openssl+quic (quictls) 3.0.16 rpms released

openssl+quic (quictls) 3.0.16 RPMs have been released and added to all supported platforms.

OpenSSL 3.0.16 is a security patch release.

This release incorporates the following bug fixes and mitigations:

Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)

Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

OpenSSL+quic builds

We have started providing builds of the OpenSSL+quic project (an Akamai and Microsoft initiative) for EL7/EL8. This will allow us to have NGINX HTTP/3 (ex-QUIC) support. The libs package does not conflict with the bundled OpenSSL libs: the version of its shared library files is prefixed with “81.”, giving libssl.81.1.1 and libcrypto.81.1.1 instead of the bundled libssl.1.1 and libcrypto.1.1.

To install, run: dnf install openssl-quic-libs

A devel package is also available: openssl-quic-devel.

Should we build next mainline nginx against OpenSSL tls1.3-draft-18 branch (that adds TLS v1.3 support)?

One question here.

Should we build next mainline nginx against OpenSSL tls1.3-draft-18 branch? Stable 1.10 won’t be affected.

Please share your thoughts in comments.