Module Name: src
Committed By: msaitoh
Date: Fri Jun 6 06:44:04 UTC 2014
Modified Files:
src/crypto/dist/openssl/crypto/bn [netbsd-5-1]: bn.h bn_lib.c
src/crypto/dist/openssl/crypto/ec [netbsd-5-1]: ec2_mult.c
src/crypto/dist/openssl/ssl [netbsd-5-1]: d1_both.c s3_clnt.c s3_pkt.c
s3_srvr.c ssl3.h
Log Message:
Pull up following revision(s) (requested by spz in ticket #1908):
crypto/dist/openssl/crypto/bn/bn.h patch
crypto/dist/openssl/crypto/bn/bn_lib.c patch
crypto/dist/openssl/crypto/ec/ec2_mult.c patch
crypto/dist/openssl/ssl/d1_both.c patch
crypto/dist/openssl/ssl/s3_clnt.c patch
crypto/dist/openssl/ssl/s3_pkt.c patch
crypto/dist/openssl/ssl/s3_srvr.c patch
crypto/dist/openssl/ssl/ssl3.h patch
*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue. (CVE-2014-0224)
[KIKUCHI Masashi, Steve Henson]
*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(CVE-2014-0221)
[Imre Rad, Steve Henson]
*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.
Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
[Jüri Aedla, Steve Henson]
*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
are subject to a denial of service attack.
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
this issue. (CVE-2014-3470)
[Felix Gröbert, Ivan Fratric, Steve Henson]
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.12.1 src/crypto/dist/openssl/crypto/bn/bn.h
cvs rdiff -u -r1.7 -r1.7.12.1 src/crypto/dist/openssl/crypto/bn/bn_lib.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.12.1 \
src/crypto/dist/openssl/crypto/ec/ec2_mult.c
cvs rdiff -u -r1.3.4.2 -r1.3.4.2.2.1 src/crypto/dist/openssl/ssl/d1_both.c
cvs rdiff -u -r1.12.4.2.2.1 -r1.12.4.2.2.2 \
src/crypto/dist/openssl/ssl/s3_clnt.c
cvs rdiff -u -r1.9.4.3 -r1.9.4.3.2.1 src/crypto/dist/openssl/ssl/s3_pkt.c
cvs rdiff -u -r1.15.4.3.2.1 -r1.15.4.3.2.2 \
src/crypto/dist/openssl/ssl/s3_srvr.c
cvs rdiff -u -r1.8 -r1.8.12.1 src/crypto/dist/openssl/ssl/ssl3.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
