Update CHANGES

Resync CHANGES with the latest version from 1.0.2. Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-18 09:35:22 +00:00 · 2015-03-18 09:35:22 +00:00 · bdc234f3c3
commit bdc234f3c3
parent c225c3cf9b
1 changed files with 215 additions and 281 deletions
--- a/496
+++ b/496
@ -370,7 +370,170 @@
     whose return value is often ignored. 
     [Steve Henson]
- Changes between 1.0.1k and 1.0.2 [xx XXX xxxx]
+ Changes between 1.0.2 and 1.0.2a [xx XXX xxxx]
  *) ClientHello sigalgs DoS fix
     If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
     invalid signature algorithms extension a NULL pointer dereference will
     occur. This can be exploited in a DoS attack against the server.
     This issue was was reported to OpenSSL by David Ramos of Stanford
     University.
     (CVE-2015-0291)
     [Stephen Henson and Matt Caswell]
  *) Multiblock corrupted pointer fix
     OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
     feature only applies on 64 bit x86 architecture platforms that support AES
     NI instructions. A defect in the implementation of "multiblock" can cause
     OpenSSL's internal write buffer to become incorrectly set to NULL when
     using non-blocking IO. Typically, when the user application is using a
     socket BIO for writing, this will only result in a failed connection.
     However if some other BIO is used then it is likely that a segmentation
     fault will be triggered, thus enabling a potential DoS attack.
     This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
     (CVE-2015-0290)
     [Matt Caswell]
  *) Segmentation fault in DTLSv1_listen fix
     The DTLSv1_listen function is intended to be stateless and processes the
     initial ClientHello from many peers. It is common for user code to loop
     over the call to DTLSv1_listen until a valid ClientHello is received with
     an associated cookie. A defect in the implementation of DTLSv1_listen means
     that state is preserved in the SSL object from one invocation to the next
     that can lead to a segmentation fault. Errors processing the initial
     ClientHello can trigger this scenario. An example of such an error could be
     that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
     server.
     This issue was reported to OpenSSL by Per Allansson.
     (CVE-2015-0207)
     [Matt Caswell]
  *) Segmentation fault in ASN1_TYPE_cmp fix
     The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
     made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
     certificate signature algorithm consistency this can be used to crash any
     certificate verification operation and exploited in a DoS attack. Any
     application which performs certificate verification is vulnerable including
     OpenSSL clients and servers which enable client authentication.
     (CVE-2015-0286)
     [Stephen Henson]
  *) Segmentation fault for invalid PSS parameters fix
     The signature verification routines will crash with a NULL pointer
     dereference if presented with an ASN.1 signature using the RSA PSS
     algorithm and invalid parameters. Since these routines are used to verify
     certificate signature algorithms this can be used to crash any
     certificate verification operation and exploited in a DoS attack. Any
     application which performs certificate verification is vulnerable including
     OpenSSL clients and servers which enable client authentication.
     This issue was was reported to OpenSSL by Brian Carpenter.
     (CVE-2015-0208)
     [Stephen Henson]
  *) ASN.1 structure reuse memory corruption fix
     Reusing a structure in ASN.1 parsing may allow an attacker to cause
     memory corruption via an invalid write. Such reuse is and has been
     strongly discouraged and is believed to be rare.
     Applications that parse structures containing CHOICE or ANY DEFINED BY
     components may be affected. Certificate parsing (d2i_X509 and related
     functions) are however not affected. OpenSSL clients and servers are
     not affected.
     (CVE-2015-0287)
     [Stephen Henson]
  *) PKCS7 NULL pointer dereferences fix
     The PKCS#7 parsing code does not handle missing outer ContentInfo
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
     missing content and trigger a NULL pointer dereference on parsing.
     Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
     otherwise parse PKCS#7 structures from untrusted sources are
     affected. OpenSSL clients and servers are not affected.
     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-0289)
     [Emilia Käsper]
  *) DoS via reachable assert in SSLv2 servers fix
     A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
     servers that both support SSLv2 and enable export cipher suites by sending
     a specially crafted SSLv2 CLIENT-MASTER-KEY message.
     This issue was discovered by Sean Burford (Google) and Emilia Käsper
     (OpenSSL development team).
     (CVE-2015-0293)
     [Emilia Käsper]
  *) Empty CKE with client auth and DHE fix
     If client auth is used then a server can seg fault in the event of a DHE
     ciphersuite being selected and a zero length ClientKeyExchange message
     being sent by the client. This could be exploited in a DoS attack.
     (CVE-2015-1787)
     [Matt Caswell]
  *) Handshake with unseeded PRNG fix
     Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
     with an unseeded PRNG. The conditions are:
     - The client is on a platform where the PRNG has not been seeded
     automatically, and the user has not seeded manually
     - A protocol specific client method version has been used (i.e. not
     SSL_client_methodv23)
     - A ciphersuite is used that does not require additional random data from
     the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
     If the handshake succeeds then the client random that has been used will
     have been generated from a PRNG with insufficient entropy and therefore the
     output may be predictable.
     For example using the following command with an unseeded openssl will
     succeed on an unpatched platform:
     openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
     (CVE-2015-0285)
     [Matt Caswell]
  *) Use After Free following d2i_ECPrivatekey error fix
     A malformed EC private key file consumed via the d2i_ECPrivateKey function
     could cause a use after free condition. This, in turn, could cause a double
     free in several private key parsing functions (such as d2i_PrivateKey
     or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
     for applications that receive EC private keys from untrusted
     sources. This scenario is considered rare.
     This issue was discovered by the BoringSSL project and fixed in their
     commit 517073cd4b.
     (CVE-2015-0209)
     [Matt Caswell]
  *) X509_to_X509_REQ NULL pointer deref fix
     The function X509_to_X509_REQ will crash with a NULL pointer dereference if
     the certificate key is invalid. This function is rarely used in practice.
     This issue was discovered by Brian Carpenter.
     (CVE-2015-0288)
     [Stephen Henson]
  *) Removed the export ciphers from the DEFAULT ciphers
     [Kurt Roeckx]
 Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
  *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
     ARMv5 through ARMv8, as opposite to "locking" it to single one.
@ -700,7 +863,35 @@
     X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
     X509_CINF_get_signature were reverted post internal team review.
- Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+ Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
  *) Build fixes for the Windows and OpenVMS platforms
     [Matt Caswell and Richard Levitte]
 Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
     message can cause a segmentation fault in OpenSSL due to a NULL pointer
     dereference. This could lead to a Denial Of Service attack. Thanks to
     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]
  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
     dtls1_buffer_record function under certain conditions. In particular this
     could occur if an attacker sent repeated DTLS records with the same
     sequence number but for the next epoch. The memory leak could be exploited
     by an attacker in a Denial of Service attack through memory exhaustion.
     Thanks to Chris Mueller for reporting this issue.
     (CVE-2015-0206)
     [Matt Caswell]
  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
     method would be set to NULL which could later result in a NULL pointer
     dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]
  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.
@ -719,6 +910,17 @@
     (CVE-2015-0204)
     [Steve Henson]
  *) Fixed issue where DH client certificates are accepted without verification.
     An OpenSSL server will accept a DH certificate for client authentication
     without the certificate verify message. This effectively allows a client to
     authenticate without the use of a private key. This only affects servers
     which trust a client certificate authority which issues certificates
     containing DH keys: these are extremely rare and hardly ever encountered.
     Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
     this issue.
     (CVE-2015-0205)
     [Steve Henson]
  *) Ensure that the session ID context of an SSL is updated when its
     SSL_CTX is updated via SSL_set_SSL_CTX.
@ -763,6 +965,17 @@
     (CVE-2014-8275)
     [Steve Henson]
   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
      results on some platforms, including x86_64. This bug occurs at random
      with a very low probability, and is not known to be exploitable in any
      way, though its exact impact is difficult to determine. Thanks to Pieter
      Wuille (Blockstream) who reported this issue and also suggested an initial
      fix. Further analysis was conducted by the OpenSSL development team and
      Adam Langley of Google. The final fix was developed by Andy Polyakov of
      the OpenSSL core team.
      (CVE-2014-3570)
      [Andy Polyakov]
   *) Do not resume sessions on the server if the negotiated protocol
      version does not match the session's version. Resuming with a different
      version, while not strictly forbidden by the RFC, is of questionable
@ -1419,63 +1632,6 @@
       Add command line options to s_client/s_server.
     [Steve Henson]
 Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
     This addresses the flaw in CBC record processing discovered by 
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/     
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]
  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     (This is a backport)
     [Rob Stradling <rob.stradling@comodo.com>]
  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]
 Changes between 1.0.0i and 1.0.0j [10 May 2012]
  [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
  OpenSSL 1.0.1.]
  *) Sanity check record length before skipping explicit IV in DTLS
     to fix DoS attack.
     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]
  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]
 Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.
     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
 Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
@ -2466,228 +2622,6 @@
  *) Change 'Configure' script to enable Camellia by default.
     [NTT]
 Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
     This addresses the flaw in CBC record processing discovered by 
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/     
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]
  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     (This is a backport)
     [Rob Stradling <rob.stradling@comodo.com>]
  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]
 Changes between 0.9.8w and 0.9.8x [10 May 2012]
  *) Sanity check record length before skipping explicit IV in DTLS
     to fix DoS attack.
     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]
  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]
 Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
  *) The fix for CVE-2012-2110 did not take into account that the 
     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
     rejecting negative len parameter. (CVE-2012-2131)
     [Tomas Hoger <thoger@redhat.com>]
 Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.
     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
 Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
     in CMS and PKCS7 code. When RSA decryption fails use a random key for
     content decryption and always return the same error. Note: this attack
     needs on average 2^20 messages so it only affects automated senders. The
     old behaviour can be reenabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
     an MMA defence is not necessary.
     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
     this issue. (CVE-2012-0884)
     [Steve Henson]
  *) Fix CVE-2011-4619: make sure we really are receiving a 
     client hello before rejecting multiple SGC restarts. Thanks to
     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
     [Steve Henson]
 Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
     Thanks to Antonio Martin, Enterprise Secure Access Research and
     Development, Cisco Systems, Inc. for discovering this bug and
     preparing a fix. (CVE-2012-0050)
     [Antonio Martin]
 Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
     of the Vaudenay padding oracle attack on CBC mode encryption
     which enables an efficient plaintext recovery attack against
     the OpenSSL implementation of DTLS. Their attack exploits timing
     differences arising during decryption processing. A research
     paper describing this attack can be found at:
                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
     for preparing the fix. (CVE-2011-4108)
     [Robin Seggelmann, Michael Tuexen]
  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
     [Ben Laurie, Kasper <ekasper@google.com>]
  *) Clear bytes used for block padding of SSL 3.0 records.
     (CVE-2011-4576)
     [Adam Langley (Google)]
  *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
     Kadianakis <desnacked@gmail.com> for discovering this issue and
     Adam Langley for preparing the fix. (CVE-2011-4619)
     [Adam Langley (Google)]
  *) Prevent malformed RFC3779 data triggering an assertion failure.
     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
     [Rob Austein <sra@hactrn.net>]
  *) Fix ssl_ciph.c set-up race.
     [Adam Langley (Google)]
  *) Fix spurious failures in ecdsatest.c.
     [Emilia Käsper (Google)]
  *) Fix the BIO_f_buffer() implementation (which was mixing different
     interpretations of the '..._len' fields).
     [Adam Langley (Google)]
  *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
     BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
     threads won't reuse the same blinding coefficients.
     This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
     lock to call BN_BLINDING_invert_ex, and avoids one use of
     BN_BLINDING_update for each BN_BLINDING structure (previously,
     the last update always remained unused).
     [Emilia Käsper (Google)]
  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
     for multi-threaded use of ECDH.
     [Adam Langley (Google)]
  *) Fix x509_name_ex_d2i memory leak on bad inputs.
     [Bodo Moeller]
  *) Add protection against ECDSA timing attacks as mentioned in the paper
     by Billy Bob Brumley and Nicola Tuveri, see:
 	http://eprint.iacr.org/2011/232.pdf
     [Billy Bob Brumley and Nicola Tuveri]
 Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
  *) Fix bug in string printing code: if *any* escaping is enabled we must
     escape the escape character (backslash) or the resulting string is
     ambiguous.
     [Steve Henson]
 Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
  *) Disable code workaround for ancient and obsolete Netscape browsers
     and servers: an attacker can use it in a ciphersuite downgrade attack.
     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
     [Steve Henson]
  *) Fixed J-PAKE implementation error, originally discovered by
     Sebastien Martini, further info and confirmation from Stefan
     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
     [Ben Laurie]
 Changes between 0.9.8o and 0.9.8p [16 Nov 2010]
  *) Fix extension code to avoid race conditions which can result in a buffer
     overrun vulnerability: resumed sessions must not be modified as they can
     be shared by multiple threads. CVE-2010-3864
     [Steve Henson]
  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
     [Steve Henson]
  *) Don't reencode certificate when calculating signature: cache and use
     the original encoding instead. This makes signature verification of
     some broken encodings work correctly.
     [Steve Henson]
  *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT
     is also one of the inputs.
     [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
  *) Don't repeatedly append PBE algorithms to table if they already exist.
     Sort table on each new add. This effectively makes the table read only
     after all algorithms are added and subsequent calls to PKCS12_pbe_add
     etc are non-op.
     [Steve Henson]
 Changes between 0.9.8n and 0.9.8o [01 Jun 2010]
  [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after
  OpenSSL 1.0.0.]
  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
     access or freeing data twice (CVE-2010-0742)
     [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]
  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
     common in certificates and some applications which only call
     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
     [Steve Henson]
  *) VMS fixes: 
     Reduce copying into .apps and .test in makevms.com
     Don't try to use blank CA certificate in CA.com
     Allow use of C files from original directories in maketests.com
     [Steven M. Schweda" <sms@antinode.info>]
 Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
  *) When rejecting SSL/TLS records due to an incorrect version number, never