The branch master has been updated via 6f4edf054e16bec8cb590de4b77c523334ebfe28 (commit) from 604491061a61f0e554cdd38354df341f57ee9fc1 (commit)
- Log ----------------------------------------------------------------- commit 6f4edf054e16bec8cb590de4b77c523334ebfe28 Author: Matt Caswell <m...@openssl.org> Date: Tue Feb 26 14:31:17 2019 +0000 Updates for new releases Reviewed-by: Richard Levitte <levi...@openssl.org> ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 2 ++ news/secadv/20190226.txt | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ news/vulnerabilities.xml | 46 +++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20190226.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 5ded4d4..b458dc4 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,8 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +26-Feb-2019: OpenSSL 1.1.1b is now available, including bug fixes +26-Feb-2019: OpenSSL 1.0.2r is now available, including bug and security fixes 11-Feb-2019: <a href="/docs/OpenSSL300Design.html">3.0.0 Design (draft)</a> is now available 11-Feb-2019: <a href="/docs/OpenSSLStrategicArchitecture.html">Strategic Architecture</a> for OpenSSL 3.0.0 and beyond is now available 20-Nov-2018: OpenSSL 1.1.1a is now available, including bug and security fixes diff --git a/news/secadv/20190226.txt b/news/secadv/20190226.txt new file mode 100644 index 0000000..8a4a6dd --- /dev/null +++ b/news/secadv/20190226.txt 
@@ -0,0 +1,48 @@ +OpenSSL Security Advisory [26 February 2019] +============================================ + +0-byte record padding oracle (CVE-2019-1559) +============================================ + +Severity: Moderate + +If an application encounters a fatal protocol error and then calls +SSL_shutdown() twice (once to send a close_notify, and once to receive one) then +OpenSSL can respond differently to the calling application if a 0 byte record is +received with invalid padding compared to if a 0 byte record is received with an +invalid MAC. If the application then behaves differently based on that in a way +that is detectable to the remote peer, then this amounts to a padding oracle +that could be used to decrypt data. + +In order for this to be exploitable "non-stitched" ciphersuites must be in use. +Stitched ciphersuites are optimised implementations of certain commonly used +ciphersuites. Also the application must call SSL_shutdown() twice even if a +protocol error has occurred (applications should not do this but some do +anyway). + +This issue does not impact OpenSSL 1.1.1 or 1.1.0. + +OpenSSL 1.0.2 users should upgrade to 1.0.2r. + +This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, +with additional investigation by Steven Collison and Andrew Hourselt. It was +reported to OpenSSL on 10th December 2018. + +Note +==== + +OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support +for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th +September 2019. Users of these versions should upgrade to OpenSSL 1.1.1. + +References +========== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20190226.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html 
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index d9b42bd..1732db5 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
@@ -7,7 +7,51 @@ <!-- The updated attribute should be the same as the first public issue, unless an old entry was updated. --> -<security updated="20181112"> +<security updated="20190226"> + <issue public="20190226"> + <impact severity="Moderate"/> + <cve name="2019-1559"/> + <affects base="1.0.2" version="1.0.2"/> + <affects base="1.0.2" version="1.0.2a"/> + <affects base="1.0.2" version="1.0.2b"/> + <affects base="1.0.2" version="1.0.2c"/> + <affects base="1.0.2" version="1.0.2d"/> + <affects base="1.0.2" version="1.0.2e"/> + <affects base="1.0.2" version="1.0.2f"/> + <affects base="1.0.2" version="1.0.2g"/> + <affects base="1.0.2" version="1.0.2h"/> + <affects base="1.0.2" version="1.0.2i"/> + <affects base="1.0.2" version="1.0.2j"/> + <affects base="1.0.2" version="1.0.2k"/> + <affects base="1.0.2" version="1.0.2l"/> + <affects base="1.0.2" version="1.0.2m"/> + <affects base="1.0.2" version="1.0.2n"/> + <affects base="1.0.2" version="1.0.2o"/> + <affects base="1.0.2" version="1.0.2p"/> + <affects base="1.0.2" version="1.0.2q"/> + <fixed base="1.0.2" version="1.0.2r" date="20190226"> + <git hash="e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e"/> + </fixed> + <problemtype>Padding Oracle</problemtype> + <title>0-byte record padding oracle</title> + <description> + If an application encounters a fatal protocol error and then calls + SSL_shutdown() twice (once to send a close_notify, and once to receive one) then + OpenSSL can respond differently to the calling application if a 0 byte record is + received with invalid padding compared to if a 0 byte record is received with an + invalid MAC. If the application then behaves differently based on that in a way + that is detectable to the remote peer, then this amounts to a padding oracle + that could be used to decrypt data. + + In order for this to be exploitable "non-stitched" ciphersuites must be in use. + Stitched ciphersuites are optimised implementations of certain commonly used + ciphersuites. 
Also the application must call SSL_shutdown() twice even if a + protocol error has occurred (applications should not do this but some do + anyway). + </description> + <advisory url="/news/secadv/20190226.txt"/> + <reported source="Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt"/> + </issue> <issue public="20181102"> <impact severity="Low"/> <cve name="2018-5407"/>
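Review bot: In the news/newsflash.txt hunk, the new "OpenSSL 1.0.2r is now available, including bug and security fixes" entry carries no link to the advisory that this same commit adds as news/secadv/20190226.txt, while the neighbouring 11-Feb-2019 entries do use `<a href="...">` anchors. Suggest linking the 1.0.2r item to /news/secadv/20190226.txt (the file header says URL paths must be absolute) so that readers of the newsflash reach CVE-2019-1559 in one click rather than having to find the advisory themselves.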
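Review bot: In the news/secadv/20190226.txt hunk, the advisory states two preconditions for the padding oracle, "non-stitched" ciphersuites in use and SSL_shutdown() called twice after a fatal protocol error, but gives an operator no way to check either one: it does not say which ciphersuites count as stitched, and it does not spell out the application-side mitigation that its own wording implies (do not call SSL_shutdown() once a fatal protocol error has been reported). Suggest adding a short list or pointer for the stitched ciphersuites and an explicit mitigation sentence for applications that cannot move to 1.0.2r immediately. The advisory also gives no fix commit, whereas the vulnerabilities.xml entry records hash e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e; referencing it here would help distributors who backport.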
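Review bot: In the news/vulnerabilities.xml hunk, the `<description>` copies only the first two paragraphs of the advisory and drops the line "This issue does not impact OpenSSL 1.1.1 or 1.1.0"; that fact is only implied by the `<affects>` list stopping at 1.0.2q, and readers of the rendered vulnerabilities page may assume newer branches are also affected. Suggest carrying the not-affected statement into the description alongside the preconditions. The `updated="20190226"` change and the `<issue public="20190226">` value agree with the comment above the element ("The updated attribute should be the same as the first public issue"), and the `<fixed ... version="1.0.2r" date="20190226">` entry matches the advisory's upgrade guidance.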