What is the UnixWare 7D OpenSSL 1.0.2p Package? The OpenSSL 1.0.2p package is an updated OpenSSL for UnixWare 7D that addresses the following problems or new features. Problems Fixed -------------- Changes between 1.0.2o and 1.0.2p [14 Aug 2018] *) Client DoS due to large DH parameter During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken (CVE-2018-0732) [Guido Vranken] *) Cache timing vulnerability in RSA Key Generation The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. (CVE-2018-0737) [Billy Brumley] *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only. [Richard Levitte] *) Revert blinding in ECDSA sign and instead make problematic addition length-invariant. Switch even to fixed-length Montgomery multiplication. [Andy Polyakov] *) Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128. [Kurt Roeckx, Annie Yousar] *) Increase the number of Miller-Rabin rounds for DSA key generating to 64. [Kurt Roeckx] *) Add blinding to ECDSA and DSA signatures to protect against side channel attacks discovered by Keegan Ryan (NCC Group). [Matt Caswell] *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases. [Richard Levitte] *) Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed. [Emilia Käsper] References ========== See OpenSSL release notes at https://www.openssl.org/news/openssl-1.0.2-notes.html Features Added to this package --------------------------------- 1. openssl utilities can handle files larger than 2GB 2. /etc/ssl/certs/xinuos-ca-bundle.crt certificate bundle is provided for your convenience. See text starting at line 210 of that file. If /etc/ssl/certs/ca-bundle.crt does not exist at install time, xinuos-ca-bundle.crt will be copied to ca-bundle.crt Xinuos makes no warranties as to the trustworthiness or RFC 3647 compliance of the certification authorities whose certificates are included in this package. Assessment and verification of trust is the complete responsibility of the system administrator. Contents -------- openssl-1.0.2p-UnixWare7D-i386.pkg.gz openssl-dev-1.0.2p-UnixWare7D-i386.pkg.gz MD5 (openssl-1.0.2p-UnixWare7D-i386.pkg.gz) = 557071d6b2ab4576161b68b0b79a80c4 MD5 (openssl-dev-1.0.2p-UnixWare7D-i386.pkg.gz) = 66e4987515b0f7d0c2e37b77d47465aa SHA256(openssl-1.0.2p-UnixWare7D-i386.pkg.gz)= d830ac7b25ca13bfe14323aa1de7bf9c0a2c9364322d47d55d1776aa7189412f SHA256(openssl-dev-1.0.2p-UnixWare7D-i386.pkg.gz)= 34f258e6d203cc60a4bcb007ec7a58a0f8f7e1c1258b91388ce9ec690e3ed7d9 Software Notes and Recommendations ---------------------------------- The UW7D OpenSSL 1.0.2p package is intended for installation on UnixWare 7 Definitive 2018 Installation Instructions ------------------------- 1. Download openssl-1.0.2p-UnixWare7D-i386.pkg.gz and openssl-dev-1.0.2p-UnixWare7D-i386.pkg.gz files to the /tmp directory on your machine. 2. As root, add the package to your system using these commands: $ su - Password: # gzcat /tmp/openssl-1.0.2p-UnixWare7D-i386.pkg.gz | pkgadd -qd - all If you develop software using the OpenSSL libraries, install the development package. # gzcat /tmp/openssl-dev-1.0.2p-UnixWare7D-i386.pkg.gz | pkgadd -qd - all 3. The system should be rebooted after installing this package to insure all the services using the openssl libraries are restarted. 4. The upgrade process will not modify existing /etc/ssl/openssl.cnf settings if modifications have been made. OpenSSL 1.0.2n may have modified default option settings as well as have additional options than the earlier openSSL being replaced. The default configuration file is /etc/ssl/openssl.cnf.dfl. System administrators should review the 1.0.2n default options and update /etc/ssl/openssl.cnf settings accordingly. Removal Instructions -------------------- 1. As root, remove the package using these commands: $ su - Password: # pkgrm openssl 2. Your system does not contain an OpenSSL after removal of this package. Note: removing OpenSSL will break OpenSSH and any other software linked against the OpenSSL libraries. If you have questions regarding this supplement, or the product on which it is installed, please contact your Xinuos software supplier.