What is the UnixWare 7D OpenSSL 1.0.2t Package? The OpenSSL 1.0.2t package is an updated OpenSSL for UnixWare 7D that addresses the following problems or new features. Problems Fixed -------------- Changes between 1.0.2s and 1.0.2t [10 Sep 2019] *) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/ `EC_GROUP_new_from_ecparameters()`. This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later serialized, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation. [Nicola Tuveri] *) Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. (CVE-2019-1547) [Billy Bob Brumley] *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. (CVE-2019-1563) [Bernd Edlinger] *) Document issue with installation paths in diverse Windows builds '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL binaries and run-time config file. (CVE-2019-1552) [Richard Levitte] Changes between 1.0.2r and 1.0.2s [28 May 2019] *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey app when no size is given. It fixes an omission in earlier changes that changed all RSA, DSA and DH generation apps to use 2048 bits by default. [Kurt Roeckx] *) Add FIPS support for Android Arm 64-bit Support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module in Version 2.0.10. For some reason, the corresponding target 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be built with FIPS support on Android Arm 64-bit. This omission has been fixed. [Matthias St. Pierre] References ========== See OpenSSL release notes at https://www.openssl.org/news/openssl-1.0.2-notes.html Features Added to this package --------------------------------- 1. openssl utilities can handle files larger than 2GB 2. /etc/ssl/certs/xinuos-ca-bundle.crt certificate bundle is provided for your convenience. See text starting at line 210 of that file. If /etc/ssl/certs/ca-bundle.crt does not exist at install time, xinuos-ca-bundle.crt will be copied to ca-bundle.crt Xinuos makes no warranties as to the trustworthiness or RFC 3647 compliance of the certification authorities whose certificates are included in this package. Assessment and verification of trust is the complete responsibility of the system administrator. Contents -------- openssl-1.0.2t-UnixWare7D-i386.pkg.gz openssl-dev-1.0.2t-UnixWare7D-i386.pkg.gz MD5 (openssl-1.0.2t-UnixWare7D-i386.pkg.gz) = 62ee62d03549a5d5271ece01b77248e0 MD5 (openssl-dev-1.0.2t-UnixWare7D-i386.pkg.gz) = dcc1fb3314f2816e30c9c1b7cf9efcd1 SHA256(openssl-1.0.2t-UnixWare7D-i386.pkg.gz)= 7d3fdc31fffaa418d4e45659b77037f495c3264988472d5ce0fb39854877f51a SHA256(openssl-dev-1.0.2t-UnixWare7D-i386.pkg.gz)= 0ada01e8d9fa2c763350c06a90902e84ad67bdf3d911df901055e8e3fa8f7a12 Software Notes and Recommendations ---------------------------------- The UW7D OpenSSL 1.0.2t package is intended for installation on UnixWare 7 Definitive 2018 Installation Instructions ------------------------- 1. Download openssl-1.0.2t-UnixWare7D-i386.pkg.gz and openssl-dev-1.0.2t-UnixWare7D-i386.pkg.gz files to the /tmp directory on your machine. 2. As root, add the package to your system using these commands: $ su - Password: # gzcat /tmp/openssl-1.0.2t-UnixWare7D-i386.pkg.gz | pkgadd -qd - all If you develop software using the OpenSSL libraries, install the development package. # gzcat /tmp/openssl-dev-1.0.2t-UnixWare7D-i386.pkg.gz | pkgadd -qd - all 3. The system should be rebooted after installing this package to insure all the services using the openssl libraries are restarted. 4. The upgrade process will not modify existing /etc/ssl/openssl.cnf settings if modifications have been made. OpenSSL 1.0.2n may have modified default option settings as well as have additional options than the earlier openSSL being replaced. The default configuration file is /etc/ssl/openssl.cnf.dfl. System administrators should review the 1.0.2n default options and update /etc/ssl/openssl.cnf settings accordingly. Removal Instructions -------------------- 1. As root, remove the package using these commands: $ su - Password: # pkgrm openssl 2. Your system does not contain an OpenSSL after removal of this package. Note: removing OpenSSL will break OpenSSH and any other software linked against the OpenSSL libraries. If you have questions regarding this supplement, or the product on which it is installed, please contact your Xinuos software supplier.