Description
ELSA-2024-2447: openssl and openssl-fips-provider security update (LOW)
openssl

[1:3.0.7-27.0.3]
- Enable openssl-fips-provider dependency [Orabug: 36504822]

[1:3.0.7-27.0.2]
- Temporarily disable openssl-fips-provider dependency [Orabug: 36504822]

[1:3.0.7-27.0.1]
- Replace upstream references [Orabug: 34340177]

[1:3.0.7-27]
- Use certified FIPS module instead of freshly built one in Red Hat distribution Related: RHEL-23474

[1:3.0.7-26]
- Avoid implicit function declaration when building openssl Related: RHEL-1780
- In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails Resolves: RHEL-17104
- Add a directory for OpenSSL providers configuration Resolves: RHEL-17193
- Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context Resolves: RHEL-19515
- POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129) Resolves: RHEL-21151
- Excessive time spent checking invalid RSA public keys (CVE-2023-6237) Resolves: RHEL-21654
- SSL ECDHE Kex fails when pkcs11 engine is set in config file Resolves: RHEL-20249
- Denial of service via null dereference in PKCS#12 Resolves: RHEL-22486
- Use certified FIPS module instead of freshly built one in Red Hat distribution Resolves: RHEL-23474

openssl-fips-provider

[3.0.7-2.0.1]
- Add bundle with Oracle Linux 9 OpenSSL FIPS Provider module files [Orabug: 36504822]
- Replace upstream references [Orabug: 34340177]

[3.0.7-2]
- Denote conflict with old versions of openssl-libs package Related: RHEL-23474

[3.0.7-1]
- Initial packaging
Updated packages

Oracle Linux 9

Oracle Linux aarch64
  openssl                 3.0.7-27.0.3.el9
  openssl-devel           3.0.7-27.0.3.el9
  openssl-fips-provider   3.0.7-2.0.1.el9
  openssl-libs            3.0.7-27.0.3.el9
  openssl-perl            3.0.7-27.0.3.el9

Oracle Linux x86_64
  openssl                 3.0.7-27.0.3.el9
  openssl-devel           3.0.7-27.0.3.el9
  openssl-fips-provider   3.0.7-2.0.1.el9
  openssl-libs            3.0.7-27.0.3.el9
  openssl-perl            3.0.7-27.0.3.el9
Source references

Related vulnerabilities
CVE-2023-6237

Issue summary: Checking excessively long invalid RSA public keys may take a long time.

Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service.

When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that applica...
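The cost asymmetry behind CVE-2023-6237 is easy to reproduce in miniature: a probabilistic compositeness test exits on the first witness for a genuine RSA modulus, but runs every round to completion when the attacker hands over a large prime instead. The following added example (not code from OpenSSL or from this advisory) models the public-key check with a Miller-Rabin test and shows the mitigation: bound the modulus size before any primality work is done. The 16384-bit bound is an assumption taken from OpenSSL's OPENSSL_RSA_MAX_MODULUS_BITS constant, and the exponent checks are a simplification of the real SP 800-56B checks; the function names, the KeyCheckError class and the sample moduli are all hypothetical.

```python
import random

# Assumed size bound: OpenSSL's OPENSSL_RSA_MAX_MODULUS_BITS is 16384; the
# post-fix check refuses to run the compositeness test on anything larger.
MAX_MODULUS_BITS = 16384
MR_ROUNDS = 64  # rounds the probabilistic test runs before accepting "probably prime"


class KeyCheckError(ValueError):
    """Raised when a public key is rejected; records how much primality work was done."""

    def __init__(self, reason, rounds_spent=0):
        super().__init__(reason)
        self.rounds_spent = rounds_spent


def miller_rabin(n, rounds, rng):
    """Probabilistic primality test. Returns (probably_prime, rounds_executed).

    A composite n is normally caught by the first witness, so the loop exits early;
    a prime n never produces a witness, so all `rounds` iterations run. That
    asymmetry is the cost profile described in the advisory text above.
    """
    if n < 4 or n % 2 == 0:
        return n in (2, 3), 0
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for i in range(1, rounds + 1):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False, i  # witness found: n is composite
    return True, rounds


def check_rsa_public(n, e, max_bits=MAX_MODULUS_BITS, rounds=MR_ROUNDS, rng=None):
    """Cheap structural checks first; the expensive compositeness test only for a
    modulus within the size bound (the ordering the fix enforces).

    Returns the number of primality rounds spent on an accepted key and raises
    KeyCheckError (carrying rounds_spent) for a rejected one.
    """
    rng = rng or random.Random(0)  # fixed seed so the example is reproducible
    nbits = n.bit_length()
    if nbits > max_bits:
        # Without this guard the primality test below would run on a modulus
        # no real key generator could have produced, for time that grows with nbits.
        raise KeyCheckError(f"modulus too large: {nbits} bits > {max_bits}")
    if n % 2 == 0:
        raise KeyCheckError("modulus is even")
    if e < 2 or e >= n or e % 2 == 0:
        raise KeyCheckError("public exponent out of range or even")  # simplified check
    probably_prime, spent = miller_rabin(n, rounds, rng)
    if probably_prime:
        raise KeyCheckError("modulus is not composite", rounds_spent=spent)
    return spent


if __name__ == "__main__":
    # Constructed sample keys: a toy composite modulus (61 * 53), a Mersenne prime
    # standing in for the attacker's "overly large prime", and an oversized modulus.
    for label, n, e in (("composite", 3233, 17),
                        ("prime", 2**127 - 1, 3),
                        ("oversized", (1 << 16384) | 1, 65537)):
        try:
            print(label, "accepted after", check_rsa_public(n, e), "round(s)")
        except KeyCheckError as err:
            print(label, "rejected:", err, "after", err.rounds_spent, "round(s)")
```

The oversized key is rejected with zero primality rounds spent, the prime modulus only after all 64 rounds, and the genuine composite is accepted after one or two rounds; scaled to a multi-thousand-bit prime, that last difference is the delay the advisory describes.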