Your message dated Tue, 30 May 2023 17:49:16 +0000
with message-id <[email protected]>
and subject line Bug#1034720: fixed in openssl 3.1.1-1
has caused the Debian Bug report #1034720,
regarding openssl: CVE-2023-1255 CVE-2023-0466 CVE-2023-0465 CVE-2023-0464
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1034720: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034720
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for openssl.
CVE-2023-1255[0]:
| Issue summary: The AES-XTS cipher decryption implementation for 64 bit
| ARM platform contains a bug that could cause it to read past the input
| buffer, leading to a crash. Impact summary: Applications that use the
| AES-XTS algorithm on the 64 bit ARM platform can crash in rare
| circumstances. The AES-XTS algorithm is usually used for disk
| encryption. The AES-XTS cipher decryption implementation for 64 bit
| ARM platform will read past the end of the ciphertext buffer if the
| ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024
| bytes. If the memory after the ciphertext buffer is unmapped, this
| will trigger a crash which results in a denial of service. If an
| attacker can control the size and location of the ciphertext buffer
| being decrypted by an application using AES-XTS on 64 bit ARM, the
| application is affected. This is fairly unlikely making this issue a
| Low severity one.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=02ac9c9420275868472f33b01def01218742b8bb
https://www.openssl.org/news/secadv/20230420.txt
CVE-2023-0466[1]:
| The function X509_VERIFY_PARAM_add0_policy() is documented to
| implicitly enable the certificate policy check when doing certificate
| verification. However the implementation of the function does not
| enable the check which allows certificates with invalid or incorrect
| policies to pass the certificate verification. As suddenly enabling
| the policy check could break existing deployments it was decided to
| keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
| function. Instead the applications that require OpenSSL to perform
| certificate policy check need to use X509_VERIFY_PARAM_set1_policies()
| or explicitly enable the policy check by calling
| X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag
| argument. Certificate policy checks are disabled by default in OpenSSL
| and are not commonly used by applications.
https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908
(openssl-3.0)
CVE-2023-0465[2]:
| Applications that use a non-default option when verifying certificates
| may be vulnerable to an attack from a malicious CA to circumvent
| certain checks. Invalid certificate policies in leaf certificates are
| silently ignored by OpenSSL and other certificate policy checks are
| skipped for that certificate. A malicious CA could use this to
| deliberately assert invalid certificate policies in order to
| circumvent policy checking on the certificate altogether. Policy
| processing is disabled by default but can be enabled by passing the
| `-policy' argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.
https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb
(openssl-3.0)
CVE-2023-0464[3]:
| A security vulnerability has been identified in all supported versions
| of OpenSSL related to the verification of X.509 certificate chains
| that include policy constraints. Attackers may be able to exploit this
| vulnerability by creating a malicious certificate chain that triggers
| exponential use of computational resources, leading to a denial-of-
| service (DoS) attack on affected systems. Policy processing is
| disabled by default but can be enabled by passing the `-policy'
| argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.
https://www.openssl.org/news/secadv/20230322.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
(openssl-3.0)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-1255
https://www.cve.org/CVERecord?id=CVE-2023-1255
[1] https://security-tracker.debian.org/tracker/CVE-2023-0466
https://www.cve.org/CVERecord?id=CVE-2023-0466
[2] https://security-tracker.debian.org/tracker/CVE-2023-0465
https://www.cve.org/CVERecord?id=CVE-2023-0465
[3] https://security-tracker.debian.org/tracker/CVE-2023-0464
https://www.cve.org/CVERecord?id=CVE-2023-0464
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 3.1.1-1
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 30 May 2023 19:46:00 +0200
Source: openssl
Architecture: source
Version: 3.1.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1034720
Changes:
openssl (3.1.1-1) experimental; urgency=medium
.
* Import 3.1.1
- CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
Constraints) (Closes: #1034720).
- CVE-2023-0465 (Invalid certificate policies in leaf certificates are
silently ignored).
- CVE-2023-0466 (Certificate policy check not enabled).
- Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
- CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
- CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64
bit ARM).
- Add new symbol.
Checksums-Sha1:
b393d85b6f854028982d157868bfd05fb838731c 2459 openssl_3.1.1-1.dsc
d01a0f243672d514aee14bdd74a5d109b6394a78 15544757 openssl_3.1.1.orig.tar.gz
d44bffcd2554511dd8e72f333c58a81c24443ad7 833 openssl_3.1.1.orig.tar.gz.asc
834418ea4af2f1cdf02a31d31569caa45c90c75f 75620 openssl_3.1.1-1.debian.tar.xz
Checksums-Sha256:
f528bb034241e177e741c938a4d18950ec1be186d8b4939383207174c980750b 2459
openssl_3.1.1-1.dsc
b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674 15544757
openssl_3.1.1.orig.tar.gz
2c7e352420ed25de719ba5342384a6feaeb6d3b4f53c7b8a8b090dd456b6544e 833
openssl_3.1.1.orig.tar.gz.asc
3dc022c2d1f8ad0a2f2fefc27b72e890a3f4fc527cbfdbcd2b6c5a97ed73f9c7 75620
openssl_3.1.1-1.debian.tar.xz
Files:
b941bed86a0caf1681d9b42e7e310f99 2459 utils optional openssl_3.1.1-1.dsc
1864b75e31fb4a6e0a07fd832529add3 15544757 utils optional
openssl_3.1.1.orig.tar.gz
67c220fc1962dce4e12540ab33349f4f 833 utils optional
openssl_3.1.1.orig.tar.gz.asc
ad9e056e65d434fbbcbd74d8885cbe72 75620 utils optional
openssl_3.1.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmR2NowACgkQBWQfF1cS
+luPBgv9E3/qHkhY/RbRVkaH6cRDPO12TFxIfCHdgKUddlQXoQIxcJ/8CbWLdbwa
k1zcOLnt25Dc7piX7mhN+QwJsKHTuTwLppZgLeHvanYSz17bgJTOmYDPd7TjMjZz
HTd3SWBHIdRZsKRLpTI6rg3PueoChUREcT3TFB3Lywodii/XVMiT3RTnl4lfY5xU
hRVunDN/pnvqKK5SITd/ZMG9+LjcLiDy49GzfLHNupvYdGTauEZ16RdpNKPlxVeB
Ek0NjPoWmhE0h3nDEG5GGduG2/1LWrSyTsFmeBwI1P3nK+/yVwsCK7FRBBgthaVi
23lvXjqq71+AheCNd0mf2qX8V/e+r2dTrMiTandcNrFaDX2Z9imiXQ04ppjuJyNv
ZQ9v1u/R61+t/JALaPiu0S1TrE+Qz6nx0jx8xzIfQf+7BK4/iPuHuUZLoqf40Yce
zlNlp+HT30m/b4v7s31WSr5H7706mHRVPItDZP+yx2VXkrOmti/Ps2pa6nCeQoEW
Ve77X1HZ
=cckS
-----END PGP SIGNATURE-----
--- End Message ---
