Source-Changes archive


CVS commit: [netbsd-5-2] src/crypto/dist/openssl



Module Name:    src
Committed By:   msaitoh
Date:           Fri Jun  6 06:42:08 UTC 2014

Modified Files:
        src/crypto/dist/openssl/crypto/bn [netbsd-5-2]: bn.h bn_lib.c
        src/crypto/dist/openssl/crypto/ec [netbsd-5-2]: ec2_mult.c
        src/crypto/dist/openssl/ssl [netbsd-5-2]: d1_both.c s3_clnt.c s3_pkt.c
            s3_srvr.c ssl3.h

Log Message:
Pull up following revision(s) (requested by spz in ticket #1908):
crypto/dist/openssl/crypto/bn/bn.h              patch
crypto/dist/openssl/crypto/bn/bn_lib.c          patch
crypto/dist/openssl/crypto/ec/ec2_mult.c        patch
crypto/dist/openssl/ssl/d1_both.c               patch
crypto/dist/openssl/ssl/s3_clnt.c               patch
crypto/dist/openssl/ssl/s3_pkt.c                patch
crypto/dist/openssl/ssl/s3_srvr.c               patch
crypto/dist/openssl/ssl/ssl3.h                  patch

  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
     handshake can force the use of weak keying material in OpenSSL
     SSL/TLS clients and servers.

     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
     researching this issue. (CVE-2014-0224)
     [KIKUCHI Masashi, Steve Henson]

  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
     OpenSSL DTLS client the code can be made to recurse eventually crashing
     in a DoS attack.

     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
     (CVE-2014-0221)
     [Imre Rad, Steve Henson]

  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
     client or server. This is potentially exploitable to run arbitrary
     code on a vulnerable client or server.

     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
     [Jüri Aedla, Steve Henson]

  *) Fix bug in TLS code where clients that enable anonymous ECDH
     ciphersuites are subject to a denial of service attack.

     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
     this issue. (CVE-2014-3470)
     [Felix Gröbert, Ivan Fratric, Steve Henson]


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.2.1 src/crypto/dist/openssl/crypto/bn/bn.h
cvs rdiff -u -r1.7 -r1.7.2.1 src/crypto/dist/openssl/crypto/bn/bn_lib.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.2.1 \
    src/crypto/dist/openssl/crypto/ec/ec2_mult.c
cvs rdiff -u -r1.3.4.2 -r1.3.4.2.6.1 src/crypto/dist/openssl/ssl/d1_both.c
cvs rdiff -u -r1.12.4.3 -r1.12.4.3.4.1 src/crypto/dist/openssl/ssl/s3_clnt.c
cvs rdiff -u -r1.9.4.3 -r1.9.4.3.6.1 src/crypto/dist/openssl/ssl/s3_pkt.c
cvs rdiff -u -r1.15.4.4 -r1.15.4.4.4.1 src/crypto/dist/openssl/ssl/s3_srvr.c
cvs rdiff -u -r1.8 -r1.8.2.1 src/crypto/dist/openssl/ssl/ssl3.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



