|
2 | 2 | OpenSSL CHANGES |
3 | 3 | _______________ |
4 | 4 |
|
| 5 | + Changes between 1.0.1l and 1.0.1m [19 Mar 2015] |
| 6 | + |
| 7 | + *) Segmentation fault in ASN1_TYPE_cmp fix |
| 8 | + |
| 9 | + The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is |
| 10 | + made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check |
| 11 | + certificate signature algorithm consistency this can be used to crash any |
| 12 | + certificate verification operation and exploited in a DoS attack. Any |
| 13 | + application which performs certificate verification is vulnerable including |
| 14 | + OpenSSL clients and servers which enable client authentication. |
| 15 | + (CVE-2015-0286) |
| 16 | + [Stephen Henson] |
| 17 | + |
| 18 | + *) ASN.1 structure reuse memory corruption fix |
| 19 | + |
| 20 | + Reusing a structure in ASN.1 parsing may allow an attacker to cause |
| 21 | + memory corruption via an invalid write. Such reuse is and has been |
| 22 | + strongly discouraged and is believed to be rare. |
| 23 | + |
| 24 | + Applications that parse structures containing CHOICE or ANY DEFINED BY |
| 25 | + components may be affected. Certificate parsing (d2i_X509 and related |
| 26 | + functions) are however not affected. OpenSSL clients and servers are |
| 27 | + not affected. |
| 28 | + (CVE-2015-0287) |
| 29 | + [Stephen Henson] |
| 30 | + |
| 31 | + *) PKCS7 NULL pointer dereferences fix |
| 32 | + |
| 33 | + The PKCS#7 parsing code does not handle missing outer ContentInfo |
| 34 | + correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with |
| 35 | + missing content and trigger a NULL pointer dereference on parsing. |
| 36 | + |
| 37 | + Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or |
| 38 | + otherwise parse PKCS#7 structures from untrusted sources are |
| 39 | + affected. OpenSSL clients and servers are not affected. |
| 40 | + |
| 41 | + This issue was reported to OpenSSL by Michal Zalewski (Google). |
| 42 | + (CVE-2015-0289) |
| 43 | + [Emilia K�sper] |
| 44 | + |
| 45 | + *) DoS via reachable assert in SSLv2 servers fix |
| 46 | + |
| 47 | + A malicious client can trigger an OPENSSL_assert (i.e., an abort) in |
| 48 | + servers that both support SSLv2 and enable export cipher suites by sending |
| 49 | + a specially crafted SSLv2 CLIENT-MASTER-KEY message. |
| 50 | + |
| 51 | + This issue was discovered by Sean Burford (Google) and Emilia K�sper |
| 52 | + (OpenSSL development team). |
| 53 | + (CVE-2015-0293) |
| 54 | + [Emilia K�sper] |
| 55 | + |
| 56 | + *) Use After Free following d2i_ECPrivatekey error fix |
| 57 | + |
| 58 | + A malformed EC private key file consumed via the d2i_ECPrivateKey function |
| 59 | + could cause a use after free condition. This, in turn, could cause a double |
| 60 | + free in several private key parsing functions (such as d2i_PrivateKey |
| 61 | + or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption |
| 62 | + for applications that receive EC private keys from untrusted |
| 63 | + sources. This scenario is considered rare. |
| 64 | + |
| 65 | + This issue was discovered by the BoringSSL project and fixed in their |
| 66 | + commit 517073cd4b. |
| 67 | + (CVE-2015-0209) |
| 68 | + [Matt Caswell] |
| 69 | + |
| 70 | + *) X509_to_X509_REQ NULL pointer deref fix |
| 71 | + |
| 72 | + The function X509_to_X509_REQ will crash with a NULL pointer dereference if |
| 73 | + the certificate key is invalid. This function is rarely used in practice. |
| 74 | + |
| 75 | + This issue was discovered by Brian Carpenter. |
| 76 | + (CVE-2015-0288) |
| 77 | + [Stephen Henson] |
| 78 | + |
| 79 | + *) Removed the export ciphers from the DEFAULT ciphers |
| 80 | + [Kurt Roeckx] |
| 81 | + |
5 | 82 | Changes between 1.0.1k and 1.0.1l [15 Jan 2015] |
6 | 83 |
|
7 | 84 | *) Build fixes for the Windows and OpenVMS platforms |
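Review bot: the headline of the CVE-2015-0209 entry reads "d2i_ECPrivatekey" while its own body (and the real function) uses "d2i_ECPrivateKey"; make the heading "Use After Free following d2i_ECPrivateKey error fix" so a reader grepping for the function name finds the entry. Two smaller points in the same block: the final entry "Removed the export ciphers from the DEFAULT ciphers" gives no rationale and no compatibility note, and since the CVE-2015-0293 entry above it scopes that assert to servers that "both support SSLv2 and enable export cipher suites", it would help to say that applications which still need export suites must now name them explicitly in their cipher string and that doing so reopens that exposure; and the "Emilia K�sper" attribution lines carry the same non-UTF-8 byte as the existing entries further down, so the new lines match the file's current encoding, but whoever eventually converts the file should fix all occurrences together.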
|
771 | 848 | Add command line options to s_client/s_server. |
772 | 849 | [Steve Henson] |
773 | 850 |
|
774 | | - Changes between 1.0.0j and 1.0.0k [5 Feb 2013] |
775 | | - |
776 | | - *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. |
777 | | - |
778 | | - This addresses the flaw in CBC record processing discovered by |
779 | | - Nadhem Alfardan and Kenny Paterson. Details of this attack can be found |
780 | | - at: http://www.isg.rhul.ac.uk/tls/ |
781 | | - |
782 | | - Thanks go to Nadhem Alfardan and Kenny Paterson of the Information |
783 | | - Security Group at Royal Holloway, University of London |
784 | | - (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and |
785 | | - Emilia K�sper for the initial patch. |
786 | | - (CVE-2013-0169) |
787 | | - [Emilia K�sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] |
788 | | - |
789 | | - *) Return an error when checking OCSP signatures when key is NULL. |
790 | | - This fixes a DoS attack. (CVE-2013-0166) |
791 | | - [Steve Henson] |
792 | | - |
793 | | - *) Call OCSP Stapling callback after ciphersuite has been chosen, so |
794 | | - the right response is stapled. Also change SSL_get_certificate() |
795 | | - so it returns the certificate actually sent. |
796 | | - See http://rt.openssl.org/Ticket/Display.html?id=2836. |
797 | | - (This is a backport) |
798 | | - [Rob Stradling <rob.stradling@comodo.com>] |
799 | | - |
800 | | - *) Fix possible deadlock when decoding public keys. |
801 | | - [Steve Henson] |
802 | | - |
803 | | - Changes between 1.0.0i and 1.0.0j [10 May 2012] |
804 | | - |
805 | | - [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after |
806 | | - OpenSSL 1.0.1.] |
807 | | - |
808 | | - *) Sanity check record length before skipping explicit IV in DTLS |
809 | | - to fix DoS attack. |
810 | | - |
811 | | - Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic |
812 | | - fuzzing as a service testing platform. |
813 | | - (CVE-2012-2333) |
814 | | - [Steve Henson] |
815 | | - |
816 | | - *) Initialise tkeylen properly when encrypting CMS messages. |
817 | | - Thanks to Solar Designer of Openwall for reporting this issue. |
818 | | - [Steve Henson] |
819 | | - |
820 | | - Changes between 1.0.0h and 1.0.0i [19 Apr 2012] |
821 | | - |
822 | | - *) Check for potentially exploitable overflows in asn1_d2i_read_bio |
823 | | - BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer |
824 | | - in CRYPTO_realloc_clean. |
825 | | - |
826 | | - Thanks to Tavis Ormandy, Google Security Team, for discovering this |
827 | | - issue and to Adam Langley <agl@chromium.org> for fixing it. |
828 | | - (CVE-2012-2110) |
829 | | - [Adam Langley (Google), Tavis Ormandy, Google Security Team] |
830 | | - |
831 | 851 | Changes between 1.0.0g and 1.0.0h [12 Mar 2012] |
832 | 852 |
|
833 | 853 | *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness |
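Review bot: this hunk deletes the "[NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after OpenSSL 1.0.1.]" note together with every entry it explains (1.0.0h through 1.0.0k), so the only record in this file of CVE-2013-0169, CVE-2013-0166, CVE-2012-2333 and CVE-2012-2110 under a 1.0.0 release disappears without a trace of why. If the intent is that those releases are not ancestors of 1.0.1 and their fixes are already described under the corresponding 1.0.1 entries, say so in the commit message and consider leaving a one-line pointer in place of the removed block (e.g. "Later 1.0.0 releases are documented in the 1.0.0 branch CHANGES"); otherwise someone auditing this file for a CVE will conclude the fix was never applied on this branch. Note also that the surviving context jumps straight from the 1.0.1-era entries to "Changes between 1.0.0g and 1.0.0h", so the cut is consistent with keeping only the lineage that leads to 1.0.1.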
|
1818 | 1838 | *) Change 'Configure' script to enable Camellia by default. |
1819 | 1839 | [NTT] |
1820 | 1840 |
|
1821 | | - Changes between 0.9.8x and 0.9.8y [5 Feb 2013] |
1822 | | - |
1823 | | - *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. |
1824 | | - |
1825 | | - This addresses the flaw in CBC record processing discovered by |
1826 | | - Nadhem Alfardan and Kenny Paterson. Details of this attack can be found |
1827 | | - at: http://www.isg.rhul.ac.uk/tls/ |
1828 | | - |
1829 | | - Thanks go to Nadhem Alfardan and Kenny Paterson of the Information |
1830 | | - Security Group at Royal Holloway, University of London |
1831 | | - (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and |
1832 | | - Emilia K�sper for the initial patch. |
1833 | | - (CVE-2013-0169) |
1834 | | - [Emilia K�sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] |
1835 | | - |
1836 | | - *) Return an error when checking OCSP signatures when key is NULL. |
1837 | | - This fixes a DoS attack. (CVE-2013-0166) |
1838 | | - [Steve Henson] |
1839 | | - |
1840 | | - *) Call OCSP Stapling callback after ciphersuite has been chosen, so |
1841 | | - the right response is stapled. Also change SSL_get_certificate() |
1842 | | - so it returns the certificate actually sent. |
1843 | | - See http://rt.openssl.org/Ticket/Display.html?id=2836. |
1844 | | - (This is a backport) |
1845 | | - [Rob Stradling <rob.stradling@comodo.com>] |
1846 | | - |
1847 | | - *) Fix possible deadlock when decoding public keys. |
1848 | | - [Steve Henson] |
1849 | | - |
1850 | | - Changes between 0.9.8w and 0.9.8x [10 May 2012] |
1851 | | - |
1852 | | - *) Sanity check record length before skipping explicit IV in DTLS |
1853 | | - to fix DoS attack. |
1854 | | - |
1855 | | - Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic |
1856 | | - fuzzing as a service testing platform. |
1857 | | - (CVE-2012-2333) |
1858 | | - [Steve Henson] |
1859 | | - |
1860 | | - *) Initialise tkeylen properly when encrypting CMS messages. |
1861 | | - Thanks to Solar Designer of Openwall for reporting this issue. |
1862 | | - [Steve Henson] |
1863 | | - |
1864 | | - Changes between 0.9.8v and 0.9.8w [23 Apr 2012] |
1865 | | - |
1866 | | - *) The fix for CVE-2012-2110 did not take into account that the |
1867 | | - 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an |
1868 | | - int in OpenSSL 0.9.8, making it still vulnerable. Fix by |
1869 | | - rejecting negative len parameter. (CVE-2012-2131) |
1870 | | - [Tomas Hoger <thoger@redhat.com>] |
1871 | | - |
1872 | | - Changes between 0.9.8u and 0.9.8v [19 Apr 2012] |
1873 | | - |
1874 | | - *) Check for potentially exploitable overflows in asn1_d2i_read_bio |
1875 | | - BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer |
1876 | | - in CRYPTO_realloc_clean. |
1877 | | - |
1878 | | - Thanks to Tavis Ormandy, Google Security Team, for discovering this |
1879 | | - issue and to Adam Langley <agl@chromium.org> for fixing it. |
1880 | | - (CVE-2012-2110) |
1881 | | - [Adam Langley (Google), Tavis Ormandy, Google Security Team] |
1882 | | - |
1883 | | - Changes between 0.9.8t and 0.9.8u [12 Mar 2012] |
1884 | | - |
1885 | | - *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness |
1886 | | - in CMS and PKCS7 code. When RSA decryption fails use a random key for |
1887 | | - content decryption and always return the same error. Note: this attack |
1888 | | - needs on average 2^20 messages so it only affects automated senders. The |
1889 | | - old behaviour can be reenabled in the CMS code by setting the |
1890 | | - CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where |
1891 | | - an MMA defence is not necessary. |
1892 | | - Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering |
1893 | | - this issue. (CVE-2012-0884) |
1894 | | - [Steve Henson] |
1895 | | - |
1896 | | - *) Fix CVE-2011-4619: make sure we really are receiving a |
1897 | | - client hello before rejecting multiple SGC restarts. Thanks to |
1898 | | - Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug. |
1899 | | - [Steve Henson] |
1900 | | - |
1901 | | - Changes between 0.9.8s and 0.9.8t [18 Jan 2012] |
1902 | | - |
1903 | | - *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. |
1904 | | - Thanks to Antonio Martin, Enterprise Secure Access Research and |
1905 | | - Development, Cisco Systems, Inc. for discovering this bug and |
1906 | | - preparing a fix. (CVE-2012-0050) |
1907 | | - [Antonio Martin] |
1908 | | - |
1909 | | - Changes between 0.9.8r and 0.9.8s [4 Jan 2012] |
1910 | | - |
1911 | | - *) Nadhem Alfardan and Kenny Paterson have discovered an extension |
1912 | | - of the Vaudenay padding oracle attack on CBC mode encryption |
1913 | | - which enables an efficient plaintext recovery attack against |
1914 | | - the OpenSSL implementation of DTLS. Their attack exploits timing |
1915 | | - differences arising during decryption processing. A research |
1916 | | - paper describing this attack can be found at: |
1917 | | - http://www.isg.rhul.ac.uk/~kp/dtls.pdf |
1918 | | - Thanks go to Nadhem Alfardan and Kenny Paterson of the Information |
1919 | | - Security Group at Royal Holloway, University of London |
1920 | | - (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann |
1921 | | - <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> |
1922 | | - for preparing the fix. (CVE-2011-4108) |
1923 | | - [Robin Seggelmann, Michael Tuexen] |
1924 | | - |
1925 | | - *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) |
1926 | | - [Ben Laurie, Kasper <ekasper@google.com>] |
1927 | | - |
1928 | | - *) Clear bytes used for block padding of SSL 3.0 records. |
1929 | | - (CVE-2011-4576) |
1930 | | - [Adam Langley (Google)] |
1931 | | - |
1932 | | - *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George |
1933 | | - Kadianakis <desnacked@gmail.com> for discovering this issue and |
1934 | | - Adam Langley for preparing the fix. (CVE-2011-4619) |
1935 | | - [Adam Langley (Google)] |
1936 | | - |
1937 | | - *) Prevent malformed RFC3779 data triggering an assertion failure. |
1938 | | - Thanks to Andrew Chi, BBN Technologies, for discovering the flaw |
1939 | | - and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) |
1940 | | - [Rob Austein <sra@hactrn.net>] |
1941 | | - |
1942 | | - *) Fix ssl_ciph.c set-up race. |
1943 | | - [Adam Langley (Google)] |
1944 | | - |
1945 | | - *) Fix spurious failures in ecdsatest.c. |
1946 | | - [Emilia K�sper (Google)] |
1947 | | - |
1948 | | - *) Fix the BIO_f_buffer() implementation (which was mixing different |
1949 | | - interpretations of the '..._len' fields). |
1950 | | - [Adam Langley (Google)] |
1951 | | - |
1952 | | - *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than |
1953 | | - BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent |
1954 | | - threads won't reuse the same blinding coefficients. |
1955 | | - |
1956 | | - This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING |
1957 | | - lock to call BN_BLINDING_invert_ex, and avoids one use of |
1958 | | - BN_BLINDING_update for each BN_BLINDING structure (previously, |
1959 | | - the last update always remained unused). |
1960 | | - [Emilia K�sper (Google)] |
1961 | | - |
1962 | | - *) Fix SSL memory handling for (EC)DH ciphersuites, in particular |
1963 | | - for multi-threaded use of ECDH. |
1964 | | - [Adam Langley (Google)] |
1965 | | - |
1966 | | - *) Fix x509_name_ex_d2i memory leak on bad inputs. |
1967 | | - [Bodo Moeller] |
1968 | | - |
1969 | | - *) Add protection against ECDSA timing attacks as mentioned in the paper |
1970 | | - by Billy Bob Brumley and Nicola Tuveri, see: |
1971 | | - |
1972 | | - http://eprint.iacr.org/2011/232.pdf |
1973 | | - |
1974 | | - [Billy Bob Brumley and Nicola Tuveri] |
1975 | | - |
1976 | | - Changes between 0.9.8q and 0.9.8r [8 Feb 2011] |
1977 | | - |
1978 | | - *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 |
1979 | | - [Neel Mehta, Adam Langley, Bodo Moeller (Google)] |
1980 | | - |
1981 | | - *) Fix bug in string printing code: if *any* escaping is enabled we must |
1982 | | - escape the escape character (backslash) or the resulting string is |
1983 | | - ambiguous. |
1984 | | - [Steve Henson] |
1985 | | - |
1986 | | - Changes between 0.9.8p and 0.9.8q [2 Dec 2010] |
1987 | | - |
1988 | | - *) Disable code workaround for ancient and obsolete Netscape browsers |
1989 | | - and servers: an attacker can use it in a ciphersuite downgrade attack. |
1990 | | - Thanks to Martin Rex for discovering this bug. CVE-2010-4180 |
1991 | | - [Steve Henson] |
1992 | | - |
1993 | | - *) Fixed J-PAKE implementation error, originally discovered by |
1994 | | - Sebastien Martini, further info and confirmation from Stefan |
1995 | | - Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 |
1996 | | - [Ben Laurie] |
1997 | | - |
1998 | | - Changes between 0.9.8o and 0.9.8p [16 Nov 2010] |
1999 | | - |
2000 | | - *) Fix extension code to avoid race conditions which can result in a buffer |
2001 | | - overrun vulnerability: resumed sessions must not be modified as they can |
2002 | | - be shared by multiple threads. CVE-2010-3864 |
2003 | | - [Steve Henson] |
2004 | | - |
2005 | | - *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 |
2006 | | - [Steve Henson] |
2007 | | - |
2008 | | - *) Don't reencode certificate when calculating signature: cache and use |
2009 | | - the original encoding instead. This makes signature verification of |
2010 | | - some broken encodings work correctly. |
2011 | | - [Steve Henson] |
2012 | | - |
2013 | | - *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT |
2014 | | - is also one of the inputs. |
2015 | | - [Emilia K�sper <emilia.kasper@esat.kuleuven.be> (Google)] |
2016 | | - |
2017 | | - *) Don't repeatedly append PBE algorithms to table if they already exist. |
2018 | | - Sort table on each new add. This effectively makes the table read only |
2019 | | - after all algorithms are added and subsequent calls to PKCS12_pbe_add |
2020 | | - etc are non-op. |
2021 | | - [Steve Henson] |
2022 | | - |
2023 | | - Changes between 0.9.8n and 0.9.8o [01 Jun 2010] |
2024 | | - |
2025 | | - [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after |
2026 | | - OpenSSL 1.0.0.] |
2027 | | - |
2028 | | - *) Correct a typo in the CMS ASN1 module which can result in invalid memory |
2029 | | - access or freeing data twice (CVE-2010-0742) |
2030 | | - [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>] |
2031 | | - |
2032 | | - *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more |
2033 | | - common in certificates and some applications which only call |
2034 | | - SSL_library_init and not OpenSSL_add_all_algorithms() will fail. |
2035 | | - [Steve Henson] |
2036 | | - |
2037 | | - *) VMS fixes: |
2038 | | - Reduce copying into .apps and .test in makevms.com |
2039 | | - Don't try to use blank CA certificate in CA.com |
2040 | | - Allow use of C files from original directories in maketests.com |
2041 | | - [Steven M. Schweda" <sms@antinode.info>] |
2042 | | - |
2043 | 1841 | Changes between 0.9.8m and 0.9.8n [24 Mar 2010] |
2044 | 1842 |
|
2045 | 1843 | *) When rejecting SSL/TLS records due to an incorrect version number, never |
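Review bot: same issue as the 1.0.0 hunk, at larger scale: the removed block starts with the "[NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after OpenSSL 1.0.0.]" note and takes 0.9.8o through 0.9.8y with it, including CVE-2010-0742, CVE-2010-3864, CVE-2010-4180, CVE-2010-4252, CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0050, CVE-2012-0884, CVE-2012-2110, CVE-2012-2131, CVE-2012-2333, CVE-2013-0166 and CVE-2013-0169. The removal is coherent with the NB note (none of these releases is an ancestor of 1.0.0, hence of 1.0.1), and at least one deleted entry is explicitly 0.9.8-only (CVE-2012-2131, "the 'len' argument ... is an int in OpenSSL 0.9.8"), so it has no 1.0.x counterpart to preserve; but the commit message should state that rationale and point readers at the 0.9.8 branch CHANGES for these entries. The resulting context reads "*) Change 'Configure' script to enable Camellia by default. [NTT]" followed directly by "Changes between 0.9.8m and 0.9.8n", which is the correct pre-1.0.0 lineage.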
|