Randall
2023-10-25 17:42:16 UTC
The latest patches for the OpenSSL 3.0.x and 3.1.x series are now available on the ITUGLIB website. Release notes are available at https://www.openssl.org/news/openssl-3.0-notes.html and https://www.openssl.org/news/openssl-3.1-notes.html.
Both releases contain fixes for CVE-2023-5363 (Moderate) - Incorrect cipher key & IV length processing described in the release notes.
The 3.2 series is still in alpha state. If you are interested in testing with this series, please let ITUGLIB know here. This series is not binary compatible with the 3.0.x and 3.1.x series, so you will need to recompile your code to use it. At present, we are not planning to release a 3.2 build until it reaches beta state.
The 1.1.1 and 1.0.2 series are no longer under official support, and do not receive security updates, so you should move off those releases. If you cannot move off those releases, please contact me to facilitate fee-based premium support from OpenSSL to obtain patched builds.
Regards,
Randall Becker
On Behalf of the ITUGLIB Technical Committee