https://www.openssl.org/news/secadv/20230530.txt

"""
Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
=================================================================

Severity: Moderate

Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.

[...]
"""
Note that some of these vulnerabilities were fixed via backports a while ago in bug 902779 & bug 903545, so only the thing I mention in comment 0 is new here.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d17210a58009faca0a1bc9ef02d1c90826a9269

commit 2d17210a58009faca0a1bc9ef02d1c90826a9269
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-30 14:15:59 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-30 14:16:23 +0000

    dev-libs/openssl: add 3.1.1

    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest | 2 +
 dev-libs/openssl/openssl-3.1.1.ebuild | 276 ++++++++++++++++++++++++++++++++++
 2 files changed, 278 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36b7028bd1e91f33166a5794451f051a56d50d62

commit 36b7028bd1e91f33166a5794451f051a56d50d62
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-30 14:08:30 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-30 14:16:22 +0000

    dev-libs/openssl: add 3.0.9

    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest | 2 +
 dev-libs/openssl/openssl-3.0.9.ebuild | 273 ++++++++++++++++++++++++++++++++++
 2 files changed, 275 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4aa0cfc16f02cc06906f8aa226074b628a6ce67

commit a4aa0cfc16f02cc06906f8aa226074b628a6ce67
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-30 14:01:22 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-30 14:16:21 +0000

    dev-libs/openssl: add 1.1.1u

    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest | 2 +
 dev-libs/openssl/openssl-1.1.1u.ebuild | 265 +++++++++++++++++++++++++++++++++
 2 files changed, 267 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d737227c660e1f5c1442ed11dda5fb20ec6d09b

commit 6d737227c660e1f5c1442ed11dda5fb20ec6d09b
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-30 16:00:22 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-30 16:00:29 +0000

    dev-libs/openssl-compat: add 1.1.1u

    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl-compat/Manifest | 2 +
 .../openssl-compat/openssl-compat-1.1.1u.ebuild | 221 +++++++++++++++++++++
 2 files changed, 223 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14aa976d66d7789fa8fd8bd5fe34edad53d5ff9a

commit 14aa976d66d7789fa8fd8bd5fe34edad53d5ff9a
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:18:43 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:20:29 +0000

    dev-libs/openssl: drop 3.1.0-r3

    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest | 2 -
 .../files/openssl-3.1.0-CVE-2023-0464.patch | 214 ----------------
 .../files/openssl-3.1.0-CVE-2023-0465.patch | 46 ----
 .../files/openssl-3.1.0-CVE-2023-0466.patch | 41 ---
 .../files/openssl-3.1.0-CVE-2023-1255.patch | 40 ---
 dev-libs/openssl/openssl-3.1.0-r3.ebuild | 284 ---------------------
 6 files changed, 627 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c4610dbafdc773344fd62e49e27ada4c6b6dfd2

commit 6c4610dbafdc773344fd62e49e27ada4c6b6dfd2
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:17:11 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:20:25 +0000

    dev-libs/openssl: drop 1.1.1t-r3

    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest | 2 -
 .../files/openssl-1.1.1t-CVE-2023-0464.patch | 215 ----------------
 .../files/openssl-1.1.1t-CVE-2023-0465.patch | 48 ----
 .../files/openssl-1.1.1t-CVE-2023-0466.patch | 41 ----
 dev-libs/openssl/openssl-1.1.1t-r3.ebuild | 269 ---------------------
 5 files changed, 575 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a593ae96eb045245e5ad41879ce602f193d013f

commit 6a593ae96eb045245e5ad41879ce602f193d013f
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:16:57 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:20:12 +0000

    dev-libs/openssl: drop 1.1.1t-r1

    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/openssl-1.1.1t-r1.ebuild | 265 ------------------------------
 1 file changed, 265 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db09f5bac6ff132b69d3f723d4c93662c96ed72

commit 3db09f5bac6ff132b69d3f723d4c93662c96ed72
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:17:03 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:19:10 +0000

    dev-libs/openssl: drop 3.0.8-r4

    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest | 2 -
 .../files/openssl-3.0.8-CVE-2023-0464.patch | 214 ----------------
 .../files/openssl-3.0.8-CVE-2023-0465.patch | 46 ----
 .../files/openssl-3.0.8-CVE-2023-0466.patch | 41 ---
 .../files/openssl-3.0.8-CVE-2023-1255.patch | 40 ---
 .../openssl/files/openssl-3.0.8-mips-cflags.patch | 30 ---
 dev-libs/openssl/openssl-3.0.8-r4.ebuild | 281 ---------------------
 7 files changed, 654 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f353a9a7c6ffd4dd54f9b93774d103942a88892e

commit f353a9a7c6ffd4dd54f9b93774d103942a88892e
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-04 08:02:53 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-04 08:03:15 +0000

    [ GLSA 202402-08 ] OpenSSL: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/876787
    Bug: https://bugs.gentoo.org/893446
    Bug: https://bugs.gentoo.org/902779
    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Bug: https://bugs.gentoo.org/910556
    Bug: https://bugs.gentoo.org/911560
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-08.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)