From matt at openssl.org Tue Oct 4 16:20:09 2022
From: matt at openssl.org (Matt Caswell)
Date: Tue, 4 Oct 2022 17:20:09 +0100
Subject: Forthcoming OpenSSL Releases
Message-ID: <3e089979-c148-7063-953d-5f2fbab43900@openssl.org>

Hello,

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.6 and 1.1.1r.

These releases will be made available on Tuesday 11th October 2022 between 1300-1700 UTC.

OpenSSL 3.0.6 is a security-fix release. The highest severity issue fixed in OpenSSL 3.0.6 is Low:
https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 is a bug-fix release. There are no security issues fixed in this release.

Yours
The OpenSSL Project Team

From noreply at github.com Wed Oct 5 09:07:30 2022
From: noreply at github.com (Pauli)
Date: Wed, 05 Oct 2022 02:07:30 -0700
Subject: [openssl/general-policies] 100486: Added Policy for releasing Information [Informatio...
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: 1004861513c2b22c25947745be6331b242671052
    https://github.com/openssl/general-policies/commit/1004861513c2b22c25947745be6331b242671052
Author: TamaraDale
Date: 2022-10-05 (Wed, 05 Oct 2022)
Changed paths:
  A policies/information-release-policy.md
Log Message:
-----------
Added Policy for releasing Information [Information Release Policy.md]

Commit: fce6a8253d484170d76c60bddddaaf5f19628129
    https://github.com/openssl/general-policies/commit/fce6a8253d484170d76c60bddddaaf5f19628129
Author: Pauli
Date: 2022-10-05 (Wed, 05 Oct 2022)
Changed paths:
  A votes/vote-20220928-releasing-information-policy.txt
Log Message:
-----------
record passing vote

Compare: https://github.com/openssl/general-policies/compare/42621965ca1c...fce6a8253d48

From matt at openssl.org Tue Oct 11 10:47:57 2022
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Oct 2022 11:47:57 +0100
Subject: OTC VOTE: OTC considers PR#17984 as a bug fix
Message-ID: <180e4e22-44e0-af08-4bcb-f4a743e1ece4@openssl.org>

OTC members please vote on the following issue:
https://github.com/openssl/technical-policies/issues/55

Matt

From noreply at reply.github.openssl.org Tue Oct 11 10:49:01 2022
From: noreply at reply.github.openssl.org (matt)
Date: Tue, 11 Oct 2022 10:49:01 +0000
Subject: [otc/technical-policies] 4d4adb: Start a vote on PR17984
Message-ID:
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies

Commit: 4d4adbb1222a01924656f14def143a9327ac253d
    https://github.openssl.org/otc/technical-policies/commit/4d4adbb1222a01924656f14def143a9327ac253d
Author: Matt Caswell
Date: 2022-10-11 (Tue, 11 Oct 2022)
Changed paths:
  A votes/vote-20221011-pr17984-is-a-bug-fix.txt
Log Message:
-----------
Start a vote on PR17984

Commit: 0cd28ca706143aa31bce28c26821225e3551d7ba
    https://github.openssl.org/otc/technical-policies/commit/0cd28ca706143aa31bce28c26821225e3551d7ba
Author: Matt Caswell
Date: 2022-10-11 (Tue, 11 Oct 2022)
Changed paths:
  M votes/vote-20221011-pr17984-is-a-bug-fix.txt
Log Message:
-----------
Update the vote with an issue link

Compare: https://github.openssl.org/otc/technical-policies/compare/3d519e6578b6...0cd28ca70614

From noreply at github.com Tue Oct 11 10:50:33 2022
From: noreply at github.com (Matt Caswell)
Date: Tue, 11 Oct 2022 03:50:33 -0700
Subject: [openssl/technical-policies] 4d4adb: Start a vote on PR17984
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies

Commit: 4d4adbb1222a01924656f14def143a9327ac253d
    https://github.com/openssl/technical-policies/commit/4d4adbb1222a01924656f14def143a9327ac253d
Author: Matt Caswell
Date: 2022-10-11 (Tue, 11 Oct 2022)
Changed paths:
  A votes/vote-20221011-pr17984-is-a-bug-fix.txt
Log Message:
-----------
Start a vote on PR17984

Commit: 0cd28ca706143aa31bce28c26821225e3551d7ba
    https://github.com/openssl/technical-policies/commit/0cd28ca706143aa31bce28c26821225e3551d7ba
Author: Matt Caswell
Date: 2022-10-11 (Tue, 11 Oct 2022)
Changed paths:
  M votes/vote-20221011-pr17984-is-a-bug-fix.txt
Log Message:
-----------
Update the vote with an issue link

Compare: https://github.com/openssl/technical-policies/compare/3d519e6578b6...0cd28ca70614

From matt at openssl.org Tue Oct 11 14:38:08 2022
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Oct 2022 14:38:08 +0000
Subject: OpenSSL version 1.1.1r published
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1r released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1r of our open source toolkit for SSL/TLS.
For details of changes and known issues see the release notes at:
https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1r is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1r.tar.gz
    Size: 9868506
    SHA1 checksum: 1a7d07ebc91a4e834be3db861453a79b0fe8d259
    SHA256 checksum: e389352ae3d5ae4d38597bf8a54f1dcb6fb3c8b50f4fe58a94bb1bf7f85d82a0

The checksums were calculated using the following commands:

  openssl sha1 openssl-1.1.1r.tar.gz
  openssl sha256 openssl-1.1.1r.tar.gz

Yours,
The OpenSSL Project Team.

From matt at openssl.org Tue Oct 11 14:38:19 2022
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Oct 2022 14:38:19 +0000
Subject: OpenSSL version 3.0.6 published
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 3.0.6 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 3.0.6 of our open source toolkit for SSL/TLS.
For details of the changes, see the release notes at:
https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.6 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.6.tar.gz
    Size: 15101953
    SHA1 checksum: df7c98f7780babdedd0810fb3c2b55332a8f6b89
    SHA256 checksum: e4a10a2986945e3f1a1f2ebd68ac780449a1773b96b6a174fdf650d6bc9611f1

The checksums were calculated using the following commands:

  openssl sha1 openssl-3.0.6.tar.gz
  openssl sha256 openssl-3.0.6.tar.gz

Yours,
The OpenSSL Project Team.

From matt at openssl.org Tue Oct 11 14:41:54 2022
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Oct 2022 14:41:54 +0000
Subject: OpenSSL Security Advisory
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [11 October 2022]
===========================================

Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358)
================================================================================

Severity: Low

OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls.
This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers.

OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext.

Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.6.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 9th August 2022 by Chris Rapier of the Pittsburgh Supercomputing Center. The fix was developed by Matt Caswell.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221011.txt

Note: the online version of the advisory may be updated with additional details over time.
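An added example, not part of the advisory or of OpenSSL's own code: a static audit in Python for the pattern described above. It scans C source for EVP_CIPHER_meth_new() calls whose NID argument is NID_undef (or the literal 0), checks whether the file also calls one of the EVP encryption/decryption initialisation functions, and decides from a version string whether the linked OpenSSL falls in the affected 3.0.0 to 3.0.5 range. The sample C source and version strings are constructed for the demonstration, and the verdict names are this example's own.

```python
import re
from typing import List, NamedTuple, Tuple

AFFECTED_MIN = (3, 0, 0)   # first affected release, per the advisory
AFFECTED_MAX = (3, 0, 5)   # last affected release; 3.0.6 carries the fix

# First argument of EVP_CIPHER_meth_new() is the cipher NID; the call may be
# wrapped over several lines, so match on the whole text rather than per line.
_METH_NEW_RE = re.compile(r"\bEVP_CIPHER_meth_new\s*\(\s*([^,]+?)\s*,")
# The init functions named in the advisory plus the "similarly named" older
# variants (EVP_EncryptInit_ex, EVP_CipherInit, ...).
_INIT_RE = re.compile(r"\bEVP_(?:Encrypt|Decrypt|Cipher)Init(?:_ex2?)?\s*\(")

class Finding(NamedTuple):
    line_no: int
    nid_arg: str
    verdict: str  # "vulnerable-pattern", "ok" or "needs-review" (names chosen here)

def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings like 'OpenSSL 3.0.5' or '1.1.1q'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError(f"no x.y.z version in {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected_version(version: str) -> bool:
    """True only for 3.0.0 through 3.0.5; 1.1.1 and 1.0.2 are not affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def classify_nid(arg: str) -> str:
    """Decide what a NID argument means for this advisory."""
    arg = arg.strip()
    if arg == "NID_undef" or re.fullmatch(r"0[xX]0+|0+", arg):
        return "vulnerable-pattern"   # NID_undef is defined as 0 in OpenSSL
    if re.fullmatch(r"NID_\w+|[1-9]\d*", arg):
        return "ok"                   # a concrete, non-zero NID
    return "needs-review"             # variable, macro or call: decide by hand

def _strip_comments(source: str) -> str:
    """Blank out C comments but keep every newline so line numbers stay valid."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                    source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)

def scan_source(source: str) -> List[Finding]:
    """One Finding per EVP_CIPHER_meth_new() call in the source text."""
    code = _strip_comments(source)
    findings = []
    for m in _METH_NEW_RE.finditer(code):
        line_no = code.count("\n", 0, m.start()) + 1
        findings.append(Finding(line_no, m.group(1).strip(), classify_nid(m.group(1))))
    return findings

def uses_evp_init(source: str) -> bool:
    """Does the source hand a cipher to an EVP encrypt/decrypt init function?"""
    return _INIT_RE.search(_strip_comments(source)) is not None

def audit(source: str, linked_version: str) -> dict:
    """Combine the advisory's three conditions: affected library, custom cipher
    created with NID_undef, and that cipher used in an initialisation call."""
    findings = scan_source(source)
    vulnerable = [f.line_no for f in findings if f.verdict == "vulnerable-pattern"]
    review = [f.line_no for f in findings if f.verdict == "needs-review"]
    affected = is_affected_version(linked_version)
    init_used = uses_evp_init(source)
    return {"affected_version": affected, "vulnerable_calls": vulnerable,
            "review_calls": review, "init_used": init_used,
            "exposed": affected and bool(vulnerable) and init_used}

# Constructed sample source (not from any real project) covering each case.
SAMPLE_SOURCE = """\
static EVP_CIPHER *legacy_cipher(void)
{
    /* NID_undef is exactly the mistake the advisory describes */
    EVP_CIPHER *c = EVP_CIPHER_meth_new(NID_undef, 16, 32);
    return c;
}
/* EVP_CIPHER_meth_new(NID_undef, 1, 1) inside a comment must be ignored */
static EVP_CIPHER *named_cipher(void)
{
    return EVP_CIPHER_meth_new(NID_aes_256_cbc, 16, 32); // real NID: fine
}
static EVP_CIPHER *dynamic_cipher(int my_nid)
{
    return EVP_CIPHER_meth_new(my_nid,
                               16, 32);
}
int do_encrypt(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *c, const unsigned char *key, const unsigned char *iv)
{
    return EVP_EncryptInit_ex2(ctx, c, key, iv, NULL);
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE_SOURCE, "OpenSSL 3.0.5"))
```

Only a source-level screen: a NID that arrives through a variable is reported for manual review rather than decided, and the version check applies to the library actually linked at run time, not the headers compiled against.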
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

From noreply at github.com Wed Oct 12 06:47:30 2022
From: noreply at github.com (Richard Levitte)
Date: Tue, 11 Oct 2022 23:47:30 -0700
Subject: [openssl/general-policies] 2b23a4: Move the platform policy to general-policies
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: 2b23a45c28c1357b2859325f08d98ffca004488f
    https://github.com/openssl/general-policies/commit/2b23a45c28c1357b2859325f08d98ffca004488f
Author: Richard Levitte
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  A policies/platform-policy.md
  A policy-supplemental/platforms.md
Log Message:
-----------
Move the platform policy to general-policies

This is a copy of the current platform policy, found in the repository git at github.com:openssl/web.git, policies/platformpolicy.md (or https://www.openssl.org/policies/platformpolicy.html), split up in a policy file and informational tables.
From noreply at github.com Wed Oct 12 08:01:13 2022
From: noreply at github.com (Pauli)
Date: Wed, 12 Oct 2022 01:01:13 -0700
Subject: [openssl/general-policies] 59fc83: add vote to stop shipping 306
Message-ID:
Branch: refs/heads/vote-306-pull
Home: https://github.com/openssl/general-policies

Commit: 59fc83b6ac9f53846a8368a9337a40ece5384d17
    https://github.com/openssl/general-policies/commit/59fc83b6ac9f53846a8368a9337a40ece5384d17
Author: Pauli
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  A votes/vote-20221012-stop-306-111r.txt
Log Message:
-----------
add vote to stop shipping 306

From noreply at github.com Wed Oct 12 08:04:37 2022
From: noreply at github.com (Pauli)
Date: Wed, 12 Oct 2022 01:04:37 -0700
Subject: [openssl/general-policies] 59592d: add vote to stop shipping 306
Message-ID:
Branch: refs/heads/vote-306-pull
Home: https://github.com/openssl/general-policies

Commit: 59592dddf0dabcd92f2fcb449832de6ffb5fdac8
    https://github.com/openssl/general-policies/commit/59592dddf0dabcd92f2fcb449832de6ffb5fdac8
Author: Pauli
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  A votes/vote-20221012-stop-306-111r.txt
Log Message:
-----------
add vote to stop shipping 306

From pauli at openssl.org Wed Oct 12 08:05:13 2022
From: pauli at openssl.org (Dr Paul Dale)
Date: Wed, 12 Oct 2022 19:05:13 +1100
Subject: OMC VOTE: stop shipping 1.1.1r and 3.0.6 releases
Message-ID: <91e05703-c659-6274-01eb-a2a5169c884e@openssl.org>

Topic: Stop distributing 1.1.1r and 3.0.6 while the problems are investigated.
comment: An announcement should also be made.
Proposed by: Pauli
Issue link: https://github.com/openssl/general-policies/pull/32
Public: yes
Opened: 2022-10-12
Closed: 2022-10-12
Accepted: yes (for: 3, against: 0, abstained: 2, not voted: 1)

  Kurt      [  ]
  Mark      [ 0]
  Matt      [+1]
  Pauli     [+1]
  Richard   [ 0]
  Tim       [+1]

From noreply at github.com Wed Oct 12 08:10:04 2022
From: noreply at github.com (Pauli)
Date: Wed, 12 Oct 2022 01:10:04 -0700
Subject: [openssl/general-policies] 408e39: add vote to stop shipping 306
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: 408e39d0c33f09f979e6ddd8f35a485d5e73c5e5
    https://github.com/openssl/general-policies/commit/408e39d0c33f09f979e6ddd8f35a485d5e73c5e5
Author: Pauli
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  A votes/vote-20221012-stop-306-111r.txt
Log Message:
-----------
add vote to stop shipping 306

From noreply at github.com Wed Oct 12 08:11:29 2022
From: noreply at github.com (openssl-machine)
Date: Wed, 12 Oct 2022 01:11:29 -0700
Subject: [openssl/general-policies]
Message-ID:
Branch: refs/heads/vote-306-pull
Home: https://github.com/openssl/general-policies

From noreply at github.com Wed Oct 12 13:13:29 2022
From: noreply at github.com (Richard Levitte)
Date: Wed, 12 Oct 2022 06:13:29 -0700
Subject: [openssl/general-policies] 59dbd9: Add vote re RIPEMD160 in OpenSSL 3.0
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: 59dbd96730d772be7341b17db609735908becb6a
    https://github.com/openssl/general-policies/commit/59dbd96730d772be7341b17db609735908becb6a
Author: Richard Levitte
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  A votes/vote-20221012-ripemd160-in-3.0-default-provider.txt
Log Message:
-----------
Add vote re RIPEMD160 in OpenSSL 3.0

From noreply at github.com Wed Oct 12 13:15:22 2022
From: noreply at github.com (Richard Levitte)
Date: Wed, 12 Oct 2022 06:15:22 -0700
Subject: [openssl/general-policies] 918c86: Add vote re selection and handling for SHA1 and RI...
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: 918c86138a5d2495dc83e50781fc583cd4bd1992
    https://github.com/openssl/general-policies/commit/918c86138a5d2495dc83e50781fc583cd4bd1992
Author: Richard Levitte
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  A votes/vote-20221012-ripemd160-in-3.0-default-provider.txt
Log Message:
-----------
Add vote re selection and handling for SHA1 and RIPEMD160

From noreply at github.com Wed Oct 12 13:16:30 2022
From: noreply at github.com (Richard Levitte)
Date: Wed, 12 Oct 2022 06:16:30 -0700
Subject: [openssl/general-policies] b8b852: Add vote re selection and handling for SHA1 and RI...
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: b8b85215e2596a47b98ed37ba161ef9e566ef24c
    https://github.com/openssl/general-policies/commit/b8b85215e2596a47b98ed37ba161ef9e566ef24c
Author: Richard Levitte
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  A votes/vote-20221012-handling-sha1-and-ripemd160.txt
Log Message:
-----------
Add vote re selection and handling for SHA1 and RIPEMD160

From noreply at github.com Wed Oct 12 13:19:30 2022
From: noreply at github.com (Richard Levitte)
Date: Wed, 12 Oct 2022 06:19:30 -0700
Subject: [openssl/general-policies] 2e5697: Add vote re RIPEMD160 in OpenSSL 3.0
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: 2e5697419515a0a25eb0820998123a9f325ea153
    https://github.com/openssl/general-policies/commit/2e5697419515a0a25eb0820998123a9f325ea153
Author: Richard Levitte
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  A votes/vote-20221012-ripemd160-in-3.0-default-provider.txt
Log Message:
-----------
Add vote re RIPEMD160 in OpenSSL 3.0

From richard at levitte.org Wed Oct 12 13:35:19 2022
From: richard at levitte.org (Richard Levitte)
Date: Wed, 12 Oct 2022 15:35:19 +0200
Subject: OMC VOTE: selection and handling for SHA1 and RIPEMD160
Message-ID: <875ygp17xk.wl-richard@levitte.org>

Topic: Provider selection and handling for SHA1 and RIPEMD160 should be identical given the current understanding of algorithm specific security issues.
Proposed by: Tim
Public: yes
Issue link: https://github.com/openssl/general-policies/issues/35
Opened: 2022-10-12
Closed: 2022-10-12
Accepted: yes/no (for: 5, against: 0, abstained: 0, not voted: 1)

  Matt      [+1]
  Mark      [+1]
  Pauli     [+1]
  Tim       [+1]
  Richard   [+1]
  Kurt      [  ]

From richard at levitte.org Wed Oct 12 13:37:15 2022
From: richard at levitte.org (Richard Levitte)
Date: Wed, 12 Oct 2022 15:37:15 +0200
Subject: OMC VOTE: RIPEMD160 in OpenSSL 3.0 default provider
Message-ID: <874jw917uc.wl-richard@levitte.org>

Topic: Accept PR#19375 to add RIPEMD160 to the default provider for 3.0 subject to the normal review process
Proposed by: Tim
Public: yes
Opened: 2022-10-12
Closed: 2022-10-12
Accepted: yes/no (for: 3, against: 0, abstained: 2, not voted: 1)

  Matt      [+1]
  Mark      [+1]
  Pauli     [ 0]
  Tim       [ 0]
  Richard   [+1]
  Kurt      [  ]

From matt at openssl.org Wed Oct 12 14:23:38 2022
From: matt at openssl.org (Matt Caswell)
Date: Wed, 12 Oct 2022 15:23:38 +0100
Subject: Withdrawal of OpenSSL 3.0.6 and 1.1.1r
Message-ID: <304011b8-cb85-6ed9-fbeb-b8c089d884c8@openssl.org>

We have received a report of a significant regression in the latest 3.0.6 and 1.1.1r versions. The regression is not thought to have security consequences.

While the regression is further investigated we have taken the decision to withdraw the 3.0.6 and 1.1.1r versions and instead recommend that users remain on the previous 3.0.5 and 1.1.1q versions for now.

We will issue a new plan for the release of 3.0.7 and 1.1.1s soon.

Yours
The OpenSSL Project Team
From openssl-users at dukhovni.org Wed Oct 12 15:00:47 2022
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Wed, 12 Oct 2022 11:00:47 -0400
Subject: OMC VOTE: selection and handling for SHA1 and RIPEMD160
In-Reply-To: <875ygp17xk.wl-richard@levitte.org>
References: <875ygp17xk.wl-richard@levitte.org>
Message-ID:

On Wed, Oct 12, 2022 at 03:35:19PM +0200, Richard Levitte wrote:

> Topic: Provider selection and handling for SHA1 and RIPEMD160 should be identical
>        given the current understanding of algorithm specific security issues.

Shouldn't real-world usage be taken into account? SHA1 is widely used, and even has important use-cases that aren't going away and where collision resistance is not a major concern, e.g. NSEC3 in DNSSEC where it is used for light obfuscation, not cryptographic signing.

I am not aware of any extant protocols that rely on RIPEMD160. I think that strictly looking at security margins is misguided, real world usage needs to inform any such decision, and users should be able to easily keep SHA1 without bringing RIPEMD160 along for the ride.

-- 
    Viktor.

From tomas at openssl.org Wed Oct 12 15:51:35 2022
From: tomas at openssl.org (Tomas Mraz)
Date: Wed, 12 Oct 2022 17:51:35 +0200
Subject: OMC VOTE: selection and handling for SHA1 and RIPEMD160
In-Reply-To:
References: <875ygp17xk.wl-richard@levitte.org>
Message-ID: <1d3f5449b663a48f2b1408cdd56f544ef3504186.camel@openssl.org>

On Wed, 2022-10-12 at 11:00 -0400, Viktor Dukhovni wrote:
> On Wed, Oct 12, 2022 at 03:35:19PM +0200, Richard Levitte wrote:
> 
> > Topic: Provider selection and handling for SHA1 and RIPEMD160 should be identical
> >        given the current understanding of algorithm specific security issues.
> 
> Shouldn't real-world usage be taken into account? SHA1 is widely used,
> and even has important use-cases that aren't going away and where
> collision resistance is not a major concern, e.g. NSEC3 in DNSSEC
> where it is used for light obfuscation, not cryptographic signing.
> 
> I am not aware of any extant protocols that rely on RIPEMD160. I think
> that strictly looking at security margins is misguided, real world usage
> needs to inform any such decision, and users should be able to easily
> keep SHA1 without bringing RIPEMD160 along for the ride.

There is one widespread "protocol" relying on RIPEMD160 - Bitcoin.

-- 
Tomáš Mráz, OpenSSL

From noreply at github.com Wed Oct 12 21:15:30 2022
From: noreply at github.com (Richard Levitte)
Date: Wed, 12 Oct 2022 14:15:30 -0700
Subject: [openssl/general-policies] 1d2377: Add Kurt's vote re selection and handling for SHA1...
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: 1d2377fbe6bdd673430923eeab56d3f8d59056ce
    https://github.com/openssl/general-policies/commit/1d2377fbe6bdd673430923eeab56d3f8d59056ce
Author: Richard Levitte
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  M votes/vote-20221012-handling-sha1-and-ripemd160.txt
Log Message:
-----------
Add Kurt's vote re selection and handling for SHA1 and RIPEMD160

From noreply at github.com Wed Oct 12 21:17:30 2022
From: noreply at github.com (Richard Levitte)
Date: Wed, 12 Oct 2022 14:17:30 -0700
Subject: [openssl/general-policies] 2dd1d8: Add Kurt's vote re RIPEMD160 in OpenSSL 3.0
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: 2dd1d86c5c0e5c9996938449503f7f195b17d859
    https://github.com/openssl/general-policies/commit/2dd1d86c5c0e5c9996938449503f7f195b17d859
Author: Richard Levitte
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
  M votes/vote-20221012-ripemd160-in-3.0-default-provider.txt
Log Message:
-----------
Add Kurt's vote re RIPEMD160 in OpenSSL 3.0

From noreply at github.com Wed Oct 12 22:10:29 2022
From: noreply at github.com (Pauli)
Date: Wed, 12 Oct 2022 15:10:29 -0700
Subject: [openssl/general-policies] 5f4950: Add Kurt's vote
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/general-policies

Commit: 5f495051ae29e88b02cbeda544f5adb2091d14ee
    https://github.com/openssl/general-policies/commit/5f495051ae29e88b02cbeda544f5adb2091d14ee
Author: Pauli
Date: 2022-10-13 (Thu, 13 Oct 2022)
Changed paths:
  M votes/vote-20221012-stop-306-111r.txt
Log Message:
-----------
Add Kurt's vote

From noreply at reply.github.openssl.org Tue Oct 18 09:15:14 2022
From: noreply at reply.github.openssl.org (matt)
Date: Tue, 18 Oct 2022 09:15:14 +0000
Subject: [otc/technical-policies] 27e90c: Close a vote
Message-ID:
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies

Commit: 27e90c5a782bdc500efa0c86d5e625740b4c54f8
    https://github.openssl.org/otc/technical-policies/commit/27e90c5a782bdc500efa0c86d5e625740b4c54f8
Author: Matt Caswell
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  M votes/vote-20221011-pr17984-is-a-bug-fix.txt
Log Message:
-----------
Close a vote

From noreply at github.com Tue Oct 18 09:17:32 2022
From: noreply at github.com (Matt Caswell)
Date: Tue, 18 Oct 2022 02:17:32 -0700
Subject: [openssl/technical-policies] 27e90c: Close a vote
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies

Commit: 27e90c5a782bdc500efa0c86d5e625740b4c54f8
    https://github.com/openssl/technical-policies/commit/27e90c5a782bdc500efa0c86d5e625740b4c54f8
Author: Matt Caswell
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  M votes/vote-20221011-pr17984-is-a-bug-fix.txt
Log Message:
-----------
Close a vote

From tomas at openssl.org Tue Oct 18 10:08:20 2022
From: tomas at openssl.org (Tomas Mraz)
Date: Tue, 18 Oct 2022 12:08:20 +0200
Subject: OTC VOTE: Accept PR #19400 in master and 3.0 subject to normal review process
Message-ID: <9261adfe4be68ecd62d068e8bc42ad5801b53a6b.camel@openssl.org>

https://github.com/openssl/technical-policies/issues/56

This vote was immediately closed as the outcome was determined during the OTC meeting already.

-- 
Tomáš Mráz, OpenSSL

From noreply at reply.github.openssl.org Tue Oct 18 10:11:23 2022
From: noreply at reply.github.openssl.org (matt)
Date: Tue, 18 Oct 2022 10:11:23 +0000
Subject: [otc/technical-policies] 95b43d: Correct summary total in a vote
Message-ID:
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies

Commit: 95b43d3949d5dc28c119069a9613db21a6ebe645
    https://github.openssl.org/otc/technical-policies/commit/95b43d3949d5dc28c119069a9613db21a6ebe645
Author: Matt Caswell
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  M votes/vote-20221011-pr17984-is-a-bug-fix.txt
Log Message:
-----------
Correct summary total in a vote

From noreply at reply.github.openssl.org Tue Oct 18 10:12:48 2022
From: noreply at reply.github.openssl.org (Tomas Mraz)
Date: Tue, 18 Oct 2022 10:12:48 +0000
Subject: [otc/technical-policies] 471413: Add vote for accepting PR #19400
Message-ID:
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies

Commit: 471413fa8d409043847f00b8062ddacc3aef5ec7
    https://github.openssl.org/otc/technical-policies/commit/471413fa8d409043847f00b8062ddacc3aef5ec7
Author: Tomas Mraz
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  A votes/vote-20221018-accept-pr19400.txt
Log Message:
-----------
Add vote for accepting PR #19400

From noreply at github.com Tue Oct 18 10:13:30 2022
From: noreply at github.com (Matt Caswell)
Date: Tue, 18 Oct 2022 03:13:30 -0700
Subject: [openssl/technical-policies] 95b43d: Correct summary total in a vote
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies

Commit: 95b43d3949d5dc28c119069a9613db21a6ebe645
    https://github.com/openssl/technical-policies/commit/95b43d3949d5dc28c119069a9613db21a6ebe645
Author: Matt Caswell
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  M votes/vote-20221011-pr17984-is-a-bug-fix.txt
Log Message:
-----------
Correct summary total in a vote

From noreply at github.com Tue Oct 18 10:14:29 2022
From: noreply at github.com (Tomáš Mráz)
Date: Tue, 18 Oct 2022 03:14:29 -0700
Subject: [openssl/technical-policies] 471413: Add vote for accepting PR #19400
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies

Commit: 471413fa8d409043847f00b8062ddacc3aef5ec7
    https://github.com/openssl/technical-policies/commit/471413fa8d409043847f00b8062ddacc3aef5ec7
Author: Tomas Mraz
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  A votes/vote-20221018-accept-pr19400.txt
Log Message:
-----------
Add vote for accepting PR #19400

From noreply at reply.github.openssl.org Tue Oct 18 10:37:19 2022
From: noreply at reply.github.openssl.org (Tomas Mraz)
Date: Tue, 18 Oct 2022 10:37:19 +0000
Subject: [otc/technical-policies] b2beca: Record Tim's post-closing vote
Message-ID:
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies

Commit: b2becad268931d274046999e2511638fb3a52eee
    https://github.openssl.org/otc/technical-policies/commit/b2becad268931d274046999e2511638fb3a52eee
Author: Tomas Mraz
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  M votes/vote-20221018-accept-pr19400.txt
Log Message:
-----------
Record Tim's post-closing vote

From noreply at github.com Tue Oct 18 10:39:30 2022
From: noreply at github.com (Tomáš Mráz)
Date: Tue, 18 Oct 2022 03:39:30 -0700
Subject: [openssl/technical-policies] b2beca: Record Tim's post-closing vote
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies

Commit: b2becad268931d274046999e2511638fb3a52eee
    https://github.com/openssl/technical-policies/commit/b2becad268931d274046999e2511638fb3a52eee
Author: Tomas Mraz
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  M votes/vote-20221018-accept-pr19400.txt
Log Message:
-----------
Record Tim's post-closing vote

From mkoci at openssl.org Tue Oct 18 12:33:03 2022
From: mkoci at openssl.org (Ing. Martin Koci, MBA)
Date: Tue, 18 Oct 2022 14:33:03 +0200
Subject: OTC F2F proposal
Message-ID:

Hello,

one suggestion would be to hold OTC F2F in the ICMC conference [1] week next year. The ICMC conference is held on September 20-22 2023, Shaw Centre, Ottawa, Ontario, Canada.

Though we might find it more comfortable (from financial and travelling POV) to meet in Europe. This is open for discussion.

/koca

[1] https://icmconference.org/

From mkoci at openssl.org Tue Oct 18 12:40:09 2022
From: mkoci at openssl.org (Ing. Martin Koci, MBA)
Date: Tue, 18 Oct 2022 14:40:09 +0200
Subject: Proposal on metrics for outstanding GitHub PRs and issues
Message-ID:

Hello,

apologies for the email format (copy&paste). Anyway, here are the details:

** To track the number of actually opened PRs from GitHub and expose it publicly. Tracked on a daily basis. Concrete requirements/metrics below:

  * How many PRs in total
  * How many Issues in total (features, questions, bugs, regressions, ...)
  * How many of the PRs are waiting for review
  * How many of the PRs are waiting for an update
  * Optionally: PRs Removal Efficiency
      o How many PRs were closed vs. opened during a period of time. It's PRs Removal Efficiency, that is, the extent to which the development team is able to handle and remove the valid PRs or defects (issues) that have been opened.
      o To calculate the PRs gap, get a count of the total PRs opened and the total number of those that were closed by the end of the cycle. Calculate a quick percentage.
      o Example of defect gap including formula:

Thanks,
/koca
From noreply at reply.github.openssl.org Tue Oct 18 14:55:11 2022
From: noreply at reply.github.openssl.org (Tomas Mraz)
Date: Tue, 18 Oct 2022 14:55:11 +0000
Subject: [otc/technical-policies] 290d95: Record Kurt's post-closing vote
Message-ID:
Branch: refs/heads/master
Home: https://github.openssl.org/otc/technical-policies

Commit: 290d95d9a567f3bd647331d09bad374bf3a75bd5
    https://github.openssl.org/otc/technical-policies/commit/290d95d9a567f3bd647331d09bad374bf3a75bd5
Author: Tomas Mraz
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  M votes/vote-20221018-accept-pr19400.txt
Log Message:
-----------
Record Kurt's post-closing vote

From noreply at github.com Tue Oct 18 14:56:34 2022
From: noreply at github.com (Tomáš Mráz)
Date: Tue, 18 Oct 2022 07:56:34 -0700
Subject: [openssl/technical-policies] 290d95: Record Kurt's post-closing vote
Message-ID:
Branch: refs/heads/master
Home: https://github.com/openssl/technical-policies

Commit: 290d95d9a567f3bd647331d09bad374bf3a75bd5
    https://github.com/openssl/technical-policies/commit/290d95d9a567f3bd647331d09bad374bf3a75bd5
Author: Tomas Mraz
Date: 2022-10-18 (Tue, 18 Oct 2022)
Changed paths:
  M votes/vote-20221018-accept-pr19400.txt
Log Message:
-----------
Record Kurt's post-closing vote

From mkoci at openssl.org Tue Oct 25 12:54:15 2022
From: mkoci at openssl.org (Ing. Martin Koci, MBA)
Date: Tue, 25 Oct 2022 14:54:15 +0200
Subject: Forthcoming OpenSSL Releases
Message-ID:

Hello,

The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7.

This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC.

OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL:
https://www.openssl.org/policies/general/security-policy.html

Yours
The OpenSSL Project Team
Name: OpenPGP_0x6D0A36D2E30590A6.asc
Type: application/pgp-keys
Size: 2440 bytes
Desc: OpenPGP public key
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL:

From mkoci at openssl.org Tue Oct 25 18:36:25 2022
From: mkoci at openssl.org (Ing. Martin Koci, MBA)
Date: Tue, 25 Oct 2022 20:36:25 +0200
Subject: Forthcoming OpenSSL Bug Fix Release
Message-ID:

Hello,

In addition to the already announced 3.0.7 release, the OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1s, which is a bug fix release.

This bug fix release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC too.

Yours
The OpenSSL Project Team

From matangi at checkpoint.com Wed Oct 26 11:17:32 2022
From: matangi at checkpoint.com (Matan Giladi)
Date: Wed, 26 Oct 2022 11:17:32 +0000
Subject: Forthcoming OpenSSL Bug Fix Release
In-Reply-To:
References:
Message-ID: <4a324f40d90b4cb5a6ceab5623615ed8@checkpoint.com>

Is 1.1.1s going to include any security fix?
Can you please confirm that the critical issue found in the 3.0.6 version is irrelevant for 1.1.1?

-----Original Message-----
From: openssl-announce On Behalf Of Ing. Martin Koci, MBA
Sent: Tuesday, October 25, 2022 21:36
To: openssl-announce at openssl.org; openssl-users at openssl.org; openssl-project at openssl.org; oss-security at lists.openwall.com
Subject: Forthcoming OpenSSL Bug Fix Release

Hello,

In addition to the already announced 3.0.7 release, the OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1s, which is a bug fix release.

This bug fix release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC too.
Yours
The OpenSSL Project Team

From shawn.webb at hardenedbsd.org Wed Oct 26 15:17:37 2022
From: shawn.webb at hardenedbsd.org (Shawn Webb)
Date: Wed, 26 Oct 2022 11:17:37 -0400
Subject: [oss-security] Forthcoming OpenSSL Releases
In-Reply-To:
References:
Message-ID: <20221026151737.rtmp5eatjf5uqgnb@mutt-hbsd>

On Tue, Oct 25, 2022 at 02:54:15PM +0200, Ing. Martin Koci, MBA wrote:
> Hello,
>
> The OpenSSL project team would like to announce the forthcoming release of
> OpenSSL version 3.0.7.
>
> This release will be made available on Tuesday 1st November 2022 between
> 1300-1700 UTC.
>
> OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in
> this release is CRITICAL:

Hey there,

I don't see anything on the CERT Vince site. Is there any way we could coordinate a response via CERT?

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:

From pauli at openssl.org Wed Oct 26 22:41:42 2022
From: pauli at openssl.org (Dr Paul Dale)
Date: Thu, 27 Oct 2022 09:41:42 +1100
Subject: Forthcoming OpenSSL Bug Fix Release
In-Reply-To: <4a324f40d90b4cb5a6ceab5623615ed8@checkpoint.com>
References: <4a324f40d90b4cb5a6ceab5623615ed8@checkpoint.com>
Message-ID:

1.1.1 is not susceptible to the CVE that is being fixed in 3.0: "the forthcoming release of OpenSSL version 1.1.1s that is a *bug fix* release" (highlight added).

Dr Paul Dale

On 26/10/22 22:17, Matan Giladi wrote:
> Is 1.1.1s going to include any security fix?
> Can you please confirm that the critical issue found in the 3.0.6 version is irrelevant for 1.1.1?
>
> -----Original Message-----
> From: openssl-announce On Behalf Of Ing. Martin Koci, MBA
> Sent: Tuesday, October 25, 2022 21:36
> To: openssl-announce at openssl.org; openssl-users at openssl.org; openssl-project at openssl.org; oss-security at lists.openwall.com
> Subject: Forthcoming OpenSSL Bug Fix Release
>
> Hello,
>
> In addition to the already announced 3.0.7 release, the OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1s, which is a bug fix release.
>
> This bug fix release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC too.
>
> Yours
> The OpenSSL Project Team
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From christian.heinrich at cmlh.id.au Sat Oct 29 21:07:05 2022
From: christian.heinrich at cmlh.id.au (Christian Heinrich)
Date: Sun, 30 Oct 2022 07:37:05 +1030
Subject: [oss-security] Forthcoming OpenSSL Releases
In-Reply-To: <20221026151737.rtmp5eatjf5uqgnb@mutt-hbsd>
References: <20221026151737.rtmp5eatjf5uqgnb@mutt-hbsd>
Message-ID:

Shawn,

On Thu, 27 Oct 2022 at 02:00, Shawn Webb wrote:
> I don't see anything on the CERT Vince site. Is there any way we could
> coordinate a response via CERT?

This is addressed within the "Prenotification policy" of https://www.openssl.org/policies/general/security-policy.html

--
Regards,
Christian Heinrich
http://cmlh.id.au/contact