New OpenSSL patch releases available

New OpenSSL patch releases are available

OpenSSL has released the following new patch level releases, available for download now. Notable changes for each release are as follows:

OpenSSL-3.0.14

  • Fixes for various memory leaks
  • Various build and behavioral fixes on VMS
  • Various fixes in response to CVE-2024-4741
  • Explicit setup of cpuid flags in the fips provider
  • DSA size checking (CVE-2024-4603)
  • Fix for an sm2 encryption implementation bug
  • Addition of a linux-arm64ilp32-clang build target
  • Fix unconstrained session cache growth in TLSv1.3 (CVE-2024-2511)
  • Fix unbounded memory growth when using no-cached-fetch
  • Add atexit configuration option to using atexit() in libcrypto at build-time

OpenSSL-3.1.6

  • Fixes for various memory leaks
  • Various build and behavioral fixes on VMS
  • Various fixes in response to CVE-2024-4741
  • Explicit setup of cpuid flags in the fips provider
  • DSA size checking (CVE-2024-4603)
  • Fix for an sm2 encryption implementation bug
  • Addition of a linux-arm64ilp32-clang build target
  • Various fixes for CVE-2024-2511
  • Fix unconstrained session cache growth in TLSv1.3 (CVE-2024-2511)
  • Fix unbounded memory growth when using no-cached-fetch
  • Add atexit configuration option to using atexit() in libcrypto at build-time

OpenSSL-3.2.2

  • Fixes for various memory leaks
  • Various build and behavioral fixes on VMS
  • Various fixes in response to CVE-2024-4741
  • Fix race for X509 store found by thread sanitizer
  • Various bug fixes to the QUIC client
  • Explicit setup of cpuid flags in the fips provider
  • DSA size checking (CVE-2024-4603)
  • Fix for an sm2 encryption implementation bug
  • Addition of a linux-arm64ilp32-clang build target
  • Various fixes for CVE-2024-2511
  • Fix unconstrained session cache growth in TLSv1.3 (CVE-2024-2511)
  • Fix unbounded memory growth when using no-cached-fetch
  • Add atexit configuration option to using atexit() in libcrypto at build-time
  • Fix sm4-xts aarch64 assembly implementation bug
  • Fix compilation on Windows using icc

OpenSSL-3.3.1

  • Support updated to oqs-provider 0.6.0
  • Add demo for ECDH key exchange
  • Fixes for various memory leaks
  • Various build and behavioral fixes on VMS
  • Various fixes in response to CVE-2024-4741
  • Fix race for X509 store found by thread sanitizer
  • Various bug fixes to the QUIC client
  • Explicit setup of cpuid flags in the fips provider
  • DSA size checking (CVE-2024-4603)
  • Fix for an sm2 encryption implementation bug
  • Addition of a linux-arm64ilp32-clang build target
  • Various fixes for CVE-2024-2511
  • Fix unconstrained session cache growth in TLSv1.3 (CVE-2024-2511)
  • Fix unbounded memory growth when using no-cached-fetch
  • Add atexit configuration option to using atexit() in libcrypto at build-time
  • Fix sm4-xts aarch64 assembly implementation bug
  • Fix compilation on Windows using icc

Bug reports and issues relating to OpenSSL can be filed on our issue tracker, and questions about using OpenSSL can be posted on GitHub Discussions.