From matt at openssl.org Wed Feb 13 11:26:05 2019
From: matt at openssl.org (Matt Caswell)
Date: Wed, 13 Feb 2019 11:26:05 +0000
Subject: [openssl-announce] OpenSSL 3.0 and FIPS Update
Message-ID: <2c9fe037-9817-ba6f-1062-1d574264318a@openssl.org>

Please see my blog post for an OpenSSL 3.0 and FIPS Update:

https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/

Matt

From matt at openssl.org Tue Feb 19 16:10:20 2019
From: matt at openssl.org (Matt Caswell)
Date: Tue, 19 Feb 2019 16:10:20 +0000
Subject: Forthcoming OpenSSL Releases
Message-ID: <9b5740f6-0f40-0adf-3b60-beda7707edb3@openssl.org>

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1b and 1.0.2r. There will be no new 1.1.0 release
at this time.

These releases will be made available on 26th February 2019 between
approximately 1300-1700 UTC.

OpenSSL 1.0.2r is a security-fix release. The highest severity issue fixed
in this release is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

OpenSSL 1.1.1b is a bug-fix release.

Yours

The OpenSSL Project Team

From openssl at openssl.org Tue Feb 26 14:54:20 2019
From: openssl at openssl.org (OpenSSL)
Date: Tue, 26 Feb 2019 14:54:20 +0000
Subject: OpenSSL version 1.0.2r published
Message-ID: <20190226145420.GA1729@openssl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

   OpenSSL version 1.0.2r released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2r of our open source toolkit for SSL/TLS.

   For details of changes and known issues see the release notes at:

        https://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2r is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

     * https://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

     o openssl-1.0.2r.tar.gz
       Size: 5348369
       SHA1 checksum: b9aec1fa5cedcfa433aed37c8fe06b0ab0ce748d
       SHA256 checksum: ae51d08bba8a83958e894946f15303ff894d75c2b8bbd44a852b64e3fe11d0d6

   The checksums were calculated using the following commands:

     openssl sha1 openssl-1.0.2r.tar.gz
     openssl sha256 openssl-1.0.2r.tar.gz

   Yours,

   The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlx1S0oACgkQ2cTSbQ5g
RJH9UQf9Gi2WrDyOwxtlu84f7vlcQX1zfG+Fs10OZgYi6rvD6VprJJewsWaJI9S+
O5LDv0p1aCFNgcTc57oNZCb+Or8xWdhvTOc5cNa408nFVK4wVazTdzKRFLECZEL4
E0vs22XNEIhrPHuHAJnuYaP12232Wymn9VHSbWeNl2ZR7Vj64rJ8Lqp8w+YpBU5+
eGidbLSKC29r8VV/6/9ei8PUSGEpy6ci8Tp+oMn6iVgMx6fuAnVDWDL32kWbzdAB
r/OUee06D+QQFQMAJGAiDRxbC4XuNaLCiysr8a7QoltsxJjCaq7H9zRlArv3iE27
/fuwegvHE+upW2k3J1ZCL/Dlq+MuxA==
=MwGd
-----END PGP SIGNATURE-----

From openssl at openssl.org Tue Feb 26 14:54:38 2019
From: openssl at openssl.org (OpenSSL)
Date: Tue, 26 Feb 2019 14:54:38 +0000
Subject: OpenSSL version 1.1.1b published
Message-ID: <20190226145438.GA1980@openssl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

   OpenSSL version 1.1.1b released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1b of our open source toolkit for SSL/TLS.

   For details of changes and known issues see the release notes at:

        https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1b is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

     * https://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

     o openssl-1.1.1b.tar.gz
       Size: 8213737
       SHA1 checksum: e9710abf5e95c48ebf47991b10cbb48c09dae102
       SHA256 checksum: 5c557b023230413dfb0756f3137a13e6d726838ccd1430888ad15bfb2b43ea4b

   The checksums were calculated using the following commands:

     openssl sha1 openssl-1.1.1b.tar.gz
     openssl sha256 openssl-1.1.1b.tar.gz

   Yours,

   The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlx1SgkACgkQ2cTSbQ5g
RJEc5QgAoB+R93O6fi3QBaLM6zcZQWcq0y/c2fEo+tybClP4DfUudJij5cjlfzfN
W0srK+qq15PJPxbH02fUcUdIBHF5OdQv0XMIS5ueN1clvGTcvpqdmyvE7INqouFd
xUGbRzNw8hN4BY/skamuc1uxMXQUFx4ek2W12q4D/oCSOuPrS411uSev3pACLyK8
Bchcs/TLSreaz46ckRC+fiQ9jgBKjcA5q4pC/kIn+KGrfoRZz+no4cQlZS84NFgN
BbT4bn9mV1+f1PksSlBZ6r+YSeaFrXP/e0sfTuMGYiXUx+XPQ+uMHjiljAGuYYz3
Nr2GqL9nHLvJ5xMBJmJCes4zkd0J9g==
=Wh0M
-----END PGP SIGNATURE-----

From openssl at openssl.org Tue Feb 26 14:59:17 2019
From: openssl at openssl.org (OpenSSL)
Date: Tue, 26 Feb 2019 14:59:17 +0000
Subject: OpenSSL Security Advisory
Message-ID: <20190226145917.GA5404@openssl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL Security Advisory [26 February 2019]
============================================

0-byte record padding oracle (CVE-2019-1559)
============================================

Severity: Moderate

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data.

In order for this to be exploitable "non-stitched" ciphersuites must be in
use. Stitched ciphersuites are optimised implementations of certain commonly
used ciphersuites. Also the application must call SSL_shutdown() twice even
if a protocol error has occurred (applications should not do this but some
do anyway).

This issue does not impact OpenSSL 1.1.1 or 1.1.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2r.

This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
Aviram, with additional investigation by Steven Collison and Andrew
Hourselt. It was reported to OpenSSL on 10th December 2018.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates.
Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end
on 11th September 2019. Users of these versions should upgrade to OpenSSL
1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190226.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlx1U+gACgkQ2cTSbQ5g
RJFnlAf/U9yZtCz59BjgD0Kh7Eya5KxlmUWItdBu1r3DwbY4KDgL/Wwh4UxG3Qim
D7Ht5Xsta4iAywrMRI/iPEdEQct8pcpWjq4/65lEbTYjToEnNWhIeWHH/Lw3Jfza
gcVpIfbWoWc7OL7U4uPQuGWcb/PO8fJXF+HcCdZ+kIuut0peMSgN5sK/wBnmSdsM
+sJXCei+jwVy/9WvCBMOooX7D8oerJ6NX12n2cNAYH/K7e2deiPZ7D/HB7T9MSv/
BgOi1UqFzBxcsNhFpY5NMTHG8pl0bmS0OiZ9bThN0YHwxFVJz6ZsVX/L5cYOAbm/
mJAdDE24XMmUAOlVZrROzCZKXADx/A==
=8h8L
-----END PGP SIGNATURE-----
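The two release announcements above publish a Size, SHA1 and SHA256 line for each tarball together with the openssl commands used to compute them. The script below turns that into a check a downloader can run: it parses the Size and SHA256 lines out of announcement text in that layout and compares them against a file on disk, size first (cheap, and it catches truncated downloads) and digest second. It is an added example, not part of the OpenSSL announcements; the function names are this example's own, it assumes sha256sum or openssl is on PATH, and it exercises itself on a constructed 6-byte sample file rather than a real tarball.

```shell
#!/bin/sh
# Added example: verify a downloaded tarball against the Size and SHA256
# lines of a signed OpenSSL release announcement. Not OpenSSL project code.

# Print the SHA256 hex digest of file $1 with whichever tool is present
# (sha256sum from coreutils, else the openssl CLI the announcements use).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Extract the announced size and SHA256 from announcement text on stdin.
# Matches lines of the form "Size: 5348369" and "SHA256 checksum: <64 hex>".
announced_size()   { sed -n 's/.*Size: *\([0-9][0-9]*\).*/\1/p' | head -n 1; }
announced_sha256() { sed -n 's/.*SHA256 checksum: *\([0-9a-f]\{64\}\).*/\1/p' | head -n 1; }

# verify_tarball FILE EXPECTED_SIZE EXPECTED_SHA256
# Returns 0 when both match, 1 otherwise, and says which check failed.
verify_tarball() {
    file=$1; want_size=$2; want_sha=$3
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "$file: size mismatch: got $have_size, announcement says $want_size" >&2
        return 1
    fi
    have_sha=$(sha256_of "$file")
    if [ "$have_sha" != "$want_sha" ]; then
        echo "$file: SHA256 mismatch: got $have_sha, announcement says $want_sha" >&2
        return 1
    fi
    echo "$file: size and SHA256 match the announcement"
    return 0
}

# Demo on constructed data (assumption: not a real tarball). The sample file
# is the 6 bytes "hello\n"; the announcement fragment copies the real layout.
sample=$(mktemp)
printf 'hello\n' > "$sample"
ann='The distribution file name is:
  o sample.tar.gz
    Size: 6
    SHA256 checksum: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
if verify_tarball "$sample" "$(printf '%s\n' "$ann" | announced_size)" \
                            "$(printf '%s\n' "$ann" | announced_sha256)"; then
    echo "download verified"
fi
rm -f "$sample"
```

Only the SHA256 line is worth comparing; the SHA1 line is kept for older tooling and SHA-1 is no longer collision resistant. A matching digest proves only that the file is the one the announcement describes, so check the PGP signature on the announcement itself (the signed block above) against the OpenSSL team's key before trusting the digest: anyone able to swap the tarball on a mirror can swap an unsigned checksum next to it just as easily.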