Category: security

OpenSSL 3.5.0

April 8th, 2025
The most fascinating feature is the support for post-quantum cryptography (PQC) algorithms !!!

This release adds the following new features:
- Support for server side QUIC (RFC 9000)
- Support for 3rd party QUIC stacks including 0-RTT support
- Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
- A new configuration option no-tls-deprecated-ec to disable support for
  TLS groups deprecated in RFC8422
- A new configuration option enable-fips-jitter to make the FIPS provider
  to use the JITTER seed source
- Support for central key generation in CMP
- Support added for opaque symmetric key objects (EVP_SKEY)
- Support for multiple TLS keyshares and improved TLS key establishment group
  configurability
- API support for pipelining in provided cipher algorithms
https://github.com/openssl/openssl/releases/tag/openssl-3.5.0
FreeBSD not affected by xz backdoor

March 30th, 2024
1. All supported FreeBSD releases include versions of xz that predate the affected releases.
2. The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import.
3. Additionally, FreeBSD does not use the upstream’s build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
4. The FreeBSD ports collection does not include xz/liblzma.
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
xz repo in GitHub has been disabled

March 30th, 2024

Crazy stuff

https://github.com/tukaani-project/xz
xz package backdoor!!!

March 29th, 2024

Seems pretty serious! Update your systems now !!!

The vulnerability affects xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1).

Andres Freund noticed odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) and concluded that the xz package has been backdoored.

The backdoor is present in the tarballs released upstream and contains the following line (originally not present in the source code):

After the update:

Running ldd (shared libraries utility) to ensure no linkage between openssh and liblzma.

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://archlinux.org/news/the-xz-package-has-been-backdoored

https://security.archlinux.org/ASA-202403-1
OpenSSH 9.6

December 25th, 2023

Among notable changes, this release includes a fix for the Terrapin Attack.

https://www.undeadly.org/cgi?action=article;sid=20231219122431

https://www.openssh.com/releasenotes.html#9.6
New Terrapin attack with prefix truncation

December 21st, 2023

One of SSH’s few vulnerabilities

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

https://terrapin-attack.com/
Critical zero-day in Chrome

December 1st, 2023

https://arstechnica.com/security/2023/11/google-researchers-report-critical-zero-days-in-chrome-and-all-apple-oses/

https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html