What is the UnixWare OpenSSL 3.0.15 Package? The OpenSSL Project is a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptograpic library. The OpenSSL 3.0.15 package is an updated OpenSSL for UnixWare 7D and OpenServer 6D that addresses the following problems or new features. Problems Fixed Changes between openssl-3.0.13-UnixWare-i386.pkg.xz and openssl-3.0.15-UnixWare-i386.pkg.xz Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741) Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603) Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511) Fixed issue where Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer (CVE-2024-5535) Fixed possible denial of service in X.509 name checks (CVE-2024-6119) Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535) Changes between openssl-3.0.12-UnixWare-i386.pkg.xz and openssl-3.0.13-UnixWare-i386.pkg.xz Fixed PKCS12 Decoding crashes (CVE-2024-0727) Fixed Excessive time spent checking invalid RSA public keys (CVE-2023-6237) Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129) Fix excessive time spent in DH check / generation with large Q parameter value (CVE-2023-5678) Packaging modified to also install on OpenServer 6D OpenSSL 3.0.12 released for Update Pack 1 See https://www.openssl.org/news/openssl-3.0-notes.html Note: includes openssl 1.0.2 libs for backward compatability. Old /usr/bin/openssl has been renamed /usr/bin/openssl.102 Changes between openssl-1.0.2ug-UnixWare7D-i386.pkg and openssl-1.0.2uh-UnixWare7D-i386.pkg Fix excessive time spent checking DH q parameter value CVE-2023-3817 Changes between openssl-1.0.2uf-UnixWare7D-i386.pkg and openssl-1.0.2ug-UnixWare7D-i386.pkg Fix DH_check() excessive time with over sized modulus CVE-2023-3446 Changes between openssl-1.0.2ue-UnixWare7D-i386.pkg and openssl-1.0.2uf-UnixWare7D-i386.pkg Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt Changes between openssl-1.0.2ud-UnixWare7D-i386.pkg and openssl-1.0.2ue-UnixWare7D-i386.pkg CVE-2023-0286 X.400 address type confusion in X.509 GeneralName CVE-2023-0464 x509: excessive resource use verifying policy constraints CVE-2023-0465 Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. CVE-2023-0466 Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. A packaging error was corrected to include the Let's Encrypt R3 cert. Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt Changes between openssl-1.0.2uc-UnixWare7D-i386.pkg and openssl-1.0.2ud-UnixWare7D-i386.pkg CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings CVE-2022-2078 Infinite loop in BN_mod_sqrt() reachable when parsing certificates Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt See aditional notes below about xinuos-ca-bundle.crt Changes between openssl-1.0.2ub-UnixWare7D-i386.pkg and openssl-1.0.2uc-UnixWare7D-i386.pkg Patched for CVE-2021-23840 and CVE-2021-23841 Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt See aditional notes below about xinuos-ca-bundle.crt Changes between openssl-1.0.2ua-UnixWare7D-i386.pkg and openssl-1.0.2ub-UnixWare7D-i386.pkg Patched for CVE-2020-1971 Changes between openssl-1.0.2u-UnixWare7D-i386.pkg and openssl-1.0.2ua-UnixWare7D-i386.pkg There are no binary changes. Packaging changes to have /etc/ssl/private group readable by ssl-cert Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt See aditional notes below about xinuos-ca-bundle.crt Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [20 Dec 2019] * Fixed an an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551) Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019] * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey ([11]CVE-2019-1563) * For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters * Compute ECC cofactors if not provided during EC_GROUP construction ([12]CVE-2019-1547) * Document issue with installation paths in diverse Windows builds ([13]CVE-2019-1552) Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019] * None References ========== See OpenSSL release notes at https://www.openssl.org/news/openssl-3.0-notes.html Features Added to this package --------------------------------- 1. openssl utilities can handle files larger than 2GB 2. /etc/ssl/certs/xinuos-ca-bundle.crt certificate bundle is provided for your convenience. See text starting at line 229 of that file. If /etc/ssl/certs/ca-bundle.crt does not exist at install time, xinuos-ca-bundle.crt will be copied to ca-bundle.crt /etc/ssl/certs/ca-bundle.crt is the file the packages will use. From time to time an updated openssl package may provide a newer xinuos-ca-bundle.crt but it is the sysadmin's responsibility to keep ca-bundle.crt up to date. Xinuos makes no warranties as to the trustworthiness or RFC 3647 compliance of the certification authorities whose certificates are included in this package. Assessment and verification of trust is the complete responsibility of the system administrator. Contents -------- openssl-3.0.15-UnixWare-i386.pkg.xz openssl-dev-3.0.15-UnixWare-i386.pkg.xz Verify the integrity of the download with: sha256 openssl-3.0.15-UnixWare-i386.pkg.xz sha256 openssl-dev-3.0.15-UnixWare-i386.pkg.xz The output should be: SHA256 (openssl-3.0.15-UnixWare-i386.pkg.xz) = 6c3ddf8bd85981ba0e6152749bf3c673c7352a096f77ffd8afcdbadc305181b3 SHA256 (openssl-dev-3.0.15-UnixWare-i386.pkg.xz) = eeb751dd7ba713b9252f38fab06063e558290ba57a010f6a23108258acecc892 Software Notes and Recommendations ---------------------------------- The UnixWare OpenSSL 3.0.15 package is intended for installation on UnixWare 7 Definitive 2018 (also known as D2M1) with ptf9151 or OpenServer 6 Definitive 2018 (also known as D2M1) with oss726i Installation Instructions ------------------------- 1. Download openssl-3.0.15-UnixWare-i386.pkg.xz and openssl-dev-3.0.15-UnixWare-i386.pkg.xz files to the /tmp directory on your machine. 2. As root, add the package to your system using these commands: $ su - Password: # xzcat /tmp/openssl-3.0.15-UnixWare-i386.pkg.xz | pkgadd -qd - all If you develop software using the OpenSSL libraries, install the development package. # xzcat /tmp/openssl-dev-3.0.15-UnixWare-i386.pkg.xz | pkgadd -qd - all 3. The system should be rebooted after installing this package to insure all the services using the openssl libraries are restarted. 4. The upgrade process will not modify existing /etc/ssl/openssl.cnf settings if modifications have been made. OpenSSL 3.0.15 may have modified default option settings as well as have additional options than the earlier openSSL being replaced. The default configuration file is /etc/ssl/openssl.cnf.dfl. System administrators should review the 3.0.15 default options and update /etc/ssl/openssl.cnf settings accordingly. Removal Instructions -------------------- 1. Your system will not contain an OpenSSL after removal of this package. Note: removing OpenSSL will break OpenSSH and any other software linked against the OpenSSL libraries (like OpenSSH). 2. As root, remove the package using these commands: $ su - Password: # pkgrm -a check openssl If you have questions regarding this supplement, or the product on which it is installed, please contact your Xinuos software supplier. ------------------------------------------------------------------------------- (C) Copyright 2024 Xinuos, Inc. All Rights Reserved.