[ALSA-2023:3722] openssl security and bug fix update
Severity
Moderate
Affected Packages
10
CVEs
5
openssl security and bug fix update
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
- openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
- openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)
- openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)
- openssl: Certificate policy check not enabled (CVE-2023-0466)
- openssl: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- In FIPS mode, openssl KDFs should only allow selected hash algorithms (BZ#2175860)
- In FIPS mode, openssl should reject short KDF input or output keys or provide an indicator (BZ#2175864)
- In FIPS mode, openssl should provide an indicator for AES-GCM to query whether the IV was generated internally or provided externally (BZ#2175868)
- openssl FIPS mode self-test should zeroize
out
inverify_integrity
in providers/fips/self_test.c (BZ#2175873) - In FIPS mode, openssl should not support RSA encryption or decryption without padding (outside of RSASVE) or provide an indicator (BZ#2178029)
- In FIPS mode, openssl should reject EVP_PKEY_fromdata() for short DHX keys, or provide an indicator (BZ#2178030)
- In FIPS mode, openssl should not use the legacy ECDSA_do_sign(), RSA_public_encrypt(), RSA_private_decrypt() functions for pairwise consistency tests (BZ#2178034)
- In FIPS mode, openssl should enter error state when DH PCT fails (BZ#2178039)
- In FIPS mode, openssl should always run the PBKDF2 lower bounds checks or provide an indicator when the pkcs5 parameter is set to 1 (BZ#2178137)
- Support requiring EMS in TLS 1.2, default to it when in FIPS mode (BZ#2188046)
- OpenSSL rsa_verify_recover doesn't use the same key checks as rsa_verify in FIPS mode (BZ#2188052)
- AlmaLinux9.0 - sshd dumps core when ibmca engine is configured with default_algorithms = CIPHERS or ALL (openssl) (BZ#2211396)
Package | Affected Version |
---|---|
pkg:rpm/almalinux/openssl?arch=x86_64&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
pkg:rpm/almalinux/openssl?arch=aarch64&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
pkg:rpm/almalinux/openssl-perl?arch=x86_64&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
pkg:rpm/almalinux/openssl-perl?arch=aarch64&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
pkg:rpm/almalinux/openssl-libs?arch=x86_64&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
pkg:rpm/almalinux/openssl-libs?arch=i686&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
pkg:rpm/almalinux/openssl-libs?arch=aarch64&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
pkg:rpm/almalinux/openssl-devel?arch=x86_64&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
pkg:rpm/almalinux/openssl-devel?arch=i686&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
pkg:rpm/almalinux/openssl-devel?arch=aarch64&distro=almalinux-9.2 | < 3.0.7-16.el9_2 |
- ID
- ALSA-2023:3722
- Severity
- moderate
- URL
- https://errata.almalinux.org/ALSA-2023:3722.html
- Published
-
2023-06-21T00:00:00
(15 months ago) - Modified
-
2023-06-23T14:32:26
(15 months ago) - Rights
- Copyright 2023 AlmaLinux OS
- Other Advisories
-
- ALAS-2023-1762
- ALAS2-2023-2039
- ALAS2-2023-2073
- ALAS2-2023-2097
- ALAS2-2024-2502
- ALPINE:CVE-2023-0464
- ALPINE:CVE-2023-0465
- ALPINE:CVE-2023-0466
- ALPINE:CVE-2023-1255
- ALPINE:CVE-2023-2650
- ALSA-2023:6330
- DSA-5417-1
- ELSA-2023-12768
- ELSA-2023-3722
- ELSA-2023-6330
- FEDORA-2023-026c8ba371
- FEDORA-2023-964eb00fc6
- FREEBSD:1BA034FB-CA38-11ED-B242-D4C9EF517024
- FREEBSD:22DF5074-71CD-11EE-85EB-84A93843EB75
- FREEBSD:425B9538-CE5F-11ED-ADE3-D4C9EF517024
- FREEBSD:D86BECFE-05A4-11EE-9D4A-080027EDA32C
- FREEBSD:EB9A3C57-FF9E-11ED-A0D1-84A93843EB75
- GLSA-202402-08
- MS:CVE-2023-0465
- MS:CVE-2023-0466
- MS:CVE-2023-2650
- RHSA-2023:3722
- RHSA-2023:6330
- SSA:2023-150-01
- SUSE-SU-2023:1703-1
- SUSE-SU-2023:1704-1
- SUSE-SU-2023:1737-1
- SUSE-SU-2023:1738-1
- SUSE-SU-2023:1745-1
- SUSE-SU-2023:1746-1
- SUSE-SU-2023:1747-1
- SUSE-SU-2023:1748-1
- SUSE-SU-2023:1754-1
- SUSE-SU-2023:1764-1
- SUSE-SU-2023:1790-1
- SUSE-SU-2023:1794-1
- SUSE-SU-2023:1898-1
- SUSE-SU-2023:1907-1
- SUSE-SU-2023:1908-1
- SUSE-SU-2023:1911-1
- SUSE-SU-2023:1912-1
- SUSE-SU-2023:1914-1
- SUSE-SU-2023:1922-1
- SUSE-SU-2023:1926-1
- SUSE-SU-2023:1960-1
- SUSE-SU-2023:2327-1
- SUSE-SU-2023:2328-1
- SUSE-SU-2023:2329-1
- SUSE-SU-2023:2330-1
- SUSE-SU-2023:2331-1
- SUSE-SU-2023:2332-1
- SUSE-SU-2023:2342-1
- SUSE-SU-2023:2343-1
- SUSE-SU-2023:2469-1
- SUSE-SU-2023:2470-1
- SUSE-SU-2023:2471-1
- SUSE-SU-2023:2620-1
- USN-6039-1
- USN-6119-1
- USN-6188-1
- USN-6672-1
Source | # ID | Name | URL |
---|---|---|---|
RHSA | RHSA-2023:3722 | https://access.redhat.com/errata/RHSA-2023:3722 | |
CVE | CVE-2023-0464 | https://access.redhat.com/security/cve/CVE-2023-0464 | |
CVE | CVE-2023-0465 | https://access.redhat.com/security/cve/CVE-2023-0465 | |
CVE | CVE-2023-0466 | https://access.redhat.com/security/cve/CVE-2023-0466 | |
CVE | CVE-2023-1255 | https://access.redhat.com/security/cve/CVE-2023-1255 | |
CVE | CVE-2023-2650 | https://access.redhat.com/security/cve/CVE-2023-2650 | |
Bugzilla | 2181082 | https://bugzilla.redhat.com/2181082 | |
Bugzilla | 2182561 | https://bugzilla.redhat.com/2182561 | |
Bugzilla | 2182565 | https://bugzilla.redhat.com/2182565 | |
Bugzilla | 2188461 | https://bugzilla.redhat.com/2188461 | |
Bugzilla | 2207947 | https://bugzilla.redhat.com/2207947 | |
Self | ALSA-2023:3722 | https://errata.almalinux.org/9/ALSA-2023-3722.html |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/almalinux/openssl?arch=x86_64&distro=almalinux-9.2 | almalinux | openssl | < 3.0.7-16.el9_2 | almalinux-9.2 | x86_64 | |
Affected | pkg:rpm/almalinux/openssl?arch=aarch64&distro=almalinux-9.2 | almalinux | openssl | < 3.0.7-16.el9_2 | almalinux-9.2 | aarch64 | |
Affected | pkg:rpm/almalinux/openssl-perl?arch=x86_64&distro=almalinux-9.2 | almalinux | openssl-perl | < 3.0.7-16.el9_2 | almalinux-9.2 | x86_64 | |
Affected | pkg:rpm/almalinux/openssl-perl?arch=aarch64&distro=almalinux-9.2 | almalinux | openssl-perl | < 3.0.7-16.el9_2 | almalinux-9.2 | aarch64 | |
Affected | pkg:rpm/almalinux/openssl-libs?arch=x86_64&distro=almalinux-9.2 | almalinux | openssl-libs | < 3.0.7-16.el9_2 | almalinux-9.2 | x86_64 | |
Affected | pkg:rpm/almalinux/openssl-libs?arch=i686&distro=almalinux-9.2 | almalinux | openssl-libs | < 3.0.7-16.el9_2 | almalinux-9.2 | i686 | |
Affected | pkg:rpm/almalinux/openssl-libs?arch=aarch64&distro=almalinux-9.2 | almalinux | openssl-libs | < 3.0.7-16.el9_2 | almalinux-9.2 | aarch64 | |
Affected | pkg:rpm/almalinux/openssl-devel?arch=x86_64&distro=almalinux-9.2 | almalinux | openssl-devel | < 3.0.7-16.el9_2 | almalinux-9.2 | x86_64 | |
Affected | pkg:rpm/almalinux/openssl-devel?arch=i686&distro=almalinux-9.2 | almalinux | openssl-devel | < 3.0.7-16.el9_2 | almalinux-9.2 | i686 | |
Affected | pkg:rpm/almalinux/openssl-devel?arch=aarch64&distro=almalinux-9.2 | almalinux | openssl-devel | < 3.0.7-16.el9_2 | almalinux-9.2 | aarch64 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |