BEGIN\r
DEFPUSHBUTTON "OK",IDOK,133,294,50,14\r
ICON ffftp,-1,7,4,20,20\r
- CTEXT "FFFTP Ver 1.99-20160423",-1,113,11,90,8\r
+ CTEXT "FFFTP Ver 1.99-20160504",-1,113,11,90,8\r
CTEXT "FFFTP\82Ífreeware\82Å\82·",-1,7,279,305,8\r
CTEXT "Copyright(C) 1997-2010 Sota & \82²\8b¦\97Í\82¢\82½\82¾\82¢\82½\95û\81X\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, \82¤\82È\81[, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, \82Ó\82¤\82¹\82ñ)",-1,7,25,305,44,SS_NOPREFIX\r
CTEXT "",ABOUT_JRE,7,96,305,8\r
BEGIN\r
DEFPUSHBUTTON "OK",IDOK,132,296,50,14\r
ICON ffftp,-1,7,4,20,20\r
- CTEXT "FFFTP Ver 1.99-20160423",-1,110,11,90,8\r
+ CTEXT "FFFTP Ver 1.99-20160504",-1,110,11,90,8\r
CTEXT "FFFTP is freeware",-1,7,281,301,8\r
CTEXT "Copyright(C) 1997-2010 Sota && cooperators\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, unarist, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, Fu-sen)",-1,7,25,301,44\r
CTEXT "",ABOUT_JRE,7,93,301,8\r
//#define PROGRAM_VERSION_NUM 1972 /* バージョン */\r
// 64ビット対応\r
#ifdef _WIN64\r
-#define VER_STR "1.99-20160423 64bit"\r
+#define VER_STR "1.99-20160504 64bit"\r
#else\r
-#define VER_STR "1.99-20160423"\r
+#define VER_STR "1.99-20160504"\r
#endif\r
#define VER_NUM 1990 /* 設定バージョン */\r
#define PROGRAM_VERSION_NUM 1990 /* バージョン */\r
// ソフトウェア自動更新\r
// リリースバージョンはリリース予定年(10進数4桁)+月(2桁)+日(2桁)+通し番号(0スタート2桁)とする\r
// 2014年7月31日中の30個目のリリースは2014073129\r
-#define RELEASE_VERSION_NUM 2016042300 /* リリースバージョン */\r
+#define RELEASE_VERSION_NUM 2016050400 /* リリースバージョン */\r
\r
\r
// SourceForge.JPによるフォーク\r
OpenSSL CHANGES
_______________
+ Changes between 1.0.2g and 1.0.2h [3 May 2016]
+
+ *) Prevent padding oracle in AES-NI CBC MAC check
+
+ A MITM attacker can use a padding oracle attack to decrypt traffic
+ when the connection uses an AES CBC cipher and the server support
+ AES-NI.
+
+ This issue was introduced as part of the fix for Lucky 13 padding
+ attack (CVE-2013-0169). The padding check was rewritten to be in
+ constant time by making sure that always the same bytes are read and
+ compared against either the MAC or padding bytes. But it no longer
+ checked that there was enough data to have both the MAC and padding
+ bytes.
+
+ This issue was reported by Juraj Somorovsky using TLS-Attacker.
+ (CVE-2016-2107)
+ [Kurt Roeckx]
+
+ *) Fix EVP_EncodeUpdate overflow
+
+ An overflow can occur in the EVP_EncodeUpdate() function which is used for
+ Base64 encoding of binary data. If an attacker is able to supply very large
+ amounts of input data then a length check can overflow resulting in a heap
+ corruption.
+
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+ the PEM_write_bio* family of functions. These are mainly used within the
+ OpenSSL command line applications, so any application which processes data
+ from an untrusted source and outputs it as a PEM file should be considered
+ vulnerable to this issue. User applications that call these APIs directly
+ with large amounts of untrusted data may also be vulnerable.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2105)
+ [Matt Caswell]
+
+ *) Fix EVP_EncryptUpdate overflow
+
+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+ is able to supply very large amounts of input data after a previous call to
+ EVP_EncryptUpdate() with a partial block then a length check can overflow
+ resulting in a heap corruption. Following an analysis of all OpenSSL
+ internal usage of the EVP_EncryptUpdate() function all usage is one of two
+ forms. The first form is where the EVP_EncryptUpdate() call is known to be
+ the first called function after an EVP_EncryptInit(), and therefore that
+ specific call must be safe. The second form is where the length passed to
+ EVP_EncryptUpdate() can be seen from the code to be some small value and
+ therefore there is no possibility of an overflow. Since all instances are
+ one of these two forms, it is believed that there can be no overflows in
+ internal code due to this problem. It should be noted that
+ EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+ Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+ of these calls have also been analysed too and it is believed there are no
+ instances in internal usage where an overflow could occur.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2106)
+ [Matt Caswell]
+
+ *) Prevent ASN.1 BIO excessive memory allocation
+
+ When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+ a short invalid encoding can casuse allocation of large amounts of memory
+ potentially consuming excessive resources or exhausting memory.
+
+ Any application parsing untrusted data through d2i BIO functions is
+ affected. The memory based functions such as d2i_X509() are *not* affected.
+ Since the memory based functions are used by the TLS library, TLS
+ applications are not affected.
+
+ This issue was reported by Brian Carpenter.
+ (CVE-2016-2109)
+ [Stephen Henson]
+
+ *) EBCDIC overread
+
+ ASN1 Strings that are over 1024 bytes can cause an overread in applications
+ using the X509_NAME_oneline() function on EBCDIC systems. This could result
+ in arbitrary stack data being returned in the buffer.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2176)
+ [Matt Caswell]
+
+ *) Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ [Todd Short]
+
+ *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
+ default.
+ [Kurt Roeckx]
+
+ *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
+ [Kurt Roeckx]
+
Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
+
+ o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
+ o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
+ o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
+ o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
+ o EBCDIC overread (CVE-2016-2176)
+ o Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ o Remove LOW from the DEFAULT cipher list. This removes singles DES from
+ the default.
+ o Only remove the SSLv2 methods with the no-ssl2-method option.
+
Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
- OpenSSL 1.0.2g 1 Mar 2016
+ OpenSSL 1.0.2h 3 May 2016
Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
# include <openssl/crypto.h>
+# ifdef OPENSSL_NO_COMP
+# error COMP is disabled.
+# endif
+
#ifdef __cplusplus
extern "C" {
#endif
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1000207fL
+# define OPENSSL_VERSION_NUMBER 0x1000208fL
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g-fips 1 Mar 2016"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h-fips 3 May 2016"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g 1 Mar 2016"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h 3 May 2016"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
/* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-# ifndef OPENSSL_NO_SSL2
+# ifndef OPENSSL_NO_SSL2_METHOD
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
# define X509_R_LOADING_CERT_DIR 103
# define X509_R_LOADING_DEFAULTS 104
# define X509_R_METHOD_NOT_SUPPORTED 124
+# define X509_R_NAME_TOO_LONG 134
# define X509_R_NEWER_CRL_NOT_NEWER 132
# define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
# define X509_R_NO_CRL_NUMBER 130
#ifdef ENABLE_PROCESS_PROTECTION\r
// 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること\r
#if defined(_M_IX86)\r
- // ssleay32.dll 1.0.2g\r
- RegisterTrustedModuleSHA1Hash("\x96\x60\x94\xD8\x35\xB8\xAC\x1B\xEC\xCB\x45\xAD\x1B\x3E\x4C\x9F\xDC\x78\xA9\xDC");\r
- // libeay32.dll 1.0.2g\r
- RegisterTrustedModuleSHA1Hash("\xBD\x91\xB9\x36\xC1\xC5\x65\x6D\x8F\xAA\xCF\x6F\x84\x8B\xC7\x77\x23\x8D\xE6\x2B");\r
+ // ssleay32.dll 1.0.2h\r
+ RegisterTrustedModuleSHA1Hash("\x7E\x40\xBE\x64\xDC\x67\xAC\x54\x5E\x27\x62\x02\x80\x41\x08\x0A\xA7\xB4\xD9\x3C");\r
+ // libeay32.dll 1.0.2h\r
+ RegisterTrustedModuleSHA1Hash("\xE5\x35\x05\x1B\xEC\x5A\xF1\xC9\xE5\xAA\x3D\x85\x3B\xCE\xBB\x9A\xCA\xC8\x6A\x17");\r
#elif defined(_M_AMD64)\r
- // ssleay32.dll 1.0.2g\r
- RegisterTrustedModuleSHA1Hash("\xF8\x88\xEB\xC1\x2B\xE6\xE4\xFD\xFA\xCA\x9F\xAB\x2F\x46\x47\xC4\x56\x11\xF8\x21");\r
- // libeay32.dll 1.0.2g\r
- RegisterTrustedModuleSHA1Hash("\x70\xAD\x36\x15\xB1\x2C\x82\xAF\xD4\x93\x17\xD4\x82\xC7\x15\x4B\x89\x86\xE3\xE6");\r
+ // ssleay32.dll 1.0.2h\r
+ RegisterTrustedModuleSHA1Hash("\x32\x2E\x8A\x61\xCF\x64\xC0\xB4\xFF\x98\x93\x88\x8D\x16\xC8\x7B\xA3\x4D\x90\x78");\r
+ // libeay32.dll 1.0.2h\r
+ RegisterTrustedModuleSHA1Hash("\x27\x5F\x56\x01\xDC\xE5\xBA\xF8\x3E\x0E\x32\xB6\xCF\x6C\xF4\x1A\x08\x1E\x49\x16");\r
#endif\r
#endif\r
g_hOpenSSL = LoadLibrary("ssleay32.dll");\r