OpenSSL Bug

Kelden
Normal user
Posts: 44
Joined: 2011-05-02 13:58

OpenSSL Bug

Post by Kelden » 2020-04-22 13:19

Because of a security bug in OpenSSL, I updated the version in hMailServer to 1.1.1g and it works.
http://wiki.overbyte.eu/arch/openssl-1.1.1g-win32.zip
I have used this version and replaced the DLLs. I also saw that there were old OpenSSL DLLs with other names which I deleted.
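
After swapping DLLs by hand as described in the post above, one way to confirm what is actually on disk (an added example, not part of the original post and not hMailServer code). It assumes the library file carries OpenSSL's compiled-in version banner and that the "old DLLs with other names" are the pre-1.1.0 names `libeay32.dll` and `ssleay32.dll`; the sample files are constructed byte strings, not real DLLs.

```python
import re
import tempfile
from pathlib import Path

# Compiled-in banner, e.g. b"OpenSSL 1.1.1g  21 Apr 2020" (assumed present in the file).
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")
FIX_LETTER = "g"                                  # 1.1.1g carries the CVE-2020-1967 fix
LEGACY_NAMES = {"libeay32.dll", "ssleay32.dll"}   # DLL names used before OpenSSL 1.1.0

def banner_version(path):
    """Return (major, minor, patch, letter) from the embedded banner, or None."""
    m = BANNER.search(Path(path).read_bytes())
    return (int(m[1]), int(m[2]), int(m[3]), m[4].decode()) if m else None

def classify(name, version):
    """Map one DLL to a status string; None means 'not an OpenSSL library'."""
    if name.lower() in LEGACY_NAMES:
        return "legacy-name"          # leftover from an older install, remove it
    if version is None:
        return None
    if version[:3] != (1, 1, 1):
        return "other-branch"         # the quoted changelog only covers 1.1.1
    suffix = version[3]               # compare (length, text) so "za" sorts after "z"
    if (len(suffix), suffix) < (len(FIX_LETTER), FIX_LETTER):
        return "predates-1.1.1g"
    return "has-fix"

def audit(directory):
    """Return {dll name: status} for every OpenSSL DLL found in `directory`."""
    report = {}
    for dll in sorted(Path(directory).glob("*.dll")):
        status = classify(dll.name, banner_version(dll))
        if status is not None:
            report[dll.name] = status
    return report

def demo():
    """Audit constructed stand-in files (byte strings, not real DLLs)."""
    samples = {
        "libcrypto-1_1.dll": b"\x00OpenSSL 1.1.1g  21 Apr 2020\x00",
        "copy-of-libcrypto.dll": b"\x00OpenSSL 1.1.1f  31 Mar 2020\x00",
        "libeay32.dll": b"\x00OpenSSL 1.0.2u  20 Dec 2019\x00",
        "unrelated.dll": b"\x00no banner in this file\x00",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        return audit(tmp)
```

Point `audit()` at the directory holding the server's DLLs; any `predates-1.1.1g` or `legacy-name` entry means the replacement was incomplete.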

RvdH
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: OpenSSL Bug

Post by RvdH » 2020-04-22 13:35

Apparently the OpenSSL developers do not update the changelogs anymore, makes you wonder what they are doing.... 17 Mar 2020 1.1.1e, 18 Mar 2020 1.1.1f and now 1.1.1g :shock:
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

Dravion
Senior user
Posts: 1688
Joined: 2015-09-26 11:50
Location: Germany

Re: OpenSSL Bug

Post by Dravion » 2020-04-22 14:05


RvdH
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: OpenSSL Bug

Post by RvdH » 2020-04-22 15:01

Exactly what I meant, you might at least read before you post something.... Where are the changes from 1.1.1e > 1.1.1f and 1.1.1f to 1.1.1g?

Dravion
Senior user
Posts: 1688
Joined: 2015-09-26 11:50
Location: Germany

Re: OpenSSL Bug

Post by Dravion » 2020-04-22 15:58

RvdH wrote (2020-04-22 15:01):
"Exactly what I meant, you might at least read before you post something...."

Something you should do yourself.

It's in the CHANGES file if you download it, as mentioned on the OpenSSL website.

Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

  *) Fixed segmentation fault in SSL_check_chain()
     Server or client applications that call the SSL_check_chain() function
     during or after a TLS 1.3 handshake may crash due to a NULL pointer
     dereference as a result of incorrect handling of the
     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
     or unrecognised signature algorithm is received from the peer. This could
     be exploited by a malicious peer in a Denial of Service attack.
     (CVE-2020-1967)
     [Benjamin Kaduk]

  *) Added AES consttime code for no-asm configurations
     an optional constant time support for AES was added
     when building openssl for no-asm.
     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
     At this time this feature is by default disabled.
     It will be enabled by default in 3.0.
     [Bernd Edlinger]

Changes between 1.1.1e and 1.1.1f [31 Mar 2020]

  *) Revert the change of EOF detection while reading in libssl to avoid
     regressions in applications depending on the current way of reporting
     the EOF. As the existing method is not fully accurate the change to
     reporting the EOF via SSL_ERROR_SSL is kept on the current development
     branch and will be present in the 3.0 release.
     [Tomas Mraz]

jimimaseye
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Re: OpenSSL Bug

Post by jimimaseye » 2020-04-22 16:11

The intro of the page says:
"For other branches, the changelogs are distributed with the source, but are also available here: 1.1.1"
(details behind the link)

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

RvdH
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: OpenSSL Bug

Post by RvdH » 2020-04-22 17:37

@Dravion
Sure, try to make a point by quoting contents of a different document, bravo!

@jimimaseye, thanks...overlooked that link

Dravion
Senior user
Posts: 1688
Joined: 2015-09-26 11:50
Location: Germany

Re: OpenSSL Bug

Post by Dravion » 2020-04-22 17:50

You looked for the latest Changelog and didn't find it.
You got help and now you are bitching like a little Girl, Nice.

RvdH
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: OpenSSL Bug

Post by RvdH » 2020-04-22 17:57

@Kelden

Martin has published a build using the new OpenSSL 1.1.1g. To be sure the OpenSSL libraries are built the proper way, get it here: https://build.hmailserver.com, log in as guest and look under artifacts.

SorenR
Senior user
Posts: 3818
Joined: 2006-08-21 15:38
Location: Denmark

Re: OpenSSL Bug

Post by SorenR » 2020-04-22 18:48

@RvdH & @Dravion
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

RvdH
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: OpenSSL Bug

Post by RvdH » 2020-04-22 19:08

SorenR wrote (2020-04-22 18:48):
"@RvdH & @Dravion"

LOL :mrgreen:
Maybe you are right, this lockdown is taking far too long and it might start to act on my nerves (a little bit...I hope :) )
