| Commit | Line | Data |
|---|---|---|
| 81a6c781 | 1 | |
| f1c236f8 | 2 | OpenSSL CHANGES |
| 651d0aff RE | 3 | _______________ |
| | 4 | |
| ba442a7e MC | 5 | Changes between 0.9.8ze and 0.9.8zf [xx XXX xxxx] |
| | 6 | |
| | 7 | *) |
| | 8 | |
| e8ccaee3 | 9 | Changes between 0.9.8zd and 0.9.8ze [15 Jan 2015] |
| bc253b09 | 10 | |
| 346a46f0 MC | 11 | *) Build fixes for the Windows and OpenVMS platforms |
| | 12 | [Matt Caswell and Richard Levitte] |
| bc253b09 | 13 | |
| b873409e | 14 | Changes between 0.9.8zc and 0.9.8zd [8 Jan 2015] |
| 94f735ca | 15 | |
| 1dc6a544 MC | 16 | *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS |
| | 17 | message can cause a segmentation fault in OpenSSL due to a NULL pointer |
| | 18 | dereference. This could lead to a Denial Of Service attack. Thanks to |
| | 19 | Markus Stenberg of Cisco Systems, Inc. for reporting this issue. |
| | 20 | (CVE-2014-3571) |
| | 21 | [Steve Henson] |
| | 22 | |
| | 23 | *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is |
| | 24 | built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl |
| | 25 | method would be set to NULL which could later result in a NULL pointer |
| | 26 | dereference. Thanks to Frank Schmirler for reporting this issue. |
| | 27 | (CVE-2014-3569) |
| | 28 | [Kurt Roeckx] |
| | 29 | |
| e42a2aba DSH | 30 | *) Abort handshake if server key exchange message is omitted for ephemeral |
| | 31 | ECDH ciphersuites. |
| | 32 | |
| 9c6c6640 DSH | 33 | Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for |
| | 34 | reporting this issue. |
| e42a2aba DSH | 35 | (CVE-2014-3572) |
| | 36 | [Steve Henson] |
| | 37 | |
| 72f18153 DSH | 38 | *) Remove non-export ephemeral RSA code on client and server. This code |
| | 39 | violated the TLS standard by allowing the use of temporary RSA keys in |
| | 40 | non-export ciphersuites and could be used by a server to effectively |
| | 41 | downgrade the RSA key length used to a value smaller than the server |
| 9c6c6640 DSH | 42 | certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at |
| | 43 | INRIA for reporting this issue. |
| 72f18153 DSH | 44 | (CVE-2015-0204) |
| | 45 | [Steve Henson] |
| | 46 | |
| ec2fede9 DSH | 47 | *) Fix various certificate fingerprint issues. |
| | 48 | |
| | 49 | By using non-DER or invalid encodings outside the signed portion of a |
| | 50 | certificate the fingerprint can be changed without breaking the signature. |
| | 51 | Although no details of the signed portion of the certificate can be changed |
| | 52 | this can cause problems with some applications: e.g. those using the |
| | 53 | certificate fingerprint for blacklists. |
| | 54 | |
| | 55 | 1. Reject signatures with non zero unused bits. |
| | 56 | |
| | 57 | If the BIT STRING containing the signature has non zero unused bits reject |
| | 58 | the signature. All current signature algorithms require zero unused bits. |
| | 59 | |
| | 60 | 2. Check certificate algorithm consistency. |
| | 61 | |
| | 62 | Check the AlgorithmIdentifier inside TBS matches the one in the |
| | 63 | certificate signature. NB: this will result in signature failure |
| | 64 | errors for some broken certificates. |
| | 65 | |
| | 66 | Thanks to Konrad Kraszewski from Google for reporting this issue. |
| | 67 | |
| | 68 | 3. Check DSA/ECDSA signatures use DER. |
| | 69 | |
| | 70 | Reencode DSA/ECDSA signatures and compare with the original received |
| | 71 | signature. Return an error if there is a mismatch. |
| | 72 | |
| | 73 | This will reject various cases including garbage after signature |
| | 74 | (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS |
| | 75 | program for discovering this case) and use of BER or invalid ASN.1 INTEGERs |
| | 76 | (negative or with leading zeroes). |
| | 77 | |
| | 78 | Further analysis was conducted and fixes were developed by Stephen Henson |
| | 79 | of the OpenSSL core team. |
| | 80 | |
| | 81 | (CVE-2014-8275) |
| | 82 | [Steve Henson] |
| 94f735ca | 83 | |
| 1dc6a544 MC | 84 | *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect |
| | 85 | results on some platforms, including x86_64. This bug occurs at random |
| | 86 | with a very low probability, and is not known to be exploitable in any |
| | 87 | way, though its exact impact is difficult to determine. Thanks to Pieter |
| | 88 | Wuille (Blockstream) who reported this issue and also suggested an initial |
| | 89 | fix. Further analysis was conducted by the OpenSSL development team and |
| | 90 | Adam Langley of Google. The final fix was developed by Andy Polyakov of |
| | 91 | the OpenSSL core team. |
| | 92 | (CVE-2014-3570) |
| | 93 | [Andy Polyakov] |
| | 94 | |
| 36216218 | 95 | Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014] |
| 4ff07f4c | 96 | |
| 4d2efa29 MC | 97 | *) Session Ticket Memory Leak. |
| | 98 | |
| | 99 | When an OpenSSL SSL/TLS/DTLS server receives a session ticket the |
| | 100 | integrity of that ticket is first verified. In the event of a session |
| | 101 | ticket integrity check failing, OpenSSL will fail to free memory |
| | 102 | causing a memory leak. By sending a large number of invalid session |
| | 103 | tickets an attacker could exploit this issue in a Denial Of Service |
| | 104 | attack. |
| | 105 | (CVE-2014-3567) |
| | 106 | [Steve Henson] |
| | 107 | |
| | 108 | *) Build option no-ssl3 is incomplete. |
| | 109 | |
| | 110 | When OpenSSL is configured with "no-ssl3" as a build option, servers |
| | 111 | could accept and complete a SSL 3.0 handshake, and clients could be |
| | 112 | configured to send them. |
| | 113 | (CVE-2014-3568) |
| | 114 | [Akamai and the OpenSSL team] |
| | 115 | |
| c6a87647 BM | 116 | *) Add support for TLS_FALLBACK_SCSV. |
| | 117 | Client applications doing fallback retries should call |
| | 118 | SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). |
| | 119 | (CVE-2014-3566) |
| | 120 | [Adam Langley, Bodo Moeller] |
| | 121 | |
| 5a7fc893 DSH | 122 | *) Add additional DigestInfo checks. |
| | 123 | |
| | 124 | Reencode DigestInfo in DER and check against the original when |
| | 125 | verifying RSA signature: this will reject any improperly encoded |
| | 126 | DigestInfo structures. |
| | 127 | |
| | 128 | Note: this is a precautionary measure and no attacks are currently known. |
| | 129 | |
| | 130 | [Steve Henson] |
| 4ff07f4c | 131 | |
| 1c5f396d | 132 | Changes between 0.9.8za and 0.9.8zb [6 Aug 2014] |
| 4a1190be | 133 | |
| 9fcaaef3 MC | 134 | *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject |
| | 135 | to a denial of service attack. A malicious server can crash the client |
| | 136 | with a null pointer dereference (read) by specifying an anonymous (EC)DH |
| | 137 | ciphersuite and sending carefully crafted handshake messages. |
| | 138 | |
| | 139 | |
5a7fc893 DSH |
122 | *) Add additional DigestInfo checks. |
123 | ||
124 | Reencode DigestInto in DER and check against the original when | |
125 | verifying RSA signature: this will reject any improperly encoded | |
126 | DigestInfo structures. | |
127 | ||
128 | Note: this is a precautionary measure and no attacks are currently known. | |
129 | ||
130 | [Steve Henson] | |
4ff07f4c | 131 | |
1c5f396d | 132 | Changes between 0.9.8za and 0.9.8zb [6 Aug 2014] |
4a1190be | 133 | |
9fcaaef3 MC |
134 | *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject |
135 | to a denial of service attack. A malicious server can crash the client | |
136 | with a null pointer dereference (read) by specifying an anonymous (EC)DH | |
137 | ciphersuite and sending carefully crafted handshake messages. | |
138 | ||
139 |