• ITUGLIB Update: OpenSSL 1.1.1t and 3.0.8 Available

    From Randall@21:1/5 to All on Thu Feb 9 05:07:37 2023
    Hi Everyone,

    The usual builds for OpenSSL on NonStop are now available on the ITUGLIB website. These are important builds representing fixes to some high and medium CVEs (Critical Vulnerabilities and Exposures). Please upgrade immediately. These CVEs can apply to both client and server operating modes:

    Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]

    Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
    Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
    Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
    Fixed Timing Oracle in RSA Decryption (CVE-2022-4304)

    Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]

    Fixed NULL dereference during PKCS7 data verification (CVE-2023-0401)
    Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
    Fixed NULL dereference validating DSA public key (CVE-2023-0217)
    Fixed Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216)
    Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
    Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
    Fixed Timing Oracle in RSA Decryption (CVE-2022-4304)
    Fixed X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203)
    Fixed X.509 Policy Constraints Double Locking (CVE-2022-3996)

    The OpenSSL website has details on these and release notes at https://www.openssl.org/news/openssl-3.0-notes.html and https://www.openssl.org/news/openssl-1.1.1-notes.html.

    Note that the OpenSSL 1.1.1 Long Term Support will end in Sept 2023 (that is 7 months away, so get planning to move to 3.0). OpenSSL 3.0 support is planned through 2026 and is planned to be replaced with 3.1.

    Note that the CVEs also apply to the 1.0.2 release. If you are stuck on 1.0.2 and cannot move to 1.1.1 or 3.0.8, please contact me, as my company is authorized by Connect to set up a support contract for 1.0.2.

    To find the proper build, go to https://ituglib.connect-community.org/apps/Ituglib/SrchOpenSrcLib.xhtml putting openssl in the package field. This will bring up all available builds.

    Regards,
    Randall Becker
    On Behalf of the ITUGLIB Technical Committee

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
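As an added check (not part of the post above), a POSIX sh function that classifies an `openssl version` string against the fixed releases named in the announcement: 1.1.1t for the 1.1.1 series and 3.0.8 for the 3.0 series, with 1.0.2 reported as unsupported. `openssl_fix_status` and `check_local_openssl` are names chosen here, not ITUGLIB tooling.

```shell
# Added example, not from the ITUGLIB post. Classify an OpenSSL version token
# (the second field of `openssl version`, e.g. "1.1.1s" or "3.0.7") against the
# fixed releases named in the announcement. Prints one of:
#   fixed | vulnerable | unsupported | other
openssl_fix_status() {
    v="$1"
    case "$v" in
        1.0.2*)
            # 1.0.2 is affected too and has no public fix (commercial support only)
            echo unsupported ;;
        1.1.1*)
            # the patch letter follows "1.1.1" (none for plain 1.1.1); 1.1.1t is the fix
            rest="${v#1.1.1}"
            letter="${rest%"${rest#?}"}"   # first character of $rest, empty if none
            case "$letter" in
                t|u|v|w|x|y|z) echo fixed ;;
                *)             echo vulnerable ;;
            esac ;;
        3.0.*)
            # numeric patch level; drop any "-dev"/"-fips" style trailer before comparing
            patch="${v#3.0.}"
            patch="${patch%%[!0-9]*}"
            if [ "${patch:-0}" -ge 8 ]; then echo fixed; else echo vulnerable; fi ;;
        *)
            # branch not covered by the post (e.g. 3.1): decide separately
            echo other ;;
    esac
}

# Check the OpenSSL found on PATH, if any (hypothetical helper name).
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo other; return; }
    set -- $(openssl version 2>/dev/null)   # e.g. "OpenSSL 1.1.1s  1 Nov 2022"
    openssl_fix_status "$2"
}

check_local_openssl
```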
  • From Randall@21:1/5 to Randall on Thu Feb 9 05:14:38 2023
    On Thursday, February 9, 2023 at 8:07:38 a.m. UTC-5, Randall wrote:
    [previous post quoted in full; see above]

    If you are looking for the 1.1.1t source, it is in the ITUGLIB repository at GitHub: https://github.com/ituglib/openssl.git on the ituglib_release branch. Each release is tagged with an _NSK suffix and you can compare these to the standard releases which are also in the repository.
