サクサク読めて、アプリ限定の機能も多数!
トップへ戻る
TGS2024
www.openssl.org
Today we published an advisory about CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”). Please read the advisory for specific details about these CVEs and how they might impact you. This blog post will address some common questions that we expect to be asked about these CVEs. Q: The 3.0.7 release was announced as
20 years ago, on the 23rd December 1998, the first version of OpenSSL was released. OpenSSL was not the original name planned for the project but it was changed over just a few hours before the site went live. Let’s take a look at some of the early history of OpenSSL as some of the background has not been documented before. Back in the late 1990’s, Eric Young and Tim Hudson were well known for the
The OpenSSL Management Committee has been looking at the versioning scheme that is currently in use. Over the years we’ve received plenty of feedback about the “uniqueness” of this scheme, and it does cause some confusion for some users. We would like to adopt a more typical version numbering approach. The current versioning scheme has this format: MAJOR.MINOR.FIX[PATCH] The new scheme will have t
After two years of work we are excited to be releasing our latest version today - OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we are committing to support it for at least five years. OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0. These statistics just illust
Note: This is an outdated version of this blog post. This information is now maintained in a wiki page. See here for the latest version. The forthcoming OpenSSL 1.1.1 release will include support for TLSv1.3. The new release will be binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version o
The following is a press release that we just released, with the cooperation and financial support of the Core Infrastructure Initiative and the Linux Foundation. In the next few days we’ll start sending out email to all contributors asking them to approve the change. In the meantime, you can visit the licensing website and search for your name and request the email. If you have changed email addr
Licensing Update Posted by Rich Salz , Mar 22 nd , 2017 12:00 pm The following is a press release that we just released, with the cooperation and financial support of the Core Infrastructure Initiative and the Linux Foundation. In the next few days we’ll start sending out email to all contributors asking them to approve the change. In the meantime, you can visit the licensing website and search fo
This post talks about OpenSSL and threads. In particular, using OpenSSL in multi-threaded applications. It traces through the history, explains what was changed for the 1.1.0 release, and will hopefully provide some guidance to developers. While none of the behaviors have really changed, and therefore none of this should be new information, the documentation has not been as clear as it could, or s
This is another in the series of posts about decisions we made at our face-to-face meeting a couple of weeks ago. We updated the project roadmap. I think the most important news here, is that our next release will include TLS 1.3. Our current plan is that this will be 1.1.1, which means that it is API-compatible with the current 1.1.0 release. This is really only possible because of the work we di
Today, Karthik Bhargavan and Gaetan Leurent from Inria have unveiled a new attack on Triple-DES, SWEET32, Birthday attacks on 64-bit block ciphers in TLS and OpenVPN. It has been assigned CVE-2016-2183. This post gives a bit of background and describes what OpenSSL is doing. For more details, see their website. Because DES (and triple-DES) has only a 64-bit block size, birthday attacks are a real
In commits a004e72b9 (1.0.2) and 6f35f6deb (1.0.1) we released a fix for CVE-2016-2177. The fix corrects a common coding idiom present in OpenSSL 1.0.2 and OpenSSL 1.0.1 which actually relies on a usage of pointer arithmetic that is undefined in the C specification. The problem does not exist in master (OpenSSL 1.1.0) which refactored this code some while ago. This usage could give rise to a low s
Security Policy Reporting security issues If you wish to report a possible security issue in OpenSSL please notify us. Issue triage Notifications are received by the OMC and OTC. We engage resources within OpenSSL to start the investigation and prioritisation. We may work in private with individuals who are not on the OMC or OTC as well as other organisations and our employers where we believe thi
Today, an international group of researchers unveiled DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), aka CVE-2016-0800, a novel cross-protocol attack that uses SSLv2 handshakes to decrypt TLS sessions. Over the past weeks, the OpenSSL team worked closely with the researchers to determine the exact impact of DROWN on OpenSSL and devise countermeasures to protect our users. Today’s Op
The major changes and known issues for the 1.1.0 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository. More details can be found in the ChangeLog. Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [10 Sep 2019] Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)For built-in EC cu
次のページ
このページを最初にブックマークしてみませんか?
『OpenSSL: The Open Source toolkit for SSL/TLS』の新着エントリーを見る
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く