Update CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Matt Caswell
parent
f5da52e308
commit
0e6b8bf4bb
2 changed files with 97 additions and 1 deletions
87
CHANGES
87
CHANGES
|
|
@ -4,6 +4,93 @@
|
|||
|
||||
Changes between 1.0.1s and 1.0.1t [xx XXX xxxx]
|
||||
|
||||
*) Prevent padding oracle in AES-NI CBC MAC check
|
||||
|
||||
A MITM attacker can use a padding oracle attack to decrypt traffic
|
||||
when the connection uses an AES CBC cipher and the server support
|
||||
AES-NI.
|
||||
|
||||
This issue was introduced as part of the fix for Lucky 13 padding
|
||||
attack (CVE-2013-0169). The padding check was rewritten to be in
|
||||
constant time by making sure that always the same bytes are read and
|
||||
compared against either the MAC or padding bytes. But it no longer
|
||||
checked that there was enough data to have both the MAC and padding
|
||||
bytes.
|
||||
|
||||
This issue was reported by Juraj Somorovsky using TLS-Attacker.
|
||||
(CVE-2016-2107)
|
||||
[Kurt Roeckx]
|
||||
|
||||
*) Fix EVP_EncodeUpdate overflow
|
||||
|
||||
An overflow can occur in the EVP_EncodeUpdate() function which is used for
|
||||
Base64 encoding of binary data. If an attacker is able to supply very large
|
||||
amounts of input data then a length check can overflow resulting in a heap
|
||||
corruption.
|
||||
|
||||
Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
|
||||
the PEM_write_bio* family of functions. These are mainly used within the
|
||||
OpenSSL command line applications, so any application which processes data
|
||||
from an untrusted source and outputs it as a PEM file should be considered
|
||||
vulnerable to this issue. User applications that call these APIs directly
|
||||
with large amounts of untrusted data may also be vulnerable.
|
||||
|
||||
This issue was reported by Guido Vranken.
|
||||
(CVE-2016-2105)
|
||||
[Matt Caswell]
|
||||
|
||||
*) Fix EVP_EncryptUpdate overflow
|
||||
|
||||
An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
|
||||
is able to supply very large amounts of input data after a previous call to
|
||||
EVP_EncryptUpdate() with a partial block then a length check can overflow
|
||||
resulting in a heap corruption. Following an analysis of all OpenSSL
|
||||
internal usage of the EVP_EncryptUpdate() function all usage is one of two
|
||||
forms. The first form is where the EVP_EncryptUpdate() call is known to be
|
||||
the first called function after an EVP_EncryptInit(), and therefore that
|
||||
specific call must be safe. The second form is where the length passed to
|
||||
EVP_EncryptUpdate() can be seen from the code to be some small value and
|
||||
therefore there is no possibility of an overflow. Since all instances are
|
||||
one of these two forms, it is believed that there can be no overflows in
|
||||
internal code due to this problem. It should be noted that
|
||||
EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
|
||||
Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
|
||||
of these calls have also been analysed too and it is believed there are no
|
||||
instances in internal usage where an overflow could occur.
|
||||
|
||||
This issue was reported by Guido Vranken.
|
||||
(CVE-2016-2106)
|
||||
[Matt Caswell]
|
||||
|
||||
*) Prevent ASN.1 BIO excessive memory allocation
|
||||
|
||||
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
|
||||
a short invalid encoding can casuse allocation of large amounts of memory
|
||||
potentially consuming excessive resources or exhausting memory.
|
||||
|
||||
Any application parsing untrusted data through d2i BIO functions is
|
||||
affected. The memory based functions such as d2i_X509() are *not* affected.
|
||||
Since the memory based functions are used by the TLS library, TLS
|
||||
applications are not affected.
|
||||
|
||||
This issue was reported by Brian Carpenter.
|
||||
(CVE-2016-2109)
|
||||
[Stephen Henson]
|
||||
|
||||
*) EBCDIC overread
|
||||
|
||||
ASN1 Strings that are over 1024 bytes can cause an overread in applications
|
||||
using the X509_NAME_oneline() function on EBCDIC systems. This could result
|
||||
in arbitrary stack data being returned in the buffer.
|
||||
|
||||
This issue was reported by Guido Vranken.
|
||||
(CVE-2016-2176)
|
||||
[Matt Caswell]
|
||||
|
||||
*) Modify behavior of ALPN to invoke callback after SNI/servername
|
||||
callback, such that updates to the SSL_CTX affect ALPN.
|
||||
[Todd Short]
|
||||
|
||||
*) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
|
||||
default.
|
||||
[Kurt Roeckx]
|
||||
|
|
|
|||
11
NEWS
11
NEWS
|
|
@ -7,7 +7,16 @@
|
|||
|
||||
Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [under development]
|
||||
|
||||
o
|
||||
o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
|
||||
o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
|
||||
o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
|
||||
o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
|
||||
o EBCDIC overread (CVE-2016-2176)
|
||||
o Modify behavior of ALPN to invoke callback after SNI/servername
|
||||
callback, such that updates to the SSL_CTX affect ALPN.
|
||||
o Remove LOW from the DEFAULT cipher list. This removes singles DES from
|
||||
the default.
|
||||
o Only remove the SSLv2 methods with the no-ssl2-method option.
|
||||
|
||||
Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue