Re: [lfs-book] [LFS Trac] #4816: openssl-1.1.1j

Tue, 16 Feb 2021 08:17:06 -0800 

#4816: openssl-1.1.1j
--------------------+-----------------------
 Reporter:  renodr  |       Owner:  lfs-book
     Type:  task    |      Status:  new
 Priority:  high    |   Milestone:  10.1
Component:  Book    |     Version:  SVN
 Severity:  normal  |  Resolution:
 Keywords:          |
--------------------+-----------------------

Comment (by renodr):

 {{{
 OpenSSL Security Advisory [16 February 2021]
 ============================================

 Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)
 ====================================================================

 Severity: Moderate

 The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
 create a unique hash value based on the issuer and serial number data
 contained
 within an X509 certificate. However it fails to correctly handle any
 errors
 that may occur while parsing the issuer field (which might occur if the
 issuer
 field is maliciously constructed). This may subsequently result in a NULL
 pointer deref and a crash leading to a potential denial of service attack.

 The function X509_issuer_and_serial_hash() is never directly called by
 OpenSSL
 itself so applications are only vulnerable if they use this function
 directly
 and they use it on certificates that may have been obtained from untrusted
 sources.

 OpenSSL versions 1.1.1i and below are affected by this issue. Users of
 these
 versions should upgrade to OpenSSL 1.1.1j.

 OpenSSL versions 1.0.2x and below are affected by this issue. However
 OpenSSL
 1.0.2 is out of support and no longer receiving public updates. Premium
 support
 customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
 upgrade
 to 1.1.1j.

 This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy
 from
 Google. The fix was developed by Matt Caswell.
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4816#comment:2>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
-- 
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Reply via email to