What is the UnixWare 7D OpenSSL 1.0.2q Package? The OpenSSL 1.0.2q package is an updated OpenSSL for UnixWare 7D that addresses the following problems or new features. Problems Fixed -------------- Changes between 1.0.2p and 1.0.2q [20 Nov 2018] *) Microarchitecture timing vulnerability in ECC scalar multiplication OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri. (CVE-2018-5407) [Billy Brumley] *) Timing vulnerability in DSA signature generation The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. (CVE-2018-0734) [Paul Dale] *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module, accidentally introduced while backporting security fixes from the development branch and hindering the use of ECC in FIPS mode. [Nicola Tuveri] References ========== See OpenSSL release notes at https://www.openssl.org/news/openssl-1.0.2-notes.html Features Added to this package --------------------------------- 1. openssl utilities can handle files larger than 2GB 2. /etc/ssl/certs/xinuos-ca-bundle.crt certificate bundle is provided for your convenience. See text starting at line 210 of that file. If /etc/ssl/certs/ca-bundle.crt does not exist at install time, xinuos-ca-bundle.crt will be copied to ca-bundle.crt Xinuos makes no warranties as to the trustworthiness or RFC 3647 compliance of the certification authorities whose certificates are included in this package. Assessment and verification of trust is the complete responsibility of the system administrator. Contents -------- openssl-1.0.2q-UnixWare7D-i386.pkg.gz openssl-dev-1.0.2q-UnixWare7D-i386.pkg.gz MD5 (openssl-1.0.2q-UnixWare7D-i386.pkg.gz) = e29fbea6316ac2f0e999806bc39c443e MD5 (openssl-dev-1.0.2q-UnixWare7D-i386.pkg.gz) = 6f8d930d09852629866436ede94c1639 SHA256(openssl-1.0.2q-UnixWare7D-i386.pkg.gz)= 40d303551c5f301535a7c959a6bc962689fb3af7b870a0ba130d631a4bba6c93 SHA256(openssl-dev-1.0.2q-UnixWare7D-i386.pkg.gz)= 02c52f3b2a1a9f0249a625b240d0abe5b606fffdcd78aaa51275f4c87ec6347f Software Notes and Recommendations ---------------------------------- The UW7D OpenSSL 1.0.2q package is intended for installation on UnixWare 7 Definitive 2018 Installation Instructions ------------------------- 1. Download openssl-1.0.2q-UnixWare7D-i386.pkg.gz and openssl-dev-1.0.2q-UnixWare7D-i386.pkg.gz files to the /tmp directory on your machine. 2. As root, add the package to your system using these commands: $ su - Password: # gzcat /tmp/openssl-1.0.2q-UnixWare7D-i386.pkg.gz | pkgadd -qd - all If you develop software using the OpenSSL libraries, install the development package. # gzcat /tmp/openssl-dev-1.0.2q-UnixWare7D-i386.pkg.gz | pkgadd -qd - all 3. The system should be rebooted after installing this package to insure all the services using the openssl libraries are restarted. 4. The upgrade process will not modify existing /etc/ssl/openssl.cnf settings if modifications have been made. OpenSSL 1.0.2n may have modified default option settings as well as have additional options than the earlier openSSL being replaced. The default configuration file is /etc/ssl/openssl.cnf.dfl. System administrators should review the 1.0.2n default options and update /etc/ssl/openssl.cnf settings accordingly. Removal Instructions -------------------- 1. As root, remove the package using these commands: $ su - Password: # pkgrm openssl 2. Your system does not contain an OpenSSL after removal of this package. Note: removing OpenSSL will break OpenSSH and any other software linked against the OpenSSL libraries. If you have questions regarding this supplement, or the product on which it is installed, please contact your Xinuos software supplier.