Re: OpenSSL Security Advisory

2020-09-09 Thread Dmitry Belyavsky
Many thanks!

On Wed, Sep 9, 2020 at 4:16 PM Mark J Cox  wrote:

> I just spotted it via twitter, https://raccoon-attack.com/
>
> Mark
>
> On Wed, Sep 9, 2020 at 2:08 PM Dmitry Belyavsky  wrote:
> >
> > Could you please let me know when it is available?
> >
> > On Wed, Sep 9, 2020 at 3:51 PM Mark J Cox  wrote:
> >>
> >> They should be releasing their paper very soon (today).
> >>
> >> Regards, Mark
> >>
> >> On Wed, Sep 9, 2020 at 1:45 PM Dmitry Belyavsky  wrote:
> >> >
> >> > Is the description of the attack publicly available?
> >> >
> >> > On Wed, Sep 9, 2020 at 3:39 PM OpenSSL  wrote:

Re: OpenSSL Security Advisory

2020-09-09 Thread Mark J Cox
I just spotted it via twitter, https://raccoon-attack.com/

Mark

On Wed, Sep 9, 2020 at 2:08 PM Dmitry Belyavsky  wrote:
>
> Could you please let me know when it is available?
>
> On Wed, Sep 9, 2020 at 3:51 PM Mark J Cox  wrote:
>>
>> They should be releasing their paper very soon (today).
>>
>> Regards, Mark
>>
>> On Wed, Sep 9, 2020 at 1:45 PM Dmitry Belyavsky  wrote:
>> >
>> > Is the description of the attack publicly available?
>> >
>> > On Wed, Sep 9, 2020 at 3:39 PM OpenSSL  wrote:

Re: OpenSSL Security Advisory

2020-09-09 Thread Dmitry Belyavsky
Could you please let me know when it is available?

On Wed, Sep 9, 2020 at 3:51 PM Mark J Cox  wrote:

> They should be releasing their paper very soon (today).
>
> Regards, Mark
>
> On Wed, Sep 9, 2020 at 1:45 PM Dmitry Belyavsky  wrote:
> >
> > Is the description of the attack publicly available?
> >
> > On Wed, Sep 9, 2020 at 3:39 PM OpenSSL  wrote:

Re: OpenSSL Security Advisory

2020-09-09 Thread Mark J Cox
They should be releasing their paper very soon (today).

Regards, Mark

On Wed, Sep 9, 2020 at 1:45 PM Dmitry Belyavsky  wrote:
>
> Is the description of the attack publicly available?
>
> On Wed, Sep 9, 2020 at 3:39 PM OpenSSL  wrote:
>
>
>
> --
> SY, Dmitry Belyavsky


Re: OpenSSL Security Advisory

2020-09-09 Thread Dmitry Belyavsky
Is the description of the attack publicly available?

On Wed, Sep 9, 2020 at 3:39 PM OpenSSL  wrote:



-- 
SY, Dmitry Belyavsky


OpenSSL Security Advisory

2020-09-09 Thread OpenSSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL Security Advisory [09 September 2020]
=============================================

Raccoon Attack (CVE-2020-1968)
==============================

Severity: Low

The Raccoon attack exploits a flaw in the TLS specification which can lead to
an attacker being able to compute the pre-master secret in connections which
have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would
result in the attacker being able to eavesdrop on all encrypted communications
sent over that TLS connection. The attack can only be exploited if an
implementation re-uses a DH secret across multiple TLS connections. Note that
this issue only impacts DH ciphersuites and not ECDH ciphersuites.

OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and
does not implement any "static" DH ciphersuites.

OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
ciphersuite is used. These static "DH" ciphersuites are ones that start with the
text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
ciphersuites all start with "TLS_DH_", excluding those that start with
"TLS_DH_anon_".

OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
explicitly configured. Therefore all ciphersuites that use DH in servers
(including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a
response to CVE-2016-0701.

Since the vulnerability lies in the TLS specification, fixing the affected
ciphersuites is not viable. For this reason 1.0.2w moves the affected
ciphersuites into the "weak-ssl-ciphers" list. Support for the
"weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause
interoperability problems in most cases since use of these ciphersuites is rare.
Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at
compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.

OpenSSL 1.0.2 is out of support and no longer receiving public updates.

Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w.  If
upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure
that affected ciphersuites are disabled through runtime configuration. Also
note that the affected ciphersuites are only available on the server side if a
DH certificate has been configured. These certificates are very rarely used and
for this reason this issue has been classified as LOW severity.

This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj
Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to
allow co-ordinated disclosure with other implementations.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of this issue on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20200909.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

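As an added illustration of the version and ciphersuite rules the advisory above lays out (example code written for this page, not OpenSSL's own), the following Python audits a server cipher list given in the layout of `openssl ciphers -v` output. The sample listing is constructed, and the column layout and the "DHE-"/"EDH-"/"ADH-" prefixes used to recognise ephemeral suites are assumptions; verify them against the build you are checking.

```python
"""Audit a cipher list for the Raccoon (CVE-2020-1968) exposure rules stated in
the OpenSSL advisory: static DH suites ("DH-..." / "TLS_DH_..." but not
"TLS_DH_anon_...") reuse the DH secret; before 1.0.2f every DH suite did
unless SSL_OP_SINGLE_DH_USE was set; 1.0.2w hides static DH behind
enable-weak-ssl-ciphers; 1.1.1 is not affected."""
import re

# Constructed sample in the layout of `openssl ciphers -v` output (not from the page).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""


def classify_suite(name):
    """'static' (the DH secret is the certificate key), 'ephemeral' (any other
    finite-field DH, anonymous DH included) or 'none' (no finite-field DH)."""
    if name.startswith("TLS_"):                      # IANA naming
        if name.startswith(("TLS_DHE_", "TLS_DH_anon_")):
            return "ephemeral"
        return "static" if name.startswith("TLS_DH_") else "none"
    if name.startswith("DH-"):                       # OpenSSL naming, per advisory
        return "static"
    # Assumed OpenSSL prefixes for ephemeral / anonymous DH suites.
    if name.startswith(("DHE-", "EDH-", "ADH-", "EXP-EDH-", "EXP-ADH-")):
        return "ephemeral"
    return "none"


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` style lines into (name, kx) pairs (assumed layout)."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+\S+\s+Kx=(\S+)", line)
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows


def parse_version(v):
    """'1.0.2e' -> (1, 0, 2, 'e'); the patch letter sorts lexically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % v)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def dh_secret_reuse_risk(version, suite, single_dh_use=False):
    """Verdict for one suite on one OpenSSL version, following the advisory text."""
    kind = classify_suite(suite)
    if kind == "none":
        return "not affected: no finite-field DH (ECDH suites are out of scope)"
    v = parse_version(version)
    if v[:3] >= (1, 1, 1):
        return "not affected: 1.1.1 never reuses a DH secret"
    if v[:3] != (1, 0, 2):
        return "unknown: advisory does not analyse this branch (e.g. 1.1.0)"
    if kind == "static":
        # Static DH reuses the certificate key by design; SSL_OP_SINGLE_DH_USE
        # does not help here, which is why 1.0.2f+ still reuses it for these suites.
        if v >= parse_version("1.0.2w"):
            return "conditional: only present if built with enable-weak-ssl-ciphers"
        return "affected: static DH reuses the DH secret; disable the suite at runtime"
    # Ephemeral / anonymous DH: a problem only before SSL_OP_SINGLE_DH_USE became default.
    if v <= parse_version("1.0.2e") and not single_dh_use:
        return "affected: DH secret reused across connections (set SSL_OP_SINGLE_DH_USE or upgrade)"
    return "not affected: SSL_OP_SINGLE_DH_USE prevents DH secret reuse"


def audit(version, ciphers_v_text, single_dh_use=False):
    """Return (name, kx, verdict) for every suite the advisory marks as affected."""
    findings = []
    for name, kx in parse_ciphers_v(ciphers_v_text):
        verdict = dh_secret_reuse_risk(version, name, single_dh_use)
        if verdict.startswith("affected"):
            findings.append((name, kx, verdict))
    return findings


if __name__ == "__main__":
    for ver in ("1.0.2e", "1.0.2u", "1.0.2w", "1.1.1"):
        print(ver, [n for n, _, _ in audit(ver, SAMPLE_CIPHERS_V)])
```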

OpenSSL Security Advisory

2020-04-21 Thread OpenSSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [21 April 2020]
=========================================

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================

Severity: High

Server or client applications that call the SSL_check_chain() function during or
after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack.

OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This
issue did not affect OpenSSL versions prior to 1.1.1d.

Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g

This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
2020. It was found using the new static analysis pass being implemented in GCC,
-fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin
Kaduk.

Note
====

This issue did not affect OpenSSL 1.0.2 however these versions are out of
support and no longer receiving public updates. Extended support is available
for premium support customers: https://www.openssl.org/support/contracts.html

This issue did not affect OpenSSL 1.1.0 however these versions are out of
support and no longer receiving updates.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20200421.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


OpenSSL Security Advisory

2019-12-06 Thread OpenSSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [6 December 2019]
===========================================

rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551)
===================================================

Severity: Low

There is an overflow bug in the x86_64 Montgomery squaring procedure used in
exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis
suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a
result of this defect would be very difficult to perform and are not believed
likely. Attacks against DH512 are considered just feasible. However, for an
attack the target would have to re-use the DH512 private key, which is not
recommended anyway. Also applications directly using the low level API
BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.

OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue. However due to the
low severity of this issue we are not creating new releases at this time. The
1.1.1 mitigation for this issue can be found in commit 419102400. The 1.0.2
mitigation for this issue can be found in commit f1c5eea8a.

This issue was found by OSS-Fuzz and Guido Vranken and reported to OpenSSL on
12th September 2019. The fix was developed by Andy Polyakov with additional
analysis by Bernd Edlinger.

Note
====

OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2
will end on 31st December 2019. Extended support is available for premium
support customers: https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates. It is unknown
whether issues in this advisory affect it.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20191206.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


OpenSSL Security Advisory

2019-09-11 Thread OpenSSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL Security Advisory [10 September 2019]
=============================================

ECDSA remote timing attack (CVE-2019-1547)
==========================================

Severity: Low

Normally in OpenSSL EC groups always have a co-factor present and this is used
in side channel resistant code paths. However, in some cases, it is possible to
construct a group using explicit parameters (instead of using a named curve). In
those cases it is possible that such a group does not have the cofactor present.
This can occur even where all the parameters match a known named curve.

If such a curve is used then OpenSSL falls back to non-side channel resistant
code paths which may result in full key recovery during an ECDSA signature
operation.

In order to be vulnerable an attacker would have to have the ability to time
the creation of a large number of signatures where explicit parameters with no
co-factor present are in use by an application using libcrypto.

For the avoidance of doubt libssl is not vulnerable because explicit parameters
are never used.

OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.

OpenSSL 1.1.1 users should upgrade to 1.1.1d
OpenSSL 1.1.0 users should upgrade to 1.1.0l
OpenSSL 1.0.2 users should upgrade to 1.0.2t

This issue was reported by Cesar Pereida García, Sohaib ul Hassan,
Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley. The
fix was developed by Billy Brumley. It was reported to OpenSSL on 5th August
2019.


Fork Protection (CVE-2019-1549)
===============================

Severity: Low

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was
intended to include protection in the event of a fork() system call in order to
ensure that the parent and child processes did not share the same RNG state.
However this protection was not being used in the default case.

A partial mitigation for this issue is that the output from a high precision
timer is mixed into the RNG state so the likelihood of a parent and child
process sharing state is significantly reduced.

If an application already calls OPENSSL_init_crypto() explicitly using
OPENSSL_INIT_ATFORK then this problem does not occur at all.

OpenSSL version 1.1.1 is affected by this issue.

OpenSSL 1.1.1 users should upgrade to 1.1.1d

This issue was reported by Matt Caswell. The fix was developed by Matthias
St. Pierre. It was reported to OpenSSL on 27th May 2019.


Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
============================================================================

Severity: Low

In situations where an attacker receives automated notification of the success
or failure of a decryption attempt an attacker, after sending a very large
number of messages to be decrypted, can recover a CMS/PKCS7 transported
encryption key or decrypt any RSA encrypted message that was encrypted with the
public RSA key, using a Bleichenbacher padding oracle attack. Applications are
not affected if they use a certificate together with the private RSA key to the
CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to
decrypt.
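
The oracle here is the usual PKCS#1 v1.5 one: a decoder that tells its caller whether the padding was valid gives an attacker who can observe success or failure the bit a Bleichenbacher attack needs. The added example below (not OpenSSL code) places such a decoder next to one that always returns a key-sized value, substituting a caller-supplied fallback when the block is malformed, with the choice folded into a mask rather than a branch; this is the same idea as OpenSSL's RSA_padding_check_PKCS1_type_2_TLS, applied here without RSA so it runs stand-alone. The block length and payloads are constructed, and Python cannot guarantee constant-time execution, so what is shown is the structure, not a timing guarantee.

```python
"""PKCS#1 v1.5 type-2 unpadding: an oracle-prone decoder beside one that
never reports padding failure to its caller.

Added example, not OpenSSL code. Block sizes and payloads are constructed;
the hardened decoder follows the idea of RSA_padding_check_PKCS1_type_2_TLS
(always return key_len bytes, real payload or fallback, without branching
on padding validity). Python is not constant-time; the structure is the point.
"""
import os


def pad_pkcs1_v15_type2(payload: bytes, block_len: int) -> bytes:
    """EM = 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || payload."""
    ps_len = block_len - len(payload) - 3
    if ps_len < 8:
        raise ValueError("payload too long for this block size")
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + payload


def unpad_leaky(em: bytes) -> bytes:
    """Reject malformed blocks with an exception: anyone who can observe
    success versus failure holds a Bleichenbacher oracle."""
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # not found, or fewer than 8 padding bytes
        raise ValueError("bad padding")
    return em[sep + 1:]


def unpad_hardened(em: bytes, key_len: int, fallback: bytes) -> bytes:
    """Always return key_len bytes: the payload when the block is valid and
    carries exactly key_len bytes, otherwise the fallback. Every check is
    accumulated into `bad` and applied through a mask, so the control flow
    does not depend on the padding; a later decryption with the fallback
    key fails, but it fails the same way a wrong key would."""
    assert len(fallback) == key_len
    bad = em[0] | (em[1] ^ 0x02)
    sep, seen = len(em), 0
    for i in range(2, len(em)):
        is_zero = int(em[i] == 0)
        take = is_zero & (1 - seen)            # first zero byte only
        sep = sep ^ ((sep ^ i) & -take)        # sep = i if take else sep
        seen |= is_zero
    bad |= 1 - seen                            # no separator found
    bad |= int(sep < 10)                       # fewer than 8 padding bytes
    bad |= int(len(em) - sep - 1 != key_len)   # wrong payload length
    candidate = (em[sep + 1:] + bytes(key_len))[:key_len]
    mask = ((bad | -bad) >> 63) & 0xFF         # 0xFF if bad else 0x00
    return bytes(c ^ ((c ^ f) & mask) for c, f in zip(candidate, fallback))
```

In the CMS setting the fallback would be a random key of the expected length generated before the padding check, so that a wrongly padded RecipientInfo decrypts to garbage instead of producing a distinguishable error.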

OpenSSL 1.1.1 users should upgrade to 1.1.1d
OpenSSL 1.1.0 users should upgrade to 1.1.0l
OpenSSL 1.0.2 users should upgrade to 1.0.2t

This issue was reported by and the fix developed by Bernd Edlinger. It was
reported to OpenSSL on 21st August 2019.


Note
====

OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2
will end on 31st December 2019.

Support for 1.1.0 ends on 11th September 2019 so 1.1.0l is expected to be the
last 1.1.0 release.

Users of these versions should upgrade to OpenSSL 1.1.1.


References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190910.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


OpenSSL Security Advisory

2019-07-30 Thread OpenSSL

OpenSSL Security Advisory [30 July 2019]
========================================

Windows builds with insecure path defaults (CVE-2019-1552)
==========================================================

Severity: Low

OpenSSL has internal defaults for a directory tree where it can find a
configuration file as well as certificates used for verification in
TLS.  This directory is most commonly referred to as OPENSSLDIR, and
is configurable with the --prefix / --openssldir configuration options.

For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets
assume that resulting programs and libraries are installed in a
Unix-like environment and the default prefix for program installation
as well as for OPENSSLDIR should be '/usr/local'.

However, mingw programs are Windows programs, and as such, find
themselves looking at sub-directories of 'C:/usr/local', which may be
world writable, which enables untrusted users to modify OpenSSL's
default configuration, insert CA certificates, modify (or even
replace) existing engine modules, etc.

For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR
on all Unix and Windows targets, including Visual C builds.  However,
some build instructions for the diverse Windows targets on 1.0.2
encourage you to specify your own --prefix.
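
The practical question for a deployed build is which OPENSSLDIR it was compiled with and whether any directory on that path can be written by everyone. The added example below (not OpenSSL code) parses the real output format of `openssl version -d`, walks the path from the root down, and lists the existing directories whose mode grants write access to others; missing components are skipped because an untrusted user may simply create them, so the nearest existing ancestor is what matters. The sample output and the mode lookup used in the usage are constructed. On Windows, os.stat does not report the ACL, so there the returned list is the set of directories to inspect with icacls rather than a verdict.

```python
"""Find the OPENSSLDIR an openssl binary uses and list world-writable
directories on that path.

Added example, not OpenSSL code. The `openssl version -d` output format is
real; sample values are constructed. POSIX mode bits are meaningful on Unix
and MSYS-style hosts; on native Windows the list is a to-inspect list.
"""
import os
import posixpath
import re
import stat
import subprocess
from typing import Callable, List


def parse_openssldir(version_d_output: str) -> str:
    """Extract the path from a line such as: OPENSSLDIR: "/usr/local/ssl"."""
    m = re.search(r'OPENSSLDIR:\s*"([^"]*)"', version_d_output)
    if not m:
        raise ValueError("no OPENSSLDIR line in output")
    return m.group(1)


def ancestors(path: str) -> List[str]:
    """Root-to-leaf list of the directories making up path."""
    out, cur = [], posixpath.normpath(path.replace("\\", "/"))
    while cur and cur not in out:
        out.append(cur)
        cur = posixpath.dirname(cur)
    return list(reversed(out))


def world_writable_dirs(path: str,
                        mode_of: Callable[[str], int] = lambda p: os.stat(p).st_mode
                        ) -> List[str]:
    """Existing directories on path whose mode grants write to 'other'.
    Components that do not exist are skipped: an untrusted user may be able
    to create them, so the writability of the nearest existing ancestor is
    what decides whether the default configuration can be planted."""
    flagged = []
    for d in ancestors(path):
        try:
            mode = mode_of(d)
        except OSError:
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            flagged.append(d)
    return flagged


def audit_installed_openssl(binary: str = "openssl") -> List[str]:
    """Run the real binary and audit the directory it reports."""
    out = subprocess.run([binary, "version", "-d"], capture_output=True,
                         text=True, check=True).stdout
    return world_writable_dirs(parse_openssldir(out))
```

For a mingw build the fix on the build side is to pass an explicit `--prefix` and `--openssldir` under a directory that only administrators can write to, so that the compiled-in default never points below a user-creatable path.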

OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.
Due to the limited scope of affected deployments this has been
assessed as low severity and therefore we are not creating new
releases at this time.

The mitigations are found in these commits:
- For 1.1.1, commit 54aa9d51b09d67e90db443f682cface795f5af9e
- For 1.1.0, commit e32bc855a81a2d48d215c506bdeb4f598045f7e9 and
  b15a19c148384e73338aa7c5b12652138e35ed28
- For 1.0.2, commit d333ebaf9c77332754a9d5e111e2f53e1de54fdd

The 1.1.1 and 1.1.0 mitigation set more appropriate defaults for
mingw, while the 1.0.2 mitigation documents the issue and provides
enhanced examples.

This issue was reported by Rich Mirth.  The fix was developed by
Richard Levitte from the OpenSSL development team.  It was reported to
OpenSSL on 9th Jun 2019.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates.
Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0
will end on 11th September 2019. Users of these versions should
upgrade to OpenSSL 1.1.1.


References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190730.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


OpenSSL Security Advisory

2019-03-06 Thread OpenSSL

OpenSSL Security Advisory [6 March 2019]
========================================

ChaCha20-Poly1305 with long nonces (CVE-2019-1543)
==================================================

Severity: Low

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every
encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96
bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce
with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a
nonce to be set of up to 16 bytes. In this case only the last 12 bytes are
significant and any additional leading bytes are ignored.

It is a requirement of using this cipher that nonce values are unique. Messages
encrypted using a reused nonce value are susceptible to serious confidentiality
and integrity attacks. If an application changes the default nonce length to be
longer than 12 bytes and then makes a change to the leading bytes of the nonce
expecting the new value to be a new unique nonce then such an application could
inadvertently encrypt messages with a reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the integrity
guarantee of this cipher. Any application that relies on the integrity of these
ignored leading bytes of a long nonce may be further affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because
no such use sets such a long nonce value. However user applications that use
this cipher directly and set a non-default nonce length to be longer than 12
bytes may be vulnerable.
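
The consequence of the long-nonce handling is easiest to see with the keystream itself. The added example below (not OpenSSL code) implements the RFC 7539 ChaCha20 block function, models the pre-fix nonce handling in effective_nonce() (left-pad short nonces with zeros, keep only the last 12 bytes of a 13 to 16 byte nonce), and then encrypts two messages under 16-byte nonces that differ only in their leading four bytes. Because the leading bytes are ignored, the keystream is reused and the XOR of the two ciphertexts equals the XOR of the two plaintexts. Poly1305 is left out since the confidentiality failure alone makes the point; the key, nonces and messages are constructed here.

```python
"""ChaCha20 (RFC 7539 block function) used to show what goes wrong when a
nonce longer than 12 bytes is accepted but only its last 12 bytes are used.

Added example, not OpenSSL code. Key, nonces and messages are constructed;
Poly1305 is omitted. effective_nonce() models the pre-fix behaviour.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v: int, c: int) -> int:
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce12: bytes) -> bytes:
    """One 64-byte keystream block for a 32-byte key and a 12-byte nonce."""
    assert len(key) == 32 and len(nonce12) == 12
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce12)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def effective_nonce(nonce: bytes) -> bytes:
    """Pre-fix handling: a short nonce is left-padded with zero bytes, and a
    nonce of 13..16 bytes keeps only its last 12 bytes; the leading bytes are
    silently ignored and were never covered by the tag either."""
    if len(nonce) > 16:
        raise ValueError("nonce longer than 16 bytes")
    return nonce[-12:] if len(nonce) > 12 else nonce.rjust(12, b"\x00")


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    n, out = effective_nonce(nonce), bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, n)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def keystream_reused(nonce_a: bytes, nonce_b: bytes) -> bool:
    """True when two nonces the caller believes distinct collapse to the same
    12 significant bytes, i.e. the same keystream under a fixed key."""
    return effective_nonce(nonce_a) == effective_nonce(nonce_b)


def leading_bytes_leak_xor_of_plaintexts() -> bool:
    """Two messages under 16-byte nonces differing only in the leading four
    bytes: the XOR of the ciphertexts equals the XOR of the plaintexts."""
    key = bytes(range(32))                                   # constructed key
    tail = bytes.fromhex("000000090000004a00000000")         # the 12 bytes that count
    nonce_a = (1).to_bytes(4, "big") + tail
    nonce_b = (2).to_bytes(4, "big") + tail
    pt_a = b"transfer 100 USD to account 42"                 # constructed messages
    pt_b = b"transfer 999 USD to account 13"
    ct_a = chacha20_xor(key, nonce_a, pt_a)
    ct_b = chacha20_xor(key, nonce_b, pt_b)
    ct_xor = bytes(x ^ y for x, y in zip(ct_a, ct_b))
    pt_xor = bytes(x ^ y for x, y in zip(pt_a, pt_b))
    return keystream_reused(nonce_a, nonce_b) and ct_xor == pt_xor
```

An application that wants to vary a counter in front of a fixed 12-byte value therefore has no safe way to do it through a longer nonce; the counter has to live inside the 12 significant bytes.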

OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited
scope of affected deployments this has been assessed as low severity and
therefore we are not creating new releases at this time. The 1.1.1 mitigation
for this issue can be found in commit f426625b6a. The 1.1.0 mitigation for this
issue can be found in commit ee22257b14.

This issue does not impact OpenSSL 1.0.2.

This issue was discovered by Joran Dirk Greef of Ronomon. The fix was developed
by Matt Caswell from the OpenSSL development team. It was reported to OpenSSL on
26th February 2019.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190306.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


OpenSSL Security Advisory

2019-02-26 Thread OpenSSL

OpenSSL Security Advisory [26 February 2019]
============================================

0-byte record padding oracle (CVE-2019-1559)
============================================

Severity: Moderate

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one) then
OpenSSL can respond differently to the calling application if a 0 byte record is
received with invalid padding compared to if a 0 byte record is received with an
invalid MAC. If the application then behaves differently based on that in a way
that is detectable to the remote peer, then this amounts to a padding oracle
that could be used to decrypt data.

In order for this to be exploitable "non-stitched" ciphersuites must be in use.
Stitched ciphersuites are optimised implementations of certain commonly used
ciphersuites. Also the application must call SSL_shutdown() twice even if a
protocol error has occurred (applications should not do this but some do
anyway).

This issue does not impact OpenSSL 1.1.1 or 1.1.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2r.

This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram,
with additional investigation by Steven Collison and Andrew Hourselt. It was
reported to OpenSSL on 10th December 2018.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190226.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


[openssl-project] OpenSSL Security Advisory

2018-11-12 Thread Matt Caswell
OpenSSL Security Advisory [12 November 2018]
============================================

Microarchitecture timing vulnerability in ECC scalar multiplication
(CVE-2018-5407)
===================================================================

Severity: Low

OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown
to be vulnerable to a microarchitecture timing side channel attack. An attacker
with sufficient access to mount local timing attacks during ECDSA signature
generation could recover the private key.

This issue does not impact OpenSSL 1.1.1 and is already fixed in the latest
version of OpenSSL 1.1.0 (1.1.0i). OpenSSL 1.0.2 is affected but due to the low
severity of this issue we are not creating a new release at this time. The 1.0.2
mitigation for this issue can be found in commit b18162a7c.

OpenSSL 1.1.0 users should upgrade to 1.1.0i.

This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri.

Note
====

OpenSSL 1.1.0 is currently only receiving security updates. Support for this
version will end on 11th September 2019. Users of this version should upgrade to
OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20181112.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

[openssl-project] OpenSSL Security Advisory

2018-04-16 Thread OpenSSL


OpenSSL Security Advisory [16 Apr 2018]
=======================================

Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
================================================================

Severity: Low

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a
cache timing side channel attack. An attacker with sufficient access to mount
cache timing attacks during the RSA key generation process could recover the
private key.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
and OpenSSL 1.0.2p when they become available. The fix is also available in
commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2) in the OpenSSL git
repository.

This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
The fix was developed by Billy Brumley.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180416.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html