Source: openssl
Version: 3.0.12-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.0.11-1
Control: found -1 3.0.11-1~deb12u1
Control: found -1 3.0.11-1~deb12u2
Control: found -1 1.1.1w-0+deb11u1

Hi,

The following vulnerability was published for openssl.

CVE-2023-5678[0]:
| Issue summary: Generating excessively long X9.42 DH keys or checking
| excessively long X9.42 DH keys or parameters may be very slow.
| Impact summary: Applications that use the functions
| DH_generate_key() to generate an X9.42 DH key may experience long
| delays. Likewise, applications that use DH_check_pub_key(),
| DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42
| DH key or X9.42 DH parameters may experience long delays. Where the
| key or parameters that are being checked have been obtained from an
| untrusted source this may lead to a Denial of Service. While
| DH_check() performs all the necessary checks (as of CVE-2023-3817),
| DH_check_pub_key() doesn't make any of these checks, and is
| therefore vulnerable for excessively large P and Q parameters.
| Likewise, while DH_generate_key() performs a check for an
| excessively large P, it doesn't check for an excessively large Q.
| An application that calls DH_generate_key() or DH_check_pub_key()
| and supplies a key or parameters obtained from an untrusted source
| could be vulnerable to a Denial of Service attack.
| DH_generate_key() and DH_check_pub_key() are also called by a number
| of other OpenSSL functions. An application calling any of those
| other functions may similarly be affected. The other functions
| affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(),
| and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey
| command line application when using the "-pubcheck" option, as well
| as the OpenSSL genpkey command line application. The OpenSSL
| SSL/TLS implementation is not affected by this issue. The OpenSSL
| 3.0 and 3.1 FIPS providers are not affected by this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-5678
    https://www.cve.org/CVERecord?id=CVE-2023-5678
[1] https://www.openssl.org/news/secadv/20231106.txt

Regards,
Salvatore
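
Added example, not part of the original report and not OpenSSL's code: an application-side size gate that measures P and Q in DER-encoded X9.42 domain parameters before the blob is handed to any of the check or key-generation functions named in the advisory. The 10000-bit limit, the function names and the sample values are assumptions made for illustration, and "Q no longer than P" is a cheap necessary condition rather than a full validity check.

```python
MAX_MODULUS_BITS = 10000  # assumed policy limit, not a value taken from the report

def _read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _bit_length(value):  # bit length of a DER INTEGER, no bignum is built
    if not value or value[0] & 0x80:
        raise ValueError("empty or negative INTEGER")
    value = value.lstrip(b"\x00")
    return (len(value) - 1) * 8 + value[0].bit_length() if value else 0

def dhx_param_bits(der):
    """Bit lengths of (p, g, q) from SEQUENCE { p, g, q, ... } of INTEGERs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    bits, pos = [], 0
    for _ in range(3):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        bits.append(_bit_length(value))
    return tuple(bits)

def accept_dhx_params(der, max_bits=MAX_MODULUS_BITS):
    p_bits, _, q_bits = dhx_param_bits(der)  # raises ValueError on malformed input
    return 0 < p_bits <= max_bits and 0 < q_bits <= p_bits  # P bounded, Q no longer than P

def _der(tag, body):  # minimal DER encoder, used only to build the constructed samples
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body
def make_params(p, g, q):
    ints = [_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g, q)]
    return _der(0x30, b"".join(ints))

# Constructed samples: only the sizes matter here, the values are not real primes.
OK = make_params((1 << 2047) | 1, 2, (1 << 255) | 1)
HUGE_P = make_params((1 << 19999) | 1, 2, (1 << 255) | 1)
HUGE_Q = make_params((1 << 2047) | 1, 2, (1 << 4095) | 1)
```

The gate reads only length fields and the leading byte of each INTEGER, so its cost stays linear in the input size no matter how large P or Q claim to be.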