[ALSA-2023:0946] Moderate: openssl security and bug fix update
Release date:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: read buffer overflow in X.509 certificate verification (CVE-2022-4203) * openssl: timing attack in RSA Decryption implementation (CVE-2022-4304) * openssl: double free after calling PEM_read_bio_ex (CVE-2022-4450) * openssl: use-after-free following BIO_new_NDEF (CVE-2023-0215) * openssl: invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) * openssl: NULL dereference validating DSA public key (CVE-2023-0217) * openssl: X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) * openssl: NULL dereference during PKCS7 data verification (CVE-2023-0401) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * HMAC generation should reject key lengths < 112 bits or provide an indicator in FIPS mode (BZ#2144000) * In FIPS mode, openssl should set a minimum length for passwords in PBKDF2 (BZ#2144003) * stunnel consumes high amount of memory when pestered with TCP connections without a TLS handshake (BZ#2144008) * In FIPS mode, openssl should reject SHAKE as digest for RSA-OAEP or provide an indicator (BZ#2144010) * In FIPS mode, openssl should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator (BZ#2144012) * In FIPS mode, openssl should reject RSA signatures with X9.31 padding, or provide an indicator (BZ#2144015) * In FIPS mode, openssl should reject SHA-224, SHA-384, SHA-512-224, and SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after 2023-05-16 (BZ#2144017) * In FIPS mode, openssl should reject KDF input and output key lengths < 112 bits or provide an indicator (BZ#2144019) * In FIPS mode, openssl should reject RSA keys < 2048 bits when using EVP_PKEY_decapsulate, or provide an indicator (BZ#2145170) * AlmaLinux9.1 Nightly[0912] - error:03000093:digital envelope routines::command not supported when git clone is run with configured ibmca engine backed by libica.so.4 (OpenSSL 3.0) (BZ#2149010) * OpenSSL FIPS checksum code needs update (BZ#2158412)
Updated packages listed below:
Architecture Package Checksum
aarch64 openssl-perl-3.0.1-47.el9_1.aarch64.rpm 424415fc6295c6bdd264ff2d7ad6a0694c490a64bd01307cb7f2e16da48922c9
aarch64 openssl-3.0.1-47.el9_1.aarch64.rpm 452be58430c790f862344449b7fa729dbc58fec662ba072bae3e46b3aefb20c7
aarch64 openssl-libs-3.0.1-47.el9_1.aarch64.rpm 6d83b88a919909c2a4dd310a2f22d6a61c8abd313bf65d142c96fad2ec089779
aarch64 openssl-devel-3.0.1-47.el9_1.aarch64.rpm c56b1052db8412f92fd263ccae582e4a05f3dfdbb7d04f15556f0c5e61a16919
i686 openssl-libs-3.0.1-47.el9_1.i686.rpm 57df9f5e63ab39844acc175505d7d88ca13920970831afbc756883ac4596b2ee
i686 openssl-devel-3.0.1-47.el9_1.i686.rpm b2d37c816aba81b64f4ef993cad7add3c3cd631e278f1bc8eaeaf52294ff9284
ppc64le openssl-perl-3.0.1-47.el9_1.ppc64le.rpm 0c074e3a4969a4e69feb68c39a5ceff4f5b21d10669c63ab3b20b85f0217930f
ppc64le openssl-3.0.1-47.el9_1.ppc64le.rpm 1d50b1e8c6fbe3b7725afe134ac64fd3e82dc26ab55126c8647b87ba20159b95
ppc64le openssl-devel-3.0.1-47.el9_1.ppc64le.rpm 8a2a14307ceba266473d7fdeed19da8a2f2b50641da7222cd5a96eb1b03782f2
ppc64le openssl-libs-3.0.1-47.el9_1.ppc64le.rpm c3b4724fbf9c41a2aabc720d1783c3707b6a3c258fe41937def30f24ce28904d
s390x openssl-libs-3.0.1-47.el9_1.s390x.rpm 1abed78f5bae6815f0331d730b4ea43fe4a2c608011bb16101ff2058b2b631bf
s390x openssl-3.0.1-47.el9_1.s390x.rpm 9017ea0325437387aa894cf7e3d88c0c1f99c499fd50d19c2833469b2d8a0f65
s390x openssl-devel-3.0.1-47.el9_1.s390x.rpm 9de5a112b55e6433299fc7baf005ad0ff243cc1922e1874a0b9f5e3ed7259411
s390x openssl-perl-3.0.1-47.el9_1.s390x.rpm dfa573e8755ce24c3ad6b68fafb81be1ae2af9ffb31d0352d47455a236afab00
x86_64 openssl-perl-3.0.1-47.el9_1.x86_64.rpm 4a4df0837e1159a813151ef97ca398246bf3a0188406f7fbceaa9dc8ae7218e7
x86_64 openssl-3.0.1-47.el9_1.x86_64.rpm 795d238c60f586e278db2d8517de751894776924d8f48bf089e144ae3f7c7570
x86_64 openssl-libs-3.0.1-47.el9_1.x86_64.rpm 93750e9503edf54c0a59ad307dab00f8579cdad2503d70c1310649ed652aa7f3
x86_64 openssl-devel-3.0.1-47.el9_1.x86_64.rpm 97c9a9dcda8c5d614bfb7d41103c1d44128d8ebf9727fb538e9301eba7815edc
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.