logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Other Software View previous topic :: View next topic
Reply to topic   Topic: OpenSSL version 1.1.1i released
Author
Jan-E



Joined: 09 Mar 2012
Posts: 1265
Location: Amsterdam, NL, EU

PostPosted: Tue 08 Dec '20 19:10    Post subject: OpenSSL version 1.1.1i released Reply with quote

OpenSSL version 1.1.1i released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.1.1i of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1i is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

openssl-1.1.1i.tar.gz
Size: 9808346
SHA1 checksum: eb684ba4ed31fe2c48062aead75233ecd36882a6
SHA256 checksum: e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1i.tar.gz
openssl sha256 openssl-1.1.1i.tar.gz

Yours,

The OpenSSL Project Team.

OpenSSL Security Advisory [08 December 2020]
============================================

EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
======================================================

Severity: High

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)

If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur.
Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools.

Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack.

All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked.

OpenSSL 1.1.1 users should upgrade to 1.1.1i.

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2x. Other users should upgrade to OpenSSL 1.1.1i.

This issue was reported to OpenSSL on 9th November 2020 by David Benjamin (Google). Initial analysis was performed by David Benjamin with additional analysis by Matt Caswell (OpenSSL). The fix was developed by Matt Caswell.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of this issue on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20201208.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Wed 09 Dec '20 11:39    Post subject: Reply with quote

Does this affects Apache ?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Thu 10 Dec '20 10:01    Post subject: Reply with quote

Steffen wrote:
Does this affects Apache ?


Well I can't build mod_security with it correctly.

Error while compiling

Code:

/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libcurl.so: undefined reference to `DES_set_odd_parity@OPENSSL_1_1_0'
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libcurl.so: undefined reference to `DES_ecb_encrypt@OPENSSL_1_1_0'
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libcurl.so: undefined reference to `DES_set_key@OPENSSL_1_1_0'



Trying to load the module
Code:

Cannot load modules/mod_security2.so into server: /usr/lib/x86_64-linux-gnu/libcurl.so.4: symbol DES_set_key version OPENSSL_1_1_0 not defined in file libcrypto.so.1.1 with link time reference


I didn't had that issue with the previous version of OpenSSL.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Thu 10 Dec '20 10:10    Post subject: Reply with quote

Looks the libcurl
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1265
Location: Amsterdam, NL, EU

PostPosted: Thu 10 Dec '20 15:46    Post subject: Reply with quote

Steffen wrote:
Looks the libcurl

Is there any reason why the new Apache build did not update to Curl 7.74? That was released yesterday and also had 3 security advisories.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Thu 10 Dec '20 16:04    Post subject: Reply with quote

Looks not necessary to me. Only mod_ md uses it simple, cve’s are not for this usage.
Back to top


Reply to topic   Topic: OpenSSL version 1.1.1i released View previous topic :: View next topic
Post new topic   Forum Index -> Other Software