From f22896a2ee674a59facbd51a9a2744703a5a7308 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 14 Mar 2022 16:34:55 +0000 Subject: [PATCH] Update CHANGES/NEWS for new release Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell --- CHANGES | 29 +++++++++++++++++++++++++++++ NEWS | 3 ++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index ca60f359c90..a455201f522 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,35 @@ Changes between 1.1.1m and 1.1.1n [xx XXX xxxx] + *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever + for non-prime moduli. + + Internally this function is used when parsing certificates that contain + elliptic curve public keys in compressed form or explicit elliptic curve + parameters with a base point encoded in compressed form. + + It is possible to trigger the infinite loop by crafting a certificate that + has invalid explicit curve parameters. + + Since certificate parsing happens prior to verification of the certificate + signature, any process that parses an externally supplied certificate may + thus be subject to a denial of service attack. The infinite loop can also + be reached when parsing crafted private keys as they can contain explicit + elliptic curve parameters. + + Thus vulnerable situations include: + + - TLS clients consuming server certificates + - TLS servers consuming client certificates + - Hosting providers taking certificates or private keys from customers + - Certificate authorities parsing certification requests from subscribers + - Anything else which parses ASN.1 elliptic curve parameters + + Also any other applications that use the BN_mod_sqrt() where the attacker + can control the parameter values are vulnerable to this DoS issue. + (CVE-2022-0778) + [Tomáš Mráz] + *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3. 
diff --git a/NEWS b/NEWS index a10c981491b..8ba42afa3df 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,8 @@ Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [under development] - o + o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop + forever for non-prime moduli ([CVE-2022-0778]) Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021] -- 2.47.2
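Review bot: In the CHANGES hunk, the new entry lists the situations that are exposed but never says how BN_mod_sqrt() behaves after the fix when it is given a non-prime modulus. The last paragraph tells direct callers they are affected, so a closing sentence stating the caller-visible result (for example, whether the call now fails with an error) would tell them what to handle. In that same paragraph, "use the BN_mod_sqrt() where" has a stray article; "Any other application that calls BN_mod_sqrt() with attacker-controlled parameter values is also vulnerable" reads more cleanly.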
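Review bot: In the NEWS hunk, the added item cites the issue as "([CVE-2022-0778])" while the CHANGES entry in this same patch writes "(CVE-2022-0778)". The square brackets read like a link reference, but no target for it is defined in the visible lines, so either drop the brackets or add the reference. The item also leaves out the impact: CHANGES makes clear this is a denial of service reachable by parsing a crafted certificate or private key before signature verification, and a short clause saying so would help readers who only scan NEWS to decide how urgently to upgrade.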