[ALSA-2023:3722] openssl security and bug fix update
Severity
Moderate
Affected Packages
10
CVEs
5
openssl security and bug fix update
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
- openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
- openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)
- openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)
- openssl: Certificate policy check not enabled (CVE-2023-0466)
- openssl: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- In FIPS mode, openssl KDFs should only allow selected hash algorithms (BZ#2175860)
- In FIPS mode, openssl should reject short KDF input or output keys or provide an indicator (BZ#2175864)
- In FIPS mode, openssl should provide an indicator for AES-GCM to query whether the IV was generated internally or provided externally (BZ#2175868)
- openssl FIPS mode self-test should zeroize
outinverify_integrityin providers/fips/self_test.c (BZ#2175873) - In FIPS mode, openssl should not support RSA encryption or decryption without padding (outside of RSASVE) or provide an indicator (BZ#2178029)
- In FIPS mode, openssl should reject EVP_PKEY_fromdata() for short DHX keys, or provide an indicator (BZ#2178030)
- In FIPS mode, openssl should not use the legacy ECDSA_do_sign(), RSA_public_encrypt(), RSA_private_decrypt() functions for pairwise consistency tests (BZ#2178034)
- In FIPS mode, openssl should enter error state when DH PCT fails (BZ#2178039)
- In FIPS mode, openssl should always run the PBKDF2 lower bounds checks or provide an indicator when the pkcs5 parameter is set to 1 (BZ#2178137)
- Support requiring EMS in TLS 1.2, default to it when in FIPS mode (BZ#2188046)
- OpenSSL rsa_verify_recover doesn't use the same key checks as rsa_verify in FIPS mode (BZ#2188052)
- AlmaLinux9.0 - sshd dumps core when ibmca engine is configured with default_algorithms = CIPHERS or ALL (openssl) (BZ#2211396)
| Package | Affected Version |
|---|---|
 pkg:rpm/almalinux/openssl?arch=x86_64&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
|
pkg:rpm/almalinux/openssl?arch=aarch64&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
|
pkg:rpm/almalinux/openssl-perl?arch=x86_64&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
|
pkg:rpm/almalinux/openssl-perl?arch=aarch64&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
|
pkg:rpm/almalinux/openssl-libs?arch=x86_64&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
|
pkg:rpm/almalinux/openssl-libs?arch=i686&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
|
pkg:rpm/almalinux/openssl-libs?arch=aarch64&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
|
pkg:rpm/almalinux/openssl-devel?arch=x86_64&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
|
pkg:rpm/almalinux/openssl-devel?arch=i686&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
|
pkg:rpm/almalinux/openssl-devel?arch=aarch64&distro=almalinux-9.2
|
< 3.0.7-16.el9_2 |
- ID
- ALSA-2023:3722
- Severity
- moderate
- URL
- https://errata.almalinux.org/ALSA-2023:3722.html
- Published
-
2023-06-21T00:00:00
(15 months ago) - Modified
-
2023-06-23T14:32:26
(15 months ago) - Rights
- Copyright 2023 AlmaLinux OS
- Other Advisories
-
-
ALAS-2023-1762
-
ALAS2-2023-2039
-
ALAS2-2023-2073
-
ALAS2-2023-2097
-
ALAS2-2024-2502
-
ALPINE:CVE-2023-0464
-
ALPINE:CVE-2023-0465
-
ALPINE:CVE-2023-0466
-
ALPINE:CVE-2023-1255
-
ALPINE:CVE-2023-2650
-
ALSA-2023:6330
-
DSA-5417-1
-
ELSA-2023-12768
-
ELSA-2023-3722
-
ELSA-2023-6330
-
FEDORA-2023-026c8ba371
-
FEDORA-2023-964eb00fc6
-
FREEBSD:1BA034FB-CA38-11ED-B242-D4C9EF517024
-
FREEBSD:22DF5074-71CD-11EE-85EB-84A93843EB75
-
FREEBSD:425B9538-CE5F-11ED-ADE3-D4C9EF517024
-
FREEBSD:D86BECFE-05A4-11EE-9D4A-080027EDA32C
-
FREEBSD:EB9A3C57-FF9E-11ED-A0D1-84A93843EB75
-
GLSA-202402-08
-
MS:CVE-2023-0465
-
MS:CVE-2023-0466
-
MS:CVE-2023-2650
-
RHSA-2023:3722
-
RHSA-2023:6330
-
SSA:2023-150-01
-
SUSE-SU-2023:1703-1
-
SUSE-SU-2023:1704-1
-
SUSE-SU-2023:1737-1
-
SUSE-SU-2023:1738-1
-
SUSE-SU-2023:1745-1
-
SUSE-SU-2023:1746-1
-
SUSE-SU-2023:1747-1
-
SUSE-SU-2023:1748-1
-
SUSE-SU-2023:1754-1
-
SUSE-SU-2023:1764-1
-
SUSE-SU-2023:1790-1
-
SUSE-SU-2023:1794-1
-
SUSE-SU-2023:1898-1
-
SUSE-SU-2023:1907-1
-
SUSE-SU-2023:1908-1
-
SUSE-SU-2023:1911-1
-
SUSE-SU-2023:1912-1
-
SUSE-SU-2023:1914-1
-
SUSE-SU-2023:1922-1
-
SUSE-SU-2023:1926-1
-
SUSE-SU-2023:1960-1
-
SUSE-SU-2023:2327-1
-
SUSE-SU-2023:2328-1
-
SUSE-SU-2023:2329-1
-
SUSE-SU-2023:2330-1
-
SUSE-SU-2023:2331-1
-
SUSE-SU-2023:2332-1
-
SUSE-SU-2023:2342-1
-
SUSE-SU-2023:2343-1
-
SUSE-SU-2023:2469-1
-
SUSE-SU-2023:2470-1
-
SUSE-SU-2023:2471-1
-
SUSE-SU-2023:2620-1
-
USN-6039-1
-
USN-6119-1
-
USN-6188-1
-
USN-6672-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| RHSA | RHSA-2023:3722 |
|
|
| CVE | CVE-2023-0464 |
|
|
| CVE | CVE-2023-0465 |
|
|
| CVE | CVE-2023-0466 |
|
|
| CVE | CVE-2023-1255 |
|
|
| CVE | CVE-2023-2650 |
|
|
| Bugzilla | 2181082 |
|
|
| Bugzilla | 2182561 |
|
|
| Bugzilla | 2182565 |
|
|
| Bugzilla | 2188461 |
|
|
| Bugzilla | 2207947 |
|
|
| Self | ALSA-2023:3722 |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:rpm/almalinux/openssl?arch=x86_64&distro=almalinux-9.2 | almalinux |
openssl
|
< 3.0.7-16.el9_2 | almalinux-9.2 | x86_64 | |
| Affected | pkg:rpm/almalinux/openssl?arch=aarch64&distro=almalinux-9.2 | almalinux |
openssl
|
< 3.0.7-16.el9_2 | almalinux-9.2 | aarch64 | |
| Affected | pkg:rpm/almalinux/openssl-perl?arch=x86_64&distro=almalinux-9.2 | almalinux |
openssl-perl
|
< 3.0.7-16.el9_2 | almalinux-9.2 | x86_64 | |
| Affected | pkg:rpm/almalinux/openssl-perl?arch=aarch64&distro=almalinux-9.2 | almalinux |
openssl-perl
|
< 3.0.7-16.el9_2 | almalinux-9.2 | aarch64 | |
| Affected | pkg:rpm/almalinux/openssl-libs?arch=x86_64&distro=almalinux-9.2 | almalinux |
openssl-libs
|
< 3.0.7-16.el9_2 | almalinux-9.2 | x86_64 | |
| Affected | pkg:rpm/almalinux/openssl-libs?arch=i686&distro=almalinux-9.2 | almalinux |
openssl-libs
|
< 3.0.7-16.el9_2 | almalinux-9.2 | i686 | |
| Affected | pkg:rpm/almalinux/openssl-libs?arch=aarch64&distro=almalinux-9.2 | almalinux |
openssl-libs
|
< 3.0.7-16.el9_2 | almalinux-9.2 | aarch64 | |
| Affected | pkg:rpm/almalinux/openssl-devel?arch=x86_64&distro=almalinux-9.2 | almalinux |
openssl-devel
|
< 3.0.7-16.el9_2 | almalinux-9.2 | x86_64 | |
| Affected | pkg:rpm/almalinux/openssl-devel?arch=i686&distro=almalinux-9.2 | almalinux |
openssl-devel
|
< 3.0.7-16.el9_2 | almalinux-9.2 | i686 | |
| Affected | pkg:rpm/almalinux/openssl-devel?arch=aarch64&distro=almalinux-9.2 | almalinux |
openssl-devel
|
< 3.0.7-16.el9_2 | almalinux-9.2 | aarch64 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |