oss-sec mailing list archives
Re: OpenSSL Security Advisory [3rd May 2016]
From: Gsunde Orangen <gsunde.orangen () gmail com>
Date: Tue, 3 May 2016 18:52:43 +0200
My current view on three of the issues:

* Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

The advisory says: "This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169)". So the following versions should be affected (ref. https://openssl.org/news/vulnerabilities.html#y2013):
- 1.0.2 through 1.0.2g
- 1.0.1d through 1.0.1s
- 1.0.0k and all later versions
- 0.9.8y and all later versions

* ASN.1 BIO excessive memory allocation (CVE-2016-2109)

The OpenSSL code history tells that the vulnerable code is also in the 0.9.8 and 1.0.0 lines --> affected

* EBCDIC overread (CVE-2016-2176)

The OpenSSL code history tells that the vulnerable code is also in the 0.9.8 and 1.0.0 lines --> affected

(btw: curious about where there are still EBCDIC systems that use OpenSSL and are interested in fixing vulnerabilities...?)

Gsunde

On 03.05.2016, 17:21 Solar Designer wrote:
> Now we need to figure out which of these affect latest OpenSSL 1.0.0, even if unsupported.
>
> I guess "Memory corruption in the ASN.1 encoder (CVE-2016-2108)" was fixed in 1.0.0 branch in 2015 as well?
>
> I guess "Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)" doesn't affect 1.0.0 since it lacks AES-NI support?
>
> (I haven't confirmed either yet.)
>
> ----- Forwarded message from OpenSSL <openssl () openssl org> -----
>
> Date: Tue, 3 May 2016 14:04:55 +0000
> From: OpenSSL <openssl () openssl org>
> To: OpenSSL Developer ML <openssl-dev () openssl org>, OpenSSL User Support ML <openssl-users () openssl org>, OpenSSL Announce ML <openssl-announce () openssl org>
> Subject: [openssl-announce] OpenSSL Security Advisory
>
> OpenSSL Security Advisory [3rd May 2016]
> ========================================
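As an added example (editor's code, not from the post above and not OpenSSL's own tooling), the following Python encodes the four CVE-2016-2107 version ranges Gsunde lists, exactly as stated in the post, and checks a version string or an `openssl version` banner against them. The ranges are the poster's reading of the advisory and are not independently verified here; what the code assumes is OpenSSL's pre-1.1.0 version grammar (`major.minor.fix` plus a letter patch level, where `z` is followed by `za`, `zb`, ...), and that a "-fips" style suffix on a banner can be dropped before comparing. The sample banners in the test are constructed.

```python
import re
import subprocess

# Affected ranges for CVE-2016-2107 as stated in the post above. A high bound
# of None means "and all later releases on that line" (the poster's words).
# These are the poster's claims, encoded verbatim, not an independent audit.
AFFECTED_RANGES = [
    ("1.0.2", "1.0.2g"),   # 1.0.2 through 1.0.2g
    ("1.0.1d", "1.0.1s"),  # 1.0.1d through 1.0.1s
    ("1.0.0k", None),      # 1.0.0k and all later versions
    ("0.9.8y", None),      # 0.9.8y and all later versions
]

# Pre-1.1.0 OpenSSL version grammar (assumption): digits, dot, digits, dot,
# digits, then an optional run of lowercase patch letters ("", "a".."z", "za"..).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Turn '1.0.1s' into a tuple that sorts the way OpenSSL releases do.

    The patch letters become a tuple of 1-based ordinals, so that
    '' < 'a' < ... < 'z' < 'za' < 'zb' ..., matching the 0.9.8 series.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letters = m.groups()
    patch = tuple(ord(c) - ord("a") + 1 for c in letters)
    return (int(major), int(minor), int(fix), patch)


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if `version` falls inside one of the stated ranges.

    A range only applies to its own release line (same major.minor.fix), so
    '1.0.0k and later' never matches a 1.0.1 or 1.1.0 build.
    """
    v = parse_version(version)
    for low, high in ranges:
        lo = parse_version(low)
        if v[:3] != lo[:3]:          # different release line, e.g. 1.1.0 vs 1.0.0
            continue
        if v < lo:
            continue
        if high is not None and v > parse_version(high):
            continue
        return True
    return False


def version_from_banner(banner):
    """Extract the version token from `openssl version` output.

    Handles banners such as 'OpenSSL 1.0.2g  1 Mar 2016' and distro builds
    like 'OpenSSL 1.0.1e-fips 11 Feb 2013' (the '-fips' suffix is dropped;
    assumption: everything after the first '-' is a build tag, not a version).
    """
    parts = banner.split()
    if len(parts) < 2 or parts[0] != "OpenSSL":
        raise ValueError(f"not an openssl version banner: {banner!r}")
    return parts[1].split("-")[0]


def check_local_openssl():
    """Run the local `openssl version` and report the range check as (version, affected)."""
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    version = version_from_banner(banner)
    return version, is_affected(version)


if __name__ == "__main__":
    try:
        ver, hit = check_local_openssl()
        print(f"OpenSSL {ver}: {'in' if hit else 'NOT in'} the CVE-2016-2107 ranges stated in the post")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"could not run openssl: {exc}")
```

A version-number match is only a first cut: Debian, Red Hat and others backport fixes without bumping the upstream version string, so a "1.0.1e-fips" that this check flags may already carry the fix, and the converse (a vendor tree that added the Lucky 13 fix to an older base) is possible too. Treat a hit as "go and confirm against the vendor changelog", not as a verdict.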
Current thread:
- OpenSSL Security Advisory [3rd May 2016] Solar Designer (May 03)
- Re: OpenSSL Security Advisory [3rd May 2016] Gsunde Orangen (May 03)
- Re: OpenSSL Security Advisory [3rd May 2016] Solar Designer (May 03)
- Re: OpenSSL Security Advisory [3rd May 2016] Gsunde Orangen (May 03)
- Re: OpenSSL Security Advisory [3rd May 2016] Albert Veli (May 03)
- Re: OpenSSL Security Advisory [3rd May 2016] Alan J. Wylie (May 04)
- Re: OpenSSL Security Advisory [3rd May 2016] Albert Veli (May 04)
- Re: OpenSSL Security Advisory [3rd May 2016] Solar Designer (May 03)
- Re: OpenSSL Security Advisory [3rd May 2016] Gsunde Orangen (May 03)