From levitte at openssl.org Thu Jan 14 14:44:18 2016
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 14 Jan 2016 15:44:18 +0100 (CET)
Subject: [openssl-announce] OpenSSL version 1.1.0 pre release 2 published
Message-ID: <20160114.154418.799119456171028604.levitte@openssl.org>

OpenSSL version 1.1.0 pre release 2 (alpha)
===========================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 2 has now
been made available. For details of changes and known issues see the
release notes at:

    http://www.openssl.org/news/openssl-1.1.0-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The alpha release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

 o openssl-1.1.0-pre2.tar.gz
   Size: 4948288
   SHA1 checksum: d7a26cce5d4cc2b491996489d5385e0640bb92ef
   SHA256 checksum: 09e7470462e263ae853bc7a8fdb07fa439651c5f70aab4573c1a87ee2537a7ac

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.0-pre2.tar.gz
    openssl sha256 openssl-1.1.0-pre2.tar.gz

Please download and check this alpha release as soon as possible.
Bug reports should go to rt at openssl.org. Please check the release
notes and mailing lists to avoid duplicate reports of known issues.

Yours,

The OpenSSL Project Team.
From mark at openssl.org Mon Jan 25 11:17:05 2016
From: mark at openssl.org (Mark J Cox)
Date: Mon, 25 Jan 2016 11:17:05 +0000
Subject: [openssl-announce] Forthcoming OpenSSL releases
Message-ID:

Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 1.0.2f, 1.0.1r.

These releases will be made available on 28th January between approx.
1pm and 5pm (UTC). They will fix two security defects, one of "high"
severity affecting 1.0.2 releases, and one "low" severity affecting
all releases.

Please see the following page for further details of severity levels:
https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, support for
1.0.0 and 0.9.8 releases ended on 31st December 2015 and are no longer
receiving security updates. Support for 1.0.1 will end on 31st December 2016.

Yours

The OpenSSL Project Team

From openssl at openssl.org Thu Jan 28 15:03:27 2016
From: openssl at openssl.org (OpenSSL)
Date: Thu, 28 Jan 2016 15:03:27 +0000
Subject: [openssl-announce] OpenSSL version 1.0.1r published
Message-ID: <20160128150327.GA23362@openssl.org>

OpenSSL version 1.0.1r released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.0.1r of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1r is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

 o openssl-1.0.1r.tar.gz
   Size: 4547786
   SHA1 checksum: d2cfa980ef4548da6079fa1e51fe1fb2e5a53e99
   SHA256 checksum: 784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.0.1r.tar.gz
    openssl sha256 openssl-1.0.1r.tar.gz

Yours,

The OpenSSL Project Team.
From openssl at openssl.org Thu Jan 28 15:03:37 2016
From: openssl at openssl.org (OpenSSL)
Date: Thu, 28 Jan 2016 15:03:37 +0000
Subject: [openssl-announce] OpenSSL version 1.0.2f published
Message-ID: <20160128150337.GA23585@openssl.org>

OpenSSL version 1.0.2f released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.0.2f of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2f is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

 o openssl-1.0.2f.tar.gz
   Size: 5258384
   SHA1 checksum: 2047c592a6e5a42bd37970bdb4a931428110a927
   SHA256 checksum: 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.0.2f.tar.gz
    openssl sha256 openssl-1.0.2f.tar.gz

Yours,

The OpenSSL Project Team.
From openssl at openssl.org Thu Jan 28 15:05:47 2016
From: openssl at openssl.org (OpenSSL)
Date: Thu, 28 Jan 2016 15:05:47 +0000
Subject: [openssl-announce] OpenSSL Security Advisory
Message-ID: <20160128150547.GA26799@openssl.org>

OpenSSL Security Advisory [28th Jan 2016]
=========================================

NOTE: SUPPORT FOR VERSION 1.0.1 WILL BE ENDING ON 31ST DECEMBER 2016. NO SECURITY
FIXES WILL BE PROVIDED AFTER THAT DATE. UNTIL THAT TIME SECURITY FIXES ONLY ARE
BEING APPLIED.

DH small subgroups (CVE-2016-0701)
==================================

Severity: High

Historically OpenSSL usually only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for generating
X9.42 style parameter files such as those required for RFC 5114 support. The
primes used in such files may not be "safe". Where an application is using DH
configured with parameters based on primes that are not "safe" then an attacker
could use this fact to find a peer's private DH exponent. This attack requires
that the attacker complete multiple handshakes in which the peer uses the same
private DH exponent. For example this could be used to discover a TLS server's
private DH exponent if it's reusing the private DH exponent or it's using a
static DH ciphersuite.

OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
It is not on by default.
If the option is not set then the server reuses the same
private DH exponent for the life of the server process and would be vulnerable
to this attack. It is believed that many popular applications do set this
option and would therefore not be at risk.

OpenSSL before 1.0.2f will reuse the key if:
- SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not
  set.
- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the
  parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
  an undocumented feature and parameter files don't contain the key.
- Static DH ciphersuites are used. The key is part of the certificate and
  so it will always reuse it. This is only supported in 1.0.2.

It will not reuse the key for DHE cipher suites if:
- SSL_OP_SINGLE_DH_USE is set
- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
  callback does not provide the key, only the parameters. The callback is
  almost always used like this.

Non-safe primes are generated by OpenSSL when using:
- genpkey with the dh_rfc5114 option. This will write an X9.42 style file
  including the prime-order subgroup size "q". This is supported since the 1.0.2
  version. Older versions can't read files generated in this way.
- dhparam with the -dsaparam option. This has always been documented as
  requiring the single use.

The fix for this issue adds an additional check where a "q" parameter is
available (as is the case in X9.42 based parameters). This detects the
only known attack, and is the only possible defense for static DH ciphersuites.
This could have some performance impact.

Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
and cannot be disabled. This could have some performance impact.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2f

OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42
based parameters.
It is possible to generate parameters using non "safe" primes,
but this option has always been documented as requiring single use and is not
the default or believed to be common. However, as a precaution, the
SSL_OP_SINGLE_DH_USE change has also been backported to 1.0.1r.

This issue was reported to OpenSSL on 12 January 2016 by Antonio Sanso (Adobe).
The fix was developed by Matt Caswell of the OpenSSL development team
(incorporating some work originally written by Stephen Henson of the OpenSSL
core team).

SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
====================================================

Severity: Low

A malicious client can negotiate SSLv2 ciphers that have been disabled on the
server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and
Sebastian Schinzel. The fix was developed by Nimrod Aviram with further
development by Viktor Dukhovni of the OpenSSL development team.

An update on DHE man-in-the-middle protection (Logjam)
====================================================================

A previously published vulnerability in the TLS protocol allows a
man-in-the-middle attacker to downgrade vulnerable TLS connections
using ephemeral Diffie-Hellman key exchange to 512-bit export-grade
cryptography. This vulnerability is known as Logjam
(CVE-2015-4000). OpenSSL added Logjam mitigation for TLS clients by
rejecting handshakes with DH parameters shorter than 768 bits in
releases 1.0.2b and 1.0.1n.

This limit has been increased to 1024 bits in this release, to offer
stronger cryptographic assurance for all TLS connections using
ephemeral Diffie-Hellman key exchange.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

The fix was developed by Kurt Roeckx of the OpenSSL development team.

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.

Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160128.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
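The "additional check where a q parameter is available" from the DH small subgroups section of the advisory above, as an added example that is not part of the advisory and is not OpenSSL's code. It assumes the check is the standard subgroup-membership test y^q mod p == 1; the function names and the toy group (p = 607, q = 101, g = 64) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply; operands stay below 2^32 so products fit in 64 bits. */
static uint64_t modexp(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = result * base % mod;
        base = base * base % mod;
        exp >>= 1;
    }
    return result;
}

/* Range check only: all a receiver can do when no q is known. */
int range_ok(uint64_t y, uint64_t p)
{
    return y > 1 && y < p - 1;
}

/* Assumed form of the added check: range check, then y^q mod p == 1. */
int pubkey_ok(uint64_t y, uint64_t p, uint64_t q)
{
    if (!range_ok(y, p))
        return 0;
    return q == 0 || modexp(y, q, p) == 1;   /* q == 0: no q available (hypothetical convention) */
}

/* Constructed toy X9.42-style group: p = 607 is prime but not "safe",
 * p - 1 = 2 * 3 * 101, q = 101, g = 64 = 2^((p-1)/q) has order q. */
enum { TOY_P = 607, TOY_Q = 101, TOY_G = 64 };

int main(void)
{
    uint64_t honest = modexp(TOY_G, 5, TOY_P);            /* public key for exponent 5 */
    uint64_t order3 = modexp(2, (TOY_P - 1) / 3, TOY_P);  /* order 3, outside the q-subgroup */

    printf("honest=%llu range=%d q-check=%d\n", (unsigned long long)honest,
           range_ok(honest, TOY_P), pubkey_ok(honest, TOY_P, TOY_Q));
    printf("order3=%llu range=%d q-check=%d\n", (unsigned long long)order3,
           range_ok(order3, TOY_P), pubkey_ok(order3, TOY_P, TOY_Q));
    return 0;
}
```

With a safe prime p = 2q + 1 the range check alone already excludes every small-order value (only 1 and p - 1 exist), which is why the extra test matters only for X9.42-style parameters.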