From matt at openssl.org Mon Nov 12 17:05:31 2018
From: matt at openssl.org (Matt Caswell)
Date: Mon, 12 Nov 2018 17:05:31 +0000
Subject: [openssl-announce] OpenSSL Security Advisory
Message-ID: <86b66671-8508-d720-416a-b4efd58c34bd@openssl.org>

OpenSSL Security Advisory [12 November 2018]
============================================

Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
===================================================================================

Severity: Low

OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown
to be vulnerable to a microarchitecture timing side channel attack. An attacker
with sufficient access to mount local timing attacks during ECDSA signature
generation could recover the private key.

This issue does not impact OpenSSL 1.1.1 and is already fixed in the latest
version of OpenSSL 1.1.0 (1.1.0i). OpenSSL 1.0.2 is affected but due to the low
severity of this issue we are not creating a new release at this time. The 1.0.2
mitigation for this issue can be found in commit b18162a7c.

OpenSSL 1.1.0 users should upgrade to 1.1.0i.

This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri.

Note
====

OpenSSL 1.1.0 is currently only receiving security updates. Support for this
version will end on 11th September 2019. Users of this version should upgrade to
OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20181112.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

From matt at openssl.org Wed Nov 14 18:00:02 2018
From: matt at openssl.org (Matt Caswell)
Date: Wed, 14 Nov 2018 18:00:02 +0000
Subject: [openssl-announce] Forthcoming OpenSSL Releases
Message-ID: <1e00c274-19f7-c862-32fa-2cc53e6b365d@openssl.org>

The OpenSSL project team would like to announce the forthcoming release of
OpenSSL versions 1.1.1a, 1.1.0j and 1.0.2q.

These releases will be made available on 20th November 2018 between
approximately 1300-1700 UTC.

These are bug-fix releases. They also contain the fixes for three LOW severity
security issues CVE-2018-0735, CVE-2018-0734 and CVE-2018-5407 which were
previously announced here:

https://www.openssl.org/news/secadv/20181029.txt
https://www.openssl.org/news/secadv/20181030.txt
https://www.openssl.org/news/secadv/20181112.txt

CVE-2018-0735 only affects the 1.1.0 branch.
CVE-2018-0734 affects the 1.1.1, 1.1.0 and 1.0.2 branches.
CVE-2018-5407 affects the 1.0.2 branch. It also affects older 1.1.0 releases
before 1.1.0i.

Yours

The OpenSSL Project Team

From openssl at openssl.org Tue Nov 20 14:17:00 2018
From: openssl at openssl.org (OpenSSL)
Date: Tue, 20 Nov 2018 14:17:00 +0000
Subject: [openssl-announce] OpenSSL version 1.0.2q published
Message-ID: <20181120141700.GA29541@openssl.org>

OpenSSL version 1.0.2q released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.0.2q of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    https://www.openssl.org/news/openssl-1.0.2-notes.html

OpenSSL 1.0.2q is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.2q.tar.gz
    Size: 5345604
    SHA1 checksum: 692f5f2f1b114f8adaadaa3e7be8cce1907f38c5
    SHA256 checksum: 5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.0.2q.tar.gz
    openssl sha256 openssl-1.0.2q.tar.gz

Yours,

The OpenSSL Project Team.

From openssl at openssl.org Tue Nov 20 14:17:19 2018
From: openssl at openssl.org (OpenSSL)
Date: Tue, 20 Nov 2018 14:17:19 +0000
Subject: [openssl-announce] OpenSSL version 1.1.0j published
Message-ID: <20181120141719.GA29594@openssl.org>

OpenSSL version 1.1.0j released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.1.0j of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    https://www.openssl.org/news/openssl-1.1.0-notes.html

OpenSSL 1.1.0j is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.0j.tar.gz
    Size: 5411919
    SHA1 checksum: dcad1efbacd9a4ed67d4514470af12bbe2a1d60a
    SHA256 checksum: 31bec6c203ce1a8e93d5994f4ed304c63ccf07676118b6634edded12ad1b3246

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.0j.tar.gz
    openssl sha256 openssl-1.1.0j.tar.gz

Yours,

The OpenSSL Project Team.

From openssl at openssl.org Tue Nov 20 14:17:46 2018
From: openssl at openssl.org (OpenSSL)
Date: Tue, 20 Nov 2018 14:17:46 +0000
Subject: [openssl-announce] OpenSSL version 1.1.1a published
Message-ID: <20181120141746.GA29779@openssl.org>

OpenSSL version 1.1.1a released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.1.1a of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1a is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1a.tar.gz
    Size: 8350547
    SHA1 checksum: 8fae27b4f34445a5500c9dc50ae66b4d6472ce29
    SHA256 checksum: fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.1a.tar.gz
    openssl sha256 openssl-1.1.1a.tar.gz

Yours,

The OpenSSL Project Team.

From matt at openssl.org Wed Nov 28 17:02:40 2018
From: matt at openssl.org (Matt Caswell)
Date: Wed, 28 Nov 2018 17:02:40 +0000
Subject: [openssl-announce] OpenSSL Versioning and License
Message-ID: <40643fa8-321f-a85d-3484-13bb1be8aa0e@openssl.org>

Please see the following blog post about OpenSSL Versioning and License:

https://www.openssl.org/blog/blog/2018/11/28/version/

Matt
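
The affected-version statements for CVE-2018-5407 in the advisory and release announcements above, turned into an inventory check. This is an added example, not OpenSSL project code; the function names, host names and sample banners are constructed for illustration.

```python
import re

# Fix points for CVE-2018-5407 as stated in the announcements above:
# 1.1.1 is not impacted, 1.1.0 is fixed in 1.1.0i, and the fix for
# 1.0.2 ships in 1.0.2q. Other branches are not mentioned on the page.
FIXED_IN = {"1.1.0": "i", "1.0.2": "q"}
NOT_IMPACTED = {"1.1.1"}
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Return (branch, patch_letters) from text such as `openssl version` output."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % banner)
    return m.group(1), m.group(2)


def cve_2018_5407_status(banner):
    """Classify a banner as 'affected', 'fixed', 'not-impacted' or 'unknown'."""
    branch, patch = parse_version(banner)
    if branch in NOT_IMPACTED:
        return "not-impacted"
    if branch not in FIXED_IN:
        return "unknown"
    # Patch letters run a..z, then za, zb, ...; plain string order matches
    # that sequence ("" < "h" < "i" < "z" < "za").
    return "fixed" if patch >= FIXED_IN[branch] else "affected"


def triage(inventory):
    """Map host -> status for an iterable of (host, banner) pairs."""
    return {host: cve_2018_5407_status(banner) for host, banner in inventory}


# Constructed sample inventory (hosts and banners are made up for illustration).
SAMPLE = [
    ("build-01", "OpenSSL 1.0.2p  14 Aug 2018"),
    ("web-01", "OpenSSL 1.0.2q  20 Nov 2018"),
    ("web-02", "OpenSSL 1.1.0h  27 Mar 2018"),
    ("web-03", "OpenSSL 1.1.0i  14 Aug 2018"),
    ("api-01", "OpenSSL 1.1.1a  20 Nov 2018"),
    ("old-01", "OpenSSL 1.0.1u  22 Sep 2016"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

A version banner does not reflect fixes that a distribution has backported, so treat `affected` as a prompt to check the vendor's own advisory rather than as proof.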