|
2 | 2 | OpenSSL CHANGES |
3 | 3 | _______________ |
4 | 4 |
|
| 5 | + Changes between 1.0.2g and 1.0.2h [3 May 2016] |
| 6 | + |
| 7 | + *) Prevent padding oracle in AES-NI CBC MAC check |
| 8 | + |
| 9 | + A MITM attacker can use a padding oracle attack to decrypt traffic |
| 10 | + when the connection uses an AES CBC cipher and the server support |
| 11 | + AES-NI. |
| 12 | + |
| 13 | + This issue was introduced as part of the fix for Lucky 13 padding |
| 14 | + attack (CVE-2013-0169). The padding check was rewritten to be in |
| 15 | + constant time by making sure that always the same bytes are read and |
| 16 | + compared against either the MAC or padding bytes. But it no longer |
| 17 | + checked that there was enough data to have both the MAC and padding |
| 18 | + bytes. |
| 19 | + |
| 20 | + This issue was reported by Juraj Somorovsky using TLS-Attacker. |
| 21 | + (CVE-2016-2107) |
| 22 | + [Kurt Roeckx] |
| 23 | + |
| 24 | + *) Fix EVP_EncodeUpdate overflow |
| 25 | + |
| 26 | + An overflow can occur in the EVP_EncodeUpdate() function which is used for |
| 27 | + Base64 encoding of binary data. If an attacker is able to supply very large |
| 28 | + amounts of input data then a length check can overflow resulting in a heap |
| 29 | + corruption. |
| 30 | + |
| 31 | + Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by |
| 32 | + the PEM_write_bio* family of functions. These are mainly used within the |
| 33 | + OpenSSL command line applications, so any application which processes data |
| 34 | + from an untrusted source and outputs it as a PEM file should be considered |
| 35 | + vulnerable to this issue. User applications that call these APIs directly |
| 36 | + with large amounts of untrusted data may also be vulnerable. |
| 37 | + |
| 38 | + This issue was reported by Guido Vranken. |
| 39 | + (CVE-2016-2105) |
| 40 | + [Matt Caswell] |
| 41 | + |
| 42 | + *) Fix EVP_EncryptUpdate overflow |
| 43 | + |
| 44 | + An overflow can occur in the EVP_EncryptUpdate() function. If an attacker |
| 45 | + is able to supply very large amounts of input data after a previous call to |
| 46 | + EVP_EncryptUpdate() with a partial block then a length check can overflow |
| 47 | + resulting in a heap corruption. Following an analysis of all OpenSSL |
| 48 | + internal usage of the EVP_EncryptUpdate() function all usage is one of two |
| 49 | + forms. The first form is where the EVP_EncryptUpdate() call is known to be |
| 50 | + the first called function after an EVP_EncryptInit(), and therefore that |
| 51 | + specific call must be safe. The second form is where the length passed to |
| 52 | + EVP_EncryptUpdate() can be seen from the code to be some small value and |
| 53 | + therefore there is no possibility of an overflow. Since all instances are |
| 54 | + one of these two forms, it is believed that there can be no overflows in |
| 55 | + internal code due to this problem. It should be noted that |
| 56 | + EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. |
| 57 | + Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances |
| 58 | + of these calls have also been analysed too and it is believed there are no |
| 59 | + instances in internal usage where an overflow could occur. |
| 60 | + |
| 61 | + This issue was reported by Guido Vranken. |
| 62 | + (CVE-2016-2106) |
| 63 | + [Matt Caswell] |
| 64 | + |
| 65 | + *) Prevent ASN.1 BIO excessive memory allocation |
| 66 | + |
| 67 | + When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() |
| 68 | + a short invalid encoding can casuse allocation of large amounts of memory |
| 69 | + potentially consuming excessive resources or exhausting memory. |
| 70 | + |
| 71 | + Any application parsing untrusted data through d2i BIO functions is |
| 72 | + affected. The memory based functions such as d2i_X509() are *not* affected. |
| 73 | + Since the memory based functions are used by the TLS library, TLS |
| 74 | + applications are not affected. |
| 75 | + |
| 76 | + This issue was reported by Brian Carpenter. |
| 77 | + (CVE-2016-2109) |
| 78 | + [Stephen Henson] |
| 79 | + |
| 80 | + *) EBCDIC overread |
| 81 | + |
| 82 | + ASN1 Strings that are over 1024 bytes can cause an overread in applications |
| 83 | + using the X509_NAME_oneline() function on EBCDIC systems. This could result |
| 84 | + in arbitrary stack data being returned in the buffer. |
| 85 | + |
| 86 | + This issue was reported by Guido Vranken. |
| 87 | + (CVE-2016-2176) |
| 88 | + [Matt Caswell] |
| 89 | + |
| 90 | + *) Modify behavior of ALPN to invoke callback after SNI/servername |
| 91 | + callback, such that updates to the SSL_CTX affect ALPN. |
| 92 | + [Todd Short] |
| 93 | + |
| 94 | + *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the |
| 95 | + default. |
| 96 | + [Kurt Roeckx] |
| 97 | + |
| 98 | + *) Only remove the SSLv2 methods with the no-ssl2-method option. When the |
| 99 | + methods are enabled and ssl2 is disabled the methods return NULL. |
| 100 | + [Kurt Roeckx] |
| 101 | + |
5 | 102 | Changes between 1.0.2f and 1.0.2g [1 Mar 2016] |
6 | 103 |
|
7 | 104 | * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. |
|
0 commit comments