OpenSSL Security Advisory

2024-09-03 Thread Tomas Mraz
OpenSSL Security Advisory [3rd September 2024]
==

Possible denial of service in X.509 name checks (CVE-2024-6119)
===

Severity: Moderate

Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can a cause a denial of
service.

Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.

Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a "reference identifier" (expected
identity), but rather extract the presented identity after checking the
certificate chain.  So TLS servers are generally not affected and the severity
of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.

OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.2

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.3

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.7

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.15

This issue was reported on 16th June 2024 by David Benjamin (Google),
reiterating an AddressSanitizer issue raised on 30th September 2021.  The fix
was developed by Viktor Dukhovni.

General Advisory Notes
==

URL for this Security Advisory:
https://openssl-library.org/news/secadv/20240903.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://openssl-library.org/policies/general/security-policy/

-- 
You received this message because you are subscribed to the Google Groups 
"openssl-announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to openssl-announce+unsubscr...@openssl.org.


signature.asc
Description: This is a digitally signed message part


OpenSSL Security Advisory

2024-06-27 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [27th June 2024]
==

SSL_select_next_proto buffer overread (CVE-2024-5535)
=

Severity: Low

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an
empty supported client protocols buffer may cause a crash or memory contents to
be sent to the peer.

Impact summary: A buffer overread can have a range of potential consequences
such as unexpected application beahviour or a crash. In particular this issue
could result in up to 255 bytes of arbitrary private data from memory being sent
to the peer leading to a loss of confidentiality. However, only applications
that directly call the SSL_select_next_proto function with a 0 length list of
supported client protocols are affected by this issue. This would normally never
be a valid scenario and is typically not under attacker control but may occur by
accident in the case of a configuration or programming error in the calling
application.

The OpenSSL API function SSL_select_next_proto is typically used by TLS
applications that support ALPN (Application Layer Protocol Negotiation) or NPN
(Next Protocol Negotiation). NPN is older, was never standardised and
is deprecated in favour of ALPN. We believe that ALPN is significantly more
widely deployed than NPN. The SSL_select_next_proto function accepts a list of
protocols from the server and a list of protocols from the client and returns
the first protocol that appears in the server list that also appears in the
client list. In the case of no overlap between the two lists it returns the
first item in the client list. In either case it will signal whether an overlap
between the two lists was found. In the case where SSL_select_next_proto is
called with a zero length client list it fails to notice this condition and
returns the memory immediately following the client list pointer (and reports
that there was no overlap in the lists).

This function is typically called from a server side application callback for
ALPN or a client side application callback for NPN. In the case of ALPN the list
of protocols supplied by the client is guaranteed by libssl to never be zero in
length. The list of server protocols comes from the application and should never
normally be expected to be of zero length. In this case if the
SSL_select_next_proto function has been called as expected (with the list
supplied by the client passed in the client/client_len parameters), then the
application will not be vulnerable to this issue. If the application has
accidentally been configured with a zero length server list, and has
accidentally passed that zero length server list in the client/client_len
parameters, and has additionally failed to correctly handle a "no overlap"
response (which would normally result in a handshake failure in ALPN) then it
will be vulnerable to this problem.

In the case of NPN, the protocol permits the client to opportunistically select
a protocol when there is no overlap. OpenSSL returns the first client protocol
in the no overlap case in support of this. The list of client protocols comes
from the application and should never normally be expected to be of zero length.
However if the SSL_select_next_proto function is accidentally called with a
client_len of 0 then an invalid memory pointer will be returned instead. If the
application uses this output as the opportunistic protocol then the loss of
confidentiality will occur.

This issue has been assessed as Low severity because applications are most
likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not
widely used. It also requires an application configuration or programming error.
Finally, this issue would not typically be under attacker control making active
exploitation unlikely.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

OpenSSL 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.2 once it is released.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.3 once it is released.

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.7 once it is released.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.15 once it is released.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1za once it is released
(premium support customers only).

OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zk once it is released
(premium support customers only).

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit e86ac436f0 (for 3.3),
commit 99fb785a5f (for 3.2), commit 4ada436a19 (for 3.1) and commit cf6f91f612
(for 3.0) in the OpenSSL git repository. It is available to premium support
customers in commit b78ec0824d (for 1.1.1) 

OpenSSL Security Advisory

2024-05-28 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [28th May 2024]
=

Use After Free with SSL_free_buffers (CVE-2024-4741)


Severity: Low

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause
memory to be accessed that was previously freed in some situations

Impact summary: A use after free can have a range of potential consequences such
as the corruption of valid data, crashes or execution of arbitrary code.
However, only applications that directly call the SSL_free_buffers function are
affected by this issue. Applications that do not call this function are not
vulnerable. Our investigations indicate that this function is rarely used by
applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used
when processing an incoming record from the network. The call is only expected
to succeed if the buffer is not currently in use. However, two scenarios have
been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the
network and processed by OpenSSL, but the full record body has not yet arrived.
In this case calling SSL_free_buffers will succeed even though a record has only
been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has
been received and processed by OpenSSL but the application has only read part of
this data. Again a call to SSL_free_buffers will succeed even though the buffer
is still in use.

While these scenarios could occur accidentally during normal operation a
malicious attacker could attempt to engineer a stituation where this occurs.
We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

OpenSSL 1.0.2 is also not affected by this issue.

OpenSSL 3.3, 3.2, 3.1, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.1 once it is released.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.2 once it is released.

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.6 once it is released.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.14 once it is released.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1y once it is released
(premium support customers only).

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit e5093133c3 (for 3.3),
commit c88c3de510 (for 3.2), commit 704f725b96 (for 3.1) and commit b3f0eb0a29
(for 3.0) in the OpenSSL git repository. It is available to premium support
customers in commit f7a045f314 (for 1.1.1).

This issue was reported on 10th April 2024 by William Ahern (Akamai). The fix
was developed by Matt Caswell and Watson Ladd (Akamai).

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240528.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmZV9w0ACgkQ2cTSbQ5g
RJFleggAunT15ijQEKk29rztc82qEl01c/mDCAKCNLD0WqCr/D00lIjYhOjAcj7W
f4h9c7N8TqX4fkc1pBmV3KMM4qCzMkNdFE+lxYiDn2A/HAsZgSmh+WGpcMju7obI
5TvaINrBZbndXTa3o+10Wo4QT7oVGji/WLwsc06QzofZRLWj7BxU1h7i2JDR9Gd/
SYkg5ivgwixAgMzxpy7nQetQYKAfl6spKSUDHDymkYk0ATTvr9P14pQ5+Sr2T/gT
V8V5uTOYcxjpJCRipUbUPDN5ZUy379thry3XmR9wd2GE0AeXoVOJQMpOVK7TDhzm
TFookLZ04kCDtSU6gM0XXI8WAoEDUQ==
=UFjh
-END PGP SIGNATURE-


OpenSSL Security Advisory

2024-05-16 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [16th May 2024]
=

Excessive time spent checking DSA keys and parameters (CVE-2024-4603)
=

Severity: Low

Issue summary: Checking excessively long DSA keys or parameters may be very
slow.

Impact summary: Applications that use the functions EVP_PKEY_param_check()
or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
experience long delays. Where the key or parameters that are being checked
have been obtained from an untrusted source this may lead to a Denial of
Service.

The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform
various checks on DSA parameters. Some of those computations take a long time
if the modulus ("p" parameter) is too large.

Trying to use a very large modulus is slow and OpenSSL will not allow using
public keys with a modulus which is over 10,000 bits in length for signature
verification. However the key and parameter check functions do not limit
the modulus size when performing the checks.

An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()
and supplies a key or parameters obtained from an untrusted source could be
vulnerable to a Denial of Service attack.

These functions are not called by OpenSSL itself on untrusted DSA keys so
only applications that directly call these functions may be vulnerable.

Also vulnerable are the OpenSSL pkey and pkeyparam command line applications
when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 53ea0648 (for 3.3),
commit da343d06 (for 3.2), commit 9c39b385 (for 3.1) and commit 3559e868
(for 3.0) in the OpenSSL git repository.

OSSfuzz first detected and automatically reported this issue on 13th February
2024 using a fuzzer recently added to OpenSSL written by Kurt Roeckx. The fix
was developed by Tomas Mraz.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240516.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmZGLbUACgkQUnRmohyn
nm27iRAAkvc/HNdfAY3l6kBJ2GVUbvPLODxFhzpei5DW1JxUojQwPXe3cXZlBs9D
PDtw85WX4IPULvcrq7BeGxOs4hDR1xkUfzr/5b0t7a9olFy1oYE/and0qpQx3AzP
eS7O9b001ssXtAs43aO6S4H0L5+3lRXPnLhyDfeh4odty4fbSIP8apLXtmaTKt6P
hdm+JLJdrx92aKjraKBcc1YKl2HgCBNRsxBnimKJzZGZVokUZsF0mIZ/G1SZVs0J
W4usEF1JuRD2vAUWcSDU92tZd0Bkz55SjVC7NVPqvqSUAo04f3LhZj1c7rMjSD5p
zjbG6c4PiCC08LRCHRtZUu56Kp1tBYy+X7zZrzDiPF1R/TY9pYYA1JKS6EvbBb/d
8IB3cxeeTzW0StnuxKmOchrMsGJtizh9hGIhy7yzjbQ8oMkhcRsUlbZDQwiHvCUk
qgXP2v0pnqBmVEBfqCBvUOKAy19XMVOUH69JBsuMEPIKzx2k7Y5QvVKZNq3DtboA
lOc0zkfLbtXrNZFDUDqpq2megmVbVlTw619NQE51jN/LPzo7b+fdw1cHTTnQE2Gt
rSQYZnklb0fmfQQJOl4HpCK16SfVebPYU4hRDJ1Yqk6jcClFbit1F7Fz6Ypjv4nM
iTOJAAoat2jQhmqg2VTpuUQGjRMAADvKlpABL4dTYCvJv6RMXTk=
=Efz1
-END PGP SIGNATURE-


OpenSSL Security Advisory

2024-04-08 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [8th April 2024]
==

Unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)


Severity: Low

Issue summary: Some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to trigger
unbounded memory growth that would lead to a Denial of Service

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is
being used (but not if early_data support is also configured and the default
anti-replay protection is in use). In this case, under certain conditions, the
session cache can get into an incorrect state and it will fail to flush properly
as it fills. The session cache will continue to grow in an unbounded manner. A
malicious client could deliberately create the scenario for this failure to
force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS
clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL
1.0.2 is also not affected by this issue.

OpenSSL 3.2, 3.1, 3.0, 1.1.1 are vulnerable to this issue.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.2 once it is released.

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.6 once it is released.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.14 once it is released.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1y once it is released
(premium support customers only).

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit e9d7083e (for 3.2),
commit 7e4d731b (for 3.1) and commit b52867a9 (for 3.0) in the OpenSSL git
repository. It is available to premium support customers in commit
5f8d2577 (for 1.1.1).

This issue was reported on 27th February 2024 by Manish Patidar (Hewlett Packard
Enterprise). The fix was developed by Matt Caswell.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240408.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmYT9+oACgkQUnRmohyn
nm1jPRAAlvRaeTjSlW7PULpYxAfCrCfLlMzdC15ybP1mO12ixsbdBN4qRxcXWGFP
TMqseW1pTCvcfQzEjSzswkio6kjBCh8iN3jSEPCJSIW7FWsZBpIZLwdqytp1pMaL
D8Pe1B542dztrCQy+1pobHpxH8EbFVLX8X9VR0nbH2xx6a3cspGc+JwS7RRQzvK3
a27fW+KM/dyjRE8SGbFzxcgparZTcKDhB2WsjW4Hm0Z62J4v/mkxeC30SOrgH4j2
PBsjJW0XqxOdwM40aKqRPXfjnFwDWOaXVZDjARzT9+olnt01WJiXTpnuKKYQ9y1C
4rmUJo+qbxDnsTg+cjBiZGgsEGqH6Fu/VCw6cJF4Wj0+dZDpvludwTtLh4IRaeCp
FqO6HWkdPg+qe9yKBvvqvf84i2kOvmSu4bVrJ5Zh524G3tYj43Uq76IiTSoLxM61
xmSVG3n0ri8H7aiavIjuq8U75uPhqmylwAIbL5wjEuIJayuprCINyBLAcV5VAprs
avXD6D2XBXLFFDLZ4GEDuNIOWVxO3mGGxZ0kulpGWhESIGJaZk7Rvd+xr3jLtxwT
dWdakCmOFtFIAcAdyYow4D5vCJr1p4iaLD3RCvle5bu3KIcThzWHo0ZnTygjyWt6
EgE0LExGT/1RTdtsXQaFQxzKd+gy4gdGfgl0u8ycYbMENKJ/tpE=
=rMVW
-END PGP SIGNATURE-


OpenSSL Security Advisory

2024-01-25 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [25th January 2024]
=

PKCS12 Decoding crashes (CVE-2024-0727)
===

Severity: Low

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

OpenSSL 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.1 once it is released.

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.5 once it is released.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.13 once it is released.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1x once it is released
(premium support customers only).

OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zj once it is released
(premium support customers only).

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit x (for 3.2),
commit x (for 3.1) and commit x (for 3.0) in the OpenSSL git
repository. It is available to premium support customers in commit
x (for 1.1.1) and in commit
x (for 1.0.2).

This issue was reported on 23rd November 2023 by Bahaa Naamneh (Crosspoint
Labs). The fix was developed by Matt Caswell.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240125.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.htm
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmWyq2gACgkQ2cTSbQ5g
RJFubAf/QN+25L2Kmev6Lk9P1BK8E2jZG+l9sa2O82tJwOyjRIimPQ0BW7KXwnKx
M+oEr952wwiCu/1I7dECn3/BOtQ/TDBVaELvS2W40RVyn4gGd2jD3igkrMsNb+Xu
U5oAu+kwfHp+PHhhCBxiGHVxj9cea17H3qH5DQZ4YK/X0ygdq16vvOBjNwkP8WTV
adfnWr107NvqUGCxhCDexyx1+YUWAdKuVfaKjkw6jBfR/MUPwH6qqBttfpqPUr1Z
o6bptN12iCuK9pQxFrUypL1OjsV83IMuxsBr0SOkrOH8+J7E9n33/xJZ7USRGSDY
rTBsL12SFQ8nxODAzgJOVT5QOp5Ayg==
=BQuZ
-END PGP SIGNATURE-


OpenSSL Security Advisory

2024-01-15 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [15th January 2024]
=

Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
=

Severity: Low

Issue summary: Checking excessively long invalid RSA public keys may take
a long time.

Impact summary: Applications that use the function EVP_PKEY_public_check()
to check RSA public keys may experience long delays. Where the key that
is being checked has been obtained from an untrusted source this may lead
to a Denial of Service.

When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.

An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.

The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to
this issue.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 0b0f7abf (for 3.2),
commit a830f551 (for 3.1) and commit 18c02492 (for 3.0) in the OpenSSL git
repository.

This issue was reported on 2nd November 2023 by OSS-Fuzz. The fix was
developed by Tomas Mraz.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240115.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmWlJXsACgkQUnRmohyn
nm067Q//X41VgBUcS9YWimbkD7Pj1nWIhgOUOTaXcBTkroNOjgiJOBuqnOKJorj6
N0KuAA9d+Jq3xVFbwFNiZZDl2O3Az8nmW9Yg63xyoZNXeB/80ZhUCcxX+mrnKeSt
XUJ8y5bSLuFrDsSp1Ew+xnfAo8DXn3DhRwHKi9Ww0kwdAN5+j84mtnGC3MfTAdLN
2WAnRY/AJGL4dACB2HEMz0zv6wU8QtV0hQUOwsDus8zw+6jkdOWpnadmqzA884MS
qJsKFLUN+ca64E0VsjLzHipJK464Qdyp1QIm7QG6hZtb3IDjb6oK4zo1M7bGvR+O
Wt6NKUMUovVYX6h3/e+Qpki0RS2rdxqbjTcXms2ijq/70iNrhP5p7nMfQWUkQM9G
QDwV0E+5OvOh1t1eHnn7MjGhUGEhTGeGXJ/oACt96i47lzYtobovi2y+B0fRhsuf
L8CPrArteBsFcPDyS/1Z/88HmOtDa9QhCawvAv9j8pwZgBxR0BV9fqsG4i+Mshdl
h88J/Xbd5+Gzp1Zt8F2eQlYk8xL3aPrIOmuYym3wbiXXXSRI894jyae7+AV2WItK
1FBVXw4wlh+ZPOaAOMEirxYMZ5+6c2wYyd9XEHlw+J6vjU+/CtM0Z2SYg/b56dkJ
ko/9Dor3UF6JjWdfOZqZXEOk8Rk20VHF9lDllJk8Xu2GAO5Wuug=
=UUwr
-END PGP SIGNATURE-


OpenSSL Security Advisory

2024-01-09 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [9th January 2024]


POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)


Severity: Low

Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC
algorithm is used, the application state might be corrupted with various
application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs restores the contents of vector registers in a different order
than they are saved. Thus the contents of some of these vector registers
are corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However unless the compiler uses the vector registers for storing
pointers, the most likely consequence, if any, would be an incorrect result
of some application dependent calculations or a crash leading to a denial of
service.

The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3. If this cipher is enabled on the server a malicious
client can influence whether this AEAD cipher is used. This implies that
TLS server applications using OpenSSL can be potentially impacted. However
we are currently not aware of any concrete application that would be affected
by this issue therefore we consider this a Low severity security issue.

OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to
this issue. The FIPS provider is not affected because the POLY1305 MAC
algorithm is not FIPS approved and the FIPS provider does not implement it.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 5b139f95 (for 3.2),
commit f3fc5808 (for 3.1) and commit 050d263 (for 3.0) in the OpenSSL git
repository.

This issue was reported on 9th October 2023 by Sverker Eriksson (Ericsson).
The fix was developed by Rohan McLure (IBM).

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240109.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmWddmsACgkQUnRmohyn
nm3nyBAAokn+TaX6ctAfk5TddGFSLabmBWOieIt52qAEqVxOnOn3IK/Ezuv6x3Gk
SrXzuTY9w8mAezME2ZUrDULuixji0u/n84RRXCqJaAo0s4bPl5BY9munrG+2dBsh
rusDdd8bzYdeDtRLjVeYjqMreVrpDSVx8JKto/nKcxK1w/yrzCXwpTe+n6pDu8PI
OXQAcnDvFXWN7I7x23XQrv/Gx2crwNo3GuV1Seoih+595dAjjeyTsxChQCAwAooV
MoCrHjdur6l9ALlQBj3Y4zZkBcyuUV4ngiNiptBVcBQB+ktcaVzMp2C6AVz3xARJ
eiVXBAflL/UVkYcskgBeZfuDxS/NBcImpyKyjrfp5HQPh7ahqeyLdQraQBh82VjJ
ArpKzLP/Ngl6QsCikkJZKEGAP7hTlaXShmNyKy7qIGmMNadMV4epL+lNxEEXk9aP
f65obbiumGsBypY/4BzIEv2Kr9EXXeVJiHibscAaWch5e3q9e0eQuLXO/TOHpxLf
NEhOXVSpBt6sp4C6hgztRTIX3/2H/xTH4ZqVwJezhra2x9ytrIDhiQVzOvE5tDdH
Kzr+ydZhp7H/3NrhO2LgIHC67McU3MQNv44xUx9UTm1WaspZiZtqgP+vrgEfffs4
Vx9Uv06OxZmTD/X2OHzgNhkqN5FwHaRUhnWmRzt63XThHO1Rxm4=
=8de2
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-11-06 Thread Richard Levitte
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [6th November 2023]
=

Excessive time spent in DH check / generation with large Q parameter value 
(CVE-2023-5678)
==

Severity: Low

Issue summary: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to
generate an X9.42 DH key may experience long delays.  Likewise, applications
that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of these checks, and is therefore
vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large
P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and
supplies a key or parameters obtained from an untrusted source could be
vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of
other OpenSSL functions.  An application calling any of those other
functions may similarly be affected.  The other functions affected by this
are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable are the OpenSSL pkey command line application when using the
"-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available.
The fix is also available in commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6
(for 3.1) and commit db925ae2e65d0d925adef429afc37f75bd1c2017 (for 3.0).
It is available to premium support customers in commit
710fee740904b6290fef0dd5536fbcedbc38ff0c (for 1.1.1) and in commit
34efaef6c103d636ab507a0cc34dca4d3aecc055 (for 1.0.2). 

This issue was reported on 16th August 2023 by David Benjamin (Google). The
fix was developed by Richard Levitte.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20231106.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/general/security-policy.html
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmVJCvoACgkQ1enkP335
7oytjRAAl2eNIEk0dNel7QoTFCTyXFl7IWUqWqNqx1WEr4oD/2SnFiOtQzOGl1U2
+Wr7y0GBz1cfY7xj5yw3JBajnq8v92rWHXfLheN4makflwhHwjx/faX/uTGey5Xp
+5ZdKZTnkSMC4gY4gS3/SWlmyHZAYVjs/OJIlKXNYRl0q+91OBydQEcixvetIF+c
tdog1im+92xvkOtm6RfYJXEg84keft4twzw+xxeiFQ8c856SvBOSEtIhewpF9gyo
mP2QS8/Ne6zeLXuw52pbwc/nXSXR1qPSwv+PDcDMIaVtAKYthdMbsugW05pNori1
+bjbDQ9lM+No+jtbkWXObGKuXciWCnqGmKxgBIDCmpvTKSVJ2Bfnewy08a+nMkG4
ZNmvOpF53dqVAaJRMPPZURW5697cYteF1WDWen48rx+eEP96KGB0u/jPitF1yGWC
larXfkpeoL8nK8c8BZS9wF1J8xUfH1TBzl78YdQInI6yNH1cIXCYquGPVYgJQU4O
TIQwqYCghL2+c46AkooepW5E7ltWK7LHB/64BU7BiTZeMKH+DO8L1YvFgliZLpzo
v9n3amunUylXzdcDznt01PtIwzTsEAKioxl0Xq7k9EQyNAdx3BL21MifkjxofUTV
54AyaYXtBVHNxqsZrdv6wVGc7F23vqmhmtS5IpgPkxtDQzKWdYk=
=FBln
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-10-24 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [24th October 2023]
=

Incorrect cipher key & IV length processing (CVE-2023-5363)
===

Severity: Moderate

Issue summary: A bug has been identified in the processing of key and
initialisation vector (IV) lengths.  This can lead to potential truncation
or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness,
which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after
the key and IV have been established.  Any alterations to the key length,
via the "keylen" parameter or the IV length, via the "ivlen" parameter,
within the OSSL_PARAM array will not take effect as intended, potentially
causing truncation or overreading of these values.  The following ciphers
and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in
loss of confidentiality.  For example, when following NIST's SP 800-38D
section 8.2.1 guidance for constructing a deterministic IV for AES in
GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will
produce incorrect results and could, in some cases, trigger a memory
exception.  However, these issues are not currently assessed as security
critical.

Changing the key and/or IV lengths is not considered to be a common operation
and the vulnerable API was recently introduced. Furthermore it is likely that
application developers will have spotted this problem during testing since
decryption would fail unless both peers in the communication were similarly
vulnerable. For these reasons we expect the probability of an application being
vulnerable to this to be quite low. However if an application is vulnerable then
this issue is considered very serious. For these reasons we have assessed this
issue as Moderate severity overall.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because
the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.12.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.4.

This issue was reported on 21st September 2023 by Tony Battersby of
Cybernetics.  The fix was developed by Dr Paul Dale.  This problem was
independently reported on the 3rd of December 2022 as part of issue
#19822, but it was not recognised as a security vulnerability at that
time.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20231024.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/general/security-policy.html

OpenSSL 1.1.1 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU33bsACgkQ2JTizos9
efVwAg/8Dh8qiBA3LEzTP39JtwAZzf0MPUEe0I5bvS7GUXIX8EemYojcNyoa/i+x
Lr/DQtRJ0j/woiy2PhMFbej+NNMwtHD4Cu83JB+wEEiXbnt4n5yi+rWb9hw19Fs6
g17EDbsi1j5fgCQ81Psgxg02bgC/3iE2AnDYty6mRQnfMPe599SMUEnUsRfeGdTh
QGOwLbAH58a3OydMFD5tUHY6JKKwU7WhLrYanAT7YIlU4oQbAIEKL7+K0roIzhyq
3o7EjtfKAr2ttcl+iOXdJYRb+0OwP59y/BBAOOOdCcb2oqDs1fPvXB8BXHhR43Ew
i5EF47fUFxICu2kuXEe00RbbJipAqF5S0KvIKurYPjepukWjOqnNBQc4euned0gN
bYcQgMLjYoZAp79V42kRMTQ+uMP1ElUCx4gwY8iOn6R65TmHloiNWv/q0I3XhWeH
piLOv9lm/pMNmArpFGpySQzTY/wyyEvc9ZQcThSdWSiJOIebG4wFLYP+LvzG81/Q
KX0yMK1dB8nyD6n+p14aIxhaWHr/7YgNO0882YbG11OQftIB5HXIXsQT5XFdVm8h
OUCJfj1iPv1O3Xr7UkTISzGzRZyYLoUxFSi9+DrMHWaK9pQqSYDjqB6XE8vImnZN
wJJj9hGRRZzCON5pXuh5+bIPSozdUPaZtWWm9ICobB/PLyvD05M=
=aGd3
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-09-08 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [8th September 2023]
==

POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)
=

Severity: Low

Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions.

Impact summary: If in an application that uses the OpenSSL library an attacker
can influence whether the POLY1305 MAC algorithm is used, the application
state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL does
not save the contents of non-volatile XMM registers on Windows 64 platform
when calculating the MAC of data larger than 64 bytes. Before returning to
the caller all the XMM registers are set to zero rather than restoring their
previous content. The vulnerable code is used only on newer x86_64 processors
supporting the AVX512-IFMA instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However given the contents of the registers are just zeroized so
the attacker cannot put arbitrary values inside, the most likely consequence,
if any, would be an incorrect result of some application dependent
calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3 and a malicious client can influence whether this AEAD
cipher is used by the server. This implies that server applications using
OpenSSL can be potentially impacted. However we are currently not aware of
any concrete application that would be affected by this issue therefore we
consider this a Low severity security issue.

As a workaround the AVX512-IFMA instructions support can be disabled at
runtime by setting the environment variable OPENSSL_ia32cap:

   OPENSSL_ia32cap=:~0x20

OpenSSL versions 1.1.1 to 1.1.1v, 3.0.0 to 3.0.10, and 3.1.0 to 3.1.2 are
vulnerable to this issue. The FIPS provider is not affected because the
POLY1305 MAC algorithm is not FIPS approved and the FIPS provider does not
implement it.

OpenSSL version 1.0.2 is not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 4bfac447 (for 3.1),
commit 6754de4a (for 3.0), and commit a632d534 (for 1.1.1) in the OpenSSL git
repository.

This issue was reported publicly on GitHub on 23rd July 2023 by Zach Wilson
(Nvidia) and subsequently to the OpenSSL security team on 28th August 2023
by Bernd Edlinger. The fix disabling the vulnerable codepath was developed
by Bernd Edlinger.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230908.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers. 
-BEGIN PGP SIGNATURE-

iQJGBAEBCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmT6/5ESHHRvbWFzQG9w
ZW5zc2wub3JnAAoJEFJ0ZqIcp55tLK8P/joFSPF9oBeoMBcSZJ5eG26WNoqvj2hh
kYggHZL++wzFpBDgRwjyQW7Pm6BsythIYwId+6+QPJNCxf7juWv7vWuO42KbMqXh
KnDk4NmFOKv6aF4TahfytgLzljVMwwRs9k+kmFfTNOq66NNiJBKFcIzTp7UlOkUD
SOwify1Yq/du6jYyXX0tD+l6IfIEBlPPx+o5L8PG5+G+yR8bvHnlu1MrM3jYlil7
7AQjqk+115Y6cJpER9FHW5oLApK2yn3mSlQ+0Cn9LjqCaYGAlJTHe1wP9OMmV+nk
fhH5S714WvMgYxfbNgAsvfLBuahJkCyZ7ddaRF/OZtU5Kk72aK+mFVqxf7hgHHd6
0W7xMIdZzhyfytQMKq3IK8bhc1T83nk83FxdDodx0XARNNoMAiYFbnQtuCtZzIM8
WVXh9Yad37Nxg27rmjYdzezyeGTGT2dlwKMhNqHlp/rf9A67sC+Lrt9UJL7nAyJo
zmmNjrZQuc+WGpQvKjHxirGuRzqLxPxQNQinXK4X23QsdbiFoMB/INd+7GqKfuOE
2kdGH3hBpSoP9MrI9LHqq1G9fNnp/NOgUuwbxFXapDoNZMbOoDftpjZwCyRKqbf5
PQSDny0hDER43/MNZOnmRlnFJHMjLKxi28BqwZpt6ZmdQM8FpZkNsMWnPic1J0tK
V+IiOjmRLVcj
=2sPx
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-07-31 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [31st July 2023]
==

Excessive time spent checking DH q parameter value (CVE-2023-3817)
==

Severity: Low

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A correct q value,
if present, cannot be larger than the modulus p parameter, thus it is
unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 6a1eb62c2 (for 3.1),
commit 9002fd073 (for 3.0) and commit 91ddeba0f (for 1.1.1) in the OpenSSL git
repository. It is available to premium support customer in commit 869ad69a (for
1.0.2).

This issue was reported on 20th July 2023 by Bernd Edlinger. The fix was
developed by Tomas Mraz.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230731.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers.
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmTH1M4ACgkQ2cTSbQ5g
RJGhtAf9E3HklBKezKOXvAbsPmCqcjySMVTV/JrBjrDn14UIRjZmhVoHd5QGusN2
ReRtA3bRL41UQYdLKDkdYjp9XmlDDFb5hKO3G7P0ldtDaw21TkIQeI/90OKjgsQu
A+vpf/TcE1a1Pbz8cIRKYBjIaS3z9yIDW4eB0gytWxsqMxze+9IOYNuAbDa0KsqO
PFTUiHr5xu01wsdVdHeUMpZ01E8tGbVwgyY7tvCUAUJcjjLcTb9+gXQLn6cmVRJt
6kU8jsamkiYpL1MoKI5yQvYx0nXZUxXbH1ICPltytC4pBsMEypCCnJTkcJKhRRNt
76Z4/x3XDqMzapYMPimIRifdzPV9FQ==
=Ve/V
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-07-19 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [19th July 2023]
==

Excessive time spent checking DH keys and parameters (CVE-2023-3446)


Severity: Low

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those
checks confirms that the modulus ("p" parameter) is not too large. Trying to use
a very large modulus is slow and OpenSSL will not normally use a modulus which
is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus value
even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulernable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit fc9867c1 (for 3.1),
commit 1fa20cf2 (for 3.0) and commit 8780a896 (for 1.1.1) in the OpenSSL git
repository. It is available to premium support customer in commit 9a0a4d3c (for
1.0.2).

OSSfuzz first detected and automatically reported this issue on 25th June
2023 using a fuzzer recently added to OpenSSL written by Kurt Roeckx. The fix
was developed by Matt Caswell.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230714.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers.
-BEGIN PGP SIGNATURE-

iQJGBAEBCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmS3yhISHHRvbWFzQG9w
ZW5zc2wub3JnAAoJEFJ0ZqIcp55tn1MP/3rGGOFg5XqhMW5hjzdH/u7wbZSQIBGr
PwGCCYm8McrgHsmqvE5efo5QIxjNj09xS/6+h+WsWeXkAvuL37idzQ5FC8oAlop2
XvjI0bJfCNQA8NcEFecWROHv9G7XEX7g+yV/yBUkT1CnuzqNjdnNeqBCIYafTE/x
X4mZKaj/dJZTB/c8XI5foGZ9RklsO3QqrPt2DGhusP/u57ayghWLqv/7EyogDyeS
2FfB1yYsM0pmO7TjzrSlVhwPqAmsNGwOYVH8ggHGr9pRIbRQhrfKKVqn+o/5JLeR
XXIXQGTiXhs0eDcO3N+kgWf0PXpuA5x03EZlrGOJoJLf0Gw6Mds8mjMD8s1RWJbD
pogwwfGEavedW5WUH1f1W1cpoHqmSNwGrFIJJfZ0t1X4/z8/U6CipF6bCCjfEiFS
ROzOkj44O8rXNwU4+ACxBx/E+PLpP0zhn9uJNTzBfMTonFNyWxuFwpVv3EIHrrq+
YB/ccvbWXapejxIRHhrI41eA7tflZAPBNw8CwBfBRfQbJ+BOveKjGhaGfe3JUDiO
Ry97AGuRGlSCkhUrW9Iy5qrNTnT6AFbdUDpip77UUQDn1eYusW5YtHsLiJpouFq+
MPMn0B7mJypHjvDm4QeaUuJMaYHvcJtpRN684MXfBkcMsAldeYuwO0dl3E3HB5Dr
uP4KAxS6q91M
=sghT
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-07-14 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [14th July 2023]
==

AES-SIV implementation ignores empty associated data entries (CVE-2023-2975)


Severity: Low

Issue summary: The AES-SIV cipher implementation contains a bug that causes
it to ignore empty associated data entries which are unauthenticated as
a consequence.

Impact summary: Applications that use the AES-SIV algorithm and want to
authenticate empty data entries as associated data can be misled by removing,
adding or reordering such empty entries as these are ignored by the OpenSSL
implementation. We are currently unaware of any such applications.

The AES-SIV algorithm allows for authentication of multiple associated
data entries along with the encryption. To authenticate empty data the
application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with
NULL pointer as the output buffer and 0 as the input buffer length.
The AES-SIV implementation in OpenSSL just returns success for such a call
instead of performing the associated data authentication operation.
The empty data thus will not be authenticated.

As this issue does not affect non-empty associated data authentication and
we expect it to be rare for an application to use empty associated data
entries this is qualified as Low severity issue.

OpenSSL versions 3.0.0 to 3.0.9, and 3.1.0 to 3.1.1 are vulnerable to this
issue. The FIPS provider is not affected as the AES-SIV algorithm is not
FIPS approved and FIPS provider does not implement it.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 6a83f0c9 (for 3.1) and
commit 00e2f5ee (for 3.0) in the OpenSSL git repository.

This issue was reported on 16th May 2023 by Juerg Wullschleger (Google).
The fix was developed by Tomas Mraz.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230714.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers.
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmSxxSgACgkQUnRmohyn
nm3ogw//Zqnff7kHNFaqXQB7plwif+utEBi6/siMNC+/bTn8RSRWsuIJp0vgGTB/
EEkiD2vK5Twrf1mYpKgOiCdQq2AaneHbjqcLtkmBS2apeXcGsBB6ZQgJKe1kRhaL
nC87QJKuUdlQojS4+SBD+MIz/ET1uQNsjjvKfANpKK0L4TgUs2tHNskZG3H6p4az
Kt0uhKaAFBp7jGb+wt3zYIgoyLvnZvx51mIwrf/vv3VAJl8OgEgG+hIk+8AtAVEa
ZCWmkDRuuJxEHuwCjX0iSncwqIViph1JnpqnrXARNcdfZCMdAIfEmVdSTfXmmlQr
TmQPDiBDIlk5ZjHlOGbVCEkUnPQAwiKEQ5bi0x4zI1e/yN64RTARjjaXn5nQsyTf
XHHqFQNSCZ9Fpc4JVuJsSzzxnALKuzIC6uUwzPZxfDQ844e7EBim/V42kcbKizbZ
N073hrxkm54nGRdfXkDguGPGK82GwHJnxPo7COBiBnROswWK++o2eW9PJwD2Vkt3
dQ7t58YXDc+76+yE+L4mYuF6ml6wmUPx9kBzhzBxjgINZod5O8YyuTRrqnRbtsFU
yasNBspjAaVdS5zRFewn4ghQTKIv6OfBn2fTIUNVCfXeAR9Dzd5Ts5zAcYJTaT3o
NNLUBwvP+Fcm2rE2RZ3p6n6YmQLiY8URjtxGGPxJsLDaCTw6IiY=
=eZhV
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-05-30 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [30th May 2023]
=

Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
=

Severity: Moderate

Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -
most of which have no size limit.  OBJ_obj2txt() may be used to translate
an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL
type ASN1_OBJECT) to its canonical numeric text form, which are the
sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by
periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large
(these are sizes that are seen as absurdly large, taking up tens or hundreds
of KiBs), the translation to a decimal number in text may take a very long
time.  The time complexity is O(n^2) with 'n' being the size of the
sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names /
identifiers in string form was introduced.  This includes using OBJECT
IDENTIFIERs in canonical numeric text form as identifiers for fetching
algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure
AlgorithmIdentifier, which is commonly used in multiple protocols to specify
what cryptographic algorithm should be used to sign or verify, encrypt or
decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are
affected, with any version of OpenSSL.  If the use is for the mere purpose
of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,
CMS, CMP/CRMF or TS.  It also impacts anything that processes X.509
certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a
100KiB limit on the peer's certificate chain.  Additionally, this only
impacts clients, or servers that have explicitly enabled client
authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,
such as X.509 certificates.  This is assumed to not happen in such a way
that it would cause a Denial of Service, so these versions are considered
not affected by this issue in such a way that it would be cause for concern,
and the severity is therefore considered low.

No version of the FIPS provider is affected by this issue.

OpenSSL 3.0.x and 3.1.x are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 users may be affected by this issue when calling
OBJ_obj2txt() directly.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.9.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.1.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1u.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zh (premium support
customers only).

OSSfuzz first detected and automatically reported this issue on 16th January
2020. At that time OpenSSL 3.0 was still in early development and it was not
identified as a security concern at that time. On 23rd April 2023 the issue
was reexamined and identified as a security issue by Matt Caswell.
The fix was developed by Richard Levitte.

(*) A measurement showed about 2 seconds for 100KiB and a minute for 500KiB.
This measurement wasn't made to demonstrate exact time ranges, but rather to
demonstrate the quadratic nature of the issue.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230530.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/general/security-policy.html

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers.
-BEGIN PGP SIGNATURE-

iQJGBAEBCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmR1/kQSHHRvbWFzQG9w
ZW5zc2wub3JnAAoJEFJ0ZqIcp55tXS0QAJpUoGfoirteiNuvdRy4PP72E0ZHVsll
2PlsArtQwogpEJD5Z4Escq+Cb7ZPl7uqBdfosJTX31Kr3e/ri6HY3Bzjxa1xOKUo
GHC/RADZqGWemBiabr9BDtJAaadQDS3a8tGSklgab0ueHtCX9zX0ptWE3lW8NGp5
DXQ4pBVzGHpldHgN8OLhpreshbw9RJNvdAXrl445MtUNXy4rJYRTqlHCqwH6qjCM
a/a6sFaIevgspm85L30YWtx38T+vqfNFhl9RZuKbQB9PlL1g3UWpsnvVUCSrXytH
ehlNhyfCX03vNn4Ym/Gp9cj5/1EM0wsF6EVuXGBe6+D/vwh5eLTPgndLr8KKo12C
ysJF4dGdLSKg3KaL6xV4Km+XXv8S4s4MF9FOYqachF6hnBWyTdwkVcTNWBYPmexS
Kw/MpXku65hWrjZT9FGfoFsl3RBYOde9E31ubd6/gUANkzF8jqaMfn966oCmoz2O
uQb29gjEKUQWZD8Es23Yub3Jj0wTvN

OpenSSL Security Advisory

2023-04-20 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [20th April 2023]
===

Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
==

Severity: Low

Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM
platform contains a bug that could cause it to read past the input buffer,
leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM
platform can crash in rare circumstances. The AES-XTS algorithm is usually
used for disk encryption.

The AES-XTS cipher decryption implementation for 64 bit ARM platform will read
past the end of the ciphertext buffer if the ciphertext size is 4 mod 5, e.g.
144 bytes or 1024 bytes. If the memory after the ciphertext buffer is
unmapped, this will trigger a crash which results in a denial of service.

If an attacker can control the size and location of the ciphertext buffer
being decrypted by an application using AES-XTS on 64 bit ARM, the
application is affected. This is fairly unlikely making this issue
a Low severity one.

OpenSSL versions 3.0.0 to 3.0.8, and 3.1.0 are vulnerable to this issue,
including the FIPS provider in those versions.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit bc2f61ad (for 3.1) and
commit 02ac9c94 (for 3.0) in the OpenSSL git repository.

This issue was reported on 27th February 2023 by Anton Romanov (Amazon).
The fix was developed by Nevine Ebeid (Amazon).

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230420.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers.
-BEGIN PGP SIGNATURE-

iQJGBAEBCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmRBYoMSHHRvbWFzQG9w
ZW5zc2wub3JnAAoJEFJ0ZqIcp55tRl4P/3pRFLUviJ+dgVd0DV25ViBRI2qEOF9O
FrcpB2buCF6JA2MQBKFV4x6kMjgzjFkj3LyP9eqUCfw6VhRtR6cnVXgUNi+XX3OL
x8fxMY6OmEy67Oq/w7FL7mth1Rz5trDJWhCoAoKvaBYOWzLhPQVqIXaJ7MY8HPGv
qoLt2ODYbm0D44LCXiigTIO13HIF5MRRxex1C2+c2ZO7XV3pq0Sr4xcVyBAcneHW
/dyYNeEsLBaa39QrFoz/h/C96pCHwc10DKRVFUC8q3o10Bs+D46sueoe666cLfeN
pm2Y/AYaXKLCCFRT3IDJwXgBtcLt+PrZr3C3iyVrCWOcoHzfNS5BzTKOQMv/CSkW
KEK7ezqOBWvvzeEcFeg6mUcILVRanUEKS+u4tZQ6JzJAck1CHjpcRQVNbxhayjzM
dTASVeLzb4xrXVVMYLqKeVBACGcOo69oyssnORDg7/iBW/Gm5toUraS/8uKft51W
NsBUV4A4eagE4VNwCT9mFH7uAXjQgWggivdA6PtaUf/S69wy5Dh1cWc+XWd3suj8
QgPTU3H0E86BTbIAkBQUatWmMnFc1gxhUpEo+rcGZY00Zkrz42PoCP/pFDsszUt6
JAlFPS7xQNYAgaUAnkyMTbkSDqFbm8nppAY6l6HpYEVywagoXtSPEgn+miSOJn6S
7I/fm11VSkjm
=SU46
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-03-28 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [28th March 2023]
===

Invalid certificate policies in leaf certificates are silently ignored 
(CVE-2023-0465)
==

Severity: Low

Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by
OpenSSL and other certificate policy checks are skipped for that certificate.
A malicious CA could use this to deliberately assert invalid certificate 
policies
in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit facfb1ab (for 3.1),
commit 1dd43e07 (for 3.0), commit b013765a (for 1.1.1) in the OpenSSL
git repository, and commit 10325176 (for 1.0.2) in the OpenSSL git
repository for premium customers.

This issue was reported on 12th January 2023 by David Benjamin (Google).
The fix was developed by Matt Caswell.

Certificate policy check not enabled (CVE-2023-0466)


Severity: Low

The function X509_VERIFY_PARAM_add0_policy() is documented to
implicitly enable the certificate policy check when doing certificate
verification. However the implementation of the function does not
enable the check which allows certificates with invalid or incorrect
policies to pass the certificate verification.

As suddenly enabling the policy check could break existing deployments it was
decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
function.

Instead the applications that require OpenSSL to perform certificate
policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly
enable the policy check by calling X509_VERIFY_PARAM_set_flags() with
the X509_V_FLAG_POLICY_CHECK flag argument.

Certificate policy checks are disabled by default in OpenSSL and are not
commonly used by applications.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Applications need to be updated if they are affected by the issue.

Due to the low severity of this issue we are not creating a new release at
this time. The documentation fix is also available in commit fc814a30
(for 3.1), commit 51e8a84c (for 3.0), commit 0d16b7e9 (for 1.1.1) in the
OpenSSL git repository, and commit 73398dea (for 1.0.2) in the OpenSSL git
repository for premium customers.

This issue was reported on 12th January 2023 by David Benjamin (Google).
The documentation fix was developed by Tomas Mraz.

General Advisory Notes
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230328.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers.
-BEGIN PGP SIGNATURE-

iQJGBAEBCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmQi8tMSHHRvbWFzQG9w
ZW5zc2wub3JnAAoJEFJ0ZqIcp55tem4P/3ujaUzEUXSMAX58jCiMzScB8o1HFyo1
KQguXKh41dM7ooehR4J8JjveH6PExw2C0fI7CzROjdlOkcd66jfokJb5CIOTf3zs
0pDn0gH1TcY4skKlUkFoo8d51ql3zlySxLX5MGEUiUq43U+H2sog/cLaMl5KJRJ4
kDBGksdgsAb1o6rCcXpTHw40Dq5cEr3HaSy6hbbxubjt8SQv8fbK2vkZPu3pVwfw
RR6w8K43aiDwcEC6eMPO5QOx3xTOFGU0tUNEG11QZhb2gOkmgshjRBZmbf9mEyU2
mTk0P8G6ttlVP80qqXA33lSXIJlfpTqqSx9rlx6ovO4iu0TZPJYETkAhP6nBvEU6
eyy/RTSphBUK4uSh44K3RTMcnPAvplZdzlX9jOHfiuOjwG1ff8pxWnJZt0s77MNI
ByCKaOWwhyoph3jxkt+k4AP0f229qxFxryz1UKXWQ+2BXtXusXFVGs70FwHIvSWV
nGpLKXedCnebPaQqlYKqFWmJPsDf4iEcSgluFyFr4zYW7+dN+7hNF3gFzYJjSCIo
jvnKktMk3Vuu8xOMJ6uQQNmGvsEyhmDYsxqNuM/6QxaQmnfEGe8+bdp21g8PBLtG
z+tnX2/7Cltm/5oIHnqVclNChqjOev9rho5/QVK7eNFDcuDTWVosWPPyqbhkmVpw
acx7hxvK++Zl
=L6VH
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-03-22 Thread Tomas Mraz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464)
===

Severity: Low

A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints.  Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 2017771e (for 3.1),
commit 959c59c7 (for 3.0), commit 879f7080 (for 1.1.1) in the OpenSSL
git repository, and commit 2dcd4f1e (for 1.0.2) in the OpenSSL git
repository for premium customers.

Once they are released:

OpenSSL 3.1 users should upgrade to 3.1.1.
OpenSSL 3.0 users should upgrade to 3.0.9.
OpenSSL 1.1.1 users should upgrade to 1.1.1u.
OpenSSL 1.0.2 users should upgrade to 1.0.2zh (premium support customers only).

This issue was reported on 12th January 2023 by David Benjamin (Google).
The fix was developed by Dr Paul Dale.

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230322.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQJGBAEBCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmQbItgSHHRvbWFzQG9w
ZW5zc2wub3JnAAoJEFJ0ZqIcp55t8AgP/3mUOflbZ7e8yLjgEMqFqCSFlSQo5bFK
gh2h2NOKBjkvzFtlqnAR+bqNPAr9CEosSRF1LiVtKu9RhaIh1LlTsp53aFWSP48p
7LekiPmd5hnorO72dB1eLlbHPIe0lh2It2cDlkYc95BVcttQEzHbyygVKBD0f0cN
WqslsIeVPIqMIZMHAlpnINz630Rsn/4cif+6U8gYgNN51f7WeCArPp3U7hAhHVuC
b7lOVXBNzdfdFzKVjSTHqvWBib/Ji+Ga4knHFZya7VLQagKjDJiQB9uBpuCOmzxD
kb9nJCSroIwf74wDxJxr4gb314/hju+jpC2Xny8l7SXxJUahdMywJLgofPMEOhWb
lRod8SHr0Je5Gpp4R+p6cmwr0PM76KPxcLOvsa7OsIwIZQvFyxMVvsGYdMxg0ads
qDqROqkb1Mx+Fa0smySe6Xru0RtEgXAk7AIltz8AqHmCvMED8S7ZwhsHipM/eLYZ
Iky8SsSYn4K3a4Sa05+IrQARWmDCZHRHp9JfHacPq0HunNrAX5unDfHUNAx1TZcX
0cSeN/SF56sds+SEjJpURCHxO+Z4toUxpaVKqZyLsDhuq/IwrbbaxhBFkNiHcWOg
vCinoWvhpjo2YBs0BVJNIu4wpNhnCwOP7+91zmTAvD28xoBhSHKWkwGuypPkW3bO
Y6lneBDfoNpj
=iUFS
-END PGP SIGNATURE-


OpenSSL Security Advisory

2023-02-07 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [7th February 2023]
=

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
=

Severity: High

There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.

OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers
only).

This issue was reported on 11th January 2023 by David Benjamin (Google).
The fix was developed by Hugo Landau.

Timing Oracle in RSA Decryption (CVE-2022-4304)
===

Severity: Moderate

A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an
encrypted pre-master secret to the server. An attacker that had observed a
genuine connection between a client and a server could use this flaw to send
trial messages to the server and record the time taken to process them. After a
sufficiently large number of messages the attacker could recover the pre-master
secret used for the original connection and thus be able to decrypt the
application data sent over that connection.

OpenSSL 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers
only).

An initial report of a possible timing side channel was made on 14th July 2020
by Hubert Kario (Red Hat). A refined report identifying a specific timing side
channel was made on 15th July 2022 by Hubert Kario.
The fix was developed by Dmitry Belyavsky (Red Hat) and Hubert Kario.

X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203)
===

Severity: Moderate

A read buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs
after certificate chain signature verification and requires either a
CA to have signed the malicious certificate or for the application to
continue certificate verification despite failure to construct a path
to a trusted issuer.

The read buffer overrun might result in a crash which could lead to
a denial of service attack. In theory it could also result in the disclosure
of private memory contents (such as private keys, or sensitive plaintext)
although we are not aware of any working exploit leading to memory
contents disclosure as of the time of release of this advisory.

In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 3rd November 2022 by Corey Bonnell
from Digicert. The fix was developed by Viktor Dukhovni.

Use-after-free following BIO_new_NDEF (CVE-2023-0215)
=

Severity: Moderate

The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the
SMIME, CMS and PKCS7 streaming

OpenSSL Security Advisory

2022-11-01 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [01 November 2022]


X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
==

Severity: High

A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs
after certificate chain signature verification and requires either a
CA to have signed the malicious certificate or for the application to
continue certificate verification despite failure to construct a path
to a trusted issuer. An attacker can craft a malicious email address
to overflow four attacker-controlled bytes on the stack. This buffer
overflow could result in a crash (causing a denial of service) or
potentially remote code execution.

Many platforms implement stack overflow protections which would mitigate
against the risk of remote code execution. The risk may be further
mitigated based on stack layout for any given platform/compiler.

Pre-announcements of CVE-2022-3602 described this issue as CRITICAL.
Further analysis based on some of the mitigating factors described above
have led this to be downgraded to HIGH. Users are still encouraged to
upgrade to a new version as soon as possible.

In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 17th October 2022 by Polar Bear.
The fixes were developed by Dr Paul Dale.

We are not aware of any working exploit that could lead to code execution,
and we have no evidence of this issue being exploited as of the time of
release of this advisory (November 1st 2022).

X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
===

Severity: High

A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to
have signed a malicious certificate or for an application to continue
certificate verification despite failure to construct a path to a trusted
issuer. An attacker can craft a malicious email address in a certificate
to overflow an arbitrary number of bytes containing the `.' character
(decimal 46) on the stack. This buffer overflow could result in a crash
(causing a denial of service).

In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was discovered on 18th October 2022 by Viktor Dukhovni while
researching CVE-2022-3602. The fixes were developed by Dr Paul Dale.

We have no evidence of this issue being exploited as of the time of
release of this advisory (November 1st 2022).

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221101.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQJGBAEBCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmNhRdsSHHRvbWFzQG9w
ZW5zc2wub3JnAAoJEFJ0ZqIcp55tARIP/R4TFlh4N3wH4enjT74oJowxjmwNIu0q
uRTmmwtMwJOd1Nw0tfydVEtd3qaN/KMcMnnBMzIzvCdzQ202g8SRSzX7zeHZtAEe
idu9qQyQep1ECK7UGybdN+4Ahey30Py6J99okWejCmdHSpxo7+OOtADFdraqrV5A
5vwyojD1Iv95Z0/RqYxMmMBEoJZitsGxeraw1IxBJCqw6sL2WwDelGb9NZwKFee1
BrfeF+dwaXlAZ97Hsaai6ssDf8VOoTNbCDsrsnbo4MAbFAc6ZraynMcWMm9kwF96
y+pO+0P9etzWeHkP+qHAeCCHZqU76Rexr58XtuWQpTdmbPbmLpnwr7wgwBAZxHA0
RkhpR244vPLYrF3cIssNxEstHCi2NFX0cMtOnbY84lJfmnxgHTJqH/7LvUmHibC6
FBNM9CCSezZgEiSvERB0R/auHZnpODj9riCyWWq82sXTkk3XrqkdnN3mAjgVpnDK
3Cacx9vJxpUDl2U4ObEVCE1I1qHKomAcKVAErAMmLLsdkbzoK9dUquG2VhFaJYJW
3TtqDMhQM0fqRgRu750P42w6dm1glH/UIK41viB0eVwbBZ0RdaAnI3+Tuk2NXH2o
nZdH5Lx6scgS+l4K+IF2WzO+WCYThG0Sg22hC6NnFbdksoGA/XaXl80Kf5Ec1LJr
QLeTSjQDj6Fc
=8mrQ
-END PGP SIGNATURE-


OpenSSL Security Advisory

2022-10-11 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [11 October 2022]
===

Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358)


Severity: Low

OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new()
function and associated function calls. This function was deprecated in OpenSSL
3.0 and application authors are instead encouraged to use the new provider
mechanism in order to implement custom ciphers.

OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed
to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2()
functions (as well as other similarly named encryption and decryption
initialisation functions). Instead of using the custom cipher directly it
incorrectly tries to fetch an equivalent cipher from the available providers.
An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new().
This NID is supposed to represent the unique NID for a given cipher. However it
is possible for an application to incorrectly pass NID_undef as this value in
the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the
OpenSSL encryption/decryption initialisation function will match the NULL cipher
as being equivalent and will fetch this from the available providers. This will
succeed if the default provider has been loaded (or if a third party provider
has been loaded that offers this cipher). Using the NULL cipher means that the
plaintext is emitted as the ciphertext.

Applications are only affected by this issue if they call EVP_CIPHER_meth_new()
using NID_undef and subsequently use it in a call to an encryption/decryption
initialisation function. Applications that only use SSL/TLS are not impacted by
this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.6.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 9th August 2022 by Chris Rapier of the
Pittsburgh Supercomputing Center. The fix was developed by Matt Caswell.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221011.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmNFgFcACgkQ2cTSbQ5g
RJFEZwf/WiGIlYQfuis0lbwvqPHEpBZkuQgnXtkZ2nOe2SAera+fUNMKGf6/Pmbx
3orhrG9xEpTyZjczccRTjZ1pimGRpF0Lyvnv/N+RjrywpD3nTpanhKPlw8cnpH6p
xlqSNEgXog9E5i3y27SYbdDw2Pu4I61vZe/zzJfI/pnpgsFkJRwAKFOPDHnS9hgh
J8DdaVa6iW8/cOtWBiNHpNKebpjJ+pl5ZpbGt8CYMBHAAc1V/hmuOTesybyGeI9a
I2qL5WXXl0VR5bPNNkUXLLm+q0XYFahL58lx7R2qn/HL3r3YeNtFVd7u/UV581vM
dLhh43faekIct7eN3TXlsSkpKEwCQg==
=EO32
-END PGP SIGNATURE-


OpenSSL Security Advisory

2022-07-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [5 July 2022]
===

Heap memory corruption with RSA private key operation (CVE-2022-2274)
=

Severity: High

The OpenSSL 3.0.4 release introduced a serious bug in the RSA
implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys
incorrect on such machines and memory corruption will happen during
the computation. As a consequence of the memory corruption an attacker
may be able to trigger a remote code execution on the machine performing
the computation.

SSL/TLS servers or other servers using 2048 bit RSA private keys running
on machines supporting AVX512IFMA instructions of the X86_64 architecture
are affected by this issue.

Note that on a vulnerable machine, proper testing of OpenSSL would fail and
should be noticed before deployment.

Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 22nd June 2022 by Xi Ruoyao. The
fix was developed by Xi Ruoyao.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220705.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

AES OCB fails to encrypt some bytes (CVE-2022-2097)
===

Severity: MODERATE

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some
circumstances.  This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written.  In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
they are both unaffected.

This issue affects versions 1.1.1 and 3.0.  It was addressed in the
releases of 1.1.1q and 3.0.5 on the 5th July 2022.

OpenSSL 1.1.1 users should upgrade to 1.1.1q
OpenSSL 3.0 users should upgrade to 3.0.5

This issue was reported to OpenSSL on the 15th June 2022 by Alex
Chernyakhovsky from Google. The fix was developed by Alex Chernyakhovsky,
David Benjamin and Alejandro Sedeño from Google.
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmLEEkUACgkQ1enkP335
7ozR5g/+Ofu4COpLp2VjRUuH268vwfaRCPgr9nbv3v9/KwW7FLzAWS/JqLqTmJiI
GDP2TOM7jKSVh8oG8vnQ0c9DY1CULk28gaH6fp9jhfhvsblpva9Hdk74xYy3ebbR
5gLI++3WlROoGYf486R/t13X5vTLLJaun5R+3khf/i5+6SwDKrw4WM3UXNHLOxjM
SFJ/hIPuVSFIHagZAzwcLMwOG+qa5JVU4i5TL9hio40Bl2gDKEkpDmj5UTWBT1Tu
FZ66FMveM4sTlX3QrjWAQjAX2iq7S5Ng7PXWKsNYB4lckigG88jj2uC30oS+S8Bs
/V10Yp9zlkfPAVZNo/qjy5ui+1KrZidF/deGPCs36ULbE2e9/aYFz6xfz0zfdkmr
8hgZBhMwJ+49woC45Vo67PPf7dHGvGh3OpPbApkeX0VtwPIElanf7uK8YQ/yCvYK
+T8wKSDE/qcl9trTDZa567KTcv341LmxMFuVP5Ohxzfr+O1fKEPGCWepxOaP2GZY
zx5MmLQmahcoYDInWr9iJD0OkySaJKWbEUM90oBHvjwY5+sW770LAX0nt8Uthb6J
JPRyAeu6Un70u63GmXuPEvtuUGjYYnQsSke9/M2IgnE+1E+Hj5rfhCjWMQURUcvZ
cC/hRphJ80ReuR8vEyBaN81tdr0/Dp6MUuvDnvkcYSzNHrgJL1o=
=bJgr
-END PGP SIGNATURE-


OpenSSL Security Advisory

2022-06-21 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [21 June 2022]


The c_rehash script allows command injection (CVE-2022-2068)


Severity: Moderate

In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further circumstances where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection were
found by code review.

When the CVE-2022-1292 was fixed it was not discovered that there
are other places in the script where the file names of certificates
being hashed were possibly passed to a command executed through the shell.

This script is distributed by some operating systems in a manner where
it is automatically executed.  On such operating systems, an attacker
could execute arbitrary commands with the privileges of the script.

Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2zf (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1p
OpenSSL 3.0 users should upgrade to 3.0.4

This issue was reported to OpenSSL on the 20th May 2022.  It was found by
Chancen of Qingteng 73lab.  A further instance of the issue was found by
Daniel Fiala of OpenSSL during a code review of the script.  The fix for
these issues was developed by Daniel Fiala and Tomas Mraz from OpenSSL.

Note


OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220621.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmKx1vMACgkQ2cTSbQ5g
RJFo3gf/XY0cjt1lXtTrGBGu5lDf6Gou7USlUy4lo0wQwkHJ11b2PDxINS+xGNzp
GoOSxCGcQEPrUPkQTwbTtVxSDKuIkQmQG0py155zUrKzsRTad3rIsHy+NzfweBW+
RSwTYZT702J5XRMkeaLhzqG2WY5fxibydaKRKIU2IcyvOQP4tEdrRBQ1taaYKORG
ZZmlcL8Et96YgbFDotLJAeZQ9nbOnHEti7zGCvp48klOqc4llH+0QnHmRsJFxO2F
QHNd0ZUsb0gzVajEOz1rBEIotS4tYDltRCkgJz7evJSPrXrbbacXflfHGsveWjgw
h8Wr4I7UK1liE3lmb5LuW/BXf7CAQg==
=31ys
-END PGP SIGNATURE-


OpenSSL Security Advisory

2022-05-03 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [03 May 2022]
===

The c_rehash script allows command injection (CVE-2022-1292)


Severity: Moderate

The c_rehash script does not properly sanitise shell metacharacters to
prevent command injection.  This script is distributed by some operating
systems in a manner where it is automatically executed.  On such operating
systems, an attacker could execute arbitrary commands with the privileges
of the script.

Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2ze (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1o
OpenSSL 3.0 users should upgrade to 3.0.3

This issue was reported to OpenSSL on the 2nd April 2022.  It was found by
Elison Niven of Sophos.  The fix was developed by Tomas Mraz from OpenSSL.

OCSP_basic_verify may incorrectly verify the response signing certificate 
(CVE-2022-1343)
=

Severity: Moderate

The function `OCSP_basic_verify` verifies the signer certificate on an OCSP
response. In the case where the (non-default) flag OCSP_NOCHECKS is used then
the response will be positive (meaning a successful verification) even in the
case where the response signing certificate fails to verify.

It is anticipated that most users of `OCSP_basic_verify` will not use the
OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return
a negative value (indicating a fatal error) in the case of a certificate
verification failure. The normal expected return value in this case would be 0.

This issue also impacts the command line OpenSSL "ocsp" application. When
verifying an ocsp response with the "-no_cert_checks" option the command line
application will report that the verification is successful even though it has
in fact failed. In this case the incorrect successful response will also be
accompanied by error messages showing the failure and contradicting the
apparently successful result.

This issue affects OpenSSL version 3.0.

OpenSSL 3.0 users should upgrade to 3.0.3

This issue was reported to OpenSSL on the 6th April 2022 by Raul Metsma. The fix
was developed by Matt Caswell from OpenSSL.

Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)
=

Severity: Low

The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the
AAD data as the MAC key. This makes the MAC key trivially predictable.

An attacker could exploit this issue by performing a man-in-the-middle attack to
modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that
the modified data would still pass the MAC integrity check.

Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint
will always be rejected by the recipient and the connection will fail at that
point. Many application protocols require data to be sent from the client to the
server first. Therefore, in such a case, only an OpenSSL 3.0 server would be
impacted when talking to a non-OpenSSL 3.0 client.

If both endpoints are OpenSSL 3.0 then the attacker could modify data being
sent in both directions. In this case both clients and servers could be
affected, regardless of the application protocol.

Note that in the absence of an attacker this bug means that an OpenSSL 3.0
endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the
handshake when using this ciphersuite.

The confidentiality of data is not impacted by this issue, i.e. an attacker
cannot decrypt data that has been encrypted using this ciphersuite - they can
only modify it.

In order for this attack to work both endpoints must legitimately negotiate the
RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0,
and is not available within the default provider or the default ciphersuite
list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In
order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must
have occurred:

1) OpenSSL must have been compiled with the (non-default) compile time option
   enable-weak-ssl-ciphers

2) OpenSSL must have had the legacy provider explicitly loaded (either through
   application code or via configuration)

3) The ciphersuite must have been explicitly added to the ciphersuite list

4) The libssl security level must have been set to 0 (default is 1)

5) A version of SSL/TLS below TLSv1.3 must have been negotiated

6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
   others that both endpoints have in common

This issue affects OpenSSL version 3.0.

OpenSSL 3.0 use

OpenSSL Security Advisory

2022-03-15 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [15 March 2022]


Infinite loop in BN_mod_sqrt() reachable when parsing certificates 
(CVE-2022-0778)
==

Severity: High

The BN_mod_sqrt() function, which computes a modular square root, contains
a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that
has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate
signature, any process that parses an externally supplied certificate may thus
be subject to a denial of service attack. The infinite loop can also be
reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.

Thus vulnerable situations include:

 - TLS clients consuming server certificates
 - TLS servers consuming client certificates
 - Hosting providers taking certificates or private keys from customers
 - Certificate authorities parsing certification requests from subscribers
 - Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker
can control the parameter values are vulnerable to this DoS issue.

In the OpenSSL 1.0.2 version the public key is not parsed during initial
parsing of the certificate which makes it slightly harder to trigger
the infinite loop. However any operation which requires the public key
from the certificate will trigger the infinite loop. In particular the
attacker can use a self-signed certificate to trigger the loop during
verification of the certificate signature.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.  It was
addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.

OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2

This issue was reported to OpenSSL on the 24th February 2022 by Tavis Ormandy
from Google. The fix was developed by David Benjamin from Google and Tomáš Mráz
from OpenSSL.

Note


OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
It is affected by the issue.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwtOcACgkQ2cTSbQ5g
RJGd6wf/VColq7YEnA1dKQvd75ytnFkV8tUhb1uQ9eCjhxk76ASg3QToEar3yDd3
ykGXJZy5oPCl0zG33GORz9Pq8oWjIoCDLfhlTh3aORjWZ9uMkd+RWxVEjxyidgZp
4Rb8p5qSncxJ1EcYLoeUWu/lrDh67q1hDnwGNtNxyzVC0sqxWz++YoFXGJA2OH0m
lcYZilUdZ4HLVKmFKEfQGX/xwdvxj3VTaJNjsEI+2h1xysXBN+TpXsEL2yOGx8Cq
KzQXnRUrNhsdIQYEAJ7i3HXYmY0wHehTXvBoZsI/2yWiC19WWK8u/qZxdc3Y88v3
JDKNJRCyKGbji+ESZPnWB14yE3yZ0g==
=9ROi
-END PGP SIGNATURE-


OpenSSL Security Advisory

2022-01-28 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [28 January 2022]
===

BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160)


Severity: Moderate

There is a carry propagation bug in the MIPS32 and MIPS64 squaring
procedure.  Many EC algorithms are affected, including some of the
TLS 1.3 default curves.  Impact was not analyzed in detail, because the
pre-requisites for attack are considered unlikely and include reusing
private keys.  Analysis suggests that attacks against RSA and DSA as
a result of this defect would be very difficult to perform and are
not believed likely.  Attacks against DH are considered just feasible
(although very difficult) because most of the work necessary to deduce
information about a private key may be performed offline.  The amount of
resources required for such an attack would be significant.  However,
for an attack on TLS to be meaningful, the server would have to share
the DH private key among multiple clients, which is no longer an option
since CVE-2016-0701.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0.  It was
addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For
the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to
premium support customers only. It will be made available in 1.0.2zc when it is
released.

The issue only affects OpenSSL on MIPS platforms. If that applies then:

OpenSSL 1.0.2 users should apply git commit 6fc1aaaf3 (premium support
customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1m
OpenSSL 3.0.0 users should upgrade to 3.0.1

This issue was found on the 10th of December 2021 and subsequently fixed
by Bernd Edlinger.

Note


OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220128.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmH0AK4ACgkQ2cTSbQ5g
RJG4Agf9HqZVxd3uG7Jq8TnM4HIR5lrQaJAq6pszxqGvSSmjmK6fkVf8G0PI6I4M
J8gmlLMfnvDiE2a1yfmzAlXQu3+nTFRMlkkrpfPoBPIrX3ceHa+uRLIlvDm6jTeu
vEV+Zko71AlgDb4cGGP9beAEh6l2pPS2DZ94nEiK2LWl6nIUTaTWuV0WACVHnadk
Xj6YrDtbM9LpW/yELg4nUvrLCn72D+T3rjaDZVfQHCjw97/TJnSOApv5u0EgBiIi
lT3zXBT83qHDsPEfXvQ3Mk4wQiloAmOO4g9B68S84qXq/J8JSowydCQBKhOVQ9uo
u3EDFqOsMHS6ahex7RfBnvML0FBXbA==
=RvBK
-END PGP SIGNATURE-


OpenSSL Security Advisory

2021-12-14 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [14 December 2021]


Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044)


Severity: Moderate

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
verify a certificate supplied by a server. That function may return a negative
return value to indicate an internal error (for example out of memory). Such a
negative return value is mishandled by OpenSSL and will cause an IO function
(such as SSL_connect() or SSL_do_handshake()) to not indicate success and a
subsequent call to SSL_get_error() to return the value
SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned
by OpenSSL if the application has previously called
SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the
SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally
unexpected and applications may not behave correctly as a result. The exact
behaviour will depend on the application but it could result in crashes,
infinite loops or other similar incorrect responses.

This issue is made more serious in combination with a separate bug in OpenSSL
3.0 that will cause X509_verify_cert() to indicate an internal error when
processing a certificate chain. This will occur where a certificate does not
include the Subject Alternative Name extension but where a Certificate Authority
has enforced name constraints. This issue can occur even with valid chains.

By combining the two issues an attacker could induce incorrect, application
dependent behaviour.

OpenSSL 3.0.0 SSL/TLS clients are affected by this issue. Users of this version
should upgrade to OpenSSL 3.0.1.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 29th November 2021 by Tobias Nießen. The
fix was developed by Matt Caswell and Tobias Nießen.

Note


OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20211214.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4zbUACgkQ2cTSbQ5g
RJG+TggAsQHgwpwy2j4FPzKFAar5hM+3cMI9hZUECu5VJBZaVUQM3fBY5Um16T5L
n6weB9EFe+xpA2ncuuDeUWGvACW5oj6j/obfse4cIRc2K4XfHNydzCi/EB1cG1Qi
d4/dqw4I8KgyZkk7iyZawtQ+vslSefsUbYSqrslBiETK7VMGjIrxNy7ohMadFdA7
E8dYicPPjkYX/4+vs/W0RiAe4kFAHKTFZIvh2ab65CBubAOGDS0CFavd57FvC10Y
UquSKdBIWIIlfueQ8IhYx3v/VEOvS4Q8OpkPkfuoRu0j3qX8lvyHV+gipHD9MK9q
zI7Kj9oa+mUqyT5cp3mhIbSqq3Qm0A==
=xJgY
-END PGP SIGNATURE-


OpenSSL Security Advisory

2021-08-24 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [24 August 2021]
==

SM2 Decryption Buffer Overflow (CVE-2021-3711)
==

Severity: High

In order to decrypt SM2 encrypted data an application is expected to call the
API function EVP_PKEY_decrypt(). Typically an application will call this
function twice. The first time, on entry, the "out" parameter can be NULL and,
on exit, the "outlen" parameter is populated with the buffer size required to
hold the decrypted plaintext. The application can then allocate a sufficiently
sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
value for the "out" parameter.

A bug in the implementation of the SM2 decryption code means that the
calculation of the buffer size required to hold the plaintext returned by the
first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
called by the application a second time with a buffer that is too small.

A malicious attacker who is able present SM2 content for decryption to an
application could cause attacker chosen data to overflow the buffer by up to a
maximum of 62 bytes altering the contents of other data held after the
buffer, possibly changing application behaviour or causing the application to
crash. The location of the buffer is application dependent but is typically
heap allocated.

OpenSSL versions 1.1.1k and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1l.

OpenSSL 1.0.2 is not impacted by this issue.

OpenSSL 3.0 alpha/beta releases are also affected but this issue will be
addressed before the final release.

This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix
was developed by Matt Caswell.

Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
=

Severity: Moderate

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
structure which contains a buffer holding the string data and a field holding
the buffer length. This contrasts with normal C strings which are repesented as
a buffer for the string data which is terminated with a NUL (0) byte.

Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
own "d2i" functions (and other similar parsing functions) as well as any string
whose value has been set with the ASN1_STRING_set() function will additionally
NUL terminate the byte array in the ASN1_STRING structure.

However, it is possible for applications to directly construct valid ASN1_STRING
structures which do not NUL terminate the byte array by directly setting the
"data" and "length" fields in the ASN1_STRING array. This can also happen by
using the ASN1_STRING_set0() function.

Numerous OpenSSL functions that print ASN.1 data have been found to assume that
the ASN1_STRING byte array will be NUL terminated, even though this is not
guaranteed for strings that have been directly constructed. Where an application
requests an ASN.1 structure to be printed, and where that ASN.1 structure
contains ASN1_STRINGs that have been directly constructed by the application
without NUL terminating the "data" field, then a read buffer overrun can occur.

The same thing can also occur during name constraints processing of certificates
(for example if a certificate has been directly constructed by the application
instead of loading it via the OpenSSL parsing functions, and the certificate
contains non NUL terminated ASN1_STRING structures). It can also occur in the
X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.

If a malicious actor can cause an application to directly construct an
ASN1_STRING and then process it through one of the affected OpenSSL functions
then this issue could be hit. This might result in a crash (causing a Denial of
Service attack). It could also result in the disclosure of private memory
contents (such as private keys, or sensitive plaintext).

OpenSSL versions 1.1.1k and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1l.

OpenSSL versions 1.0.2y and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2za. Other users should upgrade
to 1.1.1l.

An initial instance of this issue in the X509_aux_print() function was reported
to OpenSSL on 18th July 2021 by Ingo Schwarze. The bugfix was developed by Ingo
Schwarze and first publicly released in OpenBSD-current on 10th July 2021 and
subsequently in OpenSSL on 20th July 2021 (commit d9d838ddc). Subsequent
analysis by David Benjamin on 17th August 2021 identified more instances of the

OpenSSL Security Advisory

2021-03-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [25 March 2021]
=

CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)


Severity: High

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check.

An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity
for checks that the certificate is a valid CA.  All of the named "purpose"
values implemented in libcrypto perform this check.  Therefore, where
a purpose is set the certificate chain will still be rejected even when the
strict flag has been used. A purpose is set by default in libssl client and
server certificate verification routines, but it can be overridden or
removed by an application.

In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
for the certificate verification or, in the case of TLS client or server
applications, override the default purpose.

OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk
from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was
developed by Tomáš Mráz.


NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
=

Severity: High

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL
pointer dereference will result, leading to a crash and a denial of service
attack.

A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
is the default configuration). OpenSSL TLS clients are not impacted by this
issue.

All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
developed by Peter Kästle and Samuel Sapalski from Nokia.

Note


OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20210325.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmBcl6sACgkQ2cTSbQ5g
RJGvnAgAtG6I7rfokDC9E5yB26KC3k0Vasfq5iH/aZz0CNRyOokWJBUyyNIVjqr0
2eZP7VsQT7zRM+tgh9c8MwH3FIghtpwJRJls4qZDHKoXts7JH4Ul4NLPd546x7xA
GcKNwTD4NkZbTqtZ72NTgliInzrj0MCC8jqQrIIkcAIleGNzvZ0f64jdE+vBXoqX
M2FOhWiA/JkAKtB3W7pthIt25qkOwHbrpTy+UUp/S5QD779NJ/EOYcsOFBRfLZiP
gA6QILuW2L55lhG6Y2u+nVE3UI2hqd2hGgSAvDIPr2lVJxq0LQpgHca7Gj5bfIRo
GLDz7n0FhN6n7NBqetP+nlHmYivcSg==
=XIXK
-END PGP SIGNATURE-


OpenSSL Security Advisory

2021-02-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [16 February 2021]


Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)


Severity: Moderate

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
create a unique hash value based on the issuer and serial number data contained
within an X509 certificate. However it fails to correctly handle any errors
that may occur while parsing the issuer field (which might occur if the issuer
field is maliciously constructed). This may subsequently result in a NULL
pointer deref and a crash leading to a potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by OpenSSL
itself so applications are only vulnerable if they use this function directly
and they use it on certificates that may have been obtained from untrusted
sources.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
to 1.1.1j.

This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy from
Google. The fix was developed by Matt Caswell.

Incorrect SSLv2 rollback protection (CVE-2021-23839)


Severity: Low

OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a
server that is configured to support both SSLv2 and more recent SSL and TLS
versions then a check is made for a version rollback attack when unpadding an
RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are
supposed to use a special form of padding. A server that supports greater than
SSLv2 is supposed to reject connection attempts from a client where this special
form of padding is present, because this indicates that a version rollback has
occurred (i.e. both client and server support greater than SSLv2, and yet this
is the version that is being requested).

The implementation of this padding check inverted the logic so that the
connection attempt is accepted if the padding is present, and rejected if it
is absent. This means that such as server will accept a connection if a version
rollback attack has occurred. Further the server will erroneously reject a
connection if a normal SSLv2 connection attempt is made.

Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this
issue. In order to be vulnerable a 1.0.2 server must:

1) have configured SSLv2 support at compile time (this is off by default),
2) have configured SSLv2 support at runtime (this is off by default),
3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite
   list)

OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to
this issue. The underlying error is in the implementation of the
RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING
padding mode used by various other functions. Although 1.1.1 does not support
SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the
RSA_SSLV23_PADDING padding mode. Applications that directly call that function
or use that padding mode will encounter this issue. However since there is no
support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a
security issue in that version.

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium
support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
upgrade to 1.1.1j.

This issue was reported to OpenSSL on 21st January 2021 by D. Katz and Joel
Luellwitz from Trustwave. The fix was developed by Matt Caswell.

Integer overflow in CipherUpdate (CVE-2021-23840)
=

Severity: Low

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow
the output length argument in some cases where the input length is close to the
maximum permissable length for an integer on the platform. In such cases the
return value from the function call will be 1 (indicating success), but the
output length value will be negative. This could cause applications to behave
incorrectly or crash.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
to 1.1.1j.

This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The fix
was developed by Matt Caswell.

Note

OpenSSL Security Advisory

2020-12-08 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [08 December 2020]


EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
==

Severity: High

The X.509 GeneralName type is a generic type for representing different types
of names. One of those name types is known as EDIPartyName. OpenSSL provides a
function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a CRL
   distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp
   authority name (exposed via the API functions TS_RESP_verify_response and
   TS_RESP_verify_token)

If an attacker can control both items being compared then that attacker could
trigger a crash. For example if the attacker can trick a client or server into
checking a malicious certificate against a malicious CRL then this may occur.
Note that some applications automatically download CRLs based on a URL embedded
in a certificate. This checking happens prior to the signatures on the
certificate and CRL being verified. OpenSSL's s_server, s_client and verify
tools have support for the "-crl_download" option which implements automatic
CRL downloading and this attack has been demonstrated to work against those
tools.

Note that an unrelated bug means that affected versions of OpenSSL cannot parse
or construct correct encodings of EDIPARTYNAME. However it is possible to
construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence
trigger this attack.

All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL
releases are out of support and have not been checked.

OpenSSL 1.1.1 users should upgrade to 1.1.1i.

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium
support customers of OpenSSL 1.0.2 should upgrade to 1.0.2x. Other users should
upgrade to OpenSSL 1.1.1i.

This issue was reported to OpenSSL on 9th November 2020 by David Benjamin
(Google). Initial analysis was performed by David Benjamin with additional
analysis by Matt Caswell (OpenSSL). The fix was developed by Matt Caswell.

Note


OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of this issue on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20201208.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl/PloEACgkQ2cTSbQ5g
RJERNQf/d8G0r7APrOuxlwOL2j0j4JX5HZoR/ilD1eD6kSj3uZmCbl/DTZgN9uhj
hMN9UTCVdF+NcWlqldwUVLLSq16/P821QLrbqKs4Q6i2NDwHIAU6VCneRZOUIOpl
VOyQ+BJDavvqQ2gNziDK29sjG8JxWUqQ10fdphfrV1vS0Wd1fV1/Kk9I0ba+yv5O
RiIyvbJobCEyNz52JdqbBsKjrSCtPh6qMra3IYm6EDJDnp+T8UpliB3RBIBuIPfU
ALRageyqmE9+J5BFYxbd1Lx37mHXq1PZsSYd6L09Y9Wg5fJLHzWffd74SfJHwRza
xZ/UTvCvkbGUbspT/U4mkuHwHzYXcg==
=41vP
-END PGP SIGNATURE-


OpenSSL Security Advisory

2020-09-09 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [09 September 2020]
=

Raccoon Attack (CVE-2020-1968)
==

Severity: Low

The Raccoon attack exploits a flaw in the TLS specification which can lead to
an attacker being able to compute the pre-master secret in connections which
have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would
result in the attacker being able to eavesdrop on all encrypted communications
sent over that TLS connection. The attack can only be exploited if an
implementation re-uses a DH secret across multiple TLS connections. Note that
this issue only impacts DH ciphersuites and not ECDH ciphersuites.

OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and
does not implement any "static" DH ciphersuites.

OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
ciphersuite is used. These static "DH" ciphersuites are ones that start with the
text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
ciphersuites all start with "TLS_DH_" but excludes those that start with
"TLS_DH_anon_".

OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
explicitly configured. Therefore all ciphersuites that use DH in servers
(including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a
response to CVE-2016-0701.

Since the vulnerability lies in the TLS specification, fixing the affected
ciphersuites is not viable. For this reason 1.0.2w moves the affected
ciphersuites into the "weak-ssl-ciphers" list. Support for the
"weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause
interoperability problems in most cases since use of these ciphersuites is rare.
Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at
compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.

OpenSSL 1.0.2 is out of support and no longer receiving public updates.

Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w.  If
upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure
that affected ciphersuites are disabled through runtime configuration. Also
note that the affected ciphersuites are only available on the server side if a
DH certificate has been configured. These certificates are very rarely used and
for this reason this issue has been classified as LOW severity.

This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj
Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to
allow co-ordinated disclosure with other implementations.

Note


OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of this issue on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20200909.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAl9YzBsACgkQ1enkP335
7oyIxg/9FWuca3/s/lY6g6a5VTPIekZMOLRUnDyzS3YePQu/sEd1w81mKoTqU+6F
KQmliGqdRDk+KN8HDVd14kcLBukto8UKmkp9FpB5J4d2KK1I/Fg/DofJs6xUQYKb
5rHRLB3DDoyHEBzEEIjcqYTTThXW9ZSByVK9SKpC78IRM/B2dfd0+j4hIB/kDC/E
G+wieFzexHQVdleVYT/VaJ6qS8AwvohBbt8h7yK0P6v/4vEm0spDbUmjWJBVUlUu
QZyELjj8XZR3YFxt3axSuJg3JSGYlaMzkt2+DVq4qEzeJLIydLK9J8p6RNwPhsJk
Rx0ez8P4N+5O7XmA0nHv3HyompdMgHlvykj8Ks4lNHVS02KKLi1jDtmOxl3Fm/hb
ZNOmjn7lulV1342pw4rWL3Nge3x0s0Q5zgBCm1mqLzzu/V1ksx8FJwGA1w2cH280
dU9VedkC2wvFQije8pFrWH9l6N9Bh41DIEOnlBl0AL7IrbPdO6yMcD6vpR7hWjr3
fx4hNJSAGzJ3i/NXlSj4eR/47zkjfJyEc8Drc2QgewyqXFrK20X/LOj8MqJlc+ry
pXZseh+XC8WaYDMV1ltrKvE2Ld9/0f3Ydc04AcDeu5SXPJG79ogzVnchZok7+XCj
RT+a3/ES45+CTfL5v27t5QJxJcxg4siLVsILfi0rIUv0IYgH2fU=
=U7OO
-END PGP SIGNATURE-


OpenSSL Security Advisory

2020-04-21 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [21 April 2020]
=

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=

Severity: High

Server or client applications that call the SSL_check_chain() function during or
after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack.

OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.  This
issue did not affect OpenSSL versions prior to 1.1.1d.

Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g

This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
2020. It was found using the new static analysis pass being implemented in GCC,
- -fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin
Kaduk.

Note
=

This issue did not affect OpenSSL 1.0.2 however these versions are out of
support and no longer receiving public updates. Extended support is available
for premium support customers: https://www.openssl.org/support/contracts.html

This issue did not affect OpenSSL 1.1.0 however these versions are out of
support and no longer receiving updates.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20200421.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6e8uwACgkQ2cTSbQ5g
RJHHRgf+J8iVBuK6EoOvf9xm9geiDgYVFse9ckMXH92gdGbwsW4uhTNk9fCyNC+t
vsf6YGT6nKJarB5+N+LC4QB7VLo/DjlYcN9zP3mubV0eEyKHSoW6tDOWPpJ0gsbt
2Z9iTA4GnofvhBcWLiPGgv4IUHknsOaPkRmEppSF0fDTSKuYOerfNRh9jTKHulis
Ph6dCOXE3kb5HfMwVj3UN2sP92XTig4FzpIQaZ1/2jKZaRXtzJD7pvu1fDCTkUGl
aeta5jHNypYyRKJLuJ1+1DiBtbWTFAWMUCHlkg/kgdU4hIl/lo3vgAyFs/9mQxZQ
vj2rIjoJHRj0EXqXhHoABqBHedilJQ==
=AXyP
-END PGP SIGNATURE-


OpenSSL Security Advisory

2019-12-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [6 December 2019]
===

rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551)
===

Severity: Low

There is an overflow bug in the x64_64 Montgomery squaring procedure used in
exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis
suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a
result of this defect would be very difficult to perform and are not believed
likely. Attacks against DH512 are considered just feasible. However, for an
attack the target would have to re-use the DH512 private key, which is not
recommended anyway. Also applications directly using the low level API
BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.

OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue. However due to the
low severity of this issue we are not creating new releases at this time. The
1.1.1 mitigation for this issue can be found in commit 419102400. The 1.0.2
mitigation for this issue can be found in commit f1c5eea8a.

This issue was found by OSS-Fuzz and Guido Vranken and reported to OpenSSL on
12th September 2019. The fix was developed by Andy Polyakov with additional
analysis by Bernd Edlinger.

Note
=

OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2
will end on 31st December 2019. Extended support is available for premium
support customers: https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates. It is unknown
whether issues in this advisory affect it.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20191206.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl3qhRUACgkQ2cTSbQ5g
RJHQvwgAhVefbdppxDZbGhiIjc/MLTeZmYC5U57rGMvGQ7WL8+xbkGVYmFPu69kp
dN+kGPVJAZySmbhJZVmbrdxgl/zCvwE1WXPh5ILQCvA8cF0z762TCJpxbDJksy/9
igmavYVMxWLePMz7+HsVo6VCcvmBNGykg8zpJm33v2/wc9dBE+c/sJoep/pcXYNI
fLrcLUnsnJoWhg23VNUXEkW8Ru4jkaXTtg4v4sdxHzPbp0qBbekdhj6GAekyFRjn
Zpv4buJDxohcJw91rBK36tXU/PZARW4tO6TR6CdVuB16T7XMye0wKp3kRNd0QPE9
O/LGrT1Jq8cFTxYHfFYeOrkVJKpgog==
=6Z6t
-END PGP SIGNATURE-


OpenSSL Security Advisory

2019-09-10 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [10 September 2019]
=

ECDSA remote timing attack (CVE-2019-1547)
==

Severity: Low

Normally in OpenSSL EC groups always have a co-factor present and this is used
in side channel resistant code paths. However, in some cases, it is possible to
construct a group using explicit parameters (instead of using a named curve). In
those cases it is possible that such a group does not have the cofactor present.
This can occur even where all the parameters match a known named curve.

If such a curve is used then OpenSSL falls back to non-side channel resistant
code paths which may result in full key recovery during an ECDSA signature
operation.

In order to be vulnerable an attacker would have to have the ability to time
the creation of a large number of signatures where explicit parameters with no
co-factor present are in use by an application using libcrypto.

For the avoidance of doubt libssl is not vulnerable because explicit parameters
are never used.

OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.

OpenSSL 1.1.1 users should upgrade to 1.1.1d
OpenSSL 1.1.0 users should upgrade to 1.1.0l
OpenSSL 1.0.2 users should upgrade to 1.0.2t

This issue was reported by Cesar Pereida García, Sohaib ul Hassan,
Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley. The
fix was developed by Billy Brumley. It was reported to OpenSSL on 5th August
2019.


Fork Protection (CVE-2019-1549)
===

Severity: Low

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was
intended to include protection in the event of a fork() system call in order to
ensure that the parent and child processes did not share the same RNG state.
However this protection was not being used in the default case.

A partial mitigation for this issue is that the output from a high precision
timer is mixed into the RNG state so the likelihood of a parent and child
process sharing state is significantly reduced.

If an application already calls OPENSSL_init_crypto() explicitly using
OPENSSL_INIT_ATFORK then this problem does not occur at all.

OpenSSL version 1.1.1 is affected by this issue.

OpenSSL 1.1.1 users should upgrade to 1.1.1d

This issue was reported by Matt Caswell. The fix was developed by Matthias
St. Pierre. It was reported to OpenSSL on 27th May 2019.


Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)


Severity: Low

In situations where an attacker receives automated notification of the success
or failure of a decryption attempt an attacker, after sending a very large
number of messages to be decrypted, can recover a CMS/PKCS7 transported
encryption key or decrypt any RSA encrypted message that was encrypted with the
public RSA key, using a Bleichenbacher padding oracle attack. Applications are
not affected if they use a certificate together with the private RSA key to the
CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to
decrypt.

OpenSSL 1.1.1 users should upgrade to 1.1.1d
OpenSSL 1.1.0 users should upgrade to 1.1.0l
OpenSSL 1.0.2 users should upgrade to 1.0.2t

This issue was reported by and the fix developed by Bernd Edlinger. It was
reported to OpenSSL on 21st August 2019.


Note
=

OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2
will end on 31st December 2019.

Support for 1.1.0 ends on 11th September 2019 so 1.1.0l is expected to be the
last 1.1.0 release.

Users of these versions should upgrade to OpenSSL 1.1.1.


References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190910.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl13vK0ACgkQ2cTSbQ5g
RJGJIgf+Me900bLV9TrVDWvNRQbuRe0tOPPhP59J4tJAJiRZ1GG0JV2YITQynjTP
hrz9mvajgWbkGYlTZmPVFOdJr7LKbrUrxk7shEfXqmiiCLG8tHYiCe3PF+/Cy7gA
X1vY9CDfv//3VSqOLM9RM3CCcWAAv3KeP851X0PgCiMVvGAJbYOu3bmB+KsEKFzm
fWRDabUMbl1KCSgCIvvlNv0bKR/GfpW3cWruUvG0sfjyPWwS+yn8z0T3/ibFJqkb
Cmuqa3/kC9uZg8AhiODR+nz6D1mC2UiNZ2Wa/XO6O68rO/y3ZKbaiMGLze1qJep5
3PnybOw8b3JvpVRFYw09YwgLObBX8w==
=8bP1
-END PGP SIGNATURE-


OpenSSL Security Advisory

2019-07-30 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [30 July 2019]


Windows builds with insecure path defaults (CVE-2019-1552)
==

Severity: Low

OpenSSL has internal defaults for a directory tree where it can find a
configuration file as well as certificates used for verification in
TLS.  This directory is most commonly referred to as OPENSSLDIR, and
is configurable with the --prefix / --openssldir configuration options.

For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets
assume that resulting programs and libraries are installed in a
Unix-like environment and the default prefix for program installation
as well as for OPENSSLDIR should be '/usr/local'.

However, mingw programs are Windows programs, and as such, find
themselves looking at sub-directories of 'C:/usr/local', which may be
world writable, which enables untrusted users to modify OpenSSL's
default configuration, insert CA certificates, modify (or even
replace) existing engine modules, etc.

For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR
on all Unix and Windows targets, including Visual C builds.  However,
some build instructions for the diverse Windows targets on 1.0.2
encourage you to specify your own --prefix.

OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.
Due to the limited scope of affected deployments this has been
assessed as low severity and therefore we are not creating new
releases at this time.

The mitigations are found in these commits:
- - For 1.1.1, commit 54aa9d51b09d67e90db443f682cface795f5af9e
- - For 1.1.0, commit e32bc855a81a2d48d215c506bdeb4f598045f7e9 and
  b15a19c148384e73338aa7c5b12652138e35ed28
- - For 1.0.2, commit d333ebaf9c77332754a9d5e111e2f53e1de54fdd

The 1.1.1 and 1.1.0 mitigation set more appropriate defaults for
mingw, while the 1.0.2 mitigation documents the issue and provides
enhanced examples.

This issue was reported by Rich Mirth.  The fix was developed by
Richard Levitte from the OpenSSL development team.  It was reported to
OpenSSL on 9th Jun 2019.

Note
=

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates.
Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0
will end on 11th September 2019. Users of these versions should
upgrade to OpenSSL 1.1.1.


Referenses
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190730.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAl1AU3sACgkQ1enkP335
7oxnEw//ebb9FK16oXpvW6nifNgSHUBYRaq+3ApvSfGG8Er1M0Zn80iD/WY8wzM7
ZabUUNlOdnOs0iQivMYzy+8QzP9NRaqX2WZk/Q1koNT5WAt9+VDCw6hhbp6FN8B9
9aeRvdawNME9JPysl3KOR6DnYJQnpJgV0yQ2pJM2yMKNuDFkvy6E9ieMoWAGx5Ya
8JZ4KGFubA1vDPj5xowkRDxZo+SLdAaEMQw0YG8DWSK5BViZV+3d4OMAAL1RjnZy
s4OSghqi7wUbgo8XO38/roN4y4BEgmEXU0IpSRNf1xrwCoFM82hEgOO3xWxPtbZk
EtDcMUTtMYa1g5IMdGIkVvS4wnNr2j2BAi8WECkPf5QCzCoaX/Xc9jutslTw20M/
UoZnyGgVoOQCsO6ECwLUnSEp772mhS1056c4OKb62kfhlIcGkWi5vk5wjWVZFxEx
rXJC7xabp29e051mnrJtLr85UWUv5B/ywREPyvbdjWg6lJBxB0dOYXMQLpJi6B5i
/bDX7czP/1EeOg+FDSGOR174JGIyMYmPqpyzGpdds72GfOQqtGHC2z41FlvHMglB
9VobSZnF97MIan4/9H4ge+gUUq0PeIZ+invvgCHzuW4oYBOngwwVD5QXfSQUjA9a
etYHkJx+3t4hPrPKAT/J0jHA7AbWtYK7dL6qTxSwli2Gl/D4ipk=
=gxli
-END PGP SIGNATURE-


OpenSSL Security Advisory

2019-03-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [6 March 2019]


ChaCha20-Poly1305 with long nonces (CVE-2019-1543)
==

Severity: Low

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every
encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96
bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce
with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a
nonce to be set of up to 16 bytes. In this case only the last 12 bytes are
significant and any additional leading bytes are ignored.

It is a requirement of using this cipher that nonce values are unique. Messages
encrypted using a reused nonce value are susceptible to serious confidentiality
and integrity attacks. If an application changes the default nonce length to be
longer than 12 bytes and then makes a change to the leading bytes of the nonce
expecting the new value to be a new unique nonce then such an application could
inadvertently encrypt messages with a reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the integrity
guarantee of this cipher. Any application that relies on the integrity of these
ignored leading bytes of a long nonce may be further affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because
no such use sets such a long nonce value. However user applications that use
this cipher directly and set a non-default nonce length to be longer than 12
bytes may be vulnerable.

OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited
scope of affected deployments this has been assessed as low severity and
therefore we are not creating new releases at this time. The 1.1.1 mitigation
for this issue can be found in commit f426625b6a. The 1.1.0 mitigation for this
issue can be found in commit ee22257b14.

This issue does not impact OpenSSL 1.0.2.

This issue was discovered by Joran Dirk Greef of Ronomon. The fix was developed
by Matt Caswell from the OpenSSL development team. It was reported to OpenSSL on
26th February 2019.

Note


OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190306.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlx/5b4ACgkQ2cTSbQ5g
RJEXSwgAgHQkb/CyWdubYozRAeUDBT9o6gt/kgsBwPYBxAV75lRo4qwBxzfkeQ6P
6EUFSzEPhabQOhpnTY4QaqphzG2FAl4BbtDalYN+zPOZxppmH7O8Kje+j+onInDI
O4jbjXLgAlgmf5jw5IyhfxQKcaFbdLtcFGzh1t4rMEhT+ehx8ePnGnklPTjfh4ea
bN+BlM1Fm6Au3i/IJB2I6e8ayxFnTx9mAegPvV/RRYma43Ee/Hpvb6eBaTfTZ9yp
lOp0jG4iViB4r3EP3H/l5oVC9fWCAI0Am+vcLq9PsWl632fc39hDREhPrRMfnOds
40ayI4NwoUu4Z89Qdae1iWEUkgjRgA==
=Aub4
-END PGP SIGNATURE-


OpenSSL Security Advisory

2019-02-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

OpenSSL Security Advisory [26 February 2019]


0-byte record padding oracle (CVE-2019-1559)


Severity: Moderate

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one) then
OpenSSL can respond differently to the calling application if a 0 byte record is
received with invalid padding compared to if a 0 byte record is received with an
invalid MAC. If the application then behaves differently based on that in a way
that is detectable to the remote peer, then this amounts to a padding oracle
that could be used to decrypt data.

In order for this to be exploitable "non-stitched" ciphersuites must be in use.
Stitched ciphersuites are optimised implementations of certain commonly used
ciphersuites. Also the application must call SSL_shutdown() twice even if a
protocol error has occurred (applications should not do this but some do
anyway).

This issue does not impact OpenSSL 1.1.1 or 1.1.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2r.

This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram,
with additional investigation by Steven Collison and Andrew Hourselt. It was
reported to OpenSSL on 10th December 2018.

Note


OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190226.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlx1U+gACgkQ2cTSbQ5g
RJFnlAf/U9yZtCz59BjgD0Kh7Eya5KxlmUWItdBu1r3DwbY4KDgL/Wwh4UxG3Qim
D7Ht5Xsta4iAywrMRI/iPEdEQct8pcpWjq4/65lEbTYjToEnNWhIeWHH/Lw3Jfza
gcVpIfbWoWc7OL7U4uPQuGWcb/PO8fJXF+HcCdZ+kIuut0peMSgN5sK/wBnmSdsM
+sJXCei+jwVy/9WvCBMOooX7D8oerJ6NX12n2cNAYH/K7e2deiPZ7D/HB7T9MSv/
BgOi1UqFzBxcsNhFpY5NMTHG8pl0bmS0OiZ9bThN0YHwxFVJz6ZsVX/L5cYOAbm/
mJAdDE24XMmUAOlVZrROzCZKXADx/A==
=8h8L
-END PGP SIGNATURE-


[openssl-announce] OpenSSL Security Advisory

2018-11-12 Thread Matt Caswell
OpenSSL Security Advisory [12 November 2018]


Microarchitecture timing vulnerability in ECC scalar multiplication 
(CVE-2018-5407)
===

Severity: Low

OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown
to be vulnerable to a microarchitecture timing side channel attack. An attacker
with sufficient access to mount local timing attacks during ECDSA signature
generation could recover the private key.

This issue does not impact OpenSSL 1.1.1 and is already fixed in the latest
version of OpenSSL 1.1.0 (1.1.0i). OpenSSL 1.0.2 is affected but due to the low
severity of this issue we are not creating a new release at this time. The 1.0.2
mitigation for this issue can be found in commit b18162a7c.

OpenSSL 1.1.0 users should upgrade to 1.1.0i.

This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri.

Note


OpenSSL 1.1.0 is currently only receiving security updates. Support for this
version will end on 11th September 2019. Users of this version should upgrade to
OpenSSL 1.1.1.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20181112.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html



signature.asc
Description: OpenPGP digital signature
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2018-06-12 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


OpenSSL Security Advisory [12 June 2018]


Client DoS due to large DH parameter (CVE-2018-0732)


Severity: Low

During key agreement in a TLS handshake using a DH(E) based ciphersuite a
malicious server can send a very large prime value to the client. This will
cause the client to spend an unreasonably long period of time generating a key
for this prime resulting in a hang until the client has finished. This could be
exploited in a Denial Of Service attack.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
and OpenSSL 1.0.2p when they become available. The fix is also available in
commit ea7abeeab (for 1.1.0) and commit 3984ef0b7 (for 1.0.2) in the OpenSSL git
repository.

This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken who also
developed the fix.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180612.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlsfnTgACgkQ2cTSbQ5g
RJE9Twf/VSgXaFPlW+JyA2BAiwGREMr/oMQe8mhmka3WQgNb7oMQRxk4ZqwRvLi2
ggPVOQilJ+tkXgeifEQ3SDRxDnnmcUvxbWB8Lt+7tjhM6O+GYGbGbzupnkBs2IIY
72vll4l7ySMQ8/fcdU/uuNyObfigLC9XndH3tEewxffs6uvDxMyGhZmNQpq1aZNj
rGj3dETUuO/Ln8siAD7nkv9xodRINViMP76fSKAtdaikvZa3uhLBMhX5tOzpR/ta
tc2+6uthdU9JjSRZZpfDlzzhsOFqMrLfOLrJQIIXshxUNeOZyJCkmT9ED8XZRDMB
twb1kOxCKz8Ky+Xm/Rki9uRVoZFjBg==
=kKic
-END PGP SIGNATURE-
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2018-04-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL Security Advisory [16 Apr 2018]


Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)


Severity: Low

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a
cache timing side channel attack. An attacker with sufficient access to mount
cache timing attacks during the RSA key generation process could recover the
private key.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
and OpenSSL 1.0.2p when they become available. The fix is also available in
commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2) in the OpenSSL git
repository.

This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
The fix was developed by Billy Brumley.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180416.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJa1MKgAAoJENnE0m0OYESRKOoIAKmRnj0YtE1y89WnRiCjMk8l
Z7XAsPk6nkEa8dlrEvEsUhS90CFSf9OcYliAlfjD/+RVZXXeK4AHn8/g7HxAdDcK
62biQiHbxICBqnrE6DCe6GrMXEy3MWuefSWnoTyd/x8W1grjdhkrlmIqe68DP0iv
WItmStRVOpx4mQDcrYqw6ZKhhu1Lv007khyAornJP+S6NSlK6brdNQyRNmp3+HO4
irqPi6xQWGcaAtrdpWi8mDnomld75j5m+G98N/gCqaCAIn7Zau+kAAW1+1dO5S4L
tsQ0CifVnRfUTz0cCL51L8G3a3RWYs34AXRZvSRi3q88AiZ1L6FCF2cHZJu1KuE=
=+TYO
-END PGP SIGNATURE-
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2018-03-27 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL Security Advisory [27 Mar 2018]


Constructed ASN.1 types with a recursive definition could exceed the stack 
(CVE-2018-0739)
==

Severity: Moderate

Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There are
no such structures used within SSL/TLS that come from untrusted sources so this
is considered safe.

OpenSSL 1.1.0 users should upgrade to 1.1.0h
OpenSSL 1.0.2 users should upgrade to 1.0.2o

This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz project.
The fix was developed by Matt Caswell of the OpenSSL development team.

Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)


Severity: Moderate

Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
effectively reduced to only comparing the least significant bit of each byte.
This allows an attacker to forge messages that would be considered as
authenticated in an amount of tries lower than that guaranteed by the security
claims of the scheme. The module can only be compiled by the HP-UX assembler, so
that only HP-UX PA-RISC targets are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0h

This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg (IBM).
The fix was developed by Andy Polyakov of the OpenSSL development team.

rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
=

Severity: Low

This issue has been reported in a previous OpenSSL security advisory and a fix
was provided for OpenSSL 1.0.2. Due to the low severity no fix was released at
that time for OpenSSL 1.1.0. The fix is now available in OpenSSL 1.1.0h.

There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this defect
would be very difficult to perform and are not believed likely. Attacks
against DH1024 are considered just feasible, because most of the work
necessary to deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have to share
the DH1024 private key among multiple clients, which is no longer an option
since CVE-2016-0701.

This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).

Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
and CVE-2015-3193.

OpenSSL 1.1.0 users should upgrade to 1.1.0h
OpenSSL 1.0.2 users should upgrade to 1.0.2n

This issue was reported to OpenSSL on 22nd November 2017 by David Benjamin
(Google). The issue was originally found via the OSS-Fuzz project. The fix was
developed by Andy Polyakov of the OpenSSL development team.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180327.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJaulEjAAoJENnE0m0OYESRc2oH/2E5ya4GF745SK7VB7ZjCWu6
tN5q3CNr1gUiZKcsvK4nl/OdP5h+KToHYQR1RBy0tusk1cFHYRuztsZhtb/mm0DD
Z3adXvnz8VFeCyNC/aptwOO0OoPbUHgqhf1L5deNaXMZJDqEjz/6WlVfFQezSeVf
h0Sy72SmX2h+Jt1Zh+VYjfX/xMTnX6CWrbyC78KKZ88s4dSYbMsYdJuJSqpar/C1
zQpgCD6Stk0L9J4DB4DYr3MAInMJXRIMyFOZlrOm4oTbZqSdcFxIglCMVPlXpES2
Ke1Gse5bab+O0sr+Ue4Vk0zsi3wv7zaUk8d7YchMpUlqJWKeY3N3i40jnacx1fU=
=ATWc
-END PGP SIGNATURE-
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2017-12-07 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL Security Advisory [07 Dec 2017]


Read/write after SSL object in error state (CVE-2017-3737)
==

Severity: Moderate

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
mechanism. The intent was that if a fatal error occurred during a handshake then
OpenSSL would move into the error state and would immediately fail if you
attempted to continue the handshake. This works as designed for the explicit
handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),
however due to a bug it does not work correctly if SSL_read() or SSL_write() is
called directly. In that scenario, if the handshake fails then a fatal error
will be returned in the initial function call. If SSL_read()/SSL_write() is
subsequently called by the application for the same SSL object then it will
succeed and the data is passed without being decrypted/encrypted directly from
the SSL/TLS record layer.

In order to exploit this issue an application bug would have to be present that
resulted in a call to SSL_read()/SSL_write() being issued after having already
received a fatal error.

This issue does not affect OpenSSL 1.1.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2n

This issue was reported to OpenSSL on 10th November 2017 by David Benjamin
(Google). The fix was proposed by David Benjamin and implemented by Matt Caswell
of the OpenSSL development team.

rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
=

Severity: Low

There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this defect
would be very difficult to perform and are not believed likely. Attacks
against DH1024 are considered just feasible, because most of the work
necessary to deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have to share
the DH1024 private key among multiple clients, which is no longer an option
since CVE-2016-0701.

This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).

Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
and CVE-2015-3193.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it
becomes available. The fix is also available in commit e502cc86d in the OpenSSL
git repository.

OpenSSL 1.0.2 users should upgrade to 1.0.2n

This issue was reported to OpenSSL on 22nd November 2017 by David Benjamin
(Google). The issue was originally found via the OSS-Fuzz project. The fix was
developed by Andy Polyakov of the OpenSSL development team.

Note


Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20171207.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJaKUFJAAoJENnE0m0OYESRp1UH/1Z8hBb1dM82Lnn3b0pQ1LjF
xBqs0cBFax6z8gelZzUI3CEJe78n3YB6jJiyCDOvrsrb9dx4kGvt97R9x9Np6glh
/cL98I1mVwLdLciE1WeBPBFDijp5Bii4pz3q4StFGmh9g9cQ70onz8OO0RB9GSS5
dpbRcbOZLcyt3Lnqmnx86SLAdGgF635SO0EE10txDXjgEUK3Zo+gT+/jelwoNLXT
mtYfqgXp6+Eqa08Qq3Nmrgqz4azhFLD5szixmnXQwbP+OpiT+zpNXsV5qqemWFn9
aV2qzDJJtrpObaPXSqKCBUA7C1qYmj9OmeaDUVJ29vS1mm09hs18if954ib6nbw=
=MmWs
-END PGP SIGNATURE-
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2017-11-02 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL Security Advisory [02 Nov 2017]


bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
==

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.

This only affects processors that support the BMI1, BMI2 and ADX extensions like
Intel Broadwell (5th generation) and later or AMD Ryzen.

Note: This issue is very similar to CVE-2017-3732 and CVE-2015-3193 but must be
treated as a separate problem.

OpenSSL 1.1.0 users should upgrade to 1.1.0g
OpenSSL 1.0.2 users should upgrade to 1.0.2m

This issue was reported to OpenSSL on 10th August 2017 by the OSS-Fuzz project.
The fix was developed by Andy Polyakov of the OpenSSL development team.

Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)


Severity: Low

This issue was previously announced in security advisory
https://www.openssl.org/news/secadv/20170828.txt, but the fix has not previously
been included in a release due to its low severity.

OpenSSL 1.1.0 users should upgrade to 1.1.0g
OpenSSL 1.0.2 users should upgrade to 1.0.2m


Note


Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20171102.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJZ+y3yAAoJENnE0m0OYESRWooH/2cS+HkzBCCdnJ/CWuhKomTe
hshdBbYw/eYeZgrUYZX6CYosvhLX1Hkwef3vVMxHDXsnBnnZfGfwCS2EfXJ96xXK
KiXVchBwlpmovrOuAvrGtPqLkiVOZZpGMfopP30WCKc6tkdqjw/NvruMbg7Iz+Sy
ki5AM7Vw7kAEa18KAGjSN4jSrCHMIKkOeGkmay5hHlYLwQRQDAAo5EmWmVOJpUXF
ddvQ6h+NKqlWAMF+2/U3PhUFa4V7xqlKR3GMdRawVSaoKQUsPXvRGAhLnvqfOonx
y0yl7y9a7EJrcRl8HWf7qqZf0B/m3YapCHNNcBYWry+qk7LJgGjIHDF8VFkEABg=
=k+bJ
-END PGP SIGNATURE-
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2017-02-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL Security Advisory [16 Feb 2017]


Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)


Severity: High

During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then this
can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0e

This issue does not affect OpenSSL version 1.0.2.

This issue was reported to OpenSSL on 31st January 2017 by Joe Orton (Red Hat).
The fix was developed by Matt Caswell of the OpenSSL development team.

Note


Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20170216.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJYpZMiAAoJENnE0m0OYESRMUgH/0UN9sxxgyDewSCMeTOYPauK
cSPqyw1pndQI6Lu+d3OCdWd01rdLcm+HxlbW5FOUjGZ4G9YefE0+JcvKkIuLGIpQ
1EE0g/ZuBzWDh7/MkFWcmjHceYVXi5sKewtWcQvO9uePzlPhlSZoNIL1G66n1HAo
of3ZlSL5BmibaTiz1WmpDG//0W1pgYP5OdvQ8/AVrJJf8pUnU9Oyubm1yCyK2RHi
jfJWLbMx0ENgW4G1sW4s8bPaj4GwLjIrZl8ocqoyAHhghkBv/UXUhv6i62bKHmxW
vfYwwiU0GlRVwPXzFKbbE3qqCRyDsq+XLAe/09NZZWA+BtscWuUhUpyEODBqzeY=
=zqNG
-END PGP SIGNATURE-
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2017-01-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL Security Advisory [26 Jan 2017]


Truncated packet could crash via OOB read (CVE-2017-3731)
=

Severity: Moderate

If an SSL/TLS server or client is running on a 32-bit host, and a specific
cipher is being used, then a truncated packet can cause that server or client
to perform an out-of-bounds read, usually resulting in a crash.

For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305;
users should upgrade to 1.1.0d

For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have
not disabled that algorithm should update to 1.0.2k

This issue was reported to OpenSSL on 13th November 2016 by Robert Święcki of
Google. The fix was developed by Andy Polyakov of the OpenSSL development team.

Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
===

Severity: Moderate

If a malicious server supplies bad parameters for a DHE or ECDHE key exchange
then this can result in the client attempting to dereference a NULL pointer
leading to a client crash. This could be exploited in a Denial of Service
attack.

OpenSSL 1.1.0 users should upgrade to 1.1.0d

This issue does not affect OpenSSL version 1.0.2.

Note that this issue was fixed prior to it being recognised as a security
concern. This means the git commit with the fix does not contain the CVE
identifier. The relevant fix commit can be identified by commit hash efbe126e3.

This issue was reported to OpenSSL on 14th January 2017 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.

BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
==

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
similar to CVE-2015-3193 but must be treated as a separate problem.

OpenSSL 1.1.0 users should upgrade to 1.1.0d
OpenSSL 1.0.2 users should upgrade to 1.0.2k

This issue was reported to OpenSSL on 15th January 2017 by the OSS-Fuzz project.
The fix was developed by Andy Polyakov of the OpenSSL development team.

Montgomery multiplication may produce incorrect results (CVE-2016-7055)
===

Severity: Low

This issue was previously fixed in 1.1.0c and covered in security advisory
https://www.openssl.org/news/secadv/20161110.txt

OpenSSL 1.0.2k users should upgrade to 1.0.2k


Note


Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20170126.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJYifonAAoJENnE0m0OYESRnhYH/1ldFYDEZ894DleZfjRrZulX
OQkEH7w6v+D6YFp8i2v6rJaDq8caOPEhzupQCxPcqYitBUnww9UzUvYJ77aBV0CG
DQ3UvE9XeEn5D7MGAGq/ut5Z5WpvlYL7n7PaciX751vpTsWTBKfGecQ8YV0aT6y+
7V7vHz6NVFnuTQDMUYs9C9aTsCDTNy3Bl84d7gYyoDWXUXds5k008g9LFRI4YQ8l
+4z+GXRVcvAFr6fKH94Yq1RMAp6cJi0RDkyuwcGhSOUwVfSLTN8+i2v4xqzKgsx1
q2qPo3+7uederE5ZaNZScl0xAzEilotxLQyy9XSVx/DDXHz0in1500qxgxNFELU=
=12E/
-END PGP SIGNATURE-
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2016-11-10 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL Security Advisory [10 Nov 2016]


ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
==

Severity: High

TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
attack by corrupting larger payloads. This can result in an OpenSSL crash. This
issue is not considered to be exploitable beyond a DoS.

OpenSSL 1.1.0 users should upgrade to 1.1.0c

This issue does not affect OpenSSL versions prior to 1.1.0

This issue was reported to OpenSSL on 25th September 2016 by Robert
Święcki (Google Security Team), and was found using honggfuzz. The fix
was developed by Richard Levitte of the OpenSSL development team.

CMS Null dereference (CVE-2016-7053)


Severity: Moderate

Applications parsing invalid CMS structures can crash with a NULL pointer
dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type
in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure
callback if an attempt is made to free certain invalid encodings. Only CHOICE
structures using a callback which do not handle NULL value are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0c

This issue does not affect OpenSSL versions prior to 1.1.0

This issue was reported to OpenSSL on 12th October 2016 by Tyler Nighswander of
ForAllSecure. The fix was developed by Stephen Henson of the OpenSSL
development team.

Montgomery multiplication may produce incorrect results (CVE-2016-7055)
===

Severity: Low

There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits. Analysis suggests that attacks against RSA, DSA
and DH private keys are impossible. This is because the subroutine in
question is not used in operations with the private key itself and an input
of the attacker's direct choice. Otherwise the bug can manifest itself as
transient authentication and key negotiation failures or reproducible
erroneous outcome of public-key operations with specially crafted input.
Among EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation. Impact was not analyzed in
detail, because pre-requisites for attack are considered unlikely. Namely
multiple clients have to choose the curve in question and the server has to
share the private key among them, neither of which is default behaviour.
Even then only clients that chose the curve will be affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0c

This issue does not affect OpenSSL versions prior to 1.0.2. Due to the low
severity of this defect we are not issuing a new 1.0.2 release at this time.
We recommend that 1.0.2 users wait for the next 1.0.2 release for the fix to
become available. The fix is also available in the OpenSSL git repository in
commit 57c4b9f6a2.

This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing reproducible case. The fix was developed by Andy Polyakov of
the OpenSSL development team.

Note


As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.

Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20161110.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJYJH8JAAoJENnE0m0OYESRaZwH/1S6sjqemFtHXVk77xMMbUmY
kKGJoo5/7wJQWdw9LMPoxjXDyW0fWTKI+Ly2qfP8ZwVizONndN1HCDdWPSbT9EvN
1OG6gr0BQBmlcENCBrSuGwojAtQuMd47q3IAR3ZSx5yvYby4Lg9tXk1FjvnQ600O
Z19r1lvc6efeO1fXPBqIUUPJ4y2XN7P1DDlE5UWxacN5Xn+a6cqrieuj0g1aoZ0h
rw4fEI7o3EEufYTtodos61xLqZWq8quaMuerWEq0HfEOyMGGyDkmnQkXdU0X7o4g
U17vgzM7CvN7+weBz8hVHd0RARAl21vBjYV/G1kruBxD+cYjdavzGGAf/Z1o15w=
=MmoX
-END PGP SIGNATURE-
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2016-09-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


OpenSSL Security Advisory [26 Sep 2016]


This security update addresses issues that were caused by patches
included in our previous security update, released on 22nd September
2016.  Given the Critical severity of one of these flaws we have
chosen to release this advisory immediately to prevent upgrades to the
affected version, rather than delaying in order to provide our usual
public pre-notification.


Fix Use After Free for large message sizes (CVE-2016-6309)
==

Severity: Critical

This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.

The patch applied to address CVE-2016-6307 resulted in an issue where if a
message larger than approx 16k is received then the underlying buffer to store
the incoming message is reallocated and moved. Unfortunately a dangling pointer
to the old location is left which results in an attempt to write to the
previously freed location. This is likely to result in a crash, however it
could potentially lead to execution of arbitrary code.

OpenSSL 1.1.0 users should upgrade to 1.1.0b

This issue was reported to OpenSSL on 23rd September 2016 by Robert
Święcki (Google Security Team), and was found using honggfuzz. The fix
was developed by Matt Caswell of the OpenSSL development team.

Missing CRL sanity check (CVE-2016-7052)


Severity: Moderate

This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.

A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.

OpenSSL 1.0.2i users should upgrade to 1.0.2j

The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and
Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL development
team.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160926.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJX6PBJAAoJENnE0m0OYESRGacIALa7/Vg0SQzqjhD/KphCdKos
BjkDcEO00y3JDyYqqQxfcrM9jSwBbrNzmHdEzBcPlvvDq9qhGwsODKbGylI2St5r
zVHw1qA60/+Hu9PjaGT24a8MX+fPjA4RObB/BGZ7ViucZzCxqqtJob73InKwM8+9
OyjTmrphbyFa/Hk/OUWVzjatzQjEN+a5QplRTR2Sd4fBZDWowrtOdPGmbBQfRRgm
AbEO5ZPaVKBoRuMk6JsR3LFymZ2FpHjLs9HNBtSmLLdzfIXxVE+uOb9b5wdAMP/3
4cTMkhfeS3RF0GuMT3EyH/EuZS6KkjuE8y/aVTq5s3yhK3ah5kT85IO1ps0yDx0=
=WJwY
-END PGP SIGNATURE-
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2016-09-22 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


OpenSSL Security Advisory [22 Sep 2016]


OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=

Severity: High

A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. This will eventually lead to a Denial Of Service attack through memory
exhaustion. Servers with a default configuration are vulnerable even if they do
not support OCSP. Builds using the "no-ocsp" build time option are not affected.

Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
configuration, instead only if an application explicitly enables OCSP stapling
support.

OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.

SSL_peek() hang on empty record (CVE-2016-6305)
===

Severity: Moderate

OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
empty record. This could be exploited by a malicious peer in a Denial Of Service
attack.

OpenSSL 1.1.0 users should upgrade to 1.1.0a

This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The
fix was developed by Matt Caswell of the OpenSSL development team.

SWEET32 Mitigation (CVE-2016-2183)
==

Severity: Low

SWEET32 (https://sweet32.info) is an attack on older block cipher algorithms
that use a block size of 64 bits. In mitigation for the SWEET32 attack DES based
ciphersuites have been moved from the HIGH cipherstring group to MEDIUM in
OpenSSL 1.0.1 and OpenSSL 1.0.2.  OpenSSL 1.1.0 since release has had these
ciphersuites disabled by default.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 16th August 2016 by Karthikeyan
Bhargavan and Gaetan Leurent (INRIA). The fix was developed by Rich Salz of the
OpenSSL development team.

OOB write in MDC2_Update() (CVE-2016-6303)
==

Severity: Low

An overflow can occur in MDC2_Update() either if called directly or
through the EVP_DigestUpdate() function using MDC2. If an attacker
is able to supply very large amounts of input data after a previous
call to EVP_EncryptUpdate() with a partial block then a length check
can overflow resulting in a heap corruption.

The amount of data needed is comparable to SIZE_MAX which is impractical
on most platforms.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 11th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.

Malformed SHA512 ticket DoS (CVE-2016-6302)
===

Severity: Low

If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
DoS attack where a malformed ticket will result in an OOB read which will
ultimately crash.

The use of SHA512 in TLS session tickets is comparatively rare as it requires
a custom server callback and ticket lookup mechanism.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.

OOB write in BN_bn2dec() (CVE-2016-2182)


Severity: Low

The function BN_bn2dec() does not check the return value of BN_div_word().
This can cause an OOB write if an application uses this function with an
overly large BIGNUM. This could be a problem if an overly large certificate
or CRL is printed out from an untrusted source. TLS is not affected because
record limits will reject an oversized certificate before it is parsed.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.

OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
==

Severity: Low

The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
the total length the OID text representation would use and not the amount
of data written. This will result in OOB reads when large OIDs are presented.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 us

[openssl-announce] OpenSSL Security Advisory

2016-05-03 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [3rd May 2016]


Memory corruption in the ASN.1 encoder (CVE-2016-2108)
==

Severity: High

This issue affected versions of OpenSSL prior to April 2015. The bug
causing the vulnerability was fixed on April 18th 2015, and released
as part of the June 11th 2015 security releases. The security impact
of the bug was not known at the time.

In previous versions of OpenSSL, ASN.1 encoding the value zero
represented as a negative integer can cause a buffer underflow
with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does
not normally create "negative zeroes" when parsing ASN.1 input, and
therefore, an attacker cannot trigger this bug.

However, a second, independent bug revealed that the ASN.1 parser
(specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag
as a negative zero value. Large universal tags are not present in any
common ASN.1 structures (such as X509) but are accepted as part of ANY
structures.

Therefore, if an application deserializes untrusted ASN.1 structures
containing an ANY field, and later reserializes them, an attacker may
be able to trigger an out-of-bounds write. This has been shown to
cause memory corruption that is potentially exploitable with some
malloc implementations.

Applications that parse and re-encode X509 certificates are known to
be vulnerable. Applications that verify RSA signatures on X509
certificates may also be vulnerable; however, only certificates with
valid signatures trigger ASN.1 re-encoding and hence the
bug. Specifically, since OpenSSL's default TLS X509 chain verification
code verifies the certificate chain from root to leaf, TLS handshakes
could only be targeted with valid certificates issued by trusted
Certification Authorities.

OpenSSL 1.0.2 users should upgrade to 1.0.2c
OpenSSL 1.0.1 users should upgrade to 1.0.1o

This vulnerability is a combination of two bugs, neither of which
individually has security impact. The first bug (mishandling of
negative zero integers) was reported to OpenSSL by Huzaifa Sidhpurwala
(Red Hat) and independently by Hanno Böck in April 2015. The second
issue (mishandling of large universal tags) was found using libFuzzer,
and reported on the public issue tracker on March 1st 2016. The fact
that these two issues combined present a security vulnerability was
reported by David Benjamin (Google) on March 31st 2016. The fixes were
developed by Steve Henson of the OpenSSL development team, and David
Benjamin.  The OpenSSL team would also like to thank Mark Brand and
Ian Beer from the Google Project Zero team for their careful analysis
of the impact.

The fix for the "negative zero" memory corruption bug can be
identified by commits

3661bb4e7934668bd99ca777ea8b30eedfafa871 (1.0.2)
and
32d3b0f52f77ce86d53f38685336668d47c5bdfe (1.0.1)

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
==

Severity: High

A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI.

This issue was introduced as part of the fix for Lucky 13 padding
attack (CVE-2013-0169). The padding check was rewritten to be in
constant time by making sure that always the same bytes are read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding
bytes.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 13th of April 2016 by Juraj
Somorovsky using TLS-Attacker. The fix was developed by Kurt Roeckx
of the OpenSSL development team.

EVP_EncodeUpdate overflow (CVE-2016-2105)
=

Severity: Low

An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption.

Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by the
PEM_write_bio* family of functions. These are mainly used within the OpenSSL
command line applications. These internal uses are not considered vulnerable
because all calls are bounded with length checks so no overflow is possible.
User applications that call these APIs directly with large amounts of untrusted
data may be vulnerable. (Note: Initial analysis suggested that the
PEM_write_bio* were vulnerable, and this is reflected in the patch commit
message. This is no longer believed to be the case).

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 3rd March 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.

E

[openssl-announce] OpenSSL Security Advisory

2016-03-01 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [1st March 2016]
=

NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers.  We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176


Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)


Severity: High

A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle.  Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).

Recovering one session key requires the attacker to perform approximately 2^50
computation, as well as thousands of connections to the affected server. A more
efficient variant of the DROWN attack exists against unpatched OpenSSL servers
using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).

Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
servers, if they've not done so already. Disabling all SSLv2 ciphers is also
sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
1.0.2f) have been deployed.  Servers that have not disabled the SSLv2 protocol,
and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers.

OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:

SSLv2 is now by default disabled at build-time.  Builds that are not configured
with "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
need to explicitly call either of:

   SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
   or
   SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application explicitly
uses the version-specific SSLv2_method() or its client or server variants,
SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
longer available.

In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
OpenSSL.  Builds that are not configured with "enable-weak-ssl-ciphers" will
not provide any "EXPORT" or "LOW" strength ciphers.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on December 29th 2015 by Nimrod Aviram and
Sebastian Schinzel. The fix was developed by Viktor Dukhovni and Matt Caswell
of OpenSSL.


Double-free in DSA code (CVE-2016-0705)
===

Severity: Low

A double free bug was discovered when OpenSSL parses malformed DSA private keys
and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources.  This scenario is considered
rare.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on February 7th 2016 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr Stephen Henson
of OpenSSL.


Memory leak in SRP database lookups (CVE-2016-0798)
===

Severity: Low

The SRP user database lookup method SRP_VBASE_get_by_user had
confusing memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no way of
distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.  Servers that do not configure SRP, or
configure SRP but do not configure a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in
SRP_VBASE_get_by_user is now disabled even if the user has configured
a seed.  Applications are advised to migrate to
SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong
guarantees about the indistinguishability of valid and invalid
logins. In particular, computations are currentl

[openssl-announce] OpenSSL Security Advisory

2016-01-28 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [28th Jan 2016]
=

NOTE: SUPPORT FOR VERSION 1.0.1 WILL BE ENDING ON 31ST DECEMBER 2016. NO
SECURITY FIXES WILL BE PROVIDED AFTER THAT DATE. UNTIL THAT TIME SECURITY FIXES
ONLY ARE BEING APPLIED.

DH small subgroups (CVE-2016-0701)
==

Severity: High

Historically OpenSSL usually only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for generating
X9.42 style parameter files such as those required for RFC 5114 support. The
primes used in such files may not be "safe". Where an application is using DH
configured with parameters based on primes that are not "safe" then an attacker
could use this fact to find a peer's private DH exponent. This attack requires
that the attacker complete multiple handshakes in which the peer uses the same
private DH exponent. For example this could be used to discover a TLS server's
private DH exponent if it's reusing the private DH exponent or it's using a
static DH ciphersuite.

OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
It is not on by default. If the option is not set then the server reuses the
same private DH exponent for the life of the server process and would be
vulnerable to this attack. It is believed that many popular applications do set
this option and would therefore not be at risk.

OpenSSL before 1.0.2f will reuse the key if:
- - SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is 
not
  set.
- - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both 
the
  parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
  an undocumted feature and parameter files don't contain the key.
- - Static DH ciphersuites are used. The key is part of the certificate and
  so it will always reuse it. This is only supported in 1.0.2.

It will not reuse the key for DHE ciphers suites if:
- - SSL_OP_SINGLE_DH_USE is set
- - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
  callback does not provide the key, only the parameters. The callback is
  almost always used like this.

Non-safe primes are generated by OpenSSL when using:
- - genpkey with the dh_rfc5114 option. This will write an X9.42 style file
  including the prime-order subgroup size "q". This is supported since the 1.0.2
  version. Older versions can't read files generated in this way.
- - dhparam with the -dsaparam option. This has always been documented as
  requiring the single use.

The fix for this issue adds an additional check where a "q" parameter is
available (as is the case in X9.42 based parameters). This detects the
only known attack, and is the only possible defense for static DH ciphersuites.
This could have some performance impact.

Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
and cannot be disabled. This could have some performance impact.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2f

OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42
based parameters. It is possible to generate parameters using non "safe" primes,
but this option has always been documented as requiring single use and is not
the default or believed to be common. However, as a precaution, the
SSL_OP_SINGLE_DH_USE change has also been backported to 1.0.1r.

This issue was reported to OpenSSL on 12 January 2016 by Antonio Sanso (Adobe).
The fix was developed by Matt Caswell of the OpenSSL development team
(incorporating some work originally written by Stephen Henson of the OpenSSL
core team).

SSLv2 doesn't block disabled ciphers (CVE-2015-3197)


Severity: Low

A malicious client can negotiate SSLv2 ciphers that have been disabled on the
server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and
Sebastian Schinzel. The fix was developed by Nimrod Aviram with further
development by Viktor Dukhovni of the OpenSSL development team.


An update on DHE man-in-the-middle protection (Logjam)


A previously published vulnerability in the TLS protocol allows a
man-in-the-middle attacker to downgrade vulnerable TLS connections
using ephemeral Diffie-Hellman key exchange to 512-bit export-grade
cryptography. This vulnerability is known as Logjam
(CVE-2015-4000). OpenSSL added Logjam mitigation for TLS 

[openssl-announce] Updated OpenSSL Security Advisory

2015-12-04 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
=

[Updated 4 Dec 2015]: This advisory has been updated to include the details of
CVE-2015-1794, a Low severity issue affecting OpenSSL 1.0.2 which had a fix
included in the released packages but was missed from the advisory text.

NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 13 2015 by Hanno
Böck. The fix was developed by Andy Polyakov of the OpenSSL
development team.

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===

Severity: Moderate

The signature verification routines will crash with a NULL pointer dereference
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
mask generation function parameter. Since these routines are used to verify
certificate signature algorithms this can be used to crash any certificate
verification operation and exploited in a DoS attack. Any application which
performs certificate verification is vulnerable including OpenSSL clients and
servers which enable client authentication.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q

This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne
(Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL
development team.

X509_ATTRIBUTE memory leak (CVE-2015-3195)
==

Severity: Moderate

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is affected.
SSL/TLS is not affected.

This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh

This issue was reported to OpenSSL on November 9 2015 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen
Henson of the OpenSSL development team.

Race condition handling PSK identify hint (CVE-2015-3196)
=

Severity: Low

If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.

This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously
listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0
and has not been previously fixed in an OpenSSL 1.0.0 release.

OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t

The fix for this issue can be identified in the OpenSSL git repository by commit
ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).

The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)


Severity: Low

If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
the value of p set to 0 then a seg fault can occur leading to a possible denial
of service attack.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to

[openssl-announce] OpenSSL Security Advisory

2015-12-03 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [3 Dec 2015]
===

NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 13 2015 by Hanno
Böck. The fix was developed by Andy Polyakov of the OpenSSL
development team.

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===

Severity: Moderate

The signature verification routines will crash with a NULL pointer dereference
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
mask generation function parameter. Since these routines are used to verify
certificate signature algorithms this can be used to crash any certificate
verification operation and exploited in a DoS attack. Any application which
performs certificate verification is vulnerable including OpenSSL clients and
servers which enable client authentication.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q

This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne
(Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL
development team.

X509_ATTRIBUTE memory leak (CVE-2015-3195)
==

Severity: Moderate

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is affected.
SSL/TLS is not affected.

This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh

This issue was reported to OpenSSL on November 9 2015 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen
Henson of the OpenSSL development team.

Race condition handling PSK identify hint (CVE-2015-3196)
=

Severity: Low

If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.

This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously
listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0
and has not been previously fixed in an OpenSSL 1.0.0 release.

OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t

The fix for this issue can be identified in the OpenSSL git repository by commit
ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).

The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Note


As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
versions will be provided after that date. In the absence of significant
security issues being identified prior to that date, the 1.0.0t and 0.9.8zh
releases will be the last for those versions. Users of these versions are
advised to upgrade.


References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20151203.txt

Note: the online version of the advisory may be updated with additional
details over time.

For

[openssl-announce] OpenSSL Security Advisory

2015-07-09 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [9 Jul 2015]
===

Alternative chains certificate forgery (CVE-2015-1793)
==

Severity: High

During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David
Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.

Note


As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150709.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJVnml8AAoJENnE0m0OYESRlcYH/iUe62/m2oZiuBHkKQvLBUbH
VrLDp7xEXEg6ozByLyxughAFwY9XD2r9WkXehxw66af2pmNHphXH3Gbfpcebki0r
HuZJ3CbGD/RSomWdAqkzRfV8MjNxmN4Pyi+sTsf7F+nKv80Ts51iUN1pPjkddAR8
ooKw0VMIENeMboWQ9SyQ3r7TYYywK+lXUG71Ekva9ByzABBwC/1CzZeSLJmuewnJ
+9TjwQ4otH/mUJ/klvw+G2eTSn64AnA6UEFR+sBL4aNpIgdrtjonJRt2ko05Z92N
HN/ibu5okd3iUbtkM0dTMGAr2NCrNYPr2dYLMPemwkAq1cRlhjGouRDDeb6TUYk=
=oUAa
-END PGP SIGNATURE-
___
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce


[openssl-announce] OpenSSL Security Advisory

2015-06-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [11 Jun 2015]
===

DHE man-in-the-middle protection (Logjam)


A vulnerability in the TLS protocol allows a man-in-the-middle
attacker to downgrade vulnerable TLS connections using ephemeral
Diffie-Hellman key exchange to 512-bit export-grade cryptography. This
vulnerability is known as Logjam (CVE-2015-4000).

OpenSSL has added protection for TLS clients by rejecting handshakes
with DH parameters shorter than 768 bits. This limit will be increased
to 1024 bits in a future release.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n

Fixes for this issue were developed by Emilia Käsper and Kurt Roeckx
of the OpenSSL development team.

Malformed ECParameters causes infinite loop (CVE-2015-1788)
===

Severity: Moderate

When processing an ECParameters structure OpenSSL enters an infinite loop if
the curve specified is over a specially malformed binary polynomial field.

This can be used to perform denial of service against any
system which processes public keys, certificate requests or
certificates.  This includes TLS clients and TLS servers with
client authentication enabled.

This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent
1.0.0 and 0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are
affected.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0d (and below) users should upgrade to 1.0.0s
OpenSSL 0.9.8r (and below) users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 6th April 2015 by Joseph Birr-Pixton. The
fix was developed by Andy Polyakov of the OpenSSL development team.

Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
===

Severity: Moderate

X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds. In addition,
X509_cmp_time accepts an arbitrary number of fractional seconds in the
time string.

An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in
a DoS on applications that verify certificates or CRLs. TLS clients
that verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0 users should upgrade to 1.0.0s
OpenSSL 0.9.8 users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 8th April 2015 by Robert Swiecki
(Google), and independently on 11th April 2015 by Hanno Böck. The fix
was developed by Emilia Käsper of the OpenSSL development team.

PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
=

Severity: Moderate

The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.

Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0 users should upgrade to 1.0.0s
OpenSSL 0.9.8 users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 18th April 2015 by  Michal
Zalewski (Google). The fix was developed by Emilia Käsper of the
OpenSSL development team.

CMS verify infinite loop with unknown hash function (CVE-2015-1792)
===

Severity: Moderate

When verifying a signedData message the CMS code can enter an infinite loop
if presented with an unknown hash function OID.

This can be used to perform denial of service against any system which
verifies signedData messages using the CMS code.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0 users should upgrade to 1.0.0s
OpenSSL 0.9.8 users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 31st March 2015 by Johannes Bauer. The
fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Race condition handling NewSessionTicket (CVE-2015-1791)


Severity: Low

If a NewSessionTicket is received by a multi-threaded client

[openssl-announce] OpenSSL Security Advisory

2015-03-19 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [19 Mar 2015]
===

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
=

Severity: High

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will occur.
This can be exploited in a DoS attack against the server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was was reported to OpenSSL on 26th February 2015 by David Ramos
of Stanford University. The fix was developed by Stephen Henson and Matt
Caswell of the OpenSSL development team.

Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)


Severity: High

This security issue was previously announced by the OpenSSL project and
classified as "low" severity. This severity rating has now been changed to
"high".

This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.

Multiblock corrupted pointer (CVE-2015-0290)


Severity: Moderate

OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature
only applies on 64 bit x86 architecture platforms that support AES NI
instructions. A defect in the implementation of "multiblock" can cause OpenSSL's
internal write buffer to become incorrectly set to NULL when using non-blocking
IO. Typically, when the user application is using a socket BIO for writing, this
will only result in a failed connection. However if some other BIO is used then
it is likely that a segmentation fault will be triggered, thus enabling a
potential DoS attack.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 13th February 2015 by Daniel Danner and
Rainer Mueller. The fix was developed by Matt Caswell of the OpenSSL development
team.

Segmentation fault in DTLSv1_listen (CVE-2015-0207)
===

Severity: Moderate

The DTLSv1_listen function is intended to be stateless and processes the initial
ClientHello from many peers. It is common for user code to loop over the call to
DTLSv1_listen until a valid ClientHello is received with an associated cookie. A
defect in the implementation of DTLSv1_listen means that state is preserved in
the SSL object from one invocation to the next that can lead to a segmentation
fault. Errors processing the initial ClientHello can trigger this scenario. An
example of such an error could be that a DTLS1.0 only client is attempting to
connect to a DTLS1.2 only server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 27th January 2015 by Per Allansson. The
fix was developed by Matt Caswell of the OpenSSL development team.

Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
===

Severity: Moderate

The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered and fixed by Stephen Henson of the OpenSSL
development team.

Segmentation fault for invalid PSS parameters (CVE-2015-0208)
=

Severity: Moderate

The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS
algorithm and invalid parame

[openssl-announce] OpenSSL Security Advisory

2015-01-08 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [08 Jan 2015]
===

DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
===

Severity: Moderate

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due
to a NULL pointer dereference. This could lead to a Denial Of Service attack.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Markus Stenberg of
Cisco Systems, Inc. The fix was developed by Stephen Henson of the OpenSSL
core team.

DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
===

Severity: Moderate

A memory leak can occur in the dtls1_buffer_record function under certain
conditions. In particular this could occur if an attacker sent repeated DTLS
records with the same sequence number but for the next epoch. The memory leak
could be exploited by an attacker in a Denial of Service attack through memory
exhaustion.

This issue affects OpenSSL versions: 1.0.1 and 1.0.0.

OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.

This issue was reported to OpenSSL on 7th January 2015 by Chris Mueller who also
provided an initial patch. Further analysis was performed by Matt Caswell of the
OpenSSL development team, who also developed the final patch.

no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=

Severity: Low

When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.


ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
==

Severity: Low

An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite
using an ECDSA certificate if the server key exchange message is omitted. This
effectively removes forward secrecy from the ciphersuite.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.


RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
==

Severity: Low

An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. A server could present a weak temporary key
and downgrade the security of the session.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.


DH client certificates accepted without verification [Server] (CVE-2015-0205)
=

Severity: Low

An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client
to authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.

This issue affects OpenSSL versions: 1.0.1 and 1.0.0.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.


Certificate fingerprints can be modified (CVE-2014-8275)


Severity: Low

OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the

OpenSSL Security Advisory

2014-10-15 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [15 Oct 2014]
===

SRTP Memory Leak (CVE-2014-3513)


Severity: High

A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.

This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.


Session Ticket Memory Leak (CVE-2014-3567)
==

Severity: Medium

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc. 

This issue was reported to OpenSSL on 8th October 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.


SSL 3.0 Fallback protection
===

Severity: Medium

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol
downgrade.

Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc. 

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf

Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller.


Build option no-ssl3 is incomplete (CVE-2014-3568)
==

Severity: Low

When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc. 

This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014.

The fix was developed by Akamai and the OpenSSL team.


References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20141015.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJUPnPYAAoJENnE0m0OYESRaBsH/Au+URgDVRsG/LJT89adeBnA
jPEdxf2CV2M4aH5bs2FRES43iWQNQUtDHkmSfOfyICLHYN8no2/78QqMhPr1/euA
bRGB7+P+Epac8LRjXGR9+CJx46Oc0LqDgXdU/7nGe2qB8qo0oR6S3M+ZUsuSB6IU
XbQC0wTeDRXZKJ0dLXLj1ro7JaFd2F692XKilUVdg4cLUuK5IbxdXWzp2ttgoQGB
EbBNHSbbSbbNODUyr/oyna+c+FImAbcTOee0PuGOukEmsDQh/wofbRDb9tn0JdZw
/ZJDJtU1VVeIl+j+uU9fQ0aG/TTjPBMeT5uelA9P/t4SPh+7JDneHbuhY5GCfnI=
=ic92
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory

2014-08-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [6 Aug 2014]


Information leak in pretty printing functions (CVE-2014-3508)
=

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from the
stack. Applications may be affected if they echo pretty printing output to the
attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.

OpenSSL 0.9.8 users should upgrade to 0.9.8zb
OpenSSL 1.0.0 users should upgrade to 1.0.0n.
OpenSSL 1.0.1 users should upgrade to 1.0.1i.

Thanks to Ivan Fratric (Google) for discovering this issue. This issue
was reported to OpenSSL on 19th June 2014.

The fix was developed by Emilia Käsper and Stephen Henson of the OpenSSL
development team.


Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
==

The issue affects OpenSSL clients and allows a malicious server to crash
the client with a null pointer dereference (read) by specifying an SRP
ciphersuite even though it was not properly negotiated with the client. This can
be exploited through a Denial of Service attack.

OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.

Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering 
and
researching this issue. This issue was reported to OpenSSL on 2nd July 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.


Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
==

If a multithreaded client connects to a malicious server using a resumed session
and the server sends an ec point format extension it could write up to 255 bytes
to freed memory.

OpenSSL 1.0.0 SSL/TLS client users should upgrade to 1.0.0n.
OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.

Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue. This issue was reported to OpenSSL on 8th July 2014.

The fix was developed by Gabor Tyukasz.


Double Free when processing DTLS packets (CVE-2014-3505)


An attacker can force an error condition which causes openssl to crash whilst
processing DTLS packets due to memory being freed twice. This can be exploited
through a Denial of Service attack.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

Thanks to Adam Langley and Wan-Teh Chang (Google) for discovering and
researching this issue. This issue was reported to OpenSSL on 6th June
2014.

The fix was developed by Adam Langley.


DTLS memory exhaustion (CVE-2014-3506)
==

An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a Denial of
Service attack.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

Thanks to Adam Langley (Google) for discovering and researching this
issue. This issue was reported to OpenSSL on 6th June 2014.

The fix was developed by Adam Langley.


DTLS memory leak from zero-length fragments (CVE-2014-3507)
===

By sending carefully crafted DTLS packets an attacker could cause openssl to
leak memory. This can be exploited through a Denial of Service attack.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

Thanks to Adam Langley (Google) for discovering and researching this
issue. This issue was reported to OpenSSL on 6th June 2014.

The fix was developed by Adam Langley.

OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
===

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a
denial of service attack. A malicious server can crash the client with a null
pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and
sending carefully crafted handshake messages.

OpenSSL 0.9.8 DTLS client users should upgrade to 0.9.8zb
OpenSSL 1.0.0 DTLS client users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS client users should upgrade to 1.0.1i.

Thanks to Felix Gröbert (Google) for discovering and researching this issue.
This issue was reported to OpenSSL on 18th July 2014.

The fix was developed by Emilia Käsper of the OpenSSL development team.


OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
=

A flaw in the OpenSSL SSL/TLS server code causes the server to

OpenSSL Security Advisory

2014-06-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [05 Jun 2014]


Resend: first version contained characters which could cause signature failure.

SSL/TLS MITM vulnerability (CVE-2014-0224)
===

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and 
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue.  This issue was reported to OpenSSL on 1st May
2014 via JPCERT/CC.

The fix was developed by Stephen Henson of the OpenSSL core team partly based
on an original patch from KIKUCHI Masashi.

DTLS recursion flaw (CVE-2014-0221)


By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.

Only applications using OpenSSL as a DTLS client are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.  This
issue was reported to OpenSSL on 9th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

DTLS invalid fragment vulnerability (CVE-2014-0195)


A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Juri Aedla for reporting this issue.  This issue was
reported to OpenSSL on 23rd April 2014 via HP ZDI.

The fix was developed by Stephen Henson of the OpenSSL core team.

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=

A flaw in the do_ssl3_write function can allow remote attackers to
cause a denial of service via a NULL pointer dereference.  This flaw
only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  The fix was developed by
Matt Caswell of the OpenSSL development team.

SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
===
 
A race condition in the ssl3_read_bytes function can allow remote
attackers to inject data across sessions or cause a denial of service.
This flaw only affects multithreaded applications using OpenSSL 1.0.0
and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  

Anonymous ECDH denial of service (CVE-2014-3470)


OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8za
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Thanks to Felix Grobert and Ivan Fratric at Google for discovering this
issue.  This issue was reported to OpenSSL on 28th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

Other issues


OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for
CVE-2014-0076: Fix for the attack described in the paper "Recovering
OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
Reported by Yuval Yarom and Naomi Benger.  This issue was previously
fixed in OpenSSL 1.0.1g.


References
==

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20140605.txt

Note: the online version of the advisory may be updated with additional
details over time.
-BEGIN PGP SIGNATURE-
Vers

OpenSSL Security Advisory

2014-06-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [05 Jun 2014]


SSL/TLS MITM vulnerability (CVE-2014-0224)
===

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and 
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue.  This issue was reported to OpenSSL on 1st May
2014 via JPCERT/CC.

The fix was developed by Stephen Henson of the OpenSSL core team partly based
on an original patch from KIKUCHI Masashi.

DTLS recursion flaw (CVE-2014-0221)


By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.

Only applications using OpenSSL as a DTLS client are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.  This
issue was reported to OpenSSL on 9th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

DTLS invalid fragment vulnerability (CVE-2014-0195)


A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Jüri Aedla for reporting this issue.  This issue was
reported to OpenSSL on 23rd April 2014 via HP ZDI.

The fix was developed by Stephen Henson of the OpenSSL core team.

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=

A flaw in the do_ssl3_write function can allow remote attackers to
cause a denial of service via a NULL pointer dereference.  This flaw
only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  The fix was developed by
Matt Caswell of the OpenSSL development team.

SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
===
 
A race condition in the ssl3_read_bytes function can allow remote
attackers to inject data across sessions or cause a denial of service.
This flaw only affects multithreaded applications using OpenSSL 1.0.0
and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  

Anonymous ECDH denial of service (CVE-2014-3470)


OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8za
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Thanks to Felix Gröbert and Ivan Fratrić at Google for discovering this
issue.  This issue was reported to OpenSSL on 28th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

Other issues


OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for
CVE-2014-0076: Fix for the attack described in the paper "Recovering
OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
Reported by Yuval Yarom and Naomi Benger.  This issue was previously
fixed in OpenSSL 1.0.1g.


References
==

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20140605.txt

Note: the online version of the advisory may be updated with additional
details over time.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJTkEfyAAoJENNXdQf6QOnimv

OpenSSL Security Advisory

2014-04-07 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

OpenSSL Security Advisory [07 Apr 2014]


TLS heartbeat read overrun (CVE-2014-0160)
==

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley  and Bodo Moeller  for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJTQt1bAAoJENNXdQf6QOniGhkP/AjjZgV+g7ZyxnxdnvA2+sdV
sxNso208Cod8DKnDONtXHuPTkTFfyHl72FM1ea99woe3X6JWj3PyiZGvSfeo4Jj/
QiDJvvcHc5Xq00gAr6MIarhMJbRtYkM+Th6PPXyqODYcb/pDoqy5VWo/R9QkZTPn
zaiXPyapJB/qSYo4UqXWerT9YTLdYmiro//kQN0U/SedF/fNz4CEBcMyz6z7YJAC
LFoE6Vf54PAkNvxjcX9ugIKluBMk5YONRG8PB0X/UDwf9Kj4L6OTT51x1yeFw3Sg
GzTqvKD+2JWzFDCcfJULRCSCEwHhKbjR7n3sI1RPaaEWp5E63+9HSMRYjVOFIwt/
OTrMPbW1BEiX0A7NB7HSrrvddnYd3sz8A44v00oesr+XaW5nyu79IndQwLhPkKYF
Dkb67quw/tfV6Y1r4sETqSd2FrM7MpFzltywMKzVKWNpMSwOAWSBGUl7VH0m84Ty
zAufUSEnYIA3dMC2DnHie+ot4WnjJlTErBmfUb/QNbNYDt0vjhS60oydP1NJ8AlG
aoUK7mslOlVCauAIeGNbi4PzJ+LvWYmyFFGT+M1/UOBZFFvG7jsReBjTIu9dg3Za
S7NE7CeMvRRpOEm1+T9L8a26/c6C9dwF7JPQvMpTR3BeT2jjkYe8rdTCkT91g1sd
J37YgDNuefzrsA+B5/o7
=szjb
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory

2013-02-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [05 Feb 2013]


SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)


Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at: http://www.isg.rhul.ac.uk/tls/

All versions of OpenSSL are affected including 1.0.1c, 1.0.0j and 0.9.8x

Note: this vulnerability is only partially mitigated when OpenSSL is used
in conjuction with the OpenSSL FIPS Object Module and the FIPS mode of
operation is enabled.

Thanks go to Nadhem J. AlFardan and Kenneth G. Paterson of the Information
Security Group Royal Holloway, University of London for discovering this flaw.

An initial fix was prepared by Adam Langley  and Emilia
Käsper  of Google. Additional refinements were added by
Ben Laurie, Andy Polyakov and Stephen Henson of the OpenSSL group.

Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y

TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686)
=

A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on
AES-NI supporting platforms can be exploited in a DoS attack. If you are
unsure if you are using AES-NI see "References" below.

Anyone using an AES-NI platform for TLS 1.2 or TLS 1.1 on OpenSSL 1.0.1c is
affected. Platforms which do not support AES-NI or versions of OpenSSL which
do not implement TLS 1.2 or 1.1 (for example OpenSSL 0.9.8 and 1.0.0) are
not affected.

Thanks go to Adam Langley  for initially discovering the
bug and developing a fix and to Wolfgang Ettlingers
  for independently discovering this issue.

Affected users should upgrade to OpenSSL 1.0.1d

OCSP invalid key DoS issue (CVE-2013-0166)


A flaw in the OpenSSL handling of OCSP response verification can be exploitedin 
a denial of service attack.

All versions of OpenSSL are affected including 1.0.1c, 1.0.0j and 0.9.8x

This flaw was discovered and fixed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y.

References
==
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20130204.txt
Wikipedia AES-NI description:
http://en.wikipedia.org/wiki/AES-NI

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBURETXqLSm3vylcdZAQLE2QgAuHTRN3khjkmt/NRS4hg/mT+YRD+aJMsU
mhCoqYvVuW0GVJHCY4yiBUoj0bgTfwWyazQRaWSFX8ewc/mHqNKYoVBSczb9nxqZ
Kh41maLcKGMHtDNQlb5bINa95+9Ix9+J9Izdd7dWycpApN/azCV+r/kkXVArAq8J
jYZ5Wl7PtSELArAtN5R56TgmSpcZvnIkqm7dV9rkJZGE9PBXskiLJjozWqPHgvQC
HcAXNuAgrWJjuCKimictGoC0gP+tmF7tMIqYKT8/16qAqWs4vBk/Z0rxpQ4wV6pU
6jWjcFL+dVQm/59RKtYwsnBPmXgH9zg7kS2y0xcHTWJG3EKucxe8zQ==
=BgHn
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory

2012-05-10 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [10 May 2012]
===

Invalid TLS/DTLS record attack (CVE-2012-2333)
===

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.

DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing
as a service testing platform.

The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x

References
==

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120510.txt


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT6w226LSm3vylcdZAQKTzgf/cksRhBmKkc5BWGXHxRuNEpr7SplMvM1k
5HcyLrlUKE4E2tredaylgYhbpy9+50e8euv8cWdD5ErBklJ9SGso2YKl/FVOSO0e
T5MyGgOeQ4jAeyLlBahw6O74bUYrO3WntVyLJDrH6gRGN1dDjenMPErPUKUQGUMw
8Yy0JXbxIVhw731ymL6Iv2DuleFZvGCdSgPXbX39qXrAe5mD5wd5jGP50f7S0mEO
mj6/3zPxAHLrn5H9XXwqgebEylQkCHWdMIxSqYihea865/BShT5lXJdLief7YDlh
YEJVquVjGlRgTJZeq6YZab5c1Lg+Jlc9cxtniQv1QaAgfryEJ5biPQ==
=/mgW
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory

2012-04-24 Thread Mark J Cox
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [24 Apr 2012]
===

ASN1 BIO incomplete fix (CVE-2012-2131)
===

It was discovered that the fix for CVE-2012-2110 released on 19 Apr
2012 was not sufficient to correct the issue for OpenSSL 0.9.8.

Please see http://www.openssl.org/news/secadv_20120419.txt for details
of that vulnerability.

This issue only affects OpenSSL 0.9.8v.  OpenSSL 1.0.1a and 1.0.0i
already contain a patch sufficient to correct CVE-2012-2110.

Thanks to Red Hat for discovering and fixing this issue.

Affected users should upgrade to 0.9.8w.

References
==

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120424.txt

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQCVAwUBT5ZV8+6tTP1JpWPZAQIQHwQAvrWr3lRsvFkskFR1apYn/xf0l7cUABGX
HUUtmDRQJuYFyK0UMdInvcrZ7W82FhzzuGNLwnwI5b8Ttn4oOwcntM335WMf8d10
O4S7OjJmjpNEM1Lb0Ik9ZQdxJTepuWgG4iNKXtZIMdY8amCC+a0jPcwDzji2RfHP
OKUh7LxTI5E=
=HggZ
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory

2012-04-19 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [19 Apr 2012]
===

ASN1 BIO vulnerability (CVE-2012-2110)
===

A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2i_read_bio.

Any application which uses BIO or FILE based functions to read untrusted DER
format data is vulnerable. Affected functions are of the form d2i_*_bio or
d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.

Applications using the memory based ASN1 functions (d2i_X509, d2i_PKCS12 etc)
are not affected. In particular the SSL/TLS code of OpenSSL is *not* affected.

Applications only using the PEM routines are not affected.

S/MIME or CMS applications using the built in MIME parser SMIME_read_PKCS7 or
SMIME_read_CMS *are* affected.

The OpenSSL command line utility is also affected if used to process untrusted
data in DER format.

Note: although an application using the SSL/TLS portions of OpenSSL is not
automatically affected it might still call a function such as d2i_X509_bio on
untrusted data and be vulnerable.

Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and
to Adam Langley  for fixing it.

Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v.

References
==

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120419.txt


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT5AJh6LSm3vylcdZAQII+Af/dPNEQrJZ6YHlytaMW6zvkG64pvYBLuoO
BdJQnFBR3oWolOIQDyFD7byECly/czVHA5mTifsG+XyHeLHB5Zr2PsnLBLj3d6Su
verXPt8JU/XQb+Rhn1P9F32qTMwhZkgNcjV3eOprpUBD7qNz+nQd1pJtlKX3asmK
wtVYyX6Dbbe61GQ6nDxT4fLpAL6Yk/YJH3jRA/R4MW/0vyJzYCALKiCsFuAzp2Fl
Ov5n3Gkn+Y+1jaaGpqNxdWv1F3OI8vieC4lN4CfbaDDkQxNCNBRwcucK/tBBKAxK
3gravlQDuqnGn3M6GOpVJ89hZaPscMvsKx80jUKZtn2kPBaC7NxYeQ==
=91XR
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL security advisory

2012-03-12 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [12 Mar 2012]
===

CMS and S/MIME Bleichenbacher attack (CVE-2012-0884)


A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
also known as the million message attack (MMA).

Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A
successful attack needs on average 2^20 messages. In practice only automated
systems will be affected as humans will not be willing to process this many
messages.

SSL/TLS applications are *NOT* affected by this problem since the 
SSL/TLS code does not use the PKCS#7 or CMS decryption code. 

Thanks to Ivan Nestlerode  for discovering
this weakness.

The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.0h or 0.9.8u.

References
==

RFC3218

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120312.txt

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT14b4aLSm3vylcdZAQLNTAf9GZmm+2oCVvpOx1DPv/byirbrVgKzxGUe
bE+KDVFbRFt0t/MkC/CoWAQDZs7ef2E9YZ8R8jy7cEriUTbipuBIetBah2+oTZnM
j3g1LeUth8gYBy//9epcVRTtpjkZ/oZVKYsjbdWnQIgW1hTvpgaqtPRFX3aDWIZv
ArpUSG5YmX+Zg4NYwB3ZMa+je4d2jTQmItqNsTUYv6jdxYYn8LwUQfa3r3f5mkMt
usI7YP2QFaR3q0iTknMM+BmzzxNOcs/3Y4VfXASWiVVVd4i0jltSxgqsvTB2lH3G
woUBIL+tF6KylHGfu9TMdvwj17eD5Q47y94Bg/rxf+hUn/AlPjsWRw==
=aUDu
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory

2012-01-19 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [18 Jan 2011]
===

DTLS DoS attack (CVE-2012-0050)


A flaw in the fix to CVE-2011-4108 can be exploited in a denial of
service attack. Only DTLS applications using OpenSSL 1.0.0f and
0.9.8s are affected.


Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix.

Affected users should upgrade to OpenSSL 1.0.0g or 0.9.8t.

References
==

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120118.txt

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBTxbTZqLSm3vylcdZAQIVsgf/b+bSo2XrK9aWx1MCvgcz9Y1rJS8mOfLS
c1E9ZpIp2uXcHai9PNhtJ8MRW3pVpyHMxqNQ/9ULXYBjRwVl9YT2ipDBN4iZda9M
3Rh3g6vuWwbpNDNnd9xiuTVq8y7cVk1U0VXoOZ9tXIkkKgEITXiAqH1qmo9nthkT
Rv/5cgWmfplnhz0gMANHreRh3cZr/BhQaKHZAZ8Fsa2EqRHdyZagGlwspGqQab85
dT8jiNYABnQDWju28tjpMT/W8vnW0/zTXll21hbNj/R+D/L3lhLY8XNhYsoQrCZo
UIY+quRAsdggLWrFizDA3vxsEdtU1z/5yE+4bs5hzaJhTe0RJUieNw==
=Dkux
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory

2012-01-04 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [04 Jan 2012]
===

Six security flaws have been fixed in OpenSSL 1.0.0f and 0.9.8s.

DTLS Plaintext Recovery Attack (CVE-2011-4108)
==

Nadhem Alfardan and Kenny Paterson have discovered an extension of the 
Vaudenay padding oracle attack on CBC mode encryption which enables an 
efficient plaintext recovery attack against the OpenSSL implementation
of DTLS. Their attack exploits timing differences arising during
decryption processing. A research paper describing this attack can be
found at http://www.isg.rhul.ac.uk/~kp/dtls.pdf

Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
 and Michael Tuexen 
for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s.

Double-free in Policy Checks (CVE-2011-4109)


If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy
check failure can lead to a double-free. The bug does not occur 
unless this flag is set. Users of OpenSSL 1.0.0 are not affected.

This flaw was discovered by Ben Laurie and a fix provided by Emilia
Kasper  of Google.

Affected users should upgrade to OpenSSL 0.9.8s.

Uninitialized SSL 3.0 Padding (CVE-2011-4576)
=

OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the bytes used as
block cipher padding in SSL 3.0 records. This affects both clients and
servers that accept SSL 3.0 handshakes: those that call SSL_CTX_new with
SSLv3_{server|client}_method or SSLv23_{server|client}_method. It does
not affect TLS.

As a result, in each record, up to 15 bytes of uninitialized memory
may be sent, encrypted, to the SSL peer. This could include sensitive
contents of previously freed memory.

However, in practice, most deployments do not use
SSL_MODE_RELEASE_BUFFERS and therefore have a single write buffer per
connection. That write buffer is partially filled with non-sensitive,
handshake data at the beginning of the connection and, thereafter,
only records which are longer any any previously sent record leak any
non-encrypted data. This, combined with the small number of bytes
leaked per record, serves to limit to severity of this issue.

Thanks to Adam Langley  for identifying and fixing
this issue.

Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s.

Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)


RFC 3779 data can be included in certificates, and if it is malformed,
may trigger an assertion failure. This could be used in a
denial-of-service attack.

Note, however, that in the standard release of OpenSSL, RFC 3779
support is disabled by default, and in this case OpenSSL is not
vulnerable. Builds of OpenSSL are vulnerable if configured with 
"enable-rfc3779".

Thanks to Andrew Chi, BBN Technologies, for discovering the flaw, and
Rob Austein  for fixing it.

Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s.

SGC Restart DoS Attack (CVE-2011-4619)
==

Support for handshake restarts for server gated cryptograpy (SGC) can
be used in a denial-of-service attack.

Thanks to Adam Langley  for identifying and fixing
this issue.

Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s.

Invalid GOST parameters DoS Attack (CVE-2012-0027)
===

A malicious TLS client can send an invalid set of GOST parameters
which will cause the server to crash due to lack of error checking.
This could be used in a denial-of-service attack.

Only users of the OpenSSL GOST ENGINE are affected by this bug.

Thanks to Andrey Kulikov  for identifying and fixing
this issue.

Affected users should upgrade to OpenSSL 1.0.0f.

References
==

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120104.txt

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBTwSwVqLSm3vylcdZAQL8nwgAtNob9cIjI0SlNW1sLrlzP9bLPpNV9o6p
+sD9jIMBKsoMZcB9ANMMgcu6bMAz5Hm+7//ff35WJP9oDN4vYnw/cAzXuj8+dclm
qQLs9jR+qkyDtjh4Oiyabvjsq7uAgEp7D88pgFK+PF+0TRaH/2hyZgGNlg1JOrNR
SoFN5rVwNhIybkMhd3kNjU8cIkA2lI0vjNqmGOafZ5xTyWhViHuvN014hRyffiNS
JE4icLuQV25DidcZkvxjuiaHiJz70DZgerSOds5H8kNeoNlIevPxPzWEaZ7HMsuL
loK+hqE/nMMaL3lk29+a7k1lcqNvljt3M5dX/CVbevvV0NCV62bojA==
=56UI
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory

2011-09-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [6 September 2011]

Two security flaws have been fixed in OpenSSL 1.0.0e

CRL verification vulnerability in OpenSSL
=

Under certain circumstances OpenSSL's internal certificate verification
routines can incorrectly accept a CRL whose nextUpdate field is in the past.
(CVE-2011-3207)

This issue applies to OpenSSL versions 1.0.0 through 1.0.0d. Versions of
OpenSSL before 1.0.0 are not affected.

Users of affected versions of OpenSSL should update to the OpenSSL 1.0.0e
release, which contains a patch to correct this issue.

Thanks to Kaspar Brand  for identifying this bug and 
suggesting a fix.


TLS ephemeral ECDH crashes in OpenSSL
=

OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and
furthermore can crash if a client violates the protocol by sending handshake
messages in incorrect order. (CVE-2011-3210)

This issue applies to OpenSSL 0.9.8 through 0.9.8s (experimental "ECCdraft"
ciphersuites) and to OpenSSL 1.0.0 through 1.0.0d.

Affected users of OpenSSL should update to the OpenSSL 1.0.0e release, which
contains a patch to correct this issue. If you cannot immediately upgrade,
we recommend that you disable ephemeral ECDH ciphersuites if you have enabled
them.

Thanks to Adam Langley  for identifying and fixing this
issue.

Which applications are affected
===

Applications are only affected by the CRL checking vulnerability if they enable
OpenSSL's internal CRL checking which is off by default. For example by setting
the verification flag X509_V_FLAG_CRL_CHECK or X509_V_FLAG_CRL_CHECK_ALL.
Applications which use their own custom CRL checking (such as Apache) are not
affected.

Only server-side applications that specifically support ephemeral ECDH
ciphersuites are affected by the ephemeral ECDH crash bug and only if
ephemeral ECDH ciphersuites are enabled in the configuration. You can check
to see if application supports ephemeral ECDH ciphersuites by looking for
SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTRL_SET_TMP_ECDH,
SSL_CTX_set_tmp_ecdh_callback, SSL_set_tmp_ecdh_callback,
SSL_CTRL_SET_TMP_ECDH_CB in the source code.

References
==

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20110906.txt

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBTmYhWqLSm3vylcdZAQKsnQgAsD+GwbfpXuZyhLNcHrJjTiHgfVWQLiFq
6RupYmgfxPiCrGdSEvp6Uh3Y+bcOOoDXTXujk7T6RTRU4iYiARFkXo8bUtH47dWO
AfwOyMxiM88G9TYj69RUjKNP70j1rEATIz+m4kpnDgmmsodDNsPj56k4gptsoELc
S4Cb4+97uCBv1mkVFgvu71RVXbIwqOMt/vveHUttQQLEcdu2XcUylbMarDaOcZui
e9AjYX3LoqdhPRl2v01tuJf3c8wmNTE+GtsO8hwda6eo8Mu/BAnqtFsiFRVjmJ2M
vgj1Ot/SPQHcpDu7N3V3GY4tdY8iDHWZ5FfbyaoXvzM6guS+o4cDww==
=xfeL
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory: OCSP stapling vulnerability

2011-02-08 Thread Bodo Moeller
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [8 February 2011]

OCSP stapling vulnerability in OpenSSL
==

Incorrectly formatted ClientHello handshake messages could cause OpenSSL
to parse past the end of the message.

This issue applies to the following versions:
  1) OpenSSL 0.9.8h through 0.9.8q
  2) OpenSSL 1.0.0 through 1.0.0c

The parsing function in question is already used on arbitary data so no
additional vulnerabilities are expected to be uncovered by this.
However, an attacker may be able to cause a crash (denial of service) by
triggering invalid memory accesses.

The results of the parse are only availible to the application using
OpenSSL so do not directly cause an information leak. However, some
applications may expose the contents of parsed OCSP extensions,
specifically an OCSP nonce extension. An attacker could use this to read
the contents of memory following the ClientHello.

Users of OpenSSL should update to the OpenSSL 1.0.0d (or 0.9.8r) release,
which contains a patch to correct this issue. If upgrading is not
immediately possible, the source code patch provided in this advisory
should be applied.

Neel Mehta (Google) identified the vulnerability. Adam Langley and
Bodo Moeller (Google) prepared the fix.

Which applications are affected
- ---

Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3.

Patch
- -

- --- ssl/t1_lib.c  25 Nov 2010 12:28:28 -  1.64.2.17
+++ ssl/t1_lib.c8 Feb 2011 00:00:00 -
@@ -917,6 +917,7 @@
}
n2s(data, idsize);
dsize -= 2 + idsize;
+   size -= 2 + idsize;
if (dsize < 0)
{
*al = SSL_AD_DECODE_ERROR;
@@ -955,9 +956,14 @@
}
 
/* Read in request_extensions */
+   if (size < 2)
+   {
+   *al = SSL_AD_DECODE_ERROR;
+   return 0;
+   }
n2s(data,dsize);
size -= 2;
- - if (dsize > size) 
+   if (dsize != size)
{
*al = SSL_AD_DECODE_ERROR;
return 0;

References
- --

This vulnerability is tracked as CVE-2011-0014.

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20110208.txt

OCSP stapling is defined in RFC 2560.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQCVAgUBTVGA/qpYnaxaapuFAQJSqAQAo3zal2kp+/ZcBcdhXnn98kuDDJaUhCqz
tG+IpnKRqQsGqprz72cOsdlB6C1pzlaLt5tofkxVlXBiAtx1Vn8YeJwQIXAj2CEi
6edgg/w+ni1hBASZBbCQUGLfAmW5tsOxp1ShxCovwh/I+7eetzuSeDfIbB+NYpz7
p3xrSBAVwTY=
=zV3P
-END PGP SIGNATURE-



--
Bodo Moellerb...@openssl.org
OpenSSL Project http://www.openssl.org/
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory: OCSP stapling vulnerability

2011-02-08 Thread Bodo Moeller
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [8 February 2011]

OCSP stapling vulnerability in OpenSSL
==

Incorrectly formatted ClientHello handshake messages could cause OpenSSL
to parse past the end of the message.

This issue applies to the following versions:
  1) OpenSSL 0.9.8h through 0.9.8q
  2) OpenSSL 1.0.0 through 1.0.0c

The parsing function in question is already used on arbitary data so no
additional vulnerabilities are expected to be uncovered by this.
However, an attacker may be able to cause a crash (denial of service) by
triggering invalid memory accesses.

The results of the parse are only availible to the application using
OpenSSL so do not directly cause an information leak. However, some
applications may expose the contents of parsed OCSP extensions,
specifically an OCSP nonce extension. An attacker could use this to read
the contents of memory following the ClientHello.

Users of OpenSSL should update to the OpenSSL 1.0.0d (or 0.9.8r) release,
which contains a patch to correct this issue. If upgrading is not
immediately possible, the source code patch provided in this advisory
should be applied.

Neel Mehta (Google) identified the vulnerability. Adam Langley and
Bodo Moeller (Google) prepared the fix.

Which applications are affected
- ---

Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3.

Patch
- -

- --- ssl/t1_lib.c  25 Nov 2010 12:28:28 -  1.64.2.17
+++ ssl/t1_lib.c8 Feb 2011 00:00:00 -
@@ -917,6 +917,7 @@
}
n2s(data, idsize);
dsize -= 2 + idsize;
+   size -= 2 + idsize;
if (dsize < 0)
{
*al = SSL_AD_DECODE_ERROR;
@@ -955,9 +956,14 @@
}
 
/* Read in request_extensions */
+   if (size < 2)
+   {
+   *al = SSL_AD_DECODE_ERROR;
+   return 0;
+   }
n2s(data,dsize);
size -= 2;
- - if (dsize > size) 
+   if (dsize != size)
{
*al = SSL_AD_DECODE_ERROR;
return 0;

References
- --

This vulnerability is tracked as CVE-2011-0014.

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20110208.txt

OCSP stapling is defined in RFC 2560.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQCVAgUBTVGA/qpYnaxaapuFAQJSqAQAo3zal2kp+/ZcBcdhXnn98kuDDJaUhCqz
tG+IpnKRqQsGqprz72cOsdlB6C1pzlaLt5tofkxVlXBiAtx1Vn8YeJwQIXAj2CEi
6edgg/w+ni1hBASZBbCQUGLfAmW5tsOxp1ShxCovwh/I+7eetzuSeDfIbB+NYpz7
p3xrSBAVwTY=
=zV3P
-END PGP SIGNATURE-


-- 
Bodo Moellerb...@openssl.org
OpenSSL Project http://www.openssl.org/
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL security advisory

2010-12-02 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [2 December 2010]

OpenSSL Ciphersuite Downgrade Attack
=

A flaw has been found in the OpenSSL SSL/TLS server code where an old bug
workaround allows malicous clients to modify the stored session cache
ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one
on subsequent connections.

The OpenSSL security team would like to thank Martin Rex for reporting this
issue.

This vulnerability is tracked as CVE-2010-4180

OpenSSL JPAKE validation error
===

Sebastian Martini found an error in OpenSSL's J-PAKE implementation
which could lead to successful validation by someone with no knowledge
of the shared secret. This error is fixed in 1.0.0c. Details of the
problem can be found here:

http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf

Note that the OpenSSL Team still consider our implementation of J-PAKE
to be experimental and is not compiled by default.

This issue is tracked as CVE-2010-4252 

Who is affected?
=

All versions of OpenSSL contain the ciphersuite downgrade vulnerability.

Any OpenSSL based SSL/TLS server is vulnerable if it uses
OpenSSL's internal caching mechanisms and the
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this
by using the SSL_OP_ALL option).

Users of OpenSSL 0.9.8j or later who do not enable weak ciphersuites are
still vulnerable but the bug has no security implications as the attacker can
only change from one strong ciphersuite to another.

All users of OpenSSL's experimental J-PAKE implementation are vulnerable
to the J-PAKE validation error.

Recommendations for users of OpenSSL
=

Users of all OpenSSL 0.9.8 releases including 0.9.8p should update
to the OpenSSL 0.9.8q release which contains a patch to correct this issue.

Alternatively do not set the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
and/or SSL_OP_ALL flags.

Users of OpenSSL 1.0.0 releases should update to the OpenSSL 1.0.0c release
which contains a patch to correct this issue and also contains a corrected
version of the CVE-2010-3864 vulnerability fix.

If upgrading is not immediately possible, the relevant source code patch
provided in this advisory should be applied.

Any user of OpenSSL's J-PAKE implementaion (which is not compiled in by 
default) should upgrade to OpenSSL 1.0.0c.

Patch
=

Index: ssl/s3_clnt.c
===
RCS file: /v/openssl/cvs/openssl/ssl/s3_clnt.c,v
retrieving revision 1.129.2.16
diff -u -r1.129.2.16 s3_clnt.c
- --- ssl/s3_clnt.c 10 Oct 2010 12:33:10 -  1.129.2.16
+++ ssl/s3_clnt.c   24 Nov 2010 14:32:37 -
@@ -866,8 +866,11 @@
s->session->cipher_id = s->session->cipher->id;
if (s->hit && (s->session->cipher_id != c->id))
{
+/* Workaround is now obsolete */
+#if 0
if (!(s->options &
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
+#endif
{
al=SSL_AD_ILLEGAL_PARAMETER;

SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
Index: ssl/s3_srvr.c
===
RCS file: /v/openssl/cvs/openssl/ssl/s3_srvr.c,v
retrieving revision 1.171.2.22
diff -u -r1.171.2.22 s3_srvr.c
- --- ssl/s3_srvr.c 14 Nov 2010 13:50:29 -  1.171.2.22
+++ ssl/s3_srvr.c   24 Nov 2010 14:34:28 -
@@ -985,6 +985,10 @@
break;
}
}
+/* Disabled because it can be used in a ciphersuite downgrade
+ * attack: CVE-2010-4180.
+ */
+#if 0
if (j == 0 && (s->options & 
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
{
/* Special case as client bug workaround: the 
previously used cipher may
@@ -999,6 +1003,7 @@
j = 1;
}
}
+#endif
if (j == 0)
{
/* we need to have the cipher in the cipher



References
===

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20101202.txt

URL for updated CVS-2010-3864 Security Advisory:
http://www.openssl.org/news/secadv_20101116-2.txt


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTPfvZ6LSm3vylcdZAQI9Lwf+JT3pzOySPkeMKS+OY19d/teHObhwxeI/
z/gS303F+CUmhQhmi0ueYno6gYfmpzYG/xNA+7dLwVinOjKpwTHNqZVHtLhFgwQm
wZS+vqiPBjzakjTGz0YXrA1uPQG/1ASbVV3C0a9s7nKCsDzYiWJkzFrZiVTzkVat
Y39Z5hTBCwUxssCyJU4VSRGNF4kcHzvbuDeNJDnK0shdz+hgNx2mNb8EFgYDRqbx
ahIMGAKEtpVIn3WgeHL0r6VjG2RFaV1QLPyehAPvU/YjBnbph++PyXq

OpenSSL Security Advisory

2010-11-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [16 November 2010]

TLS extension parsing race condition.
=

A flaw has been found in the OpenSSL TLS server extension code parsing which
on affected servers can be exploited in a buffer overrun attack.

The OpenSSL security team would like to thank Rob Hulswit for reporting this
issue.

The fix was developed by Dr Stephen Henson of the OpenSSL core team.

This vulnerability is tracked as CVE-2010-3864

Who is affected?
=

All versions of OpenSSL supporting TLS extensions contain this vulnerability
including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, 1.0.0a releases.

Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses
OpenSSL's internal caching mechanism. Servers that are multi-process and/or
disable internal session caching are NOT affected.

In particular the Apache HTTP server (which never uses OpenSSL internal
caching) and Stunnel (which includes its own workaround) are NOT affected.

Recommendations for users of OpenSSL
=

Users of all OpenSSL 0.9.8 releases from 0.9.8f through 0.9.8o should update
to the OpenSSL 0.9.8p release which contains a patch to correct this issue.

Users of OpenSSL 1.0.0 and 1.0.0a should update to the OpenSSL 1.0.0b release
which contains a patch to correct this issue.

If upgrading is not immediately possible, the relevant source code patch
provided in this advisory should be applied.

Patch for OpenSSL 0.9.8 releases


Index: ssl/t1_lib.c
===
RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v
retrieving revision 1.13.2.27
diff -u -r1.13.2.27 t1_lib.c
- --- ssl/t1_lib.c  12 Jun 2010 13:18:58 -  1.13.2.27
+++ ssl/t1_lib.c15 Nov 2010 15:20:14 -
@@ -432,14 +432,23 @@
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- - if (s->session->tlsext_hostname == NULL)
+   if (!s->hit)
{
- - if (len > 
TLSEXT_MAXLEN_host_name || 
- - 
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+   if(s->session->tlsext_hostname)
+   {
+   *al = 
SSL_AD_DECODE_ERROR;
+   return 0;
+   }
+   if (len > 
TLSEXT_MAXLEN_host_name)
{
*al = 
TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+   if 
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+   {
+   *al = 
TLS1_AD_INTERNAL_ERROR;
+   return 0;
+   }

memcpy(s->session->tlsext_hostname, sdata, len);

s->session->tlsext_hostname[len]='\0';
if 
(strlen(s->session->tlsext_hostname) != len) {
@@ -452,7 +461,8 @@
 
}
else 
- - s->servername_done = 
strlen(s->session->tlsext_hostname) == len 
+   s->servername_done = 
s->session->tlsext_hostname
+   && 
strlen(s->session->tlsext_hostname) == len 
&& 
strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;

break;

Patch for OpenSSL 1.0.0 releases


Index: ssl/t1_lib.c
===
RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v
retrieving revision 1.64.2.14
diff -u -r1.64.2.14 t1_lib.c
- --- ssl/t1_lib.c  15 Jun 2010 17:25:15 -  1.64.2.14
+++ ssl/t1_lib

OpenSSL Security Advisory

2009-03-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [25-Mar-2009]

Three moderate severity security flaws have been fixed in OpenSSL 0.9.8k.

ASN1 printing crash
===

The function ASN1_STRING_print_ex() when used to print a BMPString or
UniversalString will crash with an invalid memory access if the encoded length
of the string is illegal. (CVE-2009-0590)

Any OpenSSL application which prints out the contents of a certificate could
be affected by this bug, including SSL servers, clients and S/MIME software.

Users of OpenSSL 0.9.8j or earlier should update to 0.9.8k which contains a
patch to correct this issue.

Incorrect Error Checking During CMS verification.
=

The function CMS_verify() does not correctly handle an error condition
involving malformed signed attributes. This will cause an invalid set
of signed attributes to appear valid and content digests will not be
checked. (CVE-2009-0591)

These malformed attributes cannot be generated without access to he signer's
private key so an attacker cannot forge signatures. A valid signer could
however generate an invalid signature which appears valid and later repudiate
the signature.

The older PKCS#7 code is not affected.

This issue only affects CMS users: CMS is only present in OpenSSL 0.9.8h and
later where it is disabled by default and 0.9.9-dev.

Users of OpenSSL CMS code should update to 0.9.8k which contains a patch
to correct this issue.

Thanks to Ivan Nestlerode of IBM for reporting this issue.

Invalid ASN1 clearing check
===

When a malformed ASN1 structure is received it's contents are freed up and
zeroed and an error condition returned. On a small number of platforms where
sizeof(long) < sizeof(void *) (for example WIN64) this can cause an invalid
memory access later resulting in a crash when some invalid structures are
read, for example RSA public keys (CVE-2009-0789).

Any OpenSSL application which uses the public key of an untrusted certificate
could be crashed by a malformed structure. Including SSL servers, clients,
CA and S/MIME software.

Users of OpenSSL 0.9.8j or earlier on affected platforms should update to
0.9.8k which contains a patch to correct this issue.

Thanks to Paolo Ganci for reporting this issue.

References
===

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20090325.txt

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBSconRqLSm3vylcdZAQJbiQf/U5sG7gUyWfN3P9/v4OkjSogaQmaiEv68
kQa6fCCuI3vz+fpVIV8xIrcm8n670i3OdBWzfVmJcgK1gzzAaOc+IYod/EQtB0IR
E3Y4UOdNeBvgOP3a5PxrLPaAcFDDO8eUOeZ7s+VGhlbwPb5SrJwnozzt43BIsKD0
SAX7VC7nAnq9aYdfJme16NHwinsfPPIPZNRNTMMQFOpRGPy1OPJCivuzrfOQvgE+
d68lGzHpZrFpSwhZ2izk6dOKxuWkJnBNSMDqKofp8dknwRsd9ObVvYyrLpRpe+FC
mxzFMh3EtL0TiICos89KXfAfuXwxjmPgfLCdM139y/X2yCgCdZkSKw==
=F7S6
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   majord...@openssl.org


OpenSSL Security Advisory

2009-01-07 Thread Dr. Stephen Henson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

OpenSSL Security Advisory [07-Jan-2009]

Incorrect checks for malformed signatures
===

Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a malformed signature
to be treated as a good signature rather than as an error.  This issue
affected the signature checks on DSA and ECDSA keys used with
SSL/TLS.

One way to exploit this flaw would be for a remote attacker who is in
control of a malicious server or who can use a 'man in the middle'
attack to present a malformed SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation.

This vulnerability is tracked as CVE-2008-5077.

The OpenSSL security team would like to thank the Google Security Team
for reporting this issue.

Who is affected?
=

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client
when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose
certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type
is NOT affected.

Recommendations for users of OpenSSL
=

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release
which contains a patch to correct this issue.

The patch used is also appended to this advisory for users or
distributions who wish to backport this patch to versions they build
from source.

Recommendations for projects using OpenSSL
===

Projects and products using OpenSSL should audit any use of the
routine EVP_VerifyFinal() to ensure that the return code is being
correctly handled.  As documented, this function returns 1 for a
successful verification, 0 for failure, and -1 for an error.

General recommendations


Any server that has clients using OpenSSL verifying DSA or ECDSA
certificates, regardless of the software used by the server, should
either ensure that all clients are upgraded or stop using DSA/ECDSA
certificates. Note that unless certificates are revoked (and clients
check for revocation) impersonation will still be possible until the
certificate expires.

References
===

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20090107.txt


diff -ur openssl-0.9.8i-ORIG/apps/speed.c openssl-0.9.8i/apps/speed.c
- --- openssl-0.9.8i/apps/speed.c   2007-11-15 13:33:47.0 +
+++ openssl-0.9.8i/apps/speed-new.c 2008-12-04 00:00:00.0 +
@@ -2132,7 +2132,7 @@
{
ret=RSA_verify(NID_md5_sha1, buf,36, buf2,
rsa_num, rsa_key[j]);
- - if (ret == 0)
+   if (ret <= 0)
{
BIO_printf(bio_err,
"RSA verify failure\n");
diff -ur openssl-0.9.8i-ORIG/apps/spkac.c openssl-0.9.8i/apps/spkac.c
- --- openssl-0.9.8i-ORIG/apps/spkac.c  2005-04-05 19:11:18.0 +
+++ openssl-0.9.8i/apps/spkac.c 2008-12-04 00:00:00.0 +
@@ -285,7 +285,7 @@
pkey = NETSCAPE_SPKI_get_pubkey(spki);
if(verify) {
i = NETSCAPE_SPKI_verify(spki, pkey);
- - if(i) BIO_printf(bio_err, "Signature OK\n");
+   if (i > 0) BIO_printf(bio_err, "Signature OK\n");
else {
BIO_printf(bio_err, "Signature Failure\n");
ERR_print_errors(bio_err);
diff -ur openssl-0.9.8i-ORIG/apps/verify.c openssl-0.9.8i/apps/verify.c
- --- openssl-0.9.8i-ORIG/apps/verify.c 2004-11-29 11:28:07.0 +
+++ openssl-0.9.8i/apps/verify.c2008-12-04 00:00:00.6 +
@@ -266,7 +266,7 @@
 
ret=0;
 end:
- - if (i)
+   if (i > 0)
{
fprintf(stdout,"OK\n");
ret=1;
@@ -367,4 +367,3 @@
ERR_clear_error();
return(ok);
}
- -
diff -ur openssl-0.9.8i-ORIG/apps/x509.c openssl-0.9.8i/apps/x509.c
- --- openssl-0.9.8i-ORIG/apps/x509.c   2007-10-12 00:00:10.0 +
+++ openssl-0.9.8i/apps/x509.c  2008-12-04 00:00:00.4 +
@@ -1151,7 +1151,7 @@
/* NOTE: this certificate can/should be self signed, unless it was
 * a certificate request in which case it is not. */
X509_STORE_CTX_set_cert(&xsc,x);
- - if (!reqfile && !X509_verify_cert(&xsc))
+   if (!reqfile && X509_verify_cert(&xsc) <= 0)
goto end;
 
if (!X509_check_private_key(xca,pkey))
diff -ur openssl-0.9.8i-ORIG/crypto/cms/cms_sd.c 
openssl-0.9.8i/crypto/cms/cms_s

OpenSSL Security Advisory

2007-10-19 Thread Ben Laurie
-BEGIN PGP SIGNED MESSAGE-

OpenSSL Security Advisory [12-Oct-2007]

OpenSSL Vulnerabilities
- ---

Vulnerability A
- ---

Andy Polyakov discovered a flaw in OpenSSL's DTLS implementation which
could lead to the compromise of clients and servers with DTLS enabled.

DTLS is a datagram variant of TLS specified in RFC 4347 first
supported in OpenSSL version 0.9.8. Note that the vulnerabilities do
not affect SSL and TLS so only clients and servers explicitly using
DTLS are affected.

We believe this flaw will permit remote code execution.

This vulnerability is tracked as CVE-2007-4995.

Versions Affected
- -

All releases of 0.9.8 prior to 0.9.8f.

Recommendation
- --

Either

a) Upgrade to the latest version of OpenSSL (0.9.8f) and rebuild all
packages using OpenSSL for DTLS.

or,

b) Disable DTLS.

Vulnerability B
- ---

Moritz Jodeit found an off-by-one error in SSL_get_shared_ciphers(), a
function that should normally only be used for logging or debugging.

The impact of this overflow is unclear.

This vulnerability is tracked as CVE-2007-5135.

Versions Affected
- -

All releases of 0.9.8 prior to 0.9.8f. All releases of 0.9.7 prior to
0.9.7m.

(Note that versions prior to 0.9.8d and 0.9.7l actually had a worse
problem in the same function).

Recommendation
- --

a) Don't use SSL_get_shared_ciphers().

OR

b) Upgrade to 0.9.8f.

- --
http://www.apache-ssl.org/ben.html   http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBRw9VDBsIDEUnGa81AQEgFAP+MBSAb2CYGHXe0eicqsn3CRVE3R384PoC
01odYyJIdzjXrmgUxKZ0zaKst2Ud2BbNZff1WUDj3oymjc5wbylE2tQLK7KsetRv
hpfFwKmwbiLmhYtei+CVXOQiO+inOPeS9KbDbOqE40wrD9yMShJfpJXE7OG/Mf5t
8+l8pKLYag0=
=mVOD
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-announce@openssl.org
Automated List Manager   [EMAIL PROTECTED]


OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

2003-02-20 Thread Bodo Moeller
OpenSSL Security Advisory [19 February 2003]

Timing-based attacks on SSL/TLS with CBC encryption
===

CONTENTS

 - Vulnerability
 - Source code patch [*]
 - Acknowledgement
 - References

[*] OpenSSL 0.9.6i and OpenSSL 0.9.7a do not require this patch.

The source code of OpenSSL 0.9.6i and OpenSSL 0.9.7a is available as
files openssl-0.9.6i.tar.gz and openssl-0.9.7a.tar.gz from

 ftp://ftp.openssl.org/source;type=d

(If you were previously using an OpenSSL 0.9.6* "engine" release and
cannot upgrade to OpenSSL 0.9.7a, obtain file
openssl-engine-0.9.6i.tar.gz instead.  With OpenSSL 0.9.7, the
"engine" framework has become part of the standard distribution.)

If you are using a pre-compiled OpenSSL package, please look for update
information from the respective software distributor.  The OpenSSL
group itself does not distribute OpenSSL binaries.


Vulnerability
-

In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge
Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and
demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS.

The attack assumes that multiple SSL or TLS connections involve a
common fixed plaintext block, such as a password.  An active attacker
can substitute specifically made-up ciphertext blocks for blocks sent
by legitimate SSL/TLS parties and measure the time until a response
arrives: SSL/TLS includes data authentication to ensure that such
modified ciphertext blocks will be rejected by the peer (and the
connection aborted), but the attacker may be able to use timing
observations to distinguish between two different error cases, namely
block cipher padding errors and MAC verification errors.  This is
sufficient for an adaptive attack that finally can obtain the complete
plaintext block.

OpenSSL version since 0.9.6c supposedly treat block cipher padding
errors like MAC verification errors during record decryption
(see http://www.openssl.org/~bodo/tls-cbc.txt), but MAC verification
was still skipped after detection of a padding error, which allowed
the timing attack.  (Note that it is likely that other SSL/TLS
implementations will have similar problems.)

OpenSSL 0.9.6i and 0.9.7a perform a MAC computation even if incorrrect
block cipher padding has been found to minimize information leaked via
timing.  For earlier versions starting with 0.9.6e, the enclosed
security patch can be used.


Source code patch
-

If upgrading to OpenSSL 0.9.7a (the recommended version) or to OpenSSL
0.9.6i is not immediately possible, the following patch should be
applied to the OpenSSL source code tree.  The patch is compatible
with OpenSSL 0.9.6e and later.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
--- ../openssl-0.9.6h/CHANGES   Thu Dec  5 22:40:48 2002
+++ ./CHANGES   Tue Feb 19 00:00:00 2003
@@ -1,3 +1,19 @@
+ Change from security patch  [19 Feb 2003]
+
+ (Please consider installing OpenSSL 0.9.7a or OpenSSL 0.9.6i.
+ These versions already include this change; do not try to apply
+ the patch to them!)
+
+  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
+ via timing by performing a MAC computation even if incorrrect
+ block cipher padding has been found.  This is a countermeasure
+ against active attacks where the attacker has to distinguish
+ between bad padding and a MAC verification error. (CAN-2003-0078)
+
+ [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
+ Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
+ Martin Vuagnoux (EPFL, Ilion)]
+
 
  OpenSSL CHANGES
  ___
--- ../openssl-0.9.6h/ssl/s3_pkt.c  Mon May  6 12:42:56 2002
+++ ./ssl/s3_pkt.c  Wed Feb 18 00:00:00 2003
@@ -238,6 +238,8 @@
unsigned int mac_size;
int clear=0;
size_t extra;
+   int decryption_failed_or_bad_record_mac = 0;
+   unsigned char *mac = NULL;
 
rr= &(s->s3->rrec);
sess=s->session;
@@ -353,8 +355,11 @@
/* SSLerr() and ssl3_send_alert() have been called */
goto err;
 
-   /* otherwise enc_err == -1 */
-   goto decryption_failed_or_bad_record_mac;
+   /* Otherwise enc_err == -1, which indicates bad padding
+* (rec->length has not been changed in this case).
+* To minimize information leaked via timing, we will perform
+* the MAC computation anyway. */
+   decryption_failed_or_bad_record_mac = 1;
}
 
 #ifdef TLS_DEBUG
@@ -380,28 +385,46 @@
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
 

OpenSSL Security Advisory: PRNG weakness in versions up to 0.9.6a

2001-07-11 Thread Bodo Moeller

OpenSSL Security Advisory [10 July 2001]

WEAKNESS OF THE OpenSSL PRNG IN VERSIONS UP TO OpenSSL 0.9.6a
-

CONTENTS:
 - Synopsis
 - Detailed problem description
 - Solution
 - Impact
 - Source code patch [*]
 - Acknowledgement

[*] OpenSSL 0.9.6b has been corrected and does not require this patch.

The source code of OpenSSL 0.9.6b is available as file openssl-0.9.6b.tar.gz
from ftp://ftp.openssl.org/source;type=d>.
If you were previously using the "engine" release of OpenSSL 0.9.6 or
0.9.6a, obtain file openssl-engine-0.9.6b.tar.gz instead.

MD5 checksums:
 openssl-0.9.6b.tar.gz  bd8c4d8c5bafc7a4d55d152989fdb327
 openssl-engine-0.9.6b.tar.gz   ab5ca5b157459c49bdab06a7db8a5a47

OpenSSL source code can also be obtained from a number of mirror sites.
For a list, see http://www.openssl.org/source/mirror.html>.

If you are using a pre-compiled OpenSSL package, please look for update
information from the respective software distributor.  The OpenSSL
group itself does not distribute OpenSSL binaries.


SYNOPSIS


The pseudo-random number generator (PRNG) in SSLeay/OpenSSL versions
up to 0.9.6a is weakened by a design error.  Knowing the output of
specific PRNG requests (including a number of consecutive very short
PRNG requests) would allow an attacker to determine the PRNG's
internal state and thus to predict future PRNG output.

Typical applications (including applications using OpenSSL's SSL/TLS
library) are not vulnerable to this attack because PRNG requests
usually happen in larger chunks.  However, we strongly recommend
upgrading to OpenSSL 0.9.6b, which includes a fixed PRNG.
If upgrading to 0.9.6b is not immediately possible, the source
code patch contained at the end of this advisory should be applied.



DETAILED PROBLEM DESCRIPTION


Recently a cryptographic flaw in OpenSSL's built-in pseudo-random
number generator (PRNG) was pointed out to us by Markku-Juhani
O. Saarinen <[EMAIL PROTECTED]>, who showed how
an attacker could reconstruct the PRNG's internal state from
the output of a couple of hundred 1-byte PRNG requests.  This problem
dates back to SSLeay, which OpenSSL is based on, and was found in other
SSLeay-based toolkits as well.  While a number of enhancements have
been done to the original PRNG during the development of OpenSSL, this
design error was overlooked so far.

The PRNG (implemented in source code file crypto/md_rand.c) uses a
hash function, by default SHA-1, to update its internal secret state
and to generate output.  The secret state consists of two components:
A chaining variable 'md', sized according to the hash function's
output (160 bits for SHA-1), and a large buffer 'state'.  'md' is
always replaced by a hash function output during the PRNG's operation.
'state' is accessed circularly and is used for storing additional
entropy.

When generating output bytes, OpenSSL versions up to 0.9.6a set 'md'
to the hash of one half of its previous value and some other data,
including bytes from 'state'.  The design error was that the half of
'md' input to the hash function was the same half that was also used
as PRNG output, meaning that it in general cannot be considered
secret.  Also the number of bytes used from 'state' depended on the
number of bytes requested as PRNG output and could be as small as one,
allowing for easy brute-force analysis of all possible cases.
The combination of these effects made it possible to reconstruct
the complete internal PRNG state from the output of one PRNG request
appropriately sized to gain knowledge on 'md' followed by enough
consecutive 1-byte PRNG requests to traverse all of 'state'.


SOLUTION


OpenSSL 0.9.6b changes the PRNG implementation as follows to give the
PRNG its intended strength:

1. When updating 'md' during PRNG output generation, all of the
   previous 'md' value is hashed, including the secret half.

2. Also, the number of bytes from 'state' included into the hash is
   now independent from the number of PRNG bytes requested.

The first measure alone would be sufficient to solve the problem.  The
second measure makes sure that additional data from 'state' is never
mixed in in small portions; this heuristically further strengthens the
PRNG.


IMPACT
--

It is unlikely for applications to request PRNG bytes in a pattern
allowing for the attack against the OpenSSL PRNG.  Typically,
applications will request PRNG bytes in larger chunks.
No applications is known to us which is actually vulnerable.

However, the PRNG design flaw is a significant weakness: The PRNG does
not provide the intended strength under all circumstances.  Therefore,
we strongly recommend that all users upgrade to OpenSSL 0.9.6b as soon
as possible.