https://www.openwall.com/lists/oss-security/2023/07/31/1
"""
OpenSSL Security Advisory [31st July 2023]
==========================================

Excessive time spent checking DH q parameter value (CVE-2023-3817)
==================================================================

Severity: Low

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

[...]
"""
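The advisory's point is that the cheap sanity check (a valid q must be smaller than p) has to run before the expensive checks, otherwise an untrusted parameter set can force a very long computation. The following is an added illustration, not code from this bug or from OpenSSL's source: a small DH parameter checker in which size and ordering checks gate the primality and subgroup-order checks. The function name dh_check_bounded, the ERR_* flags, the MAX_MODULUS_BITS limit and the Miller-Rabin helper are this example's own assumptions; OpenSSL's real limits and error codes differ.

```python
"""Cheap bound checks before expensive DH parameter checks (added example).

Mirrors the reasoning in CVE-2023-3817's advisory: a correct q cannot be
larger than p, so every q-dependent check is skipped once q >= p, and an
oversized modulus is rejected before any big-number arithmetic runs.
"""
import random  # used only for Miller-Rabin witness selection

# Constructed limit for this example; OpenSSL's own limits differ.
MAX_MODULUS_BITS = 10000

# Constructed error flags; the names are this example's own, not OpenSSL's.
ERR_P_TOO_LARGE = 1 << 0
ERR_Q_TOO_LARGE = 1 << 1     # q >= p: cannot be a valid subgroup order
ERR_G_OUT_OF_RANGE = 1 << 2  # generator must satisfy 1 < g < p - 1
ERR_P_NOT_PRIME = 1 << 3
ERR_Q_NOT_PRIME = 1 << 4
ERR_G_WRONG_ORDER = 1 << 5   # g^q mod p != 1


def is_probable_prime(n, rounds=8):
    """Miller-Rabin probable-prime test (constructed helper, not OpenSSL's)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def dh_check_bounded(p, q, g):
    """Return a bitmask of problems found; 0 means every check passed.

    The ordering is the whole point: bound checks first, so that an
    attacker-chosen parameter set cannot drive the slow primality and
    subgroup-order checks on numbers far larger than a usable modulus.
    """
    errors = 0
    if p.bit_length() > MAX_MODULUS_BITS:
        return ERR_P_TOO_LARGE  # refuse to do any big-number work at all
    if not 1 < g < p - 1:
        errors |= ERR_G_OUT_OF_RANGE
    if q is not None and q >= p:
        # A correct q cannot exceed p: skip every q-dependent check.
        return errors | ERR_Q_TOO_LARGE
    # Only now run the potentially slow checks, on values bounded by p.
    if not is_probable_prime(p):
        errors |= ERR_P_NOT_PRIME
    if q is not None:
        if not is_probable_prime(q):
            errors |= ERR_Q_NOT_PRIME
        elif not (errors & ERR_G_OUT_OF_RANGE) and pow(g, q, p) != 1:
            errors |= ERR_G_WRONG_ORDER
    return errors


if __name__ == "__main__":
    # Constructed toy parameters: p = 23, q = 11 (order of the subgroup
    # generated by g = 2), small enough to read by hand.
    print("good params:", dh_check_bounded(23, 11, 2))
    print("q larger than p:", dh_check_bounded(23, 29, 2))
    print("huge modulus:", dh_check_bounded(1 << 20000, 11, 2))
```

The early returns are deliberate: once q >= p or p exceeds the size limit there is nothing worth computing, so the function reports the bound violation and stops, which is the behaviour the advisory's fix introduces for DH_check().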
I'll do the bumps now.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b047d0148c912d45bb2beb4b1accbdfbd6abe11f

commit b047d0148c912d45bb2beb4b1accbdfbd6abe11f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-08-01 15:31:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-08-01 15:42:14 +0000

    dev-libs/openssl: add 3.1.2

    Bug: https://bugs.gentoo.org/911560
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest             |   2 +
 dev-libs/openssl/openssl-3.1.2.ebuild | 288 ++++++++++++++++++++++++++++++++++
 2 files changed, 290 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ae4e101b7c4b4e05dbf730fe3651850b98b81bf

commit 8ae4e101b7c4b4e05dbf730fe3651850b98b81bf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-08-01 15:24:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-08-01 15:42:13 +0000

    dev-libs/openssl: add 3.0.10

    Bug: https://bugs.gentoo.org/911560
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest              |   2 +
 dev-libs/openssl/openssl-3.0.10.ebuild | 285 +++++++++++++++++++++++++++++++++
 2 files changed, 287 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18e092d4054d90a203b2a3d8ebc53c7390789f4d

commit 18e092d4054d90a203b2a3d8ebc53c7390789f4d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-08-01 15:13:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-08-01 15:42:12 +0000

    dev-libs/openssl: add 1.1.1v

    Bug: https://bugs.gentoo.org/911560
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest              |   2 +
 dev-libs/openssl/openssl-1.1.1v.ebuild | 265 +++++++++++++++++++++++++++++++++
 2 files changed, 267 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03ed151102256c7905f06b5b6c88a448975c34ef

commit 03ed151102256c7905f06b5b6c88a448975c34ef
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-12-28 04:40:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-28 04:40:25 +0000

    dev-libs/openssl: drop 3.0.9-r1, 3.0.9-r2, 3.0.10

    Bug: https://bugs.gentoo.org/910556
    Bug: https://bugs.gentoo.org/916241
    Bug: https://bugs.gentoo.org/911560
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest                |   4 -
 dev-libs/openssl/openssl-3.0.10.ebuild   | 288 ------------------------------
 dev-libs/openssl/openssl-3.0.9-r1.ebuild | 286 ------------------------------
 dev-libs/openssl/openssl-3.0.9-r2.ebuild | 293 -------------------------------
 4 files changed, 871 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f353a9a7c6ffd4dd54f9b93774d103942a88892e

commit f353a9a7c6ffd4dd54f9b93774d103942a88892e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-04 08:02:53 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-04 08:03:15 +0000

    [ GLSA 202402-08 ] OpenSSL: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/876787
    Bug: https://bugs.gentoo.org/893446
    Bug: https://bugs.gentoo.org/902779
    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Bug: https://bugs.gentoo.org/910556
    Bug: https://bugs.gentoo.org/911560
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-08.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)