Commit Graph

215 Commits

Author SHA1 Message Date
christos 4060c40ee5 merge conflicts 2016-01-30 17:00:19 +00:00
christos dcdb0b745a OpenSSL CHANGES
_______________

 Changes between 1.0.1q and 1.0.1r [28 Jan 2016]

  *) Protection for DH small subgroup attacks

     As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
     switched on by default and cannot be disabled. This could have some
     performance impact.
     [Matt Caswell]

  *) SSLv2 doesn't block disabled ciphers

     A malicious client can negotiate SSLv2 ciphers that have been disabled on
     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
     been disabled, provided that the SSLv2 protocol was not also disabled via
     SSL_OP_NO_SSLv2.

     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
     and Sebastian Schinzel.
     (CVE-2015-3197)
     [Viktor Dukhovni]

  *) Reject DH handshakes with parameters shorter than 1024 bits.
     [Kurt Roeckx]
2016-01-30 16:56:02 +00:00
christos 261bb38818 merge conflicts 2015-12-06 21:52:35 +00:00
christos 3e7df5c261 Import openssl-1.0.1q
OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
=============================================================

[Updated 4 Dec 2015]: This advisory has been updated to include the details of
CVE-2015-1794, a Low severity issue affecting OpenSSL 1.0.2 which had a fix
included in the released packages but was missed from the advisory text.

NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==================================================================

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 13 2015 by Hanno
Böck. The fix was developed by Andy Polyakov of the OpenSSL
development team.

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===================================================================

Severity: Moderate

The signature verification routines will crash with a NULL pointer dereference
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
mask generation function parameter. Since these routines are used to verify
certificate signature algorithms this can be used to crash any certificate
verification operation and exploited in a DoS attack. Any application which
performs certificate verification is vulnerable including OpenSSL clients and
servers which enable client authentication.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q

This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne
(Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL
development team.

X509_ATTRIBUTE memory leak (CVE-2015-3195)
==========================================

Severity: Moderate

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is affected.
SSL/TLS is not affected.

This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh

This issue was reported to OpenSSL on November 9 2015 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen
Henson of the OpenSSL development team.

Race condition handling PSK identity hint (CVE-2015-3196)
=========================================================

Severity: Low

If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identity hint data.

This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously
listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0
and has not been previously fixed in an OpenSSL 1.0.0 release.

OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t

The fix for this issue can be identified in the OpenSSL git repository by commit
ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).

The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
============================================================

Severity: Low

If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
the value of p set to 0 then a seg fault can occur leading to a possible denial
of service attack.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 3 2015 by Guy Leaver (Cisco). The
fix was developed by Matt Caswell of the OpenSSL development team.

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
versions will be provided after that date. In the absence of significant
security issues being identified prior to that date, the 1.0.0t and 0.9.8zh
releases will be the last for those versions. Users of these versions are
advised to upgrade.


References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20151203.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
2015-12-06 21:45:41 +00:00
joerg defe89daaf List source name, not object name to unbreak AFLAGS.*. 2015-10-01 23:00:12 +00:00
christos b08f29cea1 merge conflicts 2015-07-09 14:31:01 +00:00
christos d1c68cc03d Import 1.0.1p to fix:
*) Alternate chains certificate forgery

     During certificate verification, OpenSSL will attempt to find an
     alternative certificate chain if the first attempt to build such a chain
     fails. An error in the implementation of this logic can mean that an
     attacker could cause certain checks on untrusted certificates to be
     bypassed, such as the CA flag, enabling them to use a valid leaf
     certificate to act as a CA and "issue" an invalid certificate.

     This issue was reported to OpenSSL by Adam Langley/David Benjamin
     (Google/BoringSSL).
     [Matt Caswell]
2015-07-09 14:15:22 +00:00
christos fb41fcd643 Use the official version of openssl's "restore binary compatibility" fix.
Also merge new change to ssl checking.
2015-06-16 20:00:13 +00:00
christos f40fdf6fe8 constify the new hmac tests 2015-06-12 20:25:44 +00:00
christos 2dedb2215d merge conflicts, restore binary compatibility in hmac, regen. 2015-06-12 17:01:11 +00:00
christos 9cae6e10c2 Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
*) Malformed ECParameters causes infinite loop

     When processing an ECParameters structure OpenSSL enters an infinite loop
     if the curve specified is over a specially malformed binary polynomial
     field.

     This can be used to perform denial of service against any
     system which processes public keys, certificate requests or
     certificates.  This includes TLS clients and TLS servers with
     client authentication enabled.

     This issue was reported to OpenSSL by Joseph Barr-Pixton.
     (CVE-2015-1788)
     [Andy Polyakov]

  *) Exploitable out-of-bounds read in X509_cmp_time

     X509_cmp_time does not properly check the length of the ASN1_TIME
     string and can read a few bytes out of bounds. In addition,
     X509_cmp_time accepts an arbitrary number of fractional seconds in the
     time string.

     An attacker can use this to craft malformed certificates and CRLs of
     various sizes and potentially cause a segmentation fault, resulting in
     a DoS on applications that verify certificates or CRLs. TLS clients
     that verify CRLs are affected. TLS clients and servers with client
     authentication enabled may be affected if they use custom verification
     callbacks.

     This issue was reported to OpenSSL by Robert Swiecki (Google), and
     independently by Hanno Böck.
     (CVE-2015-1789)
     [Emilia Käsper]

  *) PKCS7 crash with missing EnvelopedContent

     The PKCS#7 parsing code does not handle missing inner EncryptedContent
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
     with missing content and trigger a NULL pointer dereference on parsing.

     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
     structures from untrusted sources are affected. OpenSSL clients and
     servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-1790)
     [Emilia Käsper]

  *) CMS verify infinite loop with unknown hash function

     When verifying a signedData message the CMS code can enter an infinite loop
     if presented with an unknown hash function OID. This can be used to perform
     denial of service against any system which verifies signedData messages using
     the CMS code.
     This issue was reported to OpenSSL by Johannes Bauer.
     (CVE-2015-1792)
     [Stephen Henson]

  *) Race condition handling NewSessionTicket

     If a NewSessionTicket is received by a multi-threaded client when attempting to
     reuse a previous ticket then a race condition can occur potentially leading to
     a double free of the ticket data.
     (CVE-2015-1791)
     [Matt Caswell]

  *) Reject DH handshakes with parameters shorter than 768 bits.
     [Kurt Roeckx and Emilia Kasper]
2015-06-12 16:34:57 +00:00
joerg 4d7d5fda1e Regenerate. 2015-05-28 19:13:53 +00:00
joerg 8f8dc940fb When loading a global variable from the GOT, it must be dereferenced to
obtain the actual value. Adjust various tests to extract the correct bits.
2015-05-28 19:13:32 +00:00
matt b9c896cf9a Rework setting of __ARM_MAX_ARCH__ to better deal with BE arm MACHINE_ARCHes 2015-05-27 21:27:03 +00:00
joerg 884f5e5337 Hook up x86_64 assembler version for the Montgomery multiplication and
the GF routines. Put rsax glue in the right file.
2015-05-16 22:24:41 +00:00
joerg d555156c33 Find CPU-specific variants of the long number routines. Regenerate. 2015-05-16 22:23:31 +00:00
joerg 137a13ddd4 No need for SSE2 define. 2015-05-16 20:23:38 +00:00
joerg ac3734b820 Use Bitsplice/Vector optimized AES too. 2015-05-16 20:23:06 +00:00
joerg 2ae6f4c2ca Use assembler implementation of Camellia on x86_64, switching a boost
for medium to large block sizes.
2015-05-16 20:22:15 +00:00
joerg 746ac10d4e Use x86_64 assembler version of whirlpool. It has a small but consistent
performance advantage over the clang output on my E3v2.
2015-05-16 19:33:59 +00:00
joerg 2000d7aac1 Use x86_64 assembler version of MD5. 2015-05-16 19:19:36 +00:00
joerg a69ca7eeeb Use assembler version of SHA1. Can't use SHA2 version yet due to overlap
with libc.
2015-05-16 19:09:03 +00:00
joerg 477fb41998 Explicitly pass CC down. When building with clang, force external
assembler as some of the Perl scripts use -Wa,-v. Regenerate for AVX
support.
2015-05-16 19:08:37 +00:00
joerg c70ac7a37b Optimize i386 support in libcrypto:
- Enable optional SSE2 assembler versions. Regenerate.
- Hook up assembler version of GCM.
2015-05-16 17:32:54 +00:00
joerg 74ab1f3972 Don't list gcm128.c twice. 2015-05-16 17:26:51 +00:00
joerg 0e3c72849d Use assembler routine for GCM modes on x86_64. 2015-05-16 17:26:00 +00:00
christos 345e300beb CID 1199067: Unchecked return 2015-04-13 17:44:23 +00:00
matt bd66e9fd02 Add workaround/hack for clang integrated arm assembler bug. 2015-03-30 05:26:47 +00:00
matt 396eed6727 No need to use -fno-integrated-assembler with clang 2015-03-29 23:35:08 +00:00
spz 9cef71b670 merge OpenSSL 1.0.1m
do the necessary changes in src/crypto/external/bsd/openssl
update doc
2015-03-23 10:22:45 +00:00
spz 635165fad8 This is an import of OpenSSL 1.0.1m.
The vulnerabilities listed below were previously fixed by patches
supplied by the OpenSSL project.

Thus, this import is not about vulnerabilities, but about the change
in source style OpenSSL applied before 1.0.1m (as well as small fixes
not listed in the changelog that make us have a 'proper' 1.0.1m).

Upstream Changelog:

 Changes between 1.0.1l and 1.0.1m [19 Mar 2015]

  *) Segmentation fault in ASN1_TYPE_cmp fix

     The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
     made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
     certificate signature algorithm consistency this can be used to crash any
     certificate verification operation and exploited in a DoS attack. Any
     application which performs certificate verification is vulnerable including
     OpenSSL clients and servers which enable client authentication.
     (CVE-2015-0286)
     [Stephen Henson]

  *) ASN.1 structure reuse memory corruption fix

     Reusing a structure in ASN.1 parsing may allow an attacker to cause
     memory corruption via an invalid write. Such reuse is and has been
     strongly discouraged and is believed to be rare.

     Applications that parse structures containing CHOICE or ANY DEFINED BY
     components may be affected. Certificate parsing (d2i_X509 and related
     functions) are however not affected. OpenSSL clients and servers are
     not affected.
     (CVE-2015-0287)
     [Stephen Henson]

  *) PKCS7 NULL pointer dereferences fix

     The PKCS#7 parsing code does not handle missing outer ContentInfo
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
     missing content and trigger a NULL pointer dereference on parsing.

     Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
     otherwise parse PKCS#7 structures from untrusted sources are
     affected. OpenSSL clients and servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-0289)
     [Emilia Käsper]

  *) DoS via reachable assert in SSLv2 servers fix

     A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
     servers that both support SSLv2 and enable export cipher suites by sending
     a specially crafted SSLv2 CLIENT-MASTER-KEY message.

     This issue was discovered by Sean Burford (Google) and Emilia Käsper
     (OpenSSL development team).
     (CVE-2015-0293)
     [Emilia Käsper]

  *) Use After Free following d2i_ECPrivatekey error fix

     A malformed EC private key file consumed via the d2i_ECPrivateKey function
     could cause a use after free condition. This, in turn, could cause a double
     free in several private key parsing functions (such as d2i_PrivateKey
     or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
     for applications that receive EC private keys from untrusted
     sources. This scenario is considered rare.

     This issue was discovered by the BoringSSL project and fixed in their
     commit 517073cd4b.
     (CVE-2015-0209)
     [Matt Caswell]

  *) X509_to_X509_REQ NULL pointer deref fix

     The function X509_to_X509_REQ will crash with a NULL pointer dereference if
     the certificate key is invalid. This function is rarely used in practice.

     This issue was discovered by Brian Carpenter.
     (CVE-2015-0288)
     [Stephen Henson]

  *) Removed the export ciphers from the DEFAULT ciphers
     [Kurt Roeckx]

 Changes between 1.0.1k and 1.0.1l [15 Jan 2015]

  *) Build fixes for the Windows and OpenVMS platforms
     [Matt Caswell and Richard Levitte]
2015-03-23 08:28:04 +00:00
martin 0f9d79598b Back -O3 optimization out for now - it did not fix the performance
differences to pkgsrc we see, but causes runtime fallout on e.g. sparc64
(just running "openssl" crashes with a SEGFAULT).
2015-03-22 20:29:04 +00:00
martin 36c17f1650 Make more compile time options the same as the pkgsrc version 2015-03-21 15:56:54 +00:00
martin c734c5160b In a "native" build, this file is postprocessed by a perl script and some
lines are changed into either #define SOMETHING or #undef SOMETHING,
but in our in-tree build it is installed verbatim - so comment out all
#undef parts, to allow our makefile fragments to freely -DSOMETHING
and not have it silently canceled here.
2015-03-21 13:35:48 +00:00
martin 2761de6892 Only use -fno-integrated-as for clang 2015-03-20 08:32:27 +00:00
joerg a083b72d2b Build the AES sources with -fno-integrate-assembler for Clang. 2015-03-19 19:27:14 +00:00
spz 1fdd333204 patches for today's OpenSSL security advisory from OpenSSL, as relevant
to NetBSD base:

OpenSSL Security Advisory [19 Mar 2015]
=======================================

Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
============================================================================

Severity: High

This security issue was previously announced by the OpenSSL project and
classified as "low" severity. This severity rating has now been changed to
"high".

This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

** issue already committed see last release **
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.

Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
===================================================

Severity: Moderate

The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit 1b8ac2b07d02207f2b88e0b009b0bff4ef7eda96

OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit ee5a1253285e5c9f406c8b57b0686319b70c07d8

OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit 1e3ca524cb38ec92deea37629718e98aba43bc5d

OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit 7058bd1712828a78d34457b1cfc32bdc1e6d3d33


This issue was discovered and fixed by Stephen Henson of the OpenSSL
development team.

ASN.1 structure reuse memory corruption (CVE-2015-0287)
=======================================================

Severity: Moderate

Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.

Applications that parse structures containing CHOICE or ANY DEFINED BY
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit 0ca8edbe6ec402e39c9e095f8ae11dba8fa93fc1

OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit a9f34a7aac5fd89f33a34fb71e954b85fbf35875

OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit d96692c933fe02829c3e922bf7f239e0bd003759

OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit 5722767d5dc1a3b5505058fe27877fc993fe9a5a


This issue was discovered by Emilia Käsper and a fix developed by
Stephen Henson of the OpenSSL development team.

PKCS7 NULL pointer dereferences (CVE-2015-0289)
===============================================

Severity: Moderate

The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.

Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit e0d6a791c53b64da64277c5565eb89b1cb149fc3

OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit d3d52c73544bba800c2a8f5ef3376358158cf2ca

OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit 1f858109d0556b5864bb6a0aa3e2d177b1cc4552

OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit f20caf7f66cb1eb9ba9562e6097bc7b64d207cb9

This issue was reported to OpenSSL on February 16th 2015 by Michal
Zalewski (Google) and a fix developed by Emilia Käsper of the OpenSSL
development team.

Base64 decode (CVE-2015-0292)
=============================

Severity: Moderate

A vulnerability existed in previous versions of OpenSSL related to the
processing of base64 encoded data. Any code path that reads base64 data from an
untrusted source could be affected (such as the PEM processing routines).
Maliciously crafted base 64 data could trigger a segmentation fault or memory
corruption. This was addressed in previous versions of OpenSSL but has not been
included in any security advisory until now.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1h.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 0.9.8 users should upgrade to 0.9.8za.

The fix for this issue can be identified by commits d0666f289a (1.0.1),
84fe686173 (1.0.0) and 9febee0272 (0.9.8). This issue was originally reported by
Robert Dugal and subsequently by David Ramos.

DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
=========================================================

Severity: Moderate

A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit b29d57f20d4821a9d3f4e19673a89615e4c6fcf0

OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit a40c1bcb8c37fbad24d8f28f0fb0204d76f0fee2

OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit ee4435e5b587879e7bd66df10d4d9ec274e2b163

OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit ab646ee5a6a7b8cace425a617a053ad6d7977086

This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team) in March 2015 and the fix was developed by
Emilia Käsper.

Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
===============================================================

Severity: Low

A malformed EC private key file consumed via the d2i_ECPrivateKey function could
cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

** issue already committed **
OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
1b4a8df38f

This issue was discovered by the BoringSSL project and fixed in their commit
517073cd4b. The OpenSSL fix was developed by Matt Caswell of the OpenSSL
development team.

X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
===================================================

Severity: Low

The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

** issue already committed **
OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9

This issue was discovered by Brian Carpenter and a fix developed by Stephen
Henson of the OpenSSL development team.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150319.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
2015-03-19 14:24:55 +00:00
martin 9f48099ced Use .inst for hard coded instructions (instead of .byte and endian dependent
representation)
2015-03-17 19:41:42 +00:00
martin 51b1e7b1d3 Compile libcrypto with -O3 2015-03-17 19:39:15 +00:00
christos 85812049a7 one more strike to the whack-a-mole game of arm flavors. 2015-03-16 20:32:08 +00:00
christos 10b0e24ed5 fix the big endian builds. Perhaps just remove the MAX define for everyone? 2015-03-15 18:58:09 +00:00
martin d47d530718 Explicitly mark as using unified syntax 2015-03-13 05:29:26 +00:00
joerg c7a234e433 Drop redundant modifier to allow build with LLVM IAS. 2015-03-12 12:46:41 +00:00
joerg 2c2958ab5e Use unified ARM syntax. 2015-03-12 12:46:15 +00:00
martin e6ba3d7169 Update the ARM asm support code from version 1.0.2 with some local
modifications to make it compile and work on armv4.
2015-03-10 13:28:47 +00:00
martin f7c3fbfac0 Update arm runtime detection from version 1.0.2, so we can use the newer
asm support code.
2015-03-10 13:28:08 +00:00
spz 3d5100eac1 Update of OpenSSL to 1.0.1k part 3:
- bump the shared library versions
- adjust set lists
- regenerate man pages
- note the import in doc/3RDPARTY and doc/CHANGES

there were no changes in asm parts
2015-01-13 09:14:57 +00:00
spz 805debc41a merge OpenSSL 1.0.1k import 2015-01-13 08:16:08 +00:00
spz 05304d4329 Import of OpenSSL 1.0.1k. Upstream log:
Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
     message can cause a segmentation fault in OpenSSL due to a NULL pointer
     dereference. This could lead to a Denial Of Service attack. Thanks to
     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]

  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
     dtls1_buffer_record function under certain conditions. In particular this
     could occur if an attacker sent repeated DTLS records with the same
     sequence number but for the next epoch. The memory leak could be exploited
     by an attacker in a Denial of Service attack through memory exhaustion.
     Thanks to Chris Mueller for reporting this issue.
     (CVE-2015-0206)
     [Matt Caswell]

  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
     method would be set to NULL which could later result in a NULL pointer
     dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
     reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server. This code
     violated the TLS standard by allowing the use of temporary RSA keys in
     non-export ciphersuites and could be used by a server to effectively
     downgrade the RSA key length used to a value smaller than the server
     certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
     INRIA for reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Fixed issue where DH client certificates are accepted without verification.
     An OpenSSL server will accept a DH certificate for client authentication
     without the certificate verify message. This effectively allows a client to
     authenticate without the use of a private key. This only affects servers
     which trust a client certificate authority which issues certificates
     containing DH keys: these are extremely rare and hardly ever encountered.
     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
     this issue.
     (CVE-2015-0205)
     [Steve Henson]

  *) Ensure that the session ID context of an SSL is updated when its
     SSL_CTX is updated via SSL_set_SSL_CTX.

     The session ID context is typically set from the parent SSL_CTX,
     and can vary with the CTX.
     [Adam Langley]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
     certificate the fingerprint can be changed without breaking the signature.
     Although no details of the signed portion of the certificate can be changed
     this can cause problems with some applications: e.g. those using the
     certificate fingerprint for blacklists.

     1. Reject signatures with non zero unused bits.

     If the BIT STRING containing the signature has non zero unused bits reject
     the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the
     certificate signature. NB: this will result in signature failure
     errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Reencode DSA/ECDSA signatures and compare with the original received
     signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature
     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
     (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson
     of the OpenSSL core team.

     (CVE-2014-8275)
     [Steve Henson]

   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
      results on some platforms, including x86_64. This bug occurs at random
      with a very low probability, and is not known to be exploitable in any
      way, though its exact impact is difficult to determine. Thanks to Pieter
      Wuille (Blockstream) who reported this issue and also suggested an initial
      fix. Further analysis was conducted by the OpenSSL development team and
      Adam Langley of Google. The final fix was developed by Andy Polyakov of
      the OpenSSL core team.
      (CVE-2014-3570)
      [Andy Polyakov]

   *) Do not resume sessions on the server if the negotiated protocol
      version does not match the session's version. Resuming with a different
      version, while not strictly forbidden by the RFC, is of questionable
      sanity and breaks all known clients.
      [David Benjamin, Emilia Käsper]

   *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
      early CCS messages during renegotiation. (Note that because
      renegotiation is encrypted, this early CCS was not exploitable.)
      [Emilia Käsper]

   *) Tighten client-side session ticket handling during renegotiation:
      ensure that the client only accepts a session ticket if the server sends
      the extension anew in the ServerHello. Previously, a TLS client would
      reuse the old extension state and thus accept a session ticket if one was
      announced in the initial ServerHello.

      Similarly, ensure that the client requires a session ticket if one
      was advertised in the ServerHello. Previously, a TLS client would
      ignore a missing NewSessionTicket message.
      [Emilia Käsper]
2015-01-13 07:59:08 +00:00
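Check 3 of the certificate fingerprint entry in the 1.0.1k log above (re-encode DSA/ECDSA signatures and compare with the received bytes), sketched as an added example; it is not OpenSSL's or NetBSD's code. The lenient parser, the helper names and the sample r/s values are constructed for illustration, and the block shows why encodings that carry the same (r, s) but hash differently defeat fingerprint-based blacklists unless they are rejected.

```python
import hashlib

class DerError(ValueError):
    """Raised when the bytes cannot be read as SEQUENCE { INTEGER, INTEGER }."""

def _read_tlv(buf, pos):
    """Lenient BER-style reader: tolerates long-form lengths that DER forbids."""
    if pos + 2 > len(buf):
        raise DerError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise DerError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DerError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_sig_lenient(sig):
    """Parse as a tolerant parser would; bytes after the SEQUENCE are ignored."""
    tag, body, _ = _read_tlv(sig, 0)
    if tag != 0x30:
        raise DerError("not a SEQUENCE")
    values, pos = [], 0
    for _ in range(2):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x02 or not raw:
            raise DerError("expected non-empty INTEGER")
        values.append(int.from_bytes(raw, "big", signed=True))
    if pos != len(body):
        raise DerError("extra element inside SEQUENCE")
    return values[0], values[1]

def _der_len(n):
    """Shortest-form DER length octets."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_uint(v):
    """Minimal DER INTEGER for v >= 0 (a 0x00 pad only when the top bit is set)."""
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(raw)) + raw

def _seq(body):
    return b"\x30" + _der_len(len(body)) + body

def encode_sig_der(r, s):
    """The one canonical DER encoding of the pair (r, s)."""
    return _seq(_der_uint(r) + _der_uint(s))

def check_sig_encoding(sig):
    """Re-encode and compare with what was received. Returns (accepted, reason)."""
    try:
        r, s = decode_sig_lenient(sig)
    except DerError as exc:
        return False, str(exc)
    if r <= 0 or s <= 0:
        return False, "INTEGER is negative or zero"
    if encode_sig_der(r, s) != sig:
        return False, "re-encoding differs from received bytes"
    return True, "canonical DER"

# Constructed sample values (not a real signature).
R = 0x7F11223344556677
S = 0x8899AABBCCDDEEFF
CANON = encode_sig_der(R, S)

# The cases named in the changelog entry, built from the canonical encoding.
VARIANTS = {
    "canonical": CANON,
    "trailing garbage": CANON + b"\xde\xad",
    "BER long-form length": b"\x30\x81" + CANON[1:],
    "leading zero on r": _seq(b"\x02\x09\x00" + R.to_bytes(8, "big") + _der_uint(S)),
    "negative s": _seq(_der_uint(R) + b"\x02\x08" + S.to_bytes(8, "big")),
}

def survey():
    """Per variant: same (r, s) as canonical? same SHA-256? accepted by the check?"""
    out = {}
    for name, sig in VARIANTS.items():
        same_rs = decode_sig_lenient(sig) == (R, S)
        same_fp = hashlib.sha256(sig).digest() == hashlib.sha256(CANON).digest()
        out[name] = (same_rs, same_fp, check_sig_encoding(sig)[0])
    return out

if __name__ == "__main__":
    for name, row in survey().items():
        print(f"{name:22} same_rs={row[0]!s:5} same_hash={row[1]!s:5} accepted={row[2]}")
```
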
spz e289ce59f9 update of openssl to the next higher version, 1.0.1j
Upstream condensed log:
  Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]

      o Fix for CVE-2014-3513
      o Fix for CVE-2014-3567
      o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
      o Fix for CVE-2014-3568
2014-10-17 16:34:25 +00:00