We are using 1.0.1j, latest is 1.0.2a.
Summary of CVEs from 1.0.1j to 1.0.2d:

DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
no-ssl3 configuration sets method to NULL (CVE-2014-3569)
ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
DH client certificates accepted without verification [Server] (CVE-2015-0205)
Certificate fingerprints can be modified (CVE-2014-8275)
Bignum squaring may produce incorrect results (CVE-2014-3570)
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
Multiblock corrupted pointer (CVE-2015-0290)
Segmentation fault in DTLSv1_listen (CVE-2015-0207)
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
Segmentation fault for invalid PSS parameters (CVE-2015-0208)
ASN.1 structure reuse memory corruption (CVE-2015-0287)
PKCS7 NULL pointer dereferences (CVE-2015-0289)
Base64 decode (CVE-2015-0292)
DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
Empty CKE with client auth and DHE (CVE-2015-1787)
Handshake with unseeded PRNG (CVE-2015-0285)
Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
DHE man-in-the-middle protection (Logjam)
Malformed ECParameters causes infinite loop (CVE-2015-1788)
Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
CMS verify infinite loop with unknown hash function (CVE-2015-1792)
Race condition handling NewSessionTicket (CVE-2015-1791)
Invalid free in DTLS (CVE-2014-8176)
Alternative chains certificate forgery (CVE-2015-1793)
Risk analysis. OpenSSL is used in two places, OpenSSH and rdesktop.

(In reply to comment #1)

> DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
> DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
> Invalid free in DTLS (CVE-2014-8176)
> Segmentation fault in DTLSv1_listen (CVE-2015-0207)

Safe. We do not use DTLS.

> no-ssl3 configuration sets method to NULL (CVE-2014-3569)

Safe. We do not use this flag.

> Certificate fingerprints can be modified (CVE-2014-8275)

Safe. We don't check fingerprints.

> Bignum squaring may produce incorrect results (CVE-2014-3570)

Low risk. No attacks known, but bug is suspicious enough that exploits might turn up eventually.

> OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
> Multiblock corrupted pointer (CVE-2015-0290)

Safe. Feature introduced in 1.0.2 so we don't have the bug.

> ASN.1 structure reuse memory corruption (CVE-2015-0287)

Safe. Not a feature we use.

> Base64 decode (CVE-2015-0292)

Actually fixed in 1.0.1h, so we already have it.

> DH client certificates accepted without verification [Server] (CVE-2015-0205)
> DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
> Empty CKE with client auth and DHE (CVE-2015-1787)

Safe. Only affects servers.

> Handshake with unseeded PRNG (CVE-2015-0285)

Low risk, possibly safe. Requires fairly special conditions. Probably not possible with an RDP server.

> Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)

Safe. Only affects untrusted private keys.

> X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

Safe. Esoteric function that we do not use.

> Malformed ECParameters causes infinite loop (CVE-2015-1788)

Safe. Apparently only affects client certificate usage, which we do not use.

> Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)

Safe. Apparently only affects CRL verification and client certificate usage, neither of which we use.

> PKCS7 NULL pointer dereferences (CVE-2015-0289)
> PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)

Safe. We do not use PKCS7.

> CMS verify infinite loop with unknown hash function (CVE-2015-1792)

Safe. We do not use S/MIME.

> Race condition handling NewSessionTicket (CVE-2015-1791)

Safe. We do not use tickets.

> ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
> RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
> Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
> Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
> Segmentation fault for invalid PSS parameters (CVE-2015-0208)
> DHE man-in-the-middle protection (Logjam)
> Alternative chains certificate forgery (CVE-2015-1793)

Safe. We do not verify certificates so we do not protect ourselves against man-in-the-middle attacks.
Nothing critical at this time. Moving back to next for now.
https://openssl.org/news/newslog.html:

> 03-Dec-2015 Security Advisory: four security fixes (https://openssl.org/news/secadv/20151203.txt)
> 03-Dec-2015 OpenSSL 1.0.2e is now available, including bug and security fixes
> 03-Dec-2015 OpenSSL 1.0.1q is now available, including bug and security fixes
> 03-Dec-2015 OpenSSL 1.0.0t is now available, including bug and security fixes
> 03-Dec-2015 OpenSSL 0.9.8zh is now available, including bug and security fixes

Also, from the advisory:

> NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
> 0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
> PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

The new CVEs:

> BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)

Safe. We don't have any private keys.

> Certificate verify crash with missing PSS parameter (CVE-2015-3194)

May be relevant for rdesktop. But we don't do much verification of the server, so might not be.

> X509_ATTRIBUTE memory leak (CVE-2015-3195)

Safe. Doesn't affect TLS.

> Race condition handling PSK identify hint (CVE-2015-3196)

Safe. We don't use PSK.

> Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)

Safe. Regression in 1.0.2, which we don't use.
All done. Tested that ssh and rdesktop worked fine.
(In reply to comment #7)

> All done. Tested that ssh and rdesktop worked fine.

All of OpenSSH (both client and ssh-keyscan), rdesktop and OpenSC seem to work fine. Build 4974.