in the distribution tar file.
- BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193, Aug 13)
- Certificate verify crash with missing PSS parameter (CVE-2015-3194, Aug 27)
- X509_ATTRIBUTE memory leak (CVE-2015-3195, Nov 9)
(plus the advisory mentions an issue fixed in 1.0.2d)
During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.
This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
In the 'you didnt think openssl was that insane' series, it tries to use
m4 -B 8192 to generate some sparc asm from an m4 file.
Unsurprisingly, our m4 doesn't support -B, it's not even in gm4's manpage,
and gm4 info page says this about -B :
These options are present for compatibility with System V `m4', but
do nothing in this implementation. They may disappear in future
releases, and issue a warning to that effect.
I'm glad openssl can be built with System V m4..
standard paths searched for by third-party software to ensure that it's
not picked up by autoconf-type programs. This is not intended for general
use, but allows us to continue using specific software relying on APIs
which have been removed from LibReSSL, and for test/comparison purposes.
Various feedback from zhuk@ and jca@, earlier version ok zhuk@ (with only
minor file/path shuffling since then).
