path: root/CHANGES
diff options
Diffstat (limited to 'CHANGES')
1 files changed, 97 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 7578f7eb7ace..4a557652d5a5 100644
@@ -2,6 +2,103 @@
+ Changes between 1.0.2g and 1.0.2h [3 May 2016]
+ *) Prevent padding oracle in AES-NI CBC MAC check
+ A MITM attacker can use a padding oracle attack to decrypt traffic
+ when the connection uses an AES CBC cipher and the server support
+ This issue was introduced as part of the fix for Lucky 13 padding
+ attack (CVE-2013-0169). The padding check was rewritten to be in
+ constant time by making sure that always the same bytes are read and
+ compared against either the MAC or padding bytes. But it no longer
+ checked that there was enough data to have both the MAC and padding
+ bytes.
+ This issue was reported by Juraj Somorovsky using TLS-Attacker.
+ (CVE-2016-2107)
+ [Kurt Roeckx]
+ *) Fix EVP_EncodeUpdate overflow
+ An overflow can occur in the EVP_EncodeUpdate() function which is used for
+ Base64 encoding of binary data. If an attacker is able to supply very large
+ amounts of input data then a length check can overflow resulting in a heap
+ corruption.
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+ the PEM_write_bio* family of functions. These are mainly used within the
+ OpenSSL command line applications, so any application which processes data
+ from an untrusted source and outputs it as a PEM file should be considered
+ vulnerable to this issue. User applications that call these APIs directly
+ with large amounts of untrusted data may also be vulnerable.
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2105)
+ [Matt Caswell]
+ *) Fix EVP_EncryptUpdate overflow
+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+ is able to supply very large amounts of input data after a previous call to
+ EVP_EncryptUpdate() with a partial block then a length check can overflow
+ resulting in a heap corruption. Following an analysis of all OpenSSL
+ internal usage of the EVP_EncryptUpdate() function all usage is one of two
+ forms. The first form is where the EVP_EncryptUpdate() call is known to be
+ the first called function after an EVP_EncryptInit(), and therefore that
+ specific call must be safe. The second form is where the length passed to
+ EVP_EncryptUpdate() can be seen from the code to be some small value and
+ therefore there is no possibility of an overflow. Since all instances are
+ one of these two forms, it is believed that there can be no overflows in
+ internal code due to this problem. It should be noted that
+ EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+ Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+ of these calls have also been analysed too and it is believed there are no
+ instances in internal usage where an overflow could occur.
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2106)
+ [Matt Caswell]
+ *) Prevent ASN.1 BIO excessive memory allocation
+ When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+ a short invalid encoding can casuse allocation of large amounts of memory
+ potentially consuming excessive resources or exhausting memory.
+ Any application parsing untrusted data through d2i BIO functions is
+ affected. The memory based functions such as d2i_X509() are *not* affected.
+ Since the memory based functions are used by the TLS library, TLS
+ applications are not affected.
+ This issue was reported by Brian Carpenter.
+ (CVE-2016-2109)
+ [Stephen Henson]
+ *) EBCDIC overread
+ ASN1 Strings that are over 1024 bytes can cause an overread in applications
+ using the X509_NAME_oneline() function on EBCDIC systems. This could result
+ in arbitrary stack data being returned in the buffer.
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2176)
+ [Matt Caswell]
+ *) Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ [Todd Short]
+ *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
+ default.
+ [Kurt Roeckx]
+ *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
+ [Kurt Roeckx]
Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.