""" Unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511) ======================================================================== Severity: Low Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. OpenSSL 3.2, 3.1, 3.0, 1.1.1 are vulnerable to this issue. OpenSSL 3.2 users should upgrade to OpenSSL 3.2.2 once it is released. OpenSSL 3.1 users should upgrade to OpenSSL 3.1.6 once it is released. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.14 once it is released. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1y once it is released (premium support customers only). Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. The fix is also available in commit e9d7083e (for 3.2), commit 7e4d731b (for 3.1) and commit b52867a9 (for 3.0) in the OpenSSL git repository. It is available to premium support customers in commit 5f8d2577 (for 1.1.1). This issue was reported on 27th February 2024 by Manish Patidar (Hewlett Packard Enterprise). The fix was developed by Matt Caswell. """
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccf71abfb2591dbf4b65f1db957596562234cb82 commit ccf71abfb2591dbf4b65f1db957596562234cb82 Author: Sam James <sam@gentoo.org> AuthorDate: 2024-04-15 07:15:58 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-04-15 07:16:11 +0000 dev-libs/openssl: fix CVE-2024-2511 for 3.2.1 Bug: https://bugs.gentoo.org/930047 Signed-off-by: Sam James <sam@gentoo.org> .../files/openssl-3.2.1-CVE-2024-2511.patch | 137 +++++++++ dev-libs/openssl/openssl-3.2.1-r2.ebuild | 307 +++++++++++++++++++++ 2 files changed, 444 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=636d49c76a46cd0bbe86a1eb9c64880b34036c43 commit 636d49c76a46cd0bbe86a1eb9c64880b34036c43 Author: Sam James <sam@gentoo.org> AuthorDate: 2024-04-15 07:08:32 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-04-15 07:16:10 +0000 dev-libs/openssl: fix CVE-2024-2511 for 3.1.5 Bug: https://bugs.gentoo.org/930047 Signed-off-by: Sam James <sam@gentoo.org> .../files/openssl-3.1.5-CVE-2024-2511.patch | 137 ++++++++++ dev-libs/openssl/openssl-3.1.5-r2.ebuild | 286 +++++++++++++++++++++ 2 files changed, 423 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84e42134da6902dd0b2f9d224127defa9b5ef21f commit 84e42134da6902dd0b2f9d224127defa9b5ef21f Author: Sam James <sam@gentoo.org> AuthorDate: 2024-04-15 07:01:15 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-04-15 07:16:10 +0000 dev-libs/openssl: fix CVE-2024-2511 for 3.0.13 Bug: https://bugs.gentoo.org/930047 Signed-off-by: Sam James <sam@gentoo.org> .../files/openssl-3.0.13-CVE-2024-2511.patch | 141 +++++++++++ dev-libs/openssl/openssl-3.0.13-r1.ebuild | 282 +++++++++++++++++++++ 2 files changed, 423 insertions(+)
