Opened 8 years ago

Closed 8 years ago

#7209 closed enhancement (fixed)

openssl-1.0.2e

Reported by: Fernando de Oliveira
Owned by: Fernando de Oliveira
Priority: high
Milestone: 7.9
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

This is a Security Release

CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196 (the last one was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously listed in an OpenSSL security advisory).

https://www.openssl.org/source/openssl-1.0.2e.tar.gz

https://www.openssl.org/source/openssl-1.0.2e.tar.gz.asc

https://www.openssl.org/source/openssl-1.0.1q.tar.gz.sha1

3ff71636bea85a99f4d76a10d119c09bda0421e3

Downloads:

https://www.openssl.org/source/

Vulnerabilities

https://www.openssl.org/news/secadv/20151203.txt

OpenSSL Security Advisory [3 Dec 2015]
=======================================

NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES
FOR THE 0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE
PROVIDED (AS PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE
TO LATER VERSIONS.

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==================================================================

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult
to perform and are not believed likely. Attacks against DH are
considered just feasible (although very difficult) because most of the
work necessary to deduce information about a private key may be
performed offline. The amount of resources required for such an attack
would be very significant and likely only accessible to a limited number
of attackers. An attacker would additionally need online access to an
unpatched system using the target private key in a scenario with
persistent DH parameters and a private key that is shared between
multiple clients. For example this can occur by default in OpenSSL DHE
based SSL/TLS ciphersuites.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 13 2015 by Hanno
Böck. The fix was developed by Andy Polyakov of the OpenSSL
development team.

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===================================================================

Severity: Moderate

The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS
algorithm and absent mask generation function parameter. Since these
routines are used to verify certificate signature algorithms this can be
used to crash any certificate verification operation and exploited in a
DoS attack. Any application which performs certificate verification is
vulnerable including OpenSSL clients and servers which enable client
authentication.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q

This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas
Etienne (Qnective AG). The fix was developed by Dr. Stephen Henson of
the OpenSSL development team.

X509_ATTRIBUTE memory leak (CVE-2015-3195)
==========================================

Severity: Moderate

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will
leak memory. This structure is used by the PKCS#7 and CMS routines so
any application which reads PKCS#7 or CMS data from untrusted sources is
affected.  SSL/TLS is not affected.

This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh

This issue was reported to OpenSSL on November 9 2015 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen
Henson of the OpenSSL development team.

Race condition handling PSK identity hint (CVE-2015-3196)
=========================================================

Severity: Low

If PSK identity hints are received by a multi-threaded client then the
values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identity hint data.

This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been
previously listed in an OpenSSL security advisory. This issue also
affects OpenSSL 1.0.0 and has not been previously fixed in an OpenSSL
1.0.0 release.

OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t

The fix for this issue can be identified in the OpenSSL git repository
by commit ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and
1392c238657e (1.0.0).

The fix was developed by Dr. Stephen Henson of the OpenSSL development
team.

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL
versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security
updates for these versions will be provided after that date. In the
absence of significant security issues being identified prior to that
date, the 1.0.0t and 0.9.8zh releases will be the last for those
versions. Users of these versions are advised to upgrade.


References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20151203.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

Changelog:

https://www.openssl.org/news/cl102.txt

Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that
     attacks against RSA and DSA as a result of this defect would be
     very difficult to perform and are not believed likely. Attacks
     against DH are considered just feasible (although very difficult)
     because most of the work necessary to deduce information about a
     private key may be performed offline. The amount of resources
     required for such an attack would be very significant and likely
     only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the
     target private key in a scenario with persistent DH parameters and
     a private key that is shared between multiple clients. For example
     this can occur by default in OpenSSL DHE based SSL/TLS
     ciphersuites.

     This issue was reported to OpenSSL by Hanno Böck.
     (CVE-2015-3193)
     [Andy Polyakov]

  *) Certificate verify crash with missing PSS parameter

     The signature verification routines will crash with a NULL pointer
     dereference if presented with an ASN.1 signature using the RSA PSS
     algorithm and absent mask generation function parameter. Since
     these routines are used to verify certificate signature algorithms
     this can be used to crash any certificate verification operation
     and exploited in a DoS attack. Any application which performs
     certificate verification is vulnerable including OpenSSL clients
     and servers which enable client authentication.

     This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective
     AG).
     (CVE-2015-3194)
     [Stephen Henson]

  *) X509_ATTRIBUTE memory leak

     When presented with a malformed X509_ATTRIBUTE structure OpenSSL
     will leak memory. This structure is used by the PKCS#7 and CMS
     routines so any application which reads PKCS#7 or CMS data from
     untrusted sources is affected. SSL/TLS is not affected.

     This issue was reported to OpenSSL by Adam Langley
     (Google/BoringSSL) using libFuzzer.
     (CVE-2015-3195)
     [Stephen Henson]

  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
     This changes the decoding behaviour for some invalid messages,
     though the change is mostly in the more lenient direction, and
     legacy behaviour is preserved as much as possible.
     [Emilia Käsper]

  *) In DSA_generate_parameters_ex, if the provided seed is too short,
     return an error
     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
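Two checks a packager would want to script from the material above: verifying the downloaded tarball against the published SHA-1 digest (the bare 40-hex-digit line in the .sha1 file), and deciding from the advisory's affected/fixed table which of the four CVEs a given installed OpenSSL 1.x version still lacks. The following is an added example written for this page; it is not BLFS or OpenSSL code. The digest constant is copied from the ticket description; the `verify_tarball` file paths are caller-supplied, and the version strings in the demo are constructed sample input.

```python
import hashlib
import hmac
import re

# Digest of openssl-1.0.2e.tar.gz as listed in the ticket above.
OPENSSL_1_0_2E_SHA1 = "3ff71636bea85a99f4d76a10d119c09bda0421e3"


def parse_sha1_file(text):
    """Return the digest from a .sha1 file: the first 40-hex-digit token."""
    m = re.search(r"\b[0-9a-fA-F]{40}\b", text)
    if not m:
        raise ValueError("no SHA-1 digest found in .sha1 file")
    return m.group(0).lower()


def verify_sha1(data, expected_hex):
    """True if SHA-1(data) matches expected_hex; constant-time comparison."""
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_tarball(tarball_path, sha1_path):
    """Compare a downloaded tarball against its published .sha1 file."""
    with open(sha1_path) as f:
        expected = parse_sha1_file(f.read())
    with open(tarball_path, "rb") as f:
        return verify_sha1(f.read(), expected)


# Affected branches from the advisory, mapped to the first patched letter.
# CVE-2015-3196 was already fixed in 1.0.2d / 1.0.1p; 0.9.8 is not listed for it.
ADVISORY = {
    "CVE-2015-3193": {"1.0.2": "e"},
    "CVE-2015-3194": {"1.0.2": "e", "1.0.1": "q"},
    "CVE-2015-3195": {"1.0.2": "e", "1.0.1": "q", "1.0.0": "t", "0.9.8": "zh"},
    "CVE-2015-3196": {"1.0.2": "d", "1.0.1": "p", "1.0.0": "t"},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract (branch, patch letters) from '1.0.2e' or an `openssl version` line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL 1.x-style version in %r" % text)
    return ".".join(m.group(1, 2, 3)), m.group(4)


def _letter_key(letters):
    # OpenSSL 1.x patch letters run a..z and then za, zb, ... zh, so a
    # longer suffix is always newer; compare length first, then text.
    return (len(letters), letters)


def unpatched_cves(version_text):
    """CVEs from this advisory not fixed in the given version.

    Branches outside the table (e.g. later series) are not covered by the
    advisory and yield an empty list.
    """
    branch, letters = parse_version(version_text)
    missing = []
    for cve, fixed_in in ADVISORY.items():
        if branch in fixed_in and _letter_key(letters) < _letter_key(fixed_in[branch]):
            missing.append(cve)
    return missing


if __name__ == "__main__":
    # Constructed sample inputs, not real downloads.
    print(verify_sha1(b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"))
    for sample in ("OpenSSL 1.0.2d 9 Jul 2015", "1.0.2e", "0.9.8zg", "1.0.0s"):
        print(sample, "->", unpatched_cves(sample) or "patched for this advisory")
```

`verify_tarball` reads the whole file into memory, which is fine for a tarball of this size; the compare uses `hmac.compare_digest` so the result does not depend on how many leading bytes of the digest match. The version check deliberately treats a bare "1.0.2" (no letter) as older than "1.0.2a".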

Change History (2)

comment:1 by Fernando de Oliveira, 8 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r16708.
