The branch master has been updated
       via  96fab6a7b7406a9d4334c7b8d76c9da02dc35a62 (commit)
      from  3529993430cd665987db1ade8fa5e6f17fd9fdc7 (commit)


- Log -----------------------------------------------------------------
commit 96fab6a7b7406a9d4334c7b8d76c9da02dc35a62
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Feb 16 15:47:12 2021 +0000

    Updates for the new release
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 news/newsflash.txt       |   1 +
 news/secadv/20210216.txt | 123 ++++++++++++++++++++++++++++++
 news/vulnerabilities.xml | 193 ++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 316 insertions(+), 1 deletion(-)
 create mode 100644 news/secadv/20210216.txt

diff --git a/news/newsflash.txt b/news/newsflash.txt
index 176275b..16f4f7c 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -5,6 +5,7 @@
 # headings.  URL paths must all be absolute.
 Date: Item
 
+16-Feb-2021: OpenSSL 1.1.1j is now available, including bug and security fixes
 28-Jan-2021: Alpha 11 of OpenSSL 3.0 is now available: please download and 
test it
 07-Jan-2021: Alpha 10 of OpenSSL 3.0 is now available: please download and 
test it
 08-Dec-2020: OpenSSL 1.1.1i is now available, including bug and security fixes
diff --git a/news/secadv/20210216.txt b/news/secadv/20210216.txt
new file mode 100644
index 0000000..bac4b39
--- /dev/null
+++ b/news/secadv/20210216.txt
@@ -0,0 +1,123 @@
+OpenSSL Security Advisory [16 February 2021]
+============================================
+
+Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)
+====================================================================
+
+Severity: Moderate
+
+The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
+create a unique hash value based on the issuer and serial number data contained
+within an X509 certificate. However it fails to correctly handle any errors
+that may occur while parsing the issuer field (which might occur if the issuer
+field is maliciously constructed). This may subsequently result in a NULL
+pointer deref and a crash leading to a potential denial of service attack.
+
+The function X509_issuer_and_serial_hash() is never directly called by OpenSSL
+itself so applications are only vulnerable if they use this function directly
+and they use it on certificates that may have been obtained from untrusted
+sources.
+
+OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
+versions should upgrade to OpenSSL 1.1.1j.
+
+OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
+1.0.2 is out of support and no longer receiving public updates. Premium support
+customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
+to 1.1.1j.
+
+This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy from
+Google. The fix was developed by Matt Caswell.
+
+Incorrect SSLv2 rollback protection (CVE-2021-23839)
+====================================================
+
+Severity: Low
+
+OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a
+server that is configured to support both SSLv2 and more recent SSL and TLS
+versions then a check is made for a version rollback attack when unpadding an
+RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are
+supposed to use a special form of padding. A server that supports greater than
+SSLv2 is supposed to reject connection attempts from a client where this 
special
+form of padding is present, because this indicates that a version rollback has
+occurred (i.e. both client and server support greater than SSLv2, and yet this
+is the version that is being requested).
+
+The implementation of this padding check inverted the logic so that the
+connection attempt is accepted if the padding is present, and rejected if it
+is absent. This means that such as server will accept a connection if a version
+rollback attack has occurred. Further the server will erroneously reject a
+connection if a normal SSLv2 connection attempt is made.
+
+Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this
+issue. In order to be vulnerable a 1.0.2 server must:
+
+1) have configured SSLv2 support at compile time (this is off by default),
+2) have configured SSLv2 support at runtime (this is off by default),
+3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite
+   list)
+
+OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to
+this issue. The underlying error is in the implementation of the
+RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING
+padding mode used by various other functions. Although 1.1.1 does not support
+SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the
+RSA_SSLV23_PADDING padding mode. Applications that directly call that function
+or use that padding mode will encounter this issue. However since there is no
+support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a
+security issue in that version.
+
+OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium
+support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
+upgrade to 1.1.1j.
+
+This issue was reported to OpenSSL on 21st January 2021 by D. Katz and Joel
+Luellwitz from Trustwave. The fix was developed by Matt Caswell.
+
+Integer overflow in CipherUpdate (CVE-2021-23840)
+=================================================
+
+Severity: Low
+
+Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow
+the output length argument in some cases where the input length is close to the
+maximum permissable length for an integer on the platform. In such cases the
+return value from the function call will be 1 (indicating success), but the
+output length value will be negative. This could cause applications to behave
+incorrectly or crash.
+
+OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
+versions should upgrade to OpenSSL 1.1.1j.
+
+OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
+1.0.2 is out of support and no longer receiving public updates. Premium support
+customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
+to 1.1.1j.
+
+This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The 
fix
+was developed by Matt Caswell.
+
+Note
+====
+
+OpenSSL 1.0.2 is out of support and no longer receiving public updates. 
Extended
+support is available for premium support customers:
+https://www.openssl.org/support/contracts.html
+
+OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
+The impact of these issues on OpenSSL 1.1.0 has not been analysed.
+
+Users of these versions should upgrade to OpenSSL 1.1.1.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20210216.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 93543ac..5ac7dc8 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -7,7 +7,198 @@
 
 <!-- The updated attribute should be the same as the first public issue,
      unless an old entry was updated. -->
-<security updated="20201208">
+<security updated="20210216">
+  <issue public="20210216">
+    <impact severity="Moderate"/>
+    <cve name="2021-23841"/>
+    <affects base="1.1.1" version="1.1.1"/>
+    <affects base="1.1.1" version="1.1.1a"/>
+    <affects base="1.1.1" version="1.1.1b"/>
+    <affects base="1.1.1" version="1.1.1c"/>
+    <affects base="1.1.1" version="1.1.1d"/>
+    <affects base="1.1.1" version="1.1.1e"/>
+    <affects base="1.1.1" version="1.1.1f"/>
+    <affects base="1.1.1" version="1.1.1g"/>
+    <affects base="1.1.1" version="1.1.1h"/>
+    <affects base="1.1.1" version="1.1.1i"/>
+    <affects base="1.0.2" version="1.0.2"/>
+    <affects base="1.0.2" version="1.0.2a"/>
+    <affects base="1.0.2" version="1.0.2b"/>
+    <affects base="1.0.2" version="1.0.2c"/>
+    <affects base="1.0.2" version="1.0.2d"/>
+    <affects base="1.0.2" version="1.0.2e"/>
+    <affects base="1.0.2" version="1.0.2f"/>
+    <affects base="1.0.2" version="1.0.2g"/>
+    <affects base="1.0.2" version="1.0.2h"/>
+    <affects base="1.0.2" version="1.0.2i"/>
+    <affects base="1.0.2" version="1.0.2j"/>
+    <affects base="1.0.2" version="1.0.2k"/>
+    <affects base="1.0.2" version="1.0.2l"/>
+    <affects base="1.0.2" version="1.0.2m"/>
+    <affects base="1.0.2" version="1.0.2n"/>
+    <affects base="1.0.2" version="1.0.2o"/>
+    <affects base="1.0.2" version="1.0.2p"/>
+    <affects base="1.0.2" version="1.0.2q"/>
+    <affects base="1.0.2" version="1.0.2r"/>
+    <affects base="1.0.2" version="1.0.2s"/>
+    <affects base="1.0.2" version="1.0.2t"/>
+    <affects base="1.0.2" version="1.0.2u"/>
+    <affects base="1.0.2" version="1.0.2v"/>
+    <affects base="1.0.2" version="1.0.2w"/>
+    <affects base="1.0.2" version="1.0.2x"/>
+    <fixed base="1.1.1" version="1.1.1j" date="20210216">
+      <git hash="122a19ab48091c657f7cb1fb3af9fc07bd557bbf"/>
+    </fixed>
+    <fixed base="1.0.2" version="1.0.2y" date="20210216">
+      <git hash="8252ee4d90f3f2004d3d0aeeed003ad49c9a7807"/>
+    </fixed>
+    <problemtype>NULL pointer dereference</problemtype>
+    <title>Null pointer deref in X509_issuer_and_serial_hash()</title>
+    <description>
+The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
+create a unique hash value based on the issuer and serial number data contained
+within an X509 certificate. However it fails to correctly handle any errors
+that may occur while parsing the issuer field (which might occur if the issuer
+field is maliciously constructed). This may subsequently result in a NULL
+pointer deref and a crash leading to a potential denial of service attack.
+
+The function X509_issuer_and_serial_hash() is never directly called by OpenSSL
+itself so applications are only vulnerable if they use this function directly
+and they use it on certificates that may have been obtained from untrusted
+sources.
+
+OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
+versions should upgrade to OpenSSL 1.1.1j.
+
+OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
+1.0.2 is out of support and no longer receiving public updates. Premium support
+customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
+to 1.1.1j.
+    </description>
+    <advisory url="/news/secadv/20210216.txt"/>
+    <reported source="Tavis Ormandy (Google)"/>
+  </issue>
+  <issue public="20210216">
+    <impact severity="Low"/>
+    <cve name="2021-23839"/>
+    <affects base="1.0.2" version="1.0.2s"/>
+    <affects base="1.0.2" version="1.0.2t"/>
+    <affects base="1.0.2" version="1.0.2u"/>
+    <affects base="1.0.2" version="1.0.2v"/>
+    <affects base="1.0.2" version="1.0.2w"/>
+    <affects base="1.0.2" version="1.0.2x"/>
+    <fixed base="1.0.2" version="1.0.2y" date="20210216">
+      <git hash="30919ab80a478f2d81f2e9acdcca3fa4740cd547"/>
+    </fixed>
+    <problemtype>Rollback attack</problemtype>
+    <title>Incorrect SSLv2 rollback protection</title>
+    <description>
+OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a
+server that is configured to support both SSLv2 and more recent SSL and TLS
+versions then a check is made for a version rollback attack when unpadding an
+RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are
+supposed to use a special form of padding. A server that supports greater than
+SSLv2 is supposed to reject connection attempts from a client where this 
special
+form of padding is present, because this indicates that a version rollback has
+occurred (i.e. both client and server support greater than SSLv2, and yet this
+is the version that is being requested).
+
+The implementation of this padding check inverted the logic so that the
+connection attempt is accepted if the padding is present, and rejected if it
+is absent. This means that such as server will accept a connection if a version
+rollback attack has occurred. Further the server will erroneously reject a
+connection if a normal SSLv2 connection attempt is made.
+
+Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this
+issue. In order to be vulnerable a 1.0.2 server must:
+
+1) have configured SSLv2 support at compile time (this is off by default),
+2) have configured SSLv2 support at runtime (this is off by default),
+3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite
+   list)
+
+OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to
+this issue. The underlying error is in the implementation of the
+RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING
+padding mode used by various other functions. Although 1.1.1 does not support
+SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the
+RSA_SSLV23_PADDING padding mode. Applications that directly call that function
+or use that padding mode will encounter this issue. However since there is no
+support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a
+security issue in that version.
+
+OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium
+support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
+upgrade to 1.1.1j.
+    </description>
+    <advisory url="/news/secadv/20210216.txt"/>
+    <reported source="D. Katz and Joel Luellwitz (Trustwave)"/>
+  </issue>
+  <issue public="20210216">
+    <impact severity="Low"/>
+    <cve name="2021-23841"/>
+    <affects base="1.1.1" version="1.1.1"/>
+    <affects base="1.1.1" version="1.1.1a"/>
+    <affects base="1.1.1" version="1.1.1b"/>
+    <affects base="1.1.1" version="1.1.1c"/>
+    <affects base="1.1.1" version="1.1.1d"/>
+    <affects base="1.1.1" version="1.1.1e"/>
+    <affects base="1.1.1" version="1.1.1f"/>
+    <affects base="1.1.1" version="1.1.1g"/>
+    <affects base="1.1.1" version="1.1.1h"/>
+    <affects base="1.1.1" version="1.1.1i"/>
+    <affects base="1.0.2" version="1.0.2"/>
+    <affects base="1.0.2" version="1.0.2a"/>
+    <affects base="1.0.2" version="1.0.2b"/>
+    <affects base="1.0.2" version="1.0.2c"/>
+    <affects base="1.0.2" version="1.0.2d"/>
+    <affects base="1.0.2" version="1.0.2e"/>
+    <affects base="1.0.2" version="1.0.2f"/>
+    <affects base="1.0.2" version="1.0.2g"/>
+    <affects base="1.0.2" version="1.0.2h"/>
+    <affects base="1.0.2" version="1.0.2i"/>
+    <affects base="1.0.2" version="1.0.2j"/>
+    <affects base="1.0.2" version="1.0.2k"/>
+    <affects base="1.0.2" version="1.0.2l"/>
+    <affects base="1.0.2" version="1.0.2m"/>
+    <affects base="1.0.2" version="1.0.2n"/>
+    <affects base="1.0.2" version="1.0.2o"/>
+    <affects base="1.0.2" version="1.0.2p"/>
+    <affects base="1.0.2" version="1.0.2q"/>
+    <affects base="1.0.2" version="1.0.2r"/>
+    <affects base="1.0.2" version="1.0.2s"/>
+    <affects base="1.0.2" version="1.0.2t"/>
+    <affects base="1.0.2" version="1.0.2u"/>
+    <affects base="1.0.2" version="1.0.2v"/>
+    <affects base="1.0.2" version="1.0.2w"/>
+    <affects base="1.0.2" version="1.0.2x"/>
+    <fixed base="1.1.1" version="1.1.1j" date="20210216">
+      <git hash="6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1"/>
+    </fixed>
+    <fixed base="1.0.2" version="1.0.2y" date="20210216">
+      <git hash="9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2"/>
+    </fixed>
+    <problemtype>Overflow</problemtype>
+    <title>Integer overflow in CipherUpdate</title>
+    <description>
+Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow
+the output length argument in some cases where the input length is close to the
+maximum permissable length for an integer on the platform. In such cases the
+return value from the function call will be 1 (indicating success), but the
+output length value will be negative. This could cause applications to behave
+incorrectly or crash.
+
+OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
+versions should upgrade to OpenSSL 1.1.1j.
+
+OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
+1.0.2 is out of support and no longer receiving public updates. Premium support
+customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
+to 1.1.1j.
+    </description>
+    <advisory url="/news/secadv/20210216.txt"/>
+    <reported source="Paul Kehrer"/>
+  </issue>
   <issue public="20201208">
     <impact severity="High"/>
     <cve name="2020-1971"/>

Reply via email to