- https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465

  """
  CVE-2023-0465
  Invalid certificate policies in leaf certificates are silently ignored [Low severity]
  23 March 2023:

  Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

  Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.

  Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

  Found by David Benjamin (Google). Fix developed by Matt Caswell.

  Fixed in OpenSSL 3.1.1 (git commit) (Affected since 3.1.0)
  Fixed in OpenSSL 3.0.9 (git commit) (Affected since 3.0.0)
  Fixed in OpenSSL 1.1.1u (git commit) (Affected since 1.1.1)
  Fixed in OpenSSL 1.0.2zh (Affected since 1.0.2)
  """

- https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466

  """
  CVE-2023-0466
  Certificate policy check not enabled [Low severity]
  21 March 2023:

  The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.

  As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function.

  Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.

  Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

  Found by David Benjamin (Google). Fix developed by Tomas Mraz.

  Fixed in OpenSSL 3.1.1 (git commit) (Affected since 3.1.0)
  Fixed in OpenSSL 3.0.9 (git commit) (Affected since 3.0.0)
  Fixed in OpenSSL 1.1.1u (git commit) (Affected since 1.1.1)
  Fixed in OpenSSL 1.0.2zh (Affected since 1.0.2)
  """
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14aa976d66d7789fa8fd8bd5fe34edad53d5ff9a
commit 14aa976d66d7789fa8fd8bd5fe34edad53d5ff9a
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:18:43 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:20:29 +0000

    dev-libs/openssl: drop 3.1.0-r3

    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest                     |   2 -
 .../files/openssl-3.1.0-CVE-2023-0464.patch   | 214 ----------------
 .../files/openssl-3.1.0-CVE-2023-0465.patch   |  46 ----
 .../files/openssl-3.1.0-CVE-2023-0466.patch   |  41 ---
 .../files/openssl-3.1.0-CVE-2023-1255.patch   |  40 ---
 dev-libs/openssl/openssl-3.1.0-r3.ebuild      | 284 ---------------------
 6 files changed, 627 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c4610dbafdc773344fd62e49e27ada4c6b6dfd2
commit 6c4610dbafdc773344fd62e49e27ada4c6b6dfd2
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:17:11 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:20:25 +0000

    dev-libs/openssl: drop 1.1.1t-r3

    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest                      |   2 -
 .../files/openssl-1.1.1t-CVE-2023-0464.patch   | 215 ----------------
 .../files/openssl-1.1.1t-CVE-2023-0465.patch   |  48 ----
 .../files/openssl-1.1.1t-CVE-2023-0466.patch   |  41 ----
 dev-libs/openssl/openssl-1.1.1t-r3.ebuild      | 269 ---------------------
 5 files changed, 575 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a593ae96eb045245e5ad41879ce602f193d013f
commit 6a593ae96eb045245e5ad41879ce602f193d013f
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:16:57 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:20:12 +0000

    dev-libs/openssl: drop 1.1.1t-r1

    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/openssl-1.1.1t-r1.ebuild | 265 ------------------------------
 1 file changed, 265 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db09f5bac6ff132b69d3f723d4c93662c96ed72
commit 3db09f5bac6ff132b69d3f723d4c93662c96ed72
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:17:03 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:19:10 +0000

    dev-libs/openssl: drop 3.0.8-r4

    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest                         |   2 -
 .../files/openssl-3.0.8-CVE-2023-0464.patch       | 214 ----------------
 .../files/openssl-3.0.8-CVE-2023-0465.patch       |  46 ----
 .../files/openssl-3.0.8-CVE-2023-0466.patch       |  41 ---
 .../files/openssl-3.0.8-CVE-2023-1255.patch       |  40 ---
 .../openssl/files/openssl-3.0.8-mips-cflags.patch |  30 ---
 dev-libs/openssl/openssl-3.0.8-r4.ebuild          | 281 ---------------------
 7 files changed, 654 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f353a9a7c6ffd4dd54f9b93774d103942a88892e
commit f353a9a7c6ffd4dd54f9b93774d103942a88892e
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-04 08:02:53 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-04 08:03:15 +0000

    [ GLSA 202402-08 ] OpenSSL: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/876787
    Bug: https://bugs.gentoo.org/893446
    Bug: https://bugs.gentoo.org/902779
    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Bug: https://bugs.gentoo.org/910556
    Bug: https://bugs.gentoo.org/911560
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-08.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)