
Commit


TLS/SSL and crypto library


Commit MetaInfo

Revision: 6545372c249d287687bbb8dec80ee76b0e7cac43 (tree)
Time: 2011-02-09 02:10:53
Author: Bodo Möller <bodo@open...>
Committer: Bodo Möller

Log Message

OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)

Submitted by: Neel Mehta, Adam Langley, Bodo Moeller

Change Summary

Modification

--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,10 @@
22 OpenSSL CHANGES
33 _______________
44
5- Changes between 1.0.0c and 1.0.0d [xx XXX xxxx]
5+ Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
6+
7+ *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
8+ [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
69
710 *) Fix bug in string printing code: if *any* escaping is enabled we must
811 escape the escape character (backslash) or the resulting string is
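Review bot: The new 1.0.0d entry for CVE-2011-0014 says only "Fix parsing of OCSP stapling ClientHello extension" and does not state the consequence of the bad parse, whereas other entries in this file name the effect (for example "buffer overrun vulnerability" for CVE-2010-3864). One more sentence on what a malformed extension can cause, and which configurations are affected, would let operators judge upgrade urgency from CHANGES alone.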
@@ -879,11 +882,34 @@
879882 *) Change 'Configure' script to enable Camellia by default.
880883 [NTT]
881884
882- Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
885+ Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
886+
887+ *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
888+ [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
889+
890+ *) Fix bug in string printing code: if *any* escaping is enabled we must
891+ escape the escape character (backslash) or the resulting string is
892+ ambiguous.
893+ [Steve Henson]
894+
895+ Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
896+
897+ *) Disable code workaround for ancient and obsolete Netscape browsers
898+ and servers: an attacker can use it in a ciphersuite downgrade attack.
899+ Thanks to Martin Rex for discovering this bug. CVE-2010-4180
900+ [Steve Henson]
901+
902+ *) Fixed J-PAKE implementation error, originally discovered by
903+ Sebastien Martini, further info and confirmation from Stefan
904+ Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
905+ [Ben Laurie]
906+
907+ Changes between 0.9.8o and 0.9.8p [16 Nov 2010]
883908
884909 *) Fix extension code to avoid race conditions which can result in a buffer
885910 overrun vulnerability: resumed sessions must not be modified as they can
886911 be shared by multiple threads. CVE-2010-3864
912+ [Steve Henson]
887913
888914 *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
889915 [Steve Henson]
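Review bot: Besides the 0.9.8r entry, this hunk backfills the whole 0.9.8q section, dates the 0.9.8p heading and adds a "[Steve Henson]" credit to the CVE-2010-3864 entry, none of which relates to the OCSP stapling fix named in the log message. Consider landing the changelog sync as its own commit, or mentioning it in the log message, so the security fix is easier to identify and backport.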
--- a/FAQ
+++ b/FAQ
@@ -82,7 +82,7 @@ OpenSSL - Frequently Asked Questions
8282 * Which is the current version of OpenSSL?
8383
8484 The current version is available from <URL: http://www.openssl.org>.
85-OpenSSL 1.0.0c was released on Dec 2nd, 2010.
85+OpenSSL 1.0.0d was released on Feb 8th, 2011.
8686
8787 In addition to the current stable release, you can also access daily
8888 snapshots of the OpenSSL development version at <URL:
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@
1212 ---------------
1313
1414 /* ====================================================================
15- * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved.
15+ * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
1616 *
1717 * Redistribution and use in source and binary forms, with or without
1818 * modification, are permitted provided that the following conditions
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@
55 This file gives a brief overview of the major changes between each OpenSSL
66 release. For more details please read the CHANGES file.
77
8+ Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d:
9+
10+ o Fix for security issue CVE-2011-0014
11+
812 Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
913
1014 o Fix for security issue CVE-2010-4180
@@ -47,6 +51,10 @@
4751 o Opaque PRF Input TLS extension support.
4852 o Updated time routines to avoid OS limitations.
4953
54+ Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
55+
56+ o Fix for security issue CVE-2011-0014
57+
5058 Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
5159
5260 o Fix for security issue CVE-2010-4180
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
11
2- OpenSSL 1.0.0d-dev
2+ OpenSSL 1.0.0d
33
4- Copyright (c) 1998-2010 The OpenSSL Project
4+ Copyright (c) 1998-2011 The OpenSSL Project
55 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
66 All rights reserved.
77
--- a/STATUS
+++ b/STATUS
@@ -1,14 +1,20 @@
11
22 OpenSSL STATUS Last modified at
3- ______________ $Date: 2010/12/02 18:29:03 $
3+ ______________ $Date: 2011/02/08 17:10:52 $
44
55 DEVELOPMENT STATE
66
77 o OpenSSL 1.1.0: Under development...
8+ o OpenSSL 1.0.1: Under development...
9+ o OpenSSL 1.0.0d: Released on February 8nd, 2011
810 o OpenSSL 1.0.0c: Released on December 2nd, 2010
911 o OpenSSL 1.0.0b: Released on November 16th, 2010
1012 o OpenSSL 1.0.0a: Released on June 1st, 2010
1113 o OpenSSL 1.0.0: Released on March 29th, 2010
14+ o OpenSSL 0.9.8r: Released on February 8nd, 2011
15+ o OpenSSL 0.9.8q: Released on December 2nd, 2010
16+ o OpenSSL 0.9.8p: Released on November 16th, 2010
17+ o OpenSSL 0.9.8o: Released on June 1st, 2010
1218 o OpenSSL 0.9.8n: Released on March 24th, 2010
1319 o OpenSSL 0.9.8m: Released on February 25th, 2010
1420 o OpenSSL 0.9.8l: Released on November 5th, 2009
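Review bot: Typo in both added release lines: "February 8nd, 2011" should read "February 8th, 2011" for 1.0.0d and for 0.9.8r.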
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,11 +25,11 @@
2525 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
2626 * major minor fix final patch/beta)
2727 */
28-#define OPENSSL_VERSION_NUMBER 0x10000040L
28+#define OPENSSL_VERSION_NUMBER 0x1000004fL
2929 #ifdef OPENSSL_FIPS
30-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-fips-dev xx XXX xxxx"
30+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-fips 8 Feb 2011"
3131 #else
32-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-dev xx XXX xxxx"
32+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d 8 Feb 2011"
3333 #endif
3434 #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
3535
--- a/openssl.spec
+++ b/openssl.spec
@@ -9,8 +9,8 @@ Release: 1
99
1010 Summary: Secure Sockets Layer and cryptography libraries and tools
1111 Name: openssl
12-Version: %{libmaj}.%{libmin}.%{librel}
13-#Version: %{libmaj}.%{libmin}.%{librel}%{librev}
12+#Version: %{libmaj}.%{libmin}.%{librel}
13+Version: %{libmaj}.%{libmin}.%{librel}%{librev}
1414 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
1515 Copyright: Freely distributable
1616 Group: System Environment/Libraries
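Review bot: Flipping which `Version:` line is commented out means this file needs a hand edit each time a release gains or loses a letter suffix. If `librev` is defined further up in the spec (not visible in this hunk), a single `Version: %{libmaj}.%{libmin}.%{librel}%{?librev}` line would cover both cases and the commented-out variant could be dropped.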
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
917917 }
918918 n2s(data, idsize);
919919 dsize -= 2 + idsize;
920+ size -= 2 + idsize;
920921 if (dsize < 0)
921922 {
922923 *al = SSL_AD_DECODE_ERROR;
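Review bot: The added `size -= 2 + idsize;` keeps `size` in step with `dsize`, but the check right after it still tests only `dsize < 0`, so the correctness of `size` at this point rests on a relationship between the two counters that is established outside this hunk. A short comment stating what each counter tracks, or extending the check to `if (dsize < 0 || size < 0)`, would make that auditable where the values are used.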
@@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
955956 }
956957
957958 /* Read in request_extensions */
959+ if (size < 2)
960+ {
961+ *al = SSL_AD_DECODE_ERROR;
962+ return 0;
963+ }
958964 n2s(data,dsize);
959965 size -= 2;
960- if (dsize > size)
966+ if (dsize != size)
961967 {
962968 *al = SSL_AD_DECODE_ERROR;
963969 return 0;
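Review bot: The change from `dsize > size` to `dsize != size` also rejects a request_extensions block that is shorter than the remaining extension data, which is stricter than before and deserves a comment saying that trailing bytes are treated as a decode error on purpose. None of the files touched in this commit is a test; a regression case that feeds truncated and over-long status_request extensions through `ssl_parse_clienthello_tlsext` would guard the new `size < 2` and `dsize != size` checks.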
--- a/util/mkerr.pl
+++ b/util/mkerr.pl
@@ -391,7 +391,7 @@ foreach $lib (keys %csrc)
391391 } else {
392392 push @out,
393393 "/* ====================================================================\n",
394-" * Copyright (c) 2001-2010 The OpenSSL Project. All rights reserved.\n",
394+" * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.\n",
395395 " *\n",
396396 " * Redistribution and use in source and binary forms, with or without\n",
397397 " * modification, are permitted provided that the following conditions\n",