=========================
We plan on retiring more legacy cryptography in a near-future
release, specifically:
* Refusing all RSA keys smaller than 1024 bits (the current minimum
is 768 bits)
This list reflects our current intentions, but please check the final
release notes for future releases.
Potentially-incompatible changes
================================
This release disables a number of legacy cryptographic algorithms
by default in ssh:
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants
and the rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
Changes since OpenSSH 7.1p2
===========================
This is primarily a bugfix release.
Security
--------
* ssh(1), sshd(8): remove unfinished and unused roaming code (was
already forcibly disabled in OpenSSH 7.1p2).
* ssh(1): eliminate fallback from untrusted X11 forwarding to
trusted forwarding when the X server disables the SECURITY
extension.
* ssh(1), sshd(8): increase the minimum modulus size supported for
diffie-hellman-group-exchange to 2048 bits.
* sshd(8): pre-auth sandboxing is now enabled by default (previous
releases enabled it for new installations via sshd_config).
New Features
------------
* all: add support for RSA signatures using SHA-256/512 hash
algorithms based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt.
* ssh(1): Add an AddKeysToAgent client option which can be set to
'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When
enabled, a private key that is used during authentication will be
added to ssh-agent if it is running (with confirmation enabled if
set to 'confirm').
* sshd(8): add a new authorized_keys option "restrict" that includes
all current and future key restrictions (no-*-forwarding, etc.).
Also add permissive versions of the existing restrictions, e.g.
"no-pty" -> "pty". This simplifies the task of setting up
restricted keys and ensures they are maximally-restricted,
regardless of any permissions we might implement in the future.
* ssh(1): add ssh_config CertificateFile option to explicitly list
certificates. bz#2436
* ssh-keygen(1): allow ssh-keygen to change the key comment for all
supported formats.
* ssh-keygen(1): allow fingerprinting from standard input, e.g.
"ssh-keygen -lf -"
* ssh-keygen(1): allow fingerprinting multiple public keys in a
file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319
* sshd(8): support "none" as an argument for sshd_config
Foreground and ChrootDirectory. Useful inside Match blocks to
override a global default. bz#2486
* ssh-keygen(1): support multiple certificates (one per line) and
reading from standard input (using "-f -") for "ssh-keygen -L"
* ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching
certificates instead of plain keys.
* ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
hostname canonicalisation - treat them as already canonical and
remove the trailing '.' before matching ssh_config.
Bugfixes
--------
* sftp(1): existing destination directories should not terminate
recursive uploads (regression in openssh 6.8) bz#2528
* ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED
replies to unexpected messages during key exchange. bz#2949
* ssh(1): refuse attempts to set ConnectionAttempts=0, which does
not make sense and would cause ssh to print an uninitialised stack
variable. bz#2500
* ssh(1): fix errors when attempting to connect to scoped IPv6
addresses with hostname canonicalisation enabled.
* sshd_config(5): list a couple more options usable in Match blocks.
bz#2489
* sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block.
* ssh(1): expand tilde characters in filenames passed to -i options
before checking whether or not the identity file exists. Avoids
confusion for cases where shell doesn't expand (e.g. "-i ~/file"
vs. "-i~/file"). bz#2481
* ssh(1): do not prepend "exec" to the shell command run by "Match
exec" in a config file, which could cause some commands to fail
in certain environments. bz#2471
* ssh-keyscan(1): fix output for multiple hosts/addrs on one line
when host hashing or a non standard port is in use bz#2479
* sshd(8): skip "Could not chdir to home directory" message when
ChrootDirectory is active. bz#2485
* ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.
* sshd(8): avoid changing TunnelForwarding device flags if they are
already what is needed; makes it possible to use tun/tap
networking as non-root user if device permissions and interface
flags are pre-established
* ssh(1), sshd(8): RekeyLimits could be exceeded by one packet.
bz#2521
* ssh(1): fix multiplexing master failure to notice client exit.
* ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present
empty key IDs. bz#1773
* sshd(8): avoid printf of NULL argument. bz#2535
* ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521
* ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature
support.
* ssh(1), sshd(8): fix connections with peers that use the key
exchange guess feature of the protocol. bz#2515
* sshd(8): include remote port number in log messages. bz#2503
* ssh(1): don't try to load SSHv1 private key when compiled without
SSHv1 support. bz#2505
* ssh-agent(1), ssh(1): fix incorrect error messages during key
loading and signing errors. bz#2507
* ssh-keygen(1): don't leave empty temporary files when performing
known_hosts file edits when known_hosts doesn't exist.
* sshd(8): correct packet format for tcpip-forward replies for
requests that don't allocate a port bz#2509
* ssh(1), sshd(8): fix possible hang on closed output. bz#2469
* ssh(1): expand %i in ControlPath to UID. bz#2449
* ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460
* ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182
* ssh(1): add a some debug output before DNS resolution; it's a
place where ssh could previously silently stall in cases of
unresponsive DNS servers. bz#2433
* ssh(1): remove spurious newline in visual hostkey. bz#2686
* ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
* ssh(1): fix expansion of HostkeyAlgorithms=+...
Documentation
-------------
* ssh_config(5), sshd_config(5): update default algorithm lists to
match current reality. bz#2527
* ssh(1): mention -Q key-plain and -Q key-cert query options.
bz#2455
* sshd_config(8): more clearly describe what AuthorizedKeysFile=none
does.
* ssh_config(5): better document ExitOnForwardFailure. bz#2444
* sshd(5): mention internal DH-GEX fallback groups in manual.
bz#2302
* sshd_config(5): better description for MaxSessions option.
bz#2531
Portability
-----------
* ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/
Solaris fine-grained privileges. Including a pre-auth privsep
sandbox and several pledge() emulations. bz#2511
* Renovate redhat/openssh.spec, removing deprecated options and
syntax.
* configure: allow --without-ssl-engine with --without-openssl
* sshd(8): fix multiple authentication using S/Key. bz#2502
* sshd(8): read back from libcrypto RAND_* before dropping
privileges. Avoids sandboxing violations with BoringSSL.
* Fix name collision with system-provided glob(3) functions.
bz#2463
* Adapt Makefile to use ssh-keygen -A when generating host keys.
bz#2459
* configure: correct default value for --with-ssh1 bz#2457
* configure: better detection of _res symbol bz#2259
* support getrandom() syscall on Linux
=========================================
NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
================================================================
Severity: High
A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).
Recovering one session key requires the attacker to perform approximately 2^50
computation, as well as thousands of connections to the affected server. A more
efficient variant of the DROWN attack exists against unpatched OpenSSL servers
using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).
Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
servers, if they've not done so already. Disabling all SSLv2 ciphers is also
sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol,
and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers.
OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:
SSLv2 is now by default disabled at build-time. Builds that are not configured
with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application explicitly
uses the version-specific SSLv2_method() or its client or server variants,
SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
longer available.
In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will
not provide any "EXPORT" or "LOW" strength ciphers.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on December 29th 2015 by Nimrod Aviram and
Sebastian Schinzel. The fix was developed by Viktor Dukhovni and Matt Caswell
of OpenSSL.
Double-free in DSA code (CVE-2016-0705)
=======================================
Severity: Low
A double free bug was discovered when OpenSSL parses malformed DSA private keys
and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources. This scenario is considered
rare.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on February 7th 2016 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr Stephen Henson
of OpenSSL.
Memory leak in SRP database lookups (CVE-2016-0798)
===================================================
Severity: Low
The SRP user database lookup method SRP_VBASE_get_by_user had
confusing memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no way of
distinguishing these two cases.
Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection. Servers that do not configure SRP, or
configure SRP but do not configure a seed are not vulnerable.
In Apache, the seed directive is known as SSLSRPUnknownUserSeed.
To mitigate the memory leak, the seed handling in
SRP_VBASE_get_by_user is now disabled even if the user has configured
a seed. Applications are advised to migrate to
SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong
guarantees about the indistinguishability of valid and invalid
logins. In particular, computations are currently not carried out in
constant time.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was discovered on February 23rd 2016 by Emilia Käsper of
the OpenSSL development team. Emilia Käsper also developed the fix.
BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
======================================================================
Severity: Low
In the BN_hex2bn function the number of hex digits is calculated using an int
value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values
of |i| this can result in |bn_expand| not allocating any memory because |i * 4|
is negative. This can leave the internal BIGNUM data field as NULL leading to a
subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4|
could be a positive value smaller than |i|. In this case memory is allocated to
the internal BIGNUM data field, but it is insufficiently sized leading to heap
corruption. A similar issue exists in BN_dec2bn. This could have security
consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with
very large untrusted hex/dec data. This is anticipated to be a rare occurrence.
All OpenSSL internal usage of these functions use data that is not expected to
be untrusted, e.g. config file data or application command line arguments. If
user developed applications generate config file data based on untrusted data
then it is possible that this could also lead to security consequences. This is
also anticipated to be rare.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on February 19th 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
Fix memory issues in BIO_*printf functions (CVE-2016-0799)
==========================================================
Severity: Low
The internal |fmtstr| function used in processing a "%s" format string in the
BIO_*printf functions could overflow while calculating the length of a string
and cause an OOB read when printing very long strings.
Additionally the internal |doapr_outch| function can attempt to write to an OOB
memory location (at an offset from the NULL pointer) in the event of a memory
allocation failure. In 1.0.2 and below this could be caused where the size of a
buffer to be allocated is greater than INT_MAX. E.g. this could be in processing
a very long "%s" format string. Memory leaks can also occur.
The first issue may mask the second issue dependent on compiler behaviour.
These problems could enable attacks where large amounts of untrusted data is
passed to the BIO_*printf functions. If applications use these functions in this
way then they could be vulnerable. OpenSSL itself uses these functions when
printing out human-readable dumps of ASN.1 data. Therefore applications that
print this data could be vulnerable if the data is from untrusted sources.
OpenSSL command line applications could also be vulnerable where they print out
ASN.1 data, or if untrusted data is passed as command line arguments.
Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on February 23rd by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
Side channel attack on modular exponentiation (CVE-2016-0702)
=============================================================
Severity: Low
A side-channel attack was found which makes use of cache-bank conflicts on the
Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
keys. The ability to exploit this issue is limited as it relies on an attacker
who has control of code in a thread running on the same hyper-threaded core as
the victim thread which is performing decryptions.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on Jan 8th 2016 by Yuval Yarom, The
University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv
University, and Nadia Heninger, University of Pennsylvania with more
information at http://cachebleed.info. The fix was developed by Andy Polyakov
of OpenSSL.
Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
================================================================
Severity: High
This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address vulnerability CVE-2015-0293.
s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If
clear-key bytes are present for these ciphers, they *displace* encrypted-key
bytes. This leads to an efficient divide-and-conquer key recovery attack: if an
eavesdropper has intercepted an SSLv2 handshake, they can use the server as an
oracle to determine the SSLv2 master-key, using only 16 connections to the
server and negligible computation.
More importantly, this leads to a more efficient version of DROWN that is
effective against non-export ciphersuites, and requires no significant
computation.
This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).
This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan. The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
==============================================
Severity: Moderate
This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address the vulnerability CVE-2015-0293.
s2_srvr.c overwrite the wrong bytes in the master-key when applying
Bleichenbacher protection for export cipher suites. This provides a
Bleichenbacher oracle, and could potentially allow more efficient variants of
the DROWN attack.
This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).
This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan. The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.
Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160301.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
_______________
Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
*) Protection for DH small subgroup attacks
As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
switched on by default and cannot be disabled. This could have some
performance impact.
[Matt Caswell]
*) SSLv2 doesn't block disabled ciphers
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
and Sebastian Schinzel.
(CVE-2015-3197)
[Viktor Dukhovni]
*) Reject DH handshakes with parameters shorter than 1024 bits.
[Kurt Roeckx]
OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
=============================================================
[Updated 4 Dec 2015]: This advisory has been updated to include the details of
CVE-2015-1794, a Low severity issue affecting OpenSSL 1.0.2 which had a fix
included in the released packages but was missed from the advisory text.
NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.
BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==================================================================
Severity: Moderate
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.
This issue affects OpenSSL version 1.0.2.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
This issue was reported to OpenSSL on August 13 2015 by Hanno
Böck. The fix was developed by Andy Polyakov of the OpenSSL
development team.
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===================================================================
Severity: Moderate
The signature verification routines will crash with a NULL pointer dereference
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
mask generation function parameter. Since these routines are used to verify
certificate signature algorithms this can be used to crash any certificate
verification operation and exploited in a DoS attack. Any application which
performs certificate verification is vulnerable including OpenSSL clients and
servers which enable client authentication.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne
(Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL
development team.
X509_ATTRIBUTE memory leak (CVE-2015-3195)
==========================================
Severity: Moderate
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is affected.
SSL/TLS is not affected.
This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh
This issue was reported to OpenSSL on November 9 2015 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen
Henson of the OpenSSL development team.
Race condition handling PSK identify hint (CVE-2015-3196)
=========================================================
Severity: Low
If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.
This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously
listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0
and has not been previously fixed in an OpenSSL 1.0.0 release.
OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t
The fix for this issue can be identified in the OpenSSL git repository by commit
ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).
The fix was developed by Dr. Stephen Henson of the OpenSSL development team.
Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
============================================================
Severity: Low
If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
the value of p set to 0 then a seg fault can occur leading to a possible denial
of service attack.
This issue affects OpenSSL version 1.0.2.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
This issue was reported to OpenSSL on August 3 2015 by Guy Leaver (Cisco). The
fix was developed by Matt Caswell of the OpenSSL development team.
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
versions will be provided after that date. In the absence of significant
security issues being identified prior to that date, the 1.0.0t and 0.9.8zh
releases will be the last for those versions. Users of these versions are
advised to upgrade.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20151203.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
Changes since OpenSSH 6.9
=========================
This focus of this release is primarily to deprecate weak, legacy
and/or unsafe cryptography.
Security
--------
* sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
writable. Local attackers may be able to write arbitrary messages
to logged-in users, including terminal escape sequences.
Reported by Nikolay Edigaryev.
* sshd(8): Portable OpenSSH only: Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users. Reported by Moritz Jodeit.
* sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
related to PAM support that was reachable by attackers who could
compromise the pre-authentication process for remote code
execution. Also reported by Moritz Jodeit.
* sshd(8): fix circumvention of MaxAuthTries using keyboard-
interactive authentication. By specifying a long, repeating
keyboard-interactive "devices" string, an attacker could request
the same authentication method be tried thousands of times in
a single pass. The LoginGraceTime timeout in sshd(8) and any
authentication failure delays implemented by the authentication
mechanism itself were still applied. Found by Kingcope.
Potentially-incompatible Changes
--------------------------------
* Support for the legacy SSH version 1 protocol is disabled by
default at compile time.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
is disabled by default at run-time. It may be re-enabled using
the instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
by default at run-time. These may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
* The default for the sshd_config(5) PermitRootLogin option has
changed from "yes" to "prohibit-password".
* PermitRootLogin=without-password/prohibit-password now bans all
interactive authentication methods, allowing only public-key,
hostbased and GSSAPI authentication (previously it permitted
keyboard-interactive and password-less authentication if those
were enabled).
New Features
------------
* ssh_config(5): add PubkeyAcceptedKeyTypes option to control which
public key types are available for user authentication.
* sshd_config(5): add HostKeyAlgorithms option to control which
public key types are offered for host authentications.
* ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms,
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
options to allow appending to the default set of algorithms
instead of replacing it. Options may now be prefixed with a '+'
to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".
* sshd_config(5): PermitRootLogin now accepts an argument of
'prohibit-password' as a less-ambiguous synonym of 'without-
password'.
Bugfixes
--------
* ssh(1), sshd(8): add compatability workarounds for Cisco and more
PuTTY versions. bz#2424
* Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux
documentation relating to Unix domain socket forwarding;
bz#2421 bz#2422
* ssh(1): Improve the ssh(1) manual page to include a better
description of Unix domain socket forwarding; bz#2423
* ssh(1), ssh-agent(1): skip uninitialised PKCS#11 slots, fixing
failures to load keys when they are present. bz#2427
* ssh(1), ssh-agent(1): do not ignore PKCS#11 hosted keys that wth
empty CKA_ID; bz#2429
* sshd(8): clarify documentation for UseDNS option; bz#2045
the support in the rest of the source tree.
X11 sets could use some cleaning up perhaps (just deletion, as
we've never really marked the old X11R6 as obsolete for native
xorg using platforms so far either.)
*) Alternate chains certificate forgery
During certificate verfification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.
This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
[Matt Caswell]
=========================
This is primarily a bugfix release.
Security
--------
* ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
connections made after ForwardX11Timeout expired could be permitted
and no longer subject to XSECURITY restrictions because of an
ineffective timeout check in ssh(1) coupled with "fail open"
behaviour in the X11 server when clients attempted connections with
expired credentials. This problem was reported by Jann Horn.
* ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
New Features
------------
* ssh(1), sshd(8): promote chacha20-poly1305@openssh.com to be the
default cipher
* sshd(8): support admin-specified arguments to AuthorizedKeysCommand;
bz#2081
* sshd(8): add AuthorizedPrincipalsCommand that allows retrieving
authorized principals information from a subprocess rather than
a file.
* ssh(1), ssh-add(1): support PKCS#11 devices with external PIN
entry devices bz#2240
* sshd(8): allow GSSAPI host credential check to be relaxed for
multihomed hosts via GSSAPIStrictAcceptorCheck option; bz#928
* ssh-keygen(1): support "ssh-keygen -lF hostname" to search
known_hosts and print key hashes rather than full keys.
* ssh-agent(1): add -D flag to leave ssh-agent in foreground without
enabling debug mode; bz#2381
Bugfixes
--------
* ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
message and do not try to use it against some 3rd-party SSH
implementations that use it (older PuTTY, WinSCP).
* Many fixes for problems caused by compile-time deactivation of
SSH1 support (including bz#2369)
* ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco
implementations as some would fail when attempting to use group
sizes >4K; bz#2209
* ssh(1): fix out-of-bound read in EscapeChar configuration option
parsing; bz#2396
* sshd(8): fix application of PermitTunnel, LoginGraceTime,
AuthenticationMethods and StreamLocalBindMask options in Match
blocks
* ssh(1), sshd(8): improve disconnection message on TCP reset;
bz#2257
* ssh(1): remove failed remote forwards established by muliplexing
from the list of active forwards; bz#2363
* sshd(8): make parsing of authorized_keys "environment=" options
independent of PermitUserEnv being enabled; bz#2329
* sshd(8): fix post-auth crash with permitopen=none; bz#2355
* ssh(1), ssh-add(1), ssh-keygen(1): allow new-format private keys
to be encrypted with AEAD ciphers; bz#2366
* ssh(1): allow ListenAddress, Port and AddressFamily configuration
options to appear in any order; bz#86
* sshd(8): check for and reject missing arguments for VersionAddendum
and ForceCommand; bz#2281
* ssh(1), sshd(8): don't treat unknown certificate extensions as
fatal; bz#2387
* ssh-keygen(1): make stdout and stderr output consistent; bz#2325
* ssh(1): mention missing DISPLAY environment in debug log when X11
forwarding requested; bz#1682
* sshd(8): correctly record login when UseLogin is set; bz#378
* sshd(8): Add some missing options to sshd -T output and fix output
of VersionAddendum and HostCertificate. bz#2346
* Document and improve consistency of options that accept a "none"
argument" TrustedUserCAKeys, RevokedKeys (bz#2382),
AuthorizedPrincipalsFile (bz#2288)
* ssh(1): include remote username in debug output; bz#2368
* sshd(8): avoid compatibility problem with some versions of Tera
Term, which would crash when they received the hostkeys notification
message (hostkeys-00@openssh.com)
* sshd(8): mention ssh-keygen -E as useful when comparing legacy MD5
host key fingerprints; bz#2332
* ssh(1): clarify pseudo-terminal request behaviour and use make
manual language consistent; bz#1716
* ssh(1): document that the TERM environment variable is not subject
to SendEnv and AcceptEnv; bz#2386
*) Malformed ECParameters causes infinite loop
When processing an ECParameters structure OpenSSL enters an infinite loop
if the curve specified is over a specially malformed binary polynomial
field.
This can be used to perform denial of service against any
system which processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with
client authentication enabled.
This issue was reported to OpenSSL by Joseph Barr-Pixton.
(CVE-2015-1788)
[Andy Polyakov]
*) Exploitable out-of-bounds read in X509_cmp_time
X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds. In addition,
X509_cmp_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in
a DoS on applications that verify certificates or CRLs. TLS clients
that verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue was reported to OpenSSL by Robert Swiecki (Google), and
independently by Hanno Böck.
(CVE-2015-1789)
[Emilia Käsper]
*) PKCS7 crash with missing EnvelopedContent
The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-1790)
[Emilia Käsper]
*) CMS verify infinite loop with unknown hash function
When verifying a signedData message the CMS code can enter an infinite loop
if presented with an unknown hash function OID. This can be used to perform
denial of service against any system which verifies signedData messages using
the CMS code.
This issue was reported to OpenSSL by Johannes Bauer.
(CVE-2015-1792)
[Stephen Henson]
*) Race condition handling NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when attempting to
reuse a previous ticket then a race condition can occur potentially leading to
a double free of the ticket data.
(CVE-2015-1791)
[Matt Caswell]
*) Reject DH handshakes with parameters shorter than 768 bits.
[Kurt Roeckx and Emilia Kasper]
=========================
This is a major release, containing a number of new features as
well as a large internal re-factoring.
Potentially-incompatible changes
--------------------------------
* sshd(8): UseDNS now defaults to 'no'. Configurations that match
against the client host name (via sshd_config or authorized_keys)
may need to re-enable it or convert to matching against addresses.
New Features
------------
* Much of OpenSSH's internal code has been re-factored to be more
library-like. These changes are mostly not user-visible, but
have greatly improved OpenSSH's testability and internal layout.
* Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
command-line flags to the other tools to control algorithm used
for key fingerprints. The default changes from MD5 to SHA256 and
format from hex to base64.
Fingerprints now have the hash algorithm prepended. An example of
the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
Please note that visual host keys will also be different.
* ssh(1), sshd(8): Experimental host key rotation support. Add a
protocol extension for a server to inform a client of all its
available host keys after authentication has completed. The client
may record the keys in known_hosts, allowing it to upgrade to better
host key algorithms and a server to gracefully rotate its keys.
The client side of this is controlled by a UpdateHostkeys config
option (default off).
* ssh(1): Add a ssh_config HostbasedKeyType option to control which
host public key types are tried during host-based authentication.
* ssh(1), sshd(8): fix connection-killing host key mismatch errors
when sshd offers multiple ECDSA keys of different lengths.
* ssh(1): when host name canonicalisation is enabled, try to
parse host names as addresses before looking them up for
canonicalisation. fixes bz#2074 and avoiding needless DNS
lookups in some cases.
* ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
require OpenSSH to be compiled with OpenSSL support.
* ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
authentication.
* sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
Bleichenbacher Side Channel Attack. Fake up a bignum key before
RSA decryption.
* sshd(8): Remember which public keys have been used for
authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ public keys.
* sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options to allow sshd to control what
public key types will be accepted. Currently defaults to all.
* sshd(8): Don't count partial authentication success as a failure
against MaxAuthTries.
* ssh(1): Add RevokedHostKeys option for the client to allow
text-file or KRL-based revocation of host keys.
* ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
serial number or key ID without scoping to a particular CA.
* ssh(1): Add a "Match canonical" criteria that allows ssh_config
Match blocks to trigger only in the second config pass.
* ssh(1): Add a -G option to ssh that causes it to parse its
configuration and dump the result to stdout, similar to "sshd -T".
* ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
* The regression test suite has been extended to cover more OpenSSH
features. The unit tests have been expanded and now cover key
exchange.
Bugfixes
* ssh-keyscan(1): ssh-keyscan has been made much more robust again
servers that hang or violate the SSH protocol.
* ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
being lost as comment fields.
* ssh(1): Allow ssh_config Port options set in the second config
parse phase to be applied (they were being ignored). bz#2286
* ssh(1): Tweak config re-parsing with host canonicalisation - make
the second pass through the config files always run when host name
canonicalisation is enabled (and not whenever the host name
changes) bz#2267
* ssh(1): Fix passing of wildcard forward bind addresses when
connection multiplexing is in use; bz#2324;
* ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
formats; bz#2345.
* ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
use.
* Various fixes to manual pages: bz#2288, bz#2316, bz#2273
Portable OpenSSH
* Support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features,
including SSH protocol 1 are not supported and the set of crypto
options is greatly restricted. This will only work on systems
with native arc4random or /dev/urandom.
Considered highly experimental for now.
* Support --without-ssh1 option at configure time
Allows disabling support for SSH protocol 1.
* sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
* Allow custom service name for sshd on Cygwin. Permits the use of
multiple sshd running with different service names.
Checksums:
==========
- SHA1 (openssh-6.8.tar.gz) = 99903c6ca76e0a2c044711017f81127e12459d37
- SHA256 (openssh-6.8.tar.gz) = N1uzVarFbrm2CzAwuDu3sRoszmqpK+5phAChP/QNyuw=
- SHA1 (openssh-6.8p1.tar.gz) = cdbc51e46a902b30d263b05fdc71340920e91c92
- SHA256 (openssh-6.8p1.tar.gz) = P/ZM5z7hJEgLW/dnuYMNfTwDu8tqvnFrePAZLDfOFg4=
Please note that the PGP key used to sign releases was recently rotated.
The new key has been signed by the old key to provide continuity. It is
available from the mirror sites as RELEASE_KEY.asc.
Reporting Bugs:
===============
- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
The vulnerabilities listed below were previously fixed by patches
supplied by the OpenSSL project.
Thus, this import is not about vulnerabilities, but about the change
in source style OpenSSL applied before 1.0.1m (as well as small fixes
not listed in the changelog that make us have a 'proper' 1.0.1m).
Upstream Changelog:
Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
*) Segmentation fault in ASN1_TYPE_cmp fix
The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
(CVE-2015-0286)
[Stephen Henson]
*) ASN.1 structure reuse memory corruption fix
Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.
Applications that parse structures containing CHOICE or ANY DEFINED BY
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.
(CVE-2015-0287)
[Stephen Henson]
*) PKCS7 NULL pointer dereferences fix
The PKCS#7 parsing code does not handle missing outer ContentInfo
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.
Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-0289)
[Emilia Käsper]
*) DoS via reachable assert in SSLv2 servers fix
A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.
This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team).
(CVE-2015-0293)
[Emilia Käsper]
*) Use After Free following d2i_ECPrivatekey error fix
A malformed EC private key file consumed via the d2i_ECPrivateKey function
could cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.
This issue was discovered by the BoringSSL project and fixed in their
commit 517073cd4b.
(CVE-2015-0209)
[Matt Caswell]
*) X509_to_X509_REQ NULL pointer deref fix
The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.
This issue was discovered by Brian Carpenter.
(CVE-2015-0288)
[Stephen Henson]
*) Removed the export ciphers from the DEFAULT ciphers
[Kurt Roeckx]
Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
*) Build fixes for the Windows and OpenVMS platforms
[Matt Caswell and Richard Levitte]
lines are changed into either #define SOMETHING or #undef SOMETHING,
but in our in-tree build it is installed verbatim - so comment out all
#undef parts, to allow our makefile fragments to freely -DSOMETHING
and not have it silently canceld here.
to NetBSD base:
OpenSSL Security Advisory [19 Mar 2015]
=======================================
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
============================================================================
Severity: High
This security issue was previously announced by the OpenSSL project and
classified as "low" severity. This severity rating has now been changed to
"high".
This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.
This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
** issue already committed see last release **
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
===================================================
Severity: Moderate
The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit 1b8ac2b07d02207f2b88e0b009b0bff4ef7eda96
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit ee5a1253285e5c9f406c8b57b0686319b70c07d8
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit 1e3ca524cb38ec92deea37629718e98aba43bc5d
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit 7058bd1712828a78d34457b1cfc32bdc1e6d3d33
This issue was discovered and fixed by Stephen Henson of the OpenSSL
development team.
ASN.1 structure reuse memory corruption (CVE-2015-0287)
=======================================================
Severity: Moderate
Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.
Applications that parse structures containing CHOICE or ANY DEFINED BY
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit 0ca8edbe6ec402e39c9e095f8ae11dba8fa93fc1
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit a9f34a7aac5fd89f33a34fb71e954b85fbf35875
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit d96692c933fe02829c3e922bf7f239e0bd003759
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit 5722767d5dc1a3b5505058fe27877fc993fe9a5a
This issue was discovered by Emilia Käsper and a fix developed by
Stephen Henson of the OpenSSL development team.
PKCS7 NULL pointer dereferences (CVE-2015-0289)
===============================================
Severity: Moderate
The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.
Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit e0d6a791c53b64da64277c5565eb89b1cb149fc3
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit d3d52c73544bba800c2a8f5ef3376358158cf2ca
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit 1f858109d0556b5864bb6a0aa3e2d177b1cc4552
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit f20caf7f66cb1eb9ba9562e6097bc7b64d207cb9
This issue was reported to OpenSSL on February 16th 2015 by Michal
Zalewski (Google) and a fix developed by Emilia Käsper of the OpenSSL
development team.
Base64 decode (CVE-2015-0292)
=============================
Severity: Moderate
A vulnerability existed in previous versions of OpenSSL related to the
processing of base64 encoded data. Any code path that reads base64 data from an
untrusted source could be affected (such as the PEM processing routines).
Maliciously crafted base 64 data could trigger a segmenation fault or memory
corruption. This was addressed in previous versions of OpenSSL but has not been
included in any security advisory until now.
This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 0.9.8 users should upgrade to 0.9.8za.
The fix for this issue can be identified by commits d0666f289a (1.0.1),
84fe686173 (1.0.0) and 9febee0272 (0.9.8). This issue was originally reported by
Robert Dugal and subsequently by David Ramos.
DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
=========================================================
Severity: Moderate
A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit b29d57f20d4821a9d3f4e19673a89615e4c6fcf0
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit a40c1bcb8c37fbad24d8f28f0fb0204d76f0fee2
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit ee4435e5b587879e7bd66df10d4d9ec274e2b163
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit ab646ee5a6a7b8cace425a617a053ad6d7977086
This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team) in March 2015 and the fix was developed by
Emilia Käsper.
Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
===============================================================
Severity: Low
A malformed EC private key file consumed via the d2i_ECPrivateKey function could
cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
** issue already committed **
OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
1b4a8df38f
This issue was discovered by the BoringSSL project and fixed in their commit
517073cd4b. The OpenSSL fix was developed by Matt Caswell of the OpenSSL
development team.
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
===================================================
Severity: Low
The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.
** issue already committed **
OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9
This issue was discovered by Brian Carpenter and a fix developed by Stephen
Henson of the OpenSSL development team.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150319.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
> ----------------------------
> revision 1.10
> date: 2015-02-04 16:58:02 -0800; author: agc; state: Exp; lines: +1 -0; commitid: 0v3HoBPFTnhDSK8y;
> appease compiler warning police - initialise a variable in case it's otherwise
> "used uninitialised". ride previous version bump.
> ----------------------------
> revision 1.9
> date: 2015-02-04 16:21:57 -0800; author: agc; state: Exp; lines: +48 -21; commitid: ElUADrlljB46GK8y;
> Update netpgpverify (and libnetpgpverify) to version 20150205
>
> + recognise signatures made by subkeys as well as by primary keys
>
> + print out the relevant key which signed the file, even if it's
> a subkey and not the primary key itself.
>
> + keep the same API as before
>
> with many thanks to Jonathan Perkin
> ----------------------------
> revision 1.8
> date: 2015-02-03 13:34:57 -0800; author: agc; state: Exp; lines: +1 -3; commitid: 6qTclEbv7hmZMB8y;
> Update netpgpverify, and libnetpgpverify, to 20150204
>
> + dump the huge output in testing script to /dev/null so that we can
> see what's happening with the other tests in testit.sh
>
> + fix from jperkin@, don't try to be clever when selecting the only
> key id in a keyring
>
> + add a test for single key (non-ssh) pubring
> ----------------------------
> revision 1.7
> date: 2015-02-03 13:13:17 -0800; author: agc; state: Exp; lines: +3 -0; commitid: ztXbqAi9ocXGFB8y;
> Update netpgpverify, and libnetpgpverify, to 20150203
>
> + portability fixes to make netpgpverify build on freebsd 10.1 with WARNS=5
>
> + fixed an oversight in the testit.sh script
- bump the shared library versions
- adjust set lists
- regenerate man pages
- note the import in doc/3RDPARTY and doc/CHANGES
there were no changes in asm parts
Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
*) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
message can cause a segmentation fault in OpenSSL due to a NULL pointer
dereference. This could lead to a Denial Of Service attack. Thanks to
Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
(CVE-2014-3571)
[Steve Henson]
*) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
dtls1_buffer_record function under certain conditions. In particular this
could occur if an attacker sent repeated DTLS records with the same
sequence number but for the next epoch. The memory leak could be exploited
by an attacker in a Denial of Service attack through memory exhaustion.
Thanks to Chris Mueller for reporting this issue.
(CVE-2015-0206)
[Matt Caswell]
*) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
method would be set to NULL which could later result in a NULL pointer
dereference. Thanks to Frank Schmirler for reporting this issue.
(CVE-2014-3569)
[Kurt Roeckx]
*) Abort handshake if server key exchange message is omitted for ephemeral
ECDH ciphersuites.
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
reporting this issue.
(CVE-2014-3572)
[Steve Henson]
*) Remove non-export ephemeral RSA code on client and server. This code
violated the TLS standard by allowing the use of temporary RSA keys in
non-export ciphersuites and could be used by a server to effectively
downgrade the RSA key length used to a value smaller than the server
certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
INRIA or reporting this issue.
(CVE-2015-0204)
[Steve Henson]
*) Fixed issue where DH client certificates are accepted without verification.
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client to
authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.
Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
this issue.
(CVE-2015-0205)
[Steve Henson]
*) Ensure that the session ID context of an SSL is updated when its
SSL_CTX is updated via SSL_set_SSL_CTX.
The session ID context is typically set from the parent SSL_CTX,
and can vary with the CTX.
[Adam Langley]
*) Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.
1. Reject signatures with non zero unused bits.
If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.
2. Check certificate algorithm consistency.
Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.
Thanks to Konrad Kraszewski from Google for reporting this issue.
3. Check DSA/ECDSA signatures use DER.
Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.
This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).
Further analysis was conducted and fixes were developed by Stephen Henson
of the OpenSSL core team.
(CVE-2014-8275)
[Steve Henson]
*) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
results on some platforms, including x86_64. This bug occurs at random
with a very low probability, and is not known to be exploitable in any
way, though its exact impact is difficult to determine. Thanks to Pieter
Wuille (Blockstream) who reported this issue and also suggested an initial
fix. Further analysis was conducted by the OpenSSL development team and
Adam Langley of Google. The final fix was developed by Andy Polyakov of
the OpenSSL core team.
(CVE-2014-3570)
[Andy Polyakov]
*) Do not resume sessions on the server if the negotiated protocol
version does not match the session's version. Resuming with a different
version, while not strictly forbidden by the RFC, is of questionable
sanity and breaks all known clients.
[David Benjamin, Emilia Käsper]
*) Tighten handling of the ChangeCipherSpec (CCS) message: reject
early CCS messages during renegotiation. (Note that because
renegotiation is encrypted, this early CCS was not exploitable.)
[Emilia Käsper]
*) Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.
Similarly, ensure that the client requires a session ticket if one
was advertised in the ServerHello. Previously, a TLS client would
ignore a missing NewSessionTicket message.
[Emilia Käsper]
+ Remove unused logmessage helper function
+ Add pgpv_get_cursor_element for easier manipulation of results
returned.
+ libnetpgpverify(3) man page improvements
+ Standardise on WARNS=5 settings (6 is too intrusive and distracting)
+ Also install the library and header file for netpgpverify. This
allows scripting languages to use the same verification methods via a
shared library, rather than being forced to exec the netpgpverify(1)
command line utility.
+ libnetpgpverify is now a standalone library, and requires no
pre-requsisite libraries to function
+ get rid of old libnetpgp-based source from /usr/src/crypto/external
tree, it's not been used in a while
+ enhancement to tiger.c (from apb, IIRC) to use the union rather than
dubious and probably unportable casts.
+ bump version number
=========================
Potentially-incompatible changes
* sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour*
are disabled by default.
The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.
* sshd(8): Support for tcpwrappers/libwrap has been removed.
* OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
using the curve25519-sha256@libssh.org KEX exchange method to fail
when connecting with something that implements the specification
correctly. OpenSSH 6.7 disables this KEX method when speaking to
one of the affected versions.
New Features
* Major internal refactoring to begin to make part of OpenSSH usable
as a library. So far the wire parsing, key handling and KRL code
has been refactored. Please note that we do not consider the API
stable yet, nor do we offer the library in separable form.
* ssh(1), sshd(8): Add support for Unix domain socket forwarding.
A remote TCP port may be forwarded to a local Unix domain socket
and vice versa or both ends may be a Unix domain socket.
* ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
ED25519 key types.
* sftp(1): Allow resumption of interrupted uploads.
* ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
is the same as the one sent during initial key exchange; bz#2154
* sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
addresses when GatewayPorts=no; allows client to choose address
family; bz#2222
* sshd(8): Add a sshd_config PermitUserRC option to control whether
~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
option; bz#2160
* ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
that expands to a unique identifer based on a hash of the tuple of
(local host, remote user, hostname, port). Helps avoid exceeding
miserly pathname limits for Unix domain sockets in multiplexing
control paths; bz#2220
* sshd(8): Make the "Too many authentication failures" message
include the user, source address, port and protocol in a format
similar to the authentication success / failure messages; bz#2199
* Added unit and fuzz tests for refactored code. These are run
automatically in portable OpenSSH via the "make tests" target.
Bugfixes
* sshd(8): Fix remote forwarding with the same listen port but
different listen address.
* ssh(1): Fix inverted test that caused PKCS#11 keys that were
explicitly listed in ssh_config or on the commandline not to be
preferred.
* ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
revoked certificate serial number ranges could be serialised to an
invalid format. Readers of a broken KRL caused by this bug will
fail closed, so no should-have-been-revoked key will be accepted.
* ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
exit status. Previously we were always returning 0; bz#2255
* ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
randomart border; bz#2247
* ssh-agent(1): Only cleanup agent socket in the main agent process
and not in any subprocesses it may have started (e.g. forked
askpass). Fixes agent sockets being zapped when askpass processes
fatal(); bz#2236
* ssh-add(1): Make stdout line-buffered; saves partial output getting
lost when ssh-add fatal()s part-way through (e.g. when listing keys
from an agent that supports key types that ssh-add doesn't);
bz#2234
* ssh-keygen(1): When hashing or removing hosts, don't choke on
@revoked markers and don't remove @cert-authority markers; bz#2241
* ssh(1): Don't fatal when hostname canonicalisation fails and a
ProxyCommand is in use; continue and allow the ProxyCommand to
connect anyway (e.g. to a host with a name outside the DNS behind
a bastion)
* scp(1): When copying local->remote fails during read, don't send
uninitialised heap to the remote end.
* sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
filenames with a single quote char somewhere in the string;
bz#2238
* ssh-keyscan(1): Scan for Ed25519 keys by default.
* ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
convert any certificate keys to plain keys and attempt SSHFP
resolution. Prevents a server from skipping SSHFP lookup and
forcing a new-hostkey dialog by offering only certificate keys.
* sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
* Fix some strict-alignment errors.
Portable OpenSSH
* Portable OpenSSH now supports building against libressl-portable.
* Portable OpenSSH now requires openssl 0.9.8f or greater. Older
versions are no longer supported.
* In the OpenSSL version check, allow fix version upgrades (but not
downgrades. Debian bug #748150.
* sshd(8): On Cygwin, determine privilege separation user at runtime,
since it may need to be a domain account.
* sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
non-root users, and for them it just messes up the tty settings.
* Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
available. It considers time spent suspended, thereby ensuring
timeouts (e.g. for expiring agent keys) fire correctly. bz#2228
* Add support for ed25519 to opensshd.init init script.
* sftp-server(8): On platforms that support it, use prctl() to
prevent sftp-server from accessing /proc/self/{mem,maps}
Changes since OpenSSH 6.5
=========================
This is primarily a bugfix release.
Security:
* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be
tricked into accepting any enviornment variable that contains the
characters before the wildcard character.
New / changed features:
* ssh(1), sshd(8): this release removes the J-PAKE authentication code.
This code was experimental, never enabled and had been unmaintained
for some time.
* ssh(1): when processing Match blocks, skip 'exec' clauses other clauses
predicates failed to match.
* ssh(1): if hostname canonicalisation is enabled and results in the
destination hostname being changed, then re-parse ssh_config(5) files
using the new destination hostname. This gives 'Host' and 'Match'
directives that use the expanded hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in
ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace
sandbox modes, as it is reachable if the connection is terminated
during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum
parsing. Minimum key length checks render this bug unexploitable to
compromise SSH 1 sessions.
* sshd_config(5): clarify behaviour of a keyword that appears in
multiple matching Match blocks. bz#2184
* ssh(1): avoid unnecessary hostname lookups when canonicalisation is
disabled. bz#2205
* sshd(8): avoid sandbox violation crashes in GSSAPI code by caching
the supported list of GSSAPI mechanism OIDs before entering the
sandbox. bz#2107
* ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption
that the SOCKS username is nul-terminated.
* ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is
not specified.
* ssh(1), sshd(8): fix memory leak in ECDSA signature verification.
* ssh(1): fix matching of 'Host' directives in ssh_config(5) files
to be case-insensitive again (regression in 6.5).
Portable OpenSSH:
* sshd(8): don't fatal if the FreeBSD Capsicum is offered by the
system headers and libc but is not supported by the kernel.
* Fix build using the HP-UX compiler.
Changes since OpenSSH 6.4
=========================
This is a feature-focused release.
New features:
* ssh(1), sshd(8): Add support for key exchange using elliptic-curve
Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
method is the default when both the client and server support it.
* ssh(1), sshd(8): Add support for Ed25519 as a public key type.
Ed25519 is a elliptic curve signature scheme that offers
better security than ECDSA and DSA and good performance. It may be
used for both user and host keys.
* Add a new private key format that uses a bcrypt KDF to better
protect keys at rest. This format is used unconditionally for
Ed25519 keys, but may be requested when generating or saving
existing keys of other types via the -o ssh-keygen(1) option.
We intend to make the new format the default in the near future.
Details of the new format are in the PROTOCOL.key file.
* ssh(1), sshd(8): Add a new transport cipher
"chacha20-poly1305@openssh.com" that combines Daniel Bernstein's
ChaCha20 stream cipher and Poly1305 MAC to build an authenticated
encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.
* ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and
servers that use the obsolete RSA+MD5 signature scheme. It will
still be possible to connect with these clients/servers but only
DSA keys will be accepted, and OpenSSH will refuse connection
entirely in a future release.
* ssh(1), sshd(8): Refuse old proprietary clients and servers that
use a weaker key exchange hash calculation.
* ssh(1): Increase the size of the Diffie-Hellman groups requested
for each symmetric key size. New values from NIST Special
Publication 800-57 with the upper limit specified by RFC4419.
* ssh(1), ssh-agent(1): Support PKCS#11 tokens that only provide
X.509 certs instead of raw public keys (requested as bz#1908).
* ssh(1): Add a ssh_config(5) "Match" keyword that allows
conditional configuration to be applied by matching on hostname,
user and result of arbitrary commands.
* ssh(1): Add support for client-side hostname canonicalisation
using a set of DNS suffixes and rules in ssh_config(5). This
allows unqualified names to be canonicalised to fully-qualified
domain names to eliminate ambiguity when looking up keys in
known_hosts or checking host certificate names.
* sftp-server(8): Add the ability to whitelist and/or blacklist sftp
protocol requests by name.
* sftp-server(8): Add a sftp "fsync@openssh.com" to support calling
fsync(2) on an open file handle.
* sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation,
mirroring the longstanding no-pty authorized_keys option.
* ssh(1): Add a ssh_config ProxyUseFDPass option that supports the
use of ProxyCommands that establish a connection and then pass a
connected file descriptor back to ssh(1). This allows the
ProxyCommand to exit rather than staying around to transfer data.
Bugfixes:
* ssh(1), sshd(8): Fix potential stack exhaustion caused by nested
certificates.
* ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.
* sftp(1): bz#2137: fix the progress meter for resumed transfer.
* ssh-add(1): bz#2187: do not request smartcard PIN when removing
keys from ssh-agent.
* sshd(8): bz#2139: fix re-exec fallback when original sshd binary
cannot be executed.
* ssh-keygen(1): Make relative-specified certificate expiry times
relative to current time and not the validity start time.
* sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.
* sftp(1): bz#2129: symlinking a file would incorrectly canonicalise
the target path.
* ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent
helper executable.
* sshd(8): Improve logging of sessions to include the user name,
remote host and port, the session type (shell, command, etc.) and
allocated TTY (if any).
* sshd(8): bz#1297: tell the client (via a debug message) when
their preferred listen address has been overridden by the
server's GatewayPorts setting.
* sshd(8): bz#2162: include report port in bad protocol banner
message.
* sftp(1): bz#2163: fix memory leak in error path in do_readdir().
* sftp(1): bz#2171: don't leak file descriptor on error.
* sshd(8): Include the local address and port in "Connection from
..." message (only shown at loglevel>=verbose).
Portable OpenSSH:
* Please note that this is the last version of Portable OpenSSH that
will support versions of OpenSSL prior to 0.9.6. Support (i.e.
SSH_OLD_EVP) will be removed following the 6.5p1 release.
* Portable OpenSSH will attempt compile and link as a Position
Independent Executable on Linux, OS X and OpenBSD on recent gcc-
like compilers. Other platforms and older/other compilers may
request this using the --with-pie configure flag.
* A number of other toolchain-related hardening options are used
automatically if available, including -ftrapv to abort on signed
integer overflow and options to write-protect dynamic linking
information. The use of these options may be disabled using the
--without-hardening configure flag.
* If the toolchain supports it, one of the -fstack-protector-strong,
-fstack-protector-all or -fstack-protector compilation flag are
used to add guards to mitigate attacks based on stack overflows.
The use of these options may be disabled using the
--without-stackprotect configure option.
* sshd(8): Add support for pre-authentication sandboxing using the
Capsicum API introduced in FreeBSD 10.
* Switch to a ChaCha20-based arc4random() PRNG for platforms that do
not provide their own.
* sshd(8): bz#2156: restore Linux oom_adj setting when handling
SIGHUP to maintain behaviour over retart.
* sshd(8): bz#2032: use local username in krb5_kuserok check rather
than full client name which may be of form user@REALM.
* ssh(1), sshd(8): Test for both the presence of ECC NID numbers in
OpenSSL and that they actually work. Fedora (at least) has
NID_secp521r1 that doesn't work.
* bz#2173: use pkg-config --libs to include correct -L location for
libedit.
Upstream condensed log:
Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
o Fix for CVE-2014-3513
o Fix for CVE-2014-3567
o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
o Fix for CVE-2014-3568
Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
SRP code can be overrun an internal buffer. Add sanity check that
g, A, B < N to SRP code.
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for discovering this issue.
(CVE-2014-3512)
[Steve Henson]
*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a
higher protocol version, by modifying the client's TLS records.
Thanks to David Benjamin and Adam Langley (Google) for discovering and
researching this issue.
(CVE-2014-3511)
[David Benjamin]
*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. A malicious server can crash the client
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
Thanks to Felix Gröbert (Google) for discovering and researching this
issue.
(CVE-2014-3510)
[Emilia Käsper]
*) By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3507)
[Adam Langley]
*) An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3506)
[Adam Langley]
*) An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This
can be exploited through a Denial of Service attack.
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
this issue.
(CVE-2014-3505)
[Adam Langley]
*) If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory.
Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue.
(CVE-2014-3509)
[Gabor Tyukasz]
*) A malicious server can crash an OpenSSL client with a null pointer
dereference (read) by specifying an SRP ciphersuite even though it was not
properly negotiated with the client. This can be exploited through a
Denial of Service attack.
Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
discovering and researching this issue.
(CVE-2014-5139)
[Steve Henson]
*) A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information
from the stack. Applications may be affected if they echo pretty printing
output to the attacker.
Thanks to Ivan Fratric (Google) for discovering this issue.
(CVE-2014-3508)
[Emilia Käsper, and Steve Henson]
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
bogus results, with non-infinity inputs mapped to infinity too.)
[Bodo Moeller]
Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
SRP code can be overrun an internal buffer. Add sanity check that
g, A, B < N to SRP code.
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for discovering this issue.
(CVE-2014-3512)
[Steve Henson]
*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a
higher protocol version, by modifying the client's TLS records.
Thanks to David Benjamin and Adam Langley (Google) for discovering and
researching this issue.
(CVE-2014-3511)
[David Benjamin]
*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. A malicious server can crash the client
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
Thanks to Felix Gröbert (Google) for discovering and researching this
issue.
(CVE-2014-3510)
[Emilia Käsper]
*) By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3507)
[Adam Langley]
*) An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3506)
[Adam Langley]
*) An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This
can be exploited through a Denial of Service attack.
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
this issue.
(CVE-2014-3505)
[Adam Langley]
*) If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory.
Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue.
(CVE-2014-3509)
[Gabor Tyukasz]
*) A malicious server can crash an OpenSSL client with a null pointer
dereference (read) by specifying an SRP ciphersuite even though it was not
properly negotiated with the client. This can be exploited through a
Denial of Service attack.
Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
discovering and researching this issue.
(CVE-2014-5139)
[Steve Henson]
*) A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information
from the stack. Applications may be affected if they echo pretty printing
output to the attacker.
Thanks to Ivan Fratric (Google) for discovering this issue.
(CVE-2014-3508)
[Emilia Käsper, and Steve Henson]
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
bogus results, with non-infinity inputs mapped to infinity too.)
[Bodo Moeller]
_______________
Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue. (CVE-2014-0224)
[KIKUCHI Masashi, Steve Henson]
*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(CVE-2014-0221)
[Imre Rad, Steve Henson]
*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.
Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
[Jüri Aedla, Steve Henson]
*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
are subject to a denial of service attack.
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
this issue. (CVE-2014-3470)
[Felix Gröbert, Ivan Fratric, Steve Henson]
*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
[mancha <mancha1@zoho.com>]
*) Fix eckey_priv_encode so it immediately returns an error upon a failure
in i2d_ECPrivateKey.
[mancha <mancha1@zoho.com>]
*) Fix some double frees. These are not thought to be exploitable.
[mancha <mancha1@zoho.com>]
christos