OpenSSL CHANGES
_______________
+ Changes between 0.9.8zg and 0.9.8zh [xx XXX xxxx]
+
+ *)
+
+ Changes between 0.9.8zf and 0.9.8zg [11 Jun 2015]
+
+ *) Malformed ECParameters causes infinite loop
+
+ When processing an ECParameters structure OpenSSL enters an infinite loop
+ if the curve specified is over a specially malformed binary polynomial
+ field.
+
+ This can be used to perform denial of service against any
+ system which processes public keys, certificate requests or
+ certificates. This includes TLS clients and TLS servers with
+ client authentication enabled.
+
+ This issue was reported to OpenSSL by Joseph Barr-Pixton.
+ (CVE-2015-1788)
+ [Andy Polyakov]
+
+ *) Exploitable out-of-bounds read in X509_cmp_time
+
+ X509_cmp_time does not properly check the length of the ASN1_TIME
+ string and can read a few bytes out of bounds. In addition,
+ X509_cmp_time accepts an arbitrary number of fractional seconds in the
+ time string.
+
+ An attacker can use this to craft malformed certificates and CRLs of
+ various sizes and potentially cause a segmentation fault, resulting in
+ a DoS on applications that verify certificates or CRLs. TLS clients
+ that verify CRLs are affected. TLS clients and servers with client
+ authentication enabled may be affected if they use custom verification
+ callbacks.
+
+ This issue was reported to OpenSSL by Robert Swiecki (Google), and
+ independently by Hanno Böck.
+ (CVE-2015-1789)
+ [Emilia Käsper]
+
+ *) PKCS7 crash with missing EnvelopedContent
+
+ The PKCS#7 parsing code does not handle missing inner EncryptedContent
+ correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
+ with missing content and trigger a NULL pointer dereference on parsing.
+
+ Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
+ structures from untrusted sources are affected. OpenSSL clients and
+ servers are not affected.
+
+ This issue was reported to OpenSSL by Michal Zalewski (Google).
+ (CVE-2015-1790)
+ [Emilia Käsper]
+
+ *) CMS verify infinite loop with unknown hash function
+
+ When verifying a signedData message the CMS code can enter an infinite loop
+ if presented with an unknown hash function OID. This can be used to perform
+ denial of service against any system which verifies signedData messages using
+ the CMS code.
+ This issue was reported to OpenSSL by Johannes Bauer.
+ (CVE-2015-1792)
+ [Stephen Henson]
+
+ *) Race condition handling NewSessionTicket
+
+ If a NewSessionTicket is received by a multi-threaded client when attempting to
+ reuse a previous ticket then a race condition can occur potentially leading to
+ a double free of the ticket data.
+ (CVE-2015-1791)
+ [Matt Caswell]
+
+ Changes between 0.9.8ze and 0.9.8zf [19 Mar 2015]
+
+ *) Segmentation fault in ASN1_TYPE_cmp fix
+
+ The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
+ made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
+ certificate signature algorithm consistency this can be used to crash any
+ certificate verification operation and exploited in a DoS attack. Any
+ application which performs certificate verification is vulnerable including
+ OpenSSL clients and servers which enable client authentication.
+ (CVE-2015-0286)
+ [Stephen Henson]
+
+ *) ASN.1 structure reuse memory corruption fix
+
+ Reusing a structure in ASN.1 parsing may allow an attacker to cause
+ memory corruption via an invalid write. Such reuse is and has been
+ strongly discouraged and is believed to be rare.
+
+ Applications that parse structures containing CHOICE or ANY DEFINED BY
+ components may be affected. Certificate parsing (d2i_X509 and related
+ functions) are however not affected. OpenSSL clients and servers are
+ not affected.
+ (CVE-2015-0287)
+ [Stephen Henson]
+
+ *) PKCS7 NULL pointer dereferences fix
+
+ The PKCS#7 parsing code does not handle missing outer ContentInfo
+ correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
+ missing content and trigger a NULL pointer dereference on parsing.
+
+ Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
+ otherwise parse PKCS#7 structures from untrusted sources are
+ affected. OpenSSL clients and servers are not affected.
+
+ This issue was reported to OpenSSL by Michal Zalewski (Google).
+ (CVE-2015-0289)
+ [Emilia Käsper]
+
+ *) DoS via reachable assert in SSLv2 servers fix
+
+ A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
+ servers that both support SSLv2 and enable export cipher suites by sending
+ a specially crafted SSLv2 CLIENT-MASTER-KEY message.
+
+ This issue was discovered by Sean Burford (Google) and Emilia Käsper
+ (OpenSSL development team).
+ (CVE-2015-0293)
+ [Emilia Käsper]
+
+ *) Use After Free following d2i_ECPrivatekey error fix
+
+ A malformed EC private key file consumed via the d2i_ECPrivateKey function
+ could cause a use after free condition. This, in turn, could cause a double
+ free in several private key parsing functions (such as d2i_PrivateKey
+ or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
+ for applications that receive EC private keys from untrusted
+ sources. This scenario is considered rare.
+
+ This issue was discovered by the BoringSSL project and fixed in their
+ commit 517073cd4b.
+ (CVE-2015-0209)
+ [Matt Caswell]
+
+ *) X509_to_X509_REQ NULL pointer deref fix
+
+ The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+ the certificate key is invalid. This function is rarely used in practice.
+
+ This issue was discovered by Brian Carpenter.
+ (CVE-2015-0288)
+ [Stephen Henson]
+
+ *) Removed the export and SSLv2 ciphers from the DEFAULT ciphers
+ [Kurt Roeckx]
+
+ Changes between 0.9.8zd and 0.9.8ze [15 Jan 2015]
+
+ *) Build fixes for the Windows and OpenVMS platforms
+ [Matt Caswell and Richard Levitte]
+
+ Changes between 0.9.8zc and 0.9.8zd [8 Jan 2015]
+
+ *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+ message can cause a segmentation fault in OpenSSL due to a NULL pointer
+ dereference. This could lead to a Denial Of Service attack. Thanks to
+ Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+ (CVE-2014-3571)
+ [Steve Henson]
+
+ *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+ built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+ method would be set to NULL which could later result in a NULL pointer
+ dereference. Thanks to Frank Schmirler for reporting this issue.
+ (CVE-2014-3569)
+ [Kurt Roeckx]
+
+ *) Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
+
+ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+ reporting this issue.
+ (CVE-2014-3572)
+ [Steve Henson]
+
+ *) Remove non-export ephemeral RSA code on client and server. This code
+ violated the TLS standard by allowing the use of temporary RSA keys in
+ non-export ciphersuites and could be used by a server to effectively
+ downgrade the RSA key length used to a value smaller than the server
+ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+ INRIA or reporting this issue.
+ (CVE-2015-0204)
+ [Steve Henson]
+
+ *) Fix various certificate fingerprint issues.
+
+ By using non-DER or invalid encodings outside the signed portion of a
+ certificate the fingerprint can be changed without breaking the signature.
+ Although no details of the signed portion of the certificate can be changed
+ this can cause problems with some applications: e.g. those using the
+ certificate fingerprint for blacklists.
+
+ 1. Reject signatures with non zero unused bits.
+
+ If the BIT STRING containing the signature has non zero unused bits reject
+ the signature. All current signature algorithms require zero unused bits.
+
+ 2. Check certificate algorithm consistency.
+
+ Check the AlgorithmIdentifier inside TBS matches the one in the
+ certificate signature. NB: this will result in signature failure
+ errors for some broken certificates.
+
+ Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+ 3. Check DSA/ECDSA signatures use DER.
+
+ Reencode DSA/ECDSA signatures and compare with the original received
+ signature. Return an error if there is a mismatch.
+
+ This will reject various cases including garbage after signature
+ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+ (negative or with leading zeroes).
+
+ Further analysis was conducted and fixes were developed by Stephen Henson
+ of the OpenSSL core team.
+
+ (CVE-2014-8275)
+ [Steve Henson]
+
+ *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+ results on some platforms, including x86_64. This bug occurs at random
+ with a very low probability, and is not known to be exploitable in any
+ way, though its exact impact is difficult to determine. Thanks to Pieter
+ Wuille (Blockstream) who reported this issue and also suggested an initial
+ fix. Further analysis was conducted by the OpenSSL development team and
+ Adam Langley of Google. The final fix was developed by Andy Polyakov of
+ the OpenSSL core team.
+ (CVE-2014-3570)
+ [Andy Polyakov]
+
+ Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014]
+
+ *) Session Ticket Memory Leak.
+
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ (CVE-2014-3567)
+ [Steve Henson]
+
+ *) Build option no-ssl3 is incomplete.
+
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ (CVE-2014-3568)
+ [Akamai and the OpenSSL team]
+
+ *) Add support for TLS_FALLBACK_SCSV.
+ Client applications doing fallback retries should call
+ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+ (CVE-2014-3566)
+ [Adam Langley, Bodo Moeller]
+
+ *) Add additional DigestInfo checks.
+
+ Reencode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
+
+ Note: this is a precautionary measure and no attacks are currently known.
+
+ [Steve Henson]
+
+ Changes between 0.9.8za and 0.9.8zb [6 Aug 2014]
+
+ *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+ to a denial of service attack. A malicious server can crash the client
+ with a null pointer dereference (read) by specifying an anonymous (EC)DH
+ ciphersuite and sending carefully crafted handshake messages.
+
+ Thanks to Felix Gröbert (Google) for discovering and researching this
+ issue.
+ (CVE-2014-3510)
+ [Emilia Käsper]
+
+ *) By sending carefully crafted DTLS packets an attacker could cause openssl
+ to leak memory. This can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ (CVE-2014-3507)
+ [Adam Langley]
+
+ *) An attacker can force openssl to consume large amounts of memory whilst
+ processing DTLS handshake messages. This can be exploited through a
+ Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ (CVE-2014-3506)
+ [Adam Langley]
+
+ *) An attacker can force an error condition which causes openssl to crash
+ whilst processing DTLS packets due to memory being freed twice. This
+ can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
+ this issue.
+ (CVE-2014-3505)
+ [Adam Langley]
+
+ *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
+ X509_name_oneline, X509_name_print_ex et al. to leak some information
+ from the stack. Applications may be affected if they echo pretty printing
+ output to the attacker.
+
+ Thanks to Ivan Fratric (Google) for discovering this issue.
+ (CVE-2014-3508)
+ [Emilia Käsper, and Steve Henson]
+
+ *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+ [Bodo Moeller]
+
+ Changes between 0.9.8y and 0.9.8za [5 Jun 2014]
+
+ *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+ handshake can force the use of weak keying material in OpenSSL
+ SSL/TLS clients and servers.
+
+ Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+ researching this issue. (CVE-2014-0224)
+ [KIKUCHI Masashi, Steve Henson]
+
+ *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+ OpenSSL DTLS client the code can be made to recurse eventually crashing
+ in a DoS attack.
+
+ Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+ (CVE-2014-0221)
+ [Imre Rad, Steve Henson]
+
+ *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+ be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+ client or server. This is potentially exploitable to run arbitrary
+ code on a vulnerable client or server.
+
+ Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+ [Jüri Aedla, Steve Henson]
+
+ *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+ are subject to a denial of service attack.
+
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+ this issue. (CVE-2014-3470)
+ [Felix Gröbert, Ivan Fratric, Steve Henson]
+
+ *) Fix for the attack described in the paper "Recovering OpenSSL
+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
+ http://eprint.iacr.org/2014/140
+
+ Thanks to Yuval Yarom and Naomi Benger for discovering this
+ flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+ [Yuval Yarom and Naomi Benger]
+
+ Thanks to mancha for backporting the fix to the 0.9.8 branch.
+
+ *) Fix handling of warning-level alerts in SSL23 client mode so they
+ don't cause client-side termination (eg. on SNI unrecognized_name
+ warnings). Add client and server support for six additional alerts
+ per RFC 6066 and RFC 4279.
+ [mancha]
+
+ *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+ avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+ Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
+ several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
+ is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+ 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+ [Rob Stradling, Adam Langley]
+
+ Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ (This is a backport)
+ [Rob Stradling <rob.stradling@comodo.com>]
+
+ *) Fix possible deadlock when decoding public keys.
+ [Steve Henson]
+
Changes between 0.9.8w and 0.9.8x [10 May 2012]
*) Sanity check record length before skipping explicit IV in DTLS
projects / thirdparty / openssl.git / blobdiff