From openssl at openssl.org Tue Apr 3 13:46:24 2018 From: openssl at openssl.org (OpenSSL) Date: Tue, 3 Apr 2018 13:46:24 +0000 Subject: [openssl-announce] OpenSSL version 1.1.1 pre release 4 published Message-ID: <20180403134624.GA18668@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenSSL version 1.1.1 pre release 4 (beta) =========================================== OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 4 has now been made available. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1-pre4.tar.gz Size: 8259067 SHA1 checksum: 28d83c6441d269660ca1571331bb830867b082d4 SHA256 checksum: df2d5fcc2a878525611c75b9e9116fbcfbce8d9b96419a16eda5fb11ecc428f6 The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1-pre4.tar.gz openssl sha256 openssl-1.1.1-pre4.tar.gz Please download and check this beta release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJaw4CRAAoJENnE0m0OYESR8/gH+wRA1A8TQnwUr9/keW8SGZrg wxhgEh3q04yYTL7yGYMWn53TDLJR1TJN3viEKtS9vZ7/EIfytb7Q/Sf+dlEpy3GP Fe5QWQu76DakiF5HHKVoVmcNyObA1sdNzqagxz/XhYkhUdjToOlqDhT0lkPg42ps lidX68jqvZx2DfE5yjsHp4HzHwLsXVPcOILarX0OOIeG7mVS1k9fIqnVFsajnOhR KJxMoyJ59pos0hsjA6ZHcjMpcaeXFEUYCqpPQYP/EqQz5h5q456HRovempB+GRM8 yUWAPAgaqfTlOz5Jx5+1SxFbKqFc+/Rkx2M3zpa15SuJ6R7cHZiS/JLlBXF+LiQ= =x0tg -----END PGP SIGNATURE----- From rsalz at akamai.com Mon Apr 16 15:25:47 2018 From: rsalz at akamai.com (Salz, Rich) Date: Mon, 16 Apr 2018 15:25:47 +0000 Subject: [openssl-announce] OpenSSL FIPS Validation 1747 is not being labeled historic Message-ID: <05551A14-8390-4A9C-BCE6-6941AD3B33B6@akamai.com> We have been getting asked about the status of the OpenSSL FIPS 2.0 Validation, Certificate 1747 [1]. In particular, they read the notice about "symmetric key wrapping"[2] and wondered if OpenSSL would be moved to the Historical list. The OpenSSL validation testing was performed by InfoGard Laboratories, which is now known as UL Verification Services[3]. The program manager was Marc Ireland. Marc has the same role at UL. In response to our question about this, he said the following: The transition for that was January 1st, so it would have already been moved. We submitted updated Security Policies late last year to avoid it being moved. We hope this alleviates everyone's concern. We thank Mark Minnoch of KeyPair Consulting who had earlier posted the same thing[4]. [1] https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/1747 [2] https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Notices [3] https://www.ul-ts.com/standards/fips/c-38/c-1863 [4] https://mta.openssl.org/pipermail/openssl-users/2018-March/007668.html -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Apr 16 15:36:47 2018 From: openssl at openssl.org (OpenSSL) Date: Mon, 16 Apr 2018 15:36:47 +0000 Subject: [openssl-announce] OpenSSL Security Advisory Message-ID: <20180416153647.GA21276@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenSSL Security Advisory [16 Apr 2018] ======================================== Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) ================================================================ Severity: Low The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i and OpenSSL 1.0.2p when they become available. The fix is also available in commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2) in the OpenSSL git repository. This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. The fix was developed by Billy Brumley. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20180416.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJa1MKgAAoJENnE0m0OYESRKOoIAKmRnj0YtE1y89WnRiCjMk8l Z7XAsPk6nkEa8dlrEvEsUhS90CFSf9OcYliAlfjD/+RVZXXeK4AHn8/g7HxAdDcK 62biQiHbxICBqnrE6DCe6GrMXEy3MWuefSWnoTyd/x8W1grjdhkrlmIqe68DP0iv WItmStRVOpx4mQDcrYqw6ZKhhu1Lv007khyAornJP+S6NSlK6brdNQyRNmp3+HO4 irqPi6xQWGcaAtrdpWi8mDnomld75j5m+G98N/gCqaCAIn7Zau+kAAW1+1dO5S4L tsQ0CifVnRfUTz0cCL51L8G3a3RWYs34AXRZvSRi3q88AiZ1L6FCF2cHZJu1KuE= =+TYO -----END PGP SIGNATURE----- From openssl at openssl.org Tue Apr 17 14:04:50 2018 From: openssl at openssl.org (OpenSSL) Date: Tue, 17 Apr 2018 14:04:50 +0000 Subject: [openssl-announce] OpenSSL verssion 1.1.1 pre release 5 published Message-ID: <20180417140450.GA15737@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 OpenSSL version 1.1.1 pre release 5 (beta) =========================================== OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 5 has now been made available. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1-pre5.tar.gz Size: 8288689 SHA1 checksum: 8b479a8c555a9eba57b6003e4bd7200dff9535ee SHA256 checksum: 0e5ff2f216cea5fa89af6dcd429c3c142acd7c786b0c4868a039689a2641cf3d The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1-pre5.tar.gz openssl sha256 openssl-1.1.1-pre5.tar.gz Please download and check this beta release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAlrV93QACgkQ1enkP335 7owHBBAArOo3ChdJyOVRNN9wXPgRJtDTTv22yqadmcgpEiwh5AMWZUCg9Tl8B0BZ mMcQruV1J0m5qi4mUgBp87ZhqCcOje7uZubyj6VKEAxlklIzyrfPaJyIUWE7CwQi 6jPrMrF9PVkj24DZ/IUPFk6+fJen9POJddeaCuxUM12faZkRD0XxxTEvyKamgou7 Odb/Zn148SFQKMMSVOgaSr0t/go9gJ3vNRaRzBUhG9ZSaxDcwzCaO5OjjwI4xrEY XnGT54yWJNIvnSsxddhs7q4AUDEa/jNq+iCduPYVbMfuym+7YYMTlKABfnP5i1D2 gd8Ag+2hJe7rtKB6vYKOnyTKJFoMLhoRfJ12N55fJ9L4yLoy5guZEelE2Ib35YWo twlgQVPu5YnJpZnF0uZTZmcOJruEcQ7e15B8zyZfUIBtqXXg3tcH3QD3noKUYVmf s8+EfwebwIoLCy8kriO5bogJRVLQHvu1gehTXQa3edrD7iinZzlhdR7UPl9avlnv 7A0XhEiPEqwEmJUdHx/NGH5bydx/cb+oRgB26YTQyqhNw0meQg4znTui/xz2ARE/ r7PWifGhPPAbq8txuj+d8ipDeoyXS46KgR+sF2ncYMS3iQpAddQtCFIU1whpeRip wGm9uMu41Ba0H3CmUbmgTNU5kE3RCR00kirPiGQfRtf/pwI5zZY= =vyz+ -----END PGP SIGNATURE-----