On Tuesday, July 5, 2022 at 11:34:44 a.m. UTC-4, Randall wrote:
Hi Everyone,
Updates to OpenSSL came out this morning. These are in the build system now and will get to the website as soon as we can. Updates will come as I have them. The 3.0.5 builds on L-series take about 17 hours, so expect something relating to that tomorrow. J-series takes a lot longer.
You can download tarballs or obtain OpenSSL source from
* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/
* https://github.com/ituglib/openssl.git (ituglib_release branch)
The release involves the following High CVE (URLs are below).
Regards,
Randall Becker
On Behalf of the ITUGLIB Technical Committee
Heap memory corruption with RSA private key operation (CVE-2022-2274)
=====================================================================
Severity: High
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.
SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
Note that on a vulnerable machine, proper testing of OpenSSL would fail and should be noticed before deployment. ITUGLIB did not detect any issues here.
Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
This issue was reported to OpenSSL on 22nd June 2022 by Xi Ruoyao. The fix was developed by Xi Ruoyao.
References
==========
URL for this Security Advisory: https://www.openssl.org/news/secadv/20220705.txt

On Tuesday, July 5, 2022 at 7:15:04 p.m. UTC-4, Randall wrote:
OpenSSL 3.0.5 builds for L-series (32-bit, 64-bit, PUT-64-bit, and SPT-32-bit) are now on the ITUGLIB website. More to come.

OpenSSL 1.1.1q builds for L-series (unthreaded, PUT, SPT, IEEE) are now on the ITUGLIB website. More to come as we move to J-series builds.
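
The affected condition stated in the advisory (OpenSSL 3.0.4 on an X86_64 CPU with AVX512IFMA), written as a host triage check. This is an added example, not part of the thread or of OpenSSL; it assumes `openssl version` banner text and a Linux-style `/proc/cpuinfo` flags line as inputs, and the sample hosts and verdict labels are constructed.

```python
import re

AFFECTED = "3.0.4"       # per the advisory; fixed in 3.0.5
CPU_FLAG = "avx512ifma"  # assumption: Linux /proc/cpuinfo spelling of AVX512IFMA

def openssl_version(banner):
    """Version token from `openssl version` output, or None if unparseable."""
    m = re.match(r"\s*OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", banner)
    return m.group(1) if m else None

def cpu_has_flag(cpuinfo, flag=CPU_FLAG):
    """True if a 'flags' line lists the flag as a whole word (avx512f must not match)."""
    for line in cpuinfo.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags" and flag in value.split():
            return True
    return False

def triage(banner, machine, cpuinfo):
    """Classify one host against the advisory's affected condition."""
    version = openssl_version(banner)
    if version is None:
        return "unknown"            # not an OpenSSL banner; check by hand
    if version != AFFECTED:
        return "not-affected"       # e.g. 1.1.1, 1.0.2, or 3.0.5
    if machine.lower() in ("x86_64", "amd64") and cpu_has_flag(cpuinfo):
        return "exposed"            # 3.0.4 + X86_64 + AVX512IFMA
    return "upgrade"                # 3.0.4 present; advisory still says move to 3.0.5

# Constructed inventory: (openssl version banner, uname -m, /proc/cpuinfo excerpt)
SAMPLES = {
    "web1": ("OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)",
             "x86_64", "processor\t: 0\nflags\t\t: fpu sse2 avx2 avx512f avx512ifma\n"),
    "web2": ("OpenSSL 3.0.4 21 Jun 2022", "x86_64", "flags\t\t: fpu sse2 avx2 avx512f\n"),
    "db1":  ("OpenSSL 1.1.1q  5 Jul 2022", "x86_64", "flags : fpu avx512ifma\n"),
    "arm1": ("OpenSSL 3.0.4 21 Jun 2022", "aarch64", "Features : fp asimd aes\n"),
}

def report(samples=SAMPLES):
    return {host: triage(*facts) for host, facts in samples.items()}

if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host}: {verdict}")
```

The banner describes the `openssl` binary that was queried; applications that bundle or statically link their own copy of the library need to be checked separately.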