Add 3.0.9 to table of validated versions #467
3.0.9 has been validated so should be in the table of validated versions on the download page.
Not sure how we should handle the 3.0.0 version. It is not validated anymore.
3.0.0 should be marked historic (or removed). It's no longer FIPS approved and hasn't been since 3.0.8 was released. Technically 3.0.8 and 3.0.9 are also no longer approved since the publication of the FIPS impacting CVE 2023-6237. A 3A sub is required to regain compliance.
@paulidale Where do you see this strict implication that any CVE impacting a module makes the module not being validated? Is it documented somewhere in IGs or so? IMO, especially for this kind of low severity issues it does not make any sense for the module to lose the validated status. Which of course does not imply that we should not bother doing a 3A revalidation. But it will definitely take some time to get a new validation certificate for 3.0.13 or whatever version it will be that undergoes the revalidation.
IG G.8: Because the change to the module is to address a security-relevant CVE, the previous version of the module is no longer considered validated and will be removed from the certificate; ... It isn't clear if the FIPS validation remains intact for the duration of this process or not. Our lab has indicated that it doesn't previously (which might or might not be correct), my reading is it probably does. Not undertaking the 3A sub process is clearer IMO: the validation sunsets. The problem with revalidating using 3.0.13 is that it will likely require both a 3A (CVE fix) and a 3B (everything else) sub. The latter is very slow, the former would be enough to maintain the validation and really should be in process already. If it's a paperwork only change, the 3.0.9/3.0.8 certificate could be updated via a 3A sub submission. We got significant pushback on paperwork fixes for the 3.0.8/3.0.9 submission.
I've updated this to mark the 3.0.0 version as historic. @arapov - please reconfirm. Needs a second OMC approval.
Merged. Thank you.
3.0.9 has been validated so should be in the table of validated versions on the download page.

Reviewed-by: Anton Arapov <anton@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #467)