From openssl at openssl.org Mon Feb 13 08:52:42 2017
From: openssl at openssl.org (OpenSSL)
Date: Mon, 13 Feb 2017 08:52:42 +0000 (GMT)
Subject: [openssl-announce] Forthcoming OpenSSL release
Message-ID:

Forthcoming OpenSSL release
===========================

The OpenSSL project team would like to announce the forthcoming release of
OpenSSL version 1.1.0e.

This release will be made available on 16th February 2017 between 1200-1600 UTC,
and will include a fix for a security defect classified as severity "High".
This issue does not affect OpenSSL versions prior to 1.1.0.

Please see the following page for further details of severity levels:
https://www.openssl.org/policies/secpolicy.html

Yours

The OpenSSL Project Team

From openssl at openssl.org Thu Feb 16 12:18:56 2017
From: openssl at openssl.org (OpenSSL)
Date: Thu, 16 Feb 2017 12:18:56 +0000
Subject: [openssl-announce] OpenSSL version 1.1.0e published
Message-ID: <20170216121856.GA3824@openssl.org>

OpenSSL version 1.1.0e released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.1.0e of our open source toolkit for SSL/TLS.
For details of changes and known issues see the release notes at:

    https://www.openssl.org/news/openssl-1.1.0-notes.html

OpenSSL 1.1.0e is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0e.tar.gz
    Size: 5202247
    SHA1 checksum: 8bbbaf36feffadd3cb9110912a8192e665ebca4b
    SHA256 checksum: 57be8618979d80c910728cfc99369bf97b2a1abd8f366ab6ebdee8975ad3874c

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.0e.tar.gz
    openssl sha256 openssl-1.1.0e.tar.gz

Yours,

The OpenSSL Project Team.

From openssl at openssl.org Thu Feb 16 12:21:24 2017
From: openssl at openssl.org (OpenSSL)
Date: Thu, 16 Feb 2017 12:21:24 +0000
Subject: [openssl-announce] OpenSSL Security Advisory
Message-ID: <20170216122124.GA4307@openssl.org>

OpenSSL Security Advisory [16 Feb 2017]
========================================

Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
====================================================

Severity: High

During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then this
can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0e

This issue does not affect OpenSSL version 1.0.2.

This issue was reported to OpenSSL on 31st January 2017 by Joe Orton (Red Hat).
The fix was developed by Matt Caswell of the OpenSSL development team.

Note
====

Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20170216.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
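
Added example (not part of the advisory and not OpenSSL project code): a POSIX shell function that triages an `openssl version` banner against the version ranges the advisory states for CVE-2017-3733. The function name, result labels and sample banners are constructed here; treating releases later than the 1.1.0 series as fixed is an assumption, since the advisory names only 1.1.0e.

```shell
#!/bin/sh
# classify_openssl "<banner>"  ->  affected | fixed | not-affected | unknown
# Ranges taken from the advisory text: versions prior to 1.1.0 and 1.0.2 are
# not affected; 1.1.0 users should upgrade to 1.1.0e.
classify_openssl() {
    printf '%s\n' "$1" | awk '
    # Only the classic scheme is understood: N.N.N, optional letters, optional -suffix.
    $1 != "OpenSSL" || $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+[a-z]*(-.*)?$/ {
        print "unknown"; exit
    }
    {
        ver = $2; suffix = ""
        if ((i = index(ver, "-")) > 0) {          # e.g. -fips, -pre6
            suffix = substr(ver, i); ver = substr(ver, 1, i - 1)
        }
        letters = ver; sub(/^[0-9.]+/, "", letters)   # patch letter(s), may be empty
        sub(/[a-z]+$/, "", ver)
        split(ver, n, ".")
        num = n[1] * 10000 + n[2] * 100 + n[3]        # 1.1.0 -> 10100

        if (num < 10100)        print "not-affected"  # prior to 1.1.0
        else if (num > 10100)   print "fixed"         # assumption: later series carry the fix
        else if (suffix != "")  print "unknown"       # 1.1.0 pre-releases: not covered by the advisory
        else if (letters < "e") print "affected"      # 1.1.0 through 1.1.0d
        else                    print "fixed"         # 1.1.0e and later letters
        exit
    }'
}

# Constructed sample banners, in the format `openssl version` prints.
for banner in \
    "OpenSSL 1.1.0d  26 Jan 2017" \
    "OpenSSL 1.1.0e  16 Feb 2017" \
    "OpenSSL 1.0.2k-fips  26 Jan 2017" \
    "OpenSSL 1.1.0-pre6 (beta) 4 Aug 2016"
do
    printf '%-40s %s\n' "$banner" "$(classify_openssl "$banner")"
done
```

A vendor package can carry a backported fix under an unchanged version string, so confirm an "affected" result against the distributor's own advisory before acting on it.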