Bug 769785 (CVE-2021-23840, CVE-2021-23841) - <dev-libs/openssl-1.1.1j: multiple vulnerabilities (CVE-2021-{23840,23841})
Summary: <dev-libs/openssl-1.1.1j: multiple vulnerabilities (CVE-2021-{23840,23841})
Status: RESOLVED FIXED
Alias: CVE-2021-23840, CVE-2021-23841
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-09 17:43 UTC by Sam James
Modified: 2021-04-03 19:23 UTC
CC List: 3 users

See Also:
Package list:
dev-libs/openssl-1.1.1j
Runtime testing required: ---
nattka: sanity-check-


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 17:43:28 UTC
"The OpenSSL project team would like to announce the forthcoming
release of OpenSSL version 1.1.1j.

This release will be made available on Tuesday 16th February 2021
between 1300-1700 UTC.

OpenSSL 1.1.1j is a security-fix release. The highest severity issue
fixed in this release is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

Yours

The OpenSSL Project Team"
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-16 16:22:02 UTC
1.1.1j is released:

    Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() function (CVE-2021-23841)
    Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks
    Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions (CVE-2021-23840)
    Fixed SRP_Calc_client_key so that it runs in constant time

Please bump.
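The bug's package atom "<dev-libs/openssl-1.1.1j" means every 1.1.1 build with a patch letter below "j" (and the unlettered 1.1.1) is in scope. Deciding that from an `openssl version` string is slightly tricky because the pre-3.0 OpenSSL scheme appends letters rather than a numeric patch level. The following is an added example written for this page, not code from Gentoo, OpenSSL or the bug reporter; the version strings in `CONSTRUCTED_SAMPLES` are made up for illustration, and only the fixed version 1.1.1j comes from the bug.

```python
"""Check whether an OpenSSL 1.1.1-series version string is older than the
1.1.1j fix release named in Gentoo bug 769785.

Added example for this page; not Gentoo or OpenSSL code."""
import re
import shutil
import subprocess

# Fixed version taken from the bug summary "<dev-libs/openssl-1.1.1j".
FIXED_VERSION = "1.1.1j"

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(ver: str):
    """Turn '1.1.1j', 'dev-libs/openssl-1.1.1j-r1' or the output of
    `openssl version` ('OpenSSL 1.1.1j  16 Feb 2021') into a sortable tuple.

    Pre-3.0 OpenSSL appends patch letters: 1.1.1 < 1.1.1a < ... < 1.1.1j.
    The unlettered release maps to an empty tuple, which sorts below 'a'.
    Double letters (e.g. 'za') are compared position by position."""
    m = _VERSION_RE.search(ver)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {ver!r}")
    major, minor, fix, letters = m.groups()
    letter_rank = tuple(ord(c) - ord("a") + 1 for c in letters)
    return (int(major), int(minor), int(fix), letter_rank)


def in_fixed_branch(ver: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `ver` is on the same major.minor.fix branch as `fixed`.
    The bug only covers dev-libs/openssl 1.1.1, so 1.0.2 or 3.0 builds
    cannot be judged by this comparison."""
    return parse_openssl_version(ver)[:3] == parse_openssl_version(fixed)[:3]


def is_below_fixed(ver: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `ver` is in the 1.1.1 branch and older than `fixed`.
    Raises ValueError for versions from another branch instead of
    silently reporting them as unaffected."""
    if not in_fixed_branch(ver, fixed):
        raise ValueError(
            f"{ver!r} is not on the {fixed} branch; this bug covers 1.1.1 only"
        )
    return parse_openssl_version(ver) < parse_openssl_version(fixed)


def installed_openssl_version() -> str:
    """Return the raw `openssl version` line of the binary on PATH,
    or an empty string when none is installed."""
    if shutil.which("openssl") is None:
        return ""
    return subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=False
    ).stdout.strip()


# Constructed sample inputs, not real output from any host.
CONSTRUCTED_SAMPLES = [
    "OpenSSL 1.1.1  11 Sep 2018",
    "OpenSSL 1.1.1i  8 Dec 2020",
    "dev-libs/openssl-1.1.1j",
    "dev-libs/openssl-1.1.1j-r1",
    "OpenSSL 1.1.1k  25 Mar 2021",
]


def classify(samples=CONSTRUCTED_SAMPLES):
    """Map each version string to 'below-fix' or 'fixed'."""
    return {s: ("below-fix" if is_below_fixed(s) else "fixed") for s in samples}


if __name__ == "__main__":
    for sample, verdict in classify().items():
        print(f"{sample:40s} -> {verdict}")
    live = installed_openssl_version()
    if live and in_fixed_branch(live):
        print(f"local: {live} -> {'below-fix' if is_below_fixed(live) else 'fixed'}")
```

The branch check is deliberate: an unscoped `version < 1.1.1j` comparison would mark a 1.0.2 build as "fixed", which is the wrong conclusion for a branch the bug says nothing about.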
Comment 2 Larry the Git Cow gentoo-dev 2021-02-16 18:14:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e046f5a13926d01660a6abfbe63dfeb15ac2adec

commit e046f5a13926d01660a6abfbe63dfeb15ac2adec
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-02-16 16:32:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-02-16 18:14:15 +0000

    dev-libs/openssl: bump to v1.1.1j
    
    Bug: https://bugs.gentoo.org/769785
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/openssl/Manifest              |   1 +
 dev-libs/openssl/openssl-1.1.1j.ebuild | 326 +++++++++++++++++++++++++++++++++
 2 files changed, 327 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 00:02:52 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 00:02:55 UTC
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 07:29:41 UTC
s390 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 07:32:15 UTC
sparc done
Comment 7 Fabian Groffen gentoo-dev 2021-02-18 07:40:08 UTC
Prefix done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 08:47:50 UTC
arm64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 08:49:33 UTC
ppc done
Comment 10 Rolf Eike Beer archtester 2021-02-18 18:31:23 UTC
hppa stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-18 20:20:23 UTC
ppc64 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 23:28:26 UTC
arm done

all arches done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 23:33:52 UTC
Please cleanup, thanks.
Comment 14 NATTkA bot gentoo-dev 2021-03-28 16:49:05 UTC Comment hidden (obsolete)
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2021-03-31 11:27:43 UTC
New GLSA request filed.
Comment 16 NATTkA bot gentoo-dev 2021-04-01 20:11:06 UTC
Unable to check for sanity:

> no match for package: dev-libs/openssl-1.1.1j
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2021-04-03 19:23:12 UTC
This issue was resolved and addressed in
 GLSA 202103-03 at https://security.gentoo.org/glsa/202103-03
by GLSA coordinator Thomas Deutschmann (whissi).