What is the UnixWare 7D OpenSSL 1.0.2ug Package? The OpenSSL Project is a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptograpic library. The OpenSSL 1.0.2ug package is an updated OpenSSL for UnixWare 7D that addresses the following problems or new features. Problems Fixed Changes between openssl-1.0.2uf-UnixWare7D-i386.pkg and openssl-1.0.2ug-UnixWare7D-i386.pkg Fix DH_check() excessive time with over sized modulus CVE-2023-3446 Changes between openssl-1.0.2ue-UnixWare7D-i386.pkg and openssl-1.0.2uf-UnixWare7D-i386.pkg Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt Changes between openssl-1.0.2ud-UnixWare7D-i386.pkg and openssl-1.0.2ue-UnixWare7D-i386.pkg CVE-2023-0286 X.400 address type confusion in X.509 GeneralName CVE-2023-0464 x509: excessive resource use verifying policy constraints CVE-2023-0465 Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. CVE-2023-0466 Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. A packaging error was corrected to include the Let's Encrypt R3 cert. Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt Changes between openssl-1.0.2uc-UnixWare7D-i386.pkg and openssl-1.0.2ud-UnixWare7D-i386.pkg CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings CVE-2022-2078 Infinite loop in BN_mod_sqrt() reachable when parsing certificates Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt See aditional notes below about xinuos-ca-bundle.crt Changes between openssl-1.0.2ub-UnixWare7D-i386.pkg and openssl-1.0.2uc-UnixWare7D-i386.pkg Patched for CVE-2021-23840 and CVE-2021-23841 Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt See aditional notes below about xinuos-ca-bundle.crt Changes between openssl-1.0.2ua-UnixWare7D-i386.pkg and openssl-1.0.2ub-UnixWare7D-i386.pkg Patched for CVE-2020-1971 Changes between openssl-1.0.2u-UnixWare7D-i386.pkg and openssl-1.0.2ua-UnixWare7D-i386.pkg There are no binary changes. Packaging changes to have /etc/ssl/private group readable by ssl-cert Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt See aditional notes below about xinuos-ca-bundle.crt Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [20 Dec 2019] * Fixed an an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551) Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019] * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey ([11]CVE-2019-1563) * For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters * Compute ECC cofactors if not provided during EC_GROUP construction ([12]CVE-2019-1547) * Document issue with installation paths in diverse Windows builds ([13]CVE-2019-1552) Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019] * None References ========== See OpenSSL release notes at https://www.openssl.org/news/openssl-1.0.2-notes.html Features Added to this package --------------------------------- 1. openssl utilities can handle files larger than 2GB 2. /etc/ssl/certs/xinuos-ca-bundle.crt certificate bundle is provided for your convenience. See text starting at line 229 of that file. If /etc/ssl/certs/ca-bundle.crt does not exist at install time, xinuos-ca-bundle.crt will be copied to ca-bundle.crt /etc/ssl/certs/ca-bundle.crt is the file the packages will use. From time to time an updated openssl package may provide a newer xinuos-ca-bundle.crt but it is the sysadmin's responsibility to keep ca-bundle.crt up to date. Xinuos makes no warranties as to the trustworthiness or RFC 3647 compliance of the certification authorities whose certificates are included in this package. Assessment and verification of trust is the complete responsibility of the system administrator. Contents -------- openssl-1.0.2ug-UnixWare7D-i386.pkg.gz openssl-dev-1.0.2ug-UnixWare7D-i386.pkg.gz Verify the integrity of the download with: openssl sha256 openssl-1.0.2ug-UnixWare7D-i386.pkg.gz openssl sha256 openssl-dev-1.0.2ug-UnixWare7D-i386.pkg.gz The output should be: SHA256 (openssl-1.0.2ug-UnixWare7D-i386.pkg.gz) = 99613a31e66736753a8f1e84a6f0f4e046f92ba56d0bdc70a60b5cfd55e37f0d SHA256 (openssl-dev-1.0.2ug-UnixWare7D-i386.pkg.gz) = aa8a454e63539f8f59b926da67eeb79e7be20182334b7498f50a0c7c8cb3d6bd Software Notes and Recommendations ---------------------------------- The UW7D OpenSSL 1.0.2ug package is intended for installation on UnixWare 7 Definitive 2018 (also known as D2M1) Installation Instructions ------------------------- 1. Download openssl-1.0.2ug-UnixWare7D-i386.pkg.gz and openssl-dev-1.0.2ug-UnixWare7D-i386.pkg.gz files to the /tmp directory on your machine. 2. As root, add the package to your system using these commands: $ su - Password: # gzcat /tmp/openssl-1.0.2ug-UnixWare7D-i386.pkg.gz | pkgadd -qd - all If you develop software using the OpenSSL libraries, install the development package. # gzcat /tmp/openssl-dev-1.0.2ug-UnixWare7D-i386.pkg.gz | pkgadd -qd - all 3. The system should be rebooted after installing this package to insure all the services using the openssl libraries are restarted. 4. The upgrade process will not modify existing /etc/ssl/openssl.cnf settings if modifications have been made. OpenSSL 1.0.2u may have modified default option settings as well as have additional options than the earlier openSSL being replaced. The default configuration file is /etc/ssl/openssl.cnf.dfl. System administrators should review the 1.0.2u default options and update /etc/ssl/openssl.cnf settings accordingly. Removal Instructions -------------------- 1. As root, remove the package using these commands: $ su - Password: # pkgrm openssl 2. Your system will not contain an OpenSSL after removal of this package. Note: removing OpenSSL will break OpenSSH and any other software linked against the OpenSSL libraries. If you have questions regarding this supplement, or the product on which it is installed, please contact your Xinuos software supplier. ------------------------------------------------------------------------------- (C) Copyright 2023 Xinuos, Inc. All Rights Reserved.