a “grand redesign” of the OpenSSL random number generator
Wasn't that in the first version of LibreSSL?
Developers working with OpenSSL can finally start to work with TLS 1.3, thanks to the alpha version of OpenSSL 1.1.1 that landed yesterday. Getting TLS 1.3 into users' hands and working with infrastructure has been a long, slow process: the first version of its Internet-Draft dates back to April 2014, it reached version 23 in …
This is great, I invite everyone to test this version, we have to find and squash bugs still present and need everybody's help. This library is used in a gazillion pieces of software on all currently developed platforms, we need to help the OpenSSL guyz here ... just download, compile, run a few tests and report any issues you find - we need everybody to join in because this software is used by every single netizen.
And beer due for the OpenSSL team!
Easy there cowboy, while I respect your enthusiasm to help get this rolled out, we do want to make note of the key component of both that title and the point of release; OpenSSL alpha. This stuff be sandbox/playtime only in my books. Which is why I'm rejecting a code promotion from an idiot developer who cannot read. This goes nowhere near prod systems yet.
I have a VM or three that will get this, but I'll be kicking this off the Dev host now.
The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).
OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).
But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.
A bug in OpenSSL certificate parsing leaves systems open to denial-of-service attacks from anyone wielding an explicit curve.
The vulnerability stems from a bug in the BN_mod_sqrt() function, which the OpenSSL team said is used to parse certificates that "contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form." As it turns out, all you need to do to trigger an infinite loop in BN_mod_sqrt() is hand an OpenSSL-based application or service a certificate with invalid explicit curve parameters.
This parsing happens prior to verification of the certificate's signature. Slip a bad certificate to any app or server using BN_mod_sqrt() to parse certs, and the software will get caught in the loop and stop working.
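Because the parsing described above runs before signature verification, one defensive option is to classify a key's curve parameters by DER tag alone and refuse explicit parameters before any curve arithmetic happens. The sketch below is an added example, not OpenSSL's code or its fix. It assumes the SubjectPublicKeyInfo has already been extracted from the certificate, relies on the ECParameters CHOICE tags from RFC 5480, and uses hypothetical function names with constructed sample keys.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # OID 1.2.840.10045.3.1.7

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated value")
    return tag, off, off + length

def expect(buf, off, want):
    """Read one element and insist on its tag."""
    tag, start, end = read_tlv(buf, off)
    if tag != want:
        raise ValueError("unexpected tag")
    return start, end

def ec_param_kind(spki):
    """Return 'named', 'explicit', 'implicit', 'not-ec' or 'malformed'."""
    try:
        start, _ = expect(spki, 0, 0x30)             # SubjectPublicKeyInfo
        start, alg_end = expect(spki, start, 0x30)   # AlgorithmIdentifier
        start, oid_end = expect(spki, start, 0x06)   # algorithm OID
        if spki[start:oid_end] != ID_EC_PUBLIC_KEY:
            return "not-ec"
        if oid_end >= alg_end:
            return "malformed"                       # parameters missing
        ptag, _, p_end = read_tlv(spki, oid_end)     # ECParameters CHOICE
        if p_end > alg_end:
            return "malformed"
    except ValueError:
        return "malformed"
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(ptag, "malformed")

def der(tag, body):
    """Build a DER element; used only for the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

# Constructed samples: placeholder key bits and a placeholder explicit body.
POINT = der(0x03, b"\x00\x04" + bytes(64))
NAMED = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + der(0x06, PRIME256V1)) + POINT)
EXPLICIT = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + der(0x30, der(0x02, b"\x01"))) + POINT)
```

A caller that only accepts named curves would reject anything for which ec_param_kind() returns other than 'named' or 'not-ec'.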
The OpenSSL team has released version 3.0 of its eponymous secure communications library after a lengthy gestation period.
Coming nearly three years after its predecessor, version 1.1.1, the update lays claim to 17 alpha releases, two beta releases, and more than 7,500 commits. Equally significant is a near-doubling of the amount of documentation, since upgrading an application to use it might not be an entirely simple process.
"OpenSSL 3.0 is a major release and not fully backwards compatible with the previous release," explained Matt Caswell of the OpenSSL Management Committee.