OpenSSL Security Advisory

2022-06-21 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [21 June 2022] The c_rehash script allows command injection (CVE-2022-2068) Severity: Moderate In addition

OpenSSL Security Advisory

2022-05-03 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [03 May 2022] === The c_rehash script allows command injection (CVE-2022-1292) Severity: Moderate The c_rehash script

OpenSSL Security Advisory

2022-03-15 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [15 March 2022] Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778

OpenSSL Security Advisory

2022-01-28 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [28 January 2022] === BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160) Severity: Moderate

OpenSSL Security Advisory

2021-12-14 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [14 December 2021] Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044

OpenSSL Security Advisory

2021-08-24 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [24 August 2021] == SM2 Decryption Buffer Overflow (CVE-2021-3711) == Severity: High In order to decrypt SM2 encrypted data

Re: OpenSSL Security Advisory

2021-03-25 Thread Hubert Kario
On Thursday, 25 March 2021 15:03:24 CET, OpenSSL wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [25 March 2021] = NULL pointer deref in signature_algorithms processing (CVE-2021-3449

OpenSSL Security Advisory

2021-03-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [25 March 2021] = CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450) Severity: High

OpenSSL Security Advisory

2021-02-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [16 February 2021] Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841) Severity: Moderate

OpenSSL Security Advisory

2020-12-08 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [08 December 2020] EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971) == Severity: High The X.509 GeneralName type

Re: OpenSSL Security Advisory

2020-09-10 Thread Matt Caswell
On 10/09/2020 16:14, Jakob Bohm via openssl-users wrote: > On 2020-09-10 09:03, Tomas Mraz wrote: >> On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote: >>> Wouldn't a more reasonable response for 1.0.2 users have been to >>> force on >>> SSL_OP_SINGLE_DH_USE rather than

Re: OpenSSL Security Advisory

2020-09-10 Thread Jakob Bohm via openssl-users
On 2020-09-10 09:03, Tomas Mraz wrote: On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote: Wouldn't a more reasonable response for 1.0.2 users have been to force on SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected cipher suites and telling affected people to

Re: OpenSSL Security Advisory

2020-09-10 Thread Tomas Mraz
On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote: > Wouldn't a more reasonable response for 1.0.2 users have been to > force on > SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected > cipher > suites > and telling affected people to recompile with the fix off?

Re: OpenSSL Security Advisory

2020-09-09 Thread Jakob Bohm via openssl-users
On 2020-09-09 14:39, OpenSSL wrote: OpenSSL Security Advisory [09 September 2020] = Raccoon Attack (CVE-2020-1968) == Severity: Low The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker

OpenSSL Security Advisory

2020-09-09 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL Security Advisory [09 September 2020] = Raccoon Attack (CVE-2020-1968) == Severity: Low The Raccoon attack exploits a flaw in the TLS specification which can lead

Re: OpenSSL Security Advisory

2020-04-21 Thread Sam Roberts
That makes sense, thank you all.

Re: OpenSSL Security Advisory

2020-04-21 Thread Matt Caswell
machine, but with different parameters, so its a > bit hard to see if it is affected or not. > > Thanks, > Sam > > On Tue, Apr 21, 2020 at 6:26 AM OpenSSL wrote: >> > OpenSSL Security Advisory [21 April 2020] > =

Re: OpenSSL Security Advisory

2020-04-21 Thread Benjamin Kaduk via openssl-users
On Tue, Apr 21, 2020 at 12:46:43PM -0700, Sam Roberts wrote: > The announcement claims that this affects SSL_check_chain(). > > Is that an exhaustive list? If an application does NOT call that > function, does this mean the vulnerability is not exploitable? That is correct (speaking only in

Re: OpenSSL Security Advisory

2020-04-21 Thread Sam Roberts
SIGNED MESSAGE- > Hash: SHA256 > > OpenSSL Security Advisory [21 April 2020] > = > > Segmentation fault in SSL_check_chain (CVE-2020-1967) > = > > Severity: High > >

OpenSSL Security Advisory

2020-04-21 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [21 April 2020] = Segmentation fault in SSL_check_chain (CVE-2020-1967) = Severity: High Server or client applications that call

OpenSSL Security Advisory

2019-12-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [6 December 2019] === rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) === Severity: Low There is an overflow bug in the x64_64

OpenSSL Security Advisory

2019-09-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL Security Advisory [10 September 2019] = ECDSA remote timing attack (CVE-2019-1547) == Severity: Low Normally in OpenSSL EC groups always have a co-factor

Re: OpenSSL Security Advisory

2019-07-30 Thread Jakob Bohm via openssl-users
bove APIs may require their return value to be canonicalized via the GetFullPathNameW() API in corner cases, retaining the result in a global variable is advisable. On 30/07/2019 16:27, OpenSSL wrote: OpenSSL Security Advisory [30 July 2019] ===

OpenSSL Security Advisory

2019-07-30 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL Security Advisory [30 July 2019] Windows builds with insecure path defaults (CVE-2019-1552) == Severity: Low OpenSSL has internal defaults

OpenSSL Security Advisory

2019-03-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL Security Advisory [6 March 2019] ChaCha20-Poly1305 with long nonces (CVE-2019-1543) == Severity: Low ChaCha20-Poly1305 is an AEAD cipher

RE: OpenSSL Security Advisory

2019-02-27 Thread Scott Neugroschl
Thanks. -Original Message- From: openssl-users On Behalf Of Matt Caswell Sent: Wednesday, February 27, 2019 11:18 AM To: openssl-users@openssl.org Subject: Re: OpenSSL Security Advisory On 27/02/2019 18:43, Scott Neugroschl wrote: > Is this a client-side or server-side vulnerabil

Re: OpenSSL Security Advisory

2019-02-27 Thread Matt Caswell
Suite 100 |Simi Valley, CA 93063 | Phone 805 > 583-2874|Fax 805 583-0124 | > > > > > -Original Message- > From: openssl-users On Behalf Of OpenSSL > Sent: Tuesday, February 26, 2019 6:59 AM > To: openssl-proj...@openssl.org; OpenSSL User Support ML > ; Ope

RE: OpenSSL Security Advisory

2019-02-27 Thread Scott Neugroschl
On Behalf Of OpenSSL Sent: Tuesday, February 26, 2019 6:59 AM To: openssl-proj...@openssl.org; OpenSSL User Support ML ; OpenSSL Announce ML Subject: OpenSSL Security Advisory -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL Security Advisory [26 February 2019

OpenSSL Security Advisory

2019-02-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL Security Advisory [26 February 2019] 0-byte record padding oracle (CVE-2019-1559) Severity: Moderate If an application encounters a fatal protocol

[openssl-users] OpenSSL Security Advisory

2018-11-12 Thread Matt Caswell
OpenSSL Security Advisory [12 November 2018] Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) === Severity: Low OpenSSL ECC scalar

[openssl-users] OpenSSL Security Advisory

2018-06-12 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL Security Advisory [12 June 2018] Client DoS due to large DH parameter (CVE-2018-0732) Severity: Low During key agreement in a TLS handshake

[openssl-users] OpenSSL Security Advisory

2018-04-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [16 Apr 2018] Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) Severity: Low The OpenSSL RSA Key

[openssl-users] OpenSSL Security Advisory

2018-03-27 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [27 Mar 2018] Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739

[openssl-users] OpenSSL Security Advisory

2017-12-07 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [07 Dec 2017] Read/write after SSL object in error state (CVE-2017-3737) == Severity: Moderate OpenSSL 1.0.2 (starting

[openssl-users] OpenSSL Security Advisory

2017-11-02 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [02 Nov 2017] bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) == Severity: Moderate There is a carry propagating bug

[openssl-users] OpenSSL Security Advisory

2017-02-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [16 Feb 2017] Encrypt-Then-Mac renegotiation crash (CVE-2017-3733) Severity: High During a renegotiation handshake

[openssl-users] OpenSSL Security Advisory

2017-01-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [26 Jan 2017] Truncated packet could crash via OOB read (CVE-2017-3731) = Severity: Moderate If an SSL/TLS server

[openssl-users] OpenSSL Security Advisory

2016-11-10 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [10 Nov 2016] ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054) == Severity: High TLS connections using *-CHACHA20

[openssl-users] OpenSSL Security Advisory

2016-09-26 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [26 Sep 2016] This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical

[openssl-users] OpenSSL Security Advisory

2016-09-22 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [22 Sep 2016] OCSP Status Request extension unbounded memory growth (CVE-2016-6304) = Severity: High A malicious

[openssl-users] OpenSSL Security Advisory

2016-05-03 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [3rd May 2016] Memory corruption in the ASN.1 encoder (CVE-2016-2108) == Severity: High This issue affected versions of OpenSSL

[openssl-users] OpenSSL Security Advisory

2016-03-01 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [1st March 2016] = NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of SSLv2

[openssl-users] OpenSSL Security Advisory

2016-01-28 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [28th Jan 2016] = NOTE: SUPPORT FOR VERSION 1.0.1 WILL BE ENDING ON 31ST DECEMBER 2016. NO SECURITY FIXES WILL BE PROVIDED AFTER THAT DATE. UNTIL THAT TIME SECURITY FIXES ONLY

[openssl-users] Updated OpenSSL Security Advisory

2015-12-04 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015] = [Updated 4 Dec 2015]: This advisory has been updated to include the details of CVE-2015-1794, a Low severity issue affecting

[openssl-users] OpenSSL Security Advisory

2015-12-03 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [3 Dec 2015] === NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE 0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS PER PREVIOUS

Re: [openssl-users] [openssl-announce] OpenSSL Security Advisory

2015-07-12 Thread Jakob Bohm
On 10/07/2015 23:03, Jeffrey Walton wrote: During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an

Re: [openssl-users] [openssl-announce] OpenSSL Security Advisory

2015-07-12 Thread Jeffrey Walton
In fact, I thought that was the reason we all had to wait ages before this long standing shortcoming was fixed. It almost sound like you are complaining you did not have to wait ages :) It's the inconsistency of first insisting this cannot go into a patch and then pushing out a broken

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Salz, Rich
How deep does the certificate chain have to be? It does not matter. If I have 2 self-signed CA certificates, and a non-CA certificate is received for verification, will this hit the problem? Also, is it a condition of the bug that both CA certificates have to have the same subject names and

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Matt Caswell
On 10/07/15 13:09, R C Delgado wrote: Hello, With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c. How deep does the certificate chain have to be? If I have 2 self-signed CA certificates, and a non-CA certificate is received for verification, will this hit the

[openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread R C Delgado
Hello, With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c. How deep does the certificate chain have to be? If I have 2 self-signed CA certificates, and a non-CA certificate is received for verification, will this hit the problem? Also, is it a condition of the bug that

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread R C Delgado
Thank you very much. It really helps. On Fri, Jul 10, 2015 at 2:32 PM, Matt Caswell m...@openssl.org wrote: On 10/07/15 13:09, R C Delgado wrote: Hello, With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c. How deep does the certificate chain have to be? If I

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Lewis Rosenthal
On 07/10/2015 09:32 AM, Matt Caswell wrote: On 10/07/15 13:09, R C Delgado wrote: Hello, With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c. How deep does the certificate chain have to be? If I have 2 self-signed CA certificates, and a non-CA certificate is received

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread R C Delgado
Hello, One further question. Can you please confirm that the alternative certificate chain feature is enabled by default? It seems to be implied in all emails regarding this matter, and I'm assuming the Advisory email would have mentioned it otherwise. I've searched the OpenSSL code and seen

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Matt Caswell
On 10/07/15 19:34, R C Delgado wrote: Hello, One further question. Can you please confirm that the alternative certificate chain feature is enabled by default? It seems to be implied in all emails regarding this matter, and I'm assuming the Advisory email would have mentioned it

Re: [openssl-users] [openssl-announce] OpenSSL Security Advisory

2015-07-10 Thread Jeffrey Walton
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on

Re: [openssl-users] [openssl-dev] OpenSSL Security Advisory

2015-07-09 Thread Viktor Dukhovni
On Thu, Jul 09, 2015 at 01:13:30PM +, Salz, Rich wrote: This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. In other words, if you are not using those specific releases -- i.e., the ones that came out less than 30 days ago -- you do not need to upgrade. More

[openssl-users] OpenSSL Security Advisory

2015-07-09 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [9 Jul 2015] === Alternative chains certificate forgery (CVE-2015-1793) == Severity: High During certificate verification, OpenSSL

Re: [openssl-users] [openssl-dev] OpenSSL Security Advisory

2015-07-09 Thread Salz, Rich
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. In other words, if you are not using those specific releases -- i.e., the ones that came out less than 30 days ago -- you do not need to upgrade. ___ openssl-users mailing list

Re: [openssl-users] [openssl-announce] OpenSSL Security Advisory

2015-07-09 Thread Matt Caswell
On 09/07/15 22:46, Jakob Bohm wrote: On 09/07/2015 15:10, OpenSSL wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [9 Jul 2015] === Alternative chains certificate forgery (CVE-2015-1793

Re: [openssl-users] [openssl-announce] OpenSSL Security Advisory

2015-07-09 Thread Jakob Bohm
On 09/07/2015 15:10, OpenSSL wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [9 Jul 2015] === Alternative chains certificate forgery (CVE-2015-1793) == Severity: High During

[openssl-users] OpenSSL Security Advisory

2015-06-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [11 Jun 2015] === DHE man-in-the-middle protection (Logjam) A vulnerability in the TLS protocol allows a man

[openssl-users] OpenSSL Security Advisory

2015-03-19 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [19 Mar 2015] === OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) = Severity: High If a client connects to an OpenSSL 1.0.2

[openssl-users] OpenSSL Security Advisory

2015-01-08 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [08 Jan 2015] === DTLS segmentation fault in dtls1_get_record (CVE-2014-3571) === Severity: Moderate A carefully crafted DTLS

OpenSSL Security Advisory

2014-10-15 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [15 Oct 2014] === SRTP Memory Leak (CVE-2014-3513) Severity: High A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends

OpenSSL Security Advisory - CVE-2014-3508

2014-08-08 Thread Simner, John
Hi, Please can I enquire what the actual vulnerability is with... Information leak in pretty printing functions (CVE-2014-3508) = A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline,

Re: OpenSSL Security Advisory

2014-06-06 Thread Geoffrey Thorpe
: SHA256 OpenSSL Security Advisory [05 Jun 2014] Resend: first version contained characters which could cause signature failure. SSL/TLS MITM vulnerability (CVE-2014-0224) === An attacker using

Re: OpenSSL Security Advisory

2014-06-06 Thread Jakob Bohm
On 6/5/2014 11:31 PM, Green, Gatewood wrote: Openssl-0.9.8za will not build in FIPS mode. The openssl-fips-1.2(.4) seems to be missing the symbol BN_consttime_swap. By the way, the BN_consttime_swap implementation in 1.0.1g (still downloading 1.0.1h) doesn't seem to completely match its

Re: OpenSSL Security Advisory

2014-06-06 Thread Jeff Wieland
looked at 1.0.1h as yet. OpenSSL wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [05 Jun 2014] Resend: first version contained characters which could cause signature failure. SSL/TLS MITM vulnerability (CVE-2014-0224

OpenSSL Security Advisory

2014-06-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [05 Jun 2014] SSL/TLS MITM vulnerability (CVE-2014-0224) === An attacker using a carefully crafted handshake can force the use of weak

OpenSSL Security Advisory

2014-06-05 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [05 Jun 2014] Resend: first version contained characters which could cause signature failure. SSL/TLS MITM vulnerability (CVE-2014-0224

Re: OpenSSL Security Advisory

2014-06-05 Thread Jeff Wieland
as yet. OpenSSL wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [05 Jun 2014] Resend: first version contained characters which could cause signature failure. SSL/TLS MITM vulnerability (CVE-2014-0224

Re: OpenSSL Security Advisory

2014-06-05 Thread Juha Saarinen
of OpenSSL. Thanks — Juha On 5/06/2014, at 11:54 pm, OpenSSL open...@openssl.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [05 Jun 2014] Resend: first version contained characters which could cause signature

RE: OpenSSL Security Advisory

2014-06-05 Thread Green, Gatewood
: 208.206.7455 -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of OpenSSL Sent: Thursday, June 05, 2014 5:54 AM To: openssl-...@openssl.org; openssl-users@openssl.org; openssl-annou...@openssl.org Subject: OpenSSL Security Advisory

Re: OpenSSL Security Advisory

2014-04-14 Thread Steven Kneizys
Ah, of course! I was so focused on not accessing that routine and not being able to just link in the obj files that the obvious solution of using the library properly escaped me! Thanks. After a Visual Studio 2012 build in directory: E:\usr_local\src\openssl-1.0.1f_32 I then was able put that

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-14 Thread Matthias Apitz
some nice pictures how the bug works: http://www.xkcd.com/1354/ HIH matthias -- Sent from my FreeBSD netbook Matthias Apitz, g...@unixarea.de, http://www.unixarea.de/ f: +49-170-4527211 UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370) UNIX on x86 since SVR4.2

Re: OpenSSL Security Advisory

2014-04-14 Thread Tim Hudson
On 11/04/2014 12:58 AM, Viktor Dukhovni wrote: guru@hein:~/openssl-1.0.1f/apps (sleep 3 ; echo B ; sleep 3) | ./openssl s_client -connect www.openssl.org:443 If you are using s_client for testing then you should add the -msg option and see what is being sent. Responding to a correctly formed

the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Matthias Apitz
El día Wednesday, April 09, 2014 a las 01:05:22AM -0700, monloi perez escribió: True. Thanks for the quick reply. On Wednesday, April 9, 2014 3:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote: https://www.openssl.org/news/changelog.html 1.0.1 introduced the heartbeat support.

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Michael Tuexen
On 12 Apr 2014, at 17:43, Matthias Apitz g...@unixarea.de wrote: El día Wednesday, April 09, 2014 a las 01:05:22AM -0700, monloi perez escribió: True. Thanks for the quick reply. On Wednesday, April 9, 2014 3:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Matthias Apitz
El día Saturday, April 12, 2014 a las 09:08:15PM +0200, Michael Tuexen escribió: What is the exact bug, can someone show a svn/git diff of the first source version having the bug? http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1 Hi, Thanks

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Michael Tuexen
On 12 Apr 2014, at 21:30, Matthias Apitz g...@unixarea.de wrote: El día Saturday, April 12, 2014 a las 09:08:15PM +0200, Michael Tuexen escribió: What is the exact bug, can someone show a svn/git diff of the first source version having the bug?

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Matthias Apitz
El día Saturday, April 12, 2014 a las 09:30:22PM +0200, Matthias Apitz escribió: El día Saturday, April 12, 2014 a las 09:08:15PM +0200, Michael Tuexen escribió: What is the exact bug, can someone show a svn/git diff of the first source version having the bug?

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Michael Smith
On Apr 12, 2014, at 3:08 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote: I have read the rumor. It is wrong. Introduced with intent vs. known to the NSA -- two different things, right? I don't have any direct knowledge of what goes on in the NSA, but if they don't have a

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Jan Danielsson
On 12/04/14 21:30, Matthias Apitz wrote: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1 Thanks for the git diff (and the other statements). Could you please be so kind and point to the exact place of the offending statement (or missing

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Matthias Apitz
El día Saturday, April 12, 2014 a las 03:43:29PM -0400, Michael Smith escribió: On Apr 12, 2014, at 3:08 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote: I have read the rumor. It is wrong. Introduced with intent vs. known to the NSA -- two different things, right?

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Matthias Apitz
El día Saturday, April 12, 2014 a las 03:43:29PM -0400, Michael Smith escribió: On Apr 12, 2014, at 3:08 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote: I have read the rumor. It is wrong. Introduced with intent vs. known to the NSA -- two different things, right?

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Michael Tuexen
On 12 Apr 2014, at 21:43, Michael Smith m...@smithbowen.net wrote: On Apr 12, 2014, at 3:08 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote: I have read the rumor. It is wrong. Introduced with intent vs. known to the NSA -- two different things, right? My statement was

Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)

2014-04-12 Thread Michael Smith
On Apr 12, 2014, at 5:40 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote: Introduced with intent vs. known to the NSA -- two different things, right? My statement was referring to the Introduced with intend. Understood. I'm personally quite sure it *wasn't* introduced with

Re: OpenSSL Security Advisory

2014-04-11 Thread Walter H.
On 10.04.2014 13:16, Rob Stradling wrote: On 09/04/14 20:43, Salz, Rich wrote: Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end: Look at Victor's recent post about how to patch

Re: OpenSSL Security Advisory

2014-04-11 Thread Steven Kneizys
The same issue when I tried to port over to windows, the ssl3_write_bytes is not exposed in the library. There doesn't seem to be an easy workaround that I can see. Steve... On Fri, Apr 11, 2014 at 7:40 AM, Walter H. walte...@mathemainzel.infowrote: On 10.04.2014 13:16, Rob Stradling wrote:

RE: OpenSSL Security Advisory

2014-04-11 Thread JAaron Anderson
@openssl.org Subject: Re: OpenSSL Security Advisory On 10.04.2014 13:16, Rob Stradling wrote: On 09/04/14 20:43, Salz, Rich wrote: Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show

Re: OpenSSL Security Advisory

2014-04-11 Thread Leonardo Secci
In debian I solved linking directly static library. gcc -ansi -pedantic -o heartbleed heartbleed.c -lcrypto \ /usr/lib/x86_64-linux-gnu/libssl.a Regards In data venerdì 11 aprile 2014 08:38:07, Steven Kneizys ha scritto: The same issue when I tried to port over to windows, the

Re: OpenSSL Security Advisory

2014-04-11 Thread Rob Stradling
Thanks Leonardo! On 11/04/14 13:54, Leonardo Secci wrote: In debian I solved linking directly static library. gcc -ansi -pedantic -o heartbleed heartbleed.c -lcrypto \ /usr/lib/x86_64-linux-gnu/libssl.a Regards In data venerdì 11 aprile 2014 08:38:07, Steven Kneizys ha scritto: The

Re: OpenSSL Security Advisory

2014-04-11 Thread Tim Hudson
On 11/04/2014 10:38 PM, Steven Kneizys wrote: The same issue when I tried to port over to windows, the ssl3_write_bytes is not exposed in the library. There doesn't seem to be an easy workaround that I can see. The work around is trivial if you wanted to do that. Change to use the

Re: OpenSSL Security Advisory

2014-04-10 Thread Matthias Apitz
-Original Message- From: Matthias Apitz [mailto:g...@unixarea.de] Sent: Thursday, April 10, 2014 6:41 AM To: Apitz,Matthias Subject: Fwd: RE: OpenSSL Security Advisory - Forwarded message from Salz, Rich rs...@akamai.com - Date: Wed, 9 Apr 2014 15:43:28 -0400

Re: OpenSSL Security Advisory

2014-04-10 Thread Rob Stradling
On 09/04/14 20:43, Salz, Rich wrote: Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end: Look at Victor's recent post about how to patch openssl/s_client to make your own test. That's the

Re: OpenSSL Security Advisory

2014-04-10 Thread Viktor Dukhovni
On Thu, Apr 10, 2014 at 10:57:35AM +0200, Matthias Apitz wrote: I have instrumented an openssl 1.0.1f as posted by Victor: guru@hein:~/openssl-1.0.1f diff ssl/t1_lib.c.unpatched ssl/t1_lib.c 2671c2671 s2n(payload, p); --- s2n(0x4000, p); but I still see HEARTBEATING, for

Re: OpenSSL Security Advisory

2014-04-09 Thread Alan Buxey
https://www.openssl.org/news/changelog.html 1.0.1 introduced the heartbeat support. 1.0.0 and earlier are fortunate in that they didnt have it.but then they didnt have things to stop you from being BEASTed so some you win, some you lose. ;) alan

Re: OpenSSL Security Advisory

2014-04-09 Thread monloi perez
True. Thanks for the quick reply. On Wednesday, April 9, 2014 3:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote: https://www.openssl.org/news/changelog.html 1.0.1 introduced the heartbeat support. 1.0.0 and earlier are fortunate in that they didnt have it.but then they didnt have things

Re: OpenSSL Security Advisory

2014-04-09 Thread Ted Byers
: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [07 Apr 2014] TLS heartbeat read overrun (CVE-2014-0160) == A missing bounds check in the handling of the TLS heartbeat extension can

Re: OpenSSL Security Advisory

2014-04-09 Thread Ali Jawad
be appreciated. Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D. On Mon, Apr 7, 2014 at 4:31 PM, OpenSSL open...@openssl.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [07 Apr 2014] TLS heartbeat read overrun (CVE-2014

  1   2   >