From a8b1e52ff45e1dac1c1b1636042dc8008888a7cd Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 17 Mar 2015 15:58:40 +0000 Subject: [PATCH] Fix CHANGES discrepancies There were some discrepancies in the CHANGES file between the 1.0.1 version and 1.0.2. This corrects it. Reviewed-by: Richard Levitte --- CHANGES | 96 +++++++++++++++++++++++++++------------------------------ 1 file changed, 45 insertions(+), 51 deletions(-) diff --git a/CHANGES b/CHANGES index 5080aee45e..e4bbbb5ae4 100644 --- a/CHANGES +++ b/CHANGES @@ -9,45 +9,6 @@ Changes between 1.0.1l and 1.0.2 [22 Jan 2015] - *) SRTP Memory Leak. - - A flaw in the DTLS SRTP extension parsing code allows an attacker, who - sends a carefully crafted handshake message, to cause OpenSSL to fail - to free up to 64k of memory causing a memory leak. This could be - exploited in a Denial Of Service attack. This issue affects OpenSSL - 1.0.1 server implementations for both SSL/TLS and DTLS regardless of - whether SRTP is used or configured. Implementations of OpenSSL that - have been compiled with OPENSSL_NO_SRTP defined are not affected. - - The fix was developed by the OpenSSL team. - (CVE-2014-3513) - [OpenSSL team] - - *) Session Ticket Memory Leak. - - When an OpenSSL SSL/TLS/DTLS server receives a session ticket the - integrity of that ticket is first verified. In the event of a session - ticket integrity check failing, OpenSSL will fail to free memory - causing a memory leak. By sending a large number of invalid session - tickets an attacker could exploit this issue in a Denial Of Service - attack. - (CVE-2014-3567) - [Steve Henson] - - *) Build option no-ssl3 is incomplete. - - When OpenSSL is configured with "no-ssl3" as a build option, servers - could accept and complete a SSL 3.0 handshake, and clients could be - configured to send them. - (CVE-2014-3568) - [Akamai and the OpenSSL team] - - *) Add support for TLS_FALLBACK_SCSV. - Client applications doing fallback retries should call - SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). - (CVE-2014-3566) - [Adam Langley, Bodo Moeller] - *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g. ARMv5 through ARMv8, as opposite to "locking" it to single one. So far those who have to target multiple plaforms would compromise @@ -383,6 +344,29 @@ Changes between 1.0.1j and 1.0.1k [8 Jan 2015] + *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS + message can cause a segmentation fault in OpenSSL due to a NULL pointer + dereference. This could lead to a Denial Of Service attack. Thanks to + Markus Stenberg of Cisco Systems, Inc. for reporting this issue. + (CVE-2014-3571) + [Steve Henson] + + *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the + dtls1_buffer_record function under certain conditions. In particular this + could occur if an attacker sent repeated DTLS records with the same + sequence number but for the next epoch. The memory leak could be exploited + by an attacker in a Denial of Service attack through memory exhaustion. + Thanks to Chris Mueller for reporting this issue. + (CVE-2015-0206) + [Matt Caswell] + + *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is + built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl + method would be set to NULL which could later result in a NULL pointer + dereference. Thanks to Frank Schmirler for reporting this issue. + (CVE-2014-3569) + [Kurt Roeckx] + *) Abort handshake if server key exchange message is omitted for ephemeral ECDH ciphersuites. @@ -400,6 +384,17 @@ (CVE-2015-0204) [Steve Henson] + *) Fixed issue where DH client certificates are accepted without verification. + An OpenSSL server will accept a DH certificate for client authentication + without the certificate verify message. This effectively allows a client to + authenticate without the use of a private key. This only affects servers + which trust a client certificate authority which issues certificates + containing DH keys: these are extremely rare and hardly ever encountered. + Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting + this issue. + (CVE-2015-0205) + [Steve Henson] + *) Ensure that the session ID context of an SSL is updated when its SSL_CTX is updated via SSL_set_SSL_CTX. @@ -444,6 +439,17 @@ (CVE-2014-8275) [Steve Henson] + *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect + results on some platforms, including x86_64. This bug occurs at random + with a very low probability, and is not known to be exploitable in any + way, though its exact impact is difficult to determine. Thanks to Pieter + Wuille (Blockstream) who reported this issue and also suggested an initial + fix. Further analysis was conducted by the OpenSSL development team and + Adam Langley of Google. The final fix was developed by Andy Polyakov of + the OpenSSL core team. + (CVE-2014-3570) + [Andy Polyakov] + *) Do not resume sessions on the server if the negotiated protocol version does not match the session's version. Resuming with a different version, while not strictly forbidden by the RFC, is of questionable @@ -603,18 +609,6 @@ bogus results, with non-infinity inputs mapped to infinity too.) [Bodo Moeller] - Changes between 1.0.1i and 1.0.1j [xx XXX xxxx] - - *) Add additional DigestInfo checks. - - Reencode DigestInto in DER and check against the original when - verifying RSA signature: this will reject any improperly encoded - DigestInfo structures. - - Note: this is a precautionary measure and no attacks are currently known. - - [Steve Henson] - Changes between 1.0.1g and 1.0.1h [5 Jun 2014] *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted -- 2.25.1