Revision 8594 - Modified Fri Sep 23 17:48:06 2016 UTC by laffer1 (diff to previous 7583)
OpenSSL security patch
A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. [CVE-2016-6304]
An overflow can occur in MDC2_Update() either if called directly or through
the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply
very large amounts of input data after a previous call to EVP_EncryptUpdate()
with a partial block then a length check can overflow resulting in a heap
corruption. [CVE-2016-6303]
If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
DoS attack where a malformed ticket will result in an OOB read which will
ultimately crash. [CVE-2016-6302]
The function BN_bn2dec() does not check the return value of BN_div_word().
This can cause an OOB write if an application uses this function with an
overly large BIGNUM. This could be a problem if an overly large certificate
or CRL is printed out from an untrusted source. TLS is not affected because
record limits will reject an oversized certificate before it is parsed.
[CVE-2016-2182]
The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
the total length the OID text representation would use and not the amount
of data written. This will result in OOB reads when large OIDs are presented.
[CVE-2016-2180]
Some calculations of limits in OpenSSL have used undefined pointer arithmetic.
This could cause problems with some malloc implementations. [CVE-2016-2177]
Operations in the DSA signing algorithm should run in constant time in order to
avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
a non-constant time codepath is followed for certain operations. [CVE-2016-2178]
In a DTLS connection where handshake messages are delivered out-of-order those
messages that OpenSSL is not yet ready to process will be buffered for later
use. Under certain circumstances, a flaw in the logic means that those messages
do not get removed from the buffer even though the handshake has been completed.
An attacker could force up to approx. 15 messages to remain in the buffer when
they are no longer required. These messages will be cleared when the DTLS
connection is closed. The default maximum size for a message is 100k. Therefore
the attacker could force an additional 1500k to be consumed per connection.
[CVE-2016-2179]
A flaw in the DTLS replay attack protection mechanism means that records that
arrive for future epochs update the replay protection "window" before the MAC
for the record has been validated. This could be exploited by an attacker by
sending a record for the next epoch (which does not have to decrypt or have a
valid MAC), with a very large sequence number. This means that all subsequent
legitimate packets are dropped causing a denial of service for a specific
DTLS connection. [CVE-2016-2181]
In OpenSSL 1.0.2 and earlier some missing message length checks can result in
OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
DoS risk but this has not been observed in practice on common platforms.
[CVE-2016-6306]

Revision 7547 - Modified Thu May 5 07:54:23 2016 UTC by laffer1 (diff to previous 7467)
OpenSSL security patch
The padding check in AES-NI CBC MAC was rewritten to be in constant time
by making sure that always the same bytes are read and compared against
either the MAC or padding bytes. But it no longer checked that there was
enough data to have both the MAC and padding bytes. [CVE-2016-2107]
An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. [CVE-2016-2105]
An overflow can occur in the EVP_EncryptUpdate() function, however it is
believed that there can be no overflows in internal code due to this problem.
[CVE-2016-2106]
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can cause allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
[CVE-2016-2109]

Revision 7467 - Modified Thu Mar 17 12:34:11 2016 UTC by laffer1 (diff to previous 7462)
OpenSSH doesn't have the luck of the Irish.
Fix a security issue with OpenSSH X11 forwarding that can allow an attacker to
run shell commands on the call to xauth.

Revision 7462 - Modified Thu Mar 10 14:08:20 2016 UTC by laffer1 (diff to previous 7438)
Security patch OpenSSL for DROWN
A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP
or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability
is known as DROWN. [CVE-2016-0800]
A double free bug was discovered when OpenSSL parses malformed DSA private
keys and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources. This scenario is considered
rare. [CVE-2016-0705]
The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory
management semantics; the returned pointer was sometimes newly allocated, and
sometimes owned by the callee. The calling code has no way of distinguishing
these two cases. [CVE-2016-0798]
In the BN_hex2bn function, the number of hex digits is calculated using an int
value |i|. Later |bn_expand| is called with a value of |i * 4|. For large
values of |i| this can result in |bn_expand| not allocating any memory because
|i * 4| is negative. This can leave the internal BIGNUM data field as NULL
leading to a subsequent NULL pointer dereference. For very large values of
|i|, the calculation |i * 4| could be a positive value smaller than |i|. In
this case memory is allocated to the internal BIGNUM data field, but it is
insufficiently sized leading to heap corruption. A similar issue exists in
BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is
ever called by user applications with very large untrusted hex/dec data. This
is anticipated to be a rare occurrence. [CVE-2016-0797]
The internal |fmtstr| function used in processing a "%s" formatted string in
the BIO_*printf functions could overflow while calculating the length of
a string and cause an out-of-bounds read when printing very long strings.
[CVE-2016-0799]
A side-channel attack was found which makes use of cache-bank conflicts on the
Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
keys. [CVE-2016-0702]
s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers.
If clear-key bytes are present for these ciphers, they displace encrypted-key
bytes. [CVE-2016-0703]
s2_srvr.c overwrites the wrong bytes in the master key when applying
Bleichenbacher protection for export cipher suites. [CVE-2016-0704]
Obtained from: OpenSSL & FreeBSD

Revision 7438 - Modified Sat Jan 30 17:58:54 2016 UTC by laffer1 (diff to previous 7433)
OpenSSL CVE-2015-3197
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.

Revision 7273 - Modified Tue Aug 25 22:08:49 2015 UTC by laffer1 (diff to previous 7261)
A programming error in the privileged monitor process of the sshd(8)
service may allow the username of an already-authenticated user to be
overwritten by the unprivileged child process.
A use-after-free error in the privileged monitor process of the sshd(8)
service may be deterministically triggered by the actions of a
compromised unprivileged child process.
A use-after-free error in the session multiplexing code in the sshd(8)
service may result in unintended termination of the connection.

Revision 7194 - Modified Wed Jul 29 00:35:21 2015 UTC by laffer1 (diff to previous 7186)
Fix two OpenSSH security issues:
CVE-2014-2653 and CVE-2015-5600
Attackers can bypass MaxAuthTries and brute force passwords. Clients will
not properly validate DNS SSHFP records that offer a certificate. (rarely used)

Revision 6754 - Modified Tue Sep 9 23:14:38 2014 UTC by laffer1 (diff to previous 6659)
Security update for openssl.
The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
to consume large amounts of memory. [CVE-2014-3506]
The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
memory. [CVE-2014-3507]
A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from
the stack. [CVE-2014-3508]
OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
a denial of service attack. [CVE-2014-3510]

Revision 4884 - Modified Thu May 3 17:40:43 2012 UTC by laffer1 (diff to previous 4464)
OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accept SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]
OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]
If an application uses OpenSSL's certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]
A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]
The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]

Revision 3204 - Modified Sat Dec 5 15:29:50 2009 UTC by laffer1 (diff to previous 3182)
The SSL version 3 and TLS protocols support session renegotiation without
cryptographically tying the new session parameters to the old parameters.
Disable renegotiation of session parameters. This can break some software
packages, but it's rarely used.

Revision 3026 - Modified Thu Jun 11 03:50:29 2009 UTC by laffer1 (diff to previous 3003)
Fix the illegal instructions with libcrypto stuff linking to openssl. (sendmail, dovecot, or anything else...)
This is a "feature" of gcc4 that adds illegal instructions to discourage casting certain ways. How nice.

Revision 2841 - Modified Wed Apr 22 18:06:36 2009 UTC by laffer1 (diff to previous 2511)
The function ASN1_STRING_print_ex does not properly validate the lengths
of BMPString or UniversalString objects before attempting to print them.
Remotely exploitable bug in openssl

Revision 1267 - Modified Wed Oct 3 23:57:10 2007 UTC by laffer1 (diff to previous 1108)
Fix a security issue with openssl.
For applications using the SSL_get_shared_ciphers() function, the
buffer overflow could allow an attacker to crash or potentially
execute arbitrary code with the permissions of the user running the
application. (freebsd advisory text).