Changelog History

  • v1.0.1.c Changes

    February 05, 2013
    • Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

    This addresses the flaw in CBC record processing discovered by Nadhem Alfardan and Kenny Paterson. Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/

    Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and Emilia Käsper for the initial patch. [CVE-2013-0169][]

    Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson

    • Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode ciphersuites which can be exploited in a denial of service attack. Thanks go to Adam Langley for discovering and detecting this bug and to Wolfgang Ettlinger for independently discovering this issue. [CVE-2012-2686][]

    Adam Langley

    • Return an error when checking OCSP signatures when key is NULL. This fixes a DoS attack. [CVE-2013-0166][]

    Steve Henson

    • Make openssl verify return errors.

    Chris Palmer and Ben Laurie

    Rob Stradling

    • Fix possible deadlock when decoding public keys.

    Steve Henson

    • Don't use TLS 1.0 record version number in initial client hello if renegotiating.

    Steve Henson

  • v1.0.1.b Changes

    May 10, 2012
    • Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and DTLS to fix DoS attack.

    Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. [CVE-2012-2333][]

    Steve Henson

    • Initialise tkeylen properly when encrypting CMS messages. Thanks to Solar Designer of Openwall for reporting this issue.

    Steve Henson

    • In FIPS mode don't try to use composite ciphers as they are not approved.

    Steve Henson

  • v1.0.1.a Changes

    April 26, 2012
    • OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL, and OpenSSL 1.0.1 and 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L. Unfortunately this means that any application compiled against OpenSSL 1.0.0 headers that sets SSL_OP_ALL also sets SSL_OP_NO_TLSv1_1, unintentionally disabling TLS 1.1 as well. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to 0x10000000L. Any application which was previously compiled against OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 will need to be recompiled as a result. Not recompiling results in the inability to disable TLS 1.1 specifically and, in a client context, in the unlikely event, in limiting the maximum offered version to TLS 1.0 [see below].

    Steve Henson

    • In order to ensure interoperability, SSL_OP_NO_protocolX does not disable just protocol X, but all protocols above X if there are protocols below X still enabled. In more practical terms, if an application wants to disable TLS 1.0 in favor of TLS 1.1 and above, it is not sufficient to pass SSL_OP_NO_TLSv1; it has to pass SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to the client side.

    Andy Polyakov
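
The two v1.0.1.a entries above, worked through as an added example (not OpenSSL code): it checks the SSL_OP_ALL bit collision with the values quoted in the first entry, and models the "no holes" rule from the second as a contiguous range of offered versions. The `OP_*` names, `op_all_sets` and `offered_range` are hypothetical, and the bit values of the flags other than SSL_OP_NO_TLSv1_1 are assumptions, since this page does not give them.

```c
#include <stdio.h>

/* Values quoted in the entry above. */
#define OP_ALL_1_0_0       0x80000FFFUL /* SSL_OP_ALL in 1.0.0 headers */
#define OP_NO_TLSv1_1_OLD  0x00000400UL /* SSL_OP_NO_TLSv1_1 in 1.0.1, 1.0.1a */
#define OP_NO_TLSv1_1      0x10000000UL /* SSL_OP_NO_TLSv1_1 after the fix */
/* Assumed values for the other SSL_OP_NO_* flags (not given on this page). */
#define OP_NO_SSLv2        0x01000000UL
#define OP_NO_SSLv3        0x02000000UL
#define OP_NO_TLSv1        0x04000000UL
#define OP_NO_TLSv1_2      0x08000000UL

enum proto { SSLv2, SSLv3, TLSv1_0, TLSv1_1, TLSv1_2, NPROTO };
static const char *const proto_name[NPROTO] =
    { "SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2" };

/* Does an application that sets the 1.0.0 SSL_OP_ALL also set this flag? */
int op_all_sets(unsigned long flag) { return (OP_ALL_1_0_0 & flag) != 0; }

/* Model of the stated rule: the offered versions form one contiguous run
 * starting at the lowest enabled protocol and ending before the first
 * disabled one above it. Returns 0 if every protocol is disabled. */
int offered_range(unsigned long opts, int *lo, int *hi)
{
    static const unsigned long no_flag[NPROTO] = {
        OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_TLSv1_2 };
    int v = 0;
    while (v < NPROTO && (opts & no_flag[v])) v++;          /* lowest enabled */
    if (v == NPROTO) return 0;
    *lo = v;
    while (v + 1 < NPROTO && !(opts & no_flag[v + 1])) v++; /* stop at a hole */
    *hi = v;
    return 1;
}

static void show(const char *label, unsigned long opts)
{
    int lo, hi;
    if (offered_range(opts, &lo, &hi))
        printf("%-36s %s .. %s\n", label, proto_name[lo], proto_name[hi]);
}

int main(void)
{
    printf("old flag hit by SSL_OP_ALL: %d, new: %d\n",
           op_all_sets(OP_NO_TLSv1_1_OLD), op_all_sets(OP_NO_TLSv1_1));
    show("SSL_OP_NO_TLSv1", OP_NO_TLSv1);
    show("SSL_OP_NO_TLSv1|NO_SSLv3|NO_SSLv2",
         OP_NO_TLSv1 | OP_NO_SSLv3 | OP_NO_SSLv2);
    return 0;
}
```

Passing SSL_OP_NO_TLSv1 alone leaves the client offering nothing above SSLv3 in this model, which is the opposite of what an application trying to retire TLS 1.0 wants.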

  • v1.0.0.s Changes

    December 03, 2015
    • X509_ATTRIBUTE memory leak

    When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.

    This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using libFuzzer. [CVE-2015-3195][]

    Stephen Henson

    • Race condition handling PSK identity hint

    If PSK identity hints are received by a multi-threaded client then the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identity hint data. [CVE-2015-3196][]

    Stephen Henson

  • v1.0.0.r Changes

    June 11, 2015
    • Malformed ECParameters causes infinite loop

    When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field.

    This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled.

    This issue was reported to OpenSSL by Joseph Barr-Pixton. [CVE-2015-1788][]

    Andy Polyakov

    • Exploitable out-of-bounds read in X509_cmp_time

    X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string.

    An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks.

    This issue was reported to OpenSSL by Robert Swiecki (Google), and independently by Hanno Böck. [CVE-2015-1789][]

    Emilia Käsper

    • PKCS7 crash with missing EnvelopedContent

    The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.

    Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.

    This issue was reported to OpenSSL by Michal Zalewski (Google). [CVE-2015-1790][]

    Emilia Käsper

    • CMS verify infinite loop with unknown hash function

    When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code. This issue was reported to OpenSSL by Johannes Bauer. [CVE-2015-1792][]

    Stephen Henson

    • Race condition handling NewSessionTicket

    If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. [CVE-2015-1791][]

    Matt Caswell

  • v1.0.0.q Changes

    March 19, 2015
    • Segmentation fault in ASN1_TYPE_cmp fix

    The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication. [CVE-2015-0286][]

    Stephen Henson

    • ASN.1 structure reuse memory corruption fix

    Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare.

    Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected. Certificate parsing (d2i_X509 and related functions) is, however, not affected. OpenSSL clients and servers are not affected. [CVE-2015-0287][]

    Stephen Henson

    • PKCS7 NULL pointer dereferences fix

    The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.

    Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.

    This issue was reported to OpenSSL by Michal Zalewski (Google). [CVE-2015-0289][]

    Emilia Käsper

    • DoS via reachable assert in SSLv2 servers fix

    A malicious client can trigger an OPENSSL_assert (i.e., an abort) in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.

    This issue was discovered by Sean Burford (Google) and Emilia Käsper (OpenSSL development team). [CVE-2015-0293][]

    Emilia Käsper

    • Use After Free following d2i_ECPrivateKey error fix

    A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources. This scenario is considered rare.

    This issue was discovered by the BoringSSL project and fixed in their commit 517073cd4b. [CVE-2015-0209][]

    Matt Caswell

    • X509_to_X509_REQ NULL pointer deref fix

    The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice.

    This issue was discovered by Brian Carpenter. [CVE-2015-0288][]

    Stephen Henson

    • Removed the export ciphers from the DEFAULT ciphers

    Kurt Roeckx

  • v1.0.0.p Changes

    January 15, 2015
    • Build fixes for the Windows and OpenVMS platforms

    Matt Caswell and Richard Levitte

  • v1.0.0.o Changes

    January 08, 2015
    • Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack. Thanks to Markus Stenberg of Cisco Systems, Inc. for reporting this issue. [CVE-2014-3571][]

    Steve Henson

    • Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion. Thanks to Chris Mueller for reporting this issue. [CVE-2015-0206][]

    Matt Caswell

    • Fix issue where no-ssl3 configuration sets method to NULL. When OpenSSL is built with the no-ssl3 option and an SSL v3 ClientHello is received, the ssl method would be set to NULL, which could later result in a NULL pointer dereference. Thanks to Frank Schmirler for reporting this issue. [CVE-2014-3569][]

    Kurt Roeckx

    • Abort handshake if server key exchange message is omitted for ephemeral ECDH ciphersuites.

    Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue. [CVE-2014-3572][]

    Steve Henson

    • Remove non-export ephemeral RSA code on client and server. This code violated the TLS standard by allowing the use of temporary RSA keys in non-export ciphersuites and could be used by a server to effectively downgrade the RSA key length used to a value smaller than the server certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue. [CVE-2015-0204][]

    Steve Henson

    • Fixed issue where DH client certificates are accepted without verification. An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue. [CVE-2015-0205][]

    Steve Henson

    • Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. Thanks to Pieter Wuille (Blockstream) who reported this issue and also suggested an initial fix. Further analysis was conducted by the OpenSSL development team and Adam Langley of Google. The final fix was developed by Andy Polyakov of the OpenSSL core team. [CVE-2014-3570][]

    Andy Polyakov

    • Fix various certificate fingerprint issues.

    By using non-DER or invalid encodings outside the signed portion of a certificate the fingerprint can be changed without breaking the signature. Although no details of the signed portion of the certificate can be changed this can cause problems with some applications: e.g. those using the certificate fingerprint for blacklists.

    1. Reject signatures with non zero unused bits.

    If the BIT STRING containing the signature has non zero unused bits reject the signature. All current signature algorithms require zero unused bits.

    2. Check certificate algorithm consistency.

    Check the AlgorithmIdentifier inside TBS matches the one in the certificate signature. NB: this will result in signature failure errors for some broken certificates.

    Thanks to Konrad Kraszewski from Google for reporting this issue.

    3. Check DSA/ECDSA signatures use DER.

    Reencode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch.

    This will reject various cases including garbage after signature (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program for discovering this case) and use of BER or invalid ASN.1 INTEGERs (negative or with leading zeroes).

    Further analysis was conducted and fixes were developed by Stephen Henson of the OpenSSL core team.

    [CVE-2014-8275][]

    Steve Henson
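
The DSA/ECDSA check described in the fingerprint entry above, sketched as an added example (not OpenSSL's implementation): read the signature leniently, re-encode it canonically, and accept it only if the bytes are identical. Function names and sample bytes are constructed for illustration, and the buffers are sized for integers of at most 66 bytes (curves up to P-521).

```c
#include <string.h>

/* Lenient (BER-style) header read: accepts short- and long-form lengths.
 * Returns the header size, or 0 on error. */
static size_t read_hdr(const unsigned char *p, size_t n, int tag, size_t *len)
{
    size_t i, k;
    if (n < 2 || p[0] != tag) return 0;
    if (!(p[1] & 0x80)) { *len = p[1]; return 2; }
    k = p[1] & 0x7f;
    if (k == 0 || k > 2 || n < 2 + k) return 0;
    for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
    return 2 + k;
}

/* Read one INTEGER leniently, append its canonical DER form to out.
 * Returns the number of input bytes consumed, or 0 on error. */
static size_t recode_int(const unsigned char *p, size_t n,
                         unsigned char *out, size_t *olen)
{
    size_t len, i = 0, pad, h = read_hdr(p, n, 0x02, &len);
    if (!h || len == 0 || len > n - h) return 0;
    p += h;
    while (i + 1 < len && p[i] == 0) i++;   /* strip leading zeroes */
    pad = (p[i] & 0x80) ? 1 : 0;            /* keep the value non-negative */
    if (len - i + pad > 66) return 0;       /* example limit, see lead-in */
    out[(*olen)++] = 0x02;
    out[(*olen)++] = (unsigned char)(len - i + pad);
    if (pad) out[(*olen)++] = 0x00;
    memcpy(out + *olen, p + i, len - i);
    *olen += len - i;
    return h + len;
}

/* 1 if sig is byte-for-byte the DER encoding of SEQUENCE { r, s }, else 0. */
int ecdsa_sig_is_der(const unsigned char *sig, size_t n)
{
    unsigned char body[136], out[140];
    size_t seqlen, blen = 0, olen = 0, a, h = read_hdr(sig, n, 0x30, &seqlen);
    if (!h || seqlen > n - h) return 0;
    if (!(a = recode_int(sig + h, seqlen, body, &blen))) return 0;
    if (!recode_int(sig + h + a, seqlen - a, body, &blen)) return 0;
    out[olen++] = 0x30;                     /* re-encode the outer SEQUENCE */
    if (blen > 127) out[olen++] = 0x81;
    out[olen++] = (unsigned char)blen;
    memcpy(out + olen, body, blen);
    return olen + blen == n && memcmp(out, sig, n) == 0;
}
/* Constructed samples: r=1, s=2 in DER, then the same values with a leading
 * zero on r (same numbers, different bytes, hence a different fingerprint). */
static const unsigned char SIG_DER[] = {0x30,0x06,0x02,0x01,0x01,0x02,0x01,0x02};
static const unsigned char SIG_PADDED[] = {0x30,0x07,0x02,0x02,0x00,0x01,0x02,0x01,0x02};
int main(void)
{
    return !(ecdsa_sig_is_der(SIG_DER, sizeof SIG_DER) == 1 &&
             ecdsa_sig_is_der(SIG_PADDED, sizeof SIG_PADDED) == 0);
}
```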

  • v1.0.0.n Changes

    October 15, 2014
    • Session Ticket Memory Leak.

    When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack. [CVE-2014-3567][]

    Steve Henson

    • Build option no-ssl3 is incomplete.

    When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete an SSL 3.0 handshake, and clients could be configured to send them. [CVE-2014-3568][]

    Akamai and the OpenSSL team

    • Add support for TLS_FALLBACK_SCSV. Client applications doing fallback retries should call SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). [CVE-2014-3566][]

    Adam Langley, Bodo Moeller

    • Add additional DigestInfo checks.

    Reencode DigestInfo in DER and check against the original when verifying RSA signature: this will reject any improperly encoded DigestInfo structures.

    Note: this is a precautionary measure and no attacks are currently known.

    Steve Henson

  • v1.0.0.m Changes

    August 06, 2014
    • OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages.

    Thanks to Felix Gröbert (Google) for discovering and researching this issue. [CVE-2014-3510][]

    Emilia Käsper

    • By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. Thanks to Adam Langley for discovering and researching this issue. [CVE-2014-3507][]

    Adam Langley

    • An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack. Thanks to Adam Langley for discovering and researching this issue. [CVE-2014-3506][]

    Adam Langley

    • An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack. Thanks to Adam Langley and Wan-Teh Chang for discovering and researching this issue. [CVE-2014-3505][]

    Adam Langley

    • If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory.

    Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this issue. [CVE-2014-3509][]

    Gabor Tyukasz

    • A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker.

    Thanks to Ivan Fratric (Google) for discovering this issue. [CVE-2014-3508][]

    Emilia Käsper, and Steve Henson

    • Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) for corner cases. (Certain input points at infinity could lead to bogus results, with non-infinity inputs mapped to infinity too.)

    Bodo Moeller