Changelog History
Page 3

  • v1.1.0.d Changes

    February 16, 2017
    • Encrypt-Then-Mac renegotiation crash

    During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.

    This issue was reported to OpenSSL by Joe Orton (Red Hat). CVE-2017-3733

    Matt Caswell

  • v1.1.0.c Changes

    January 26, 2017
    • Truncated packet could crash via OOB read

    If one side of an SSL/TLS path is running on a 32-bit host and a specific cipher is being used, then a truncated packet can cause that host to perform an out-of-bounds read, usually resulting in a crash.

    This issue was reported to OpenSSL by Robert Święcki of Google. CVE-2017-3731

    Andy Polyakov

    • Bad (EC)DHE parameters cause a client crash

    If a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.

    This issue was reported to OpenSSL by Guido Vranken. CVE-2017-3730

    Matt Caswell

    • BN_mod_exp may produce incorrect results on x86_64

    There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.

    This issue was reported to OpenSSL by the OSS-Fuzz project. CVE-2017-3732

    Andy Polyakov

  • v1.1.0.b Changes

    November 10, 2016
    • ChaCha20/Poly1305 heap-buffer-overflow

    TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.

    This issue was reported to OpenSSL by Robert Święcki (Google Security Team). CVE-2016-7054

    Richard Levitte

    • CMS Null dereference

    Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.

    This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure. CVE-2016-7053

    Stephen Henson

    • Montgomery multiplication may produce incorrect results

    There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.

    This issue was publicly reported as transient failures and was not initially recognized as a security issue. Thanks to Richard Morgan for providing a reproducible case. CVE-2016-7055

    Andy Polyakov

    • Removed automatic addition of RPATH in shared libraries and executables, as this was a remainder from OpenSSL 1.0.x and isn't needed any more.

    Richard Levitte

  • v1.1.0.a Changes

    September 26, 2016
    • Fix Use After Free for large message sizes

    The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code.

    This issue only affects OpenSSL 1.1.0a.

    This issue was reported to OpenSSL by Robert Święcki. CVE-2016-6309

    Matt Caswell

  • v1.0.2.s Changes

    September 10, 2019
    • For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling EC_GROUP_new_from_ecpkparameters()/ EC_GROUP_new_from_ecparameters(). This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later serialized, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation.

    Nicola Tuveri

    • Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. CVE-2019-1547

    Billy Bob Brumley
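    The arithmetic behind the two EC_GROUP entries above (preferring a named curve over equivalent explicit parameters, and deriving a cofactor that was not supplied), as an added Python example that is not OpenSSL's code. Hasse's theorem bounds the curve order to within 2*sqrt(p) of p+1, so once the subgroup order n is larger than that window only one integer h can satisfy #E = h*n. The functions `guess_cofactor`, `on_curve`, `match_named_curve` and `complete_explicit_params`, and the `NAMED_CURVES` table, are this example's own; the numeric constants are the published secp256k1 and Curve25519 values.

```python
# Added example, not OpenSSL code: fill in a missing EC cofactor from the Hasse
# bound and recognise explicit parameters that describe a named curve.
# guess_cofactor/on_curve/match_named_curve and NAMED_CURVES are this example's
# own; the numeric constants are the published secp256k1 and Curve25519 values.
from math import isqrt

NAMED_CURVES = {
    "secp256k1": {
        "p": 2**256 - 2**32 - 977,
        "a": 0,
        "b": 7,
        "gx": 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        "gy": 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
        "n": 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141,
        "h": 1,
    },
}
# Curve25519 is not in short-Weierstrass form, so only its field size and
# subgroup order are used here, to exercise a cofactor other than 1.
CURVE25519_P = 2**255 - 19
CURVE25519_N = 2**252 + 27742317777372353535851937790883648493


def guess_cofactor(p, n):
    """Return h with #E = h*n, or None if n is too small to pin h down.

    Hasse: p + 1 - 2*sqrt(p) <= #E <= p + 1 + 2*sqrt(p).  With r = isqrt(p),
    L = p - 2r - 1 and U = p + 2r + 3 enclose that interval and U - L = 4r + 4.
    If n > U - L then [L/n, U/n] holds at most one integer, which must be h,
    so h = U // n.  An order that leaves no integer in the interval is
    rejected instead of being silently assigned a cofactor.
    """
    if p < 5 or n <= 1:
        raise ValueError("field size and order must be positive and > 1")
    r = isqrt(p)
    lower, upper = p - 2 * r - 1, p + 2 * r + 3
    if n <= upper - lower:
        return None  # several h are consistent with Hasse's bound
    h = upper // n
    if h < 1 or h * n < lower:
        return None  # no integer h fits: n is not a valid order for this field
    return h


def on_curve(curve, x, y):
    """Short-Weierstrass membership test y^2 == x^3 + a*x + b (mod p)."""
    p = curve["p"]
    return (y * y - (x * x * x + curve["a"] * x + curve["b"])) % p == 0


def match_named_curve(params, table=NAMED_CURVES):
    """Name of the table entry whose parameters all equal params, else None."""
    keys = ("p", "a", "b", "gx", "gy", "n", "h")
    for name, curve in table.items():
        if all(params.get(k) == curve[k] for k in keys):
            return name
    return None


def complete_explicit_params(params):
    """Validate explicit parameters and add the cofactor when it was omitted.

    Raises ValueError for a generator off the curve, an order the Hasse bound
    cannot support, or a supplied cofactor that disagrees with the derived one.
    """
    if not on_curve(params, params["gx"], params["gy"]):
        raise ValueError("generator is not on the curve")
    h = guess_cofactor(params["p"], params["n"])
    if h is None:
        raise ValueError("cofactor cannot be derived; it must be supplied")
    if params.get("h") is None:
        params = dict(params, h=h)
    elif params["h"] != h:
        raise ValueError("supplied cofactor disagrees with Hasse's bound")
    return params


if __name__ == "__main__":
    explicit = {k: v for k, v in NAMED_CURVES["secp256k1"].items() if k != "h"}
    filled = complete_explicit_params(explicit)
    print("cofactor", filled["h"], "-> named curve:", match_named_curve(filled))
    print("Curve25519 cofactor:", guess_cofactor(CURVE25519_P, CURVE25519_N))
```

    Once the explicit parameters are completed and recognised, a library can route computation through the named-curve implementation, which is the hardening the 1.0.2s entry restores; a caller that cannot derive the cofactor should be forced to supply one rather than proceed without small-subgroup checks.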

    • Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a workaround for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certificate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. CVE-2019-1563

    Bernd Edlinger
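    The content-encryption-key selection step that the entry above describes, as an added Python example that is not OpenSSL's code. It models only the PKCS#1 v1.5 unpadding stage (RSA itself is left out) and shows the old loop, in which any recipientInfo that unpads overwrites the key found so far, beside the 1.0.2s rule that treats a key of the wrong length as a decryption failure. `pkcs1_v15_unpad`, `select_cek`, `pad_block`, `outcomes` and the sample blocks are this example's own constructions.

```python
# Added example, not OpenSSL code: CEK selection across several recipientInfos
# when no recipient certificate is given, before and after the 1.0.2s length
# check.  Only PKCS#1 v1.5 unpadding is modelled; the RSA operation is omitted.
# All function names and sample blocks here are this example's own.
import secrets

AES128_KEY_LEN = 16  # default key length of the content cipher in this demo


def pkcs1_v15_unpad(em):
    """Message M from an EME-PKCS1-v1_5 block 00 02 PS 00 M, or None on any error."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator, or fewer than 8 bytes of padding
        return None
    return em[sep + 1:]


def select_cek(decrypted_blocks, expected_len, strict_length):
    """Walk every recipientInfo and return the CEK to use for the content.

    strict_length=False reproduces the pre-fix loop: any block that unpads
    replaces the key already found, whatever its size.  strict_length=True is
    the rule from the entry above: a candidate whose length differs from the
    cipher's default key length is treated like a failed decryption and
    ignored, so the result no longer depends on whether an attacker-supplied
    block happens to unpad.
    """
    cek = None
    for em in decrypted_blocks:
        candidate = pkcs1_v15_unpad(em)
        if candidate is None:
            continue
        if strict_length and len(candidate) != expected_len:
            continue
        cek = candidate
    return cek


def pad_block(msg, size=128):
    """EME-PKCS1-v1_5 encode msg into a size-byte block (constructed test data)."""
    ps_len = size - len(msg) - 3
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))  # non-zero bytes
    return b"\x00\x02" + ps + b"\x00" + msg


REAL_CEK = bytes(range(1, 17))           # constructed 16-byte key for the demo
GOOD_BLOCK = pad_block(REAL_CEK)         # first recipientInfo, carries the real key
GARBAGE_BLOCK = pad_block(b"\x41" * 5)   # unpads "successfully" to a 5-byte value
BROKEN_BLOCK = b"\x01" * 128             # does not unpad at all


def outcomes(strict_length):
    """CEK chosen when the second recipientInfo unpads vs when it does not."""
    unpads = select_cek([GOOD_BLOCK, GARBAGE_BLOCK], AES128_KEY_LEN, strict_length)
    fails = select_cek([GOOD_BLOCK, BROKEN_BLOCK], AES128_KEY_LEN, strict_length)
    return unpads, fails


if __name__ == "__main__":
    for strict in (False, True):
        a, b = outcomes(strict)
        print("strict" if strict else "old   ", "real key kept:", a == REAL_CEK, b == REAL_CEK)
```

    With `strict_length=False` the two inputs lead to different keys, so the content decryption succeeds in one case and fails in the other; with the length check both paths keep the real key and the outcome is the same, which is the property a recipient implementation needs.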

    • Document issue with installation paths in diverse Windows builds

    '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL binaries and run-time config file. CVE-2019-1552

    Richard Levitte

  • v1.0.2.r Changes

    May 28, 2019
    • Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey command when no size is given. It fixes an omission in earlier changes that changed all RSA, DSA and DH generation commands to use 2048 bits by default.

    Kurt Roeckx

    • Add FIPS support for Android Arm 64-bit

    Support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module in Version 2.0.10. For some reason, the corresponding target 'android64-aarch64' was missing from OpenSSL 1.0.2, whence it could not be built with FIPS support on Android Arm 64-bit. This omission has been fixed.

    Matthias St. Pierre

  • v1.0.2.q Changes

    February 26, 2019
    • 0-byte record padding oracle

    If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.

    In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

    This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt. It was reported to OpenSSL on 10th December 2018. CVE-2019-1559

    Matt Caswell

    • Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().

    Richard Levitte

  • v1.0.2.p Changes

    November 20, 2018
    • Microarchitecture timing vulnerability in ECC scalar multiplication

    OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key.

    This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri. CVE-2018-5407

    Billy Brumley

    • Timing vulnerability in DSA signature generation

    The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key.

    This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. CVE-2018-0734

    Paul Dale

    • Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module, accidentally introduced while backporting security fixes from the development branch and hindering the use of ECC in FIPS mode.

    Nicola Tuveri

  • v1.0.2.o Changes

    August 14, 2018
    • Client DoS due to large DH parameter

    During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.

    This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken. CVE-2018-0732

    Guido Vranken

    • Cache timing vulnerability in RSA Key Generation

    The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.

    This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. CVE-2018-0737

    Billy Brumley

    • Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only.

    Richard Levitte

    • Revert blinding in ECDSA sign and instead make problematic addition length-invariant. Switch even to fixed-length Montgomery multiplication.

    Andy Polyakov

    • Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128.

    Kurt Roeckx, Annie Yousar

    • Increase the number of Miller-Rabin rounds for DSA key generating to 64.

    Kurt Roeckx
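    The two prime-testing entries above (size-dependent error rate, and 64 rounds for DSA) rest on the same arithmetic: one Miller-Rabin round passes a composite with probability at most 1/4, so k rounds give a worst-case error of 4^-k and 64 rounds reach 2^-128. The following added Python example, not OpenSSL's code, implements the test and generation with a round count chosen from the candidate size; `rounds_for_bits` and its 1080-bit threshold policy are this example's own illustration, not OpenSSL's internal table.

```python
# Added example, not OpenSSL code: Miller-Rabin with the round count derived
# from the candidate size and the error target (more rounds for larger
# candidates; 64 rounds for a 2^-128 worst-case bound).  rounds_for_bits and
# its thresholds are this example's own policy, not OpenSSL's table.
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53)


def rounds_for_bits(bits):
    """Number of Miller-Rabin rounds for a candidate of the given size.

    k rounds bound the error by 4^-k = 2^-2k for any composite, including one
    chosen adversarially.  A 2^-128 target therefore needs 64 rounds, used
    here above 1080 bits; smaller candidates settle for 2^-80 (40 rounds).
    Uniformly random candidates fail far more often than this worst case,
    which is why a library may use a smaller size-dependent table.
    """
    target_log2 = 128 if bits > 1080 else 80
    return (target_log2 + 1) // 2


def is_probable_prime(n, rounds=None):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:  # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    if rounds is None:
        rounds = rounds_for_bits(n.bit_length())
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # uniform base in [2, n-2]
        x = pow(a, d, n)
        if x == 1 or x == n - 1:
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def generate_prime(bits):
    """Random probable prime of exactly `bits` bits (top two bits and low bit set)."""
    if bits < 8:
        raise ValueError("use at least 8 bits")
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


if __name__ == "__main__":
    for bits in (512, 1024, 1081, 2048):
        print(bits, "bits ->", rounds_for_bits(bits), "rounds")
    print("256-bit probable prime:", hex(generate_prime(256)))
```

    Bases are drawn uniformly from [2, n-2] rather than from a fixed list, because a fixed base set has known strong pseudoprimes that pass every round; the test below includes one such number for bases 2, 3, 5 and 7.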

    • Add blinding to ECDSA and DSA signatures to protect against side channel attacks discovered by Keegan Ryan (NCC Group).

    Matt Caswell

    • When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.

    Richard Levitte

    • Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.

    Emilia Käsper
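    What "stricter compliance with RFC 5280" means for a validity-time parser, as an added Python example that is not OpenSSL's code: UTCTime must be YYMMDDHHMMSSZ and GeneralizedTime YYYYMMDDHHMMSSZ, with seconds present and "Z" as the only zone designator, so fractional seconds and "+hhmm" offsets fail to parse and a certificate carrying them fails closed. `parse_x509_time`, `within_validity` and the sample strings are this example's own.

```python
# Added example, not OpenSSL code: strict RFC 5280 section 4.1.2.5 parsing of
# certificate validity times.  Fractional seconds and timezone offsets are
# rejected, as X509_cmp_time does from 1.0.2p on.  parse_x509_time,
# within_validity and the sample strings are this example's own.
import re
from datetime import datetime, timezone

# UTCTime: YYMMDDHHMMSSZ; GeneralizedTime: YYYYMMDDHHMMSSZ.  Seconds are
# mandatory and "Z" is the only permitted designator, so "+hhmm"/"-hhmm",
# ".sss" fractions and omitted seconds all fail these anchored patterns.
_UTC_TIME = re.compile(r"\A(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")
_GEN_TIME = re.compile(r"\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")


def parse_x509_time(value, tag):
    """Return an aware UTC datetime for a conforming encoding, None otherwise.

    tag is "UTCTime" (two-digit year: 50-99 -> 19xx, 00-49 -> 20xx) or
    "GeneralizedTime" (four-digit year).  Calendar nonsense (month 13, 31st
    of April, second 60) is rejected by the datetime constructor.
    """
    if tag == "UTCTime":
        m = _UTC_TIME.match(value)
        if m is None:
            return None
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy
    elif tag == "GeneralizedTime":
        m = _GEN_TIME.match(value)
        if m is None:
            return None
        year = int(m.group(1))
    else:
        raise ValueError("tag must be UTCTime or GeneralizedTime")
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:
        return None


def within_validity(not_before, not_after, now):
    """Validity check that fails closed when either bound does not parse.

    not_before / not_after are (value, tag) pairs as found in the certificate.
    """
    start = parse_x509_time(*not_before)
    end = parse_x509_time(*not_after)
    if start is None or end is None:
        return False
    return start <= now <= end


if __name__ == "__main__":
    # Constructed samples: one conforming, two that the stricter check rejects.
    for value, tag in (("180327120000Z", "UTCTime"),
                       ("20180327120000.5Z", "GeneralizedTime"),
                       ("180327120000+0100", "UTCTime")):
        print(value, "->", parse_x509_time(value, tag))
```

    Failing closed matters here: a lenient parser that guesses at an offset or drops a fraction can accept a certificate outside its intended window, and two implementations that guess differently disagree about validity.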

  • v1.0.2.n Changes

    March 27, 2018
    • Constructed ASN.1 types with a recursive definition could exceed the stack

    Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.

    This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz project. CVE-2018-0739

    Matt Caswell
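    The mitigation for the recursion issue above is a nesting bound on constructed types, shown here as an added Python example that is not OpenSSL's code: a minimal DER parser that recurses into SEQUENCE-style constructed elements only up to `MAX_DEPTH` levels and raises on deeper input instead of consuming stack without limit. `parse_der`, `encode_nested`, the depth constant and the sample encodings are this example's own constructions.

```python
# Added example, not OpenSSL code: a small DER parser whose recursion into
# constructed types is bounded, the mitigation for unbounded recursion on
# hostile input.  parse_der, encode_nested, MAX_DEPTH and the sample
# encodings are this example's own constructions.

MAX_DEPTH = 32  # constructed-type nesting accepted before giving up


def _read_length(data, i):
    """Decode a DER length at offset i; return (length, next_offset)."""
    if i >= len(data):
        raise ValueError("truncated length")
    first = data[i]
    i += 1
    if first < 0x80:
        return first, i
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or i + nbytes > len(data):
        raise ValueError("unsupported or truncated long-form length")
    length = int.from_bytes(data[i:i + nbytes], "big")
    if length < 0x80 or data[i] == 0:
        raise ValueError("non-minimal length encoding is not DER")
    return length, i + nbytes


def _parse_items(data, i, end, depth):
    items = []
    while i < end:
        tag = data[i]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are outside this example")
        length, j = _read_length(data, i + 1)
        if j + length > end:
            raise ValueError("element runs past its enclosing container")
        if tag & 0x20:  # constructed: recurse, but only within the depth bound
            if depth >= MAX_DEPTH:
                raise ValueError("nesting deeper than %d levels" % MAX_DEPTH)
            value = _parse_items(data, j, j + length, depth + 1)
        else:
            value = bytes(data[j:j + length])
        items.append((tag, value))
        i = j + length
    return items


def parse_der(data):
    """Parse DER into a list of (tag, value); value is bytes or a nested list."""
    return _parse_items(bytes(data), 0, len(data), 0)


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_nested(levels, inner=b"\x05\x00"):
    """Wrap `inner` (a NULL by default) in `levels` SEQUENCEs: constructed test input."""
    data = inner
    for _ in range(levels):
        data = b"\x30" + _der_length(len(data)) + data
    return data


# Constructed sample: SEQUENCE { INTEGER 1, SEQUENCE { OCTET STRING "ab" } }
SAMPLE = bytes.fromhex("30 09 02 01 01 30 04 04 02 61 62")


if __name__ == "__main__":
    print(parse_der(SAMPLE))
    print("depth", MAX_DEPTH, "accepted:", parse_der(encode_nested(MAX_DEPTH)) is not None)
    try:
        parse_der(encode_nested(MAX_DEPTH + 1))
    except ValueError as exc:
        print("rejected:", exc)
```

    The bound is checked before each recursive call, so the cost of rejecting a deeply nested input is a single exception rather than one stack frame per level; the length checks alongside it are what keep a truncated or non-minimal encoding from being read past its container.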