[openssl-commits] [web] master update

Matt Caswell matt at openssl.org
Thu Jan 26 13:48:56 UTC 2017


The branch master has been updated
       via  895849e51989857491d7a0f817585b52d55f5fa7 (commit)
       via  ccce450786377de0859518403f22be655bc48687 (commit)
       via  e280d47ec748c8386e2cd88460b6b5235954a1fe (commit)
      from  8962398f72a4c4c04caf80069dcc59cb7a544c48 (commit)


- Log -----------------------------------------------------------------
commit 895849e51989857491d7a0f817585b52d55f5fa7
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jan 26 13:44:13 2017 +0000

    Update vulnerabilities.xml for new release

commit ccce450786377de0859518403f22be655bc48687
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jan 26 13:33:26 2017 +0000

    Add security advisory for new release

commit e280d47ec748c8386e2cd88460b6b5235954a1fe
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jan 26 13:32:33 2017 +0000

    Update newsflash for new release

-----------------------------------------------------------------------

Summary of changes:
 news/newsflash.txt       |  2 +
 news/secadv/20170126.txt | 97 ++++++++++++++++++++++++++++++++++++++++++++++++
 news/vulnerabilities.xml | 93 +++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 191 insertions(+), 1 deletion(-)
 create mode 100644 news/secadv/20170126.txt

diff --git a/news/newsflash.txt b/news/newsflash.txt
index 525a960..35c30de 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,8 @@
 # Format is two fields, colon-separated; the first line is the column
 # headings.  URL paths must all be absolute.
 Date: Item
+26-Sep-2017: OpenSSL 1.1.0d is now available, including bug and security fixes
+26-Sep-2017: OpenSSL 1.0.2k is now available, including bug and security fixes
 23-Jan-2017: OpenSSL 1.1.0d, 1.0.2k <a href="https://mta.openssl.org/pipermail/openssl-announce/2017-January/000091.html">security release due on 26th January 2017</a>
 02-Jan-2017: The OpenSSL 1.0.1 series of releases are now out of support. Please upgrade to 1.1.0 or 1.0.2.
 10-Nov-2016: <a href="/news/secadv/20161110.txt">Security Advisory</a>: several security fixes
diff --git a/news/secadv/20170126.txt b/news/secadv/20170126.txt
new file mode 100644
index 0000000..5f69359
--- /dev/null
+++ b/news/secadv/20170126.txt
@@ -0,0 +1,97 @@
+
+OpenSSL Security Advisory [26 Jan 2017]
+========================================
+
+Truncated packet could crash via OOB read (CVE-2017-3731)
+=========================================================
+
+Severity: Moderate
+
+If an SSL/TLS server or client is running on a 32-bit host, and a specific
+cipher is being used, then a truncated packet can cause that server or client
+to perform an out-of-bounds read, usually resulting in a crash.
+
+For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305;
+users should upgrade to 1.1.0d
+
+For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have
+not disabled that algorithm should update to 1.0.2k
+
+This issue was reported to OpenSSL on 13th November 2016 by Robert Święcki of
+Google. The fix was developed by Andy Polyakov of the OpenSSL development team.
+
+Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
+===========================================================
+
+Severity: Moderate
+
+If a malicious server supplies bad parameters for a DHE or ECDHE key exchange
+then this can result in the client attempting to dereference a NULL pointer
+leading to a client crash. This could be exploited in a Denial of Service
+attack.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0d
+
+This issue does not affect OpenSSL version 1.0.2.
+
+Note that this issue was fixed prior to it being recognised as a security
+concern. This means the git commit with the fix does not contain the CVE
+identifier. The relevant fix commit can be identified by commit hash efbe126e3.
+
+This issue was reported to OpenSSL on 14th January 2017 by Guido Vranken. The
+fix was developed by Matt Caswell of the OpenSSL development team.
+
+BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
+==================================================================
+
+Severity: Moderate
+
+There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
+EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
+as a result of this defect would be very difficult to perform and are not
+believed likely. Attacks against DH are considered just feasible (although very
+difficult) because most of the work necessary to deduce information
+about a private key may be performed offline. The amount of resources
+required for such an attack would be very significant and likely only
+accessible to a limited number of attackers. An attacker would
+additionally need online access to an unpatched system using the target
+private key in a scenario with persistent DH parameters and a private
+key that is shared between multiple clients. For example this can occur by
+default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
+similar to CVE-2015-3193 but must be treated as a separate problem.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0d
+OpenSSL 1.0.2 users should upgrade to 1.0.2k
+
+This issue was reported to OpenSSL on 15th January 2017 by the OSS-Fuzz project.
+The fix was developed by Andy Polyakov of the OpenSSL development team.
+
+Montgomery multiplication may produce incorrect results (CVE-2016-7055)
+=======================================================================
+
+Severity: Low
+
+This issue was previously fixed in 1.1.0c and covered in security advisory
+https://www.openssl.org/news/secadv/20161110.txt
+
+OpenSSL 1.0.2k users should upgrade to 1.0.2k
+
+
+Note
+====
+
+Support for version 1.0.1 ended on 31st December 2016. Support for versions
+0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
+receiving security updates.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20170126.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
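Review bot: In the CVE-2016-7055 section, "OpenSSL 1.0.2k users should upgrade to 1.0.2k" should read "OpenSSL 1.0.2 users should upgrade to 1.0.2k", matching the upgrade lines in the other sections. Minor consistency points: "Openssl 1.0.2" in the CVE-2017-3731 section should be "OpenSSL", the upgrade lines ("users should upgrade to 1.1.0d", "should update to 1.0.2k", "users should upgrade to 1.0.2k") lack their trailing full stops, and the file starts with an empty line before the title that can be dropped.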
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 1f716ff..6c32b4c 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -5,7 +5,97 @@
      1.0.0 on 20100329
 -->
 
-<security updated="20161110">
+<security updated="20170126">
+  <issue public="20170126">
+    <impact severity="Moderate"/>
+    <cve name="2017-3731"/>
+    <affects base="1.1.0" version="1.1.0"/>
+    <affects base="1.1.0" version="1.1.0a"/>
+    <affects base="1.1.0" version="1.1.0b"/>
+    <affects base="1.1.0" version="1.1.0c"/>
+    <affects base="1.0.2" version="1.0.2"/>
+    <affects base="1.0.2" version="1.0.2a"/>
+    <affects base="1.0.2" version="1.0.2b"/>
+    <affects base="1.0.2" version="1.0.2c"/>
+    <affects base="1.0.2" version="1.0.2d"/>
+    <affects base="1.0.2" version="1.0.2e"/>
+    <affects base="1.0.2" version="1.0.2f"/>
+    <affects base="1.0.2" version="1.0.2g"/>
+    <affects base="1.0.2" version="1.0.2h"/>
+    <affects base="1.0.2" version="1.0.2i"/>
+    <affects base="1.0.2" version="1.0.2j"/>
+    <fixed base="1.1.0" version="1.1.0d" date="20170126"/>
+    <fixed base="1.0.2" version="1.0.2k" date="20170126"/>
+    <description>
+      If an SSL/TLS server or client is running on a 32-bit host, and a specific
+      cipher is being used, then a truncated packet can cause that server or
+      client to perform an out-of-bounds read, usually resulting in a crash.
+
+      For OpenSSL 1.1.0, the crash can be triggered when using
+      CHACHA20/POLY1305; users should upgrade to 1.1.0d.
+
+      For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users
+      who have not disabled that algorithm should update to 1.0.2k
+    </description>
+    <advisory url="/news/secadv/20170126.txt"/>
+    <reported source="Robert Święcki of Google" />
+  </issue>
+  <issue public="20170126">
+    <impact severity="Moderate"/>
+    <cve name="2017-3730"/>
+    <affects base="1.1.0" version="1.1.0"/>
+    <affects base="1.1.0" version="1.1.0a"/>
+    <affects base="1.1.0" version="1.1.0b"/>
+    <affects base="1.1.0" version="1.1.0c"/>
+    <fixed base="1.1.0" version="1.1.0d" date="20170126"/>
+    <description>
+      If a malicious server supplies bad parameters for a DHE or ECDHE key
+      exchange then this can result in the client attempting to dereference a
+      NULL pointer leading to a client crash. This could be exploited in a
+      Denial of Service attack.
+    </description>
+    <advisory url="/news/secadv/20170126.txt"/>
+    <reported source="Guido Vranken" />
+  </issue>
+  <issue public="20170126">
+    <impact severity="Moderate"/>
+    <cve name="2017-3732"/>
+    <affects base="1.1.0" version="1.1.0"/>
+    <affects base="1.1.0" version="1.1.0a"/>
+    <affects base="1.1.0" version="1.1.0b"/>
+    <affects base="1.1.0" version="1.1.0c"/>
+    <affects base="1.0.2" version="1.0.2"/>
+    <affects base="1.0.2" version="1.0.2a"/>
+    <affects base="1.0.2" version="1.0.2b"/>
+    <affects base="1.0.2" version="1.0.2c"/>
+    <affects base="1.0.2" version="1.0.2d"/>
+    <affects base="1.0.2" version="1.0.2e"/>
+    <affects base="1.0.2" version="1.0.2f"/>
+    <affects base="1.0.2" version="1.0.2g"/>
+    <affects base="1.0.2" version="1.0.2h"/>
+    <affects base="1.0.2" version="1.0.2i"/>
+    <affects base="1.0.2" version="1.0.2j"/>
+    <fixed base="1.1.0" version="1.1.0d" date="20170126"/>
+    <fixed base="1.0.2" version="1.0.2k" date="20170126"/>
+    <description>
+      There is a carry propagating bug in the x86_64 Montgomery squaring
+      procedure. No EC algorithms are affected. Analysis suggests that attacks
+      against RSA and DSA as a result of this defect would be very difficult to
+      perform and are not believed likely. Attacks against DH are considered
+      just feasible (although very difficult) because most of the work necessary
+      to deduce information about a private key may be performed offline. The
+      amount of resources required for such an attack would be very significant
+      and likely only accessible to a limited number of attackers. An attacker
+      would additionally need online access to an unpatched system using the
+      target private key in a scenario with persistent DH parameters and a
+      private key that is shared between multiple clients. For example this can
+      occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This
+      issue is very similar to CVE-2015-3193 but must be treated as a separate
+      problem.
+    </description>
+    <advisory url="/news/secadv/20170126.txt"/>
+    <reported source="OSS-Fuzz project" />
+  </issue>
   <issue public="20161110">
     <impact severity="High"/>
     <cve name="2016-7054"/>
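Review bot: The CVE-2017-3731 description carries the advisory text's typos over: "Openssl 1.0.2" should be "OpenSSL 1.0.2", and the sentence ending "should update to 1.0.2k" is missing the full stop that the preceding "1.1.0d." sentence has. The CVE-2017-3730 entry might also carry the advisory's note that the fix landed before the issue was recognised as a security concern and is identified by commit efbe126e3, since readers of this file will otherwise search for a commit mentioning the CVE and find none. Style nit: the three new `<reported source="..." />` elements have a space before the self-closing slash, unlike the `<impact/>`, `<cve/>`, `<affects/>` and `<fixed/>` elements around them.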
@@ -57,6 +147,7 @@
     <affects base="1.0.2" version="1.0.2i"/>
     <affects base="1.0.2" version="1.0.2j"/>
     <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
+    <fixed base="1.0.2" version="1.0.2k" date="20170126"/>
     <description>
       There is a carry propagating bug in the Broadwell-specific Montgomery
       multiplication procedure that handles input lengths divisible by, but