The branch master has been updated via 61bead2a571724dab0540bcd2b390a559f1fd515 (commit) from e7fa3cd70c15cfc026bb84142e39b3202f1e2526 (commit)
- Log ----------------------------------------------------------------- commit 61bead2a571724dab0540bcd2b390a559f1fd515 Author: Matt Caswell <m...@openssl.org> Date: Thu Jan 28 14:37:36 2016 +0000 Updates for the new release ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 2 + news/secadv/20160128.txt | 138 +++++++++++++++++++++++++++++++++++++++++++++++ news/vulnerabilities.xml | 103 ++++++++++++++++++++++++++++++++++- 3 files changed, 242 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20160128.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 4ec145d..0a9c18b 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,8 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +28-Jan-2016: OpenSSL 1.0.2f is now available, including bug and security fixes +28-Jan-2016: OpenSSL 1.0.1r is now available, including bug and security fixes 25-Jan-2016: OpenSSL 1.0.2f and 1.0.1r <a href="https://mta.openssl.org/pipermail/openssl-announce/2016-January/000058.html">security releases due 28th Jan 2016</a> 14-Jan-2016: Alpha 2 of OpenSSL 1.1.0 is now available: please download and test it 10-Dec-2015: Alpha 1 of OpenSSL 1.1.0 is now available: please download and test it diff --git a/news/secadv/20160128.txt b/news/secadv/20160128.txt new file mode 100644 index 0000000..43a8933 --- /dev/null +++ b/news/secadv/20160128.txt 
@@ -0,0 +1,138 @@ +OpenSSL Security Advisory [28th Jan 2016] +========================================= + +NOTE: SUPPORT FOR VERSION 1.0.1 WILL BE ENDING ON 31ST DECEMBER 2016. NO +SECURITY FIXES WILL BE PROVIDED AFTER THAT DATE. UNTIL THAT TIME SECURITY FIXES +ONLY ARE BEING APPLIED. + +DH small subgroups (CVE-2016-0701) +================================== + +Severity: High + +Historically OpenSSL usually only ever generated DH parameters based on "safe" +primes. More recently (in version 1.0.2) support was provided for generating +X9.42 style parameter files such as those required for RFC 5114 support. The +primes used in such files may not be "safe". Where an application is using DH +configured with parameters based on primes that are not "safe" then an attacker +could use this fact to find a peer's private DH exponent. This attack requires +that the attacker complete multiple handshakes in which the peer uses the same +private DH exponent. For example this could be used to discover a TLS server's +private DH exponent if it's reusing the private DH exponent or it's using a +static DH ciphersuite. + +OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. +It is not on by default. If the option is not set then the server reuses the +same private DH exponent for the life of the server process and would be +vulnerable to this attack. It is believed that many popular applications do set +this option and would therefore not be at risk. + +OpenSSL before 1.0.2f will reuse the key if: +- SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not + set. +- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the + parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is + an undocumted feature and parameter files don't contain the key. +- Static DH ciphersuites are used. The key is part of the certificate and + so it will always reuse it. This is only supported in 1.0.2. 
+ +It will not reuse the key for DHE ciphers suites if: +- SSL_OP_SINGLE_DH_USE is set +- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the + callback does not provide the key, only the parameters. The callback is + almost always used like this. + +Non-safe primes are generated by OpenSSL when using: +- genpkey with the dh_rfc5114 option. This will write an X9.42 style file + including the prime-order subgroup size "q". This is supported since the 1.0.2 + version. Older versions can't read files generated in this way. +- dhparam with the -dsaparam option. This has always been documented as + requiring the single use. + +The fix for this issue adds an additional check where a "q" parameter is +available (as is the case in X9.42 based parameters). This detects the +only known attack, and is the only possible defense for static DH ciphersuites. +This could have some performance impact. + +Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default +and cannot be disabled. This could have some performance impact. + +This issue affects OpenSSL version 1.0.2. + +OpenSSL 1.0.2 users should upgrade to 1.0.2f + +OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42 +based parameters. It is possible to generate parameters using non "safe" primes, +but this option has always been documented as requiring single use and is not +the default or believed to be common. However, as a precaution, the +SSL_OP_SINGLE_DH_USE change has also been backported to 1.0.1r. + +This issue was reported to OpenSSL on 12 January 2016 by Antonio Sanso (Adobe). +The fix was developed by Matt Caswell of the OpenSSL development team +(incorporating some work originally written by Stephen Henson of the OpenSSL +core team). 
+ +SSLv2 doesn't block disabled ciphers (CVE-2015-3197) +==================================================== + +Severity: Low + +A malicious client can negotiate SSLv2 ciphers that have been disabled on the +server and complete SSLv2 handshakes even if all SSLv2 ciphers have been +disabled, provided that the SSLv2 protocol was not also disabled via +SSL_OP_NO_SSLv2. + +This issue affects OpenSSL versions 1.0.2 and 1.0.1. + +OpenSSL 1.0.2 users should upgrade to 1.0.2f +OpenSSL 1.0.1 users should upgrade to 1.0.1r + +This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and +Sebastian Schinzel. The fix was developed by Nimrod Aviram with further +development by Viktor Dukhovni of the OpenSSL development team. + + +An update on DHE man-in-the-middle protection (Logjam) +==================================================================== + +A previously published vulnerability in the TLS protocol allows a +man-in-the-middle attacker to downgrade vulnerable TLS connections +using ephemeral Diffie-Hellman key exchange to 512-bit export-grade +cryptography. This vulnerability is known as Logjam +(CVE-2015-4000). OpenSSL added Logjam mitigation for TLS clients by +rejecting handshakes with DH parameters shorter than 768 bits in +releases 1.0.2b and 1.0.1n. + +This limit has been increased to 1024 bits in this release, to offer +stronger cryptographic assurance for all TLS connections using +ephemeral Diffie-Hellman key exchange. + +OpenSSL 1.0.2 users should upgrade to 1.0.2f +OpenSSL 1.0.1 users should upgrade to 1.0.1r + +The fix was developed by Kurt Roeckx of the OpenSSL development team. + +Note +==== + +As per our previous announcements and our Release Strategy +(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL +version 1.0.1 will cease on 31st December 2016. No security updates for that +version will be provided after that date. Users of 1.0.1 are +advised to upgrade. 
+ +Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions +are no longer receiving security updates. + +References +========== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20160128.txt + +Note: the online version of the advisory may be updated with additional +details over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html + diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index e7b720e..fb59f52 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
@@ -5,7 +5,108 @@ 1.0.0 on 20100329 --> -<security updated="20151203"> +<security updated="20160128"> + <issue public="20160128"> + <impact severity="High"/> + <cve name="2016-0701"/> + <affects base="1.0.2" version="1.0.2"/> + <affects base="1.0.2" version="1.0.2a"/> + <affects base="1.0.2" version="1.0.2b"/> + <affects base="1.0.2" version="1.0.2c"/> + <affects base="1.0.2" version="1.0.2d"/> + <affects base="1.0.2" version="1.0.2e"/> + <fixed base="1.0.2" version="1.0.2f" date="2016-0701"/> + + <description> + Historically OpenSSL usually only ever generated DH parameters based on "safe" + primes. More recently (in version 1.0.2) support was provided for generating + X9.42 style parameter files such as those required for RFC 5114 support. The + primes used in such files may not be "safe". Where an application is using DH + configured with parameters based on primes that are not "safe" then an attacker + could use this fact to find a peer's private DH exponent. This attack requires + that the attacker complete multiple handshakes in which the peer uses the same + private DH exponent. For example this could be used to discover a TLS server's + private DH exponent if it's reusing the private DH exponent or it's using a + static DH ciphersuite. + + OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. + It is not on by default. If the option is not set then the server reuses the + same private DH exponent for the life of the server process and would be + vulnerable to this attack. It is believed that many popular applications do set + this option and would therefore not be at risk. + + OpenSSL before 1.0.2f will reuse the key if: + - SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not + set. + - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the + parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is + an undocumted feature and parameter files don't contain the key. 
+ - Static DH ciphersuites are used. The key is part of the certificate and + so it will always reuse it. This is only supported in 1.0.2. + + It will not reuse the key for DHE ciphers suites if: + - SSL_OP_SINGLE_DH_USE is set + - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the + callback does not provide the key, only the parameters. The callback is + almost always used like this. + + Non-safe primes are generated by OpenSSL when using: + - genpkey with the dh_rfc5114 option. This will write an X9.42 style file + including the prime-order subgroup size "q". This is supported since the 1.0.2 + version. Older versions can't read files generated in this way. + - dhparam with the -dsaparam option. This has always been documented as + requiring the single use. + + The fix for this issue adds an additional check where a "q" parameter is + available (as is the case in X9.42 based parameters). This detects the + only known attack, and is the only possible defense for static DH ciphersuites. + This could have some performance impact. + + Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default + and cannot be disabled. This could have some performance impact. 
+ </description> + <advisory url="/news/secadv/20160128.txt"/> + <reported source="Antonio Sanso (Adobe)"/> + </issue> + <issue public="20160128"> + <impact severity="Low"/> + <cve name="2015-3197"/> + <affects base="1.0.1" version="1.0.1"/> + <affects base="1.0.1" version="1.0.1a"/> + <affects base="1.0.1" version="1.0.1b"/> + <affects base="1.0.1" version="1.0.1c"/> + <affects base="1.0.1" version="1.0.1d"/> + <affects base="1.0.1" version="1.0.1e"/> + <affects base="1.0.1" version="1.0.1f"/> + <affects base="1.0.1" version="1.0.1g"/> + <affects base="1.0.1" version="1.0.1h"/> + <affects base="1.0.1" version="1.0.1i"/> + <affects base="1.0.1" version="1.0.1j"/> + <affects base="1.0.1" version="1.0.1k"/> + <affects base="1.0.1" version="1.0.1l"/> + <affects base="1.0.1" version="1.0.1m"/> + <affects base="1.0.1" version="1.0.1n"/> + <affects base="1.0.1" version="1.0.1o"/> + <affects base="1.0.1" version="1.0.1p"/> + <affects base="1.0.1" version="1.0.1q"/> + <affects base="1.0.2" version="1.0.2"/> + <affects base="1.0.2" version="1.0.2a"/> + <affects base="1.0.2" version="1.0.2b"/> + <affects base="1.0.2" version="1.0.2c"/> + <affects base="1.0.2" version="1.0.2d"/> + <affects base="1.0.2" version="1.0.2e"/> + <fixed base="1.0.1" version="1.0.1r" date="20160128"/> + <fixed base="1.0.2" version="1.0.2f" date="20160128"/> + + <description> + A malicious client can negotiate SSLv2 ciphers that have been disabled on the + server and complete SSLv2 handshakes even if all SSLv2 ciphers have been + disabled, provided that the SSLv2 protocol was not also disabled via + SSL_OP_NO_SSLv2. + </description> + <advisory url="/news/secadv/20160128.txt"/> + <reported source="Nimrod Aviram and Sebastian Schinzel"/> + </issue> <issue public="20150811"> <impact severity="Low"/> <cve name="2015-1794"/> _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
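Review bot: In the news/newsflash.txt hunk, the two new 28-Jan-2016 entries carry no link, while the adjacent 25-Jan-2016 entry links to the announcement and the advisory file news/secadv/20160128.txt is created in this same commit; consider pointing each new entry at it with an absolute path as the file's header comment requires, e.g. `28-Jan-2016: OpenSSL 1.0.2f is now available, including <a href="/news/secadv/20160128.txt">bug and security fixes</a>`.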
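Review bot: Typos in the new news/secadv/20160128.txt text: "an undocumted feature" in the "OpenSSL before 1.0.2f will reuse the key if:" list should read "undocumented", and "DHE ciphers suites" in the following list should be "DHE ciphersuites"; the same "undocumted" is copied verbatim into the CVE-2016-0701 description in news/vulnerabilities.xml, so correct it in both files. Minor style point: the `====` underline beneath "An update on DHE man-in-the-middle protection (Logjam)" is noticeably longer than the heading, unlike every other section heading in the advisory, and should be trimmed to the heading's length.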
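Review bot: In the news/vulnerabilities.xml hunk, the CVE-2016-0701 entry has `<fixed base="1.0.2" version="1.0.2f" date="2016-0701"/>`, whose date attribute is not a date at all (it matches the CVE number) and does not follow the YYYYMMDD form used by every other `fixed` and `public` attribute in the same hunk; it should be `date="20160128"`, consistent with the `<fixed base="1.0.2" version="1.0.2f" date="20160128"/>` line in the CVE-2015-3197 entry, since this attribute is what the generated vulnerabilities page reports as the fix date.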