• ITUGLIB Update: OpenSSL 1.1.1t and 3.0.8 are coming soon

    From Randall@21:1/5 to All on Tue Feb 7 08:31:42 2023
    Hi All,

    Because of the power outage in Texas where our system is, we are somewhat delayed getting the two releases to you. However, the bulk of the work is done (applying changes and so forth). There will be another notice when the software is available. Please consider moving to 3.0.8 if you are able, as this is the currently best supported release.

    Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]

    Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
    Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
    Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
    Fixed Timing Oracle in RSA Decryption (CVE-2022-4304)

    Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]

    Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401])
    Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286])
    Fixed NULL dereference validating DSA public key ([CVE-2023-0217])
    Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216])
    Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215])
    Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450])
    Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304])
    Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203])
    Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996])

    Regards,
    Randall Becker
    On Behalf of the ITUGLIB Technical Committee
