Commit | Line | Data
---|---|---
81a6c781 | 1 |
f1c236f8 | 2 | OpenSSL CHANGES
651d0aff RE | 3 | _______________
 | 4 |
3a9a0321 MC | 5 | Changes between 1.0.1l and 1.0.1m [xx XXX xxxx]
 | 6 |
 | 7 | *)
 | 8 |
b83ceba7 | 9 | Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
8437225d | 10 |
583f0bc4 MC | 11 | *) Build fixes for the Windows and OpenVMS platforms
 | 12 | [Matt Caswell and Richard Levitte]
8437225d | 13 |
b4a57c4c | 14 | Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
e356ac5c | 15 |
e02863b5 MC | 16 | *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
 | 17 | message can cause a segmentation fault in OpenSSL due to a NULL pointer
 | 18 | dereference. This could lead to a Denial Of Service attack. Thanks to
 | 19 | Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
 | 20 | (CVE-2014-3571)
 | 21 | [Steve Henson]
 | 22 |
 | 23 | *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
 | 24 | dtls1_buffer_record function under certain conditions. In particular this
 | 25 | could occur if an attacker sent repeated DTLS records with the same
 | 26 | sequence number but for the next epoch. The memory leak could be exploited
 | 27 | by an attacker in a Denial of Service attack through memory exhaustion.
 | 28 | Thanks to Chris Mueller for reporting this issue.
 | 29 | (CVE-2015-0206)
 | 30 | [Matt Caswell]
 | 31 |
 | 32 | *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
 | 33 | built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
 | 34 | method would be set to NULL which could later result in a NULL pointer
 | 35 | dereference. Thanks to Frank Schmirler for reporting this issue.
 | 36 | (CVE-2014-3569)
 | 37 | [Kurt Roeckx]
 | 38 |
ef28c6d6 DSH | 39 | *) Abort handshake if server key exchange message is omitted for ephemeral
 | 40 | ECDH ciphersuites.
 | 41 |
293c1e22 DSH | 42 | Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
 | 43 | reporting this issue.
ef28c6d6 DSH | 44 | (CVE-2014-3572)
 | 45 | [Steve Henson]
 | 46 |
37580f43 DSH | 47 | *) Remove non-export ephemeral RSA code on client and server. This code
 | 48 | violated the TLS standard by allowing the use of temporary RSA keys in
 | 49 | non-export ciphersuites and could be used by a server to effectively
 | 50 | downgrade the RSA key length used to a value smaller than the server
293c1e22 DSH | 51 | certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
 | 52 | INRIA for reporting this issue.
37580f43 DSH | 53 | (CVE-2015-0204)
 | 54 | [Steve Henson]
 | 55 |
e02863b5 MC | 56 | *) Fixed issue where DH client certificates are accepted without verification.
 | 57 | An OpenSSL server will accept a DH certificate for client authentication
 | 58 | without the certificate verify message. This effectively allows a client to
 | 59 | authenticate without the use of a private key. This only affects servers
 | 60 | which trust a client certificate authority which issues certificates
 | 61 | containing DH keys: these are extremely rare and hardly ever encountered.
 | 62 | Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
 | 63 | this issue.
 | 64 | (CVE-2015-0205)
 | 65 | [Steve Henson]
 | 66 |
2357cd2e AL | 67 | *) Ensure that the session ID context of an SSL is updated when its
 | 68 | SSL_CTX is updated via SSL_set_SSL_CTX.
 | 69 |
 | 70 | The session ID context is typically set from the parent SSL_CTX,
 | 71 | and can vary with the CTX.
 | 72 | [Adam Langley]
 | 73 |
a8565530 DSH | 74 | *) Fix various certificate fingerprint issues.
 | 75 |
 | 76 | By using non-DER or invalid encodings outside the signed portion of a
 | 77 | certificate the fingerprint can be changed without breaking the signature.
 | 78 | Although no details of the signed portion of the certificate can be changed
 | 79 | this can cause problems with some applications: e.g. those using the
 | 80 | certificate fingerprint for blacklists.
 | 81 |
 | 82 | 1. Reject signatures with non zero unused bits.
 | 83 |
 | 84 | If the BIT STRING containing the signature has non zero unused bits reject
 | 85 | the signature. All current signature algorithms require zero unused bits.
 | 86 |
 | 87 | 2. Check certificate algorithm consistency.
 | 88 |
 | 89 | Check the AlgorithmIdentifier inside TBS matches the one in the
 | 90 | certificate signature. NB: this will result in signature failure
 | 91 | errors for some broken certificates.
 | 92 |
 | 93 | Thanks to Konrad Kraszewski from Google for reporting this issue.
 | 94 |
 | 95 | 3. Check DSA/ECDSA signatures use DER.
 | 96 |
 | 97 | Reencode DSA/ECDSA signatures and compare with the original received
 | 98 | signature. Return an error if there is a mismatch.
 | 99 |
 | 100 | This will reject various cases including garbage after signature
 | 101 | (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
 | 102 | program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
 | 103 | (negative or with leading zeroes).
 | 104 |
 | 105 | Further analysis was conducted and fixes were developed by Stephen Henson
 | 106 | of the OpenSSL core team.
 | 107 |
 | 108 | (CVE-2014-8275)
 | 109 | [Steve Henson]
 | 110 |
e02863b5 MC | 111 | *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
 | 112 | results on some platforms, including x86_64. This bug occurs at random
 | 113 | with a very low probability, and is not known to be exploitable in any
 | 114 | way, though its exact impact is difficult to determine. Thanks to Pieter
 | 115 | Wuille (Blockstream) who reported this issue and also suggested an initial
 | 116 | fix. Further analysis was conducted by the OpenSSL development team and
 | 117 | Adam Langley of Google. The final fix was developed by Andy Polyakov of
 | 118 | the OpenSSL core team.
 | 119 | (CVE-2014-3570)
 | 120 | [Andy Polyakov]
 | 121 |
7fc5f4f1 DB | 122 | *) Do not resume sessions on the server if the negotiated protocol
 | 123 | version does not match the session's version. Resuming with a different
 | 124 | version, while not strictly forbidden by the RFC, is of questionable
 | 125 | sanity and breaks all known clients.
 | 126 |
e02863b5 MC |
111 | *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect |
112 | results on some platforms, including x86_64. This bug occurs at random | |
113 | with a very low probability, and is not known to be exploitable in any | |
114 | way, though its exact impact is difficult to determine. Thanks to Pieter | |
115 | Wuille (Blockstream) who reported this issue and also suggested an initial | |
116 | fix. Further analysis was conducted by the OpenSSL development team and | |
117 | Adam Langley of Google. The final fix was developed by Andy Polyakov of | |
118 | the OpenSSL core team. | |
119 | (CVE-2014-3570) | |
120 | [Andy Polyakov] | |
121 | ||
7fc5f4f1 DB |
122 | *) Do not resume sessions on the server if the negotiated protocol |
123 | version does not match the session's version. Resuming with a different | |
124 | version, while not strictly forbidden by the RFC, is of questionable | |
125 | sanity and breaks all known clients. | |
126 |