[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
-### Changes between 3.0.7 and 3.0.8 [xx XXX xxxx]
+### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
+
+ * Fixed NULL dereference during PKCS7 data verification.
+
+ A NULL pointer can be dereferenced when signatures are being
+ verified on PKCS7 signed or signedAndEnveloped data. In case the hash
+ algorithm used for the signature is known to the OpenSSL library but
+ the implementation of the hash algorithm is not available the digest
+ initialization will fail. There is a missing check for the return
+ value from the initialization function which later leads to invalid
+ usage of the digest API most likely leading to a crash.
+ ([CVE-2023-0401])
+
+ PKCS7 data is processed by the SMIME library calls and also by the
+ time stamp (TS) library calls. The TLS implementation in OpenSSL does
+ not call these functions however third party applications would be
+ affected if they call these functions to verify signatures on untrusted
+ data.
+
+ *Tomáš Mráz*
+
+ * Fixed X.400 address type confusion in X.509 GeneralName.
+
+ There is a type confusion vulnerability relating to X.400 address processing
+ inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
+ but the public structure definition for GENERAL_NAME incorrectly specified
+ the type of the x400Address field as ASN1_TYPE. This field is subsequently
+ interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
+ than an ASN1_STRING.
+
+ When CRL checking is enabled (i.e. the application sets the
+ X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
+ pass arbitrary pointers to a memcmp call, enabling them to read memory
+ contents or enact a denial of service.
+ ([CVE-2023-0286])
+
+ *Hugo Landau*
+
+ * Fixed NULL dereference validating DSA public key.
+
+ An invalid pointer dereference on read can be triggered when an
+ application tries to check a malformed DSA public key by the
+ EVP_PKEY_public_check() function. This will most likely lead
+ to an application crash. This function can be called on public
+ keys supplied from untrusted sources which could allow an attacker
+ to cause a denial of service attack.
+
+ The TLS implementation in OpenSSL does not call this function
+ but applications might call the function if there are additional
+ security requirements imposed by standards such as FIPS 140-3.
+ ([CVE-2023-0217])
+
+ *Shane Lontis, Tomáš Mráz*
+
+ * Fixed Invalid pointer dereference in d2i_PKCS7 functions.
+
+ An invalid pointer dereference on read can be triggered when an
+ application tries to load malformed PKCS7 data with the
+ d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
+
+ The result of the dereference is an application crash which could
+ lead to a denial of service attack. The TLS implementation in OpenSSL
+ does not call this function however third party applications might
+ call these functions on untrusted data.
+ ([CVE-2023-0216])
+
+ *Tomáš Mráz*
+
+ * Fixed Use-after-free following BIO_new_NDEF.
+
+ The public API function BIO_new_NDEF is a helper function used for
+ streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
+ to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
+ be called directly by end user applications.
+
+ The function receives a BIO from the caller, prepends a new BIO_f_asn1
+ filter BIO onto the front of it to form a BIO chain, and then returns
+ the new head of the BIO chain to the caller. Under certain conditions,
+ for example if a CMS recipient public key is invalid, the new filter BIO
+ is freed and the function returns a NULL result indicating a failure.
+ However, in this case, the BIO chain is not properly cleaned up and the
+ BIO passed by the caller still retains internal pointers to the previously
+ freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
+ then a use-after-free will occur. This will most likely result in a crash.
+ ([CVE-2023-0215])
+
+ *Viktor Dukhovni, Matt Caswell*
+
+ * Fixed Double free after calling PEM_read_bio_ex.
+
+ The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
+ decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
+ data. If the function succeeds then the "name_out", "header" and "data"
+ arguments are populated with pointers to buffers containing the relevant
+ decoded data. The caller is responsible for freeing those buffers. It is
+ possible to construct a PEM file that results in 0 bytes of payload data.
+ In this case PEM_read_bio_ex() will return a failure code but will populate
+ the header argument with a pointer to a buffer that has already been freed.
+ If the caller also frees this buffer then a double free will occur. This
+ will most likely lead to a crash.
+
+ The functions PEM_read_bio() and PEM_read() are simple wrappers around
+ PEM_read_bio_ex() and therefore these functions are also directly affected.
+
+ These functions are also called indirectly by a number of other OpenSSL
+ functions including PEM_X509_INFO_read_bio_ex() and
+ SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
+ internal uses of these functions are not vulnerable because the caller does
+ not free the header argument if PEM_read_bio_ex() returns a failure code.
+ ([CVE-2022-4450])
+
+ *Kurt Roeckx, Matt Caswell*
+
+ * Fixed Timing Oracle in RSA Decryption.
+
+ A timing based side channel exists in the OpenSSL RSA Decryption
+ implementation which could be sufficient to recover a plaintext across
+ a network in a Bleichenbacher style attack. To achieve a successful
+ decryption an attacker would have to be able to send a very large number
+ of trial messages for decryption. The vulnerability affects all RSA padding
+ modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
+ ([CVE-2022-4304])
+
+ *Dmitry Belyavsky, Hubert Kario*
+
+ * Fixed X.509 Name Constraints Read Buffer Overflow.
+
+ A read buffer overrun can be triggered in X.509 certificate verification,
+ specifically in name constraint checking. The read buffer overrun might
+ result in a crash which could lead to a denial of service attack.
+ In a TLS client, this can be triggered by connecting to a malicious
+ server. In a TLS server, this can be triggered if the server requests
+ client authentication and a malicious client connects.
+ ([CVE-2022-4203])
+
+ *Viktor Dukhovni*
+
+ * Fixed X.509 Policy Constraints Double Locking security issue.
+
+ If an X.509 certificate contains a malformed policy constraint and
+ policy processing is enabled, then a write lock will be taken twice
+ recursively. On some operating systems (most widely: Windows) this
+ results in a denial of service when the affected process hangs. Policy
+ processing being enabled on a publicly facing server is not considered
+ to be a common setup.
+ ([CVE-2022-3996])
+
+ *Paul Dale*
* Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and
`OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor
<!-- Links -->
+[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
+[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
+[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
+[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
+[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
+[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
+[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
+[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
+[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
+[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
+[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
OpenSSL 3.0
-----------
+### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]
+
+ * Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401])
+ * Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286])
+ * Fixed NULL dereference validating DSA public key ([CVE-2023-0217])
+ * Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216])
+ * Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215])
+ * Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450])
+ * Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304])
+ * Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203])
+ * Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996])
+
### Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022]
* Added RIPEMD160 to the default provider.
* Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
occuppied by the removed hash table entries ([CVE-2022-1473])
-### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2
+### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 [15 Mar 2022]
* Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
for non-prime moduli ([CVE-2022-0778])
-### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1
+### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021]
* Fixed invalid handling of X509_verify_cert() internal errors in libssl
([CVE-2021-4044])
* Allow fetching an operation from the provider that owns an unexportable key
as a fallback if that is still allowed by the property query.
-### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0
+### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 sep 2021]
* Enhanced 'openssl list' with many new options.
* Added migration guide to man7.
* Support for various new platforms
<!-- Links -->
-
+[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
+[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
+[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
+[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
+[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
+[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
+[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
+[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
+[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
+[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
+[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
projects / openssl.git / commitdiff