The branch master has been updated via dd5f38e589cf996a273ab78b9ef741e7d78f2eb7 (commit) from 15064d72540a2d5405d749acd74caeb8683ae886 (commit)
- Log ----------------------------------------------------------------- commit dd5f38e589cf996a273ab78b9ef741e7d78f2eb7 Author: Matt Caswell <m...@openssl.org> Date: Thu Mar 25 10:53:37 2021 +0000 Updates for the 1.1.1k release Reviewed-by: Tim Hudson <t...@openssl.org> ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 1 + news/secadv/20210325.txt | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ news/vulnerabilities.xml | 86 ++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 176 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20210325.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 1bbcaf2..648a68a 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -5,6 +5,7 @@ # headings. URL paths must all be absolute. Date: Item +25-Mar-2021: OpenSSL 1.1.1k is now available, including bug and security fixes 11-Mar-2021: Alpha 13 of OpenSSL 3.0 is now available: please download and test it 18-Feb-2021: Alpha 12 of OpenSSL 3.0 is now available: please download and test it 16-Feb-2021: OpenSSL 1.1.1j is now available, including bug and security fixes diff --git a/news/secadv/20210325.txt b/news/secadv/20210325.txt new file mode 100644 index 0000000..2ffb50c --- /dev/null +++ b/news/secadv/20210325.txt @@ -0,0 +1,90 @@ +OpenSSL Security Advisory [25 March 2021] +========================================= + +CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450) +======================================================================== + +Severity: High + +The X509_V_FLAG_X509_STRICT flag enables additional security checks of the +certificates present in a certificate chain. It is not set by default. + +Starting from OpenSSL version 1.1.1h a check to disallow certificates in +the chain that have explicitly encoded elliptic curve parameters was added +as an additional strict check. + +An error in the implementation of this check meant that the result of a +previous check to confirm that certificates in the chain are valid CA +certificates was overwritten. This effectively bypasses the check +that non-CA certificates must not be able to issue other certificates. + +If a "purpose" has been configured then there is a subsequent opportunity +for checks that the certificate is a valid CA. All of the named "purpose" +values implemented in libcrypto perform this check. Therefore, where +a purpose is set the certificate chain will still be rejected even when the +strict flag has been used. A purpose is set by default in libssl client and +server certificate verification routines, but it can be overridden or +removed by an application. + +In order to be affected, an application must explicitly set the +X509_V_FLAG_X509_STRICT verification flag and either not set a purpose +for the certificate verification or, in the case of TLS client or server +applications, override the default purpose. + +OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these +versions should upgrade to OpenSSL 1.1.1k. + +OpenSSL 1.0.2 is not impacted by this issue. + +This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk +from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was +developed by Tomáš Mráz. + + +NULL pointer deref in signature_algorithms processing (CVE-2021-3449) +===================================================================== + +Severity: High + +An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation +ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits +the signature_algorithms extension (where it was present in the initial +ClientHello), but includes a signature_algorithms_cert extension then a NULL +pointer dereference will result, leading to a crash and a denial of service +attack. + +A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which +is the default configuration). OpenSSL TLS clients are not impacted by this +issue. + +All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions +should upgrade to OpenSSL 1.1.1k. + +OpenSSL 1.0.2 is not impacted by this issue. + +This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was +developed by Peter Kästle and Samuel Sapalski from Nokia. + +Note +==== + +OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended +support is available for premium support customers: +https://www.openssl.org/support/contracts.html + +OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. +The impact of these issues on OpenSSL 1.1.0 has not been analysed. + +Users of these versions should upgrade to OpenSSL 1.1.1. + +References +========== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20210325.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 255c8e2..c1b47e2 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,91 @@ <!-- The updated attribute should be the same as the first public issue, unless an old entry was updated. --> -<security updated="20210216"> +<security updated="20210325"> + <issue public="20210325"> + <impact severity="High"/> + <cve name="2021-3450"/> + <affects base="1.1.1" version="1.1.1h"/> + <affects base="1.1.1" version="1.1.1i"/> + <affects base="1.1.1" version="1.1.1j"/> + <fixed base="1.1.1" version="1.1.1k" date="20210325"> + <git hash="2a40b7bc7b94dd7de897a74571e7024f0cf0d63b"/> + </fixed> + <problemtype>Invalid Certificate Verification</problemtype> + <title>CA certificate check bypass with X509_V_FLAG_X509_STRICT</title> + <description> +The X509_V_FLAG_X509_STRICT flag enables additional security checks of the +certificates present in a certificate chain. It is not set by default. + +Starting from OpenSSL version 1.1.1h a check to disallow certificates in +the chain that have explicitly encoded elliptic curve parameters was added +as an additional strict check. + +An error in the implementation of this check meant that the result of a +previous check to confirm that certificates in the chain are valid CA +certificates was overwritten. This effectively bypasses the check +that non-CA certificates must not be able to issue other certificates. + +If a "purpose" has been configured then there is a subsequent opportunity +for checks that the certificate is a valid CA. All of the named "purpose" +values implemented in libcrypto perform this check. Therefore, where +a purpose is set the certificate chain will still be rejected even when the +strict flag has been used. A purpose is set by default in libssl client and +server certificate verification routines, but it can be overridden or +removed by an application. + +In order to be affected, an application must explicitly set the +X509_V_FLAG_X509_STRICT verification flag and either not set a purpose +for the certificate verification or, in the case of TLS client or server +applications, override the default purpose. + +OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these +versions should upgrade to OpenSSL 1.1.1k. + +OpenSSL 1.0.2 is not impacted by this issue. + </description> + <advisory url="/news/secadv/20210325.txt"/> + <reported source="Benjamin Kaduk (Akamai), Xiang Ding (Akamai), others at Akamai"/> + </issue> + <issue public="20210325"> + <impact severity="High"/> + <cve name="2021-3449"/> + <affects base="1.1.1" version="1.1.1"/> + <affects base="1.1.1" version="1.1.1a"/> + <affects base="1.1.1" version="1.1.1b"/> + <affects base="1.1.1" version="1.1.1c"/> + <affects base="1.1.1" version="1.1.1d"/> + <affects base="1.1.1" version="1.1.1e"/> + <affects base="1.1.1" version="1.1.1f"/> + <affects base="1.1.1" version="1.1.1g"/> + <affects base="1.1.1" version="1.1.1h"/> + <affects base="1.1.1" version="1.1.1i"/> + <affects base="1.1.1" version="1.1.1j"/> + <fixed base="1.1.1" version="1.1.1k" date="20210325"> + <git hash="fb9fa6b51defd48157eeb207f52181f735d96148"/> + </fixed> + <problemtype>NULL pointer dereference</problemtype> + <title>NULL pointer deref in signature_algorithms processing</title> + <description> +An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation +ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits +the signature_algorithms extension (where it was present in the initial +ClientHello), but includes a signature_algorithms_cert extension then a NULL +pointer dereference will result, leading to a crash and a denial of service +attack. + +A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which +is the default configuration). OpenSSL TLS clients are not impacted by this +issue. + +All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions +should upgrade to OpenSSL 1.1.1k. + +OpenSSL 1.0.2 is not impacted by this issue. + </description> + <advisory url="/news/secadv/20210325.txt"/> + <reported source="Peter Kästle (Nokia) and Samuel Sapalski (Nokia)"/> + </issue> <issue public="20210216"> <impact severity="Moderate"/> <cve name="2021-23841"/>