The branch master has been updated via 497e8bf4a455aa2adc495777e49ad32e133a7d34 (commit) from b221da5e00d3e9304664f605c132a18674a343e5 (commit)
- Log ----------------------------------------------------------------- commit 497e8bf4a455aa2adc495777e49ad32e133a7d34 Author: Matt Caswell <m...@openssl.org> Date: Wed Mar 6 15:12:07 2019 +0000 Website updates for CVE-2019-1543 Reviewed-by: Mark J. Cox <m...@awe.com> (Merged from https://github.com/openssl/web/pull/125) ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 1 + news/secadv/20190306.txt | 61 ++++++++++++++++++++++++++++++++++++++++++++++++ news/vulnerabilities.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20190306.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index b458dc4..1346f6e 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +06-Mar-2019: <a href="/news/secadv/20190306.txt">Security Advisory</a>: one low severity fix in ChaCha20-Poly1305 26-Feb-2019: OpenSSL 1.1.1b is now available, including bug fixes 26-Feb-2019: OpenSSL 1.0.2r is now available, including bug and security fixes 11-Feb-2019: <a href="/docs/OpenSSL300Design.html">3.0.0 Design (draft)</a> is now available diff --git a/news/secadv/20190306.txt b/news/secadv/20190306.txt new file mode 100644 index 0000000..50b2744 --- /dev/null +++ b/news/secadv/20190306.txt 
@@ -0,0 +1,61 @@ +OpenSSL Security Advisory [6 March 2019] +======================================== + +ChaCha20-Poly1305 with long nonces (CVE-2019-1543) +================================================== + +Severity: Low + +ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every +encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 +bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce +with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a +nonce to be set of up to 16 bytes. In this case only the last 12 bytes are +significant and any additional leading bytes are ignored. + +It is a requirement of using this cipher that nonce values are unique. Messages +encrypted using a reused nonce value are susceptible to serious confidentiality +and integrity attacks. If an application changes the default nonce length to be +longer than 12 bytes and then makes a change to the leading bytes of the nonce +expecting the new value to be a new unique nonce then such an application could +inadvertently encrypt messages with a reused nonce. + +Additionally the ignored bytes in a long nonce are not covered by the integrity +guarantee of this cipher. Any application that relies on the integrity of these +ignored leading bytes of a long nonce may be further affected. + +Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because +no such use sets such a long nonce value. However user applications that use +this cipher directly and set a non-default nonce length to be longer than 12 +bytes may be vulnerable. + +OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited +scope of affected deployments this has been assessed as low severity and +therefore we are not creating new releases at this time. The 1.1.1 mitigation +for this issue can be found in commit f426625b6a. The 1.1.0 mitigation for this +issue can be found in commit ee22257b14. 
+ +This issue does not impact OpenSSL 1.0.2. + +This issue was discovered by Joran Dirk Greef of Ronomon. The fix was developed +by Matt Caswell from the OpenSSL development team. It was reported to OpenSSL on +26th February 2019. + +Note +==== + +OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support +for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th +September 2019. Users of these versions should upgrade to OpenSSL 1.1.1. + +References +========== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20190306.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 5286f54..00518fb 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
@@ -7,7 +7,63 @@ <!-- The updated attribute should be the same as the first public issue, unless an old entry was updated. --> -<security updated="20190226"> +<security updated="20190306"> + <issue public="20190306"> + <impact severity="Low"/> + <cve name="2019-1543"/> + <affects base="1.1.1" version="1.1.1"/> + <affects base="1.1.1" version="1.1.1a"/> + <affects base="1.1.1" version="1.1.1b"/> + <affects base="1.1.0" version="1.1.0"/> + <affects base="1.1.0" version="1.1.0a"/> + <affects base="1.1.0" version="1.1.0b"/> + <affects base="1.1.0" version="1.1.0c"/> + <affects base="1.1.0" version="1.1.0d"/> + <affects base="1.1.0" version="1.1.0e"/> + <affects base="1.1.0" version="1.1.0f"/> + <affects base="1.1.0" version="1.1.0g"/> + <affects base="1.1.0" version="1.1.0h"/> + <affects base="1.1.0" version="1.1.0i"/> + <affects base="1.1.0" version="1.1.0j"/> + <fixed base="1.1.1" version="1.1.1c-dev" date="20190306"> + <git hash="f426625b6ae9a7831010750490a5f0ad689c5ba3"/> + </fixed> + <fixed base="1.1.0" version="1.1.0k-dev" date="20190306"> + <git hash="ee22257b1418438ebaf54df98af4e24f494d1809"/> + </fixed> + <problemtype>Nonce Reuse</problemtype> + <title>ChaCha20-Poly1305 with long nonces</title> + <description> + ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every + encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 + bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce + with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a + nonce to be set of up to 16 bytes. In this case only the last 12 bytes are + significant and any additional leading bytes are ignored. + + It is a requirement of using this cipher that nonce values are unique. Messages + encrypted using a reused nonce value are susceptible to serious confidentiality + and integrity attacks. 
If an application changes the default nonce length to be + longer than 12 bytes and then makes a change to the leading bytes of the nonce + expecting the new value to be a new unique nonce then such an application could + inadvertently encrypt messages with a reused nonce. + + Additionally the ignored bytes in a long nonce are not covered by the integrity + guarantee of this cipher. Any application that relies on the integrity of these + ignored leading bytes of a long nonce may be further affected. + + Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because + no such use sets such a long nonce value. However user applications that use + this cipher directly and set a non-default nonce length to be longer than 12 + bytes may be vulnerable. + + OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited + scope of affected deployments this has been assessed as low severity and + therefore we are not creating new releases at this time. + </description> + <advisory url="/news/secadv/20190306.txt"/> + <reported source="Joran Dirk Greef of Ronomon"/> + </issue> <issue public="20190226"> <impact severity="Moderate"/> <cve name="2019-1559"/>
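Review bot: the newsflash.txt entry "Security Advisory: one low severity fix in ChaCha20-Poly1305" reads like the other items in that file, which all announce a release, but the advisory added in the same commit states that no new releases are being made for this issue. Readers scanning the newsflash will look for a 1.1.1c / 1.1.0k download that does not exist yet; suggest wording that makes this explicit, for example "Security Advisory: one low severity issue in ChaCha20-Poly1305 (no new release, see advisory)".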
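Review bot: in news/secadv/20190306.txt the affected-population statement ("user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes") never names the API call that sets a non-default nonce length, so an application developer cannot grep their code to decide whether they are affected. Suggest naming it in the advisory, i.e. the EVP_CTRL_AEAD_SET_IVLEN control passed to EVP_CIPHER_CTX_ctrl(), since that is the only way user code reaches the >12-byte case described. Secondary wording point in the same hunk: "incorrectly allows a nonce to be set of up to 16 bytes" is hard to parse; "incorrectly allows a nonce of up to 16 bytes to be set" says the same thing cleanly, and the identical sentence is duplicated into the vulnerabilities.xml description, so both copies would need the change.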
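Review bot: the new &lt;description&gt; in news/vulnerabilities.xml copies the advisory's closing sentence "therefore we are not creating new releases at this time" verbatim, but the same &lt;issue&gt; already records &lt;fixed&gt; versions 1.1.1c-dev and 1.1.0k-dev. The XML is the long-lived record behind the vulnerabilities page, so once 1.1.1c and 1.1.0k ship that sentence becomes wrong while the dated advisory text stays accurate. Suggest dropping the final sentence from the XML description (ending it at "assessed as low severity") and leaving the release statement only in the advisory, or adding a reminder to update this entry at release time.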