Sync with current 1.0.2 CHANGES file.
This commit is contained in:
Bodo Moeller
parent
0fe73d6c36
commit
38c654819c
130
CHANGES
130
CHANGES
@ -308,7 +308,7 @@
|
||||
whose return value is often ignored.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 1.0.1e and 1.0.2 [xx XXX xxxx]
|
||||
Changes between 1.0.1h and 1.0.2 [xx XXX xxxx]
|
||||
|
||||
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
|
||||
for corner cases. (Certain input points at infinity could lead to
|
||||
@ -350,19 +350,30 @@
|
||||
This work was sponsored by Intel Corp.
|
||||
[Andy Polyakov]
|
||||
|
||||
*) Keep original DTLS digest and encryption contexts in retransmission
|
||||
structures so we can use the previous session parameters if they need
|
||||
to be resent. (CVE-2013-6450)
|
||||
*) Harmonize version and its documentation. -f flag is used to display
|
||||
compilation flags.
|
||||
[mancha <mancha1@zoho.com>]
|
||||
|
||||
*) Fix eckey_priv_encode so it immediately returns an error upon a failure
|
||||
in i2d_ECPrivateKey.
|
||||
[mancha <mancha1@zoho.com>]
|
||||
|
||||
*) Fix some double frees. These are not thought to be exploitable.
|
||||
[mancha <mancha1@zoho.com>]
|
||||
|
||||
*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
|
||||
this fixes a limiation in previous versions of OpenSSL.
|
||||
[Steve Henson]
|
||||
|
||||
*) TLS pad extension: draft-agl-tls-padding-03
|
||||
*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
|
||||
MGF1 digest and OAEP label.
|
||||
[Steve Henson]
|
||||
|
||||
Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
|
||||
TLS client Hello record length value would otherwise be > 255 and
|
||||
less that 512 pad with a dummy extension containing zeroes so it
|
||||
is at least 512 bytes long.
|
||||
|
||||
[Adam Langley, Steve Henson]
|
||||
*) Add EVP support for key wrapping algorithms, to avoid problems with
|
||||
existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
|
||||
the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
|
||||
algorithms and include tests cases.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add functions to allocate and set the fields of an ECDSA_METHOD
|
||||
structure.
|
||||
@ -619,6 +630,99 @@
|
||||
certificates.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
|
||||
|
||||
*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
|
||||
handshake can force the use of weak keying material in OpenSSL
|
||||
SSL/TLS clients and servers.
|
||||
|
||||
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
|
||||
researching this issue. (CVE-2014-0224)
|
||||
[KIKUCHI Masashi, Steve Henson]
|
||||
|
||||
*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
|
||||
OpenSSL DTLS client the code can be made to recurse eventually crashing
|
||||
in a DoS attack.
|
||||
|
||||
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
|
||||
(CVE-2014-0221)
|
||||
[Imre Rad, Steve Henson]
|
||||
|
||||
*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
|
||||
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
|
||||
client or server. This is potentially exploitable to run arbitrary
|
||||
code on a vulnerable client or server.
|
||||
|
||||
Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
|
||||
[Jüri Aedla, Steve Henson]
|
||||
|
||||
*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
|
||||
are subject to a denial of service attack.
|
||||
|
||||
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
|
||||
this issue. (CVE-2014-3470)
|
||||
[Felix Gröbert, Ivan Fratric, Steve Henson]
|
||||
|
||||
*) Harmonize version and its documentation. -f flag is used to display
|
||||
compilation flags.
|
||||
[mancha <mancha1@zoho.com>]
|
||||
|
||||
*) Fix eckey_priv_encode so it immediately returns an error upon a failure
|
||||
in i2d_ECPrivateKey.
|
||||
[mancha <mancha1@zoho.com>]
|
||||
|
||||
*) Fix some double frees. These are not thought to be exploitable.
|
||||
[mancha <mancha1@zoho.com>]
|
||||
|
||||
Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
|
||||
|
||||
*) A missing bounds check in the handling of the TLS heartbeat extension
|
||||
can be used to reveal up to 64k of memory to a connected client or
|
||||
server.
|
||||
|
||||
Thanks for Neel Mehta of Google Security for discovering this bug and to
|
||||
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
|
||||
preparing the fix (CVE-2014-0160)
|
||||
[Adam Langley, Bodo Moeller]
|
||||
|
||||
*) Fix for the attack described in the paper "Recovering OpenSSL
|
||||
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
|
||||
by Yuval Yarom and Naomi Benger. Details can be obtained from:
|
||||
http://eprint.iacr.org/2014/140
|
||||
|
||||
Thanks to Yuval Yarom and Naomi Benger for discovering this
|
||||
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
|
||||
[Yuval Yarom and Naomi Benger]
|
||||
|
||||
*) TLS pad extension: draft-agl-tls-padding-03
|
||||
|
||||
Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
|
||||
TLS client Hello record length value would otherwise be > 255 and
|
||||
less that 512 pad with a dummy extension containing zeroes so it
|
||||
is at least 512 bytes long.
|
||||
|
||||
[Adam Langley, Steve Henson]
|
||||
|
||||
Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
|
||||
|
||||
*) Fix for TLS record tampering bug. A carefully crafted invalid
|
||||
handshake could crash OpenSSL with a NULL pointer exception.
|
||||
Thanks to Anton Johansson for reporting this issues.
|
||||
(CVE-2013-4353)
|
||||
|
||||
*) Keep original DTLS digest and encryption contexts in retransmission
|
||||
structures so we can use the previous session parameters if they need
|
||||
to be resent. (CVE-2013-6450)
|
||||
[Steve Henson]
|
||||
|
||||
*) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
|
||||
avoids preferring ECDHE-ECDSA ciphers when the client appears to be
|
||||
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
|
||||
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
|
||||
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
|
||||
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
|
||||
[Rob Stradling, Adam Langley]
|
||||
|
||||
Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
|
||||
|
||||
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
|
||||
@ -2089,10 +2193,6 @@
|
||||
This fixes a DoS attack. (CVE-2013-0166)
|
||||
[Steve Henson]
|
||||
|
||||
*) Return an error when checking OCSP signatures when key is NULL.
|
||||
This fixes a DoS attack. (CVE-2013-0166)
|
||||
[Steve Henson]
|
||||
|
||||
*) Call OCSP Stapling callback after ciphersuite has been chosen, so
|
||||
the right response is stapled. Also change SSL_get_certificate()
|
||||
so it returns the certificate actually sent.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user