X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=6933da65028218417da9bdeff200f7013c559c5e;hp=477d18527d668c8bba87c9fc2d6dbcd9289c40ad;hb=48c16012e743a31c42d823a75bc3cb72b8fad85f;hpb=f0e0fd51fd8307f6eae64862ad9aaea113f1177a diff --git a/CHANGES b/CHANGES index 477d18527d..6933da6502 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,32 @@ Changes between 1.0.2g and 1.1.0 [xx XXX xxxx] + *) Automatic Darwin/OSX configuration has had a refresh, it will now + recognise x86_64 architectures automatically. You can still decide + to build for a different bitness with the environment variable + KERNEL_BITS (can be 32 or 64), for example: + + KERNEL_BITS=32 ./config + + [Richard Levitte] + + *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0, + 256 bit AES and HMAC with SHA256. + [Steve Henson] + + *) Remove support for MIPS o32 ABI on IRIX (and IRIX only). + [Andy Polyakov] + + *) Triple-DES ciphers have been moved from HIGH to MEDIUM. + [Rich Salz] + + *) To enable users to have their own config files and build file templates, + Configure looks in the directory indicated by the environment variable + OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/ + directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical + name and is used as is. + [Richard Levitte] + *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type X509_CERT_FILE_CTX was removed. 
@@ -988,6 +1014,103 @@ validated when establishing a connection. [Rob Percival ] + Changes between 1.0.2g and 1.0.2h [3 May 2016] + + *) Prevent padding oracle in AES-NI CBC MAC check + + A MITM attacker can use a padding oracle attack to decrypt traffic + when the connection uses an AES CBC cipher and the server support + AES-NI. + + This issue was introduced as part of the fix for Lucky 13 padding + attack (CVE-2013-0169). The padding check was rewritten to be in + constant time by making sure that always the same bytes are read and + compared against either the MAC or padding bytes. But it no longer + checked that there was enough data to have both the MAC and padding + bytes. + + This issue was reported by Juraj Somorovsky using TLS-Attacker. + (CVE-2016-2107) + [Kurt Roeckx] + + *) Fix EVP_EncodeUpdate overflow + + An overflow can occur in the EVP_EncodeUpdate() function which is used for + Base64 encoding of binary data. If an attacker is able to supply very large + amounts of input data then a length check can overflow resulting in a heap + corruption. + + Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by + the PEM_write_bio* family of functions. These are mainly used within the + OpenSSL command line applications, so any application which processes data + from an untrusted source and outputs it as a PEM file should be considered + vulnerable to this issue. User applications that call these APIs directly + with large amounts of untrusted data may also be vulnerable. + + This issue was reported by Guido Vranken. + (CVE-2016-2105) + [Matt Caswell] + + *) Fix EVP_EncryptUpdate overflow + + An overflow can occur in the EVP_EncryptUpdate() function. If an attacker + is able to supply very large amounts of input data after a previous call to + EVP_EncryptUpdate() with a partial block then a length check can overflow + resulting in a heap corruption. 
Following an analysis of all OpenSSL + internal usage of the EVP_EncryptUpdate() function all usage is one of two + forms. The first form is where the EVP_EncryptUpdate() call is known to be + the first called function after an EVP_EncryptInit(), and therefore that + specific call must be safe. The second form is where the length passed to + EVP_EncryptUpdate() can be seen from the code to be some small value and + therefore there is no possibility of an overflow. Since all instances are + one of these two forms, it is believed that there can be no overflows in + internal code due to this problem. It should be noted that + EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. + Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances + of these calls have also been analysed too and it is believed there are no + instances in internal usage where an overflow could occur. + + This issue was reported by Guido Vranken. + (CVE-2016-2106) + [Matt Caswell] + + *) Prevent ASN.1 BIO excessive memory allocation + + When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() + a short invalid encoding can cause allocation of large amounts of memory + potentially consuming excessive resources or exhausting memory. + + Any application parsing untrusted data through d2i BIO functions is + affected. The memory based functions such as d2i_X509() are *not* affected. + Since the memory based functions are used by the TLS library, TLS + applications are not affected. + + This issue was reported by Brian Carpenter. + (CVE-2016-2109) + [Stephen Henson] + + *) EBCDIC overread + + ASN1 Strings that are over 1024 bytes can cause an overread in applications + using the X509_NAME_oneline() function on EBCDIC systems. This could result + in arbitrary stack data being returned in the buffer. + + This issue was reported by Guido Vranken. 
+ (CVE-2016-2176) + [Matt Caswell] + + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + + *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the + default. + [Kurt Roeckx] + + *) Only remove the SSLv2 methods with the no-ssl2-method option. When the + methods are enabled and ssl2 is disabled the methods return NULL. + [Kurt Roeckx] + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. @@ -1226,7 +1349,7 @@ *) Alternate chains certificate forgery - During certificate verfification, OpenSSL will attempt to find an + During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be @@ -1484,7 +1607,7 @@ *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g. ARMv5 through ARMv8, as opposite to "locking" it to single one. - So far those who have to target multiple plaforms would compromise + So far those who have to target multiple platforms would compromise and argue that binary targeting say ARMv5 would still execute on ARMv8. "Universal" build resolves this compromise by providing near-optimal performance even on newer platforms. @@ -1544,7 +1667,7 @@ [Steve Henson] *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): - this fixes a limiation in previous versions of OpenSSL. + this fixes a limitation in previous versions of OpenSSL. [Steve Henson] *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, 
@@ -1653,7 +1776,7 @@ *) Add support for certificate stores in CERT structure. This makes it possible to have different stores per SSL structure or one store in - the parent SSL_CTX. Include distint stores for certificate chain + the parent SSL_CTX. Include distinct stores for certificate chain verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN to build and store a certificate chain in CERT structure: returing an error if the chain cannot be built: this will allow applications @@ -1716,7 +1839,7 @@ [Steve Henson] *) Integrate hostname, email address and IP address checking with certificate - verification. New verify options supporting checking in opensl utility. + verification. New verify options supporting checking in openssl utility. [Steve Henson] *) Fixes and wildcard matching support to hostname and email checking
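Review bot: In the `@@ -4,6 +4,32 @@` hunk, the entry "Triple-DES ciphers have been moved from HIGH to MEDIUM" states neither the reason nor the effect on existing configurations. A cipher string that selects only HIGH will no longer offer 3DES suites after this change, so peers that support nothing stronger will fail to negotiate; suggest adding one sentence that says so. The pkcs8 entry in the same hunk has the same gap: it names the new defaults (PKCS#5 v2.0, 256 bit AES, HMAC with SHA256) but not the previous ones, which matters when the output has to be read by older software.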
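Review bot: The new 1.0.2h section in the `@@ -988,6 +1014,103 @@` hunk introduces wording errors, while later hunks in this same patch correct typos elsewhere in the file. "the server support AES-NI" should read "supports", "This removes singles DES from the default" should read "single DES", and "have also been analysed too" is redundant. The EBCDIC entry also writes "ASN1 Strings" where the preceding entry writes "ASN.1"; use one form throughout.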
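Review bot: In the `@@ -1653,7 +1776,7 @@` hunk, the context line "returing an error if the chain cannot be built", two lines below the corrected "distinct", is still misspelled. Change "returing" to "returning" in this patch, since the paragraph is already being touched for a typo fix.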