Your message dated Thu, 08 Jun 2023 21:19:10 +0000
with message-id <[email protected]>
and subject line Bug#1034720: fixed in openssl 1.1.1n-0+deb11u5
has caused the Debian Bug report #1034720,
regarding openssl: CVE-2023-1255 CVE-2023-0466 CVE-2023-0465 CVE-2023-0464
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1034720: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034720
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for openssl.
CVE-2023-1255[0]:
| Issue summary: The AES-XTS cipher decryption implementation for 64 bit
| ARM platform contains a bug that could cause it to read past the input
| buffer, leading to a crash. Impact summary: Applications that use the
| AES-XTS algorithm on the 64 bit ARM platform can crash in rare
| circumstances. The AES-XTS algorithm is usually used for disk
| encryption. The AES-XTS cipher decryption implementation for 64 bit
| ARM platform will read past the end of the ciphertext buffer if the
| ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024
| bytes. If the memory after the ciphertext buffer is unmapped, this
| will trigger a crash which results in a denial of service. If an
| attacker can control the size and location of the ciphertext buffer
| being decrypted by an application using AES-XTS on 64 bit ARM, the
| application is affected. This is fairly unlikely making this issue a
| Low severity one.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=02ac9c9420275868472f33b01def01218742b8bb
https://www.openssl.org/news/secadv/20230420.txt
CVE-2023-0466[1]:
| The function X509_VERIFY_PARAM_add0_policy() is documented to
| implicitly enable the certificate policy check when doing certificate
| verification. However the implementation of the function does not
| enable the check which allows certificates with invalid or incorrect
| policies to pass the certificate verification. As suddenly enabling
| the policy check could break existing deployments it was decided to
| keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
| function. Instead the applications that require OpenSSL to perform
| certificate policy check need to use X509_VERIFY_PARAM_set1_policies()
| or explicitly enable the policy check by calling
| X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag
| argument. Certificate policy checks are disabled by default in OpenSSL
| and are not commonly used by applications.
https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908
(openssl-3.0)
CVE-2023-0465[2]:
| Applications that use a non-default option when verifying certificates
| may be vulnerable to an attack from a malicious CA to circumvent
| certain checks. Invalid certificate policies in leaf certificates are
| silently ignored by OpenSSL and other certificate policy checks are
| skipped for that certificate. A malicious CA could use this to
| deliberately assert invalid certificate policies in order to
| circumvent policy checking on the certificate altogether. Policy
| processing is disabled by default but can be enabled by passing the
| `-policy' argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.
https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb
(openssl-3.0)
CVE-2023-0464[3]:
| A security vulnerability has been identified in all supported versions
| of OpenSSL related to the verification of X.509 certificate chains
| that include policy constraints. Attackers may be able to exploit this
| vulnerability by creating a malicious certificate chain that triggers
| exponential use of computational resources, leading to a denial-of-
| service (DoS) attack on affected systems. Policy processing is
| disabled by default but can be enabled by passing the `-policy'
| argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.
https://www.openssl.org/news/secadv/20230322.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
(openssl-3.0)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-1255
https://www.cve.org/CVERecord?id=CVE-2023-1255
[1] https://security-tracker.debian.org/tracker/CVE-2023-0466
https://www.cve.org/CVERecord?id=CVE-2023-0466
[2] https://security-tracker.debian.org/tracker/CVE-2023-0465
https://www.cve.org/CVERecord?id=CVE-2023-0465
[3] https://security-tracker.debian.org/tracker/CVE-2023-0464
https://www.cve.org/CVERecord?id=CVE-2023-0464
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.1.1n-0+deb11u5
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 May 2023 23:30:44 +0200
Source: openssl
Architecture: source
Version: 1.1.1n-0+deb11u5
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1034720
Changes:
openssl (1.1.1n-0+deb11u5) bullseye-security; urgency=medium
.
* CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
Constraints) (Closes: #1034720).
* CVE-2023-0465 (Invalid certificate policies in leaf certificates are
silently ignored).
* CVE-2023-0466 (Certificate policy check not enabled).
* Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
* CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
Checksums-Sha1:
fbbeb971d5f849727d97504fbbf00707ce276df7 2481 openssl_1.1.1n-0+deb11u5.dsc
fe71ab8df190172227e94704d1edbe79bd313d16 141712
openssl_1.1.1n-0+deb11u5.debian.tar.xz
Checksums-Sha256:
412c88207a7108507f015cd0ac5ee38fa99e5919f2704d4422f9a21a3760667b 2481
openssl_1.1.1n-0+deb11u5.dsc
b9e6eb5bd11c2bafb63a6df6f786cc72f9d94b16b66ceadaf3a2971127a31836 141712
openssl_1.1.1n-0+deb11u5.debian.tar.xz
Files:
4b2299ebc5315f3188fa582c873c10d9 2481 utils optional
openssl_1.1.1n-0+deb11u5.dsc
f3406d63715f58073e91c3dd89598865 141712 utils optional
openssl_1.1.1n-0+deb11u5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmR0gmgACgkQBWQfF1cS
+lsJRwv/ZgYxqaSZqq3HWd8nViMtWkOBiPnChE5IfyaRvKHETtoIdmyw7HH6HZ71
ppgWOrI63fWVdvito9CA56ZPVocrah9/SD9QrjqV09TgSR4sYfS7mj62DaCLWgL1
GVebbWsarG/O9x51vVJbIW37EYY8TA2InkGV9XBc8uIulCpwX4cL2Nn2v96DrROD
1jeaatg79SOByuaQK0bx4QOyTD3/nqjBs+pwCJKXbXWx5GGoGfPV9GqVIq9JgAH+
+Mao3lhOAxiYutSuRPsFvSMRkdF6RLEgKtFSBEyOEgPZR6zC1CHc7Zfq0V9rJWgR
Y0ItuSxu1YU9Jd0UBE0FAI893DYO7yZbBoOWFCCGPkmgxgjbKqEPE9Xo4Nxwk6Lk
O+xtbbKW3Ib4WQ2tKszoZzYtLmNgkJd2LwsiX70cqTidxphQ+azuTgwX3NTlviQZ
SJkArIvnaVXUCmQUezjYli3DSTxveeB+o9chn9IcmH3Dxl6Dxb4K5YqiMeS3NSp5
btPN6u1t
=67T7
-----END PGP SIGNATURE-----
--- End Message ---
