From 28c43df9288c50be6e03ee5b52dfc0e261d9eb60 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 26 Feb 2019 10:21:24 +0000 Subject: [PATCH] Updates CHANGES and NEWS for the new release Reviewed-by: Richard Levitte --- CHANGES | 22 ++++++++++++++++++++++ NEWS | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index bc805bf261..19db7baaeb 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,28 @@ Changes between 1.0.2q and 1.0.2r [xx XXX xxxx] + *) 0-byte record padding oracle + + If an application encounters a fatal protocol error and then calls + SSL_shutdown() twice (once to send a close_notify, and once to receive one) + then OpenSSL can respond differently to the calling application if a 0 byte + record is received with invalid padding compared to if a 0 byte record is + received with an invalid MAC. If the application then behaves differently + based on that in a way that is detectable to the remote peer, then this + amounts to a padding oracle that could be used to decrypt data. + + In order for this to be exploitable "non-stitched" ciphersuites must be in + use. Stitched ciphersuites are optimised implementations of certain + commonly used ciphersuites. Also the application must call SSL_shutdown() + twice even if a protocol error has occurred (applications should not do + this but some do anyway). + + This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod + Aviram, with additional investigation by Steven Collison and Andrew + Hourselt. It was reported to OpenSSL on 10th December 2018. + (CVE-2019-1559) + [Matt Caswell] + *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). [Richard Levitte] diff --git a/NEWS b/NEWS index 566ce438fd..49f4fdd398 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,7 @@ Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [under development] - o + o 0-byte record padding oracle (CVE-2019-1559) Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] -- 2.39.2