The branch master has been updated via e6ce68d75408edac4a22e85dc3af43444bc7fefc (commit) from e784301605e11bb68c60d0f8c8e0c0ce5520eb17 (commit)
- Log ----------------------------------------------------------------- commit e6ce68d75408edac4a22e85dc3af43444bc7fefc Author: Richard Levitte <levi...@openssl.org> Date: Tue Jul 30 15:20:38 2019 +0200 CVE-2019-1552 security advisory Reviewed-by: Mark J. Cox <m...@awe.com> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/web/pull/134) ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 1 + news/secadv/20190730.txt | 68 +++++++++++++++++++++++++++++++++++++++ news/vulnerabilities.xml | 83 +++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20190730.txt
diff --git a/news/newsflash.txt b/news/newsflash.txt
index 7a47756..491bee5 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,7 @@
 # Format is two fields, colon-separated; the first line is the column
 # headings. URL paths must all be absolute.
 Date: Item
+30-Jul-2019: <a href="/news/secadv/20190730.txt">Security Advisory</a>: one low severity fix in Windows builds
 28-May-2019: OpenSSL 1.1.1c is now available, including bug and security fixes
 28-May-2019: OpenSSL 1.1.0k is now available, including bug and security fixes
 28-May-2019: OpenSSL 1.0.2s is now available, including bug fixes
diff --git a/news/secadv/20190730.txt b/news/secadv/20190730.txt
new file mode 100644
index 0000000..0714a04
--- /dev/null
+++ b/news/secadv/20190730.txt
@@ -0,0 +1,68 @@
+OpenSSL Security Advisory [30 July 2019]
+========================================
+
+Windows builds with insecure path defaults (CVE-2019-1552)
+==========================================================
+
+Severity: Low
+
+OpenSSL has internal defaults for a directory tree where it can find a
+configuration file as well as certificates used for verification in
+TLS. This directory is most commonly referred to as OPENSSLDIR, and
+is configurable with the --prefix / --openssldir configuration options.
+
+For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets
+assume that resulting programs and libraries are installed in a
+Unix-like environment and the default prefix for program installation
+as well as for OPENSSLDIR should be '/usr/local'.
+
+However, mingw programs are Windows programs, and as such, find
+themselves looking at sub-directories of 'C:/usr/local', which may be
+world writable, which enables untrusted users to modify OpenSSL's
+default configuration, insert CA certificates, modify (or even
+replace) existing engine modules, etc.
+
+For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR
+on all Unix and Windows targets, including Visual C builds. However,
+some build instructions for the diverse Windows targets on 1.0.2
+encourage you to specify your own --prefix.
+
+OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.
+Due to the limited scope of affected deployments this has been
+assessed as low severity and therefore we are not creating new
+releases at this time.
+
+The mitigations are found in these commits:
+- For 1.1.1, commit 54aa9d51b09d67e90db443f682cface795f5af9e
+- For 1.1.0, commit e32bc855a81a2d48d215c506bdeb4f598045f7e9 and
+ b15a19c148384e73338aa7c5b12652138e35ed28
+- For 1.0.2, commit d333ebaf9c77332754a9d5e111e2f53e1de54fdd
+
+The 1.1.1 and 1.1.0 mitigation set more appropriate defaults for
+mingw, while the 1.0.2 mitigation documents the issue and provides
+enhanced examples.
+
+This issue was reported by Rich Mirth. The fix was developed by
+Richard Levitte from the OpenSSL development team. It was reported to
+OpenSSL on 9th Jun 2019.
+
+Note
+=====
+
+OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates.
+Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0
+will end on 11th September 2019. Users of these versions should
+upgrade to OpenSSL 1.1.1.
+
+
+Referenses
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20190730.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index f9949ce..e66f6d8 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -7,7 +7,88 @@
 <!-- The updated attribute should be the same as the first public issue, unless an old entry was updated. -->
-<security updated="20190528">
+<security updated="20190730">
+ <issue public="20190730">
+ <impact severity="Low"/>
+ <cve name="2019-1552"/>
+ <affects base="1.1.1" version="1.1.1"/>
+ <affects base="1.1.1" version="1.1.1a"/>
+ <affects base="1.1.1" version="1.1.1b"/>
+ <affects base="1.1.1" version="1.1.1c"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.1.0" version="1.1.0g"/>
+ <affects base="1.1.0" version="1.1.0h"/>
+ <affects base="1.1.0" version="1.1.0i"/>
+ <affects base="1.1.0" version="1.1.0j"/>
+ <affects base="1.1.0" version="1.1.0k"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <affects base="1.0.2" version="1.0.2n"/>
+ <affects base="1.0.2" version="1.0.2o"/>
+ <affects base="1.0.2" version="1.0.2p"/>
+ <affects base="1.0.2" version="1.0.2q"/>
+ <affects base="1.0.2" version="1.0.2r"/>
+ <affects base="1.0.2" version="1.0.2s"/>
+ <fixed base="1.1.1" version="1.1.1d" date="20190706">
+ <git hash="54aa9d51b09d67e90db443f682cface795f5af9e"/>
+ </fixed>
+ <fixed base="1.1.0" version="1.1.0l" date="20190727">
+ <git hash="e32bc855a81a2d48d215c506bdeb4f598045f7e9"/>
+ <git hash="b15a19c148384e73338aa7c5b12652138e35ed28"/>
+ </fixed>
+ <fixed base="1.0.2" version="1.0.2t" date="20190725">
+ <git hash="d333ebaf9c77332754a9d5e111e2f53e1de54fdd"/>
+ </fixed>
+ <problemtype>Insecure defaults</problemtype>
+ <title>Windows builds with insecure path defaults</title>
+ <description>
+ OpenSSL has internal defaults for a directory tree where it can find a
+ configuration file as well as certificates used for verification in
+ TLS. This directory is most commonly referred to as OPENSSLDIR, and
+ is configurable with the --prefix / --openssldir configuration options.
+
+ For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets
+ assume that resulting programs and libraries are installed in a
+ Unix-like environment and the default prefix for program installation
+ as well as for OPENSSLDIR should be '/usr/local'.
+
+ However, mingw programs are Windows programs, and as such, find
+ themselves looking at sub-directories of 'C:/usr/local', which may be
+ world writable, which enables untrusted users to modify OpenSSL's
+ default configuration, insert CA certificates, modify (or even
+ replace) existing engine modules, etc.
+
+ For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR
+ on all Unix and Windows targets, including Visual C builds. However,
+ some build instructions for the diverse Windows targets on 1.0.2
+ encourage you to specify your own --prefix.
+
+ OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.
+ Due to the limited scope of affected deployments this has been
+ assessed as low severity and therefore we are not creating new
+ releases at this time.
+ </description>
+ <advisory url="/news/secadv/20190730.txt"/>
+ <reported source="Rich Mirch"/>
+ </issue>
 <issue public="20190306">
 <impact severity="Low"/>
 <cve name="2019-1543"/>
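Review bot: `<reported source="Rich Mirch"/>` near the end of this hunk disagrees with the advisory added by the same commit (news/secadv/20190730.txt), which credits "Rich Mirth"; one spelling is wrong and the reporter should be credited identically in both places (the advisory's "Referenses" heading suggests that file was not proofread either). A second concern is `<fixed base="1.0.2" version="1.0.2t" date="20190725">`: the description in this hunk says no new releases are being made, and the advisory says the 1.0.2 change only documents the issue and improves build examples, so presumably the `/usr/local/ssl` default itself is unchanged on 1.0.2; if the vulnerabilities page renders this element as "fixed in 1.0.2t", readers may conclude that upgrading removes the exposure. Consider stating that in the description, e.g. `For 1.0.2 the mitigation is documentation and improved build examples only; the default OPENSSLDIR path is unchanged.` Finally, the `date` values on all three `fixed` elements (20190706, 20190727, 20190725) appear to be commit dates rather than release dates of 1.1.1d/1.1.0l/1.0.2t; confirm that is what the site generator expects for `fixed/@date` and that it does not present them as release dates.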