SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack
Buffer Overflow
Release Date: 2012/01/19
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Suhosin Extension <= 0.9.32.1
Severity: A possible stack buffer overflow in Suhosin extension's
transparent cookie encryption that can only be triggered
in an uncommon and weakened Suhosin configuration can lead
to arbitrary remote code execution, if the FORTIFY_SOURCE
compile option was not used when Suhosin was compiled.
Risk: Medium
Vendor Status: Suhosin Extension 0.9.33 was released which fixes this
vulnerability
Reference: http://www.suhosin.org/https://github.com/stefanesser/suhosin
OpenSSL CHANGES
_______________
Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
[Antonio Martin]
* Stop to treat NetBSD's sed as GNU sed, not full compatible.
* Then, no need to reset TOOLS_PLATFORM.gsed for NetBSD if USE_TOOLS+=gsed and
real GNU sed is required.
* In addition, convert simple USE_TOOLS+=gsed to conditionally, without NetBSD.
* convert {BUILD_,}DEPENDS+=gsed to USE_TOOLS, all tools from gsed are real gsed.
Change from previous:
---------------------
20111025
- Do not add CA's only trusted for email and/or code signing (RT#70967)
(if you need that, please let us know and we can see about putting it
in as an option)
versions of libcrypto in sshd. This can happen if OpenSSH is linked with
pkgsrc's OpenSSL and if using nss_ldap, which pulls base-system OpenSSL
through kerberos libraries. One needs to disable the krb5 of nss_ldap
in order to fix that.
OpenSSL CHANGES
_______________
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
for preparing the fix. (CVE-2011-4108)
[Robin Seggelmann, Michael Tuexen]
*) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
[Ben Laurie, Kasper <ekasper@google.com>]
*) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
[Adam Langley (Google)]
*) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
[Adam Langley (Google)]
*) Prevent malformed RFC3779 data triggering an assertion failure.
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
[Rob Austein <sra@hactrn.net>]
*) Fix ssl_ciph.c set-up race.
[Adam Langley (Google)]
*) Fix spurious failures in ecdsatest.c.
[Emilia Käóper (Google)]
*) Fix the BIO_f_buffer() implementation (which was mixing different
interpretations of the '..._len' fields).
[Adam Langley (Google)]
*) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
threads won't reuse the same blinding coefficients.
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
lock to call BN_BLINDING_invert_ex, and avoids one use of
BN_BLINDING_update for each BN_BLINDING structure (previously,
the last update always remained unused).
[Emilia Käóper (Google)]
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH.
[Adam Langley (Google)]
*) Fix x509_name_ex_d2i memory leak on bad inputs.
[Bodo Moeller]
*) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]
*) Fix bug in string printing code: if *any* escaping is enabled we must
escape the escape character (backslash) or the resulting string is
ambiguous.
[Steve Henson]
Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
*) Disable code workaround for ancient and obsolete Netscape browsers
and servers: an attacker can use it in a ciphersuite downgrade attack.
Thanks to Martin Rex for discovering this bug. CVE-2010-4180
[Steve Henson]
*) Fixed J-PAKE implementation error, originally discovered by
Sebastien Martini, further info and confirmation from Stefan
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
[Ben Laurie]
When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.
This is a remote root exploit that is being actively exploited in the wild.
1) Update two configuration files to include DragonFly, which results in
additional generated files.
2) Update PLIST.DragonFly (it was wrong in any case)
Drop ${PHP_BASE_VARS} from PKGVERSION by default.
It used to be required to support multiple php version.
But after PHP version based ${PHP_PKG_PREFIX} was introduced,
such trick is not required anymore.
In addition to this, such version name schme invokes unwanted version bump
when base php version is bumped, plus, such version scheme is hard to
use for DEPENDS pattern.
To avoid downgrading of package using such legacy version scheme,
PECL_LEGACY_VERSION_SCHEME is introduced.
If it is defined, current version scheme is still used for currently
supported PHP version (5 and 53), but instead of ${PHP_BASE_VARS},
current fixed PHP base version in pkgsrc is used to avoid unwanted version bump
from update of PHP base package.
With newer PHP (54, or so on), new version scheme will be used if
it is defined.
This trick will not be required and should be removed after php5 and php53 will
be gone away from pkgsrc.
DragonFly in on OpenSSL 1.0 and this package wasn't building due to the
missing MD5 digest that no longer builds by default on the latest versions
of OpenSSL. FreeBSD already ran into this and patched qca-ossl, and this
ports their fix to pkgsrc.
* liboath: Fix build so that OATH_VERSION_NUMBER is actually defined.
It was an empty value in the last release due to a bug in the build
scripts.
Version 1.10.3
* liboath: Allow strcmp callback to return negative to signal errors.
* Fix bugs in build scripts for generating version numbers.
* Update gnulib files.
Bugfixes:
* Signer: Use debug instead of warning for drudgers queue being full,
also sleep 10 ms if it is full to not hog CPU. This increased signing speed
on single core machines by a factor of 2.
Version 4.50, 2011.12.03, urgency: MEDIUM:
New features
Added Android port.
Updated INSTALL.FIPS.
Bugfixes
Fixed internal memory allocation problem in inetd mode.
Fixed FIPS mode on Microsoft Vista, Server 2008, and Windows 7. This fix required to compile OpenSSL FIPS-compliant DLLs with MSVC 9.0, instead of MSVC 10.0. msvcr100.dll was replaced with msvcr90.dll. GPL compatibility issues are explained in the GPL FAQ: http://www.gnu.org/licenses/gpl-faq.html#WindowsRuntimeAndGPL
POP3 server-side protocol negotiation updated to report STLS capability (thx to Anthony Morgan).
Version 4.49, 2011.11.28, urgency: MEDIUM:
Bugfixes
Missing Microsoft Visual C++ Redistributable (msvcr100.dll) required by FIPS-compliant OpenSSL library was added to the Windows installer.
A bug was fixed causing crashes on MacOS X and some other platforms.
Version 4.48, 2011.11.26, urgency: MEDIUM:
New features
FIPS support on Win32 platform added. OpenSSL 0.9.8r DLLs based on FIPS 1.2.3 canister are included with this version of stunnel. FIPS mode can be disabled with "fips = no" configuration file option.
Bugfixes
Fixed canary initialization problem on Win32 platform.
Version 4.47, 2011.11.21, urgency: MEDIUM:
Internal improvements
CVE-2010-3864 workaround improved to check runtime version of OpenSSL rather than compiled version, and to allow OpenSSL 0.x.x >= 0.9.8p.
Encoding of man page sources changed to UTF-8.
Bugfixes
Handling of socket/SSL close in transfer() function was fixed.
Logging was modified to save and restore system error codes.
Option "service" was restricted to Unix, as since stunnel 4.42 it wasn't doing anything useful on Windows platform.
platform files except Darwin. Also add the *_sse2 entries to Darwin.
Note that both *_amd64 and *_sse2 are conditional on x86_64, so this
division of files per platform is easier to do by PLIST tweaks than by
further Makefile conditionals.
This fixes the build of botan under OS X Lion with ABI=64 and should be
a no-op for all other platforms.
