OpenSSL CHANGES
_______________
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
for preparing the fix. (CVE-2011-4108)
[Robin Seggelmann, Michael Tuexen]
*) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
[Ben Laurie, Kasper <ekasper@google.com>]
*) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
[Adam Langley (Google)]
*) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
[Adam Langley (Google)]
*) Prevent malformed RFC3779 data triggering an assertion failure.
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
[Rob Austein <sra@hactrn.net>]
*) Fix ssl_ciph.c set-up race.
[Adam Langley (Google)]
*) Fix spurious failures in ecdsatest.c.
[Emilia Käóper (Google)]
*) Fix the BIO_f_buffer() implementation (which was mixing different
interpretations of the '..._len' fields).
[Adam Langley (Google)]
*) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
threads won't reuse the same blinding coefficients.
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
lock to call BN_BLINDING_invert_ex, and avoids one use of
BN_BLINDING_update for each BN_BLINDING structure (previously,
the last update always remained unused).
[Emilia Käóper (Google)]
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH.
[Adam Langley (Google)]
*) Fix x509_name_ex_d2i memory leak on bad inputs.
[Bodo Moeller]
*) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]
*) Fix bug in string printing code: if *any* escaping is enabled we must
escape the escape character (backslash) or the resulting string is
ambiguous.
[Steve Henson]
Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
*) Disable code workaround for ancient and obsolete Netscape browsers
and servers: an attacker can use it in a ciphersuite downgrade attack.
Thanks to Martin Rex for discovering this bug. CVE-2010-4180
[Steve Henson]
*) Fixed J-PAKE implementation error, originally discovered by
Sebastien Martini, further info and confirmation from Stefan
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
[Ben Laurie]
This version extends the log messages to show why a blacklist is
matched. It also fixes a few minor bugs.
Added a filter to sendrecv so input containing "\r\n" will be
translated into CRLF without being interpreted as a line
terminator (so multiple commands can be sent in a single "packet")
and input containing "\0" will be translated into NULL bytes
so NULL characters don't have to be embedded in the test scripts.
Added support for the RSET command to smtpdummy.
Added a "priority" field to the input file for dnsdummy to force
some responses to be sent after others, no matter what order
they were received.
Fixed nihdns_mx() to query names for A records using the query
types configured for MX queries, not A queries. Thanks to Eric
Shubert for reporting this one.
Changed smtp_filter() and middleman() to discard any buffered
input after TLS is started. This prevents the injection of
commands into a secure session by sending extra input in the
same packet as the "STARTTLS" command. Not really a security
problem but good practice anyway. Thanks to Eric Shubert for
reporting this one.
Fixed a bug in examine_entry() that was cutting off 1-3 characters
from the end of target_entry every time it was called.
Changed check_ip_in_rdns_keyword() to return the line number of
the matching file as its return value and the name of the
matchine file in a reference variable.
Added reject_reason and strlen_reject_reason to struct rejection_data
to allow the triggered filter to return some text to indicate
why it triggered.
Changed set_rejection() to accept new parameters to set reason
text within the rejection structure if available.
Changed set_rejection() to accept a new parameter to append to
the rejection text if available.
Added reset_rejection() to change either the rejection text or
the reason text within an existing rejection_data structure
without erasing previously-set values.
Changed nihdns_rbl(), check_dnsrbl() and check_rhsbl() not to
accept a format string or build part of the rejection message.
That job belongs to the caller(s).
Changed filter_rdns_blacklist(), filter_rdns_blacklist_file(),
filter_rdns_blacklist_dir(), filter_ip_blacklist(),
filter_ip_in_rdns_blacklist(), filter_dns_rbl(), filter_dns_rhsbl(),
filter_sender_blacklist(), filter_sender_rhsbl() and
filter_recipient_blacklist() to save the reason for their
rejection in the reject_reason variable in rejection_data.
Changed the log messages showing ALLOWED/DENIED to always output
the "reason:" field and fill it with the text returned by the
triggered filter so the sysadmin can figure out what happened
or "(empty)" if no text was saved. Thanks to Eric Shubert for
suggesting this one.
Changed the way DNS timeout values are read from the configuration
file, the command line, /etc/resolv.conf and the environment
so that values given in the config file or on the command line
are not overridden by values in /etc/resolv.conf or the
environment. Thanks to Teodor Milkov for reporting this one.
Changed the reject-empty-rdns filter, the IP-related black/whitelist
filters and the IP-related RBL filters to skip their tests if
the incoming IP address is 0.0.0.0. This is for connections
from IPv6 hosts -- those filters can be skipped until full IPv6
support can be added. Thanks to Daniel Anliker for suggesting
this.
Changed the way the flag FILTER_DECISION_TRANSIENT_DO_NOT_FILTER
is handled by smtp_filter() and middleman() so a transient
non-rejection (e.g a recipient whitelist) isn't held over to
later recipients. The interaction between the recipient whitelist
and the graylist filter was fixed in version 4.0.0 but an issue
still remained between recipient whitelists and other non-transient
rejections like the missing rDNS filter. Thanks to bischowski
for reporting this one.
Changed smtpdummy to use memchr() instead of strchr() so testing
input with NULL bytes will work correctly.
