Revisions of openssl-3
Marco Strigl (mstrigl)
committed
(revision 5)
- Security Fix: [CVE-2023-0465, bsc#1209878] * Invalid certificate policies in leaf certificates are silently ignored * Add openssl-CVE-2023-0465.patch - Security Fix: [CVE-2023-0466, bsc#1209873] * Certificate policy check not enabled * Add openssl-CVE-2023-0466.patch
Marcus Rueckert (darix)
committed
(revision 4)
- Security Fix: [CVE-2023-0464, bsc#1209624] * Excessive Resource Usage Verifying X.509 Policy Constraints * Add openssl-CVE-2023-0464.patch
Marcus Rueckert (darix)
committed
(revision 3)
- Update to version 3.0.8 in SLE15-SP5 [jsc#PED-544] * Fixed NULL dereference during PKCS7 data verification. A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. ([bsc#1207541, CVE-2023-0401]) PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data. * Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. ([bsc#1207533, CVE-2023-0286]) * Fixed NULL dereference validating DSA public key. An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the
Lars Vogdt (lrupp)
committed
(revision 2)
- Update openssl.keyring: pub rsa4096 2021-07-16 [SC] [expires: 2031-07-14] A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C uid Tomáš Mráz <tm@t8m.info> uid Tomáš Mráz <tomas@arleto.cz> uid Tomáš Mráz <tomas@openssl.org> - Update to version 3.0.7 in SLE15-SP5 [jsc#PED-544] - Remove patches (already present in 3.0.7): * openssl-3-CVE-2022-1343.patch * openssl-CVE-2022-0778.patch * openssl-CVE-2022-0778-tests.patch * openssl-CVE-2022-1292.patch * openssl-3-Fix-EC-ASM-flag-passing.patch * openssl-update_expired_certificates.patch * openssl-3-CVE-2022-3358.patch * openssl-3-Fix-SHA-SHAKE-and-KECCAK-ASM-flag-passing.patch * openssl-3-CVE-2022-3602_2.patch * openssl-3-CVE-2022-3602_1.patch * openssl-CVE-2022-2097.patch * openssl-3-CVE-2022-1434.patch * openssl-3-CVE-2022-1473.patch * openssl-3-Fix-file-operations-in-c_rehash.patch - Enable tests: test_req test_verify_store test_ca test_ssl_old - Update to 3.0.7: [bsc#1204714, CVE-2022-3602,CVE-2022-3786] * Fixed two buffer overflows in punycode decoding functions. A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to
Lars Vogdt (lrupp)
committed
(revision 1)
initialize package
Displaying all 5 revisions