aboutsummaryrefslogtreecommitdiffstats
path: root/doc/security.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/security.rst')
-rw-r--r--doc/security.rst67
1 files changed, 63 insertions, 4 deletions
diff --git a/doc/security.rst b/doc/security.rst
index 4b36fa717..192571829 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,7 +19,66 @@ Advisories
2015
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-* 2015-08-03 (CVE-2015-5726)
+* 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS
+
+ A padding oracle attack was possible against TLS CBC ciphersuites because if a
+ certain length check on the packet fields failed, a different alert type than
+ one used for message authentication failure would be returned to the sender.
+ This check triggering would leak information about the value of the padding
+ bytes and could be used to perform iterative decryption.
+
+ As with most such oracle attacks, the danger depends on the underlying
+ protocol - HTTP servers are particularly vulnerable. The current analysis
+ suggests that to exploit it an attacker would first have to guess several
+ bytes of plaintext, but again this is quite possible in many situations
+ including HTTP.
+
+ Found in a review by Sirrix AG and 3curity GmbH.
+
+ Introduced in 1.11.0, fixed in 1.11.22
+
+* 2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation
+
+ When evaluating a certificate path, if a loop in the certificate chain
+ was encountered (for instance where C1 certifies C2, which certifies C1)
+ an infinite loop would occur eventually resulting in memory exhaustion.
+ Found in a review by Sirrix AG and 3curity GmbH.
+
+ Introduced in 1.11.6, fixed in 1.11.22
+
+* 2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names
+
+ RFC 6125 specifies how to match a X.509v3 certificate against a DNS name
+ for application usage.
+
+ Otherwise valid certificates using wildcards would be accepted as matching
+ certain hostnames that should they should not according to RFC 6125. For
+ example a certificate issued for '*.example.com' should match
+ 'foo.example.com' but not 'example.com' or 'bar.foo.example.com'. Previously
+ Botan would accept such a certificate as valid for 'bar.foo.example.com'.
+
+ RFC 6125 also requires that when matching a X.509 certificate against a DNS
+ name, the CN entry is only compared if no subjectAlternativeName entry is
+ available. Previously X509_Certificate::matches_dns_name would always check
+ both names.
+
+ Found in a review by Sirrix AG and 3curity GmbH.
+
+ Introduced in 1.11.0, fixed in 1.11.22
+
+* 2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time
+
+ During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was
+ input dependent. If these differences could be measured by an attacker, it
+ could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5
+ decoding has been rewritten to use a sequence of operations which do not
+ contain any input-dependent indexes or jumps. Notations for checking constant
+ time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS
+ #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH.
+
+ Fixed in 1.11.22. Affected all previous versions.
+
+* 2015-08-03 (CVE-2015-5726): Crash in BER decoder
The BER decoder would crash due to reading from offset 0 of an empty vector if
it encountered a BIT STRING which did not contain any data at all. This can be
@@ -28,7 +87,7 @@ Advisories
Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
-* 2015-08-03 (CVE-2015-5727)
+* 2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder
The BER decoder would allocate a fairly arbitrary amount of memory in a length
field, even if there was no chance the read request would succeed. This might
@@ -39,7 +98,7 @@ Advisories
2014
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-* 2014-04-10 (CVE-2014-9742)
+* 2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check
A bug in the Miller-Rabin primality test resulted in only a single random base
being used instead of a sequence of such bases. This increased the probability
@@ -48,4 +107,4 @@ Advisories
number being incorrectly classed as prime with a single base is around 2^-40.
Reported by Jeff Marrison.
- Fixed in 1.11.9 and 1.10.8, affected all versions since 1.8.3
+ Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9