Yunqa • The Delphi Inspiration

Delphi Components and Applications

User Tools

Site Tools


products:openssl:history_3.0

YuOpenSSL: Version History

YuOpenSSL is a Delphi port of the OpenSSL cryptography and SSL/TSL library. All code is statically compiled into applications. OpenSSL DLLs are not needed. Over 5000 functions, procedures, constants, and types are ready to use in a single Delphi unit.

YuOpenSSL-3.0 v1.3.4 – 4 Sep 2024

  • Update to OpenSSL 3.0.15.
    • Fixed possible denial of service in X.509 name checks (CVE-2024-6119).
    • Fixed possible buffer overread in SSL_select_next_proto (CVE-2024-5535).

YuOpenSSL-3.0 v1.3.3 – 24 Aug 2024

  • Rename from YuOpenSSL to YuOpenSSL-3.0.
  • New common folder for all 3rd-party components' info and code.

YuOpenSSL-3.0 v1.3.2 – 4 Jun 2024

  • Update to OpenSSL 3.0.14.
    • Fixed potential use after free after SSL_free_buffers is called (CVE-2024-4741).
    • Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603).
    • Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511).

YuOpenSSL-3.0 v1.3.1 – 31 Jan 2024

  • Update to OpenSSL 3.0.13.
    • Fix PKCS12 decoding crashes (CVE-2024-0727).
    • Fix excessive time spent checking invalid RSA public keys (CVE-2023-6237).
    • Fix excessive time spent in DH check / generation with large Q parameter value (CVE-2023-5678).

YuOpenSSL-3.0 v1.3.0 – 22 Nov 2023

  • Support Delphi 12 Athens Win32 and Win64.

YuOpenSSL-3.0 v1.2.13 – 25 Oct 2023

  • Update OpenSSL to 3.0.12.
    • Moderate Severity:
      • Fix CVE-2023-5363: Incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2, EVP_DecryptInit_ex2 or EVP_CipherInit_ex2 with OSSL_PARAM parameters that alter the key or IV length.
    • Other, non critical bug fixes.

YuOpenSSL-3.0 v1.2.12 – 19 Sep 2023

  • Update to OpenSSL 3.0.11.

YuOpenSSL-3.0 v1.2.11 – 1 Aug 2023

  • Update to OpenSSL 3.0.10.
    • Fix CVE-2023-3817: Excessive time spent checking DH q parameter value.

YuOpenSSL-3.0 v1.2.10 – 22 Jun 2023

  • Fix CVE-2023-2975: AES-SIV implementation ignores empty associated data entries.
  • Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters.

YuOpenSSL-3.0 v1.2.9 – 31 May 2023

  • Update to OpenSSL 3.0.9.
    • Moderate Severity:
      • Fixed processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Applications that use OBJ_obj2txt directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.
    • Other, non critical bug fixes.

YuOpenSSL-3.0 v1.2.8 – 26 Apr 2023

  • Add APIs for YuXMLSec v1.1.0.
  • Cherry pick low severity CVE fixes:
    • Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465).
    • Limited the number of nodes created in a policy tree (CVE-2023-0464).

YuOpenSSL-3.0 v1.2.7 – 8 Feb 2023

  • Update to OpenSSL 3.0.8.
    • High Severity:
      • Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286).
    • Moderate Severity:
      • Fixed Timing Oracle in RSA Decryption (CVE-2022-4304).
      • Fixed X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203).
      • Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215).
      • Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450).
      • Fixed Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216).
      • Fixed NULL dereference validating DSA public key (CVE-2023-0217).
      • Fixed NULL dereference during PKCS7 data verification (CVE-2023-0401).
      • Fixed X.509 Policy Constraints Double Locking (CVE-2022-3996).
  • Added dozens new API declarations.

YuOpenSSL-3.0 v1.2.6 – 18 Dec 2022

  • Add APIs for YuXmlSec v1.0.3.

YuOpenSSL-3.0 v1.2.5 – 2 Nov 2022

  • Update to OpenSSL 3.0.7 (OpenSSL 3.0.6 was withdrawn by the OpenSSL developers).
    • Fixed two high vulnerability buffer overflows in punycode decoding functions, CVE-2022-3786 and CVE-2022-3602.
    • Added RIPEMD160 to the default provider.
    • Other minor bug fixes.

YuOpenSSL-3.0 v1.2.4 – 5 Jul 2022

  • Update to OpenSSL 3.0.5.
    • Fix BN_gcd to check return value when calling BN_one.
    • Add a check for the return of i2s_ASN1_INTEGER.
    • Fix X509v3_addr_add_range, X509v3_addr_canonize, and X509v3_addr_is_canonical to return the correct result.
    • Fix memory leak in EC_GROUP_new_from_ecparameters.
    • Add and improve various checks.

YuOpenSSL-3.0 v1.2.3 – 21 Jun 2022

  • Update to OpenSSL 3.0.4.
    • Minor bug fixes.
    • Add some constants and functions, mainly related to EVP_KEYEXCH… and X509v3_addr….

YuOpenSSL-3.0 v1.2.2 – 6 May 2022

  • Fix OpenSSL version reported by OpenSSL_version…() functions and constants like OPENSSL_FULL_VERSION_STR.

YuOpenSSL-3.0 v1.2.1 – 3 May 2022

  • Update to OpenSSL 3.0.3.
    • Fixed a bug in the function OCSP_basic_verify that verifies the signer certificate on an OCSP response. The bug caused the function in the case where the (non-default) flag OCSP_NOCHECKS is used to return a postivie response (meaning a successful verification) even in the case where the response signing certificate fails to verify.
    • Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the AAD data as the MAC key. This made the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check.
    • Fix a bug in the OPENSSL_LH_flush function that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time.

YuOpenSSL-3.0 v1.2.0 – 15 Mar 2022

  • Update to OpenSSL 3.0.2:
    • Fixed a bug in the BN_mod_sqrt function that can cause it to loop forever for non-prime moduli (CVE-2022-0778). Vulnerable situations include:
      • TLS clients consuming server certificates
      • TLS servers consuming client certificates
      • Hosting providers taking certificates or private keys from customers
      • Certificate authorities parsing certification requests from subscribers
      • Anything else which parses ASN.1 elliptic curve parameters
      • Also any other applications that use the BN_mod_sqrt where the attacker can control the parameter values are vulnerable to this DoS issue.
    • Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3.
    • Fixed PEM_write_bio_PKCS8PrivateKey to make it possible to use empty passphrase strings.
    • The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the SSL_set_retry_verify function.
  • Add OCSP API functions for Internet Component Suite (ICS).

YuOpenSSL-3.0 v1.1.0 – 4 Feb 2022

  • Add HTTP APIs like OSSL_HTTP_get. They allow to obtain data from HTTP or secure HTTPS using just YuOpenSSL and no additional 3-rd party Internet components. See YuOpenSSL_HTTP_get.dpr demo for usage.
  • Add APIs for YuXMLSec v1.0.0.

YuOpenSSL-3.0 v1.0.1 – 14 Dec 2021

  • Update to OpenSSL 3.0.1:
    • Fixed invalid handling of X509_verify_cert internal errors (CVE-2021-4044).
    • Fixed EVP_PKEY_eq to make it possible to use it with strictly private keys.
    • Fixed PVK encoder to properly query for the passphrase.
    • Multiple fixes in the OSSL_HTTP API functions.
    • Allow sign extension in OSSL_PARAM_allocate_from_text for the OSSL_PARAM_INTEGER_ data type and return error on negative numbers used with the OSSL_PARAM_UNSIGNED_INTEGER_ data type. Make OSSL_PARAM_BLD_push_BN and OSSL_PARAM_BLD_push_BN_pad return an error on negative numbers.
    • Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.
    • Multiple threading fixes.
    • Added NULL digest implementation to keep compatibility with 1.1.1 version.
    • Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query.
  • Update Indy IOHandler with latest new features and bug fixes.

YuOpenSSL-3.0 v1.0.0 – 17 Nov 2021

  • Initial release, based on OpenSSL 3.0.0.
products/openssl/history_3.0.txt · Last modified: 2024/09/04 13:14 by 127.0.0.1