Description
ELSA-2026-50131: openssl security update (MODERATE)
[1:1.1.1k-15]
- Fix CVE-2025-69419: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing
- ticket_lifetime_hint exceeds 1 week in TLSv1.3 and breaks compliant clients
  Resolves: RHEL-149165
  Resolves: RHEL-142715
[1:1.1.1k-14.1]
- Backport fix for openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap
  Fix CVE-2025-9230
  Resolves: RHEL-128615
[1:1.1.1k-14]
- Backport fix for SSL_select_next_proto from OpenSSL 3.2
  Fix CVE-2024-5535
  Resolves: RHEL-45654
Updated packages
Oracle Linux 8
Oracle Linux aarch64
openssl          1.1.1k-15.ksplice1.el8_6
openssl-devel    1.1.1k-15.ksplice1.el8_6
openssl-libs     1.1.1k-15.ksplice1.el8_6
openssl-perl     1.1.1k-15.ksplice1.el8_6
openssl-static   1.1.1k-15.ksplice1.el8_6
Oracle Linux x86_64
openssl          1.1.1k-15.ksplice1.el8_6
openssl-devel    1.1.1k-15.ksplice1.el8_6
openssl-libs     1.1.1k-15.ksplice1.el8_6
openssl-perl     1.1.1k-15.ksplice1.el8_6
Related CVEs
Related vulnerabilities
Issue summary: Calling the PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing a non-ASCII BMP code point can trigger a one-byte write before the allocated buffer.

Impact summary: The out-of-bounds write can cause memory corruption, which can have various consequences including a Denial of Service.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, caus...
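As an added illustration of the defect class described in the issue summary (this is example code written for this page, not OpenSSL's source), the two-pass BMPString-to-UTF-8 conversion below passes the destination capacity, not the remaining source byte count, to the encoder and treats its -1 return as fatal instead of adding it to the length. utf8_putc() is a constructed stand-in for OpenSSL's UTF8_putc(), and bmpstring_to_utf8() is a hypothetical name, not OpenSSL's bmp_to_utf8(); surrogate pairs are rejected rather than combined, so only the BMP is handled.

```c
#include <stdlib.h>

/* Constructed stand-in for OpenSSL's UTF8_putc(): encode one code point into
 * out (room for cap bytes); return bytes written, or -1 if it does not fit or
 * the value is not a valid scalar (surrogates and > U+10FFFF are rejected). */
static int utf8_putc(unsigned char *out, int cap, unsigned long cp)
{
    int need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF || cap < need)
        return -1;
    switch (need) {
    case 1: out[0] = (unsigned char)cp; break;
    case 2: out[0] = 0xC0 | (cp >> 6); out[1] = 0x80 | (cp & 0x3F); break;
    case 3: out[0] = 0xE0 | (cp >> 12); out[1] = 0x80 | ((cp >> 6) & 0x3F);
            out[2] = 0x80 | (cp & 0x3F); break;
    default: out[0] = 0xF0 | (cp >> 18); out[1] = 0x80 | ((cp >> 12) & 0x3F);
             out[2] = 0x80 | ((cp >> 6) & 0x3F); out[3] = 0x80 | (cp & 0x3F);
    }
    return need;
}

/* Two-pass UTF-16BE (BMPString) to UTF-8 conversion (hypothetical helper).
 * Both passes hand utf8_putc() the capacity of the DESTINATION and treat a
 * negative return as fatal, so the running length can never go negative and
 * the trailing NUL always lands inside the allocation. NULL on any error. */
char *bmpstring_to_utf8(const unsigned char *uni, int unilen, int *outlen)
{
    int i, n, w, len = 0;
    unsigned char scratch[4]; char *out;
    if (uni == NULL || unilen < 0 || (unilen & 1))
        return NULL;                              /* odd length: not UTF-16 */
    for (i = 0; i < unilen; i += 2) {             /* pass 1: size the output */
        unsigned long cp = ((unsigned long)uni[i] << 8) | uni[i + 1];
        if ((w = utf8_putc(scratch, (int)sizeof scratch, cp)) < 0)
            return NULL;
        len += w;
    }
    if ((out = malloc((size_t)len + 1)) == NULL)
        return NULL;
    for (i = 0, n = 0; i < unilen; i += 2) {      /* pass 2: emit the bytes */
        unsigned long cp = ((unsigned long)uni[i] << 8) | uni[i + 1];
        w = utf8_putc((unsigned char *)out + n, len - n, cp);
        if (w < 0) { free(out); return NULL; }    /* never trust pass 1 */
        n += w;
    }
    out[n] = '\0';                                /* n == len: in bounds */
    if (outlen != NULL) *outlen = n;
    return out;
}
```

The first assertion pattern to keep in a regression test is the advisory's exact trigger: a code point above U+07FF offered a two-byte capacity must yield -1 and the caller must fail closed rather than shrink its length.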