[openssl-commits] [web] master update
Matt Caswell
matt at openssl.org
Thu Jan 28 14:58:10 UTC 2016
The branch master has been updated
via 61bead2a571724dab0540bcd2b390a559f1fd515 (commit)
from e7fa3cd70c15cfc026bb84142e39b3202f1e2526 (commit)
- Log -----------------------------------------------------------------
commit 61bead2a571724dab0540bcd2b390a559f1fd515
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jan 28 14:37:36 2016 +0000
Updates for the new release
-----------------------------------------------------------------------
Summary of changes:
news/newsflash.txt | 2 +
news/secadv/20160128.txt | 138 +++++++++++++++++++++++++++++++++++++++++++++++
news/vulnerabilities.xml | 103 ++++++++++++++++++++++++++++++++++-
3 files changed, 242 insertions(+), 1 deletion(-)
create mode 100644 news/secadv/20160128.txt
diff --git a/news/newsflash.txt b/news/newsflash.txt
index 4ec145d..0a9c18b 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,8 @@
# Format is two fields, colon-separated; the first line is the column
# headings. URL paths must all be absolute.
Date: Item
+28-Jan-2016: OpenSSL 1.0.2f is now available, including bug and security fixes
+28-Jan-2016: OpenSSL 1.0.1r is now available, including bug and security fixes
25-Jan-2016: OpenSSL 1.0.2f and 1.0.1r <a href="https://mta.openssl.org/pipermail/openssl-announce/2016-January/000058.html">security releases due 28th Jan 2016</a>
14-Jan-2016: Alpha 2 of OpenSSL 1.1.0 is now available: please download and test it
10-Dec-2015: Alpha 1 of OpenSSL 1.1.0 is now available: please download and test it
diff --git a/news/secadv/20160128.txt b/news/secadv/20160128.txt
new file mode 100644
index 0000000..43a8933
--- /dev/null
+++ b/news/secadv/20160128.txt
@@ -0,0 +1,138 @@
+OpenSSL Security Advisory [28th Jan 2016]
+=========================================
+
+NOTE: SUPPORT FOR VERSION 1.0.1 WILL BE ENDING ON 31ST DECEMBER 2016. NO
+SECURITY FIXES WILL BE PROVIDED AFTER THAT DATE. UNTIL THAT TIME SECURITY FIXES
+ONLY ARE BEING APPLIED.
+
+DH small subgroups (CVE-2016-0701)
+==================================
+
+Severity: High
+
+Historically OpenSSL usually only ever generated DH parameters based on "safe"
+primes. More recently (in version 1.0.2) support was provided for generating
+X9.42 style parameter files such as those required for RFC 5114 support. The
+primes used in such files may not be "safe". Where an application is using DH
+configured with parameters based on primes that are not "safe" then an attacker
+could use this fact to find a peer's private DH exponent. This attack requires
+that the attacker complete multiple handshakes in which the peer uses the same
+private DH exponent. For example this could be used to discover a TLS server's
+private DH exponent if it's reusing the private DH exponent or it's using a
+static DH ciphersuite.
+
+OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
+It is not on by default. If the option is not set then the server reuses the
+same private DH exponent for the life of the server process and would be
+vulnerable to this attack. It is believed that many popular applications do set
+this option and would therefore not be at risk.
+
+OpenSSL before 1.0.2f will reuse the key if:
+- SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not
+ set.
+- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the
+ parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
+ an undocumted feature and parameter files don't contain the key.
+- Static DH ciphersuites are used. The key is part of the certificate and
+ so it will always reuse it. This is only supported in 1.0.2.
+
+It will not reuse the key for DHE ciphers suites if:
+- SSL_OP_SINGLE_DH_USE is set
+- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
+ callback does not provide the key, only the parameters. The callback is
+ almost always used like this.
+
+Non-safe primes are generated by OpenSSL when using:
+- genpkey with the dh_rfc5114 option. This will write an X9.42 style file
+ including the prime-order subgroup size "q". This is supported since the 1.0.2
+ version. Older versions can't read files generated in this way.
+- dhparam with the -dsaparam option. This has always been documented as
+ requiring the single use.
+
+The fix for this issue adds an additional check where a "q" parameter is
+available (as is the case in X9.42 based parameters). This detects the
+only known attack, and is the only possible defense for static DH ciphersuites.
+This could have some performance impact.
+
+Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
+and cannot be disabled. This could have some performance impact.
+
+This issue affects OpenSSL version 1.0.2.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2f
+
+OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42
+based parameters. It is possible to generate parameters using non "safe" primes,
+but this option has always been documented as requiring single use and is not
+the default or believed to be common. However, as a precaution, the
+SSL_OP_SINGLE_DH_USE change has also been backported to 1.0.1r.
+
+This issue was reported to OpenSSL on 12 January 2016 by Antonio Sanso (Adobe).
+The fix was developed by Matt Caswell of the OpenSSL development team
+(incorporating some work originally written by Stephen Henson of the OpenSSL
+core team).
+
+SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
+====================================================
+
+Severity: Low
+
+A malicious client can negotiate SSLv2 ciphers that have been disabled on the
+server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
+disabled, provided that the SSLv2 protocol was not also disabled via
+SSL_OP_NO_SSLv2.
+
+This issue affects OpenSSL versions 1.0.2 and 1.0.1.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2f
+OpenSSL 1.0.1 users should upgrade to 1.0.1r
+
+This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and
+Sebastian Schinzel. The fix was developed by Nimrod Aviram with further
+development by Viktor Dukhovni of the OpenSSL development team.
+
+
+An update on DHE man-in-the-middle protection (Logjam)
+====================================================================
+
+A previously published vulnerability in the TLS protocol allows a
+man-in-the-middle attacker to downgrade vulnerable TLS connections
+using ephemeral Diffie-Hellman key exchange to 512-bit export-grade
+cryptography. This vulnerability is known as Logjam
+(CVE-2015-4000). OpenSSL added Logjam mitigation for TLS clients by
+rejecting handshakes with DH parameters shorter than 768 bits in
+releases 1.0.2b and 1.0.1n.
+
+This limit has been increased to 1024 bits in this release, to offer
+stronger cryptographic assurance for all TLS connections using
+ephemeral Diffie-Hellman key exchange.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2f
+OpenSSL 1.0.1 users should upgrade to 1.0.1r
+
+The fix was developed by Kurt Roeckx of the OpenSSL development team.
+
+Note
+====
+
+As per our previous announcements and our Release Strategy
+(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
+version 1.0.1 will cease on 31st December 2016. No security updates for that
+version will be provided after that date. Users of 1.0.1 are
+advised to upgrade.
+
+Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions
+are no longer receiving security updates.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20160128.txt
+
+Note: the online version of the advisory may be updated with additional
+details over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
+
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index e7b720e..fb59f52 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -5,7 +5,108 @@
1.0.0 on 20100329
-->
-<security updated="20151203">
+<security updated="20160128">
+ <issue public="20160128">
+ <impact severity="High"/>
+ <cve name="2016-0701"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <fixed base="1.0.2" version="1.0.2f" date="2016-0701"/>
+
+ <description>
+ Historically OpenSSL usually only ever generated DH parameters based on "safe"
+ primes. More recently (in version 1.0.2) support was provided for generating
+ X9.42 style parameter files such as those required for RFC 5114 support. The
+ primes used in such files may not be "safe". Where an application is using DH
+ configured with parameters based on primes that are not "safe" then an attacker
+ could use this fact to find a peer's private DH exponent. This attack requires
+ that the attacker complete multiple handshakes in which the peer uses the same
+ private DH exponent. For example this could be used to discover a TLS server's
+ private DH exponent if it's reusing the private DH exponent or it's using a
+ static DH ciphersuite.
+
+ OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
+ It is not on by default. If the option is not set then the server reuses the
+ same private DH exponent for the life of the server process and would be
+ vulnerable to this attack. It is believed that many popular applications do set
+ this option and would therefore not be at risk.
+
+ OpenSSL before 1.0.2f will reuse the key if:
+ - SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not
+ set.
+ - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the
+ parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
+ an undocumted feature and parameter files don't contain the key.
+ - Static DH ciphersuites are used. The key is part of the certificate and
+ so it will always reuse it. This is only supported in 1.0.2.
+
+ It will not reuse the key for DHE ciphers suites if:
+ - SSL_OP_SINGLE_DH_USE is set
+ - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
+ callback does not provide the key, only the parameters. The callback is
+ almost always used like this.
+
+ Non-safe primes are generated by OpenSSL when using:
+ - genpkey with the dh_rfc5114 option. This will write an X9.42 style file
+ including the prime-order subgroup size "q". This is supported since the 1.0.2
+ version. Older versions can't read files generated in this way.
+ - dhparam with the -dsaparam option. This has always been documented as
+ requiring the single use.
+
+ The fix for this issue adds an additional check where a "q" parameter is
+ available (as is the case in X9.42 based parameters). This detects the
+ only known attack, and is the only possible defense for static DH ciphersuites.
+ This could have some performance impact.
+
+ Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
+ and cannot be disabled. This could have some performance impact.
+ </description>
+ <advisory url="/news/secadv/20160128.txt"/>
+ <reported source="Antonio Sanso (Adobe)"/>
+ </issue>
+ <issue public="20160128">
+ <impact severity="Low"/>
+ <cve name="2015-3197"/>
+ <affects base="1.0.1" version="1.0.1"/>
+ <affects base="1.0.1" version="1.0.1a"/>
+ <affects base="1.0.1" version="1.0.1b"/>
+ <affects base="1.0.1" version="1.0.1c"/>
+ <affects base="1.0.1" version="1.0.1d"/>
+ <affects base="1.0.1" version="1.0.1e"/>
+ <affects base="1.0.1" version="1.0.1f"/>
+ <affects base="1.0.1" version="1.0.1g"/>
+ <affects base="1.0.1" version="1.0.1h"/>
+ <affects base="1.0.1" version="1.0.1i"/>
+ <affects base="1.0.1" version="1.0.1j"/>
+ <affects base="1.0.1" version="1.0.1k"/>
+ <affects base="1.0.1" version="1.0.1l"/>
+ <affects base="1.0.1" version="1.0.1m"/>
+ <affects base="1.0.1" version="1.0.1n"/>
+ <affects base="1.0.1" version="1.0.1o"/>
+ <affects base="1.0.1" version="1.0.1p"/>
+ <affects base="1.0.1" version="1.0.1q"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <fixed base="1.0.1" version="1.0.1r" date="20160128"/>
+ <fixed base="1.0.2" version="1.0.2f" date="20160128"/>
+
+ <description>
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on the
+ server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
+ disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
+ </description>
+ <advisory url="/news/secadv/20160128.txt"/>
+ <reported source="Nimrod Aviram and Sebastian Schinzel"/>
+ </issue>
<issue public="20150811">
<impact severity="Low"/>
<cve name="2015-1794"/>
More information about the openssl-commits
mailing list