The branch master has been updated via 1a14f11cca34636357f9c5e5b5c249257285ac99 (commit) from 183632aa1c25411177778fe7b465c05db7d364b0 (commit)
- Log ----------------------------------------------------------------- commit 1a14f11cca34636357f9c5e5b5c249257285ac99 Author: Matt Caswell <m...@openssl.org> Date: Thu Nov 10 14:08:54 2016 +0000 Updates for new release ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 2 + news/secadv/20161110.txt | 96 ++++++++++++++++++++++++++++++++++++++++++++++++ news/vulnerabilities.xml | 74 ++++++++++++++++++++++++++++++++++++- 3 files changed, 171 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20161110.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 7cdd7aa..545bf1d 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,8 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +10-Nov-2016: <a href="/news/secadv/20161110.txt">Security Advisory</a>: several security fixes +10-Nov-2016: OpenSSL 1.1.0c is now available, including bug and security fixes 07-Nov-2016: OpenSSL 1.1.0c <a href="https://mta.openssl.org/pipermail/openssl-announce/2016-November/000085.html">security release due on 10th November 2016</a> 12-Oct-2016: New Blog post: <a href="https://www.openssl.org/blog/blog/2016/10/12/f2f-rt-github/">Face to Face: Goodbye RT, Hello GitHub</a> 26-Sep-2016: <a href="/news/secadv/20160926.txt">Security Advisory</a>: Two security fixes diff --git a/news/secadv/20161110.txt b/news/secadv/20161110.txt new file mode 100644 index 0000000..50c8203 --- /dev/null +++ b/news/secadv/20161110.txt 
@@ -0,0 +1,96 @@ + +OpenSSL Security Advisory [10 Nov 2016] +======================================== + +ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054) +====================================================== + +Severity: High + +TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS +attack by corrupting larger payloads. This can result in an OpenSSL crash. This +issue is not considered to be exploitable beyond a DoS. + +OpenSSL 1.1.0 users should upgrade to 1.1.0c + +This issue does not affect OpenSSL versions prior to 1.1.0 + +This issue was reported to OpenSSL on 25th September 2016 by Robert +Święcki (Google Security Team), and was found using honggfuzz. The fix +was developed by Richard Levitte of the OpenSSL development team. + +CMS Null dereference (CVE-2016-7053) +==================================== + +Severity: Moderate + +Applications parsing invalid CMS structures can crash with a NULL pointer +dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type +in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure +callback if an attempt is made to free certain invalid encodings. Only CHOICE +structures using a callback which do not handle NULL value are affected. + +OpenSSL 1.1.0 users should upgrade to 1.1.0c + +This issue does not affect OpenSSL versions prior to 1.1.0 + +This issue was reported to OpenSSL on 12th October 2016 by Tyler Nighswander of +ForAllSecure. The fix was developed by Stephen Henson of the OpenSSL +development team. + +Montgomery multiplication may produce incorrect results (CVE-2016-7055) +======================================================================= + +Severity: Low + +There is a carry propagating bug in the Broadwell-specific Montgomery +multiplication procedure that handles input lengths divisible by, but +longer than 256 bits. Analysis suggests that attacks against RSA, DSA +and DH private keys are impossible. 
This is because the subroutine in +question is not used in operations with the private key itself and an input +of the attacker's direct choice. Otherwise the bug can manifest itself as +transient authentication and key negotiation failures or reproducible +erroneous outcome of public-key operations with specially crafted input. +Among EC algorithms only Brainpool P-512 curves are affected and one +presumably can attack ECDH key negotiation. Impact was not analyzed in +detail, because pre-requisites for attack are considered unlikely. Namely +multiple clients have to choose the curve in question and the server has to +share the private key among them, neither of which is default behaviour. +Even then only clients that chose the curve will be affected. + +OpenSSL 1.1.0 users should upgrade to 1.1.0c + +This issue does not affect OpenSSL versions prior to 1.0.2. Due to the low +severity of this defect we are not issuing a new 1.0.2 release at this time. +We recommend that 1.0.2 users wait for the next 1.0.2 release for the fix to +become available. The fix is also available in the OpenSSL git repository in +commit 57c4b9f6a2. + +This issue was publicly reported as transient failures and was not +initially recognized as a security issue. Thanks to Richard Morgan for +providing reproducible case. The fix was developed by Andy Polyakov of +the OpenSSL development team. + +Note +==== + +As per our previous announcements and our Release Strategy +(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL +version 1.0.1 will cease on 31st December 2016. No security updates for that +version will be provided after that date. Users of 1.0.1 are advised to +upgrade. + +Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those +versions are no longer receiving security updates. 
+ +References +========== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20161110.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 392128c..1f716ff 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
@@ -5,7 +5,79 @@ 1.0.0 on 20100329 --> -<security updated="20160926"> +<security updated="20161110"> + <issue public="20161110"> + <impact severity="High"/> + <cve name="2016-7054"/> + <affects base="1.1.0" version="1.1.0"/> + <affects base="1.1.0" version="1.1.0a"/> + <affects base="1.1.0" version="1.1.0b"/> + <fixed base="1.1.0" version="1.1.0c" date="20161110"/> + <description> + TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to + a DoS attack by corrupting larger payloads. This can result in an OpenSSL + crash. This issue is not considered to be exploitable beyond a DoS. + </description> + <advisory url="/news/secadv/20161110.txt"/> + <reported source="Robert Święcki (Google Security Team)" date="20160925"/> + </issue> + <issue public="20161110"> + <impact severity="Moderate"/> + <cve name="2016-7053"/> + <affects base="1.1.0" version="1.1.0"/> + <affects base="1.1.0" version="1.1.0a"/> + <affects base="1.1.0" version="1.1.0b"/> + <fixed base="1.1.0" version="1.1.0c" date="20161110"/> + <description> + Applications parsing invalid CMS structures can crash with a NULL pointer + dereference. This is caused by a bug in the handling of the ASN.1 CHOICE + type in OpenSSL 1.1.0 which can result in a NULL value being passed to the + structure callback if an attempt is made to free certain invalid + encodings. Only CHOICE structures using a callback which do not handle + NULL value are affected. 
+ </description> + <advisory url="/news/secadv/20161110.txt"/> + <reported source="Tyler Nighswander (ForAllSecure)" date="20161012"/> + </issue> + <issue public="20161110"> + <impact severity="Low"/> + <cve name="2016-7055"/> + <affects base="1.1.0" version="1.1.0"/> + <affects base="1.1.0" version="1.1.0a"/> + <affects base="1.1.0" version="1.1.0b"/> + <affects base="1.0.2" version="1.0.2"/> + <affects base="1.0.2" version="1.0.2a"/> + <affects base="1.0.2" version="1.0.2b"/> + <affects base="1.0.2" version="1.0.2c"/> + <affects base="1.0.2" version="1.0.2d"/> + <affects base="1.0.2" version="1.0.2e"/> + <affects base="1.0.2" version="1.0.2f"/> + <affects base="1.0.2" version="1.0.2g"/> + <affects base="1.0.2" version="1.0.2h"/> + <affects base="1.0.2" version="1.0.2i"/> + <affects base="1.0.2" version="1.0.2j"/> + <fixed base="1.1.0" version="1.1.0c" date="20161110"/> + <description> + There is a carry propagating bug in the Broadwell-specific Montgomery + multiplication procedure that handles input lengths divisible by, but + longer than 256 bits. Analysis suggests that attacks against RSA, DSA + and DH private keys are impossible. This is because the subroutine in + question is not used in operations with the private key itself and an + input of the attacker's direct choice. Otherwise the bug can manifest + itself as transient authentication and key negotiation failures or + reproducible erroneous outcome of public-key operations with specially + crafted input. Among EC algorithms only Brainpool P-512 curves are + affected and one presumably can attack ECDH key negotiation. Impact was + not analyzed in detail, because pre-requisites for attack are considered + unlikely. Namely multiple clients have to choose the curve in question and + the server has to share the private key among them, neither of which is + default behaviour. Even then only clients that chose the curve will be + affected.ctures using a callback which do not handle NULL value are + affected. 
+ </description> + <advisory url="/news/secadv/20161110.txt"/> + <reported source="Publicly reported" /> + </issue> <issue public="20160926"> <impact severity="Critical"/> <cve name="2016-6309"/>
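Review bot: In news/secadv/20161110.txt, the CVE-2016-7055 section refers 1.0.2 users to "commit 57c4b9f6a2" without saying which branch carries it, and gives only an abbreviated hash. Since the same paragraph tells 1.0.2 users to wait for the next 1.0.2 release, name the branch and consider the full commit id so the fix can be located unambiguously. In the same section, "for providing reproducible case" is missing an article ("a reproducible case"), and unlike the other two issues this one states no report date.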
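Review bot: In news/vulnerabilities.xml, the <description> of the CVE-2016-7055 issue ends with "affected.ctures using a callback which do not handle NULL value are affected.", which is leftover text from the CVE-2016-7053 description pasted after the final sentence. End the description at "Even then only clients that chose the curve will be affected." The same issue lists 1.0.2 through 1.0.2j under <affects> but carries only <fixed base="1.1.0" version="1.1.0c" .../>, so a reader of the XML alone cannot tell how the 1.0.2 line is handled; consider recording the git fix the advisory mentions, or stating in the description that no fixed 1.0.2 release exists yet.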