[ELSA-2022-9751] openssl security update
[3.0.1-41.0.1]
- Replace upstream references [Orabug: 34340177]
[1:3.0.1-41]
- Zeroize public keys as required by FIPS 140-3
Resolves: rhbz#2115861
- Add FIPS indicator for HKDF
Resolves: rhbz#2118388
[1:3.0.1-40]
- Deal with DH keys in FIPS mode according FIPS-140-3 requirements
Related: rhbz#2115856
- Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements
Related: rhbz#2115857
- Use signature for RSA pairwise test according FIPS-140-3 requirements
Related: rhbz#2115858
- Reseed all the parent DRBGs in chain on reseeding a DRBG
Related: rhbz#2115859
- Zeroization according to FIPS-140-3 requirements
Related: rhbz#2115861
[1:3.0.1-39]
- Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test
- Use Use digest_sign & digest_verify in FIPS signature self test
- Use FFDHE2048 in Diffie-Hellman FIPS self-test
Resolves: rhbz#2112978
[1:3.0.1-38]
- Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously
initialized.
Resolves: rhbz#2107530
- Improve AES-GCM performance on Power9 and Power10 ppc64le
Resolves: rhbz#2103044
- Improve ChaCha20 performance on Power10 ppc64le
Resolves: rhbz#2103044
[1:3.0.1-37]
- CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
Resolves: CVE-2022-2097
[1:3.0.1-36]
- Ciphersuites with RSAPSK KX should be filterd in FIPS mode
- Related: rhbz#2091994
- FIPS provider should block RSA encryption for key transport.
- Other RSA encryption options should still be available if key length is enough
- Related: rhbz#2091977
- Improve diagnostics when passing unsupported groups in TLS
- Related: rhbz#2086554
- Fix PPC64 Montgomery multiplication bug
- Related: rhbz#2101346
- Strict certificates validation shouldn't allow explicit EC parameters
- Related: rhbz#2085521
- CVE-2022-2068: the c_rehash script allows command injection
- Related: rhbz#2098276
[1:3.0.1-35]
- Add explicit indicators for signatures in FIPS mode and mark signature
primitives as unapproved.
Resolves: rhbz#2087234
[1:3.0.1-34]
- Some OpenSSL test certificates are expired, updating
- Resolves: rhbz#2095696
[1:3.0.1-33]
- CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
- Resolves: rhbz#2089443
- CVE-2022-1343 openssl: Signer certificate verification returned
inaccurate response when using OCSP_NOCHECKS
- Resolves: rhbz#2089439
- CVE-2022-1292 openssl: c_rehash script allows command injection
- Resolves: rhbz#2090361
- Revert 'Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode'
Related: rhbz#2087234
- Use KAT for ECDSA signature tests, s390 arch
- Resolves: rhbz#2086866
[1:3.0.1-32]
- openssl ecparam -list_curves lists only FIPS-approved curves in FIPS mode
- Resolves: rhbz#2091929
- Ciphersuites with RSA KX should be filterd in FIPS mode
- Related: rhbz#2091994
- In FIPS mode, signature verification works with keys of arbitrary size
above 2048 bit, and only with 1024, 1280, 1536, 1792 bits for keys
below 2048 bits
- Resolves: rhbz#2091938
[1:3.0.1-31]
- Disable SHA-1 signature verification in FIPS mode
- Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode
Resolves: rhbz#2087234
[1:3.0.1-30]
- Use KAT for ECDSA signature tests
- Resolves: rhbz#2086866
[1:3.0.1-29]
- -config argument of openssl app should work properly in FIPS mode
- Resolves: rhbz#2085500
- openssl req defaults on PKCS#8 encryption changed to AES-256-CBC
- Resolves: rhbz#2085499
[1:3.0.1-28]
- OpenSSL should not accept custom elliptic curve parameters
- Resolves rhbz#2085508
- OpenSSL should not accept explicit curve parameters in FIPS mode
- Resolves rhbz#2085521
[1:3.0.1-27]
- Change FIPS module version to include hash of specfile, patches and sources
Resolves: rhbz#2082585
[1:3.0.1-26]
- OpenSSL FIPS module should not build in non-approved algorithms
Resolves: rhbz#2082584
[1:3.0.1-25]
- FIPS provider should block RSA encryption for key transport.
- Other RSA encryption options should still be available
- Resolves: rhbz#2053289
[1:3.0.1-24]
- Fix occasional internal error in TLS when DHE is used
Resolves: rhbz#2080323
Package | Affected Version |
---|---|
pkg:rpm/oraclelinux/openssl?distro=oraclelinux-9.0 | < 3.0.1-41.0.1.ksplice1.el9_0 |
pkg:rpm/oraclelinux/openssl-perl?distro=oraclelinux-9.0 | < 3.0.1-41.0.1.ksplice1.el9_0 |
pkg:rpm/oraclelinux/openssl-libs?distro=oraclelinux-9.0 | < 3.0.1-41.0.1.ksplice1.el9_0 |
pkg:rpm/oraclelinux/openssl-devel?distro=oraclelinux-9.0 | < 3.0.1-41.0.1.ksplice1.el9_0 |
- ID
- ELSA-2022-9751
- Severity
- moderate
- URL
- https://linux.oracle.com/errata/ELSA-2022-9751.html
- Published
-
2022-08-31T00:00:00
(2 years ago) - Modified
-
2022-08-31T00:00:00
(2 years ago) - Rights
- Copyright 2022 Oracle, Inc.
- Other Advisories
-
- ALAS-2022-1605
- ALAS-2022-1626
- ALAS2-2022-1801
- ALAS2-2022-1815
- ALAS2-2022-1831
- ALAS2-2022-1832
- ALAS2-2023-1974
- ALAS2-2024-2502
- ALPINE:CVE-2022-1343
- ALPINE:CVE-2022-1473
- ALPINE:CVE-2022-2097
- ALSA-2022:5818
- ALSA-2022:6224
- DSA-5139-1
- DSA-5169-1
- DSA-5343-1
- ELSA-2022-5818
- ELSA-2022-6224
- ELSA-2022-9683
- FEDORA-2022-3b7d0abd0b
- FEDORA-2022-3fdc2d3047
- FEDORA-2022-41890e9e44
- FEDORA-2022-89a17be281
- FEDORA-2022-b651cb69e6
- FEDORA-2022-c9c02865f6
- FREEBSD:4B9C1C17-587C-11ED-856E-D4C9EF517024
- FREEBSD:4EEB93BF-F204-11EC-8FBD-D4C9EF517024
- FREEBSD:8E150606-08C9-11ED-856E-D4C9EF517024
- FREEBSD:A28E8B7E-FC70-11EC-856E-D4C9EF517024
- FREEBSD:B9210706-FEB0-11EC-81FA-1C697A616631
- FREEBSD:FCEB2B08-CB76-11EC-A06F-D4C9EF517024
- GLSA-202210-02
- MS:CVE-2022-1292
- MS:CVE-2022-2068
- MS:CVE-2022-2097
- openSUSE-SU-2022:2328-1
- RHSA-2022:5818
- RHSA-2022:6224
- RLSA-2022:5818
- RUSTSEC-2022-0025
- RUSTSEC-2022-0027
- RUSTSEC-2022-0032
- SECADV-20220503-1
- SECADV-20220503-2
- SECADV-20220503-4
- SECADV-20220621-1
- SECADV-20220705-1
- SSA:2022-124-02
- SSA:2022-174-01
- SSA:2022-179-03
- SSA:2022-186-01
- SUSE-SU-2022:2068-1
- SUSE-SU-2022:2075-1
- SUSE-SU-2022:2098-1
- SUSE-SU-2022:2106-1
- SUSE-SU-2022:2179-1
- SUSE-SU-2022:2180-1
- SUSE-SU-2022:2181-1
- SUSE-SU-2022:2182-1
- SUSE-SU-2022:2197-1
- SUSE-SU-2022:2251-1
- SUSE-SU-2022:2251-2
- SUSE-SU-2022:2306-1
- SUSE-SU-2022:2308-1
- SUSE-SU-2022:2309-1
- SUSE-SU-2022:2311-1
- SUSE-SU-2022:2312-1
- SUSE-SU-2022:2321-1
- SUSE-SU-2022:2328-1
- SUSE-SU-2022:2417-1
- USN-5402-1
- USN-5402-2
- USN-5488-1
- USN-5488-2
- USN-5502-1
- USN-6457-1
- USN-7018-1
Source | # ID | Name | URL |
---|---|---|---|
elsa | ELSA-2022-9751 | https://linux.oracle.com/errata/ELSA-2022-9751.html | |
CVE | CVE-2022-1292 | https://linux.oracle.com/cve/CVE-2022-1292.html | |
CVE | CVE-2022-2068 | https://linux.oracle.com/cve/CVE-2022-2068.html | |
CVE | CVE-2022-2097 | https://linux.oracle.com/cve/CVE-2022-2097.html | |
CVE | CVE-2022-1343 | https://linux.oracle.com/cve/CVE-2022-1343.html | |
CVE | CVE-2022-1473 | https://linux.oracle.com/cve/CVE-2022-1473.html |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/oraclelinux/openssl?distro=oraclelinux-9.0 | oraclelinux | openssl | < 3.0.1-41.0.1.ksplice1.el9_0 | oraclelinux-9.0 | ||
Affected | pkg:rpm/oraclelinux/openssl-perl?distro=oraclelinux-9.0 | oraclelinux | openssl-perl | < 3.0.1-41.0.1.ksplice1.el9_0 | oraclelinux-9.0 | ||
Affected | pkg:rpm/oraclelinux/openssl-libs?distro=oraclelinux-9.0 | oraclelinux | openssl-libs | < 3.0.1-41.0.1.ksplice1.el9_0 | oraclelinux-9.0 | ||
Affected | pkg:rpm/oraclelinux/openssl-devel?distro=oraclelinux-9.0 | oraclelinux | openssl-devel | < 3.0.1-41.0.1.ksplice1.el9_0 | oraclelinux-9.0 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |