From 7ff84d88036237dc36f4c2cf2dc814e4bf611084 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 10 Sep 2019 10:26:07 +0100 Subject: [PATCH] Update CHANGES and NEWS for the new release Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9841) --- CHANGES | 28 ++++++++++++++++++++++++++++ NEWS | 15 ++++++++++++++- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 1b9299fba7..6679f6ed5f 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,33 @@ Changes between 1.1.1c and 1.1.1d [xx XXX xxxx] + *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random + number generator (RNG). This was intended to include protection in the + event of a fork() system call in order to ensure that the parent and child + processes did not share the same RNG state. However this protection was not + being used in the default case. + + A partial mitigation for this issue is that the output from a high + precision timer is mixed into the RNG state so the likelihood of a parent + and child process sharing state is significantly reduced. + + If an application already calls OPENSSL_init_crypto() explicitly using + OPENSSL_INIT_ATFORK then this problem does not occur at all. + (CVE-2019-1549) + [Matthias St. Pierre] + + *) Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt(). In situations + where an attacker receives automated notification of the success or failure + of a decryption attempt an attacker, after sending a very large number of + messages to be decrypted, can recover a CMS/PKCS7 transported encryption + key or decrypt any RSA encrypted message that was encrypted with the public + RSA key, using a Bleichenbacher padding oracle attack. Applications are not + affected if they use a certificate together with the private RSA key to the + CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info + to decrypt. + (CVE-2019-1563) + [Bernd Edlinger] + *) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/ @@ -70,6 +97,7 @@ was decided to revert this feature and leave it up to the OS resp. the platform maintainer to ensure a proper initialization during early boot time. + [Matthias St. Pierre] Changes between 1.1.1b and 1.1.1c [28 May 2019] diff --git a/NEWS b/NEWS index f6264bf6b7..22be168091 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,20 @@ Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [under development] - o + o Fixed a fork protection issue (CVE-2019-1549) + o Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt() + (CVE-2019-1563) + o For built-in EC curves, ensure an EC_GROUP built from the curve name is + used even when parsing explicit parameters + o Compute ECC cofactors if not provided during EC_GROUP construction + (CVE-2019-1547) + o Early start up entropy quality from the DEVRANDOM seed source has been + improved for older Linux systems + o Correct the extended master secret constant on EBCDIC systems + o Use Windows installation paths in the mingw builds (CVE-2019-1552) + o Changed DH_check to accept parameters with order q and 2q subgroups + o Significantly reduce secure memory usage by the randomness pools + o Revert the DEVRANDOM_WAIT feature for Linux systems Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019] -- 2.25.1