computers / comp.sys.tandem / ITUGLIB Update: OpenSSL 3.0.5 and 1.1.1q

ITUGLIB Update: OpenSSL 3.0.5 and 1.1.1q

 by: Randall - Tue, 5 Jul 2022 15:34 UTC

Hi Everyone,

Updates to OpenSSL came out this morning. These are in the build system now and will get to the website as soon as we can. Updates will come as I have them. The 3.0.5 builds on L-series take about 17 hours, so expect something relating to that tomorrow. J-series takes a lot longer.

You can download tarballs or obtain OpenSSL source from
* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/
* https://github.com/ituglib/openssl.git (ituglib_release branch)

The release involves the following High CVE (URLs are below).

Regards,
Randall Becker
On Behalf of the ITUGLIB Technical Committee

Heap memory corruption with RSA private key operation (CVE-2022-2274)
=====================================================================
Severity: High

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.

SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

Note that on a vulnerable machine, proper testing of OpenSSL would fail and should be noticed before deployment. ITUGLIB did not detect any issues here.

Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 22nd June 2022 by Xi Ruoyao. The fix was developed by Xi Ruoyao.

References
=========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220705.txt
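
Added example (not part of the original post or the OpenSSL advisory): a shell triage that checks the three conditions the advisory names, library version 3.0.4, the AVX512IFMA CPU flag, and a 2048-bit RSA private key. It assumes a Linux x86_64 host where CPU flags appear in /proc/cpuinfo; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: exposure triage for CVE-2022-2274 (assumes a Linux x86_64 host).
# Function names and the sample strings below are constructed for illustration.

# Print the OpenSSL *library* version from `openssl version` output.
# OpenSSL 3.x prints "OpenSSL X <date> (Library: OpenSSL Y <date>)"; Y is the
# code that performs the RSA computation, so prefer it when present.
lib_version() {
    case "$1" in
        *"(Library: OpenSSL "*) v=${1#*"(Library: OpenSSL "} ;;
        "OpenSSL "*)            v=${1#"OpenSSL "} ;;
        *)                      return 1 ;;
    esac
    printf '%s\n' "${v%% *}"
}

# Succeed if the CPU flag list (a "flags" line from /proc/cpuinfo) contains
# avx512ifma as a whole word.
cpu_has_ifma() {
    case " $(printf '%s' "$1" | tr '\t\n' '  ') " in
        *" avx512ifma "*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Exit status: 0 = all advisory conditions met, 1 = not exposed,
# 2 = version string not understood (treat as "check by hand").
# $1 = `openssl version` output, $2 = CPU flags, $3 = RSA private key bits
cve_2022_2274_exposed() {
    ver=$(lib_version "$1") || return 2
    [ "$ver" = "3.0.4" ] || return 1   # only 3.0.4 carries the bug
    cpu_has_ifma "$2"    || return 1   # needs AVX512IFMA on x86_64
    [ "$3" = "2048" ]    || return 1   # advisory names 2048-bit private keys
    return 0
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_VER='OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)'
SAMPLE_FLAGS='flags : fpu sse2 avx2 avx512f avx512ifma sha_ni'
if cve_2022_2274_exposed "$SAMPLE_VER" "$SAMPLE_FLAGS" 2048; then
    echo "sample host: exposed, upgrade to OpenSSL 3.0.5"
fi
```

On a real host, pass "$(openssl version)" and "$(grep -m1 '^flags' /proc/cpuinfo)" as the first two arguments, along with the bit length of the RSA private key in use.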

Re: ITUGLIB Update: OpenSSL 3.0.5 and 1.1.1q

 by: Randall - Tue, 5 Jul 2022 23:15 UTC

OpenSSL 3.0.5 builds for L-series (32-bit, 64-bit, PUT-64-bit, and SPT-32-bit) are now on the ITUGLIB website. More to come.

Re: ITUGLIB Update: OpenSSL 3.0.5 and 1.1.1q

 by: Randall - Wed, 6 Jul 2022 02:13 UTC

OpenSSL 1.1.1q builds for L-series (unthreaded, PUT, SPT, IEEE) are now on the ITUGLIB website. More to come as we move to J-series builds.

Re: ITUGLIB Update: OpenSSL 3.0.5 and 1.1.1q

 by: Randall - Thu, 7 Jul 2022 14:27 UTC

J-series packages are now available on the ITUGLIB website. Enjoy!
