#4816: openssl-1.1.1j
--------------------+-----------------------
Reporter: renodr | Owner: lfs-book
Type: task | Status: new
Priority: high | Milestone: 10.1
Component: Book | Version: SVN
Severity: normal | Resolution:
Keywords: |
--------------------+-----------------------
Comment (by renodr):
{{{
Integer overflow in CipherUpdate (CVE-2021-23840)
=================================================
Severity: Low
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow
the output length argument in some cases where the input length is close to the
maximum permissible length for an integer on the platform. In such cases the
return value from the function call will be 1 (indicating success), but the
output length value will be negative. This could cause applications to behave
incorrectly or crash.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
to 1.1.1j.

This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The fix
was developed by Matt Caswell.
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4816#comment:3>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
--
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
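As an added example (not part of the ticket or of OpenSSL's code), the following C models the failure mode the advisory describes for EVP_CipherUpdate and friends, where a call returns 1 but leaves a negative `int` output length, and shows the two caller-side checks that catch it. It does not link against OpenSSL; `model_update_len`, `MODEL_BLOCK_LEN` and `checked_update` are hypothetical names, and the block size 16 is an assumption chosen to match AES.

```c
/* Added example: models CVE-2021-23840's symptom without using OpenSSL.
 * The *_Update calls report output length through an `int *outl`; in
 * affected versions that length could wrap negative while the call still
 * returned 1. A caller can defend against this independently of version. */
#include <limits.h>
#include <stdio.h>

/* Assumed block size for the model; 16 matches AES. */
#define MODEL_BLOCK_LEN 16

/* Model of the affected length computation: a block-cipher update may emit
 * inl bytes plus one previously buffered block. Like the advisory's case it
 * returns 1 even when the sum does not fit in an int. The addition is done
 * in unsigned arithmetic and cast back, so the model itself has no undefined
 * behaviour; on two's-complement platforms the cast yields a negative value. */
int model_update_len(int inl, int *outl)
{
    if (inl < 0)
        return 0;
    *outl = (int)((unsigned int)inl + MODEL_BLOCK_LEN);
    return 1;
}

/* Pre-call guard: reject input lengths whose worst-case output length is
 * not representable as an int. */
int update_len_is_safe(int inl)
{
    return inl >= 0 && inl <= INT_MAX - MODEL_BLOCK_LEN;
}

/* Caller-side wrapper: bound the input first, then distrust a "success"
 * return that comes with a negative length. Returns 1 only if *outl is
 * usable as a buffer length. */
int checked_update(int inl, int *outl)
{
    if (!update_len_is_safe(inl))
        return 0;
    if (model_update_len(inl, outl) != 1)
        return 0;
    if (*outl < 0)      /* the advisory's symptom: rc == 1, outl negative */
        return 0;
    return 1;
}

int main(void)
{
    int outl = 0;
    int rc = model_update_len(INT_MAX - 1, &outl);
    printf("unchecked: rc=%d outl=%d\n", rc, outl);
    printf("checked:   rc=%d\n", checked_update(INT_MAX - 1, &outl));
    return 0;
}
```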