Date: Mon, 2 Apr 2001 10:57:11 -0400 (EDT)
From: Robert Watson <robert@fledge.watson.org>
To: freebsd-audit@FreeBSD.org
Subject: [ANNOUNCEMENT] OpenSSL 0.9.6a Beta 3 released (fwd)

I notice that one of the release notes in the 0.9.6a OpenSSL release has to do with avoiding the use of environmental variables when running as root. Could someone take a look at our OpenSSL code and see if we have problems relating to this? Also, it might be worth checking that the OpenSSL folk use issetugid() rather than get*id().

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

---------- Forwarded message ----------
Date: Fri, 30 Mar 2001 22:45:06 +0200
From: Richard Levitte
Reply-To: openssl-dev@openssl.org
To: openssl-announce@openssl.org, openssl-users@openssl.org, openssl-dev@openssl.org, coderpunks@toad.com, cypherpunks@openpgp.net, cryptography@c2.net, VMS-SSH@ALPHA.SGGW.WAW.PL, INFO-VAX@MVB.SAIC.COM, VMS-WEB-DAEMON@KJSL.COM, info-wasd@vsm.com.au
Subject: [ANNOUNCEMENT] OpenSSL 0.9.6a Beta 3 released

The third beta release of OpenSSL 0.9.6a is now available from the OpenSSL FTP site . OpenSSL 0.9.6a is a bug-fix release of version 0.9.6, and currently contains 52 documented changes.
Among others, this release should build on all Windows platforms, which 0.9.6 failed to do.

Just as for version 0.9.6, this one comes in two variants, one containing the now well-known ENGINE code and one that doesn't. The tar files are:

    openssl-0.9.6a-beta3.tar.gz
    openssl-engine-0.9.6a-beta3.tar.gz

The news section for 0.9.6a gives the following:

  o Security fix: change behavior of OpenSSL to avoid using environment variables when running as root.
  o Security fix: check the result of RSA-CRT to reduce the possibility of deducing the private key from an incorrectly calculated signature.
  o Security fix: prevent Bleichenbacher's DSA attack.
  o Security fix: Zero the premaster secret after deriving the master secret in DH ciphersuites.
  o Reimplement SSL_peek(), which had various problems.
  o Compatibility fix: the function des_encrypt() renamed to des_encrypt1() to avoid clashes with some Unixen libc.
  o Bug fixes for Win32, HP/UX and Irix.
  o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and memory checking routines.
  o Bug fixes for RSA operations in threaded environments.
  o Bug fixes in misc. openssl applications.
  o Remove a few potential memory leaks.
  o Add tighter checks of BIGNUM routines.
  o Shared library support has been reworked for generality.
  o More documentation.
  o New function BN_rand_range().
  o Add "-rand" option to openssl s_client and s_server.

The next (hopefully real) release is scheduled for Tuesday 2001-04-03. To make sure that it will work correctly, please test this version (especially on less common platforms), and report any problems to .
--
Richard Levitte   levitte@openssl.org
OpenSSL Project   http://www.openssl.org/~levitte/
Software Engineer, Celo Communications: http://www.celocom.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majordomo@openssl.org
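As an added example (not OpenSSL's or FreeBSD's own code) of the check Robert asks auditors to look for: a file path taken from the environment is honoured only when issetugid() reports that the process did not gain privilege, and the get*id() comparison is kept only as the weaker fallback. RANDFILE is assumed as the variable name and the default path is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

/* Returns 1 when the environment must be treated as supplied by an
 * untrusted invoker, i.e. the process gained privilege via set-uid or
 * set-gid.  issetugid(2) is the BSD answer; on Linux the kernel exports
 * the same fact as AT_SECURE.  The uid/euid comparison is only a last
 * resort: a set-uid program that already called setuid(getuid()) passes
 * it although its environment is still tainted, which is why the message
 * above prefers issetugid() over get*id(). */
static int env_tainted(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
    return issetugid() != 0;
#elif defined(__linux__)
    return getauxval(AT_SECURE) != 0;
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Policy kept free of system calls so both branches can be exercised:
 * honour the environment's value only when untainted and non-empty. */
static const char *select_path(const char *env_value, int tainted,
                               const char *fallback)
{
    if (tainted || env_value == NULL || env_value[0] == '\0')
        return fallback;
    return env_value;
}

/* Replacement for a bare getenv(var) when var names a file the library
 * will read or write; RANDFILE is the assumed OpenSSL example. */
const char *path_from_env(const char *var, const char *fallback)
{
    return select_path(getenv(var), env_tainted(), fallback);
}

int main(void)
{
    /* Constructed default path; a set-id process never sees RANDFILE. */
    printf("seed file: %s\n", path_from_env("RANDFILE", "/etc/example.rnd"));
    return 0;
}
```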