[openssl-commits] [web] master update
Matt Caswell
matt at openssl.org
Thu Nov 10 14:17:49 UTC 2016
The branch master has been updated
via 1a14f11cca34636357f9c5e5b5c249257285ac99 (commit)
from 183632aa1c25411177778fe7b465c05db7d364b0 (commit)
- Log -----------------------------------------------------------------
commit 1a14f11cca34636357f9c5e5b5c249257285ac99
Author: Matt Caswell <matt at openssl.org>
Date: Thu Nov 10 14:08:54 2016 +0000
Updates for new release
-----------------------------------------------------------------------
Summary of changes:
news/newsflash.txt | 2 +
news/secadv/20161110.txt | 96 ++++++++++++++++++++++++++++++++++++++++++++++++
news/vulnerabilities.xml | 74 ++++++++++++++++++++++++++++++++++++-
3 files changed, 171 insertions(+), 1 deletion(-)
create mode 100644 news/secadv/20161110.txt
diff --git a/news/newsflash.txt b/news/newsflash.txt
index 7cdd7aa..545bf1d 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,8 @@
# Format is two fields, colon-separated; the first line is the column
# headings. URL paths must all be absolute.
Date: Item
+10-Nov-2016: <a href="/news/secadv/20161110.txt">Security Advisory</a>: several security fixes
+10-Nov-2016: OpenSSL 1.1.0c is now available, including bug and security fixes
07-Nov-2016: OpenSSL 1.1.0c <a href="https://mta.openssl.org/pipermail/openssl-announce/2016-November/000085.html">security release due on 10th November 2016</a>
12-Oct-2016: New Blog post: <a href="https://www.openssl.org/blog/blog/2016/10/12/f2f-rt-github/">Face to Face: Goodbye RT, Hello GitHub</a>
26-Sep-2016: <a href="/news/secadv/20160926.txt">Security Advisory</a>: Two security fixes
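Review bot: The new "OpenSSL 1.1.0c is now available" entry is the only item in this list with no link, while the surrounding entries each point at an advisory, blog post or announcement; consider linking it to the release announcement or the download page so readers can reach the release from the newsflash as they can for every other item. The advisory entry is fine as written and follows the file's own rule that URL paths must be absolute.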
diff --git a/news/secadv/20161110.txt b/news/secadv/20161110.txt
new file mode 100644
index 0000000..50c8203
--- /dev/null
+++ b/news/secadv/20161110.txt
@@ -0,0 +1,96 @@
+
+OpenSSL Security Advisory [10 Nov 2016]
+========================================
+
+ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
+======================================================
+
+Severity: High
+
+TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
+attack by corrupting larger payloads. This can result in an OpenSSL crash. This
+issue is not considered to be exploitable beyond a DoS.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0c
+
+This issue does not affect OpenSSL versions prior to 1.1.0
+
+This issue was reported to OpenSSL on 25th September 2016 by Robert
+Święcki (Google Security Team), and was found using honggfuzz. The fix
+was developed by Richard Levitte of the OpenSSL development team.
+
+CMS Null dereference (CVE-2016-7053)
+====================================
+
+Severity: Moderate
+
+Applications parsing invalid CMS structures can crash with a NULL pointer
+dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type
+in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure
+callback if an attempt is made to free certain invalid encodings. Only CHOICE
+structures using a callback which do not handle NULL value are affected.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0c
+
+This issue does not affect OpenSSL versions prior to 1.1.0
+
+This issue was reported to OpenSSL on 12th October 2016 by Tyler Nighswander of
+ForAllSecure. The fix was developed by Stephen Henson of the OpenSSL
+development team.
+
+Montgomery multiplication may produce incorrect results (CVE-2016-7055)
+=======================================================================
+
+Severity: Low
+
+There is a carry propagating bug in the Broadwell-specific Montgomery
+multiplication procedure that handles input lengths divisible by, but
+longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+and DH private keys are impossible. This is because the subroutine in
+question is not used in operations with the private key itself and an input
+of the attacker's direct choice. Otherwise the bug can manifest itself as
+transient authentication and key negotiation failures or reproducible
+erroneous outcome of public-key operations with specially crafted input.
+Among EC algorithms only Brainpool P-512 curves are affected and one
+presumably can attack ECDH key negotiation. Impact was not analyzed in
+detail, because pre-requisites for attack are considered unlikely. Namely
+multiple clients have to choose the curve in question and the server has to
+share the private key among them, neither of which is default behaviour.
+Even then only clients that chose the curve will be affected.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0c
+
+This issue does not affect OpenSSL versions prior to 1.0.2. Due to the low
+severity of this defect we are not issuing a new 1.0.2 release at this time.
+We recommend that 1.0.2 users wait for the next 1.0.2 release for the fix to
+become available. The fix is also available in the OpenSSL git repository in
+commit 57c4b9f6a2.
+
+This issue was publicly reported as transient failures and was not
+initially recognized as a security issue. Thanks to Richard Morgan for
+providing reproducible case. The fix was developed by Andy Polyakov of
+the OpenSSL development team.
+
+Note
+====
+
+As per our previous announcements and our Release Strategy
+(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
+version 1.0.1 will cease on 31st December 2016. No security updates for that
+version will be provided after that date. Users of 1.0.1 are advised to
+upgrade.
+
+Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
+versions are no longer receiving security updates.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20161110.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
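Review bot: The CVE-2016-7055 section tells 1.0.2 users that no new release is planned and to wait or pick up commit 57c4b9f6a2, but gives them no way to judge their exposure in the meantime: the text calls the routine "Broadwell-specific" without saying how an administrator can tell whether a given build and host actually select that code path, so a sentence on that would make the "wait for the next 1.0.2 release" advice easier to act on. Two wording nits in the same file: "Only CHOICE structures using a callback which do not handle NULL value are affected" should read "callbacks which do not handle a NULL value", and "for providing reproducible case" should read "for providing a reproducible case".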
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 392128c..1f716ff 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -5,7 +5,79 @@
1.0.0 on 20100329
-->
-<security updated="20160926">
+<security updated="20161110">
+ <issue public="20161110">
+ <impact severity="High"/>
+ <cve name="2016-7054"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
+ <description>
+ TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
+ a DoS attack by corrupting larger payloads. This can result in an OpenSSL
+ crash. This issue is not considered to be exploitable beyond a DoS.
+ </description>
+ <advisory url="/news/secadv/20161110.txt"/>
+ <reported source="Robert Święcki (Google Security Team)" date="20160925"/>
+ </issue>
+ <issue public="20161110">
+ <impact severity="Moderate"/>
+ <cve name="2016-7053"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
+ <description>
+ Applications parsing invalid CMS structures can crash with a NULL pointer
+ dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
+ type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
+ structure callback if an attempt is made to free certain invalid
+ encodings. Only CHOICE structures using a callback which do not handle
+ NULL value are affected.
+ </description>
+ <advisory url="/news/secadv/20161110.txt"/>
+ <reported source="Tyler Nighswander (ForAllSecure)" date="20161012"/>
+ </issue>
+ <issue public="20161110">
+ <impact severity="Low"/>
+ <cve name="2016-7055"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
+ <description>
+ There is a carry propagating bug in the Broadwell-specific Montgomery
+ multiplication procedure that handles input lengths divisible by, but
+ longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+ and DH private keys are impossible. This is because the subroutine in
+ question is not used in operations with the private key itself and an
+ input of the attacker's direct choice. Otherwise the bug can manifest
+ itself as transient authentication and key negotiation failures or
+ reproducible erroneous outcome of public-key operations with specially
+ crafted input. Among EC algorithms only Brainpool P-512 curves are
+ affected and one presumably can attack ECDH key negotiation. Impact was
+ not analyzed in detail, because pre-requisites for attack are considered
+ unlikely. Namely multiple clients have to choose the curve in question and
+ the server has to share the private key among them, neither of which is
+ default behaviour. Even then only clients that chose the curve will be
+ affected.ctures using a callback which do not handle NULL value are
+ affected.
+ </description>
+ <advisory url="/news/secadv/20161110.txt"/>
+ <reported source="Publicly reported" />
+ </issue>
<issue public="20160926">
<impact severity="Critical"/>
<cve name="2016-6309"/>
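Review bot: The CVE-2016-7055 description contains copy-and-paste residue at its end: after "Even then only clients that chose the curve will be affected." the lines "affected.ctures using a callback which do not handle NULL value are affected." are a fragment of the CVE-2016-7053 description and should be deleted, so the entry ends at "affected." followed by the closing description tag. Two smaller points in the same issue: the `<reported source="Publicly reported" />` element carries no date, unlike the other two new entries, and the advisory text credits Richard Morgan for the reproducible case, which could be reflected in the source attribute; and since the entry lists 1.0.2 through 1.0.2j as affected with no `<fixed base="1.0.2">` element, that is consistent with the advisory's statement that no 1.0.2 release is being issued, but a `<fixed>` entry will need to be added when the next 1.0.2 release ships.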