ALSA-2023:0946

[ALSA-2023:0946] Moderate: openssl security and bug fix update

Type:

security

Severity:

moderate

Release date:

2023-02-28

Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* openssl: read buffer overflow in X.509 certificate verification (CVE-2022-4203)
* openssl: timing attack in RSA Decryption implementation (CVE-2022-4304)
* openssl: double free after calling PEM_read_bio_ex (CVE-2022-4450)
* openssl: use-after-free following BIO_new_NDEF (CVE-2023-0215)
* openssl: invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216)
* openssl: NULL dereference validating DSA public key (CVE-2023-0217)
* openssl: X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
* openssl: NULL dereference during PKCS7 data verification (CVE-2023-0401)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* HMAC generation should reject key lengths < 112 bits or provide an indicator in FIPS mode (BZ#2144000)
* In FIPS mode, openssl should set a minimum length for passwords in PBKDF2 (BZ#2144003)
* stunnel consumes high amount of memory when pestered with TCP connections without a TLS handshake (BZ#2144008)
* In FIPS mode, openssl should reject SHAKE as digest for RSA-OAEP or provide an indicator (BZ#2144010)
* In FIPS mode, openssl should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator (BZ#2144012)
* In FIPS mode, openssl should reject RSA signatures with X9.31 padding, or provide an indicator (BZ#2144015)
* In FIPS mode, openssl should reject SHA-224, SHA-384, SHA-512-224, and SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after 2023-05-16 (BZ#2144017)
* In FIPS mode, openssl should reject KDF input and output key lengths < 112 bits or provide an indicator (BZ#2144019)
* In FIPS mode, openssl should reject RSA keys < 2048 bits when using EVP_PKEY_decapsulate, or provide an indicator (BZ#2145170)
* AlmaLinux9.1 Nightly[0912] - error:03000093:digital envelope routines::command not supported when git clone is run with configured ibmca engine backed by libica.so.4 (OpenSSL 3.0) (BZ#2149010)
* OpenSSL FIPS checksum code needs update (BZ#2158412)

References:

Updated packages listed below:

Architecture	Package	Checksum
aarch64	openssl-perl-3.0.1-47.el9_1.aarch64.rpm	424415fc6295c6bdd264ff2d7ad6a0694c490a64bd01307cb7f2e16da48922c9
aarch64	openssl-3.0.1-47.el9_1.aarch64.rpm	452be58430c790f862344449b7fa729dbc58fec662ba072bae3e46b3aefb20c7
aarch64	openssl-libs-3.0.1-47.el9_1.aarch64.rpm	6d83b88a919909c2a4dd310a2f22d6a61c8abd313bf65d142c96fad2ec089779
aarch64	openssl-devel-3.0.1-47.el9_1.aarch64.rpm	c56b1052db8412f92fd263ccae582e4a05f3dfdbb7d04f15556f0c5e61a16919
i686	openssl-libs-3.0.1-47.el9_1.i686.rpm	57df9f5e63ab39844acc175505d7d88ca13920970831afbc756883ac4596b2ee
i686	openssl-devel-3.0.1-47.el9_1.i686.rpm	b2d37c816aba81b64f4ef993cad7add3c3cd631e278f1bc8eaeaf52294ff9284
ppc64le	openssl-perl-3.0.1-47.el9_1.ppc64le.rpm	0c074e3a4969a4e69feb68c39a5ceff4f5b21d10669c63ab3b20b85f0217930f
ppc64le	openssl-3.0.1-47.el9_1.ppc64le.rpm	1d50b1e8c6fbe3b7725afe134ac64fd3e82dc26ab55126c8647b87ba20159b95
ppc64le	openssl-devel-3.0.1-47.el9_1.ppc64le.rpm	8a2a14307ceba266473d7fdeed19da8a2f2b50641da7222cd5a96eb1b03782f2
ppc64le	openssl-libs-3.0.1-47.el9_1.ppc64le.rpm	c3b4724fbf9c41a2aabc720d1783c3707b6a3c258fe41937def30f24ce28904d
s390x	openssl-libs-3.0.1-47.el9_1.s390x.rpm	1abed78f5bae6815f0331d730b4ea43fe4a2c608011bb16101ff2058b2b631bf
s390x	openssl-3.0.1-47.el9_1.s390x.rpm	9017ea0325437387aa894cf7e3d88c0c1f99c499fd50d19c2833469b2d8a0f65
s390x	openssl-devel-3.0.1-47.el9_1.s390x.rpm	9de5a112b55e6433299fc7baf005ad0ff243cc1922e1874a0b9f5e3ed7259411
s390x	openssl-perl-3.0.1-47.el9_1.s390x.rpm	dfa573e8755ce24c3ad6b68fafb81be1ae2af9ffb31d0352d47455a236afab00
x86_64	openssl-perl-3.0.1-47.el9_1.x86_64.rpm	4a4df0837e1159a813151ef97ca398246bf3a0188406f7fbceaa9dc8ae7218e7
x86_64	openssl-3.0.1-47.el9_1.x86_64.rpm	795d238c60f586e278db2d8517de751894776924d8f48bf089e144ae3f7c7570
x86_64	openssl-libs-3.0.1-47.el9_1.x86_64.rpm	93750e9503edf54c0a59ad307dab00f8579cdad2503d70c1310649ed652aa7f3
x86_64	openssl-devel-3.0.1-47.el9_1.x86_64.rpm	97c9a9dcda8c5d614bfb7d41103c1d44128d8ebf9727fb538e9301eba7815edc

Notes:

This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.