ITUGLIB Update: OpenSSL 1.1.1t and 3.0.8 Available

Newsgroups: comp.sys.tandem
Date: Thu, 9 Feb 2023 05:07:37 -0800 (PST)
Message-ID: <3545a5f5-1b98-4589-8cc1-2da4627c58acn@googlegroups.com>
Subject: ITUGLIB Update: OpenSSL 1.1.1t and 3.0.8 Available
From: rsbec...@nexbridge.com (Randall)
 by: Randall - Thu, 9 Feb 2023 13:07 UTC

Hi Everyone,

The usual builds for OpenSSL on NonStop are now available on the ITUGLIB website. These are important builds representing fixes to some high and medium CVEs (Critical Vulnerabilities and Exposures). Please upgrade immediately. These CVEs can apply to both client and server operating modes:

Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]

Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
Fixed Timing Oracle in RSA Decryption (CVE-2022-4304)

Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]

Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401])
Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286])
Fixed NULL dereference validating DSA public key ([CVE-2023-0217])
Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216])
Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215])
Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450])
Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304])
Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203])
Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996])

The OpenSSL website has details on these and release notes at https://www.openssl.org/news/openssl-3.0-notes.html and https://www.openssl.org/news/openssl-1.1.1-notes.html.

Note that the OpenSSL 1.1.1 Long Term Support will end in Sept 2023 (that is 7 months away, so get planning to move to 3.0). OpenSSL 3.0 support is planned through 2026 and is planned to be replaced with 3.1.

Note that the CVEs also apply to the 1.0.2 release. If you are stuck on 1.0.2, and cannot move to 1.1.1 or 3.0.8, please contact me, as my company is authorized by Connect to set up a support contact for 1.0.2.

To find the proper build, go to https://ituglib.connect-community.org/apps/Ituglib/SrchOpenSrcLib.xhtml putting openssl in the package field. This will bring up all available builds.

Regards,
Randall Becker
On Behalf of the ITUGLIB Technical Committee
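
An added example, not part of the original post or of ITUGLIB's tooling: a POSIX shell function that classifies an `openssl version` banner against the two fixed releases named above (1.1.1t and 3.0.8). The function name, the result labels and the sample banners are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify `openssl version` output against the fixed
# releases named in the announcement (1.1.1t and 3.0.8).
LC_ALL=C; export LC_ALL   # keep [a-s]/[t-z] ranges strictly ASCII

# classify_openssl "<banner>" prints one of:
#   patched     at or past 1.1.1t / 3.0.8
#   vulnerable  on the 1.1.1 or 3.0 line but older than the fixed release
#   legacy      1.0.2: affected per the announcement, no build listed there
#   unknown     not OpenSSL, or a line the announcement does not cover
classify_openssl() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    case $ver in
    1.1.1*)
        # 1.1.1 patch levels are letters: (none) < a < ... < z < za < zb
        case ${ver#1.1.1} in
        ""|[a-s])     echo vulnerable ;;
        [t-z]|z[a-z]) echo patched ;;
        *)            echo unknown ;;
        esac ;;
    3.0.*)
        # 3.x uses a numeric patch level: 3.0.7 < 3.0.8 < 3.0.10
        patch=${ver#3.0.}
        patch=${patch%%[a-z]*}
        if [ "$patch" -ge 8 ]; then echo patched; else echo vulnerable; fi ;;
    1.0.2*)
        echo legacy ;;
    *)
        echo unknown ;;
    esac
}

# Constructed sample banners (not captured from a NonStop system).
for banner in \
    'OpenSSL 1.1.1s  1 Nov 2022' \
    'OpenSSL 1.1.1t  7 Feb 2023' \
    'OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)' \
    'OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)' \
    'OpenSSL 1.0.2u  20 Dec 2019'
do
    printf '%-12s %s\n' "$(classify_openssl "$banner")" "$banner"
done
```

On a live system, pass the real banner with `classify_openssl "$(openssl version)"`. The banner only describes the `openssl` binary found on the path; applications linked against a different copy of the library need to be checked separately.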

Re: ITUGLIB Update: OpenSSL 1.1.1t and 3.0.8 Available

Newsgroups: comp.sys.tandem
Date: Thu, 9 Feb 2023 05:14:38 -0800 (PST)
In-Reply-To: <3545a5f5-1b98-4589-8cc1-2da4627c58acn@googlegroups.com>
Message-ID: <910fb680-e8a9-4c4a-b1ad-476cd0304d02n@googlegroups.com>
Subject: Re: ITUGLIB Update: OpenSSL 1.1.1t and 3.0.8 Available
From: rsbec...@nexbridge.com (Randall)
 by: Randall - Thu, 9 Feb 2023 13:14 UTC

On Thursday, February 9, 2023 at 8:07:38 a.m. UTC-5, Randall wrote:
> Hi Everyone,
>
> The usual builds for OpenSSL on NonStop are now available on the ITUGLIB website. These are important builds representing fixes to some high and medium CVEs (Critical Vulnerabilities and Exposures). Please upgrade immediately. These CVEs can apply to both client and server operating modes:
>
> Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
>
> Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
> Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
> Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
> Fixed Timing Oracle in RSA Decryption (CVE-2022-4304)
>
> Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]
>
> Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401])
> Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286])
> Fixed NULL dereference validating DSA public key ([CVE-2023-0217])
> Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216])
> Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215])
> Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450])
> Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304])
> Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203])
> Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996])
>
> The OpenSSL website has details on these and release notes at https://www.openssl.org/news/openssl-3.0-notes.html and https://www.openssl.org/news/openssl-1.1.1-notes.html.
>
> Note that the OpenSSL 1.1.1 Long Term Support will end in Sept 2023 (that is 7 months away, so get planning to move to 3.0). OpenSSL 3.0 support is planned through 2026 and is planned to be replaced with 3.1.
>
> Note that the CVEs also apply to the 1.0.2 release. If you are stuck on 1.0.2, and cannot move to 1.1.1 or 3.0.8, please contact me, as my company is authorized by Connect to set up a support contact for 1.0.2.
>
> To find the proper build, go to https://ituglib.connect-community.org/apps/Ituglib/SrchOpenSrcLib.xhtml putting openssl in the package field. This will bring up all available builds.
>
> Regards,
> Randall Becker
> On Behalf of the ITUGLIB Technical Committee

If you are looking for the 1.1.1t source, it is in the ITUGLIB repository at GitHub: https://github.com/ituglib/openssl.git on the ituglib_release branch. Each release is tagged with an _NSK suffix and you can compare these to the standard releases which are also in the repository.
