf9ztRkxivgodycUYhkuGhq2O+djeYHqKMXnedso+KnkgE/FnhTbDkyX6G12bs H17ZMgWOIypjHnwGW6jT1GlH+qb9tlzJYAuqsIEbG+hwE5KIsUrwtjAb1MhUuZFC f11jP5VFf4YXsN681TdyXxlhIdmeImiIDMjsVMGLIZ12zDV6AEJ4LrLkyyaaJxnd cryKY+Ai4AqBW3Mnv/tVddDvUdgmvjyNHBXEyBUkhy8oIpHe33RMLmGyK6w4P6os rTKsQzliZ8FSmBfbrOeFUTfPh/N1POqTcWV4VEBjD7mNZbnk3dHQZ3eFLBz8QGs= =kj2n -----END PGP SIGNATURE----- From openssl at openssl.org Thu Jun 11 14:46:33 2015 From: openssl at openssl.org (OpenSSL) Date: Thu, 11 Jun 2015 14:46:33 +0000 Subject: [openssl-announce] OpenSSL version 1.0.0s released Message-ID: <20150611144633.GA15893@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.0s released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.0s of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.0-notes.html OpenSSL 1.0.0s is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.0s.tar.gz Size: 4102101 MD5 checksum: fe54d58a42c6aa1c7a587378e27072f3 SHA1 checksum: 3df4b9a87c0a37e6fd589360f9d43a6be2252b62 The checksums were calculated using the following commands: openssl md5 openssl-1.0.0s.tar.gz openssl sha1 openssl-1.0.0s.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVeZeTAAoJENnE0m0OYESR/qoIAJRa63Si5UbI8hrJVsTCDAb6 VBfb40NrzOA3x7XpsS1MQxHK9ixPokdhMSHsjAkk4D3tz703I5ig9BDymWr8U2tF 2XvNKm4JBwn8SGfPgI/sy+YgaD0Adzt84eeAek+elPReAdQZGTJ83YFbycs8tSH5 g35JNrEOO8eXADq1WTsM3iqgPt4rXW7RJFQuI4yOtZZA1aqeD+d3WGQTopglt5Az /+CVViskrnlBihRiOZKfEk4qinB0s7TIJPZifPRzDFdhvMqz6VIndYsPmFhgQMSn jkhhwHhNB/NXZyNUGBdrxeq2ySX88ObXFlMvUAHFnj0CpaGuHyA2XIEL3vmHdtg= =8O7B -----END PGP SIGNATURE----- From openssl at openssl.org Thu Jun 11 14:46:51 2015 From: openssl at openssl.org (OpenSSL) Date: Thu, 11 Jun 2015 14:46:51 +0000 Subject: [openssl-announce] OpenSSL version 1.0.1n released Message-ID: <20150611144651.GA15919@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.1n released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1n of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.1-notes.html OpenSSL 1.0.1n is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.1n.tar.gz Size: 4545564 MD5 checksum: 139568bd5a56fa49b72a290d37113f30 SHA1 checksum: 2f6ea1e0f2724aca1805392e4387df8361442ace The checksums were calculated using the following commands: openssl md5 openssl-1.0.1n.tar.gz openssl sha1 openssl-1.0.1n.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVeZWaAAoJENnE0m0OYESRqlwIAJ1ncajYk0swYcFxXEbCs02q dI220NF3q9ohvXSzUVvM18Az8Lrr4u/bkZUNhmWkW2GwY7HF6DHUzgg7yWTWZ3h3 pxz33OxxNhBdXA0bkIl4d8q8SW9m7Xo+JZ2Pky2BC8MO3FTd5N8p9zfyJY63dtYV W9pOV0M/LzD3CkFMyX1NdAsoy3KNxB4NFoGKxuaYyOSwyrYCkHBXsBZM5O4BhvDt JeZMAcZagu4kNZ9fdNDNo28AxSOQicGuCqW4SOYnC/XACcsVvpuZYvMFdoqDRBN4 vWS91UAoor1Ld2IsdNsqe2D7S/35NKokvxdeUjbPKzyxPMoX5sgtJJyQZ6IUM0s= =d4VL -----END PGP SIGNATURE----- From openssl at openssl.org Thu Jun 11 14:47:08 2015 From: openssl at openssl.org (OpenSSL) Date: Thu, 11 Jun 2015 14:47:08 +0000 Subject: [openssl-announce] OpenSSL version 1.0.2b released Message-ID: <20150611144708.GA16030@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.2b released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2b of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.2-notes.html OpenSSL 1.0.2b is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.2b.tar.gz Size: 5281009 MD5 checksum: 7729b259e2dea7d60b32fc3934d6984b SHA1 checksum: 9006e53ca56a14d041e3875320eedfa63d82aba7 The checksums were calculated using the following commands: openssl md5 openssl-1.0.2b.tar.gz openssl sha1 openssl-1.0.2b.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVeZNdAAoJENnE0m0OYESRYscIAKrJik5qyPifnVhWRHVTUXot NYhfl+h+ooHequRyz9ug7Wz3vdUioftuOYlX0eJBBZ+YvskVk27U9tjY+plFnRjq vpdNKfa6bSL9rjztZObupvbCnhYRdDkcJRqLi8HfPb53UlZS/ALIbpDi1FPqIErs Bc7D/toD0nDoQUONLVQw/aSZNWWCaACO09326K2xX/jZGEsQbhCWdlkERfO3RzRW RBN0RnR+k8XBaqy6TRELF1vlYdHe83Dqxg1h3KBTBJ+yOFXvQblPoZO4GnkAyoNA 8EGhbzgWsjg6OIroUbnbbq50avvya/2eDmY+N3gNg5wOrYBNZlWShy91WGZ4378= =rcRW -----END PGP SIGNATURE----- From openssl at openssl.org Thu Jun 11 14:49:11 2015 From: openssl at openssl.org (OpenSSL) Date: Thu, 11 Jun 2015 14:49:11 +0000 Subject: [openssl-announce] OpenSSL Security Advisory Message-ID: <20150611144911.GA16575@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL Security Advisory [11 Jun 2015] ======================================= DHE man-in-the-middle protection (Logjam) ==================================================================== A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam (CVE-2015-4000). OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release. OpenSSL 1.0.2 users should upgrade to 1.0.2b OpenSSL 1.0.1 users should upgrade to 1.0.1n Fixes for this issue were developed by Emilia K??sper and Kurt Roeckx of the OpenSSL development team. Malformed ECParameters causes infinite loop (CVE-2015-1788) =========================================================== Severity: Moderate When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled. This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and 0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are affected. OpenSSL 1.0.2 users should upgrade to 1.0.2b OpenSSL 1.0.1 users should upgrade to 1.0.1n OpenSSL 1.0.0d (and below) users should upgrade to 1.0.0s OpenSSL 0.9.8r (and below) users should upgrade to 0.9.8zg This issue was reported to OpenSSL on 6th April 2015 by Joseph Birr-Pixton. The fix was developed by Andy Polyakov of the OpenSSL development team. Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) =============================================================== Severity: Moderate X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.2 users should upgrade to 1.0.2b OpenSSL 1.0.1 users should upgrade to 1.0.1n OpenSSL 1.0.0 users should upgrade to 1.0.0s OpenSSL 0.9.8 users should upgrade to 0.9.8zg This issue was reported to OpenSSL on 8th April 2015 by Robert Swiecki (Google), and independently on 11th April 2015 by Hanno B??ck. The fix was developed by Emilia K??sper of the OpenSSL development team. PKCS7 crash with missing EnvelopedContent (CVE-2015-1790) ========================================================= Severity: Moderate The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected. This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.2 users should upgrade to 1.0.2b OpenSSL 1.0.1 users should upgrade to 1.0.1n OpenSSL 1.0.0 users should upgrade to 1.0.0s OpenSSL 0.9.8 users should upgrade to 0.9.8zg This issue was reported to OpenSSL on 18th April 2015 by Michal Zalewski (Google). The fix was developed by Emilia K??sper of the OpenSSL development team. CMS verify infinite loop with unknown hash function (CVE-2015-1792) =================================================================== Severity: Moderate When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code. This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.2 users should upgrade to 1.0.2b OpenSSL 1.0.1 users should upgrade to 1.0.1n OpenSSL 1.0.0 users should upgrade to 1.0.0s OpenSSL 0.9.8 users should upgrade to 0.9.8zg This issue was reported to OpenSSL on 31st March 2015 by Johannes Bauer. The fix was developed by Dr. Stephen Henson of the OpenSSL development team. Race condition handling NewSessionTicket (CVE-2015-1791) ======================================================== Severity: Low If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.2 users should upgrade to 1.0.2b OpenSSL 1.0.1 users should upgrade to 1.0.1n OpenSSL 1.0.0 users should upgrade to 1.0.0s OpenSSL 0.9.8 users should upgrade to 0.9.8zg This issue was discovered by Emilia K??sper of the OpenSSL development team. The fix was developed by Matt Caswell of the OpenSSL development team. Invalid free in DTLS (CVE-2014-8176) ==================================== Severity: Moderate This vulnerability does not affect current versions of OpenSSL. It existed in previous OpenSSL versions and was fixed in June 2014. If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, buffering of such data may cause an invalid free, resulting in a segmentation fault or potentially, memory corruption. This issue affected older OpenSSL versions 1.0.1, 1.0.0 and 0.9.8. OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m. OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h. This issue was originally reported on March 28th 2014 in https://rt.openssl.org/Ticket/Display.html?id=3286 by Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google). A fix was developed by zhu qun-ying. The fix for this issue can be identified by commits bcc31166 (1.0.1), b79e6e3a (1.0.0) and 4b258e73 (0.9.8). Note ==== As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv_20150611.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/about/secpolicy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVeZq1AAoJENnE0m0OYESRESoIAJWIeqHHDd83ONNpXGeythDj F7DTzlKkOx+URajAOBme+XNFJSqe71kBHk8uY7ZSZcindLcVxIHEXY3S0z2qGc1B 3SsOo71TsvReIuMN8mV2fq2MDEvPpbi5fSCND1OqR5C7kGafWvUtM9TneyuB4Mu6 ktvitpJtJ/TNUXo1+50HufR3boveQzZo6Sf1KFCK5jWROaiwolTTjHQNk9aPItEz fgS7YmbHToBqnhK/JyRip7T9UlBJ2LVUoCqiQoZZ3abAbAAfBycjoXfalEQ53wde V6LUE36D1viTIG5OcIGbbUEcMkWbTQU7KISz+IocZ2e1KEAU0CCP54qi6rgazrQ= =aQnm -----END PGP SIGNATURE----- From levitte at openssl.org Fri Jun 12 14:55:28 2015 From: levitte at openssl.org (Richard Levitte) Date: Fri, 12 Jun 2015 16:55:28 +0200 (CEST) Subject: [openssl-announce] Forthcoming releases Message-ID: <20150612.165528.2137931534546421320.levitte@openssl.org> Forthcoming OpenSSL releases ============================ The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2c, 1.0.1o. These releases will be made available on Friday 12th June. They will fix two specific issues: 1) an HMAC ABI incompatibility with previous releases, and 2) make it possible to accept a zero length extension block in a ClientHello. These are not security releases. Yours The OpenSSL Project Team -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From openssl at openssl.org Fri Jun 12 15:36:46 2015 From: openssl at openssl.org (OpenSSL) Date: Fri, 12 Jun 2015 15:36:46 +0000 Subject: [openssl-announce] OpenSSL version 1.0.1o released Message-ID: <20150612153646.GA2931@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.1o released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1o of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.1-notes.html OpenSSL 1.0.1o is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.1o.tar.gz Size: 4546659 MD5 checksum: af1096f500a612e2e2adacb958d7eab1 SHA1 checksum: b003e3382607ef2c6d85b51e4ed7a4c0a76b8d5a The checksums were calculated using the following commands: openssl md5 openssl-1.0.1o.tar.gz openssl sha1 openssl-1.0.1o.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVevjeAAoJENnE0m0OYESRBTYIALl9NdRXPLxB+VZtVFVmOIHq HjC5IMBJCtsNCvUg3dOogSR+ZyrY82jPimxNY1+w5XCOQQ4Ro90Auw9OMoRwRo1y 7Y9+mZkxIrJUdudlNDmfsHw8wE5peThdhZnI9vnTgJSLBKbjqqVsHsxnUJ8dzNsc M2e2qa/poSPapWakfgafRRCblM9C/9zK/++n1m+t2SLHdM1dPanbiOIodnxX7XKp t/6UQzclDAPDpnG74bYPzHTI2rfcruezD8RiB3dNpma9n0uGRjorGEHjn/6PcgFy Rn1vgybhsoXpmQWT9kEQcLeRjgHEwyzxBlmVYnC3SFItlMma3h/bGYniCR89Huo= =WGaf -----END PGP SIGNATURE----- From openssl at openssl.org Fri Jun 12 15:37:04 2015 From: openssl at openssl.org (OpenSSL) Date: Fri, 12 Jun 2015 15:37:04 +0000 Subject: [openssl-announce] OpenSSL version 1.0.2c released Message-ID: <20150612153704.GA3101@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.2c released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2c of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.2-notes.html OpenSSL 1.0.2c is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.2c.tar.gz Size: 5280670 MD5 checksum: 8c8d81a9ae7005276e486702edbcd4b6 SHA1 checksum: 6e4a5e91159eb32383296c7c83ac0e59b83a0a44 The checksums were calculated using the following commands: openssl md5 openssl-1.0.2c.tar.gz openssl sha1 openssl-1.0.2c.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVevZ0AAoJENnE0m0OYESRAGIIAI+OThnhcwcrZoA3pddNL5+s mVGDd+ZstNkiqLFJSOn2Enh7Hx8xvUwaONvSAGqyiuxgmkyOSmnhc9NeE2LU+knl 8vMqF4hrTWV39JJZkkqqwEv5HRr17IWtzBL3N3/1mygvFmge6SFbGeRPk+XpyP/L 0aEWRzm7g4nq+g4Oa4/HeXsVeEwldMhgHoxbS0R3RHXPOlGb3VjZUDzg+0Nwqt5O q/sncMZAaC2TGauqsAxS19C+7hVEeZdvPKgX+DClf+NMe9+j8gWz1zmD7q5zJSQ8 ZH5+4ifFaVBSn1vuxPK4cLF5j+aUnotmWFkhJ3yZOAt+tYEH95MNB2aP4k2UCgc= =QIqW -----END PGP SIGNATURE----- From levitte at openssl.org Fri Jun 12 15:39:43 2015 From: levitte at openssl.org (Richard Levitte) Date: Fri, 12 Jun 2015 17:39:43 +0200 (CEST) Subject: [openssl-announce] Clarification on forthcoming releases Message-ID: <20150612.173943.1507279799213732121.levitte@openssl.org> Clarification on the forthcoming OpenSSL releases ================================================= To clarify, the mentioned HMAC ABI incompatibility occurred in recently released versions 1.0.2b and 1.0.1n which are security fixes but which may cause other problems due to the ABI issue. Therefore, the forthcoming releases should be used in preference to 1.0.2b and 1.0.1n. Yours The OpenSSL Project Team -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: