Your message dated Tue, 30 May 2023 17:19:18 +0000
with message-id <[email protected]>
and subject line Bug#1034720: fixed in openssl 3.0.9-1
has caused the Debian Bug report #1034720,
regarding openssl: CVE-2023-1255 CVE-2023-0466 CVE-2023-0465 CVE-2023-0464
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1034720: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034720
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for openssl.
CVE-2023-1255[0]:
| Issue summary: The AES-XTS cipher decryption implementation for 64 bit
| ARM platform contains a bug that could cause it to read past the input
| buffer, leading to a crash. Impact summary: Applications that use the
| AES-XTS algorithm on the 64 bit ARM platform can crash in rare
| circumstances. The AES-XTS algorithm is usually used for disk
| encryption. The AES-XTS cipher decryption implementation for 64 bit
| ARM platform will read past the end of the ciphertext buffer if the
| ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024
| bytes. If the memory after the ciphertext buffer is unmapped, this
| will trigger a crash which results in a denial of service. If an
| attacker can control the size and location of the ciphertext buffer
| being decrypted by an application using AES-XTS on 64 bit ARM, the
| application is affected. This is fairly unlikely making this issue a
| Low severity one.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=02ac9c9420275868472f33b01def01218742b8bb
https://www.openssl.org/news/secadv/20230420.txt
CVE-2023-0466[1]:
| The function X509_VERIFY_PARAM_add0_policy() is documented to
| implicitly enable the certificate policy check when doing certificate
| verification. However the implementation of the function does not
| enable the check which allows certificates with invalid or incorrect
| policies to pass the certificate verification. As suddenly enabling
| the policy check could break existing deployments it was decided to
| keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
| function. Instead the applications that require OpenSSL to perform
| certificate policy check need to use X509_VERIFY_PARAM_set1_policies()
| or explicitly enable the policy check by calling
| X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag
| argument. Certificate policy checks are disabled by default in OpenSSL
| and are not commonly used by applications.
https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908
(openssl-3.0)
CVE-2023-0465[2]:
| Applications that use a non-default option when verifying certificates
| may be vulnerable to an attack from a malicious CA to circumvent
| certain checks. Invalid certificate policies in leaf certificates are
| silently ignored by OpenSSL and other certificate policy checks are
| skipped for that certificate. A malicious CA could use this to
| deliberately assert invalid certificate policies in order to
| circumvent policy checking on the certificate altogether. Policy
| processing is disabled by default but can be enabled by passing the
| `-policy' argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.
https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb
(openssl-3.0)
CVE-2023-0464[3]:
| A security vulnerability has been identified in all supported versions
| of OpenSSL related to the verification of X.509 certificate chains
| that include policy constraints. Attackers may be able to exploit this
| vulnerability by creating a malicious certificate chain that triggers
| exponential use of computational resources, leading to a denial-of-
| service (DoS) attack on affected systems. Policy processing is
| disabled by default but can be enabled by passing the `-policy'
| argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.
https://www.openssl.org/news/secadv/20230322.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
(openssl-3.0)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-1255
https://www.cve.org/CVERecord?id=CVE-2023-1255
[1] https://security-tracker.debian.org/tracker/CVE-2023-0466
https://www.cve.org/CVERecord?id=CVE-2023-0466
[2] https://security-tracker.debian.org/tracker/CVE-2023-0465
https://www.cve.org/CVERecord?id=CVE-2023-0465
[3] https://security-tracker.debian.org/tracker/CVE-2023-0464
https://www.cve.org/CVERecord?id=CVE-2023-0464
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 3.0.9-1
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 30 May 2023 18:12:36 +0200
Source: openssl
Architecture: source
Version: 3.0.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1034720
Changes:
openssl (3.0.9-1) unstable; urgency=medium
.
* Import 3.0.7
- CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
Constraints) (Closes: #1034720).
- CVE-2023-0465 (Invalid certificate policies in leaf certificates are
silently ignored).
- CVE-2023-0466 (Certificate policy check not enabled).
- Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
- CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
- CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit
ARM).
- Add new symbol.
Checksums-Sha1:
87228c5645414248fab10827ba09df7a4d192964 2459 openssl_3.0.9-1.dsc
b569725118c0603537c9a19449046b41b39627c8 15181285 openssl_3.0.9.orig.tar.gz
fae89348414f17e5e7782ba3452e03e97a9cba85 833 openssl_3.0.9.orig.tar.gz.asc
16a3f57149bc0982190bf24ef5f60202bae39087 75600 openssl_3.0.9-1.debian.tar.xz
Checksums-Sha256:
e1349619b782e9a7ef5e838f9d3ef3b669454ddcd4be740a1183d8cf12153e91 2459
openssl_3.0.9-1.dsc
eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90 15181285
openssl_3.0.9.orig.tar.gz
75f46c27c14fbe84c16d41ed95b1af347641c06a53533d3926c4fc05f59ef87a 833
openssl_3.0.9.orig.tar.gz.asc
e2d357313d50b244727c37aceae3c1e69b0d03a6e911d73de5382515a27647f1 75600
openssl_3.0.9-1.debian.tar.xz
Files:
912190d5e5a5c1947251bb6de9994baa 2459 utils optional openssl_3.0.9-1.dsc
8b2aff668b8ce0da24b9505ebfd26b4d 15181285 utils optional
openssl_3.0.9.orig.tar.gz
55648b488efe8b690d65ca0fed27d414 833 utils optional
openssl_3.0.9.orig.tar.gz.asc
f327c0c89ee445c9f42267dbb2941adb 75600 utils optional
openssl_3.0.9-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmR2LaUACgkQBWQfF1cS
+lv+rwwAtejQppXCuqbjZRieS6WgIsZH65OSMmxW1L4y1gBVf2Dvbw7vGjoahjuk
axkrpd9UfZqv+wzHuC86GZWcFRkj2/O3XkEBwmx5eHtH6oUE4Noch3BJtuoI2XVY
aW8HD+6T8SuA74Qkul4q3RCvCrdDh4bmt2t20RA2aDMWX2vz3BJFdY0xFVmHTB9m
rhEtGgP5WSfCXCC0aLq+mE28PlD/TFM2oyvr0Z6S/fZqgl8L/C8ohJdCdeB/Wl2D
01kHFSfxp4KtEYYdGc4JeT+7iH9Dtr8tsj57GeFNNZ3ePReCxD/Ur7P8or16tAcH
db8aEsb3G7nGsE9esnEPa1JwC+de/eSmdzXu5JHIcEsCgefecWlD6Hqz+/cvuqKR
3Oop7reuwpLudlLhjZgukgu8teuJ2wtrXaE6iQWp5CzHE+ATPAEEISWaGnMfaGyV
vkmKtU6bqsGFps2pnHi6ti10GFTbOhFuvkeXNr7hDQbVQ/urA7gNbupDY6Gz/yWd
gL7JlA+s
=1s9b
-----END PGP SIGNATURE-----
--- End Message ---
