[web] master update
Matt Caswell
matt at openssl.org
Tue Sep 10 14:07:46 UTC 2019
The branch master has been updated
via 81c6d01b55625c3071296caced494d5d61866083 (commit)
from b9cdda6cdbe4e87b1e2db37b23cddaca5fb7da9a (commit)
- Log -----------------------------------------------------------------
commit 81c6d01b55625c3071296caced494d5d61866083
Author: Matt Caswell <matt at openssl.org>
Date: Tue Sep 10 12:05:36 2019 +0100
Website updates for new releases
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/web/pull/136)
-----------------------------------------------------------------------
Summary of changes:
news/newsflash.txt | 4 ++
news/secadv/20190910.txt | 107 +++++++++++++++++++++++++++++++
news/vulnerabilities.xml | 164 ++++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 274 insertions(+), 1 deletion(-)
create mode 100644 news/secadv/20190910.txt
diff --git a/news/newsflash.txt b/news/newsflash.txt
index 491bee5..3671610 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,10 @@
# Format is two fields, colon-separated; the first line is the column
# headings. URL paths must all be absolute.
Date: Item
+10-Sep-2019: <a href="/news/secadv/20190910.txt">Security Advisory</a>: three low severity fixes
+10-Sep-2019: OpenSSL 1.1.1d is now available, including bug and security fixes
+10-Sep-2019: OpenSSL 1.1.0l is now available, including security fixes
+10-Sep-2019: OpenSSL 1.0.2t is now available, including security fixes
30-Jul-2019: <a href="/news/secadv/20190730.txt">Security Advisory</a>: one low severity fix in Windows builds
28-May-2019: OpenSSL 1.1.1c is now available, including bug and security fixes
28-May-2019: OpenSSL 1.1.0k is now available, including bug and security fixes
diff --git a/news/secadv/20190910.txt b/news/secadv/20190910.txt
new file mode 100644
index 0000000..0358352
--- /dev/null
+++ b/news/secadv/20190910.txt
@@ -0,0 +1,107 @@
+OpenSSL Security Advisory [10 September 2019]
+=============================================
+
+ECDSA remote timing attack (CVE-2019-1547)
+==========================================
+
+Severity: Low
+
+Normally in OpenSSL EC groups always have a co-factor present and this is used
+in side channel resistant code paths. However, in some cases, it is possible to
+construct a group using explicit parameters (instead of using a named curve). In
+those cases it is possible that such a group does not have the cofactor present.
+This can occur even where all the parameters match a known named curve.
+
+If such a curve is used then OpenSSL falls back to non-side channel resistant
+code paths which may result in full key recovery during an ECDSA signature
+operation.
+
+In order to be vulnerable an attacker would have to have the ability to time
+the creation of a large number of signatures where explicit parameters with no
+co-factor present are in use by an application using libcrypto.
+
+For the avoidance of doubt libssl is not vulnerable because explicit parameters
+are never used.
+
+OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.
+
+OpenSSL 1.1.1 users should upgrade to 1.1.1d
+OpenSSL 1.1.0 users should upgrade to 1.1.0l
+OpenSSL 1.0.2 users should upgrade to 1.0.2t
+
+This issue was reported by Cesar Pereida García, Sohaib ul Hassan,
+Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley. The
+fix was developed by Billy Brumley. It was reported to OpenSSL on 5th August
+2019.
+
+
+Fork Protection (CVE-2019-1549)
+===============================
+
+Severity: Low
+
+OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was
+intended to include protection in the event of a fork() system call in order to
+ensure that the parent and child processes did not share the same RNG state.
+However this protection was not being used in the default case.
+
+A partial mitigation for this issue is that the output from a high precision
+timer is mixed into the RNG state so the likelihood of a parent and child
+process sharing state is significantly reduced.
+
+If an application already calls OPENSSL_init_crypto() explicitly using
+OPENSSL_INIT_ATFORK then this problem does not occur at all.
+
+OpenSSL version 1.1.1 is affected by this issue.
+
+OpenSSL 1.1.1 users should upgrade to 1.1.1d
+
+This issue was reported by Matt Caswell. The fix was developed by Matthias
+St. Pierre. It was reported to OpenSSL on 27th May 2019.
+
+
+Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
+============================================================================
+
+Severity: Low
+
+In situations where an attacker receives automated notification of the success
+or failure of a decryption attempt an attacker, after sending a very large
+number of messages to be decrypted, can recover a CMS/PKCS7 transported
+encryption key or decrypt any RSA encrypted message that was encrypted with the
+public RSA key, using a Bleichenbacher padding oracle attack. Applications are
+not affected if they use a certificate together with the private RSA key to the
+CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to
+decrypt.
+
+OpenSSL 1.1.1 users should upgrade to 1.1.1d
+OpenSSL 1.1.0 users should upgrade to 1.1.0l
+OpenSSL 1.0.2 users should upgrade to 1.0.2t
+
+This issue was reported by and the fix developed by Bernd Edlinger. It was
+reported to OpenSSL on 21st August 2019.
+
+
+Note
+=====
+
+OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2
+will end on 31st December 2019.
+
+Support for 1.1.0 ends on 11th September 2019 so 1.1.0l is expected to be the
+last 1.1.0 release.
+
+Users of these versions should upgrade to OpenSSL 1.1.1.
+
+
+Referenses
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20190910.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index e66f6d8..c3532a5 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -7,7 +7,169 @@
<!-- The updated attribute should be the same as the first public issue,
unless an old entry was updated. -->
-<security updated="20190730">
+<security updated="20190910">
+ <issue public="20190910">
+ <impact severity="Low"/>
+ <cve name="2019-1547"/>
+ <affects base="1.1.1" version="1.1.1"/>
+ <affects base="1.1.1" version="1.1.1a"/>
+ <affects base="1.1.1" version="1.1.1b"/>
+ <affects base="1.1.1" version="1.1.1c"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.1.0" version="1.1.0g"/>
+ <affects base="1.1.0" version="1.1.0h"/>
+ <affects base="1.1.0" version="1.1.0i"/>
+ <affects base="1.1.0" version="1.1.0j"/>
+ <affects base="1.1.0" version="1.1.0k"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <affects base="1.0.2" version="1.0.2n"/>
+ <affects base="1.0.2" version="1.0.2o"/>
+ <affects base="1.0.2" version="1.0.2p"/>
+ <affects base="1.0.2" version="1.0.2q"/>
+ <affects base="1.0.2" version="1.0.2r"/>
+ <affects base="1.0.2" version="1.0.2s"/>
+ <fixed base="1.1.1" version="1.1.1d" date="20190910">
+ <git hash="30c22fa8b1d840036b8e203585738df62a03cec8"/>
+ </fixed>
+ <fixed base="1.1.0" version="1.1.0l" date="20190910">
+ <git hash="7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"/>
+ </fixed>
+ <fixed base="1.0.2" version="1.0.2t" date="20190910">
+ <git hash="21c856b75d81eff61aa63b4f036bb64a85bf6d46"/>
+ </fixed>
+ <problemtype>Timing side channel</problemtype>
+ <title>ECDSA remote timing attack</title>
+ <description>
+ Normally in OpenSSL EC groups always have a co-factor present and this is used
+ in side channel resistant code paths. However, in some cases, it is possible to
+ construct a group using explicit parameters (instead of using a named curve). In
+ those cases it is possible that such a group does not have the cofactor present.
+ This can occur even where all the parameters match a known named curve.
+
+ If such a curve is used then OpenSSL falls back to non-side channel resistant
+ code paths which may result in full key recovery during an ECDSA signature
+ operation.
+
+ In order to be vulnerable an attacker would have to have the ability to time
+ the creation of a large number of signatures where explicit parameters with no
+ co-factor present are in use by an application using libcrypto.
+
+ For the avoidance of doubt libssl is not vulnerable because explicit parameters
+ are never used.
+ </description>
+ <advisory url="/news/secadv/20190910.txt"/>
+ <reported source="Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley"/>
+ </issue>
+ <issue public="20190910">
+ <impact severity="Low"/>
+ <cve name="2019-1549"/>
+ <affects base="1.1.1" version="1.1.1"/>
+ <affects base="1.1.1" version="1.1.1a"/>
+ <affects base="1.1.1" version="1.1.1b"/>
+ <affects base="1.1.1" version="1.1.1c"/>
+ <fixed base="1.1.1" version="1.1.1d" date="20190910">
+ <git hash="1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"/>
+ </fixed>
+ <problemtype>Random Number Generation</problemtype>
+ <title>Fork Protection</title>
+ <description>
+ OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was
+ intended to include protection in the event of a fork() system call in order to
+ ensure that the parent and child processes did not share the same RNG state.
+ However this protection was not being used in the default case.
+
+ A partial mitigation for this issue is that the output from a high precision
+ timer is mixed into the RNG state so the likelihood of a parent and child
+ process sharing state is significantly reduced.
+
+ If an application already calls OPENSSL_init_crypto() explicitly using
+ OPENSSL_INIT_ATFORK then this problem does not occur at all.
+ </description>
+ <advisory url="/news/secadv/20190910.txt"/>
+ <reported source="Matt Caswell"/>
+ </issue>
+ <issue public="20190910">
+ <impact severity="Low"/>
+ <cve name="2019-1563"/>
+ <affects base="1.1.1" version="1.1.1"/>
+ <affects base="1.1.1" version="1.1.1a"/>
+ <affects base="1.1.1" version="1.1.1b"/>
+ <affects base="1.1.1" version="1.1.1c"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.1.0" version="1.1.0g"/>
+ <affects base="1.1.0" version="1.1.0h"/>
+ <affects base="1.1.0" version="1.1.0i"/>
+ <affects base="1.1.0" version="1.1.0j"/>
+ <affects base="1.1.0" version="1.1.0k"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <affects base="1.0.2" version="1.0.2n"/>
+ <affects base="1.0.2" version="1.0.2o"/>
+ <affects base="1.0.2" version="1.0.2p"/>
+ <affects base="1.0.2" version="1.0.2q"/>
+ <affects base="1.0.2" version="1.0.2r"/>
+ <affects base="1.0.2" version="1.0.2s"/>
+ <fixed base="1.1.1" version="1.1.1d" date="20190910">
+ <git hash="08229ad838c50f644d7e928e2eef147b4308ad64"/>
+ </fixed>
+ <fixed base="1.1.0" version="1.1.0l" date="20190910">
+ <git hash="631f94db0065c78181ca9ba5546ebc8bb3884b97"/>
+ </fixed>
+ <fixed base="1.0.2" version="1.0.2t" date="20190910">
+ <git hash="e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"/>
+ </fixed>
+ <problemtype>Padding Oracle</problemtype>
+ <title>Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey</title>
+ <description>
+ In situations where an attacker receives automated notification of the success
+ or failure of a decryption attempt an attacker, after sending a very large
+ number of messages to be decrypted, can recover a CMS/PKCS7 transported
+ encryption key or decrypt any RSA encrypted message that was encrypted with the
+ public RSA key, using a Bleichenbacher padding oracle attack. Applications are
+ not affected if they use a certificate together with the private RSA key to the
+ CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to
+ decrypt.
+ </description>
+ <advisory url="/news/secadv/20190910.txt"/>
+ <reported source="Bernd Edlinger"/>
+ </issue>
<issue public="20190730">
<impact severity="Low"/>
<cve name="2019-1552"/>
More information about the openssl-commits
mailing list