神刀安全网

OpenSSL 1.0.2h is now available, including bug and security fixes

The major changes and known issues for the 1.0.2 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.

More details can be found in theChangeLog.

Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]

  • Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
  • Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
  • Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
  • Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
  • EBCDIC overread (CVE-2016-2176)
  • Modify behavior of ALPN to invoke callback after SNI/servername callback, such that updates to the SSL_CTX affect ALPN.
  • Remove LOW from the DEFAULT cipher list. This removes singles DES from the default.
  • Only remove the SSLv2 methods with the no-ssl2-method option.

Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]

  • Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
  • Disable SSLv2 default build, default negotiation and weak ciphers (CVE-2016-0800)
  • Fix a double-free in DSA code (CVE-2016-0705)
  • Disable SRP fake user seed to address a server memory leak (CVE-2016-0798)
  • Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
  • Fix memory issues in BIO_*printf functions (CVE-2016-0799)
  • Fix side channel attack on modular exponentiation (CVE-2016-0702)

Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]

  • DH small subgroups (CVE-2016-0701)
  • SSLv2 doesn’t block disabled ciphers (CVE-2015-3197)

Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]

  • BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
  • Certificate verify crash with missing PSS parameter (CVE-2015-3194)
  • X509_ATTRIBUTE memory leak (CVE-2015-3195)
  • Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
  • In DSA_generate_parameters_ex, if the provided seed is too short, return an error

Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]

  • Alternate chains certificate forgery (CVE-2015-1793)
  • Race condition handling PSK identify hint (CVE-2015-3196)

Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]

  • Fix HMAC ABI incompatibility

Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]

  • Malformed ECParameters causes infinite loop (CVE-2015-1788)
  • Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
  • PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
  • CMS verify infinite loop with unknown hash function (CVE-2015-1792)
  • Race condition handling NewSessionTicket (CVE-2015-1791)

Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]

  • OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
  • Multiblock corrupted pointer fix (CVE-2015-0290)
  • Segmentation fault in DTLSv1_listen fix (CVE-2015-0207)
  • Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
  • Segmentation fault for invalid PSS parameters fix (CVE-2015-0208)
  • ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
  • PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
  • DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
  • Empty CKE with client auth and DHE fix (CVE-2015-1787)
  • Handshake with unseeded PRNG fix (CVE-2015-0285)
  • Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
  • X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
  • Removed the export ciphers from the DEFAULT ciphers

Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:

  • Suite B support for TLS 1.2 and DTLS 1.2
  • Support for DTLS 1.2
  • TLS automatic EC curve selection.
  • API to set TLS supported signature algorithms and curves
  • SSL_CONF configuration API.
  • TLS Brainpool support.
  • ALPN support.
  • CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » OpenSSL 1.0.2h is now available, including bug and security fixes

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址