OpenSSL version 0.9.6a released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.6a of our open source toolkit for SSL/TLS. This new OpenSSL version is mostly a bugfix release and incorporates at least 55 changes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES). The most significant changes are: o Security fix: change behavior of OpenSSL to avoid using environment variables when running as root. o Security fix: check the result of RSA-CRT to reduce the possibility of deducing the private key from an incorrectly calculated signature. o Security fix: prevent Bleichenbacher's DSA attack. o Security fix: Zero the premaster secret after deriving the master secret in DH ciphersuites. o Reimplement SSL_peek(), which had various problems. o Compatibility fix: the function des_encrypt() renamed to des_encrypt1() to avoid clashes with some Unixen libc. o Bug fixes for Win32, HP/UX and Irix. o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and memory checking routines. o Bug fixes for RSA operations in threaded enviroments. o Bug fixes in misc. openssl applications. o Remove a few potential memory leaks. o Add tighter checks of BIGNUM routines. o Shared library support has been reworked for generality. o More documentation. o New function BN_rand_range(). o Add "-rand" option to openssl s_client and s_server. We consider OpenSSL 0.9.6a to be the best version of OpenSSL available and we strongly recommend that users of older versions, especially of old SSLeay versions, upgrade as soon as possible. OpenSSL 0.9.6a is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ [1] OpenSSL comes in the form of two distributions this time as well. The reasons for this is that we want to deploy the external crypto device support but don't want to have it part of the "normal" distribution just yet. The distribution containing the external crypto device support is popularly called "engine", and is considered experimental. It's been fairly well tested on Unix and flavors thereof. If run on a system with no external crypto device, it will work just like the "normal" distribution. The distribution file names are: o openssl-0.9.6a.tar.gz [normal] o openssl-engine-0.9.6a.tar.gz [engine] Yours, The OpenSSL Project Team... Mark J. Cox Richard Levitte Andy Polyakov Ralf S. Engelschall Bodo Möller Holger Reif Dr. Stephen Henson Ulf Möller Geoff Thorpe Ben Laurie Lutz Jänicke --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com