OpenSSL Bug

Posted: 2020-04-22 13:19
by Kelden
Because of a security bug in OpenSSL, I updated the version in hMailServer to 1.1.1g and it works.
http://wiki.overbyte.eu/arch/openssl-1.1.1g-win32.zip
I have used this version and replaced the DLLs. I also saw that there were old OpenSSL DLLs with other names which I deleted.

Re: OpenSSL Bug

Posted: 2020-04-22 13:35
by RvdH
Apparently the OpenSSL developers do not update the changelogs anymore; makes you wonder what they are doing.... 17 Mar 2020 1.1.1e, 18 Mar 2020 1.1.1f and now 1.1.1g :shock:

Re: OpenSSL Bug

Posted: 2020-04-22 14:05
by Dravion

Re: OpenSSL Bug

Posted: 2020-04-22 15:01
by RvdH
Exactly what I meant, you might at least read before you post something.... where are the changes from 1.1.1e > 1.1.1f and 1.1.1f to 1.1.1g?

Re: OpenSSL Bug

Posted: 2020-04-22 15:58
by Dravion
RvdH wrote:
2020-04-22 15:01
Exactly what I meant, you might at least read before you post something....
Something you should do yourself.

It's in the CHANGES file if you download it, as mentioned on the OpenSSL website.

Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

*) Fixed segmentation fault in SSL_check_chain()
Server or client applications that call the SSL_check_chain() function
during or after a TLS 1.3 handshake may crash due to a NULL pointer
dereference as a result of incorrect handling of the
"signature_algorithms_cert" TLS extension. The crash occurs if an invalid
or unrecognised signature algorithm is received from the peer. This could
be exploited by a malicious peer in a Denial of Service attack.
(CVE-2020-1967)
[Benjamin Kaduk]

*) Added AES consttime code for no-asm configurations
an optional constant time support for AES was added
when building openssl for no-asm.
Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
At this time this feature is by default disabled.
It will be enabled by default in 3.0.
[Bernd Edlinger]

Changes between 1.1.1e and 1.1.1f [31 Mar 2020]

*) Revert the change of EOF detection while reading in libssl to avoid
regressions in applications depending on the current way of reporting
the EOF. As the existing method is not fully accurate the change to
reporting the EOF via SSL_ERROR_SSL is kept on the current development
branch and will be present in the 3.0 release.
[Tomas Mraz]

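An added example (not from this thread, hMailServer or OpenSSL) of how an operator can check whether a deployed build predates the 1.1.1g fix quoted above: it parses the letter-suffixed 1.1.1 version strings so that 1.1.1f sorts below 1.1.1g. Assumptions: only the 1.1.1 branch is treated as affected, and `ssl.OPENSSL_VERSION` is used merely to report the OpenSSL the running interpreter loaded.

```python
import re
import ssl

# Constructed pattern, not from the forum post: OpenSSL 1.1.1-series releases
# carry a trailing letter for patch releases (1.1.1e < 1.1.1f < 1.1.1g),
# while 3.x releases use plain numbers.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)")

# Release that carries the SSL_check_chain() fix (CVE-2020-1967), per the
# "Changes between 1.1.1f and 1.1.1g" entry quoted in the thread.
FIXED_IN = "1.1.1g"


def parse_version(text):
    """Turn '1.1.1g' (or 'OpenSSL 1.1.1g  21 Apr 2020') into a comparable tuple.

    The patch letter becomes its ordinal ('a' -> 1) so '1.1.1' sorts below
    '1.1.1a'; a version without a letter gets 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter = m.groups()
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), suffix)


def lacks_check_chain_fix(version):
    """True if a 1.1.1-branch build is older than 1.1.1g.

    Assumption: only the 1.1.1 branch is treated as affected; 1.0.2, 1.1.0
    and 3.x builds return False here.
    """
    v = parse_version(version)
    if v[:3] != (1, 1, 1):
        return False
    return v < parse_version(FIXED_IN)


def runtime_report():
    """Report the OpenSSL linked into this interpreter and whether it predates 1.1.1g."""
    ver = ssl.OPENSSL_VERSION
    return ver, lacks_check_chain_fix(ver)


if __name__ == "__main__":
    # Constructed sample version strings, covering the cases the parser handles.
    for sample in ("1.1.1e", "1.1.1f", "1.1.1g", "1.1.1", "1.0.2u", "3.0.8"):
        print(f"{sample:8} predates 1.1.1g fix: {lacks_check_chain_fix(sample)}")
    print("runtime:", runtime_report())
```

On a Windows hMailServer box the same comparison can be run against the version string reported by the replaced libssl/libcrypto DLLs.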
Re: OpenSSL Bug

Posted: 2020-04-22 16:11
by jimimaseye
The intro of the page says:
For other branches, the changelogs are distributed with the source, but are also available here: 1.1.1
(details behind the link)

[Entered by mobile. Excuse my spelling.]

Re: OpenSSL Bug

Posted: 2020-04-22 17:37
by RvdH
Dravion wrote:
2020-04-22 15:58
RvdH wrote:
2020-04-22 15:01
Exactly what I meant, you might at least read before you post something....
Something you should do yourself.

It's in the CHANGES file if you download it, as mentioned on the OpenSSL website.

Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

*) Fixed segmentation fault in SSL_check_chain()
Server or client applications that call the SSL_check_chain() function
during or after a TLS 1.3 handshake may crash due to a NULL pointer
dereference as a result of incorrect handling of the
"signature_algorithms_cert" TLS extension. The crash occurs if an invalid
or unrecognised signature algorithm is received from the peer. This could
be exploited by a malicious peer in a Denial of Service attack.
(CVE-2020-1967)
[Benjamin Kaduk]

*) Added AES consttime code for no-asm configurations
an optional constant time support for AES was added
when building openssl for no-asm.
Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
At this time this feature is by default disabled.
It will be enabled by default in 3.0.
[Bernd Edlinger]

Changes between 1.1.1e and 1.1.1f [31 Mar 2020]

*) Revert the change of EOF detection while reading in libssl to avoid
regressions in applications depending on the current way of reporting
the EOF. As the existing method is not fully accurate the change to
reporting the EOF via SSL_ERROR_SSL is kept on the current development
branch and will be present in the 3.0 release.
[Tomas Mraz]
@Dravion
Sure, try to make a point by quoting contents of a different document, bravo!

@jimimaseye, thanks...overlooked that link

Re: OpenSSL Bug

Posted: 2020-04-22 17:50
by Dravion
You looked for the latest Changelog and didn't find it.
You got help and now you are bitching like a little girl, nice.

Re: OpenSSL Bug

Posted: 2020-04-22 17:57
by RvdH
@Kelden

Martin has published a build using the new OpenSSL 1.1.1g; to be sure the OpenSSL libraries are built the proper way, get it here: https://build.hmailserver.com, log in as guest and look under artifacts.

Re: OpenSSL Bug

Posted: 2020-04-22 18:48
by SorenR
@RvdH & @Dravion

Re: OpenSSL Bug

Posted: 2020-04-22 19:08
by RvdH
SorenR wrote:
2020-04-22 18:48
@RvdH & @Dravion
LOL :mrgreen:
Maybe you are right, this lockdown is taking far too long and it might start to get on my nerves (a little bit... I hope :) )