#8343: openssl-1.0.2i
-------------------------+-------------------------
 Reporter:  renodr       |      Owner:  blfs-book@…
     Type:  enhancement  |     Status:  new
 Priority:  high         |  Milestone:  7.11
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-------------------------
 New minor version.

 [https://www.openssl.org/news/secadv/20160922.txt]


 {{{

 OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
 =====================================================================

 Severity: High

 A malicious client can send an excessively large OCSP Status Request
 extension. If that client continually requests renegotiation, sending a
 large OCSP Status Request extension each time, then there will be unbounded
 memory growth on the server. This will eventually lead to a Denial Of
 Service attack through memory exhaustion. Servers with a default
 configuration are vulnerable even if they do not support OCSP. Builds using
 the "no-ocsp" build time option are not affected.

 Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a
 default configuration, instead only if an application explicitly enables
 OCSP stapling support.

 OpenSSL 1.1.0 users should upgrade to 1.1.0a
 OpenSSL 1.0.2 users should upgrade to 1.0.2i
 OpenSSL 1.0.1 users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear
 Team, Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
 development team.
 }}}

 {{{
 SWEET32 Mitigation (CVE-2016-2183)
 ==================================

 Severity: Low

 SWEET32 (https://sweet32.info) is an attack on older block cipher
 algorithms that use a block size of 64 bits. In mitigation for the SWEET32
 attack DES based ciphersuites have been moved from the HIGH cipherstring
 group to MEDIUM in OpenSSL 1.0.1 and OpenSSL 1.0.2. OpenSSL 1.1.0 since
 release has had these ciphersuites disabled by default.

 OpenSSL 1.0.2 users should upgrade to 1.0.2i
 OpenSSL 1.0.1 users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 16th August 2016 by Karthikeyan
 Bhargavan and Gaetan Leurent (INRIA). The fix was developed by Rich Salz
 of the OpenSSL development team.
 }}}


 {{{

 OOB write in MDC2_Update() (CVE-2016-6303)
 ==========================================

 Severity: Low

 An overflow can occur in MDC2_Update() either if called directly or
 through the EVP_DigestUpdate() function using MDC2. If an attacker
 is able to supply very large amounts of input data after a previous
 call to EVP_EncryptUpdate() with a partial block then a length check
 can overflow resulting in a heap corruption.

 The amount of data needed is comparable to SIZE_MAX which is impractical
 on most platforms.

 OpenSSL 1.0.2 users should upgrade to 1.0.2i
 OpenSSL 1.0.1 users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 11th August 2016 by Shi Lei (Gear
 Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
 OpenSSL development team.
 }}}


 {{{
 Malformed SHA512 ticket DoS (CVE-2016-6302)
 ===========================================

 Severity: Low

 If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
 DoS attack where a malformed ticket will result in an OOB read which will
 ultimately crash.

 The use of SHA512 in TLS session tickets is comparatively rare as it
 requires a custom server callback and ticket lookup mechanism.

 OpenSSL 1.0.2 users should upgrade to 1.0.2i
 OpenSSL 1.0.1 users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear
 Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
 OpenSSL development team.
 }}}

 {{{
 OOB write in BN_bn2dec() (CVE-2016-2182)
 ========================================

 Severity: Low

 The function BN_bn2dec() does not check the return value of BN_div_word().
 This can cause an OOB write if an application uses this function with an
 overly large BIGNUM. This could be a problem if an overly large certificate
 or CRL is printed out from an untrusted source. TLS is not affected because
 record limits will reject an oversized certificate before it is parsed.

 OpenSSL 1.0.2 users should upgrade to 1.0.2i
 OpenSSL 1.0.1 users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear
 Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
 OpenSSL development team.
 }}}

 {{{

 OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
 ==============================================

 Severity: Low

 The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
 the total length the OID text representation would use and not the amount
 of data written. This will result in OOB reads when large OIDs are
 presented.

 OpenSSL 1.0.2 users should upgrade to 1.0.2i
 OpenSSL 1.0.1 users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 21st July 2016 by Shi Lei (Gear
 Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
 OpenSSL development team.
 }}}

 {{{
 Pointer arithmetic undefined behaviour (CVE-2016-2177)
 ======================================================

 Severity: Low

 Avoid some undefined pointer arithmetic

 A common idiom in the codebase is to check limits in the following manner:
 "p + len > limit"

 Where "p" points to some malloc'd data of SIZE bytes and
 limit == p + SIZE

 "len" here could be from some externally supplied data (e.g. from a TLS
 message).

 The rules of C pointer arithmetic are such that "p + len" is only well
 defined where len <= SIZE. Therefore the above idiom is actually
 undefined behaviour.

 For example this could cause problems if some malloc implementation
 provides an address for "p" such that "p + len" actually overflows for
 values of len that are too big and therefore p + len < limit.

 OpenSSL 1.0.2 users should upgrade to 1.0.2i
 OpenSSL 1.0.1 users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The
 fix was developed by Matt Caswell of the OpenSSL development team.
 }}}
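 The bounds-check idiom described in the advisory above, contrasted with a
 defined replacement, as an added example that is not OpenSSL's code: a
 small parser for 2-byte length-prefixed fields (the shape of many TLS
 message fields) run over constructed input, plus a reproduction of the
 wraparound failure mode on `uintptr_t`, where wraparound is defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The advisory's idiom, "p + len > limit", forms p + len before comparing.
 * For oversized len that pointer lies outside the object, which is undefined
 * behaviour; a compiler may assume the check never fails. Not evaluated here. */

/* Defined replacement: p and limit lie in the same buffer, so their
 * difference is well defined and len is compared as a plain integer. */
int fits_safe(const unsigned char *p, size_t len, const unsigned char *limit)
{
    return p <= limit && len <= (size_t)(limit - p);
}

/* The failure mode the advisory sketches, reproduced on uintptr_t where
 * wraparound is defined (assumes uintptr_t and size_t have the same width):
 * with len near SIZE_MAX the sum wraps below limit and the check "passes". */
int wrapped_check_passes(const unsigned char *p, size_t len,
                         const unsigned char *limit)
{
    uintptr_t sum = (uintptr_t)p + (uintptr_t)len; /* wraps modulo 2^N */
    return sum <= (uintptr_t)limit;                /* wrongly "in bounds" */
}

/* Parse one field with a 2-byte big-endian length prefix. Returns the
 * payload length, or -1 if the prefix or the payload would run past limit.
 * Every bound is checked with fits_safe(), never by forming p + len first. */
long parse_field(const unsigned char *p, const unsigned char *limit,
                 const unsigned char **payload)
{
    if (!fits_safe(p, 2, limit))
        return -1;
    size_t len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (!fits_safe(p, len, limit))
        return -1;
    *payload = p;
    return (long)len;
}

/* Constructed input: a valid 3-byte field, then a field claiming 0xffff bytes. */
const unsigned char SAMPLE[8] = {0x00, 0x03, 'a', 'b', 'c', 0xff, 0xff, 0x00};

long sample_first_field(void)  { const unsigned char *pl; return parse_field(SAMPLE, SAMPLE + 8, &pl); }
long sample_second_field(void) { const unsigned char *pl; return parse_field(SAMPLE + 5, SAMPLE + 8, &pl); }
int  sample_wrapped_check(void) { return wrapped_check_passes(SAMPLE, SIZE_MAX - 3, SAMPLE + 8); }

int main(void)
{
    printf("first field: %ld bytes\n", sample_first_field());         /* 3 */
    printf("second field: %ld (rejected)\n", sample_second_field()); /* -1 */
    printf("wrapped idiom accepts oversized len: %d\n", sample_wrapped_check()); /* 1 */
    return 0;
}
```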

 {{{
 Constant time flag not preserved in DSA signing (CVE-2016-2178)
 ===============================================================

 Severity: Low

 Operations in the DSA signing algorithm should run in constant time in
 order to avoid side channel attacks. A flaw in the OpenSSL DSA
 implementation means that a non-constant time codepath is followed for
 certain operations. This has been demonstrated through a cache-timing
 attack to be sufficient for an attacker to recover the private DSA key.

 OpenSSL 1.0.2 users should upgrade to 1.0.2i
 OpenSSL 1.0.1 users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 23rd May 2016 by César Pereida (Aalto
 University), Billy Brumley (Tampere University of Technology), and Yuval
 Yarom (The University of Adelaide and NICTA). The fix was developed by
 César Pereida.
 }}}

 {{{
 DTLS buffered message DoS (CVE-2016-2179)
 =========================================

 Severity: Low

 In a DTLS connection where handshake messages are delivered out-of-order
 those messages that OpenSSL is not yet ready to process will be buffered
 for later use. Under certain circumstances, a flaw in the logic means that
 those messages do not get removed from the buffer even though the handshake
 has been completed. An attacker could force up to approx. 15 messages to
 remain in the buffer when they are no longer required. These messages will
 be cleared when the DTLS connection is closed. The default maximum size for
 a message is 100k. Therefore the attacker could force an additional 1500k
 to be consumed per connection. By opening many simultaneous connections an
 attacker could cause a DoS attack through memory exhaustion.

 OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i
 OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 22nd June 2016 by Quan Luo. The fix
 was developed by Matt Caswell of the OpenSSL development team.
 }}}

 {{{
 DTLS replay protection DoS (CVE-2016-2181)
 ==========================================

 Severity: Low

 A flaw in the DTLS replay attack protection mechanism means that records
 that arrive for future epochs update the replay protection "window" before
 the MAC for the record has been validated. This could be exploited by an
 attacker by sending a record for the next epoch (which does not have to
 decrypt or have a valid MAC), with a very large sequence number. This means
 that all subsequent legitimate packets are dropped causing a denial of
 service for a specific DTLS connection.

 OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i
 OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 21st November 2015 by the OCAP audit
 team. The fix was developed by Matt Caswell of the OpenSSL development
 team.
 }}}

 {{{

 Certificate message OOB reads (CVE-2016-6306)
 =============================================

 Severity: Low

 In OpenSSL 1.0.2 and earlier some missing message length checks can result
 in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
 theoretical DoS risk but this has not been observed in practice on common
 platforms.

 The messages affected are client certificate, client certificate request
 and server certificate. As a result the attack can only be performed
 against a client or a server which enables client authentication.

 OpenSSL 1.1.0 is not affected.

 OpenSSL 1.0.2 users should upgrade to 1.0.2i
 OpenSSL 1.0.1 users should upgrade to 1.0.1u

 This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear
 Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
 OpenSSL development team.
 }}}

 [https://mta.openssl.org/pipermail/openssl-announce/2016-September/000078.html]

 [https://mta.openssl.org/pipermail/openssl-announce/2016-September/000080.html]

 [https://sweet32.info/]


 {{{
  Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]

     OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
     SWEET32 Mitigation (CVE-2016-2183)
     OOB write in MDC2_Update() (CVE-2016-6303)
     Malformed SHA512 ticket DoS (CVE-2016-6302)
     OOB write in BN_bn2dec() (CVE-2016-2182)
     OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
     Pointer arithmetic undefined behaviour (CVE-2016-2177)
     Constant time flag not preserved in DSA signing (CVE-2016-2178)
     DTLS buffered message DoS (CVE-2016-2179)
     DTLS replay protection DoS (CVE-2016-2181)
     Certificate message OOB reads (CVE-2016-6306)
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/8343>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch