summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2016-11-10 12:49:06 +0100
committerMatt Caswell <matt@openssl.org>2016-11-10 14:04:11 +0100
commit6a69e8694af23dae1d1927813932f4296d133416 (patch)
tree009a9b7299ccfe59e5fca0a5899ef8d57350d7bb
parentFix the no-tls option (diff)
downloadopenssl-6a69e8694af23dae1d1927813932f4296d133416.tar.xz
openssl-6a69e8694af23dae1d1927813932f4296d133416.zip
Update CHANGES and NEWS
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rw-r--r--CHANGES46
-rw-r--r--NEWS3
2 files changed, 49 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index ba661db638..518a70b6c5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -17,6 +17,52 @@
Changes between 1.1.0b and 1.1.0c [xx XXX xxxx]
+ *) ChaCha20/Poly1305 heap-buffer-overflow
+
+ TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
+ a DoS attack by corrupting larger payloads. This can result in an OpenSSL
+ crash. This issue is not considered to be exploitable beyond a DoS.
+
+ This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
+ (CVE-2016-7054)
+ [Richard Levitte]
+
+ *) CMS Null dereference
+
+ Applications parsing invalid CMS structures can crash with a NULL pointer
+ dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
+ type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
+ structure callback if an attempt is made to free certain invalid encodings.
+ Only CHOICE structures using a callback which do not handle NULL value are
+ affected.
+
+ This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
+ (CVE-2016-7053)
+ [Stephen Henson]
+
+ *) Montgomery multiplication may produce incorrect results
+
+ There is a carry propagating bug in the Broadwell-specific Montgomery
+ multiplication procedure that handles input lengths divisible by, but
+ longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+ and DH private keys are impossible. This is because the subroutine in
+ question is not used in operations with the private key itself and an input
+ of the attacker's direct choice. Otherwise the bug can manifest itself as
+ transient authentication and key negotiation failures or reproducible
+ erroneous outcome of public-key operations with specially crafted input.
+ Among EC algorithms only Brainpool P-512 curves are affected and one
+ presumably can attack ECDH key negotiation. Impact was not analyzed in
+ detail, because pre-requisites for attack are considered unlikely. Namely
+ multiple clients have to choose the curve in question and the server has to
+ share the private key among them, neither of which is default behaviour.
+ Even then only clients that chose the curve will be affected.
+
+ This issue was publicly reported as transient failures and was not
+ initially recognized as a security issue. Thanks to Richard Morgan for
+ providing reproducible case.
+ (CVE-2016-7055)
+ [Andy Polyakov]
+
*) Removed automatic addition of RPATH in shared libraries and executables,
as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
[Richard Levitte]
diff --git a/NEWS b/NEWS
index 82d1cb18b9..e88c5f470b 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,9 @@
Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016]
+ o ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
+ o CMS Null dereference (CVE-2016-7053)
+ o Montgomery multiplication may produce incorrect results (CVE-2016-7055)
o Fix Use After Free for large message sizes (CVE-2016-6309)
Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]