| Summary: | <dev-libs/openssl-{3.0.15, 3.1.7, 3.2.3, 3.3.2}: denial of service | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jacekalex <wampir98> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | | |
| Severity: | normal | CC: | base-system, bertrand |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [stable] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 940192, 939499 | | |
| Bug Blocks: | | | |
Description
Jacekalex
2024-09-05 11:56:16 UTC
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected; the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a "reference identifier" (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.

OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.2
OpenSSL 3.2 users should upgrade to OpenSSL 3.2.3
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.7
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.15

I've classified this B3 since this only happens in very uncommon code paths and not in normal regular usage of openssl.
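Added example, not part of this bug report or of Gentoo's or OpenSSL's own tooling: a small Python check that maps an `openssl version` banner to the fixed releases named in the advisory above, for auditing hosts before and after the stabilisation. It assumes that branches the advisory does not name (1.0.2, 1.1.1, and anything newer than 3.3) are unaffected, and the sample banners are constructed.

```python
import re

# First release of each 3.x branch that carries the fix, per the advisory
# quoted in this bug. 1.1.1 and 1.0.2 are listed there as not affected.
FIXED = {
    (3, 0): (3, 0, 15),
    (3, 1): (3, 1, 7),
    (3, 2): (3, 2, 3),
    (3, 3): (3, 3, 2),
}

# Matches the leading "OpenSSL X.Y.Z" of `openssl version` output; the
# optional trailing letter of pre-3.0 releases (e.g. 1.1.1w) is consumed
# but not used, since those branches are unaffected anyway.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(banner):
    """True if the library in `banner` predates the fix for its branch.

    Only applications that ask the library for a name check (an expected
    DNS name, email address or IP address) can reach the crash, so True
    means "upgrade this host", not "every linked program will crash".
    Assumption: branches the advisory does not name (1.0.2, 1.1.1, and
    anything newer than 3.3) are treated as unaffected.
    """
    v = parse_version(banner)
    if v is None:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


if __name__ == "__main__":
    # Constructed sample banners, not output captured from a real host.
    samples = [
        "OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)",
        "OpenSSL 3.0.15 3 Sep 2024",
        "OpenSSL 3.3.1 4 Jun 2024",
        "OpenSSL 1.1.1w  11 Sep 2023",
    ]
    for s in samples:
        print(f"{'AFFECTED' if is_affected(s) else 'ok      '}  {s}")
```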
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25644e8b7055a502ed7d49f0b4c5d51670385bc4

commit 25644e8b7055a502ed7d49f0b4c5d51670385bc4
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-09-20 09:09:54 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-09-20 09:43:07 +0000

dev-libs/openssl: add 3.0.15

Bug: https://bugs.gentoo.org/939110
Signed-off-by: Sam James <sam@gentoo.org>

dev-libs/openssl/Manifest | 2 +
dev-libs/openssl/openssl-3.0.15.ebuild | 283 +++++++++++++++++++++++++++++++++
2 files changed, 285 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=281153f87c742deb7e7020cfeda4cf610821ed6e

commit 281153f87c742deb7e7020cfeda4cf610821ed6e
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-09-20 09:01:26 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-09-20 09:43:06 +0000

dev-libs/openssl: add 3.3.2

Bug: https://bugs.gentoo.org/939110
Signed-off-by: Sam James <sam@gentoo.org>

dev-libs/openssl/Manifest | 2 +
dev-libs/openssl/openssl-3.3.2.ebuild | 300 ++++++++++++++++++++++++++++++++++
2 files changed, 302 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f93db2b73aa60f6fe6fa47014c0f0cddbb5c7d90

commit f93db2b73aa60f6fe6fa47014c0f0cddbb5c7d90
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-09-20 08:49:02 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-09-20 09:43:06 +0000

sec-keys/openpgp-keys-openssl: add 20240920

With the big rework upstream mentioned in 03960013634a39f41a1e0fdc7daabf29a6f4e5b5, they seem to have changed their signing setup again. Per https://openssl-library.org/source/, we now have:
"""
PGP keys for the signatures of old releases are available from the OTC page and can also be signed with a key with the fingerprint: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5. The current releases are signed by the OpenSSL key with fingerprint BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF.
"""
We keep the older keys in this package's keyring for now to allow older versions of openssl to be verified rather than having awkward deps.

Bug: https://bugs.gentoo.org/939110
Signed-off-by: Sam James <sam@gentoo.org>

sec-keys/openpgp-keys-openssl/Manifest | 1 +
.../openpgp-keys-openssl-20240920.ebuild | 65 ++++++++++++++++++++++
2 files changed, 66 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15604b22b7a3e1af834f1a3a12cdc4b8f8266229

commit 15604b22b7a3e1af834f1a3a12cdc4b8f8266229
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-09-20 09:57:38 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-09-20 09:57:38 +0000

dev-libs/openssl: add 3.2.3

Bug: https://bugs.gentoo.org/939110
Signed-off-by: Sam James <sam@gentoo.org>

dev-libs/openssl/Manifest | 2 +
dev-libs/openssl/openssl-3.2.3.ebuild | 302 ++++++++++++++++++++++++++++++++++
2 files changed, 304 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aedc85a60e6270569ce3d8c9c3dff0fa8739790e

commit aedc85a60e6270569ce3d8c9c3dff0fa8739790e
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-09-20 09:49:07 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-09-20 09:49:07 +0000

dev-libs/openssl: add 3.1.7

Bug: https://bugs.gentoo.org/939110
Signed-off-by: Sam James <sam@gentoo.org>

dev-libs/openssl/Manifest | 2 +
dev-libs/openssl/openssl-3.1.7.ebuild | 284 ++++++++++++++++++++++++++++++++++
2 files changed, 286 insertions(+)