author | Dr. Stephen Henson <steve@openssl.org> | 2012-03-12 14:51:45 +0000
---|---|---
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-03-12 14:51:45 +0000
commit | 4f2fc3c2ddf6289daf9fc1d57e48a0f6ec4e772a (patch) |
tree | d363d0d0d7a1648958e9cba47a0895deeee166e5 /CHANGES |
parent | 48819f4d545a16fbfd45a0eb22fb93e08a3a6096 (diff) |
Fix for CMS/PKCS7 MMA. If RSA decryption fails use a random key and
continue with symmetric decryption process to avoid leaking timing
information to an attacker.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this issue. (CVE-2012-0884)
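The random-key fallback described in the commit message above and in the CHANGES entry, as an added Python example that is not OpenSSL's code: a toy content-decryption path in its pre-fix shape (distinct early error on bad RSA padding) beside its post-fix shape (random key, same error from the same path). The RSA operation itself is not modelled (the block passed in stands in for its output), the symmetric cipher is a constructed SHA-256/HMAC stream cipher, and every function name here is an assumption.

```python
import hashlib
import hmac
import os

class DecryptError(Exception):
    """The one error type raised by the content-decryption path."""

def pkcs1_v15_unpad(em, key_len):
    """Check an EME-PKCS1-v1_5 block (00 02 PS 00 M); return M, or None if the padding is bad.
    Stands in for the RSA private-key output; only the padding check an MMA attacker probes is modelled."""
    if len(em) != key_len or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator, or fewer than 8 bytes of padding string
        return None
    return em[sep + 1:]

def symmetric_encrypt(cek, plaintext):
    """Toy authenticated stream cipher (constructed): SHA-256-derived keystream plus HMAC-SHA256 tag."""
    stream = hashlib.sha256(b"stream" + cek).digest()
    ciphertext = bytes(p ^ stream[i % 32] for i, p in enumerate(plaintext))
    return ciphertext, hmac.new(cek, ciphertext, hashlib.sha256).digest()

def symmetric_decrypt(cek, ciphertext, tag):
    """Inverse of symmetric_encrypt; a wrong key surfaces as a tag mismatch."""
    if not hmac.compare_digest(hmac.new(cek, ciphertext, hashlib.sha256).digest(), tag):
        raise DecryptError("content decryption failed")
    stream = hashlib.sha256(b"stream" + cek).digest()
    return bytes(c ^ stream[i % 32] for i, c in enumerate(ciphertext))

def decrypt_leaky(em, key_len, ciphertext, tag):
    """Pre-fix shape: bad RSA padding exits early with its own error, which is the oracle."""
    cek = pkcs1_v15_unpad(em, key_len)
    if cek is None:
        raise DecryptError("bad RSA padding")
    return symmetric_decrypt(cek, ciphertext, tag)

def decrypt_hardened(em, key_len, ciphertext, tag, cek_len=16):
    """Post-fix shape: bad padding becomes a random CEK and decryption continues,
    so invalid padding and a wrong key both end in the same error from the same code path."""
    cek = pkcs1_v15_unpad(em, key_len)
    if cek is None or len(cek) != cek_len:
        cek = os.urandom(cek_len)
    return symmetric_decrypt(cek, ciphertext, tag)

def make_block(cek, key_len):
    """Constructed test input: a well-formed block with a fixed non-zero padding string."""
    return b"\x00\x02" + b"\x01" * (key_len - 3 - len(cek)) + b"\x00" + cek
```

As the CHANGES entry notes, this only removes the distinguishable error at the CMS/PKCS7 layer, which is why the old behaviour stays available behind CMS_DEBUG_DECRYPT for debugging.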
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 11 |
1 files changed, 11 insertions, 0 deletions
@@ -4,6 +4,17 @@ Changes between 0.9.8t and 0.9.8u [xx XXX xxxx] + *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness + in CMS and PKCS7 code. When RSA decryption fails use a random key for + content decryption and always return the same error. Note: this attack + needs on average 2^20 messages so it only affects automated senders. The + old behaviour can be reenabled in the CMS code by setting the + CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where + an MMA defence is not necessary. + Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering + this issue. (CVE-2012-0884) + [Steve Henson] + *) Fix CVE-2011-4619: make sure we really are receiving a client hello before rejecting multiple SGC restarts. Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug. |
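Review bot: the entry describes the CMS_DEBUG_DECRYPT opt-out only "in the CMS code" although the same bullet says the fix covers both the CMS and the PKCS7 code; state whether the PKCS7 path has an equivalent switch or no opt-out at all, so readers know where the original decryption error can still be observed when debugging. Minor: "reenabled" reads better as "re-enabled".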