1.0.0 on 20100329
-->
-<security updated="20170216">
+<!-- The updated attribute should be the same as the first public issue,
+ unless an old entry was updated. -->
+<security updated="20171102">
+ <issue public="20171207">
+ <impact severity="Moderate"/>
+ <cve name="2017-3737"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <fixed base="1.0.2" version="1.0.2n" date="20171207"/>
+ <problemtype>Unauthenticated read/unencrypted write</problemtype>
+ <title>Read/write after SSL object in error state</title>
+ <description>
+ OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
+ mechanism. The intent was that if a fatal error occurred during a handshake then
+ OpenSSL would move into the error state and would immediately fail if you
+ attempted to continue the handshake. This works as designed for the explicit
+ handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),
+ however due to a bug it does not work correctly if SSL_read() or SSL_write() is
+ called directly. In that scenario, if the handshake fails then a fatal error
+ will be returned in the initial function call. If SSL_read()/SSL_write() is
+ subsequently called by the application for the same SSL object then it will
+ succeed and the data is passed without being decrypted/encrypted directly from
+ the SSL/TLS record layer.
+
+ In order to exploit this issue an application bug would have to be present that
+ resulted in a call to SSL_read()/SSL_write() being issued after having already
+ received a fatal error.
+ </description>
+ <advisory url="/news/secadv/20171207.txt"/>
+ <reported source="David Benjamin (Google)"/>
+ </issue>
+ <issue public="20171207">
+ <impact severity="Low"/>
+ <cve name="2017-3738"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.1.0" version="1.1.0g"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <fixed base="1.0.2" version="1.0.2n" date="20171207"/>
+ <fixed base="1.1.0" version="1.1.0h-dev" date="20171207"/>
+ <problemtype>carry-propagating bug</problemtype>
+ <title>bn_sqrx8x_internal carry bug on x86_64</title>
+ <description>
+ There is an overflow bug in the AVX2 Montgomery multiplication procedure
+ used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
+ Analysis suggests that attacks against RSA and DSA as a result of this defect
+ would be very difficult to perform and are not believed likely. Attacks
+ against DH1024 are considered just feasible, because most of the work
+ necessary to deduce information about a private key may be performed offline.
+ The amount of resources required for such an attack would be significant.
+ However, for an attack on TLS to be meaningful, the server would have to share
+ the DH1024 private key among multiple clients, which is no longer an option
+ since CVE-2016-0701.
+
+ This only affects processors that support the AVX2 but not ADX extensions
+ like Intel Haswell (4th generation).
+
+ Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
+ and CVE-2015-3193.
+
+ Due to the low severity of this issue we are not issuing a new release of
+ OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it
+ becomes available. The fix is also available in commit e502cc86d in the OpenSSL
+ git repository.
+ </description>
+ <advisory url="/news/secadv/20171207.txt"/>
+ <reported source="David Benjamin (Google)/Google OSS-Fuzz"/>
+ </issue>
+ <issue public="20171102">
+ <impact severity="Moderate"/>
+ <cve name="2017-3736"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <fixed base="1.0.2" version="1.0.2m" date="20171102"/>
+ <fixed base="1.1.0" version="1.1.0g" date="20171102"/>
+ <problemtype>carry-propagating bug</problemtype>
+ <title>bn_sqrx8x_internal carry bug on x86_64</title>
+ <description>
+ There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
+ EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
+ as a result of this defect would be very difficult to perform and are not
+ believed likely. Attacks against DH are considered just feasible (although very
+ difficult) because most of the work necessary to deduce information
+ about a private key may be performed offline. The amount of resources
+ required for such an attack would be very significant and likely only
+ accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients.
+
+ This only affects processors that support the BMI1, BMI2 and ADX extensions like
+ Intel Broadwell (5th generation) and later or AMD Ryzen.
+ </description>
+ <advisory url="/news/secadv/20171102.txt"/>
+ <reported source="Google OSS-Fuzz"/>
+ </issue>
+ <issue public="20170828">
+ <impact severity="Low"/>
+ <cve name="2017-3735"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <fixed base="1.0.2" version="1.0.2m" date="20171102"/>
+ <fixed base="1.1.0" version="1.1.0g" date="20171102"/>
+ <problemtype>out-of-bounds read</problemtype>
+ <title>Possible Overread in parsing X.509 IPAdressFamily</title>
+ <description>
+ While parsing an IPAdressFamily extension in an X.509 certificate,
+ it is possible to do a one-byte overread. This would result in
+ an incorrect text display of the certificate.
+ </description>
+ <advisory url="/news/secadv/20170828.txt"/>
+ <reported source="Google OSS-Fuzz"/>
+ </issue>
<issue public="20170216">
<impact severity="High"/>
<cve name="2017-3733"/>
unlikely. Namely multiple clients have to choose the curve in question and
the server has to share the private key among them, neither of which is
default behaviour. Even then only clients that chose the curve will be
- affected.ctures using a callback which do not handle NULL value are
affected.
</description>
<advisory url="/news/secadv/20161110.txt"/>
<issue public="20020730">
<cve name="2002-0657"/>
<advisory url="/news/secadv/20020730.txt"/>
+ <affects base="0.9.7" version="0.9.7-beta3"/>
+ <fixed base="0.9.7" version="0.9.7" date="20021210"/>
<reported source="OpenSSL Group (A.L. Digital)"/>
<description>
A buffer overflow when Kerberos is enabled allowed attackers
<issue public="20020730">
<cve name="2002-0659"/>
+ <advisory url="/news/secadv/20020730.txt"/>
<affects base="0.9.6" version="0.9.6a"/>
<affects base="0.9.6" version="0.9.6b"/>
<affects base="0.9.6" version="0.9.6c"/>
</description>
</issue>
- <issue>
+ <issue public="20020808">
<cve name="2002-1568"/>
<affects base="0.9.6" version="0.9.6e"/>
- <fixed base="0.9.6" version="0.9.6f" date="20020808"/>
+ <fixed base="0.9.6" version="0.9.6f" date="20020808">
+ <git hash="517a0e7fa0f5453c860a3aec17b678bd55d5aad7"/>
+ </fixed>
<description>
The use of assertions when detecting buffer overflow attacks
allowed remote attackers to cause a denial of service (crash) by
<affects base="0.9.6" version="0.9.6k"/>
<affects base="0.9.6" version="0.9.6l"/>
<affects base="0.9.6" version="0.9.6m"/>
- <fixed base="0.9.7" version="0.9.7f" date="20050322"/>
+ <fixed base="0.9.7" version="0.9.7f" date="20050322">
+ <git hash="5fee606442a6738fd06a756d7076be53b7b7734c"/>
+ </fixed>
<fixed base="0.9.6" version="0.9.6-cvs" date="20041114"/>
<!-- der_chop was removed 20041114 -->
<cve name="2007-5502"/>
<advisory url="/news/secadv/20071129.txt"/>
<reported source="Geoff Lowe"/>
-
+ <affects base="fips-1.1" version="fips-1.1.1"/>
+ <fixed base="fips-1.1" version="fips-1.1.2" date="20071201"/>
<description>
The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does
not perform auto-seeding during the FIPS self-test, which generates
<affects base="0.9.8" version="0.9.8f"/>
<affects base="0.9.8" version="0.9.8g"/>
<affects base="0.9.8" version="0.9.8h"/>
- <fixed base="0.9.8" version="0.9.8i" date="20080915"/>
+ <fixed base="0.9.8" version="0.9.8i" date="20080915">
+ <git hash="1cbf663a6c89dcf8f7706d30a8bae675e2e0199a"/>
+ </fixed>
<reported source="Alex Lam"/>
<description>
Fix a NULL pointer dereference if a DTLS server recieved
<issue public="20090205">
<cve name="2009-1387"/>
+ <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest"/>
<affects base="0.9.8" version="0.9.8"/>
<affects base="0.9.8" version="0.9.8a"/>
<affects base="0.9.8" version="0.9.8b"/>
<issue public="20090512">
<cve name="2009-1377"/>
+ <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="88b48dc68024dcc437da4296c9fb04419b0ccbe1"/>
+ </fixed>
+ <reported source="Daniel Mentz, Robin Seggelmann"/>
+ <description>
+Fix a denial of service flaw in the DTLS implementation.
+Records are buffered if they arrive with a future epoch to be
+processed after finishing the corresponding handshake. There is
+currently no limitation to this buffer allowing an attacker to perform
+a DOS attack to a DTLS server by sending records with future epochs until there is no
+memory left.
+ </description>
+ </issue>
+
+ <issue public="20090512">
<cve name="2009-1378"/>
+ <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="abda7c114791fa7fe95672ec7a66fc4733c40dbc"/>
+ </fixed>
+ <reported source="Daniel Mentz, Robin Seggelmann"/>
+ <description>
+ Fix a denial of service flaw in the DTLS implementation.
+In dtls1_process_out_of_seq_message() the check if the current message
+is already buffered was missing. For every new message was memory
+allocated, allowing an attacker to perform an denial of service attack
+against a DTLS server by sending out of seq handshake messages until there is no memory
+left.
+ </description>
+ </issue>
+
+ <issue public="20090512">
<cve name="2009-1379"/>
+ <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest"/>
<affects base="0.9.8" version="0.9.8"/>
<affects base="0.9.8" version="0.9.8a"/>
<affects base="0.9.8" version="0.9.8b"/>
<affects base="0.9.8" version="0.9.8j"/>
<affects base="0.9.8" version="0.9.8k"/>
<affects base="0.9.8" version="0.9.8l"/>
- <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="561cbe567846a376153bea7f1f2d061e78029c2d"/>
+ </fixed>
<reported source="Daniel Mentz, Robin Seggelmann"/>
<description>
-Fix denial of service flaws in the DTLS implementation. A
-remote attacker could use these flaws to cause a DTLS server to use
-excessive amounts of memory, or crash.
+ Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment
+ function could cause a client accessing a malicious DTLS server to
+ crash.
</description>
</issue>
<affects base="0.9.8" version="0.9.8j"/>
<affects base="0.9.8" version="0.9.8k"/>
<affects base="0.9.8" version="0.9.8l"/>
- <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="1b31b5ad560b16e2fe1cad54a755e3e6b5e778a3"/>
+ </fixed>
<reported source="Michael K Johnson and Andy Grimm (rPath)"/>
<description>
A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c
<affects base="0.9.8" version="0.9.8j"/>
<affects base="0.9.8" version="0.9.8k"/>
<affects base="0.9.8" version="0.9.8l"/>
- <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="7e4cae1d2f555cbe9226b377aff4b56c9f7ddd4d"/>
+ </fixed>
<reported source="Martin Olsson, Neel Mehta"/>
<description>
It was discovered that OpenSSL did not always check the return value of the
<affects base="0.9.8" version="0.9.8k"/>
<affects base="0.9.8" version="0.9.8l"/>
<affects base="0.9.8" version="0.9.8m"/>
- <fixed base="0.9.8" version="0.9.8n" date="20100324"/>
+ <fixed base="0.9.8" version="0.9.8n" date="20100324">
+ <git hash="cca1cd9a3447dd067503e4a85ebd1679ee78a48e"/>
+ </fixed>
<reported source="Todd Rinaldo, Tomas Hoger (Red Hat)"/>
<description>
A missing return value check flaw was discovered in OpenSSL, that could
</issue>
<issue public="20140106">
- <cve name="2013-4353"/>
+ <cve name="2013-4353"/>
<affects base="1.0.1" version="1.0.1"/>
<affects base="1.0.1" version="1.0.1a"/>
<affects base="1.0.1" version="1.0.1b"/>
<issue public="20140214">
<cve name="2014-0076"/>
+ <advisory url="/news/secadv/20140605.txt"/>
<affects base="0.9.8" version="0.9.8"/>
<affects base="0.9.8" version="0.9.8a"/>
<affects base="0.9.8" version="0.9.8b"/>
projects / openssl-web.git / blobdiff