Subject: Re: upgrading in-tree openssl to 0.9.6a
To: Daniel Carosone <dan@geek.com.au>
From: None <itojun@iijlab.net>
List: tech-security
Date: 04/11/2001 19:02:01 
------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <6685.986983305.1@itojun.org>

> > 	i plan to upgrade in-tree openssl to 0.9.6a.  there will be a lot of
> > 	conflicts on import so it may take some time.  there seem to be
> > 	a couple of security-related fixes in 0.9.5a -> 0.9.6a, so it would
> > 	be important.
>Anything needing an advisory - ie, causing an actual problem?

	even for 0.9.6 -> 0.9.6a, there are four "security fix"es.

itojun

------- =_aaaaaaaaaa0
Content-Type: message/rfc822
Content-ID: <6685.986983305.2@itojun.org>

Delivery-Date: Mon Apr  9 04:10:48 2001
	by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id EAA27691
	for <itojun@itojun.org>; Mon, 9 Apr 2001 04:10:45 +0900 (JST)
	id E5DEE36C63; Sun,  8 Apr 2001 12:06:44 -0400 (EDT)
	id D0B1536C62; Sun,  8 Apr 2001 12:06:44 -0400 (EDT)
	by mononoke.wasabisystems.com (Postfix) with ESMTP id AC1BF36C5E
	for <cryptography@wasabisystems.com>; Sun,  8 Apr 2001 12:06:43 -0400 (EDT)
	id 65DCD1E0067; Sun,  8 Apr 2001 12:06:43 -0400 (EDT)
	by mononoke.wasabisystems.com (Postfix) with ESMTP id 377C936C5A
	for <cryptography@wasabisystems.com>; Fri,  6 Apr 2001 06:03:42 -0400 (EDT)
	id MAA03072; Fri, 6 Apr 2001 12:03:40 +0200 (MET DST)
Date: Fri, 6 Apr 2001 12:03:39 +0200
From: Richard Levitte <levitte@openssl.org>
To: openssl-announce@openssl.org, openssl-users@openssl.org,
        openssl-dev@openssl.org, coderpunks@toad.com, cypherpunks@openpgp.net,
        cryptography@wasabisystems.com, INFO-VAX@MVB.SAIC.COM,
        VMS-WEB-DAEMON@KJSL.COM, VMS-SSH@ALPHA.SGGW.WAW.PL,
        INFO-WASD@VSM.COM.AU
Subject: [ANNOUNCE] Release of OpenSSL 0.9.6a
Message-ID: <20010406120338.L438@openssl.org>
Reply-To: levitte@openssl.org
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Organization: OpenSSL Project
Sender: owner-cryptography@wasabisystems.com

  OpenSSL version 0.9.6a released
  ===============================

  OpenSSL - The Open Source toolkit for SSL/TLS
  http://www.openssl.org/

  The OpenSSL project team is pleased to announce the release of version
  0.9.6a of our open source toolkit for SSL/TLS.  This new OpenSSL version
  is mostly a bugfix release and incorporates at least 55 changes to the
  toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

  The most significant changes are:

    o Security fix: change behavior of OpenSSL to avoid using
      environment variables when running as root.
    o Security fix: check the result of RSA-CRT to reduce the
      possibility of deducing the private key from an incorrectly
      calculated signature.
    o Security fix: prevent Bleichenbacher's DSA attack.
    o Security fix: Zero the premaster secret after deriving the
      master secret in DH ciphersuites.
    o Reimplement SSL_peek(), which had various problems.
    o Compatibility fix: the function des_encrypt() renamed to
      des_encrypt1() to avoid clashes with some Unixen libc.
    o Bug fixes for Win32, HP/UX and Irix.
    o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
      memory checking routines.
    o Bug fixes for RSA operations in threaded enviroments.
    o Bug fixes in misc. openssl applications.
    o Remove a few potential memory leaks.
    o Add tighter checks of BIGNUM routines.
    o Shared library support has been reworked for generality.
    o More documentation.
    o New function BN_rand_range().
    o Add "-rand" option to openssl s_client and s_server.

  We consider OpenSSL 0.9.6a to be the best version of OpenSSL available and we
  strongly recommend that users of older versions, especially of old SSLeay
  versions, upgrade as soon as possible.  OpenSSL 0.9.6a is available for
  download via HTTP and FTP from the following master locations (you can find
  the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    o http://www.openssl.org/source/
    o ftp://ftp.openssl.org/source/

  [1] OpenSSL comes in the form of two distributions this time as well.
  The reasons for this is that we want to deploy the external crypto device
  support but don't want to have it part of the "normal" distribution just
  yet.  The distribution containing the external crypto device support is
  popularly called "engine", and is considered experimental.  It's been
  fairly well tested on Unix and flavors thereof.  If run on a system with
  no external crypto device, it will work just like the "normal" distribution.

  The distribution file names are:

      o openssl-0.9.6a.tar.gz [normal]
      o openssl-engine-0.9.6a.tar.gz [engine]

  Yours,
  The OpenSSL Project Team...  

    Mark J. Cox             Richard Levitte    Andy Polyakov
    Ralf S. Engelschall     Bodo Möller        Holger Reif
    Dr. Stephen Henson      Ulf Möller         Geoff Thorpe
    Ben Laurie              Lutz Jänicke



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com

------- =_aaaaaaaaaa0--