• ITUGLIB Update: OpenSSL 3.0.5 and 1.1.1q

    From Randall@21:1/5 to All on Tue Jul 5 08:34:42 2022
    Hi Everyone,

    Updates to OpenSSL came out this morning. These are in the build system now and will get to the website as soon as we can. Updates will come as I have them. The 3.0.5 builds on L-series take about 17 hours, so expect something relating to that tomorrow.
    J-series takes a lot longer.

    You can download tarballs or obtain OpenSSL source from
    * https://www.openssl.org/source/
    * ftp://ftp.openssl.org/source/
    * https://github.com/ituglib/openssl.git (ituglib_release branch)

    The release involves the following High CVE (URLs are below).

    Regards,
    Randall Becker
    On Behalf of the ITUGLIB Technical Committee

    Heap memory corruption with RSA private key operation (CVE-2022-2274)
    =====================================================================

    Severity: High

    The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.

    SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

    Note that on a vulnerable machine, proper testing of OpenSSL would fail and should be noticed before deployment. ITUGLIB did not detect any issues here.

    Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    This issue was reported to OpenSSL on 22nd June 2022 by Xi Ruoyao. The fix was developed by Xi Ruoyao.

    References
    ==========

    URL for this Security Advisory: https://www.openssl.org/news/secadv/20220705.txt

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
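
An exposure check built from the conditions the advisory above lists (OpenSSL 3.0.4, X86_64, AVX512IFMA), added here as an example; it is not part of the original post and is not OpenSSL or ITUGLIB code. It assumes `openssl version` output and the Linux `/proc/cpuinfo` flag format, the function names are hypothetical, and it does not inspect whether 2048 bit RSA private keys are in use.

```shell
#!/bin/sh
# Added example: classify a host against the CVE-2022-2274 conditions in the advisory.

# Pull the version out of `openssl version` output. OpenSSL 3.x also prints
# "(Library: OpenSSL X ...)"; prefer that, since the loaded library is what matters.
openssl_version_of() {
    printf '%s\n' "$1" | awk '
        $1 != "OpenSSL" { next }
        { v = $2
          for (i = 3; i + 2 <= NF; i++) if ($i == "(Library:") v = $(i + 2)
          print v; exit }'
}

# Succeeds when cpuinfo text (Linux /proc/cpuinfo layout, an assumption) lists
# the avx512ifma flag as a whole word.
has_avx512ifma() {
    printf '%s\n' "$1" |
        grep -Eq '^flags[[:space:]]*:.*[[:space:]]avx512ifma([[:space:]]|$)'
}

# classify VERSION_OUTPUT ARCH CPUINFO -> prints one verdict word.
classify() {
    ver=$(openssl_version_of "$1")
    case "$ver" in
        3.0.4) ;;                                  # the only release named as affected
        "")    echo "unknown-version"; return 0 ;;
        *)     echo "not-affected-version"; return 0 ;;
    esac
    case "$2" in
        x86_64|amd64) ;;
        *) echo "not-affected-arch"; return 0 ;;
    esac
    if has_avx512ifma "$3"; then echo "affected"; else echo "not-affected-cpu"; fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VER='OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)'
SAMPLE_CPU='flags : fpu sse2 avx2 avx512f avx512ifma avx512vbmi'

if [ "${1:-}" = "--live" ]; then
    classify "$(openssl version 2>/dev/null)" "$(uname -m)" "$(cat /proc/cpuinfo 2>/dev/null)"
else
    classify "$SAMPLE_VER" x86_64 "$SAMPLE_CPU"
fi
```

The `openssl` binary on `PATH` is not necessarily the library a given server links or bundles, so run the check against each OpenSSL copy in use.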
  • From Randall@21:1/5 to Randall on Tue Jul 5 16:15:03 2022
    OpenSSL 3.0.5 builds for L-series (32-bit, 64-bit, PUT-64-bit, and SPT-32-bit) are now on the ITUGLIB website. More to come.

  • From Randall@21:1/5 to Randall on Tue Jul 5 19:13:46 2022
    OpenSSL 1.1.1q builds for L-series (unthreaded, PUT, SPT, IEEE) are now on the ITUGLIB website. More to come as we move to J-series builds.

  • From Randall@21:1/5 to Randall on Thu Jul 7 07:27:29 2022
    J-series packages are now available on the ITUGLIB website. Enjoy!
