Tag: OpenSSL

openssl 3.5.5 rpms released

openssl 3.5.5 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, RedHat Enterprise Linux RHEL, Oracle Linux).

Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)

Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)

Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)

Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB (CVE-2025-15469)

Fixed TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)

Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)

Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
function calls (CVE-2025-69418)

Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)

Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
function (CVE-2025-69420)

Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function (CVE-2025-69421)

Fixed Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)

Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
function (CVE-2026-22796)

OpenSSL 3.5 is a release featuring QUIC server support.

We continue to build libs with quic support as a separate non-conflicting package openssl-quic-libs, files have separate .so.81.3 suffix to avoid conflicts with the official .so.3.

OpenSSL 3.5.4 rpms released

openssl 3.5.4 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, RedHat Enterprise Linux RHEL, Oracle Linux).

CVE-2025-9230 – Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
CVE-2025-9231 – Fix Timing side-channel in SM2 algorithm on 64-bit ARM.
CVE-2025-9232 – Fix Out-of-bounds read in HTTP client no_proxy handling.

OpenSSL 3.5 is a release featuring QUIC server support.

We continue to build libs with quic support as a separate non-conflicting package openssl-quic-libs, files have separate .so.81.3 suffix to avoid conflicts with the official .so.3.

OpenSSL 3.5.1 rpms released

openssl 3.5.1 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, RedHat Enterprise Linux RHEL, Oracle Linux).

Fix x509 application adds trusted use instead of rejected use (CVE-2025-4575)

OpenSSL 3.5.1 is a release featuring QUIC server support.

We continue to build libs with quic support as a separate non-conflicting package openssl-quic-libs, files have separate .so.81.3 suffix to avoid conflicts with the official .so.3.

OpenSSL 3.5.0 with official QUIC server support rpms released

openssl 3.5.0 rpms released and added to all supported platforms.

OpenSSL 3.5.0 is a major release featuring QUIC server support.

We continue to build libs with quic support as a separate non-conflicting package openssl-quic-libs, files have separate .so.81.3 suffix to avoid conflicts with the official .so.3.

All the libraries stack rebuilt with OpenSSL 3.5.0, including ngtcp2 (quic client name changed from qtlsclient to osslclient).

openssl+quic (quictls) 3.0.16 rpms released

openssl+quic (quictls) 3.0.16 rpms released and added to all supported platforms.

OpenSSL 3.0.16 is a security patch release.

This release incorporates the following bug fixes and mitigations:

Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)

Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

OpenSSL+quic builds

We started providing builds for OpenSSL+quic project (Akamai and Microsoft initiative) for EL7/EL8. This will allow us to have NGINX HTTP/3 (ex-QUIC) support. libs package does not conflict with bundled OpenSSL libs: so-libs files version is prefixed with “81.”: libssl.81.1.1 and libcrypto.81.1.1 instead of bundled libssl.1.1 and libcrypto.1.1.

To install you can run: dnf install openssl-quic-libs

Devel package is also available: openssl-quic-devel.