As per Upstream advisory:

The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid login information are vulnerable to a memory leak: an attacker connecting with an invalid username can cause a memory leak of around 300 bytes per connection. Servers that do not configure SRP, or configure SRP but do not configure a seed, are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user is now disabled even if the user has configured a seed. Applications are advised to migrate to SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong guarantees about the indistinguishability of valid and invalid logins. In particular, computations are currently not carried out in constant time. (1.0.1 might omit the new API).

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g.
OpenSSL 1.0.1 users should upgrade to 1.0.1s.

This issue was reported to OpenSSL on February 23rd 2016 by Emilia Käsper. The fix was developed by Emilia Käsper of the OpenSSL development team.

Statement: This issue does not affect the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 6 and 7, since these packages are compiled without SRP support.
Public via: Upstream patch: http://git.openssl.org/?p=openssl.git;a=commitdiff;h=380f18ed5f140e0ae1b68f3ab8f4f7c395658d9e
Acknowledgments:
Name: the OpenSSL project
Upstream: Emilia Käsper
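The ownership ambiguity the advisory describes, as an added example that is not OpenSSL source and not part of the original report: a simplified model in which the old-style lookup returns either a borrowed or a freshly allocated record, next to a get1-style lookup whose result the caller always owns. All type and function names, the seed string and the sample user are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model of the ownership problem; NOT OpenSSL code. Names are hypothetical. */
typedef struct { char name[32]; char verifier[32]; } user_pwd;
static user_pwd db[] = { { "alice", "v-alice" } };  /* constructed sample record */
static long live_allocs = 0;                         /* heap records not yet freed */

static user_pwd *pwd_new(const char *name, const char *v) {
    user_pwd *u = calloc(1, sizeof *u);
    if (u == NULL) return NULL;
    strncpy(u->name, name, sizeof u->name - 1);
    strncpy(u->verifier, v, sizeof u->verifier - 1);
    live_allocs++;
    return u;
}
static void pwd_free(user_pwd *u) { if (u) { free(u); live_allocs--; } }

static user_pwd *find(const char *name) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, name) == 0) return &db[i];
    return NULL;
}

/* Old style: borrowed pointer for a known user, fresh allocation for an unknown
   user when a seed is set. The caller cannot tell which, so it frees neither. */
user_pwd *get_by_user(const char *name, const char *seed) {
    user_pwd *u = find(name);
    if (u != NULL) return u;
    return seed ? pwd_new(name, "fake-from-seed") : NULL;
}

/* get1 style: every non-NULL result is a copy owned (and freed) by the caller. */
user_pwd *get1_by_user(const char *name, const char *seed) {
    user_pwd *u = find(name);
    if (u != NULL) return pwd_new(u->name, u->verifier);
    return seed ? pwd_new(name, "fake-from-seed") : NULL;
}

/* Simulate n logins with an unknown name; return the records left allocated. */
long leaked_after(int n, int use_get1) {
    long before = live_allocs;
    for (int i = 0; i < n; i++) {
        user_pwd *u = use_get1 ? get1_by_user("nobody", "seed") : get_by_user("nobody", "seed");
        if (use_get1) pwd_free(u);  /* safe only because ownership is unambiguous */
    }
    return live_allocs - before;
}
int main(void) { printf("old: %ld get1: %ld\n", leaked_after(100, 0), leaked_after(100, 1)); return 0; }
```

In the model, one record is stranded per unknown-user lookup through the old interface, which is the per-connection growth the advisory reports; with the get1 interface the caller frees every result and the count stays flat.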