| Commit | Line | Data |
|---|---|---|
| 81a6c781 | 1 | |
| f1c236f8 | 2 | OpenSSL CHANGES |
| 651d0aff RE | 3 | _______________ |
| | 4 | |
| ba442a7e MC | 5 | Changes between 0.9.8ze and 0.9.8zf [xx XXX xxxx] |
| | 6 | |
| c85c1e08 KR | 7 | *) Removed the export and SSLv2 ciphers from the DEFAULT ciphers |
| | 8 | [Kurt Roeckx] |
| ba442a7e | 9 | |
| e8ccaee3 | 10 | Changes between 0.9.8zd and 0.9.8ze [15 Jan 2015] |
| bc253b09 | 11 | |
| 346a46f0 MC | 12 | *) Build fixes for the Windows and OpenVMS platforms |
| | 13 | [Matt Caswell and Richard Levitte] |
| bc253b09 | 14 | |
| b873409e | 15 | Changes between 0.9.8zc and 0.9.8zd [8 Jan 2015] |
| 94f735ca | 16 | |
| 1dc6a544 MC | 17 | *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS |
| | 18 | message can cause a segmentation fault in OpenSSL due to a NULL pointer |
| | 19 | dereference. This could lead to a Denial Of Service attack. Thanks to |
| | 20 | Markus Stenberg of Cisco Systems, Inc. for reporting this issue. |
| | 21 | (CVE-2014-3571) |
| | 22 | [Steve Henson] |
| | 23 | |
| | 24 | *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is |
| | 25 | built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl |
| | 26 | method would be set to NULL which could later result in a NULL pointer |
| | 27 | dereference. Thanks to Frank Schmirler for reporting this issue. |
| | 28 | (CVE-2014-3569) |
| | 29 | [Kurt Roeckx] |
| | 30 | |
| e42a2aba DSH | 31 | *) Abort handshake if server key exchange message is omitted for ephemeral |
| | 32 | ECDH ciphersuites. |
| | 33 | |
| 9c6c6640 DSH | 34 | Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for |
| | 35 | reporting this issue. |
| e42a2aba DSH | 36 | (CVE-2014-3572) |
| | 37 | [Steve Henson] |
| | 38 | |
| 72f18153 DSH | 39 | *) Remove non-export ephemeral RSA code on client and server. This code |
| | 40 | violated the TLS standard by allowing the use of temporary RSA keys in |
| | 41 | non-export ciphersuites and could be used by a server to effectively |
| | 42 | downgrade the RSA key length used to a value smaller than the server |
| 9c6c6640 DSH | 43 | certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at |
| | 44 | INRIA for reporting this issue. |
| 72f18153 DSH | 45 | (CVE-2015-0204) |
| | 46 | [Steve Henson] |
| | 47 | |
| ec2fede9 DSH | 48 | *) Fix various certificate fingerprint issues. |
| | 49 | |
| | 50 | By using non-DER or invalid encodings outside the signed portion of a |
| | 51 | certificate the fingerprint can be changed without breaking the signature. |
| | 52 | Although no details of the signed portion of the certificate can be changed |
| | 53 | this can cause problems with some applications: e.g. those using the |
| | 54 | certificate fingerprint for blacklists. |
| | 55 | |
| | 56 | 1. Reject signatures with non-zero unused bits. |
| | 57 | |
| | 58 | If the BIT STRING containing the signature has non-zero unused bits reject |
| | 59 | the signature. All current signature algorithms require zero unused bits. |
| | 60 | |
| | 61 | 2. Check certificate algorithm consistency. |
| | 62 | |
| | 63 | Check the AlgorithmIdentifier inside TBS matches the one in the |
| | 64 | certificate signature. NB: this will result in signature failure |
| | 65 | errors for some broken certificates. |
| | 66 | |
| | 67 | Thanks to Konrad Kraszewski from Google for reporting this issue. |
| | 68 | |
| | 69 | 3. Check DSA/ECDSA signatures use DER. |
| | 70 | |
| | 71 | Reencode DSA/ECDSA signatures and compare with the original received |
| | 72 | signature. Return an error if there is a mismatch. |
| | 73 | |
| | 74 | This will reject various cases including garbage after signature |
| | 75 | (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS |
| | 76 | program for discovering this case) and use of BER or invalid ASN.1 INTEGERs |
| | 77 | (negative or with leading zeroes). |
| | 78 | |
| | 79 | Further analysis was conducted and fixes were developed by Stephen Henson |
| | 80 | of the OpenSSL core team. |
| | 81 | |
| | 82 | (CVE-2014-8275) |
| | 83 | [Steve Henson] |
| 94f735ca | 84 | |
| 1dc6a544 MC | 85 | *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect |
| | 86 | results on some platforms, including x86_64. This bug occurs at random |
| | 87 | with a very low probability, and is not known to be exploitable in any |
| | 88 | way, though its exact impact is difficult to determine. Thanks to Pieter |
| | 89 | Wuille (Blockstream) who reported this issue and also suggested an initial |
| | 90 | fix. Further analysis was conducted by the OpenSSL development team and |
| | 91 | Adam Langley of Google. The final fix was developed by Andy Polyakov of |
| | 92 | the OpenSSL core team. |
| | 93 | (CVE-2014-3570) |
| | 94 | [Andy Polyakov] |
| | 95 | |
| 36216218 | 96 | Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014] |
| 4ff07f4c | 97 | |
| 4d2efa29 MC | 98 | *) Session Ticket Memory Leak. |
| | 99 | |
| | 100 | When an OpenSSL SSL/TLS/DTLS server receives a session ticket the |
| | 101 | integrity of that ticket is first verified. In the event of a session |
| | 102 | ticket integrity check failing, OpenSSL will fail to free memory |
| | 103 | causing a memory leak. By sending a large number of invalid session |
| | 104 | tickets an attacker could exploit this issue in a Denial Of Service |
| | 105 | attack. |
| | 106 | (CVE-2014-3567) |
| | 107 | [Steve Henson] |
| | 108 | |
| | 109 | *) Build option no-ssl3 is incomplete. |
| | 110 | |
| | 111 | When OpenSSL is configured with "no-ssl3" as a build option, servers |
| | 112 | could accept and complete an SSL 3.0 handshake, and clients could be |
| | 113 | configured to send them. |
| | 114 | (CVE-2014-3568) |
| | 115 | [Akamai and the OpenSSL team] |
| | 116 | |
| c6a87647 BM | 117 | *) Add support for TLS_FALLBACK_SCSV. |
| | 118 | Client applications doing fallback retries should call |
| | 119 | SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). |
| | 120 | (CVE-2014-3566) |
| | 121 | [Adam Langley, Bodo Moeller] |
| | 122 | |
| 5a7fc893 DSH | 123 | *) Add additional DigestInfo checks. |
| | 124 | |
| | 125 | Reencode DigestInfo in DER and check against the original when |
| | 126 | verifying RSA signature: this will reject any improperly encoded |
| | 127 | DigestInfo structures. |
| | 128 | |
| | 129 | Note: this is a precautionary measure and no attacks are currently known. |
| | 130 | |
| | 131 | [Steve Henson] |
| 4ff07f4c | 132 | |
| 1c5f396d | 133 | Changes between 0.9.8za and 0.9.8zb [6 Aug 2014] |
| 4a1190be | 134 | |
| 9fcaaef3 MC | 135 | *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject |
| | 136 | to a denial of service attack. A malicious server can crash the client |
| | 137 | with a null pointer dereference (read) by specifying an anonymous (EC)DH |
| | 138 | ciphersuite and sending carefully crafted handshake messages. |
| | 139 | |
| | 140 | |
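As an added example (not OpenSSL's own code), the following Python shows the defensive pattern behind items 1 and 3 of the CVE-2014-8275 entry, and the same re-encode-and-compare idea the DigestInfo entry applies to RSA: reject a signature BIT STRING with non-zero unused bits, parse the ECDSA-Sig-Value leniently, re-encode it in strict DER and fail on any mismatch (trailing garbage, BER lengths, leading zeros, negative INTEGERs). All function names and the sample signatures are constructed for illustration; the parser covers only SEQUENCE/INTEGER, which is all an ECDSA/DSA signature value contains.

```python
def _read_length(buf, pos):  # lenient (BER-tolerant) length read -> (length, next_pos)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _lenient_parse(sig):
    """Tolerant parse of ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }: accepts
    leading zeros, negatives, BER lengths and trailing bytes so they can be re-encoded."""
    if not sig or sig[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    seq_len, pos = _read_length(sig, 1)
    end, ints = pos + seq_len, []
    while pos < end:
        if pos >= len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        ilen, pos = _read_length(sig, pos + 1)
        ints.append(int.from_bytes(sig[pos:pos + ilen], "big", signed=True))
        pos += ilen
    if len(ints) != 2:
        raise ValueError("expected exactly r and s")
    return ints[0], ints[1]

def _der_len(n):  # minimal DER length encoding
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):  # minimal DER INTEGER for v >= 0: a 0x00 pad only when the top bit is set
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def encode_ecdsa_sig(r, s):  # canonical DER ECDSA-Sig-Value
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body

def check_signature_value(bit_string):
    """(ok, reason) for the contents of an X.509 signatureValue BIT STRING: bit_string[0]
    is the unused-bits count (item 1); the rest must be canonical DER (item 3)."""
    if not bit_string or bit_string[0] != 0:
        return False, "non-zero unused bits in signature BIT STRING"
    try:
        r, s = _lenient_parse(bit_string[1:])
    except (ValueError, IndexError) as e:
        return False, "malformed signature: " + str(e)
    if r < 0 or s < 0:
        return False, "negative INTEGER in signature"
    if encode_ecdsa_sig(r, s) != bit_string[1:]:
        return False, "signature is not canonical DER (re-encode mismatch)"
    return True, "ok"
```

Because every non-canonical encoding is rejected, two certificates with the same signed TBS can no longer carry different bytes in the signatureValue, which is what kept the fingerprint stable in the fix described above.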