From: Sona Sarmadi
To: Zhenhua Luo
Cc: meta-freescale@yoctoproject.org
Date: Wed, 28 Sep 2016 06:22:39 +0000
Subject: Re: [meta-freescale] meta-fsl-ppc in krogoth branch is using a vulnerable version of OpenSSL (openssl_1.0.1i).
Message-ID: <3230301C09DEF9499B442BBE162C5E48ABE4346C@SESTOEX04.enea.se>
References: <3230301C09DEF9499B442BBE162C5E48ABE4297B@SESTOEX04.enea.se>

> Hi Sona,
>
> Is it possible to backport the vulnerability patches for openssl_1.0.1i directly? This version is fully verified by our testing.
>
> Best Regards,
>
> Zhenhua

Hi Zhenhua,

I tried to backport some critical patches but all failed. Looking at the OpenSSL changelog you see that there are quite a few changes between 1.0.1i and the latest version 1.0.1u. There are many security fixes so I think it would be good to upgrade.

Please let me know if I can help with upgrade and regression tests in case you would consider an upgrade.
Best regards
//Sona

https://www.openssl.org/news/cl101.txt

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1u and 1.0.1v [xx XXX xxxx]

  *)

 Changes between 1.0.1t and 1.0.1u [22 Sep 2016]

  *) OCSP Status Request extension unbounded memory growth

     A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6304)
     [Matt Caswell]

  *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from HIGH to MEDIUM.

     This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan Leurent (INRIA)
     (CVE-2016-2183)
     [Rich Salz]

  *) OOB write in MDC2_Update()

     An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption.

     The amount of data needed is comparable to SIZE_MAX which is impractical on most platforms.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6303)
     [Stephen Henson]

  *) Malformed SHA512 ticket DoS

     If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a DoS attack where a malformed ticket will result in an OOB read which will ultimately crash.

     The use of SHA512 in TLS session tickets is comparatively rare as it requires a custom server callback and ticket lookup mechanism.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6302)
     [Stephen Henson]

  *) OOB write in BN_bn2dec()

     The function BN_bn2dec() does not check the return value of BN_div_word(). This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because record limits will reject an oversized certificate before it is parsed.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-2182)
     [Stephen Henson]

  *) OOB read in TS_OBJ_print_bio()

     The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is the total length the OID text representation would use and not the amount of data written. This will result in OOB reads when large OIDs are presented.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-2180)
     [Stephen Henson]

  *) Pointer arithmetic undefined behaviour

     Avoid some undefined pointer arithmetic

     A common idiom in the codebase is to check limits in the following manner:
     "p + len > limit"

     Where "p" points to some malloc'd data of SIZE bytes and
     limit == p + SIZE

     "len" here could be from some externally supplied data (e.g. from a TLS message).

     The rules of C pointer arithmetic are such that "p + len" is only well defined where len <= SIZE. Therefore the above idiom is actually undefined behaviour.

     For example this could cause problems if some malloc implementation provides an address for "p" such that "p + len" actually overflows for values of len that are too big and therefore p + len < limit.

     This issue was reported to OpenSSL by Guido Vranken
     (CVE-2016-2177)
     [Matt Caswell]

  *) Constant time flag not preserved in DSA signing

     Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

     This issue was reported by César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA).
     (CVE-2016-2178)
     [César Pereida]

  *) DTLS buffered message DoS

     In a DTLS connection where handshake messages are delivered out-of-order those messages that OpenSSL is not yet ready to process will be buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake has been completed. An attacker could force up to approx. 15 messages to remain in the buffer when they are no longer required. These messages will be cleared when the DTLS connection is closed. The default maximum size for a message is 100k. Therefore the attacker could force an additional 1500k to be consumed per connection. By opening many simultaneous connections an attacker could cause a DoS attack through memory exhaustion.

     This issue was reported to OpenSSL by Quan Luo.
     (CVE-2016-2179)
     [Matt Caswell]

  *) DTLS replay protection DoS

     A flaw in the DTLS replay attack protection mechanism means that records that arrive for future epochs update the replay protection "window" before the MAC for the record has been validated. This could be exploited by an attacker by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number. This means that all subsequent legitimate packets are dropped causing a denial of service for a specific DTLS connection.

     This issue was reported to OpenSSL by the OCAP audit team.
     (CVE-2016-2181)
     [Matt Caswell]

  *) Certificate message OOB reads

     In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms.

     The messages affected are client certificate, client certificate request and server certificate. As a result the attack can only be performed against a client or a server which enables client authentication.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6306)
     [Stephen Henson]

 Changes between 1.0.1s and 1.0.1t [3 May 2016]

  *) Prevent padding oracle in AES-NI CBC MAC check

     A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.

     This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.

     This issue was reported by Juraj Somorovsky using TLS-Attacker.
     (CVE-2016-2107)
     [Kurt Roeckx]

  *) Fix EVP_EncodeUpdate overflow

     An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption.

     Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by the PEM_write_bio* family of functions. These are mainly used within the OpenSSL command line applications, so any application which processes data from an untrusted source and outputs it as a PEM file should be considered vulnerable to this issue. User applications that call these APIs directly with large amounts of untrusted data may also be vulnerable.

     This issue was reported by Guido Vranken.
     (CVE-2016-2105)
     [Matt Caswell]

  *) Fix EVP_EncryptUpdate overflow

     An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. Following an analysis of all OpenSSL internal usage of the EVP_EncryptUpdate() function all usage is one of two forms. The first form is where the EVP_EncryptUpdate() call is known to be the first called function after an EVP_EncryptInit(), and therefore that specific call must be safe. The second form is where the length passed to EVP_EncryptUpdate() can be seen from the code to be some small value and therefore there is no possibility of an overflow. Since all instances are one of these two forms, it is believed that there can be no overflows in internal code due to this problem. It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances of these calls have also been analysed and it is believed there are no instances in internal usage where an overflow could occur.

     This issue was reported by Guido Vranken.
     (CVE-2016-2106)
     [Matt Caswell]

  *) Prevent ASN.1 BIO excessive memory allocation

     When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can cause allocation of large amounts of memory potentially consuming excessive resources or exhausting memory.

     Any application parsing untrusted data through d2i BIO functions is affected. The memory based functions such as d2i_X509() are *not* affected. Since the memory based functions are used by the TLS library, TLS applications are not affected.

     This issue was reported by Brian Carpenter.
     (CVE-2016-2109)
     [Stephen Henson]

  *) EBCDIC overread

     ASN1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. This could result in arbitrary stack data being returned in the buffer.

     This issue was reported by Guido Vranken.
     (CVE-2016-2176)
     [Matt Caswell]

  *) Modify behavior of ALPN to invoke callback after SNI/servername callback, such that updates to the SSL_CTX affect ALPN.
     [Todd Short]

  *) Remove LOW from the DEFAULT cipher list. This removes single DES from the default.
     [Kurt Roeckx]

  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the methods are enabled and ssl2 is disabled the methods return NULL.
     [Kurt Roeckx]

 Changes between 1.0.1r and 1.0.1s [1 Mar 2016]

  *) Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength ciphers.
     [Viktor Dukhovni]

  *) Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of:

         SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
     or
         SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

     as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client and server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
     (CVE-2016-0800)
     [Viktor Dukhovni]

  *) Fix a double-free in DSA code

     A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare.

     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using libFuzzer.
     (CVE-2016-0705)
     [Stephen Henson]

  *) Disable SRP fake user seed to address a server memory leak.

     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.

     SRP_VBASE_get_by_user had inconsistent memory management behaviour. In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP seed, even if the seed is configured.

     Users should use SRP_VBASE_get1_by_user instead. Note that in SRP_VBASE_get1_by_user, caller must free the returned value. Note also that even though configuring the SRP seed attempts to hide invalid usernames by continuing the handshake with fake credentials, this behaviour is not constant time and no strong guarantees are made that the handshake is indistinguishable from that of a valid user.
     (CVE-2016-0798)
     [Emilia Käsper]

  *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption

     In the BN_hex2bn function the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL leading to a subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence.

     All OpenSSL internal usage of these functions use data that is not expected to be untrusted, e.g. config file data or application command line arguments.

     If user developed applications generate config file data based on untrusted data then it is possible that this could also lead to security consequences. This is also anticipated to be rare.

     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2016-0797)
     [Matt Caswell]

  *) Fix memory issues in BIO_*printf functions

     The internal |fmtstr| function used in processing a "%s" format string in the BIO_*printf functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings.

     Additionally the internal |doapr_outch| function can attempt to write to an OOB memory location (at an offset from the NULL pointer) in the event of a memory allocation failure. In 1.0.2 and below this could be caused where the size of a buffer to be allocated is greater than INT_MAX. E.g. this could be in processing a very long "%s" format string. Memory leaks can also occur.

     The first issue may mask the second issue dependent on compiler behaviour. These problems could enable attacks where large amounts of untrusted data is passed to the BIO_*printf functions. If applications use these functions in this way then they could be vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could be vulnerable if the data is from untrusted sources. OpenSSL command line applications could also be vulnerable where they print out ASN.1 data, or if untrusted data is passed as command line arguments.

     Libssl is not considered directly vulnerable. Additionally certificates etc received via remote connections via libssl are also unlikely to be able to trigger these issues because of message size limits enforced within libssl.

     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2016-0799)
     [Matt Caswell]

  *) Side channel attack on modular exponentiation

     A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. The ability to exploit this issue is limited as it relies on an attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions.

     This issue was reported to OpenSSL by Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania with more information at http://cachebleed.info.
     (CVE-2016-0702)
     [Andy Polyakov]

  *) Change the req app to generate a 2048-bit RSA/DSA key by default, if no keysize is specified with default_bits. This fixes an omission in an earlier change that changed all RSA/DSA key generation apps to use 2048 bits by default.
     [Emilia Käsper]

 Changes between 1.0.1q and 1.0.1r [28 Jan 2016]

  *) Protection for DH small subgroup attacks

     As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been switched on by default and cannot be disabled. This could have some performance impact.
     [Matt Caswell]

  *) SSLv2 doesn't block disabled ciphers

     A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2.

     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and Sebastian Schinzel.
     (CVE-2015-3197)
     [Viktor Dukhovni]

  *) Reject DH handshakes with parameters shorter than 1024 bits.
     [Kurt Roeckx]

 Changes between 1.0.1p and 1.0.1q [3 Dec 2015]

  *) Certificate verify crash with missing PSS parameter

     The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.

     This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
     (CVE-2015-3194)
     [Stephen Henson]

  *) X509_ATTRIBUTE memory leak

     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.

     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using libFuzzer.
     (CVE-2015-3195)
     [Stephen Henson]

  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. This changes the decoding behaviour for some invalid messages, though the change is mostly in the more lenient direction, and legacy behaviour is preserved as much as possible.
     [Emilia Käsper]

  *) In DSA_generate_parameters_ex, if the provided seed is too short, use a random seed, as already documented.
     [Rich Salz and Ismo Puustinen]

 Changes between 1.0.1o and 1.0.1p [9 Jul 2015]

  *) Alternate chains certificate forgery

     During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

     This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL).
     (CVE-2015-1793)
     [Matt Caswell]

  *) Race condition handling PSK identity hint

     If PSK identity hints are received by a multi-threaded client then the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identity hint data.
     (CVE-2015-3196)
     [Stephen Henson]

 Changes between 1.0.1n and 1.0.1o [12 Jun 2015]

  *) Fix HMAC ABI incompatibility. The previous version introduced an ABI incompatibility in the handling of HMAC. The previous ABI has now been restored.

 Changes between 1.0.1m and 1.0.1n [11 Jun 2015]

  *) Malformed ECParameters causes infinite loop

     When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field.

     This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled.

     This issue was reported to OpenSSL by Joseph Barr-Pixton.
     (CVE-2015-1788)
     [Andy Polyakov]

  *) Exploitable out-of-bounds read in X509_cmp_time

     X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string.

     An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks.

     This issue was reported to OpenSSL by Robert Swiecki (Google), and independently by Hanno Böck.
     (CVE-2015-1789)
     [Emilia Käsper]

  *) PKCS7 crash with missing EnvelopedContent

     The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.

     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-1790)
     [Emilia Käsper]

  *) CMS verify infinite loop with unknown hash function

     When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.

     This issue was reported to OpenSSL by Johannes Bauer.
     (CVE-2015-1792)
     [Stephen Henson]

  *) Race condition handling NewSessionTicket

     If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.
     (CVE-2015-1791)
     [Matt Caswell]

  *) Reject DH handshakes with parameters shorter than 768 bits.
     [Kurt Roeckx and Emilia Kasper]

  *) dhparam: generate 2048-bit parameters by default.
     [Kurt Roeckx and Emilia Kasper]

 Changes between 1.0.1l and 1.0.1m [19 Mar 2015]

  *) Segmentation fault in ASN1_TYPE_cmp fix

     The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.
     (CVE-2015-0286)
     [Stephen Henson]

  *) ASN.1 structure reuse memory corruption fix

     Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare.

     Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected. Certificate parsing (d2i_X509 and related functions) are however not affected. OpenSSL clients and servers are not affected.
     (CVE-2015-0287)
     [Stephen Henson]

  *) PKCS7 NULL pointer dereferences fix

     The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.

     Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-0289)
     [Emilia Käsper]

  *) DoS via reachable assert in SSLv2 servers fix

     A malicious client can trigger an OPENSSL_assert (i.e., an abort) in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.

     This issue was discovered by Sean Burford (Google) and Emilia Käsper (OpenSSL development team).
     (CVE-2015-0293)
     [Emilia Käsper]

  *) Use After Free following d2i_ECPrivatekey error fix

     A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources. This scenario is considered rare.

     This issue was discovered by the BoringSSL project and fixed in their commit 517073cd4b.
     (CVE-2015-0209)
     [Matt Caswell]

  *) X509_to_X509_REQ NULL pointer deref fix

     The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice.

     This issue was discovered by Brian Carpenter.
     (CVE-2015-0288)
     [Stephen Henson]

  *) Removed the export ciphers from the DEFAULT ciphers
     [Kurt Roeckx]

 Changes between 1.0.1k and 1.0.1l [15 Jan 2015]

  *) Build fixes for the Windows and OpenVMS platforms
     [Matt Caswell and Richard Levitte]

 Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack. Thanks to Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]

  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion. Thanks to Chris Mueller for reporting this issue.
     (CVE-2015-0206)
     [Matt Caswell]

  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]

  *) Abort handshake if server key exchange message is omitted for ephemeral ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server. This code violated the TLS standard by allowing the use of temporary RSA keys in non-export ciphersuites and could be used by a server to effectively downgrade the RSA key length used to a value smaller than the server certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Fixed issue where DH client certificates are accepted without verification. An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue.
     (CVE-2015-0205)
     [Steve Henson]

  *) Ensure that the session ID context of an SSL is updated when its SSL_CTX is updated via SSL_set_SSL_CTX. The session ID context is typically set from the parent SSL_CTX, and can vary with the CTX.
     [Adam Langley]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a certificate the fingerprint can be changed without breaking the signature. Although no details of the signed portion of the certificate can be changed this can cause problems with some applications: e.g. those using the certificate fingerprint for blacklists.

     1. Reject signatures with non zero unused bits.

     If the BIT STRING containing the signature has non zero unused bits reject the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the certificate signature. NB: this will result in signature failure errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Reencode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program for discovering this case) and use of BER or invalid ASN.1 INTEGERs (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson of the OpenSSL core team.
     (CVE-2014-8275)
     [Steve Henson]

  *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. Thanks to Pieter Wuille (Blockstream) who reported this issue and also suggested an initial fix. Further analysis was conducted by the OpenSSL development team and Adam Langley of Google. The final fix was developed by Andy Polyakov of the OpenSSL core team.
     (CVE-2014-3570)
     [Andy Polyakov]

  *) Do not resume sessions on the server if the negotiated protocol version does not match the session's version. Resuming with a different version, while not strictly forbidden by the RFC, is of questionable sanity and breaks all known clients.
     [David Benjamin, Emilia Käsper]

  *) Tighten handling of the ChangeCipherSpec (CCS) message: reject early CCS messages during renegotiation. (Note that because renegotiation is encrypted, this early CCS was not exploitable.)
     [Emilia Käsper]

  *) Tighten client-side session ticket handling during renegotiation: ensure that the client only accepts a session ticket if the server sends the extension anew in the ServerHello. Previously, a TLS client would reuse the old extension state and thus accept a session ticket if one was announced in the initial ServerHello.

     Similarly, ensure that the client requires a session ticket if one was advertised in the ServerHello. Previously, a TLS client would ignore a missing NewSessionTicket message.
     [Emilia Käsper]

 Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

  *) SRTP Memory Leak.

     A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected.

     The fix was developed by the OpenSSL team.
     (CVE-2014-3513)
     [OpenSSL team]

  *) Session Ticket Memory Leak.

     When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.
     (CVE-2014-3567)
     [Steve Henson]

  *) Build option no-ssl3 is incomplete.

     When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.
     (CVE-2014-3568)
     [Akamai and the OpenSSL team]

  *) Add support for TLS_FALLBACK_SCSV.

     Client applications doing fallback retries should call SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
     (CVE-2014-3566)
     [Adam Langley, Bodo Moeller]

  *) Add additional DigestInfo checks.

     Reencode DigestInfo in DER and check against the original when verifying RSA signature: this will reject any improperly encoded DigestInfo structures.
Note: this is a precautionary measure and no attacks are currently kno= wn. [Steve Henson] Summary: (CVE-2016-6304) (CVE-2016-2183) (CVE-2016-6303) (CVE-2016-6302) (CVE-2016-2182) (CVE-2016-2180) (CVE-2016-2177) (CVE-2016-2178) (CVE-2016-2179) (CVE-2016-2181) (CVE-2016-6306) This issue was introduced as part of the fix for Lucky 13 padding atta= ck (CVE-2013-0169). (CVE-2016-2107) (CVE-2016-2105) (CVE-2016-2106) (CVE-2016-2109) (CVE-2016-2176) (CVE-2016-0800) (CVE-2016-0705) (CVE-2016-0798) (CVE-2016-0797) (CVE-2016-0799) (CVE-2016-0702) (CVE-2015-3197) (CVE-2015-3194) (CVE-2015-3195) (CVE-2015-1793) (CVE-2015-3196) (CVE-2015-1788) (CVE-2015-1789) (CVE-2015-1790) (CVE-2015-1792) (CVE-2015-1791) (CVE-2015-0286) (CVE-2015-0287) (CVE-2015-0289) (CVE-2015-0293) (CVE-2015-0209) (CVE-2015-0288) (CVE-2014-3571) (CVE-2015-0206) (CVE-2014-3569) (CVE-2014-3572) (CVE-2015-0204) (CVE-2015-0205) (CVE-2014-8275) (CVE-2014-3570) (CVE-2014-3513) (CVE-2014-3567) (CVE-2014-3568) (CVE-2014-3566) From: Zhenhua Luo [mailto:zhenhua.luo@nxp.com] Sent: den 27 september 2016 12:10 To: Sona Sarmadi Cc: meta-freescale@yoctoproject.org Subject: RE: [meta-freescale] meta-fsl-ppc in krogoth branch is using a vul= nerable version of OpenSSL (openssl_1.0.1i). Hi Sona, Is it possible to backport the vulnerability patches for openssl_1.0.1i dir= ectly? This version is fully verified by our testing. Best Regards, Zhenhua From: meta-freescale-bounces@yoctoproject.org [mailto:meta-freescale-bounces@yoctoproject.org] On Beha= lf Of Sona Sarmadi Sent: Tuesday, September 27, 2016 2:10 PM To: meta-freescale@yoctoproject.org Subject: [meta-freescale] meta-fsl-ppc in krogoth branch is using a vulnera= ble version of OpenSSL (openssl_1.0.1i). Hi guys meta-fsl-ppc/recipes-connectivity/openssl in krogoth is using a vulnerable = version of OpenSSL (openssl_1.0.1i). 
OpenSSL recommends 1.0.1 users to upgrade to 1.0.1u version:
https://www.openssl.org/news/secadv/20160922.txt

Can we upgrade openssl version or do you prefer to keep this version? In this case I can try to backport individual patches if possible.

Regards
//Sona
---------------------------------------
Sona Sarmadi
Security Responsible for Enea Linux/
GPG Fingerprint: 444F A5E9 CDC6 4620 85C7 2CA9 60FF AF33 15BD 5928
Enea Software AB
Jan Stenbecks Torg 17
P.O Box 1033
SE-164 26 Kista, Sweden
Phone +46 70 971 4475
www.enea.com

This message, including attachments, is CONFIDENTIAL. It may also be privileged or otherwise protected by law. If you received this email by mistake please let us know by reply and then delete it from your system; you should not copy it or disclose its contents to anyone. All messages sent to and from Enea may be monitored to ensure compliance with internal policies and to protect our business. Emails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission. Anyone who communicates with us by email accepts these risks.
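The "Summary" list of CVE identifiers in this message is, in effect, the answer to the question the thread asks: which upstream fixes has a recipe pinned at openssl_1.0.1i not received? The following is an added example (my own code, not part of the original mail and not OpenSSL's) that derives such a list from the CHANGES file format quoted in the message. It parses the "Changes between X and Y [date]" headings and the "*)" entries, credits a CVE to an entry only when the id stands on an attribution line of its own, and returns every CVE fixed in a release newer than the pinned version. SAMPLE_CHANGES is constructed for the example: a handful of entries from the quoted changelog with their text abbreviated, plus one entry for the 1.0.1h to 1.0.1i release (CVE-2014-3512, the SRP buffer overrun fixed in 1.0.1i) that does not appear on this page and is there only to exercise the already-fixed case.

```python
"""Which CVE fixes is a pinned OpenSSL release missing? Parsed from CHANGES text.
Added example for this thread, not code from the post or from OpenSSL.
"""
import re
from collections import OrderedDict

HEADING_RE = re.compile(r"^\s*Changes between (\S+) and (\S+) \[([^\]]*)\]")
# Entries start at a small indent with "*)"; the 1.0.1s section has entries with
# a bare "*", so ")" is optional. Continuation lines (5-space indent) never match.
ENTRY_RE = re.compile(r"^ {0,3}\*\)?\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# A CVE is credited to an entry only on an attribution line of its own, e.g.
# "(CVE-2016-2107)". Ids in running text, like the Lucky 13 reference
# "(CVE-2013-0169)" inside that entry, are cross-references, not fixes.
CVE_LINE_RE = re.compile(
    r"^\s*\(\s*CVE-\d{4}-\d{4,}(?:\s*,\s*CVE-\d{4}-\d{4,})*\s*\)\s*$")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

# Constructed sample: entries from the quoted changelog, text abbreviated, plus
# one 1.0.1i entry (CVE-2014-3512, the SRP buffer overrun fixed in 1.0.1i) that
# is not on this page and only exercises the "already fixed" case.
SAMPLE_CHANGES = """\
 Changes between 1.0.1t and 1.0.1u [22 Sep 2016]

  *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
     HIGH to MEDIUM.
     (CVE-2016-2183)
     [Rich Salz]

 Changes between 1.0.1s and 1.0.1t [3 May 2016]

  *) Prevent padding oracle in AES-NI CBC MAC check
     This issue was introduced as part of the fix for Lucky 13 padding
     attack (CVE-2013-0169). (Entry text abbreviated.)
     (CVE-2016-2107)
     [Kurt Roeckx]

 Changes between 1.0.1r and 1.0.1s [1 Mar 2016]

  * Disable SSLv2 default build, default negotiation and weak ciphers.
    (Entry text abbreviated; this entry uses "*" without ")".)
    (CVE-2016-0800)
    [Viktor Dukhovni]

 Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

  *) SRTP Memory Leak. (Entry text abbreviated.)
     (CVE-2014-3513)
     [OpenSSL team]

 Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

  *) Fix SRP buffer overrun. (Constructed entry, see comment above.)
     (CVE-2014-3512)
"""


def version_key(version):
    """Sort key for OpenSSL 1.0.x versions: 1.0.1i < 1.0.1u < 1.0.2 < 1.0.2a."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % (version,))
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def parse_changes(text):
    """Return [{'version', 'date', 'entries': [{'title', 'cves'}]}], file order."""
    releases, release = [], None
    for line in text.splitlines():
        heading = HEADING_RE.match(line)
        entry = ENTRY_RE.match(line)
        if heading:
            release = {"version": heading.group(2), "date": heading.group(3),
                       "entries": []}
            releases.append(release)
        elif release is None:
            continue  # preamble before the first heading
        elif entry:
            release["entries"].append({"title": entry.group(1).strip(),
                                       "cves": []})
        elif release["entries"] and CVE_LINE_RE.match(line):
            release["entries"][-1]["cves"].extend(CVE_RE.findall(line))
    return releases


def cves_fixed_after(text, pinned):
    """Map CVE -> first release newer than `pinned` whose entry lists it."""
    pinned_key = version_key(pinned)
    fixed = OrderedDict()
    # CHANGES is newest-first; walk oldest-first so the earliest fixing
    # release wins should an id ever be repeated.
    for release in reversed(parse_changes(text)):
        if version_key(release["version"]) <= pinned_key:
            continue
        for entry in release["entries"]:
            for cve in entry["cves"]:
                fixed.setdefault(cve, release["version"])
    return fixed
```

`cves_fixed_after(SAMPLE_CHANGES, "1.0.1i")` yields CVE-2014-3513 (1.0.1j), CVE-2016-0800 (1.0.1s), CVE-2016-2107 (1.0.1t) and CVE-2016-2183 (1.0.1u); CVE-2014-3512 is excluded because 1.0.1i already has it, and CVE-2013-0169 is excluded because it only appears in running text. A plain grep for "CVE" credits that Lucky 13 id to 1.0.1t, which is how it ended up in the Summary above. The full https://www.openssl.org/news/cl101.txt parses the same way. The output only says what upstream fixed after the pinned version; whether a recipe has already backported any of those fixes has to be checked against the patches it carries, which is the question Zhenhua raised.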


https://www.openssl.org/news/cl101.txt

OpenSSL CHANGES
_______________

Changes between 1.0.1u and 1.0.1v [xx XXX xxxx]

  *)

Changes between 1.0.1t and 1.0.1u [22 Sep 2016]

  *) OCSP Status Request extension unbounded memory growth

     A malicious client can send an excessively large OCSP Status Request
     extension. If that client continually requests renegotiation, sending a
     large OCSP Status Request extension each time, then there will be unbounded
     memory growth on the server. This will eventually lead to a Denial Of
     Service attack through memory exhaustion. Servers with a default
     configuration are vulnerable even if they do not support OCSP. Builds using
     the "no-ocsp" build time option are not affected.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6304)
     [Matt Caswell]

  *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
     HIGH to MEDIUM.

     This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
     Leurent (INRIA)
     (CVE-2016-2183)
     [Rich Salz]

  *) OOB write in MDC2_Update()

     An overflow can occur in MDC2_Update() either if called directly or
     through the EVP_DigestUpdate() function using MDC2. If an attacker
     is able to supply very large amounts of input data after a previous
     call to EVP_EncryptUpdate() with a partial block then a length check
     can overflow resulting in a heap corruption.

     The amount of data needed is comparable to SIZE_MAX which is impractical
     on most platforms.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6303)
     [Stephen Henson]

  *) Malformed SHA512 ticket DoS

     If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
     DoS attack where a malformed ticket will result in an OOB read which will
     ultimately crash.

     The use of SHA512 in TLS session tickets is comparatively rare as it requires
     a custom server callback and ticket lookup mechanism.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6302)
     [Stephen Henson]

  *) OOB write in BN_bn2dec()

     The function BN_bn2dec() does not check the return value of BN_div_word().
     This can cause an OOB write if an application uses this function with an
     overly large BIGNUM. This could be a problem if an overly large certificate
     or CRL is printed out from an untrusted source. TLS is not affected because
     record limits will reject an oversized certificate before it is parsed.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-2182)
     [Stephen Henson]

  *) OOB read in TS_OBJ_print_bio()

     The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
     the total length the OID text representation would use and not the amount
     of data written. This will result in OOB reads when large OIDs are
     presented.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-2180)
     [Stephen Henson]

  *) Pointer arithmetic undefined behaviour

     Avoid some undefined pointer arithmetic

     A common idiom in the codebase is to check limits in the following manner:
     "p + len > limit"

     Where "p" points to some malloc'd data of SIZE bytes and
     limit == p + SIZE

     "len" here could be from some externally supplied data (e.g. from a TLS
     message).

     The rules of C pointer arithmetic are such that "p + len" is only well
     defined where len <= SIZE. Therefore the above idiom is actually
     undefined behaviour.

     For example this could cause problems if some malloc implementation
     provides an address for "p" such that "p + len" actually overflows for
     values of len that are too big and therefore p + len < limit.

     This issue was reported to OpenSSL by Guido Vranken
     (CVE-2016-2177)
     [Matt Caswell]

  *) Constant time flag not preserved in DSA signing

     Operations in the DSA signing algorithm should run in constant time in
     order to avoid side channel attacks. A flaw in the OpenSSL DSA
     implementation means that a non-constant time codepath is followed for
     certain operations. This has been demonstrated through a cache-timing
     attack to be sufficient for an attacker to recover the private DSA key.

     This issue was reported by César Pereida (Aalto University), Billy Brumley
     (Tampere University of Technology), and Yuval Yarom (The University of
     Adelaide and NICTA).
     (CVE-2016-2178)
     [César Pereida]

  *) DTLS buffered message DoS

     In a DTLS connection where handshake messages are delivered out-of-order
     those messages that OpenSSL is not yet ready to process will be buffered
     for later use. Under certain circumstances, a flaw in the logic means that
     those messages do not get removed from the buffer even though the handshake
     has been completed. An attacker could force up to approx. 15 messages to
     remain in the buffer when they are no longer required. These messages will
     be cleared when the DTLS connection is closed. The default maximum size for
     a message is 100k. Therefore the attacker could force an additional 1500k
     to be consumed per connection. By opening many simultaneous connections an
     attacker could cause a DoS attack through memory exhaustion.

     This issue was reported to OpenSSL by Quan Luo.
     (CVE-2016-2179)
     [Matt Caswell]

  *) DTLS replay protection DoS

     A flaw in the DTLS replay attack protection mechanism means that records
     that arrive for future epochs update the replay protection "window" before
     the MAC for the record has been validated. This could be exploited by an
     attacker by sending a record for the next epoch (which does not have to
     decrypt or have a valid MAC), with a very large sequence number. This means
     that all subsequent legitimate packets are dropped causing a denial of
     service for a specific DTLS connection.

     This issue was reported to OpenSSL by the OCAP audit team.
     (CVE-2016-2181)
     [Matt Caswell]

  *) Certificate message OOB reads

     In OpenSSL 1.0.2 and earlier some missing message length checks can result
     in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
     theoretical DoS risk but this has not been observed in practice on common
     platforms.

     The messages affected are client certificate, client certificate request
     and server certificate. As a result the attack can only be performed
     against a client or a server which enables client authentication.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6306)
     [Stephen Henson]

Changes between 1.0.1s and 1.0.1t [3 May 2016]

  *) Prevent padding oracle in AES-NI CBC MAC check

     A MITM attacker can use a padding oracle attack to decrypt traffic
     when the connection uses an AES CBC cipher and the server supports
     AES-NI.

     This issue was introduced as part of the fix for Lucky 13 padding
     attack (CVE-2013-0169). The padding check was rewritten to be in
     constant time by making sure that always the same bytes are read and
     compared against either the MAC or padding bytes. But it no longer
     checked that there was enough data to have both the MAC and padding
     bytes.

     This issue was reported by Juraj Somorovsky using TLS-Attacker.
     (CVE-2016-2107)
     [Kurt Roeckx]

  *) Fix EVP_EncodeUpdate overflow

     An overflow can occur in the EVP_EncodeUpdate() function which is used for
     Base64 encoding of binary data. If an attacker is able to supply very large
     amounts of input data then a length check can overflow resulting in a heap
     corruption.

     Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
     the PEM_write_bio* family of functions. These are mainly used within the
     OpenSSL command line applications, so any application which processes data
     from an untrusted source and outputs it as a PEM file should be considered
     vulnerable to this issue. User applications that call these APIs directly
     with large amounts of untrusted data may also be vulnerable.

     This issue was reported by Guido Vranken.
     (CVE-2016-2105)
     [Matt Caswell]

  *) Fix EVP_EncryptUpdate overflow

     An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
     is able to supply very large amounts of input data after a previous call to
     EVP_EncryptUpdate() with a partial block then a length check can overflow
     resulting in a heap corruption. Following an analysis of all OpenSSL
     internal usage of the EVP_EncryptUpdate() function all usage is one of two
     forms. The first form is where the EVP_EncryptUpdate() call is known to be
     the first called function after an EVP_EncryptInit(), and therefore that
     specific call must be safe. The second form is where the length passed to
     EVP_EncryptUpdate() can be seen from the code to be some small value and
     therefore there is no possibility of an overflow. Since all instances are
     one of these two forms, it is believed that there can be no overflows in
     internal code due to this problem. It should be noted that
     EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
     Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
     of these calls have also been analysed and it is believed there are no
     instances in internal usage where an overflow could occur.

     This issue was reported by Guido Vranken.
     (CVE-2016-2106)
     [Matt Caswell]

  *) Prevent ASN.1 BIO excessive memory allocation

     When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
     a short invalid encoding can cause allocation of large amounts of memory
     potentially consuming excessive resources or exhausting memory.

     Any application parsing untrusted data through d2i BIO functions is
     affected. The memory based functions such as d2i_X509() are *not* affected.
     Since the memory based functions are used by the TLS library, TLS
     applications are not affected.

     This issue was reported by Brian Carpenter.
     (CVE-2016-2109)
     [Stephen Henson]

  *) EBCDIC overread

     ASN1 Strings that are over 1024 bytes can cause an overread in applications
     using the X509_NAME_oneline() function on EBCDIC systems. This could result
     in arbitrary stack data being returned in the buffer.

     This issue was reported by Guido Vranken.
     (CVE-2016-2176)
     [Matt Caswell]

  *) Modify behavior of ALPN to invoke callback after SNI/servername
     callback, such that updates to the SSL_CTX affect ALPN.
     [Todd Short]

  *) Remove LOW from the DEFAULT cipher list.  This removes single DES from the
     default.
     [Kurt Roeckx]

  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
     methods are enabled and ssl2 is disabled the methods return NULL.
     [Kurt Roeckx]

Changes between 1.0.1r and 1.0.1s [1 Mar 2016]

  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
    Builds that are not configured with "enable-weak-ssl-ciphers" will not
    provide any "EXPORT" or "LOW" strength ciphers.
    [Viktor Dukhovni]

  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
    is by default disabled at build-time.  Builds that are not configured with
    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
    will need to explicitly call either of:

        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
    or
        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

    as appropriate.  Even if either of those is used, or the application
    explicitly uses the version-specific SSLv2_method() or its client and
    server variants, SSLv2 ciphers vulnerable to exhaustive search key
    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
    ciphers, and SSLv2 56-bit DES are no longer available.
    (CVE-2016-0800)
    [Viktor Dukhovni]

  *) Fix a double-free in DSA code

     A double free bug was discovered when OpenSSL parses malformed DSA private
     keys and could lead to a DoS attack or memory corruption for applications
     that receive DSA private keys from untrusted sources.  This scenario is
     considered rare.

     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
     libFuzzer.
     (CVE-2016-0705)
     [Stephen Henson]

  *) Disable SRP fake user seed to address a server memory leak.

     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.

     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
     In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
     was changed to ignore the "fake user" SRP seed, even if the seed
     is configured.

     Users should use SRP_VBASE_get1_by_user instead. Note that in
     SRP_VBASE_get1_by_user, caller must free the returned value. Note
     also that even though configuring the SRP seed attempts to hide
     invalid usernames by continuing the handshake with fake
     credentials, this behaviour is not constant time and no strong
     guarantees are made that the handshake is indistinguishable from
     that of a valid user.
     (CVE-2016-0798)
     [Emilia Käsper]

  *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption

     In the BN_hex2bn function the number of hex digits is calculated using an
     int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
     large values of |i| this can result in |bn_expand| not allocating any
     memory because |i * 4| is negative. This can leave the internal BIGNUM data
     field as NULL leading to a subsequent NULL ptr deref. For very large values
     of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
     In this case memory is allocated to the internal BIGNUM data field, but it
     is insufficiently sized leading to heap corruption. A similar issue exists
     in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
     is ever called by user applications with very large untrusted hex/dec data.
     This is anticipated to be a rare occurrence.

     All OpenSSL internal usage of these functions use data that is not expected
     to be untrusted, e.g. config file data or application command line
     arguments. If user developed applications generate config file data based
     on untrusted data then it is possible that this could also lead to security
     consequences. This is also anticipated to be rare.

     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2016-0797)
     [Matt Caswell]

  *) Fix memory issues in BIO_*printf functions

     The internal |fmtstr| function used in processing a "%s" format string in
     the BIO_*printf functions could overflow while calculating the length of a
     string and cause an OOB read when printing very long strings.

     Additionally the internal |doapr_outch| function can attempt to write to an
     OOB memory location (at an offset from the NULL pointer) in the event of a
     memory allocation failure. In 1.0.2 and below this could be caused where
     the size of a buffer to be allocated is greater than INT_MAX. E.g. this
     could be in processing a very long "%s" format string. Memory leaks can
     also occur.

     The first issue may mask the second issue dependent on compiler behaviour.
     These problems could enable attacks where large amounts of untrusted data
     is passed to the BIO_*printf functions. If applications use these functions
     in this way then they could be vulnerable. OpenSSL itself uses these
     functions when printing out human-readable dumps of ASN.1 data. Therefore
     applications that print this data could be vulnerable if the data is from
     untrusted sources. OpenSSL command line applications could also be
     vulnerable where they print out ASN.1 data, or if untrusted data is passed
     as command line arguments.

     Libssl is not considered directly vulnerable. Additionally certificates etc
     received via remote connections via libssl are also unlikely to be able to
     trigger these issues because of message size limits enforced within libssl.

     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2016-0799)
     [Matt Caswell]

  *) Side channel attack on modular exponentiation

     A side-channel attack was found which makes use of cache-bank conflicts on
     the Intel Sandy-Bridge microarchitecture which could lead to the recovery
     of RSA keys.  The ability to exploit this issue is limited as it relies on
     an attacker who has control of code in a thread running on the same
     hyper-threaded core as the victim thread which is performing decryptions.

     This issue was reported to OpenSSL by Yuval Yarom, The University of
     Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
     Nadia Heninger, University of Pennsylvania with more information at
     http://cachebleed.info.
     (CVE-2016-0702)
     [Andy Polyakov]

  *) Change the req app to generate a 2048-bit RSA/DSA key by default,
     if no keysize is specified with default_bits. This fixes an
     omission in an earlier change that changed all RSA/DSA key generation
     apps to use 2048 bits by default.
     [Emilia Käsper]

Changes between 1.0.1q and 1.0.1r [28 Jan 2016]

  *) Protection for DH small subgroup attacks

     As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
     switched on by default and cannot be disabled. This could have some
     performance impact.
     [Matt Caswell]

  *) SSLv2 doesn't block disabled ciphers

     A malicious client can negotiate SSLv2 ciphers that have been disabled on
     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
     been disabled, provided that the SSL2 protocol was not also disabled via
     SSL_OP_NO_SSLv2.

     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
     and Sebastian Schinzel.
     (CVE-2015-3197)
     [Viktor Dukhovni]

  *) Reject DH handshakes with parameters shorter than 1024 bits.
     [Kurt Roeckx]

Changes between 1.0.1p and 1.0.1q [3 Dec 2015]

  *) Certificate verify crash with missing PSS parameter

     The signature verification routines will crash with a NULL pointer
     dereference if presented with an ASN.1 signature using the RSA PSS
     algorithm and absent mask generation function parameter. Since these
     routines are used to verify certificate signature algorithms this can be
     used to crash any certificate verification operation and exploited in a
     DoS attack. Any application which performs certificate verification is
     vulnerable including OpenSSL clients and servers which enable client
     authentication.

     This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
     (CVE-2015-3194)
     [Stephen Henson]

  *) X509_ATTRIBUTE memory leak

     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
     memory. This structure is used by the PKCS#7 and CMS routines so any
     application which reads PKCS#7 or CMS data from untrusted sources is
     affected. SSL/TLS is not affected.

     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
     libFuzzer.
     (CVE-2015-3195)
     [Stephen Henson]

  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
     This changes the decoding behaviour for some invalid messages,
     though the change is mostly in the more lenient direction, and
     legacy behaviour is preserved as much as possible.
     [Emilia Käsper]

  *) In DSA_generate_parameters_ex, if the provided seed is too short,
     use a random seed, as already documented.
     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]

Changes between 1.0.1o and 1.0.1p [9 Jul 2015]

  *) Alternate chains certificate forgery

     During certificate verification, OpenSSL will attempt to find an
     alternative certificate chain if the first attempt to build such a chain
     fails. An error in the implementation of this logic can mean that an
     attacker could cause certain checks on untrusted certificates to be
     bypassed, such as the CA flag, enabling them to use a valid leaf
     certificate to act as a CA and "issue" an invalid certificate.

     This issue was reported to OpenSSL by Adam Langley/David Benjamin
     (Google/BoringSSL).
     (CVE-2015-1793)
     [Matt Caswell]

  *) Race condition handling PSK identity hint

     If PSK identity hints are received by a multi-threaded client then
     the values are wrongly updated in the parent SSL_CTX structure. This can
     result in a race condition potentially leading to a double free of the
     identity hint data.
     (CVE-2015-3196)
     [Stephen Henson]

Changes between 1.0.1n and 1.0.1o [12 Jun 2015]

  *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
     incompatibility in the handling of HMAC. The previous ABI has now been
     restored.

Changes between 1.0.1m and 1.0.1n [11 Jun 2015]

  *) Malformed ECParameters causes infinite loop

     When processing an ECParameters structure OpenSSL enters an infinite loop
     if the curve specified is over a specially malformed binary polynomial
     field.

     This can be used to perform denial of service against any
     system which processes public keys, certificate requests or
     certificates.  This includes TLS clients and TLS servers with
     client authentication enabled.

     This issue was reported to OpenSSL by Joseph Barr-Pixton.
     (CVE-2015-1788)
     [Andy Polyakov]

  *) Exploitable out-of-bounds read in X509_cmp_time

     X509_cmp_time does not properly check the length of the ASN1_TIME
     string and can read a few bytes out of bounds. In addition,
     X509_cmp_time accepts an arbitrary number of fractional seconds in the
     time string.

     An attacker can use this to craft malformed certificates and CRLs of
     various sizes and potentially cause a segmentation fault, resulting in
     a DoS on applications that verify certificates or CRLs. TLS clients
     that verify CRLs are affected. TLS clients and servers with client
     authentication enabled may be affected if they use custom verification
     callbacks.

     This issue was reported to OpenSSL by Robert Swiecki (Google), and
     independently by Hanno Böck.
     (CVE-2015-1789)
     [Emilia Käsper]

  *) PKCS7 crash with missing EnvelopedContent

     The PKCS#7 parsing code does not handle missing inner EncryptedContent
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
     with missing content and trigger a NULL pointer dereference on parsing.

     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
     structures from untrusted sources are affected. OpenSSL clients and
     servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-1790)
     [Emilia Käsper]

  *) CMS verify infinite loop with unknown hash function

     When verifying a signedData message the CMS code can enter an infinite loop
     if presented with an unknown hash function OID. This can be used to perform
     denial of service against any system which verifies signedData messages using
     the CMS code.
     This issue was reported to OpenSSL by Johannes Bauer.
     (CVE-2015-1792)
     [Stephen Henson]

  *) Race condition handling NewSessionTicket

     If a NewSessionTicket is received by a multi-threaded client when attempting to
     reuse a previous ticket then a race condition can occur potentially leading to
     a double free of the ticket data.
     (CVE-2015-1791)
     [Matt Caswell]

  *) Reject DH handshakes with parameters shorter than 768 bits.
     [Kurt Roeckx and Emilia Kasper]

  *) dhparam: generate 2048-bit parameters by default.
     [Kurt Roeckx and Emilia Kasper]

Changes between 1.0.1l and 1.0.1m [19 Mar 2015]=

 

  *) Segmentation fault in ASN1_TYPE_cmp fix

 

     The function ASN1_TYPE_cmp will c= rash with an invalid read if an attempt is

     made to compare ASN.1 boolean typ= es. Since ASN1_TYPE_cmp is used to check

    certificate signature algorithm co= nsistency this can be used to crash any

     certificate verification operatio= n and exploited in a DoS attack. Any

     application which performs certif= icate verification is vulnerable including

     OpenSSL clients and servers which= enable client authentication.

     (CVE-2015-0286)=

     [Stephen Henson]

 

  *) ASN.1 structure reuse memory corruption fix=

 

     Reusing a structure in ASN.1 pars= ing may allow an attacker to cause

     memory corruption via an invalid = write. Such reuse is and has been

     strongly discouraged and is belie= ved to be rare.

 

     Applications that parse structure= s containing CHOICE or ANY DEFINED BY

     components may be affected. Certi= ficate parsing (d2i_X509 and related

     functions) are however not affect= ed. OpenSSL clients and servers are

     not affected.

     (CVE-2015-0287)=

     [Stephen Henson]

 

  *) PKCS7 NULL pointer dereferences fix

 

     The PKCS#7 parsing code does not = handle missing outer ContentInfo

     correctly. An attacker can craft = malformed ASN.1-encoded PKCS#7 blobs with

     missing content and trigger a NUL= L pointer dereference on parsing.

 

     Applications that verify PKCS#7 s= ignatures, decrypt PKCS#7 data or

     otherwise parse PKCS#7 structures= from untrusted sources are

     affected. OpenSSL clients and ser= vers are not affected.

 

     This issue was reported to OpenSS= L by Michal Zalewski (Google).

     (CVE-2015-0289)=

     [Emilia K=E4sper]

 

  *) DoS via reachable assert in SSLv2 servers fix

 

     A malicious client can trigger an= OPENSSL_assert (i.e., an abort) in

     servers that both support SSLv2 a= nd enable export cipher suites by sending

     a specially crafted SSLv2 CLIENT-= MASTER-KEY message.

 

     This issue was discovered by Sean= Burford (Google) and Emilia K=E4sper

     (OpenSSL development team).<= /o:p>

     (CVE-2015-0293)=

     [Emilia K=E4sper]

 

  *) Use After Free following d2i_ECPrivatekey error = fix

 

     A malformed EC private key file c= onsumed via the d2i_ECPrivateKey function

     could cause a use after free cond= ition. This, in turn, could cause a double

     free in several private key parsi= ng functions (such as d2i_PrivateKey

     or EVP_PKCS82PKEY) and could lead= to a DoS attack or memory corruption

     for applications that receive EC = private keys from untrusted

     sources. This scenario is conside= red rare.

 

     This issue was discovered by the = BoringSSL project and fixed in their

     commit 517073cd4b.

     (CVE-2015-0209)=

     [Matt Caswell]<= /p>

 

  *) X509_to_X509_REQ NULL pointer deref fix

 

     The function X509_to_X509_REQ wil= l crash with a NULL pointer dereference if

     the certificate key is invalid. T= his function is rarely used in practice.

 

     This issue was discovered by Bria= n Carpenter.

     (CVE-2015-0288)=

     [Stephen Henson]

 

  *) Removed the export ciphers from the DEFAULT ciph= ers

     [Kurt Roeckx]

 

Changes between 1.0.1k and 1.0.1l [15 Jan 2015]=

 

  *) Build fixes for the Windows and OpenVMS platform= s

     [Matt Caswell and Richard Levitte= ]

 

Changes between 1.0.1j and 1.0.1k [8 Jan 2015]<= /span>

 

  *) Fix DTLS segmentation fault in dtls1_get_record.= A carefully crafted DTLS

     message can cause a segmentation = fault in OpenSSL due to a NULL pointer

     dereference. This could lead to a= Denial Of Service attack. Thanks to

     Markus Stenberg of Cisco Systems,= Inc. for reporting this issue.

     (CVE-2014-3571)=

     [Steve Henson]<= /p>

 

  *) Fix DTLS memory leak in dtls1_buffer_record. A m= emory leak can occur in the

     dtls1_buffer_record function unde= r certain conditions. In particular this

     could occur if an attacker sent r= epeated DTLS records with the same

     sequence number but for the next = epoch. The memory leak could be exploited

     by an attacker in a Denial of Ser= vice attack through memory exhaustion.

     Thanks to Chris Mueller for repor= ting this issue.

     (CVE-2015-0206)=

     [Matt Caswell]<= /p>

 

  *) Fix issue where no-ssl3 configuration sets metho= d to NULL. When openssl is

     built with the no-ssl3 option and= a SSL v3 ClientHello is received the ssl

     method would be set to NULL which= could later result in a NULL pointer

     dereference. Thanks to Frank Schm= irler for reporting this issue.

     (CVE-2014-3569)=

     [Kurt Roeckx]

 

  *) Abort handshake if server key exchange message i= s omitted for ephemeral

     ECDH ciphersuites.

 

     Thanks to Karthikeyan Bhargavan o= f the PROSECCO team at INRIA for

     reporting this issue.<= /span>

     (CVE-2014-3572)=

     [Steve Henson]<= /p>

 

  *) Remove non-export ephemeral RSA code on client a= nd server. This code

     violated the TLS standard by allo= wing the use of temporary RSA keys in

     non-export ciphersuites and could= be used by a server to effectively

     downgrade the RSA key length used= to a value smaller than the server

     certificate. Thanks for Karthikey= an Bhargavan of the PROSECCO team at

     INRIA or reporting this issue.

     (CVE-2015-0204)=

     [Steve Henson]<= /p>

 

  *) Fixed issue where DH client certificates are acc= epted without verification.

     An OpenSSL server will accept a D= H certificate for client authentication

     without the certificate verify me= ssage. This effectively allows a client to

     authenticate without the use of a= private key. This only affects servers

    which trust a client certificate a= uthority which issues certificates

     containing DH keys: these are ext= remely rare and hardly ever encountered.

     Thanks for Karthikeyan Bhargavan = of the PROSECCO team at INRIA or reporting

     this issue.

     (CVE-2015-0205)=

     [Steve Henson]<= /p>

 

  *) Ensure that the session ID context of an SSL is = updated when its

     SSL_CTX is updated via SSL_set_SS= L_CTX.

 

     The session ID context is typical= ly set from the parent SSL_CTX,

     and can vary with the CTX.

     [Adam Langley]<= /p>

 

  *) Fix various certificate fingerprint issues.=

 

     By using non-DER or invalid encod= ings outside the signed portion of a

     certificate the fingerprint can b= e changed without breaking the signature.

     Although no details of the signed= portion of the certificate can be changed

     this can cause problems with some= applications: e.g. those using the

     certificate fingerprint for black= lists.

 

     1. Reject signatures with non zer= o unused bits.

 

     If the BIT STRING containing the = signature has non zero unused bits reject

     the signature. All current signat= ure algorithms require zero unused bits.

 

     2. Check certificate algorithm co= nsistency.

 

     Check the AlgorithmIdentifier ins= ide TBS matches the one in the

     certificate signature. NB: this w= ill result in signature failure

     errors for some broken certificat= es.

 

     Thanks to Konrad Kraszewski from = Google for reporting this issue.

 

     3. Check DSA/ECDSA signatures use= DER.

 

     Reencode DSA/ECDSA signatures and= compare with the original received

     signature. Return an error if the= re is a mismatch.

 

     This will reject various cases in= cluding garbage after signature

     (thanks to Antti Karjalainen and = Tuomo Untinen from the Codenomicon CROSS

     program for discovering this case= ) and use of BER or invalid ASN.1 INTEGERs

     (negative or with leading zeroes)= .

 

     Further analysis was conducted an= d fixes were developed by Stephen Henson

     of the OpenSSL core team.

 

     (CVE-2014-8275)=

     [Steve Henson]<= /p>

 

  *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
     results on some platforms, including x86_64. This bug occurs at random
     with a very low probability, and is not known to be exploitable in any
     way, though its exact impact is difficult to determine. Thanks to Pieter
     Wuille (Blockstream) who reported this issue and also suggested an initial
     fix. Further analysis was conducted by the OpenSSL development team and
     Adam Langley of Google. The final fix was developed by Andy Polyakov of
     the OpenSSL core team.
     (CVE-2014-3570)
     [Andy Polyakov]

  *) Do not resume sessions on the server if the negotiated protocol
     version does not match the session's version. Resuming with a different
     version, while not strictly forbidden by the RFC, is of questionable
     sanity and breaks all known clients.
     [David Benjamin, Emilia Käsper]

  *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
     early CCS messages during renegotiation. (Note that because
     renegotiation is encrypted, this early CCS was not exploitable.)
     [Emilia Käsper]

  *) Tighten client-side session ticket handling during renegotiation:
     ensure that the client only accepts a session ticket if the server sends
     the extension anew in the ServerHello. Previously, a TLS client would
     reuse the old extension state and thus accept a session ticket if one was
     announced in the initial ServerHello.

     Similarly, ensure that the client requires a session ticket if one
     was advertised in the ServerHello. Previously, a TLS client would
     ignore a missing NewSessionTicket message.
     [Emilia Käsper]

Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

  *) SRTP Memory Leak.

     A flaw in the DTLS SRTP extension parsing code allows an attacker, who
     sends a carefully crafted handshake message, to cause OpenSSL to fail
     to free up to 64k of memory causing a memory leak. This could be
     exploited in a Denial Of Service attack. This issue affects OpenSSL
     1.0.1 server implementations for both SSL/TLS and DTLS regardless of
     whether SRTP is used or configured. Implementations of OpenSSL that
     have been compiled with OPENSSL_NO_SRTP defined are not affected.

     The fix was developed by the OpenSSL team.
     (CVE-2014-3513)
     [OpenSSL team]

  *) Session Ticket Memory Leak.

     When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
     integrity of that ticket is first verified. In the event of a session
     ticket integrity check failing, OpenSSL will fail to free memory
     causing a memory leak. By sending a large number of invalid session
     tickets an attacker could exploit this issue in a Denial Of Service
     attack.
     (CVE-2014-3567)
     [Steve Henson]

  *) Build option no-ssl3 is incomplete.

     When OpenSSL is configured with "no-ssl3" as a build option, servers
     could accept and complete a SSL 3.0 handshake, and clients could be
     configured to send them.
     (CVE-2014-3568)
     [Akamai and the OpenSSL team]

  *) Add support for TLS_FALLBACK_SCSV.
     Client applications doing fallback retries should call
     SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
     (CVE-2014-3566)
     [Adam Langley, Bodo Moeller]

  *) Add additional DigestInfo checks.
     Reencode DigestInfo in DER and check against the original when
     verifying RSA signature: this will reject any improperly encoded
     DigestInfo structures.

     Note: this is a precautionary measure and no attacks are currently known.

     [Steve Henson]

Summary:

     (CVE-2016-6304)
     (CVE-2016-2183)
     (CVE-2016-6303)
     (CVE-2016-6302)
     (CVE-2016-2182)
     (CVE-2016-2180)
     (CVE-2016-2177)
     (CVE-2016-2178)
     (CVE-2016-2179)
     (CVE-2016-2181)
     (CVE-2016-6306)
     This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169).
     (CVE-2016-2107)
     (CVE-2016-2105)
     (CVE-2016-2106)
     (CVE-2016-2109)
     (CVE-2016-2176)
     (CVE-2016-0800)
     (CVE-2016-0705)
     (CVE-2016-0798)
     (CVE-2016-0797)
     (CVE-2016-0799)
     (CVE-2016-0702)
     (CVE-2015-3197)
     (CVE-2015-3194)
     (CVE-2015-3195)
     (CVE-2015-1793)
     (CVE-2015-3196)
     (CVE-2015-1788)
     (CVE-2015-1789)
     (CVE-2015-1790)
     (CVE-2015-1792)
     (CVE-2015-1791)
     (CVE-2015-0286)
     (CVE-2015-0287)
     (CVE-2015-0289)
     (CVE-2015-0293)
     (CVE-2015-0209)
     (CVE-2015-0288)
     (CVE-2014-3571)
     (CVE-2015-0206)
     (CVE-2014-3569)
     (CVE-2014-3572)
     (CVE-2015-0204)
     (CVE-2015-0205)
     (CVE-2014-8275)
     (CVE-2014-3570)
     (CVE-2014-3513)
     (CVE-2014-3567)
     (CVE-2014-3568)
     (CVE-2014-3566)
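The practical question behind this thread is which of the fixes listed above a recipe pinned at openssl_1.0.1i is missing. The following is an added example written for this page, not code from OpenSSL or from the meta-fsl-ppc layer: it maps each CVE to the 1.0.1 letter release whose "Changes between ..." heading appears in the excerpt above, compares OpenSSL's letter-suffixed version strings correctly, and extracts the version from a Yocto recipe file name. The function names, the `.bb` file-name parsing and the FIXED_IN table are my own; the 2016 CVEs in the Summary have no heading in this excerpt, so they are deliberately not mapped, which means "has all listed fixes" refers only to the releases in the table.

```python
"""Which of the changelog's CVE fixes does a given OpenSSL 1.0.1 build lack?

Added example for this thread; not OpenSSL or meta-fsl-ppc project code.
FIXED_IN is transcribed from the "Changes between 1.0.1x and 1.0.1y"
headings quoted above. Releases without a heading in the excerpt (the
2016 fixes in the Summary) are intentionally absent.
"""
import re

# fixing release -> CVEs that release closed (from the quoted changelog)
FIXED_IN = {
    "1.0.1j": ["CVE-2014-3513", "CVE-2014-3567", "CVE-2014-3568", "CVE-2014-3566"],
    "1.0.1k": ["CVE-2014-3571", "CVE-2015-0206", "CVE-2014-3569", "CVE-2014-3572",
               "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-8275", "CVE-2014-3570"],
    "1.0.1l": [],                                   # build fixes only
    "1.0.1m": ["CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0289", "CVE-2015-0293",
               "CVE-2015-0209", "CVE-2015-0288"],
    "1.0.1n": ["CVE-2015-1788", "CVE-2015-1789", "CVE-2015-1790", "CVE-2015-1792",
               "CVE-2015-1791"],
    "1.0.1o": [],                                   # HMAC ABI fix only
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(version):
    """'1.0.1i' -> a tuple that orders the way OpenSSL 1.x releases did.

    The trailing letters are the patch level: no suffix sorts before 'a',
    and a two-letter suffix ('za') sorts after every single letter, so the
    suffix length is compared before the suffix itself.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not an OpenSSL 1.x version string: {version!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def version_from_recipe(recipe_filename):
    """'openssl_1.0.1i.bb' -> '1.0.1i' (Yocto names recipes <pn>_<pv>.bb)."""
    m = re.match(r"^openssl_([0-9][0-9a-z.]*)\.bb$", recipe_filename)
    if not m:
        raise ValueError(f"not an openssl recipe file name: {recipe_filename!r}")
    return m.group(1)


def missing_fixes(version):
    """CVEs in FIXED_IN whose fixing release is newer than `version`,
    in release order."""
    have = parse_version(version)
    missing = []
    for release in sorted(FIXED_IN, key=parse_version):
        if parse_version(release) > have:
            missing.extend(FIXED_IN[release])
    return missing


def recipe_has_all_listed_fixes(recipe_filename):
    """True when the recipe's version is at or past every release in FIXED_IN."""
    return not missing_fixes(version_from_recipe(recipe_filename))


if __name__ == "__main__":
    for cve in missing_fixes("1.0.1i"):
        print("openssl_1.0.1i lacks", cve)
```

Because the table stops at 1.0.1o, a version such as 1.0.1u reports nothing missing here even though the Summary lists further 2016 CVEs; extend FIXED_IN from the full changelog before relying on it for a release decision.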
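The CVE-2014-8275 entry above ("Fix various certificate fingerprint issues") describes two encoding checks that are easy to get wrong: rejecting a signature BIT STRING with non-zero unused bits (item 1) and re-encoding a DSA/ECDSA signature in strict DER and comparing it with the bytes received (item 3). The block below is an added example in Python, written for this page and not OpenSSL's own code, that reimplements those two checks: a deliberately lenient decoder (tolerating BER lengths, leading zeros and trailing bytes, as a plain d2i-style decoder would) followed by a canonical re-encode, so that a single byte comparison rejects the cases the entry lists. Item 2 (AlgorithmIdentifier consistency) is not covered. All function names and the sample signatures are my own; the sample (r, s) values are tiny constructed integers, not real signatures.

```python
"""Re-encode-and-compare check for DSA/ECDSA signatures (cf. CVE-2014-8275).

Added example for this page; not OpenSSL code. A lenient decoder reads
SEQUENCE { INTEGER r, INTEGER s }; the signature is accepted only if
re-encoding (r, s) in strict DER reproduces the received bytes exactly.
"""


class DerError(ValueError):
    """Input is not usable as a DER/BER signature structure."""


def _read_tlv(buf, pos=0):
    """Read one tag-length-value at buf[pos]. Accepts definite long-form
    lengths even when non-minimal (BER-tolerant); rejects indefinite length.
    Returns (tag, value_bytes, end_offset)."""
    if pos + 2 > len(buf):
        raise DerError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise DerError("indefinite length (BER, never DER)")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if pos + n > len(buf):
            raise DerError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DerError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def _decode_integer(value):
    """Lenient INTEGER decode: tolerates leading zero padding, but rejects
    negative values, which never occur in an (r, s) pair."""
    if not value:
        raise DerError("empty INTEGER")
    if value[0] & 0x80:
        raise DerError("negative INTEGER in signature")
    return int.from_bytes(value, "big")


def _encode_length(length):
    """Minimal DER length encoding."""
    if length < 0x80:
        return bytes([length])
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _encode_integer(n):
    """Strict DER INTEGER for n >= 0: shortest encoding whose sign bit is clear."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _encode_length(len(body)) + body


def decode_dsa_signature(sig):
    """Lenient parse of SEQUENCE { INTEGER r, INTEGER s }; bytes after the
    SEQUENCE are ignored here and caught by the canonical comparison."""
    tag, seq, _end = _read_tlv(sig)
    if tag != 0x30:
        raise DerError("signature is not a SEQUENCE")
    tag_r, rv, pos = _read_tlv(seq)
    tag_s, sv, pos = _read_tlv(seq, pos)
    if tag_r != 0x02 or tag_s != 0x02 or pos != len(seq):
        raise DerError("expected exactly two INTEGERs")
    return _decode_integer(rv), _decode_integer(sv)


def encode_dsa_signature(r, s):
    """Strict DER encoding of (r, s)."""
    body = _encode_integer(r) + _encode_integer(s)
    return b"\x30" + _encode_length(len(body)) + body


def signature_is_canonical_der(sig):
    """The check from item 3: decode, re-encode, require byte equality.
    Trailing garbage, BER lengths and non-minimal or padded INTEGERs all
    fail this single comparison; negative INTEGERs fail during decoding."""
    try:
        r, s = decode_dsa_signature(sig)
    except DerError:
        return False
    return encode_dsa_signature(r, s) == sig


def signature_bitstring_ok(bitstring_content):
    """The check from item 1 combined with item 3, applied to the content
    octets of a certificate's signatureValue BIT STRING: the first octet is
    the unused-bit count and must be zero; the rest must be canonical DER."""
    if not bitstring_content or bitstring_content[0] != 0:
        return False
    return signature_is_canonical_der(bitstring_content[1:])


# Constructed sample inputs (r=1, s=2 and variants); not real signatures.
GOOD = bytes.fromhex("3006020101020102")
TRAILING_GARBAGE = GOOD + b"\x00"                     # one byte after the SEQUENCE
LEADING_ZERO = bytes.fromhex("300702020001020102")    # r encoded as 00 01
NEGATIVE = bytes.fromhex("3006020181020102")          # r byte 0x81 has the sign bit set
NEEDS_PAD = bytes.fromhex("300702020080020102")       # r=128 legitimately needs a 00 pad
BER_LONG_LEN = bytes.fromhex("308106020101020102")    # long-form length for a 6-byte body
```

The lenient decoder is the point of the design: hardening the parser alone would need a rule for every malformation, whereas re-encoding and comparing rejects anything that is not the one canonical form, which is why the changelog entry chose that approach.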

 

 

From: Zhenhua Luo [mailto:zhenhua.luo@nxp.com]
Sent: 27 September 2016 12:10
To: Sona Sarmadi <sona.sarmadi@enea.com>
Cc: meta-freescale@yoctoproject.org
Subject: RE: [meta-freescale] meta-fsl-ppc in krogoth branch is using a vulnerable version of OpenSSL (openssl_1.0.1i).

Hi Sona,

Is it possible to backport the vulnerability patches for openssl_1.0.1i directly? This version is fully verified by our testing.

Best Regards,

Zhenhua

From: meta-freescale-bounces@yoctoproject.org [mailto:meta-freescale-bounces@yoctoproject.org] On Behalf Of Sona Sarmadi
Sent: Tuesday, September 27, 2016 2:10 PM
To: meta-freescale@yoctoproject.org
Subject: [meta-freescale] meta-fsl-ppc in krogoth branch is using a vulnerable version of OpenSSL (openssl_1.0.1i).

Hi guys

meta-fsl-ppc/recipes-connectivity/openssl in krogoth is using a vulnerable version of OpenSSL (openssl_1.0.1i).

OpenSSL recommends 1.0.1 users to upgrade to 1.0.1u version:

Can we upgrade openssl version or do you prefer to keep this version? In this case I can try to backport individual patches if possible.

Regards

//Sona

---------------------------------------

Sona Sarmadi
Security Responsible for Enea Linux/
GPG Fingerprint: 444F A5E9 CDC6 4620 85C7  2CA9 60FF AF33 15BD 5928

Enea Software AB
Jan Stenbecks Torg 17
P.O Box 1033
SE-164 26 Kista, Sweden
Phone  +46 70 971 4475
