diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-04-06 00:51:06 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-04-07 19:44:38 +0100 |
commit | 731f431497f463f3a2a97236fe0187b11c44aead (patch) | |
tree | 1740eb9099bdb2e120c6d9fbfd10572d58a6f436 /CHANGES | |
parent | 4e6c12f3088d3ee5747ec9e16d03fc671b8f40be (diff) |
Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
(cherry picked from commit 96db9023b881d7cd9f379b0c154650d6c108e9a3)
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 9 |
1 files changed, 9 insertions, 0 deletions
@@ -4,6 +4,15 @@ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] + *) A missing bounds check in the handling of the TLS heartbeat extension + can be used to reveal up to 64k of memory to a connected client or + server. + + Thanks for Neel Mehta of Google Security for discovering this bug and to + Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for + preparing the fix (CVE-2014-0160) + [Adam Langley, Bodo Moeller] + *) Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: |