New OpenSSL Releases


Tomas Mraz

Sep 23, 2025, 9:56:56 AM
to openss...@openssl.org, openssl...@openssl.org
The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.5.4, 3.4.3, 3.3.5, 3.2.5 and 3.0.18.

We will be also releasing extended support OpenSSL versions 1.0.2zm and
1.1.1zd which will be available to premium support customers.

These releases will be made available on Tuesday 30th September 2025
between 1300-1700 UTC.

These are security-fix releases. The highest severity issue fixed in
each of these releases is Moderate:

https://openssl-library.org/policies/general/security-policy/index.html

Yours
The OpenSSL Project Team


Martin Bonner

Sep 24, 2025, 2:45:32 AM
to Tomas Mraz, openss...@openssl.org, openssl...@openssl.org
I forwarded the information internally, and a colleague asked for more details. I said there weren't any at the moment, and within 15 minutes he had replied pointing at the commit that is almost certainly the cause of this release. Given it is so easy to find, is there any point in being so coy about what the problem is?

Martin Bonner
--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/b6525571ac6bce35570fced2470872048a3af381.camel%40openssl.org.
Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

Matt Caswell

Sep 24, 2025, 3:27:10 AM
to Martin Bonner, Tomas Mraz, openss...@openssl.org, openssl...@openssl.org
The details of the issues this release addresses, and the associated fixes, have not been made public at this time and are not in the git repository. They will be made public next week.

Matt

Tomas Mraz

Sep 24, 2025, 3:28:11 AM
to Martin Bonner, openss...@openssl.org, openssl...@openssl.org
Not really. The fixes for the security issues that will be released
with these upcoming versions are NOT present in the public github
repository of openssl. They will be merged only immediately before the
release is done.

We never merge fixes of issues with higher severity than Low to the
repository ahead of the release. And the security fixes always refer to
the CVE id of the fixed issue.

I would be interested to know which commit your colleague identified as
fixing a security issue. Most likely it is a fix for an issue that we
did not classify as security issue according to our security policy [1].
However if you reply to me privately with the concrete commit, I will
verify that there is no additional fix that should be classified as a
security issue.

[1]
https://openssl-library.org/policies/general/security-policy/index.html

Kind regards,

Tomáš Mráz, Public Support and Security Manager, OpenSSL Foundation
--
Tomáš Mráz, Public Support and Security Manager, OpenSSL Foundation
Join the Code Protectors or support us on Github Sponsors
https://openssl-foundation.org/donate/

Martin Bonner

Sep 24, 2025, 4:02:09 AM
to Tomas Mraz, openss...@openssl.org, openssl...@openssl.org

> Not really. The fixes for the security issues that will be released
> with these upcoming versions are NOT present in the public github
> repository of openssl. They will be merged only immediately before the
> release is done

This is the right answer! Thanks for the clarification.

Martin Bonner
