Discussion:
Change in default behavior from 1.0.1g to 1.0.1h: string global_mask
Dave Thompson
2014-09-20 13:50:27 UTC
Permalink
> Sent: Wednesday, September 17, 2014 18:28
> I just tracked down an obscure bug in our certificate authentication
> code to a change in the global mask for ASN.1 strings in
> crypto/asn1/a_strnid.c.
> (https://github.com/openssl/openssl/commit/3009244da47b989c4cc59ba02cf81a4e9d8f8431)
> 1. Was this change made for a security related reason?
> That is, by changing global_mask back to the 1.0.1g initialized value,
> are we introducing a security vulnerability?
Going back (probably, depending on the actual string values you use)
may encode differently than standards call for. AFAICS there is no direct
security impact, but if and to the extent it causes compliance or
interop problems, those may indirectly affect security. (Canonical
example: browser displays a dialog box about "this certificate may
be invalid because $technical_details." 99.999% of users click on
the box that says "I don't want this computer gibberish, just
connect me to the website even if it is run by thieves so that
I can have my money and personal data stolen QUICKLY.")
> 2. Is there a changelist somewhere in the source tarball that lists
> the 1.0.1g to 1.0.1h revisions? Or a list that outlines changes in the
> default settings?
> This would be extremely helpful to incorporating newly released 1.0.1
> subversions. The file CHANGES appears to only list security
> vulnerabilities.
IME CHANGES generally lists visible (i.e. commandline or API) changes,
and internal ones (like refactoring) if they are considered important.
You are not the only one visibly unhappy this change was made unlisted.
It was apparently made for http://rt.openssl.org/Ticket/Display.html?id=3371
then affirmed by http://rt.openssl.org/Ticket/Display.html?id=3402
and http://rt.openssl.org/Ticket/Display.html?id=3469 .
AFAICT rt ticket creations are "published" on openssl-dev,
and these two were definitely discussed there.
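For readers wondering what "encode differently" means in practice: global_mask in a_strnid.c is the process-wide mask that ASN1_STRING_set_by_NID() ANDs with each attribute's own allowed-type mask; ASN1_mbstring_ncopy() then drops the types that cannot hold the characters present and takes the first survivor in its preference order (PrintableString, IA5String, T61String, BMPString, UniversalString, UTF8String). The model below is an added example written for this thread, not code from the thread or from OpenSSL itself. It assumes the B_ASN1_* bit values from asn1.h, the named masks accepted by ASN1_STRING_set_default_mask_asc(), and that the referenced commit moved the built-in default from the all-types mask ("default") to UTF8String only ("utf8only"); the narrowing logic is a simplification of the real one, and the sample names are constructed.

```python
# Model (added example; not OpenSSL's code) of how OpenSSL picks an ASN.1
# string type for an X.509 name attribute under a given global_mask, and
# what the DER looks like for each choice.

B_ASN1_PRINTABLESTRING = 0x0002
B_ASN1_T61STRING = 0x0004
B_ASN1_IA5STRING = 0x0010
B_ASN1_UNIVERSALSTRING = 0x0100
B_ASN1_BMPSTRING = 0x0800
B_ASN1_UTF8STRING = 0x2000

ALL = 0xFFFFFFFF
# Names as accepted by ASN1_STRING_set_default_mask_asc()
NAMED_MASKS = {
    "default": ALL,                                          # built-in default up to 1.0.1g
    "nombstr": ALL & ~(B_ASN1_BMPSTRING | B_ASN1_UNIVERSALSTRING),
    "pkix": ALL & ~B_ASN1_T61STRING,
    "utf8only": B_ASN1_UTF8STRING,                           # assumed: built-in default from 1.0.1h
}

# Allowed types for DirectoryString attributes such as commonName
DIRSTRING_TYPE = (B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING
                  | B_ASN1_BMPSTRING | B_ASN1_UTF8STRING)

PRINTABLE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                      "0123456789 '()+,-./:=?")

# Universal tag numbers for the string types this model can emit
TAG = {"UTF8String": 0x0C, "PrintableString": 0x13, "T61String": 0x14,
       "IA5String": 0x16, "UniversalString": 0x1C, "BMPString": 0x1E}


def choose_type(text, global_mask, attr_mask=DIRSTRING_TYPE, no_mask=False):
    """Return the string type the model selects for `text`.

    no_mask mirrors the STABLE_NO_MASK table flag: attributes such as
    emailAddress (IA5String only) ignore global_mask entirely.
    """
    mask = attr_mask if no_mask else attr_mask & global_mask
    maxchar = max((ord(c) for c in text), default=0)
    # Narrow by what the characters require (simplified from ASN1_mbstring_ncopy)
    if maxchar > 0x7F:
        mask &= ~(B_ASN1_PRINTABLESTRING | B_ASN1_IA5STRING)
    if maxchar > 0xFF:
        mask &= ~B_ASN1_T61STRING
    if maxchar > 0xFFFF:
        mask &= ~B_ASN1_BMPSTRING
    if any(c not in PRINTABLE_CHARS for c in text):
        mask &= ~B_ASN1_PRINTABLESTRING
    # Preference order: most restrictive type still allowed wins
    for bit, name in ((B_ASN1_PRINTABLESTRING, "PrintableString"),
                      (B_ASN1_IA5STRING, "IA5String"),
                      (B_ASN1_T61STRING, "T61String"),
                      (B_ASN1_BMPSTRING, "BMPString"),
                      (B_ASN1_UNIVERSALSTRING, "UniversalString")):
        if mask & bit:
            return name
    return "UTF8String"


def der_encode(text, str_type):
    """DER-encode `text` as the given string type (short-form length only)."""
    if str_type == "BMPString":
        body = text.encode("utf-16-be")
    elif str_type == "UniversalString":
        body = text.encode("utf-32-be")
    elif str_type == "T61String":
        # Raw 8-bit (Latin-1) bytes, which is not real T.61; this is the
        # encoding other implementations may interpret differently.
        body = text.encode("latin-1")
    elif str_type == "UTF8String":
        body = text.encode("utf-8")
    else:
        body = text.encode("ascii")
    if len(body) >= 0x80:
        raise ValueError("model supports short-form lengths only")
    return bytes([TAG[str_type], len(body)]) + body


def encode_attribute(text, mask_name="utf8only", attr_mask=DIRSTRING_TYPE, no_mask=False):
    """(type name, DER bytes) for `text` under the named global mask."""
    str_type = choose_type(text, NAMED_MASKS[mask_name], attr_mask, no_mask)
    return str_type, der_encode(text, str_type)


def compare_defaults(text):
    """Type chosen for a CN-like attribute under the 1.0.1g vs 1.0.1h default."""
    return {"1.0.1g default": choose_type(text, NAMED_MASKS["default"]),
            "1.0.1h utf8only": choose_type(text, NAMED_MASKS["utf8only"])}


if __name__ == "__main__":
    # Constructed sample names: pure ASCII, Latin-1, and outside Latin-1
    for cn in ("example.com", "M\u00fcller GmbH", "\u65e5\u672c"):
        print(repr(cn), compare_defaults(cn))
    print(encode_attribute("M\u00fcller GmbH", "default"))
    print(encode_attribute("M\u00fcller GmbH", "utf8only"))
```

The interesting case is a name with Latin-1 characters: the old default yields a T61String carrying raw 8-bit bytes, the new default a UTF8String, and the "pkix" mask a BMPString, so the same input produces three different DER encodings depending on the mask, while pure ASCII names only move from PrintableString to UTF8String. To see which tags a real certificate carries, run `openssl asn1parse -in cert.pem` and look at the subject's attribute values.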



______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org