What is the UnixWare OpenSSL 3.0.18 Package? KEYWORDS: openssl-3.0.18 OpenSSL 3.0.18 RELEASE: OpenSSL 3.0.18 OpenSSL: A robust, commercial-grade, full-featured Open Source Toolkit for the Transport Layer Security (TLS) protocol formerly known as the Secure Sockets Layer (SSL) protocol. The protocol implementation is based on a full-strength general purpose cryptographic library, which can also be used stand-alone. The OpenSSL 3.0.18 package is an updated OpenSSL for UnixWare 7D and OpenServer 6D that addresses the following problems or new features. Problems Fixed Changes between openssl-3.0.16-UnixWare-i386.pkg.xz and openssl-3.0.18a-UnixWare-i386.pkg.xz Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap ([CVE-2025-9230]) Fix Out-of-bounds read in HTTP client no_proxy handling ([CVE-2025-9232]) Avoided a potential race condition introduced in 3.0.17, where `OSSL_STORE_CTX` kept open during lookup while potentially being used by multiple threads simultaneously, that could lead to potential crashes when multiple concurrent TLS connections are served. Secure memory allocation calls are no longer used for HMAC keys. `openssl req` no longer generates certificates with an empty extension list when SKID/AKID are set to `none` during generation. The man page date is now derived from the release date provided in `VERSION.dat` and not the current date for the released builds. Hardened the provider implementation of the RSA public key "encrypt" operation to add a missing check that the caller-indicated output buffer size is at least as large as the byte count of the RSA modulus. Changes between openssl-3.0.15-UnixWare-i386.pkg.xz and openssl-3.0.16-UnixWare-i386.pkg.xz Fixed timing side-channel in ECDSA signature computation. ([CVE-2024-13176]) Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. ([CVE-2024-9143]) Changes between openssl-3.0.13-UnixWare-i386.pkg.xz and openssl-3.0.15-UnixWare-i386.pkg.xz Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741) Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603) Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511) Fixed issue where Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer (CVE-2024-5535) Fixed possible denial of service in X.509 name checks (CVE-2024-6119) Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535) Changes between openssl-3.0.12-UnixWare-i386.pkg.xz and openssl-3.0.13-UnixWare-i386.pkg.xz Fixed PKCS12 Decoding crashes (CVE-2024-0727) Fixed Excessive time spent checking invalid RSA public keys (CVE-2023-6237) Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129) Fix excessive time spent in DH check / generation with large Q parameter value (CVE-2023-5678) Packaging modified to also install on OpenServer 6D OpenSSL 3.0.12 released for Update Pack 1 See https://www.openssl.org/news/openssl-3.0-notes.html Note: includes openssl 1.0.2 libs for backward compatability. Old /usr/bin/openssl has been renamed /usr/bin/openssl.102 Changes between openssl-1.0.2uj legacy libs and openssl-1.0.2uk legacy libs first packaged in openssl-3.0.18 Fixed an an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. CVE-2019-1551 Due to the Raccoon attack static "DH" ciphersuites have been moved to to the "weak-ssl-ciphers" list. Support for the "weak-ssl-ciphers" is not compiled in by default. Support can be added by configuring OpenSSL at compile time with the "enable-weak-ssl-ciphers" option. This is not recommended. CVE-2020-1968 Fixed an SSLv2 rollback attack vulnerability CVE-2021-23839 Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection. CVE-2022-1292 Fixed additional bugs in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection. CVE-2022-2068 Fixed Timing Oracle in RSA Decryption. CVE-2022-4304 Fixed Use-after-free following BIO_new_NDEF. CVE-2023-0215 Make DH_check_pub_key() and DH_generate_key() safer yet. CVE-2023-5678 Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. CVE-2024-9143 Fixed timing side-channel in ECDSA signature computation. CVE-2024-13176 Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. CVE-2025-9230 Changes between openssl-1.0.2uh legacy libs and openssl-1.0.2uj legacy libs first packaged in openssl-3.0.14 Fixed PKCS12 Decoding crashes CVE-2024-0727 Fixed possible buffer overread in SSL_select_next_proto() CVE-2024-5535 Changes between openssl-1.0.2ug-UnixWare7D-i386.pkg and openssl-1.0.2uh-UnixWare7D-i386.pkg (legacy libs first packaged in openssl-3.0.12) Fix excessive time spent checking DH q parameter value CVE-2023-3817 Changes between openssl-1.0.2uf-UnixWare7D-i386.pkg and openssl-1.0.2ug-UnixWare7D-i386.pkg Fix DH_check() excessive time with over sized modulus CVE-2023-3446 Changes between openssl-1.0.2ue-UnixWare7D-i386.pkg and openssl-1.0.2uf-UnixWare7D-i386.pkg Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt Changes between openssl-1.0.2ud-UnixWare7D-i386.pkg and openssl-1.0.2ue-UnixWare7D-i386.pkg CVE-2023-0286 X.400 address type confusion in X.509 GeneralName CVE-2023-0464 x509: excessive resource use verifying policy constraints CVE-2023-0465 Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. CVE-2023-0466 Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. A packaging error was corrected to include the Let's Encrypt R3 cert. Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt Changes between openssl-1.0.2uc-UnixWare7D-i386.pkg and openssl-1.0.2ud-UnixWare7D-i386.pkg CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings CVE-2022-2078 Infinite loop in BN_mod_sqrt() reachable when parsing certificates Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt See aditional notes below about xinuos-ca-bundle.crt Changes between openssl-1.0.2ub-UnixWare7D-i386.pkg and openssl-1.0.2uc-UnixWare7D-i386.pkg Patched for CVE-2021-23840 and CVE-2021-23841 Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt See aditional notes below about xinuos-ca-bundle.crt Changes between openssl-1.0.2ua-UnixWare7D-i386.pkg and openssl-1.0.2ub-UnixWare7D-i386.pkg Patched for CVE-2020-1971 Changes between openssl-1.0.2u-UnixWare7D-i386.pkg and openssl-1.0.2ua-UnixWare7D-i386.pkg There are no binary changes. Packaging changes to have /etc/ssl/private group readable by ssl-cert Updated root certificate bundle /etc/ssl/certs/xinuos-ca-bundle.crt See aditional notes below about xinuos-ca-bundle.crt Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [20 Dec 2019] * Fixed an an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551) Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019] * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey ([11]CVE-2019-1563) * For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters * Compute ECC cofactors if not provided during EC_GROUP construction ([12]CVE-2019-1547) * Document issue with installation paths in diverse Windows builds ([13]CVE-2019-1552) Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019] * None References ========== See OpenSSL release notes at https://www.openssl.org/news/openssl-3.0-notes.html Features Added to this package --------------------------------- 1. openssl utilities can handle files larger than 2GB 2. /etc/ssl/certs/xinuos-ca-bundle.crt certificate bundle is provided for your convenience. See text starting at line 229 of that file. If /etc/ssl/certs/ca-bundle.crt does not exist at install time, xinuos-ca-bundle.crt will be copied to ca-bundle.crt /etc/ssl/certs/ca-bundle.crt is the file the packages will use. From time to time an updated openssl package may provide a newer xinuos-ca-bundle.crt but it is the sysadmin's responsibility to keep ca-bundle.crt up to date. Xinuos makes no warranties as to the trustworthiness or RFC 3647 compliance of the certification authorities whose certificates are included in this package. Assessment and verification of trust is the complete responsibility of the system administrator. Contents -------- openssl-3.0.18a-UnixWare-i386.pkg.xz openssl-dev-3.0.18a-UnixWare-i386.pkg.xz ---------------------------------------------------------- I. Software Notes and Recommendations openssl should only be installed on: UnixWare 7 Definitive D2M1 with MP1 or later or SCO OpenServer 6 Definitive D2M2 with MP1 or later. ---------------------------------------------------------- II. Installation Instructions To install openssl-3.0.18 follow these steps: 1. Login as root 2. Download the openssl-3.0.18a-UnixWare-i386.pkg.xz file and optionally openssl-dev-3.0.18a-UnixWare-i386.pkg.xz to the /tmp directory on your machine. 3. After the download is complete, change to /tmp and run the following to command(s) to verify the integrity of the download: sha256 openssl-3.0.18a-UnixWare-i386.pkg.xz sha256 openssl-dev-3.0.18a-UnixWare-i386.pkg.xz The output should be: SHA256 (openssl-3.0.18a-UnixWare-i386.pkg.xz) = d08eeeed0955f8790c6cdee68dcbdb4666b3552aad3cb5c9b309e7795fe347c7 SHA256 (openssl-dev-3.0.18a-UnixWare-i386.pkg.xz) = d07e3bfb7f3171834e0e2be3d5ae8a3c6470d5f551a92860538429324fef0542 4. After verifying the sums match, As root, add the package to your system using these commands: $ su - Password: # xzcat openssl-3.0.18a-UnixWare-i386.pkg.xz | pkgadd -d - Alternatively, this package may be installed in quiet mode by using these commands: $ su - Password: # xzcat openssl-3.0.18a-UnixWare-i386.pkg.xz | pkgadd -qd - all If you are doing software development on software requiring OpenSSL libraries and include files, repeat steps for openssl-dev-3.0.18a-UnixWare-i386.pkg.xz 5. Installation of package openssl-3.0.18 is now complete. 6. Once the installation has completed, you can remove or archive openssl-3.0.18a-UnixWare-i386.pkg.xz downloaded in step 2. 7. The system should be rebooted after installing this package to insure all the services using the openssl libraries are restarted. 8. The upgrade process will not modify existing /etc/ssl/openssl.cnf settings if modifications have been made. OpenSSL 3.0.18 may have modified default option settings as well as have additional options than the earlier openSSL being replaced. The default configuration file is /etc/ssl/openssl.cnf.dfl. System administrators should review the 3.0.18 default options and update /etc/ssl/openssl.cnf settings accordingly. ---------------------------------------------------------- III. Removal Instructions (not recommended) 1. Your system will not contain an OpenSSL after removal of this package. Note: removing OpenSSL will break OpenSSH and any other software linked against the OpenSSL libraries (like OpenSSH). 2. As root, remove the package using these commands: $ su - Password: # pkgrm -a check openssl If you have questions regarding this package, or the product on which it is installed, please contact your software supplier. ------------------------------------------------------------------------------- (C) Copyright 2025 Xinuos, Inc. All Rights Reserved.