Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 May 2016 18:52:43 +0200
From: Gsunde Orangen <gsunde.orangen@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSL Security Advisory [3rd May 2016]

My current view on three of the issues:

* Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
The advisory says: "This issue was introduced as part of the fix for
Lucky 13 padding attack (CVE-2013-0169)".
So the following versions should be affected (ref.
https://openssl.org/news/vulnerabilities.html#y2013):
 - 1.0.2 through 1.02g
 - 1.0.1d through 1.0.1s
 - 1.0.0k and all later versions
 - 0.9.8y and all later versions

* ASN.1 BIO excessive memory allocation (CVE-2016-2109)
The OpenSSL code history tells that the vulnerable code is also in the
0.9.8 and 1.0.0 lines --> affected

* EBCDIC overread (CVE-2016-2176)
The OpenSS code history tells that the vulnerable code is also in the
0.9.8 and 1.0.0 lines --> affected
(btw: curious about where there are still EBCDIC systems that use
OpenSSL and are interested in fixing vulnerabilities...?)

Gsunde



On 03.05.2016, 17:21 Solar Designer wrote:
> Now we need to figure out which of these affect latest OpenSSL 1.0.0,
> even if unsupported.  I guess "Memory corruption in the ASN.1 encoder
> (CVE-2016-2108)" was fixed in 1.0.0 branch in 2015 as well?  I guess
> "Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)" doesn't affect
> 1.0.0 since it lacks AES-NI support?  (I haven't confirmed either yet.)
> 
> ----- Forwarded message from OpenSSL <openssl@...nssl.org> -----
> 
> Date: Tue, 3 May 2016 14:04:55 +0000
> From: OpenSSL <openssl@...nssl.org>
> To: OpenSSL Developer ML <openssl-dev@...nssl.org>,
>  OpenSSL User Support ML <openssl-users@...nssl.org>,
>  OpenSSL Announce ML <openssl-announce@...nssl.org>
> Subject: [openssl-announce] OpenSSL Security Advisory
> 
> 
> OpenSSL Security Advisory [3rd May 2016]
> ========================================

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ