CVS commit: [pkgsrc-2014Q4] pkgsrc/security/openssl

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: [pkgsrc-2014Q4] pkgsrc/security/openssl
From: "Matthias Scheler" <tron%netbsd.org@localhost>
Date: Sun, 11 Jan 2015 19:52:04 +0000
Module Name:    pkgsrc
Committed By:   tron
Date:           Sun Jan 11 19:52:04 UTC 2015

Modified Files:
        pkgsrc/security/openssl [pkgsrc-2014Q4]: Makefile distinfo
Removed Files:
        pkgsrc/security/openssl/patches [pkgsrc-2014Q4]:
            patch-crypto_dso_dso__dlfcn.c

Log Message:
Pullup ticket #4586 - requested by wiz
security/openssl: security update

Revisions pulled up:
- security/openssl/Makefile                                     1.201
- security/openssl/distinfo                                     1.110
- security/openssl/patches/patch-crypto_dso_dso__dlfcn.c        deleted

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Thu Jan  8 16:58:25 UTC 2015

   Modified Files:
        pkgsrc/security/openssl: Makefile distinfo
   Removed Files:
        pkgsrc/security/openssl/patches: patch-crypto_dso_dso__dlfcn.c

   Log Message:
   Update to 1.0.1k:

    Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

     *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
        message can cause a segmentation fault in OpenSSL due to a NULL pointer
        dereference. This could lead to a Denial Of Service attack. Thanks to
        Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
        (CVE-2014-3571)
        [Steve Henson]

     *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
        dtls1_buffer_record function under certain conditions. In particular this
        could occur if an attacker sent repeated DTLS records with the same
        sequence number but for the next epoch. The memory leak could be exploited
        by an attacker in a Denial of Service attack through memory exhaustion.
        Thanks to Chris Mueller for reporting this issue.
        (CVE-2015-0206)
        [Matt Caswell]

     *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
        built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
        method would be set to NULL which could later result in a NULL pointer
        dereference. Thanks to Frank Schmirler for reporting this issue.
        (CVE-2014-3569)
        [Kurt Roeckx]

     *) Abort handshake if server key exchange message is omitted for ephemeral
        ECDH ciphersuites.

        Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
        reporting this issue.
        (CVE-2014-3572)
        [Steve Henson]

     *) Remove non-export ephemeral RSA code on client and server. This code
        violated the TLS standard by allowing the use of temporary RSA keys in
        non-export ciphersuites and could be used by a server to effectively
        downgrade the RSA key length used to a value smaller than the server
        certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
        INRIA or reporting this issue.
        (CVE-2015-0204)
        [Steve Henson]

     *) Fixed issue where DH client certificates are accepted without verification.
        An OpenSSL server will accept a DH certificate for client authentication
        without the certificate verify message. This effectively allows a client to
        authenticate without the use of a private key. This only affects servers
        which trust a client certificate authority which issues certificates
        containing DH keys: these are extremely rare and hardly ever encountered.
        Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
        this issue.
        (CVE-2015-0205)
        [Steve Henson]

     *) Ensure that the session ID context of an SSL is updated when its
        SSL_CTX is updated via SSL_set_SSL_CTX.

        The session ID context is typically set from the parent SSL_CTX,
        and can vary with the CTX.
        [Adam Langley]

     *) Fix various certificate fingerprint issues.

        By using non-DER or invalid encodings outside the signed portion of a
        certificate the fingerprint can be changed without breaking the signature.
        Although no details of the signed portion of the certificate can be changed
        this can cause problems with some applications: e.g. those using the
        certificate fingerprint for blacklists.

        1. Reject signatures with non zero unused bits.

        If the BIT STRING containing the signature has non zero unused bits reject
        the signature. All current signature algorithms require zero unused bits.

        2. Check certificate algorithm consistency.

        Check the AlgorithmIdentifier inside TBS matches the one in the
        certificate signature. NB: this will result in signature failure
        errors for some broken certificates.

        Thanks to Konrad Kraszewski from Google for reporting this issue.

        3. Check DSA/ECDSA signatures use DER.

        Reencode DSA/ECDSA signatures and compare with the original received
        signature. Return an error if there is a mismatch.

        This will reject various cases including garbage after signature
        (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
        program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
        (negative or with leading zeroes).

        Further analysis was conducted and fixes were developed by Stephen Henson
        of the OpenSSL core team.

        (CVE-2014-8275)
        [Steve Henson]

      *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
         results on some platforms, including x86_64. This bug occurs at random
         with a very low probability, and is not known to be exploitable in any
         way, though its exact impact is difficult to determine. Thanks to Pieter
         Wuille (Blockstream) who reported this issue and also suggested an initial
         fix. Further analysis was conducted by the OpenSSL development team and
         Adam Langley of Google. The final fix was developed by Andy Polyakov of
         the OpenSSL core team.
         (CVE-2014-3570)
         [Andy Polyakov]

      *) Do not resume sessions on the server if the negotiated protocol
         version does not match the session's version. Resuming with a different
         version, while not strictly forbidden by the RFC, is of questionable
         sanity and breaks all known clients.
         [David Benjamin, Emilia K?sper]

      *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
         early CCS messages during renegotiation. (Note that because
         renegotiation is encrypted, this early CCS was not exploitable.)
         [Emilia K?sper]

      *) Tighten client-side session ticket handling during renegotiation:
         ensure that the client only accepts a session ticket if the server sends
         the extension anew in the ServerHello. Previously, a TLS client would
         reuse the old extension state and thus accept a session ticket if one was
         announced in the initial ServerHello.

         Similarly, ensure that the client requires a session ticket if one
         was advertised in the ServerHello. Previously, a TLS client would
         ignore a missing NewSessionTicket message.
         [Emilia K?sper]


To generate a diff of this commit:
cvs rdiff -u -r1.200 -r1.200.2.1 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.109 -r1.109.2.1 pkgsrc/security/openssl/distinfo
cvs rdiff -u -r1.2 -r0 \
    pkgsrc/security/openssl/patches/patch-crypto_dso_dso__dlfcn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: [pkgsrc-2014Q4] pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: [pkgsrc-2014Q4] pkgsrc/doc
Indexes:
Home | Main Index | Thread Index | Old Index