diff options
author | Matt Caswell <matt@openssl.org> | 2016-11-10 12:49:06 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-11-10 14:04:11 +0100 |
commit | 6a69e8694af23dae1d1927813932f4296d133416 (patch) | |
tree | 009a9b7299ccfe59e5fca0a5899ef8d57350d7bb | |
parent | Fix the no-tls option (diff) | |
download | openssl-6a69e8694af23dae1d1927813932f4296d133416.tar.xz openssl-6a69e8694af23dae1d1927813932f4296d133416.zip |
Update CHANGES and NEWS
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rw-r--r-- | CHANGES | 46 | ||||
-rw-r--r-- | NEWS | 3 |
2 files changed, 49 insertions, 0 deletions
@@ -17,6 +17,52 @@ Changes between 1.1.0b and 1.1.0c [xx XXX xxxx] + *) ChaCha20/Poly1305 heap-buffer-overflow + + TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to + a DoS attack by corrupting larger payloads. This can result in an OpenSSL + crash. This issue is not considered to be exploitable beyond a DoS. + + This issue was reported to OpenSSL by Robert Święcki (Google Security Team) + (CVE-2016-7054) + [Richard Levitte] + + *) CMS Null dereference + + Applications parsing invalid CMS structures can crash with a NULL pointer + dereference. This is caused by a bug in the handling of the ASN.1 CHOICE + type in OpenSSL 1.1.0 which can result in a NULL value being passed to the + structure callback if an attempt is made to free certain invalid encodings. + Only CHOICE structures using a callback which do not handle NULL value are + affected. + + This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure. + (CVE-2016-7053) + [Stephen Henson] + + *) Montgomery multiplication may produce incorrect results + + There is a carry propagating bug in the Broadwell-specific Montgomery + multiplication procedure that handles input lengths divisible by, but + longer than 256 bits. Analysis suggests that attacks against RSA, DSA + and DH private keys are impossible. This is because the subroutine in + question is not used in operations with the private key itself and an input + of the attacker's direct choice. Otherwise the bug can manifest itself as + transient authentication and key negotiation failures or reproducible + erroneous outcome of public-key operations with specially crafted input. + Among EC algorithms only Brainpool P-512 curves are affected and one + presumably can attack ECDH key negotiation. Impact was not analyzed in + detail, because pre-requisites for attack are considered unlikely. Namely + multiple clients have to choose the curve in question and the server has to + share the private key among them, neither of which is default behaviour. + Even then only clients that chose the curve will be affected. + + This issue was publicly reported as transient failures and was not + initially recognized as a security issue. Thanks to Richard Morgan for + providing reproducible case. + (CVE-2016-7055) + [Andy Polyakov] + *) Removed automatic addition of RPATH in shared libraries and executables, as this was a remainder from OpenSSL 1.0.x and isn't needed any more. [Richard Levitte] @@ -11,6 +11,9 @@ Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016] + o ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054) + o CMS Null dereference (CVE-2016-7053) + o Montgomery multiplication may produce incorrect results (CVE-2016-7055) o Fix Use After Free for large message sizes (CVE-2016-6309) Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016] |