OpenSSL CHANGES
_______________
- Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
+ Changes between 1.0.1k and 1.0.2 [xx XXX xxxx]
+
+ *) SRTP Memory Leak.
+
+ A flaw in the DTLS SRTP extension parsing code allows an attacker, who
+ sends a carefully crafted handshake message, to cause OpenSSL to fail
+ to free up to 64k of memory causing a memory leak. This could be
+ exploited in a Denial Of Service attack. This issue affects OpenSSL
+ 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
+ whether SRTP is used or configured. Implementations of OpenSSL that
+ have been compiled with OPENSSL_NO_SRTP defined are not affected.
+
+ The fix was developed by the OpenSSL team.
+ (CVE-2014-3513)
+ [OpenSSL team]
+
+ *) Session Ticket Memory Leak.
+
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ (CVE-2014-3567)
+ [Steve Henson]
+
+ *) Build option no-ssl3 is incomplete.
+
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ (CVE-2014-3568)
+ [Akamai and the OpenSSL team]
+
+ *) Add support for TLS_FALLBACK_SCSV.
+ Client applications doing fallback retries should call
+ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+ (CVE-2014-3566)
+ [Adam Langley, Bodo Moeller]
+
+ *) Accelerated NIST P-256 elliptic curve implementation for x86_64
+ (other platforms pending).
+ [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
+
+ *) Add support for the SignedCertificateTimestampList certificate and
+ OCSP response extensions from RFC6962.
+ [Rob Stradling]
+
+ *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+ [Bodo Moeller]
+
+ *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
+ This covers AES, SHA256/512 and GHASH. "Initial" means that most
+ common cases are optimized and there still is room for further
+ improvements. Vector Permutation AES for Altivec is also added.
+ [Andy Polyakov]
+
+ *) Add support for little-endian ppc64 Linux target.
+ [Marcelo Cerri (IBM)]
+
+ *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
+ SHA1, SHA256 and GHASH. "Initial" means that most common cases
+ are optimized and there still is room for further improvements.
+ Both 32- and 64-bit modes are supported.
+ [Andy Polyakov, Ard Biesheuvel (Linaro)]
+
+ *) Improved ARMv7 NEON support.
+ [Andy Polyakov]
+
+ *) Support for SPARC Architecture 2011 crypto extensions, first
+ implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
+ SHA256/512, MD5, GHASH and modular exponentiation.
+ [Andy Polyakov, David Miller]
+
+ *) Accelerated modular exponentiation for Intel processors, a.k.a.
+ RSAZ.
+ [Shay Gueron & Vlad Krasnov (Intel Corp)]
+
+ *) Support for new and upcoming Intel processors, including AVX2,
+ BMI and SHA ISA extensions. This includes additional "stitched"
+ implementations, AESNI-SHA256 and GCM, and multi-buffer support
+ for TLS encrypt.
+
+ This work was sponsored by Intel Corp.
+ [Andy Polyakov]
+
+ *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
+ supports both DTLS 1.2 and 1.0 and should use whatever version the peer
+ supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
+ [Steve Henson]
+
+ *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
+ this fixes a limiation in previous versions of OpenSSL.
+ [Steve Henson]
+
+ *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
+ MGF1 digest and OAEP label.
+ [Steve Henson]
+
+ *) Add EVP support for key wrapping algorithms, to avoid problems with
+ existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
+ the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
+ algorithms and include tests cases.
+ [Steve Henson]
+
+ *) Add functions to allocate and set the fields of an ECDSA_METHOD
+ structure.
+ [Douglas E. Engert, Steve Henson]
+
+ *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
+ difference in days and seconds between two tm or ASN1_TIME structures.
+ [Steve Henson]
+
+ *) Add -rev test option to s_server to just reverse order of characters
+ received by client and send back to server. Also prints an abbreviated
+ summary of the connection parameters.
+ [Steve Henson]
+
+ *) New option -brief for s_client and s_server to print out a brief summary
+ of connection parameters.
+ [Steve Henson]
+
+ *) Add callbacks for arbitrary TLS extensions.
+ [Trevor Perrin <trevp@trevp.net> and Ben Laurie]
+
+ *) New option -crl_download in several openssl utilities to download CRLs
+ from CRLDP extension in certificates.
+ [Steve Henson]
+
+ *) New options -CRL and -CRLform for s_client and s_server for CRLs.
+ [Steve Henson]
+
+ *) New function X509_CRL_diff to generate a delta CRL from the difference
+ of two full CRLs. Add support to "crl" utility.
+ [Steve Henson]
*) New functions to set lookup_crls function and to retrieve
X509_STORE from X509_STORE_CTX.
[Steve Henson]
*) New ctrl and macro to retrieve supported points extensions.
- Print out extension in s_server.
+ Print out extension in s_server and s_client.
[Steve Henson]
*) New functions to retrieve certificate signature and signature
*) Fix OCSP checking.
[Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
- *) Backport support for partial chain verification: if an intermediate
- certificate is explicitly trusted (using -addtrust option to x509
- utility for example) the verification is sucessful even if the chain
- is not complete.
- The OCSP checking fix depends on this backport.
- [Steve Henson and Rob Stradling <rob.stradling@comodo.com>]
+ *) Initial experimental support for explicitly trusted non-root CAs.
+ OpenSSL still tries to build a complete chain to a root but if an
+ intermediate CA has a trust setting included that is used. The first
+ setting is used: whether to trust (e.g., -addtrust option to the x509
+ utility) or reject.
+ [Steve Henson]
*) Add -trusted_first option which attempts to find certificates in the
trusted store even if an untrusted chain is also supplied.
platform support for Linux and Android.
[Andy Polyakov]
- *) Call OCSP Stapling callback after ciphersuite has been chosen, so
- the right response is stapled. Also change current certificate to
- the certificate actually sent.
- See http://rt.openssl.org/Ticket/Display.html?id=2836.
- [Rob Stradling <rob.stradling@comodo.com>]
-
*) Support for linux-x32, ILP32 environment in x86_64 framework.
[Andy Polyakov]
- *) RFC 5878 support.
- [Emilia Kasper, Adam Langley, Ben Laurie (Google)]
-
*) Experimental multi-implementation support for FIPS capable OpenSSL.
When in FIPS mode the approved implementations are used as normal,
when not in FIPS mode the internal unapproved versions are used instead.
certificates.
[Steve Henson]
- Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]
+ *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
+ the certificate.
+ Note: Related 1.0.2-beta specific macros X509_get_cert_info,
+ X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
+ X509_CINF_get_signature were reverted post internal team review.
+
+ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+
+ *) Do not resume sessions on the server if the negotiated protocol
+ version does not match the session's version. Resuming with a different
+ version, while not strictly forbidden by the RFC, is of questionable
+ sanity and breaks all known clients.
+ [David Benjamin, Emilia Käsper]
+
+ *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
+ early CCS messages during renegotiation. (Note that because
+ renegotiation is encrypted, this early CCS was not exploitable.)
+ [Emilia Käsper]
+
+ *) Tighten client-side session ticket handling during renegotiation:
+ ensure that the client only accepts a session ticket if the server sends
+ the extension anew in the ServerHello. Previously, a TLS client would
+ reuse the old extension state and thus accept a session ticket if one was
+ announced in the initial ServerHello.
+
+ Similarly, ensure that the client requires a session ticket if one
+ was advertised in the ServerHello. Previously, a TLS client would
+ ignore a missing NewSessionTicket message.
+ [Emilia Käsper]
+
+ Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
+
+ *) SRTP Memory Leak.
+
+ A flaw in the DTLS SRTP extension parsing code allows an attacker, who
+ sends a carefully crafted handshake message, to cause OpenSSL to fail
+ to free up to 64k of memory causing a memory leak. This could be
+ exploited in a Denial Of Service attack. This issue affects OpenSSL
+ 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
+ whether SRTP is used or configured. Implementations of OpenSSL that
+ have been compiled with OPENSSL_NO_SRTP defined are not affected.
+
+ The fix was developed by the OpenSSL team.
+ (CVE-2014-3513)
+ [OpenSSL team]
+
+ *) Session Ticket Memory Leak.
+
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ (CVE-2014-3567)
+ [Steve Henson]
+
+ *) Build option no-ssl3 is incomplete.
+
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ (CVE-2014-3568)
+ [Akamai and the OpenSSL team]
+
+ *) Add support for TLS_FALLBACK_SCSV.
+ Client applications doing fallback retries should call
+ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+ (CVE-2014-3566)
+ [Adam Langley, Bodo Moeller]
+
+ *) Add additional DigestInfo checks.
+
+ Reencode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
+
+ Note: this is a precautionary measure and no attacks are currently known.
+
+ [Steve Henson]
+
+ Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
+
+ *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
+ SRP code can be overrun an internal buffer. Add sanity check that
+ g, A, B < N to SRP code.
+
+ Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
+ Group for discovering this issue.
+ (CVE-2014-3512)
+ [Steve Henson]
+
+ *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
+ TLS 1.0 instead of higher protocol versions when the ClientHello message
+ is badly fragmented. This allows a man-in-the-middle attacker to force a
+ downgrade to TLS 1.0 even if both the server and the client support a
+ higher protocol version, by modifying the client's TLS records.
+
+ Thanks to David Benjamin and Adam Langley (Google) for discovering and
+ researching this issue.
+ (CVE-2014-3511)
+ [David Benjamin]
+
+ *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+ to a denial of service attack. A malicious server can crash the client
+ with a null pointer dereference (read) by specifying an anonymous (EC)DH
+ ciphersuite and sending carefully crafted handshake messages.
+
+ Thanks to Felix Gröbert (Google) for discovering and researching this
+ issue.
+ (CVE-2014-3510)
+ [Emilia Käsper]
+
+ *) By sending carefully crafted DTLS packets an attacker could cause openssl
+ to leak memory. This can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ (CVE-2014-3507)
+ [Adam Langley]
+
+ *) An attacker can force openssl to consume large amounts of memory whilst
+ processing DTLS handshake messages. This can be exploited through a
+ Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ (CVE-2014-3506)
+ [Adam Langley]
+
+ *) An attacker can force an error condition which causes openssl to crash
+ whilst processing DTLS packets due to memory being freed twice. This
+ can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
+ this issue.
+ (CVE-2014-3505)
+ [Adam Langley]
+
+ *) If a multithreaded client connects to a malicious server using a resumed
+ session and the server sends an ec point format extension it could write
+ up to 255 bytes to freed memory.
+
+ Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
+ issue.
+ (CVE-2014-3509)
+ [Gabor Tyukasz]
+
+ *) A malicious server can crash an OpenSSL client with a null pointer
+ dereference (read) by specifying an SRP ciphersuite even though it was not
+ properly negotiated with the client. This can be exploited through a
+ Denial of Service attack.
+
+ Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
+ discovering and researching this issue.
+ (CVE-2014-5139)
+ [Steve Henson]
+
+ *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
+ X509_name_oneline, X509_name_print_ex et al. to leak some information
+ from the stack. Applications may be affected if they echo pretty printing
+ output to the attacker.
+
+ Thanks to Ivan Fratric (Google) for discovering this issue.
+ (CVE-2014-3508)
+ [Emilia Käsper, and Steve Henson]
+
+ *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+ [Bodo Moeller]
+
+ Changes between 1.0.1i and 1.0.1j [xx XXX xxxx]
+
+ *) Add additional DigestInfo checks.
+
+ Reencode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
+
+ Note: this is a precautionary measure and no attacks are currently known.
+
+ [Steve Henson]
+
+ Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
+
+ *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+ handshake can force the use of weak keying material in OpenSSL
+ SSL/TLS clients and servers.
+
+ Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+ researching this issue. (CVE-2014-0224)
+ [KIKUCHI Masashi, Steve Henson]
+
+ *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+ OpenSSL DTLS client the code can be made to recurse eventually crashing
+ in a DoS attack.
+
+ Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+ (CVE-2014-0221)
+ [Imre Rad, Steve Henson]
+
+ *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+ be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+ client or server. This is potentially exploitable to run arbitrary
+ code on a vulnerable client or server.
+
+ Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+ [Jüri Aedla, Steve Henson]
+
+ *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+ are subject to a denial of service attack.
+
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+ this issue. (CVE-2014-3470)
+ [Felix Gröbert, Ivan Fratric, Steve Henson]
+
+ *) Harmonize version and its documentation. -f flag is used to display
+ compilation flags.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+ in i2d_ECPrivateKey.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix some double frees. These are not thought to be exploitable.
+ [mancha <mancha1@zoho.com>]
+
+ Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
+
+ *) A missing bounds check in the handling of the TLS heartbeat extension
+ can be used to reveal up to 64k of memory to a connected client or
+ server.
+
+ Thanks for Neel Mehta of Google Security for discovering this bug and to
+ Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
+ preparing the fix (CVE-2014-0160)
+ [Adam Langley, Bodo Moeller]
+
+ *) Fix for the attack described in the paper "Recovering OpenSSL
+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
+ http://eprint.iacr.org/2014/140
+
+ Thanks to Yuval Yarom and Naomi Benger for discovering this
+ flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+ [Yuval Yarom and Naomi Benger]
+
+ *) TLS pad extension: draft-agl-tls-padding-03
+
+ Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+ TLS client Hello record length value would otherwise be > 255 and
+ less that 512 pad with a dummy extension containing zeroes so it
+ is at least 512 bytes long.
+
+ [Adam Langley, Steve Henson]
+
+ Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
+
+ *) Fix for TLS record tampering bug. A carefully crafted invalid
+ handshake could crash OpenSSL with a NULL pointer exception.
+ Thanks to Anton Johansson for reporting this issues.
+ (CVE-2013-4353)
+
+ *) Keep original DTLS digest and encryption contexts in retransmission
+ structures so we can use the previous session parameters if they need
+ to be resent. (CVE-2013-6450)
+ [Steve Henson]
+
+ *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+ avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+ Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
+ several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
+ is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+ 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+ [Rob Stradling, Adam Langley]
+
+ Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
+
+ *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
+ supporting platforms or when small records were transferred.
+ [Andy Polyakov, Steve Henson]
+
+ Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
+ ciphersuites which can be exploited in a denial of service attack.
+ Thanks go to and to Adam Langley <agl@chromium.org> for discovering
+ and detecting this bug and to Wolfgang Ettlinger
+ <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
+ (CVE-2012-2686)
+ [Adam Langley]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
*) Make openssl verify return errors.
[Chris Palmer <palmer@google.com> and Ben Laurie]
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ [Rob Stradling <rob.stradling@comodo.com>]
+
*) Fix possible deadlock when decoding public keys.
[Steve Henson]
Changes between 1.0.1b and 1.0.1c [10 May 2012]
*) Sanity check record length before skipping explicit IV in TLS
- 1.2, 1.1 and DTLS to avoid DoS attack.
+ 1.2, 1.1 and DTLS to fix DoS attack.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
[Adam Langley]
*) Workarounds for some broken servers that "hang" if a client hello
- record length exceeds 255 bytes:
-
+ record length exceeds 255 bytes.
+
1. Do not use record version number > TLS 1.0 in initial client
hello: some (but not all) hanging servers will now work.
2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
- the number of ciphers sent in the client hello. This should be
+ the number of ciphers sent in the client hello. This should be
set to an even number, such as 50, for example by passing:
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
Most broken servers should now work.
3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
- TLS 1.2 client support entirely.
+ TLS 1.2 client support entirely.
[Steve Henson]
*) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
Add command line options to s_client/s_server.
[Steve Henson]
+ Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ (This is a backport)
+ [Rob Stradling <rob.stradling@comodo.com>]
+
+ *) Fix possible deadlock when decoding public keys.
+ [Steve Henson]
+
+ Changes between 1.0.0i and 1.0.0j [10 May 2012]
+
+ [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
+ OpenSSL 1.0.1.]
+
+ *) Sanity check record length before skipping explicit IV in DTLS
+ to fix DoS attack.
+
+ Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+ fuzzing as a service testing platform.
+ (CVE-2012-2333)
+ [Steve Henson]
+
+ *) Initialise tkeylen properly when encrypting CMS messages.
+ Thanks to Solar Designer of Openwall for reporting this issue.
+ [Steve Henson]
+
+ Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
+
+ *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+ BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+ in CRYPTO_realloc_clean.
+
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ (CVE-2012-2110)
+ [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
*) Change 'Configure' script to enable Camellia by default.
[NTT]
+ Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ (This is a backport)
+ [Rob Stradling <rob.stradling@comodo.com>]
+
+ *) Fix possible deadlock when decoding public keys.
+ [Steve Henson]
+
+ Changes between 0.9.8w and 0.9.8x [10 May 2012]
+
+ *) Sanity check record length before skipping explicit IV in DTLS
+ to fix DoS attack.
+
+ Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+ fuzzing as a service testing platform.
+ (CVE-2012-2333)
+ [Steve Henson]
+
+ *) Initialise tkeylen properly when encrypting CMS messages.
+ Thanks to Solar Designer of Openwall for reporting this issue.
+ [Steve Henson]
+
+ Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
+
+ *) The fix for CVE-2012-2110 did not take into account that the
+ 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
+ int in OpenSSL 0.9.8, making it still vulnerable. Fix by
+ rejecting negative len parameter. (CVE-2012-2131)
+ [Tomas Hoger <thoger@redhat.com>]
+
+ Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
+
+ *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+ BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+ in CRYPTO_realloc_clean.
+
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ (CVE-2012-2110)
+ [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+ Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
+
+ *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
+ in CMS and PKCS7 code. When RSA decryption fails use a random key for
+ content decryption and always return the same error. Note: this attack
+ needs on average 2^20 messages so it only affects automated senders. The
+ old behaviour can be reenabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
+ an MMA defence is not necessary.
+ Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
+ this issue. (CVE-2012-0884)
+ [Steve Henson]
+
+ *) Fix CVE-2011-4619: make sure we really are receiving a
+ client hello before rejecting multiple SGC restarts. Thanks to
+ Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+ [Steve Henson]
+
Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
[Antonio Martin]
-
+
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
projects / openssl.git / blobdiff