author | Matt Caswell <matt@openssl.org> | 2019-02-26 10:21:24 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2019-02-26 14:13:05 +0000 |
commit | 28c43df9288c50be6e03ee5b52dfc0e261d9eb60 (patch) | |
tree | cd675d4995b9593cafe1136d1f3b6832dc202833 | |
parent | 48c8bcf5bca0ce7751f49599381e143de1b61786 (diff) |
Updates CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rw-r--r-- | CHANGES | 22 | ||||
-rw-r--r-- | NEWS | 2 |
2 files changed, 23 insertions, 1 deletions
@@ -9,6 +9,28 @@ Changes between 1.0.2q and 1.0.2r [xx XXX xxxx] + *) 0-byte record padding oracle + + If an application encounters a fatal protocol error and then calls + SSL_shutdown() twice (once to send a close_notify, and once to receive one) + then OpenSSL can respond differently to the calling application if a 0 byte + record is received with invalid padding compared to if a 0 byte record is + received with an invalid MAC. If the application then behaves differently + based on that in a way that is detectable to the remote peer, then this + amounts to a padding oracle that could be used to decrypt data. + + In order for this to be exploitable "non-stitched" ciphersuites must be in + use. Stitched ciphersuites are optimised implementations of certain + commonly used ciphersuites. Also the application must call SSL_shutdown() + twice even if a protocol error has occurred (applications should not do + this but some do anyway). + + This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod + Aviram, with additional investigation by Steven Collison and Andrew + Hourselt. It was reported to OpenSSL on 10th December 2018. + (CVE-2019-1559) + [Matt Caswell] + *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). [Richard Levitte] @@ -7,7 +7,7 @@ Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [under development] - o + o 0-byte record padding oracle (CVE-2019-1559) Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] |
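Review bot: In the CHANGES hunk, the second paragraph of the new entry makes exposure depend on "non-stitched" ciphersuites but defines stitched ones only as "optimised implementations of certain commonly used ciphersuites", so a reader cannot tell from this text whether their configuration is affected. Consider saying how to determine that, or pointing to the security advisory for the details. The same paragraph notes that "applications should not do this but some do anyway"; stating the guidance directly (do not call SSL_shutdown() a second time after a fatal protocol error) would give application developers something to check in their own code, separately from upgrading.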
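Review bot: In the NEWS hunk, the context header still reads "[under development]", and the CHANGES header in the first hunk still reads "[xx XXX xxxx]", although the commit message says these updates are for the new release. If the date is filled in by a separate release commit this is fine; otherwise both headers need the release date before tagging. The NEWS line itself matches the CHANGES title and CVE identifier.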