What is the UnixWare 7D OpenSSL 1.0.2r Package? The OpenSSL 1.0.2r package is an updated OpenSSL for UnixWare 7D that addresses the following problems or new features. Problems Fixed -------------- Changes between 1.0.2q and 1.0.2r [26 Feb 2019] *) 0-byte record padding oracle If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt. It was reported to OpenSSL on 10th December 2018. (CVE-2019-1559) [Matt Caswell] *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). [Richard Levitte] References ========== See OpenSSL release notes at https://www.openssl.org/news/openssl-1.0.2-notes.html Features Added to this package --------------------------------- 1. openssl utilities can handle files larger than 2GB 2. /etc/ssl/certs/xinuos-ca-bundle.crt certificate bundle is provided for your convenience. See text starting at line 210 of that file. If /etc/ssl/certs/ca-bundle.crt does not exist at install time, xinuos-ca-bundle.crt will be copied to ca-bundle.crt Xinuos makes no warranties as to the trustworthiness or RFC 3647 compliance of the certification authorities whose certificates are included in this package. Assessment and verification of trust is the complete responsibility of the system administrator. Contents -------- openssl-1.0.2r-UnixWare7D-i386.pkg.gz openssl-dev-1.0.2r-UnixWare7D-i386.pkg.gz MD5 (openssl-1.0.2r-UnixWare7D-i386.pkg.gz) = a4287d44ae7a72ed18e69f90d1cf1400 MD5 (openssl-dev-1.0.2r-UnixWare7D-i386.pkg.gz) = 712c13b0e58e370805c7a7df63da5841 SHA256(openssl-1.0.2r-UnixWare7D-i386.pkg.gz)= 3b87b7a82f0e71259c8dc290cd4157c888cdebf101694f3de7d7284a3f998caa SHA256(openssl-dev-1.0.2r-UnixWare7D-i386.pkg.gz)= 5a7c12dd6f699b3ec1753bfdacc695abcc0804a604501d0f260a9c48327414e3 Software Notes and Recommendations ---------------------------------- The UW7D OpenSSL 1.0.2r package is intended for installation on UnixWare 7 Definitive 2018 Installation Instructions ------------------------- 1. Download openssl-1.0.2r-UnixWare7D-i386.pkg.gz and openssl-dev-1.0.2r-UnixWare7D-i386.pkg.gz files to the /tmp directory on your machine. 2. As root, add the package to your system using these commands: $ su - Password: # gzcat /tmp/openssl-1.0.2r-UnixWare7D-i386.pkg.gz | pkgadd -qd - all If you develop software using the OpenSSL libraries, install the development package. # gzcat /tmp/openssl-dev-1.0.2r-UnixWare7D-i386.pkg.gz | pkgadd -qd - all 3. The system should be rebooted after installing this package to insure all the services using the openssl libraries are restarted. 4. The upgrade process will not modify existing /etc/ssl/openssl.cnf settings if modifications have been made. OpenSSL 1.0.2n may have modified default option settings as well as have additional options than the earlier openSSL being replaced. The default configuration file is /etc/ssl/openssl.cnf.dfl. System administrators should review the 1.0.2n default options and update /etc/ssl/openssl.cnf settings accordingly. Removal Instructions -------------------- 1. As root, remove the package using these commands: $ su - Password: # pkgrm openssl 2. Your system does not contain an OpenSSL after removal of this package. Note: removing OpenSSL will break OpenSSH and any other software linked against the OpenSSL libraries. If you have questions regarding this supplement, or the product on which it is installed, please contact your Xinuos software supplier.