search

cloudflare / sslconfig

Cloudflare's Internet facing SSL configuration
BSD 3-Clause "New" or "Revised" License
1.3k stars 132 forks source link

Does CVE-2016-7054 affect the ChaCha20-Poly1305 patch? #54

Closed biergaizi closed 7 years ago

biergaizi commented 7 years ago

CVE-2016-7054 (OpenSSL advisory) [High severity] 10th November 2016: TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS. Reported by Robert Święcki (Google Security Team) on 25th September 2016.

Fixed in OpenSSL 1.1.0c (Affected 1.1.0b, 1.1.0a, 1.1.0)

In OpenSSL 1.1.0, there is a bug that causes memory corruption allows a DoS attack. I have reviewed the CloudFlare's patch for OpenSSL 1.0.1, but I didn't see any similar code. But I still want an statement whether CF's patch has the same issue.

cnluzhang commented 7 years ago

https://github.com/cloudflare/sslconfig/issues/52

biergaizi commented 7 years ago

Sorry, didn't see the duplicate...