Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: OpenSSL version 1.1.1i released |
|
Author |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Tue 08 Dec '20 19:10 Post subject: OpenSSL version 1.1.1i released |
|
|
OpenSSL version 1.1.1i released
===============================
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of version 1.1.1i of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:
https://www.openssl.org/news/openssl-1.1.1-notes.html
OpenSSL 1.1.1i is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):
* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/
The distribution file name is:
openssl-1.1.1i.tar.gz
Size: 9808346
SHA1 checksum: eb684ba4ed31fe2c48062aead75233ecd36882a6
SHA256 checksum: e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242
The checksums were calculated using the following commands:
openssl sha1 openssl-1.1.1i.tar.gz
openssl sha256 openssl-1.1.1i.tar.gz
Yours,
The OpenSSL Project Team.
OpenSSL Security Advisory [08 December 2020]
============================================
EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
======================================================
Severity: High
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.
OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)
If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur.
Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools.
Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack.
All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked.
OpenSSL 1.1.1 users should upgrade to 1.1.1i.
OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2x. Other users should upgrade to OpenSSL 1.1.1i.
This issue was reported to OpenSSL on 9th November 2020 by David Benjamin (Google). Initial analysis was performed by David Benjamin with additional analysis by Matt Caswell (OpenSSL). The fix was developed by Matt Caswell.
Note
====
OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html
OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of this issue on OpenSSL 1.1.0 has not been analysed.
Users of these versions should upgrade to OpenSSL 1.1.1.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20201208.txt
Note: the online version of the advisory may be updated with additional details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Wed 09 Dec '20 11:39 Post subject: |
|
|
Does this affects Apache ? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Thu 10 Dec '20 10:01 Post subject: |
|
|
Steffen wrote: | Does this affects Apache ? |
Well I can't build mod_security with it correctly.
Error while compiling
Code: |
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libcurl.so: undefined reference to `DES_set_odd_parity@OPENSSL_1_1_0'
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libcurl.so: undefined reference to `DES_ecb_encrypt@OPENSSL_1_1_0'
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libcurl.so: undefined reference to `DES_set_key@OPENSSL_1_1_0'
|
Trying to load the module
Code: |
Cannot load modules/mod_security2.so into server: /usr/lib/x86_64-linux-gnu/libcurl.so.4: symbol DES_set_key version OPENSSL_1_1_0 not defined in file libcrypto.so.1.1 with link time reference
|
I didn't had that issue with the previous version of OpenSSL. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Thu 10 Dec '20 10:10 Post subject: |
|
|
Looks the libcurl |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Thu 10 Dec '20 15:46 Post subject: |
|
|
Steffen wrote: | Looks the libcurl |
Is there any reason why the new Apache build did not update to Curl 7.74? That was released yesterday and also had 3 security advisories. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Thu 10 Dec '20 16:04 Post subject: |
|
|
Looks not necessary to me. Only mod_ md uses it simple, cve’s are not for this usage. |
|
Back to top |
|
|
|
|
|
|