|
7 | 7 | https://github.com/openssl/openssl/commits/ and pick the appropriate |
8 | 8 | release branch. |
9 | 9 |
|
| 10 | + Changes between 1.1.1t and 1.1.1u [30 May 2023] |
| 11 | + |
| 12 | + *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic |
| 13 | + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. |
| 14 | + |
| 15 | + OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical |
| 16 | + numeric text form. For gigantic sub-identifiers, this would take a very |
| 17 | + long time, the time complexity being O(n^2) where n is the size of that |
| 18 | + sub-identifier. (CVE-2023-2650) |
| 19 | + |
| 20 | + To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT |
| 21 | + IDENTIFIER to canonical numeric text form if the size of that OBJECT |
| 22 | + IDENTIFIER is 586 bytes or less, and fail otherwise. |
| 23 | + |
| 24 | + The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT |
| 25 | + IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at |
| 26 | + most 128 sub-identifiers, and that the maximum value that each sub- |
| 27 | + identifier may have is 2^32-1 (4294967295 decimal). |
| 28 | + |
| 29 | + For each byte of every sub-identifier, only the 7 lower bits are part of |
| 30 | + the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with |
| 31 | + these restrictions may occupy is 32 * 128 / 7, which is approximately 586 |
| 32 | + bytes. |
| 33 | + |
| 34 | + Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 |
| 35 | + |
| 36 | + [Richard Levitte] |
| 37 | + |
| 38 | + *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304). |
| 39 | + The previous fix for this timing side channel turned out to cause |
| 40 | + a severe 2-3x performance regression in the typical use case |
| 41 | + compared to 1.1.1s. The new fix uses existing constant time |
| 42 | + code paths, and restores the previous performance level while |
| 43 | + fully eliminating all existing timing side channels. |
| 44 | + The fix was developed by Bernd Edlinger with testing support |
| 45 | + by Hubert Kario. |
| 46 | + [Bernd Edlinger] |
| 47 | + |
| 48 | + *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention |
| 49 | + that it does not enable policy checking. Thanks to |
| 50 | + David Benjamin for discovering this issue. (CVE-2023-0466) |
| 51 | + [Tomas Mraz] |
| 52 | + |
| 53 | + *) Fixed an issue where invalid certificate policies in leaf certificates are |
| 54 | + silently ignored by OpenSSL and other certificate policy checks are skipped |
| 55 | + for that certificate. A malicious CA could use this to deliberately assert |
| 56 | + invalid certificate policies in order to circumvent policy checking on the |
| 57 | + certificate altogether. (CVE-2023-0465) |
| 58 | + [Matt Caswell] |
| 59 | + |
| 60 | + *) Limited the number of nodes created in a policy tree to mitigate |
| 61 | + against CVE-2023-0464. The default limit is set to 1000 nodes, which |
| 62 | + should be sufficient for most installations. If required, the limit |
| 63 | + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build |
| 64 | + time define to a desired maximum number of nodes or zero to allow |
| 65 | + unlimited growth. (CVE-2023-0464) |
| 66 | + [Paul Dale] |
| 67 | + |
10 | 68 | Changes between 1.1.1s and 1.1.1t [7 Feb 2023] |
11 | 69 |
|
12 | 70 | *) Fixed X.400 address type confusion in X.509 GeneralName. |
|
0 commit comments