Monero GUI and CLI Update: 'Oxygen Orion'
~2 min read | Published on 2020-12-15, tagged General-News using 339 words.
The Monero Project released an update to its CLI and GUI software that updates OpenSSl and provides “P2P network layer improvements.”
The GUI release, aside from containing network layer improvements, is a fairly minor update with 16 commits and 51 lines of code. A list of highlights include:
Ask for writing desktop shortcut on first start (Linux) Fix wallet initialization flag handling Get back “Sending transaction …” splash Disable QML cache Minor bug fixes
The CLI update had 24 commits containing 154 lines of new code. Some of the highlights of the update include:
P2P: include first new block in chain entry response P2P: more restrictive checks on chain entry response Fix syncing with –sync-pruned-blocks flag Update OpenSSL to 1.1.1i to fix its recently disclosed vulnerability
Both updates are available on the getmonero.org download page: getmonero.org/downloads
The recently disclosed OpenSSL vulnerability:<code>EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)======================================================Severity: HighThe X.509 GeneralName type is a generic type for representing different typesof names. One of those name types is known as EDIPartyName. OpenSSL provides afunction GENERAL_NAME_cmp which compares different instances of a GENERAL_NAMEto see if they are equal or not. This function behaves incorrectly when bothGENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crashmay occur leading to a possible denial of service attack.OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)If an attacker can control both items being compared then that attacker couldtrigger a crash. For example if the attacker can trick a client or server intochecking a malicious certificate against a malicious CRL then this may occur.Note that some applications automatically download CRLs based on a URL embeddedin a certificate. This checking happens prior to the signatures on thecertificate and CRL being verified. OpenSSL's s_server, s_client and verifytools have support for the "-crl_download" option which implements automaticCRL downloading and this attack has been demonstrated to work against thosetools.</code>
The GUI release, aside from containing network layer improvements, is a fairly minor update with 16 commits and 51 lines of code. A list of highlights include:
The CLI update had 24 commits containing 154 lines of new code. Some of the highlights of the update include:
Both updates are available on the getmonero.org download page: getmonero.org/downloads
The recently disclosed OpenSSL vulnerability:<code>EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)======================================================Severity: HighThe X.509 GeneralName type is a generic type for representing different typesof names. One of those name types is known as EDIPartyName. OpenSSL provides afunction GENERAL_NAME_cmp which compares different instances of a GENERAL_NAMEto see if they are equal or not. This function behaves incorrectly when bothGENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crashmay occur leading to a possible denial of service attack.OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)If an attacker can control both items being compared then that attacker couldtrigger a crash. For example if the attacker can trick a client or server intochecking a malicious certificate against a malicious CRL then this may occur.Note that some applications automatically download CRLs based on a URL embeddedin a certificate. This checking happens prior to the signatures on thecertificate and CRL being verified. OpenSSL's s_server, s_client and verifytools have support for the "-crl_download" option which implements automaticCRL downloading and this attack has been demonstrated to work against thosetools.</code>
