OpenSSL CHANGES
_______________
- Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
+ Changes between 0.9.8zc and 0.9.8zd [xx XXX xxxx]
+
+ *)
+
+ Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014]
+
+ *) Session Ticket Memory Leak.
+
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ (CVE-2014-3567)
+ [Steve Henson]
+
+ *) Build option no-ssl3 is incomplete.
+
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ (CVE-2014-3568)
+ [Akamai and the OpenSSL team]
+
+ *) Add support for TLS_FALLBACK_SCSV.
+ Client applications doing fallback retries should call
+ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+ (CVE-2014-3566)
+ [Adam Langley, Bodo Moeller]
+
+ *) Add additional DigestInfo checks.
+
+ Reencode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
+
+ Note: this is a precautionary measure and no attacks are currently known.
+
+ [Steve Henson]
+
+ Changes between 0.9.8za and 0.9.8zb [6 Aug 2014]
+
+ *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+ to a denial of service attack. A malicious server can crash the client
+ with a null pointer dereference (read) by specifying an anonymous (EC)DH
+ ciphersuite and sending carefully crafted handshake messages.
+
+ Thanks to Felix Gröbert (Google) for discovering and researching this
+ issue.
+ (CVE-2014-3510)
+ [Emilia Käsper]
+
+ *) By sending carefully crafted DTLS packets an attacker could cause openssl
+ to leak memory. This can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ (CVE-2014-3507)
+ [Adam Langley]
+
+ *) An attacker can force openssl to consume large amounts of memory whilst
+ processing DTLS handshake messages. This can be exploited through a
+ Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ (CVE-2014-3506)
+ [Adam Langley]
+
+ *) An attacker can force an error condition which causes openssl to crash
+ whilst processing DTLS packets due to memory being freed twice. This
+ can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
+ this issue.
+ (CVE-2014-3505)
+ [Adam Langley]
+
+ *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
+ X509_name_oneline, X509_name_print_ex et al. to leak some information
+ from the stack. Applications may be affected if they echo pretty printing
+ output to the attacker.
+
+ Thanks to Ivan Fratric (Google) for discovering this issue.
+ (CVE-2014-3508)
+ [Emilia Käsper, and Steve Henson]
+
+ *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+ [Bodo Moeller]
+
+ Changes between 0.9.8y and 0.9.8za [5 Jun 2014]
+
+ *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+ handshake can force the use of weak keying material in OpenSSL
+ SSL/TLS clients and servers.
+
+ Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+ researching this issue. (CVE-2014-0224)
+ [KIKUCHI Masashi, Steve Henson]
+
+ *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+ OpenSSL DTLS client the code can be made to recurse eventually crashing
+ in a DoS attack.
+
+ Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+ (CVE-2014-0221)
+ [Imre Rad, Steve Henson]
+
+ *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+ be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+ client or server. This is potentially exploitable to run arbitrary
+ code on a vulnerable client or server.
+
+ Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+ [Jüri Aedla, Steve Henson]
+
+ *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+ are subject to a denial of service attack.
+
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+ this issue. (CVE-2014-3470)
+ [Felix Gröbert, Ivan Fratric, Steve Henson]
+
+ *) Fix for the attack described in the paper "Recovering OpenSSL
+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
+ http://eprint.iacr.org/2014/140
+
+ Thanks to Yuval Yarom and Naomi Benger for discovering this
+ flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+ [Yuval Yarom and Naomi Benger]
+
+ Thanks to mancha for backporting the fix to the 0.9.8 branch.
+
+ *) Fix handling of warning-level alerts in SSL23 client mode so they
+ don't cause client-side termination (eg. on SNI unrecognized_name
+ warnings). Add client and server support for six additional alerts
+ per RFC 6066 and RFC 4279.
+ [mancha]
+
+ *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+ avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+ Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
+ several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
+ is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+ 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+ [Rob Stradling, Adam Langley]
+
+ Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ (This is a backport)
+ [Rob Stradling <rob.stradling@comodo.com>]
+
+ *) Fix possible deadlock when decoding public keys.
+ [Steve Henson]
+
+ Changes between 0.9.8w and 0.9.8x [10 May 2012]
+
+ *) Sanity check record length before skipping explicit IV in DTLS
+ to fix DoS attack.
+
+ Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+ fuzzing as a service testing platform.
+ (CVE-2012-2333)
+ [Steve Henson]
+
+ *) Initialise tkeylen properly when encrypting CMS messages.
+ Thanks to Solar Designer of Openwall for reporting this issue.
+ [Steve Henson]
+
+ Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
+
+ *) The fix for CVE-2012-2110 did not take into account that the
+ 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
+ int in OpenSSL 0.9.8, making it still vulnerable. Fix by
+ rejecting negative len parameter. (CVE-2012-2131)
+ [Tomas Hoger <thoger@redhat.com>]
+
+ Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
+
+ *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+ BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+ in CRYPTO_realloc_clean.
+
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ (CVE-2012-2110)
+ [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+ Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
+
+ *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
+ in CMS and PKCS7 code. When RSA decryption fails use a random key for
+ content decryption and always return the same error. Note: this attack
+ needs on average 2^20 messages so it only affects automated senders. The
+ old behaviour can be reenabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
+ an MMA defence is not necessary.
+ Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
+ this issue. (CVE-2012-0884)
+ [Steve Henson]
+
+ *) Fix CVE-2011-4619: make sure we really are receiving a
+ client hello before rejecting multiple SGC restarts. Thanks to
+ Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+ [Steve Henson]
+
+ Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
+
+ *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
+ Thanks to Antonio Martin, Enterprise Secure Access Research and
+ Development, Cisco Systems, Inc. for discovering this bug and
+ preparing a fix. (CVE-2012-0050)
+ [Antonio Martin]
+
+ Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
+
+ *) Nadhem Alfardan and Kenny Paterson have discovered an extension
+ of the Vaudenay padding oracle attack on CBC mode encryption
+ which enables an efficient plaintext recovery attack against
+ the OpenSSL implementation of DTLS. Their attack exploits timing
+ differences arising during decryption processing. A research
+ paper describing this attack can be found at:
+ http://www.isg.rhul.ac.uk/~kp/dtls.pdf
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
+ <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
+ for preparing the fix. (CVE-2011-4108)
+ [Robin Seggelmann, Michael Tuexen]
+
+ *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
+ [Ben Laurie, Kasper <ekasper@google.com>]
+
+ *) Clear bytes used for block padding of SSL 3.0 records.
+ (CVE-2011-4576)
+ [Adam Langley (Google)]
+
+ *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
+ Kadianakis <desnacked@gmail.com> for discovering this issue and
+ Adam Langley for preparing the fix. (CVE-2011-4619)
+ [Adam Langley (Google)]
+
+ *) Prevent malformed RFC3779 data triggering an assertion failure.
+ Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
+ and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
+ [Rob Austein <sra@hactrn.net>]
+
+ *) Fix ssl_ciph.c set-up race.
+ [Adam Langley (Google)]
+
+ *) Fix spurious failures in ecdsatest.c.
+ [Emilia Käsper (Google)]
+
+ *) Fix the BIO_f_buffer() implementation (which was mixing different
+ interpretations of the '..._len' fields).
+ [Adam Langley (Google)]
+
+ *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
+ BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
+ threads won't reuse the same blinding coefficients.
+
+ This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
+ lock to call BN_BLINDING_invert_ex, and avoids one use of
+ BN_BLINDING_update for each BN_BLINDING structure (previously,
+ the last update always remained unused).
+ [Emilia Käsper (Google)]
+
+ *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
+ for multi-threaded use of ECDH.
+ [Adam Langley (Google)]
+
+ *) Fix x509_name_ex_d2i memory leak on bad inputs.
+ [Bodo Moeller]
*) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see: