zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add CHANGES.md and NEWS.md entries for CVE-2023-6129

Browse Source 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
This commit is contained in:
Tomas Mraz 2024-01-04 10:32:32 +01:00
parent 8d847a3ffd
commit 858c7bc210
2 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
CHANGES.md
View File

@ -75,6 +75,26 @@ OpenSSL 3.2
### Changes between 3.2.0 and 3.2.1 [xx XXX xxxx]
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
@ -20380,6 +20400,7 @@ ndif
<!-- Links -->
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807

5
NEWS.md
View File

@ -31,7 +31,9 @@ OpenSSL 3.2
### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [under development]
* none
* Fix POLY1305 MAC implementation corrupting vector registers on PowerPC
CPUs which support PowerISA 2.07
([CVE-2023-6129])
### Major changes between OpenSSL 3.1 and OpenSSL 3.2.0 [23 Nov 2023]
@ -1580,6 +1582,7 @@ OpenSSL 0.9.x
<!-- Links -->
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807