products:openssl:history_3
Delphi 12 Athens Updates Available!
To download, click your product: DIContainers, DIConverters, DICreole, DIFileFinder, DIGoogleReader, DIHtmlLabel, DIHtmlParser, DIMime, DIRegEx, DISQLite3, DITidy, DIUcl, DIUnicode, DIXml, YuBrotli, YuImage, YuNetSurf, YuOpenSSL, YuPcre2, YuPdf, YuStemmer, YuXmlSec, YuZip.
To download, click your product: DIContainers, DIConverters, DICreole, DIFileFinder, DIGoogleReader, DIHtmlLabel, DIHtmlParser, DIMime, DIRegEx, DISQLite3, DITidy, DIUcl, DIUnicode, DIXml, YuBrotli, YuImage, YuNetSurf, YuOpenSSL, YuPcre2, YuPdf, YuStemmer, YuXmlSec, YuZip.
Table of Contents
YuOpenSSL: Version History
YuOpenSSL-3 v1.3.1 – 31 Jan 2024
- Update OpenSSL to 3.0.13.
- Fix PKCS12 decoding crashes (CVE-2024-0727).
- Fix excessive time spent checking invalid RSA public keys (CVE-2023-6237).
- Fix excessive time spent in DH check / generation with large Q parameter value (CVE-2023-5678).
YuOpenSSL-3 v1.3.0 – 22 Nov 2023
- Support Delphi 12 Athens Win32 and Win64.
YuOpenSSL-3 v1.2.13 – 25 Oct 2023
- Update OpenSSL to 3.0.12.
- Moderate Severity:
- Fix CVE-2023-5363: Incorrect key and IV resizing issues when calling
EVP_EncryptInit_ex2,EVP_DecryptInit_ex2orEVP_CipherInit_ex2withOSSL_PARAMparameters that alter the key or IV length.
- Other, non critical bug fixes.
YuOpenSSL-3 v1.2.12 – 19 Sep 2023
- Update OpenSSL to 3.0.11.
YuOpenSSL-3 v1.2.11 – 1 Aug 2023
- Update OpenSSL to 3.0.10.
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value.
YuOpenSSL-3 v1.2.10 – 22 Jun 2023
- Fix CVE-2023-2975: AES-SIV implementation ignores empty associated data entries.
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters.
YuOpenSSL-3 v1.2.9 – 31 May 2023
- Update OpenSSL to 3.0.9.
- Moderate Severity:
- Fixed processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Applications that use
OBJ_obj2txtdirectly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.
- Other, non critical bug fixes.
YuOpenSSL-3 v1.2.8 – 26 Apr 2023
- Add APIs for YuXMLSec v1.1.0.
- Cherry pick low severity CVE fixes:
- Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465).
- Limited the number of nodes created in a policy tree (CVE-2023-0464).
YuOpenSSL-3 v1.2.7 – 8 Feb 2023
- Update OpenSSL to 3.0.8.
- High Severity:
- Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286).
- Moderate Severity:
- Fixed Timing Oracle in RSA Decryption (CVE-2022-4304).
- Fixed X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203).
- Fixed Use-after-free following
BIO_new_NDEF(CVE-2023-0215). - Fixed Double free after calling
PEM_read_bio_ex(CVE-2022-4450). - Fixed Invalid pointer dereference in
d2i_PKCS7functions (CVE-2023-0216). - Fixed NULL dereference validating DSA public key (CVE-2023-0217).
- Fixed NULL dereference during PKCS7 data verification (CVE-2023-0401).
- Fixed X.509 Policy Constraints Double Locking (CVE-2022-3996).
- Added dozens new API declarations.
YuOpenSSL-3 v1.2.6 – 18 Dec 2022
- Add APIs for YuXmlSec v1.0.3.
YuOpenSSL-3 v1.2.5 – 2 Nov 2022
- Update OpenSSL to 3.0.7 (OpenSSL 3.0.6 was withdrawn by the OpenSSL developers).
- Fixed two high vulnerability buffer overflows in punycode decoding functions, CVE-2022-3786 and CVE-2022-3602.
- Added RIPEMD160 to the default provider.
- Other minor bug fixes.
YuOpenSSL-3 v1.2.4 – 5 Jul 2022
- Update OpenSSL to 3.0.5.
- Fix
BN_gcdto check return value when callingBN_one. - Add a check for the return of
i2s_ASN1_INTEGER. - Fix
X509v3_addr_add_range,X509v3_addr_canonize, andX509v3_addr_is_canonicalto return the correct result. - Fix memory leak in
EC_GROUP_new_from_ecparameters. - Add and improve various checks.
YuOpenSSL-3 v1.2.3 – 21 Jun 2022
- Update OpenSSL to 3.0.4.
- Minor bug fixes.
- Add some constants and functions, mainly related to
EVP_KEYEXCH…andX509v3_addr….
YuOpenSSL-3 v1.2.2 – 6 May 2022
- Fix OpenSSL version reported by
OpenSSL_version…()functions and constants likeOPENSSL_FULL_VERSION_STR.
YuOpenSSL-3 v1.2.1 – 3 May 2022
- Update OpenSSL to 3.0.3.
- Fixed a bug in the function
OCSP_basic_verifythat verifies the signer certificate on an OCSP response. The bug caused the function in the case where the (non-default) flagOCSP_NOCHECKSis used to return a postivie response (meaning a successful verification) even in the case where the response signing certificate fails to verify. - Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the AAD data as the MAC key. This made the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check.
- Fix a bug in the
OPENSSL_LH_flushfunction that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time.
YuOpenSSL-3 v1.2.0 – 15 Mar 2022
- Update OpenSSL to 3.0.2:
- Fixed a bug in the
BN_mod_sqrtfunction that can cause it to loop forever for non-prime moduli (CVE-2022-0778). Vulnerable situations include:- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters
- Also any other applications that use the
BN_mod_sqrtwhere the attacker can control the parameter values are vulnerable to this DoS issue.
- Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3.
- Fixed
PEM_write_bio_PKCS8PrivateKeyto make it possible to use empty passphrase strings. - The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the
SSL_set_retry_verifyfunction.
- Add OCSP API functions for Internet Component Suite (ICS).
YuOpenSSL-3 v1.1.0 – 4 Feb 2022
- Add HTTP APIs like
OSSL_HTTP_get. They allow to obtain data from HTTP or secure HTTPS using just YuOpenSSL-3 and no additional 3-rd party Internet components. SeeYuOpenSSL_HTTP_get.dprdemo for usage. - Add APIs for YuXMLSec v1.0.0.
YuOpenSSL-3 v1.0.1 – 14 Dec 2021
- Update to OpenSSL 3.0.1:
- Fixed invalid handling of
X509_verify_certinternal errors (CVE-2021-4044). - Fixed
EVP_PKEY_eqto make it possible to use it with strictly private keys. - Fixed PVK encoder to properly query for the passphrase.
- Multiple fixes in the OSSL_HTTP API functions.
- Allow sign extension in
OSSL_PARAM_allocate_from_textfor theOSSL_PARAM_INTEGER_data type and return error on negative numbers used with theOSSL_PARAM_UNSIGNED_INTEGER_data type. MakeOSSL_PARAM_BLD_push_BNandOSSL_PARAM_BLD_push_BN_padreturn an error on negative numbers. - Allow copying uninitialized digest contexts with
EVP_MD_CTX_copy_ex. - Multiple threading fixes.
- Added NULL digest implementation to keep compatibility with 1.1.1 version.
- Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query.
- Update Indy IOHandler with latest new features and bug fixes.
YuOpenSSL-3 v1.0.0 – 17 Nov 2021
- Initial release, based on OpenSSL 3.0.0.
products/openssl/history_3.txt · Last modified: 2024/01/31 18:56 by 127.0.0.1