Date: Tue, 3 May 2016 18:52:43 +0200 From: Gsunde Orangen <gsunde.orangen@...il.com> To: oss-security@...ts.openwall.com Subject: Re: OpenSSL Security Advisory [3rd May 2016] My current view on three of the issues: * Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) The advisory says: "This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169)". So the following versions should be affected (ref. https://openssl.org/news/vulnerabilities.html#y2013): - 1.0.2 through 1.02g - 1.0.1d through 1.0.1s - 1.0.0k and all later versions - 0.9.8y and all later versions * ASN.1 BIO excessive memory allocation (CVE-2016-2109) The OpenSSL code history tells that the vulnerable code is also in the 0.9.8 and 1.0.0 lines --> affected * EBCDIC overread (CVE-2016-2176) The OpenSS code history tells that the vulnerable code is also in the 0.9.8 and 1.0.0 lines --> affected (btw: curious about where there are still EBCDIC systems that use OpenSSL and are interested in fixing vulnerabilities...?) Gsunde On 03.05.2016, 17:21 Solar Designer wrote: > Now we need to figure out which of these affect latest OpenSSL 1.0.0, > even if unsupported. I guess "Memory corruption in the ASN.1 encoder > (CVE-2016-2108)" was fixed in 1.0.0 branch in 2015 as well? I guess > "Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)" doesn't affect > 1.0.0 since it lacks AES-NI support? (I haven't confirmed either yet.) > > ----- Forwarded message from OpenSSL <openssl@...nssl.org> ----- > > Date: Tue, 3 May 2016 14:04:55 +0000 > From: OpenSSL <openssl@...nssl.org> > To: OpenSSL Developer ML <openssl-dev@...nssl.org>, > OpenSSL User Support ML <openssl-users@...nssl.org>, > OpenSSL Announce ML <openssl-announce@...nssl.org> > Subject: [openssl-announce] OpenSSL Security Advisory > > > OpenSSL Security Advisory [3rd May 2016] > ========================================
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ